Qualys Blog

Qualys’ library of built-in policies makes it easy to comply with commonly adhered to security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS as well as ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library monthly.

This release includes new policies and updates covering:

• New CIS versions for Apache HTTP Server, Solaris, Microsoft Windows 2016, centOS, Microsoft IIS, Oracle Linux, and Red Hat Enterprise Linux
• New DISA STIG policies for Red Hat Enterprise Linux and Windows 2016
• New Security & Configuration Policies for IIS, MS SQL Server 2016
• New Mandate mappings for CIS Critical Security Controls & First Five CIS Controls
• Several updates to minor versions for Vendor Recommended and CIS policies

Continue reading …

From the first page, the EU’s General Data Protection Regulation stresses the importance it places on the security and privacy of EU residents’ private information. The 88-page document opens by referring to the protection of this personal data as a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish.

The stakes are sky-high for EU regulators tasked with enforcing GDPR, and for organisations that must comply with it. The requirements outlined in the document amount to what some have called “zero-tolerance” on mishandling EU residents’ personally identifiable information (PII) and apply to any organisation doing business in the EU, regardless of where they are based.

Both data “controllers” — those who collect the data — and data “processors” — those with whom it’s shared — must implement “appropriate technical and organisational measures” and their IT networks and systems must “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”

Bottom line: Organisations are expected to have technology and processes in place to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”

As we’ve discussed in this GDPR preparedness blog series, while the regulation’s document is light on specific prescriptive information security controls and technologies, organisations must have solid InfoSec foundations in place to comply with this regulation, which goes into effect in May 2018.

In prior installments, we’ve discussed the importance for GDPR compliance of IT asset inventory, vulnerability management, prioritization of remediation based on current threats, and vendor risk assessment. Today, we’ll focus on another core component for preparing for GDPR: policy compliance.

Continue reading …

This new patch release of the Qualys Cloud Suite, version 8.10.2, includes updates to shared platform features, a new role for user management, and expanded Policy Compliance platform support. Continue reading …

Today Microsoft released patches covering 48 vulnerabilities as part of August’s Patch Tuesday update, with 15 of them affecting Windows. Patches covering 25 of these vulnerabilities are labeled as Critical, and 27 can result in Remote Code Execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.

Continue reading …

Destruction of service. Get acquainted with this newly-minted term, and with its acronym — DeOS. It’s a particularly disturbing type of cyber attack InfoSec teams may face regularly in the not too distant future.

That’s one of the main findings featured in the Cisco 2017 Midyear Cybersecurity Report, a comprehensive cyber security study the networking giant has been publishing for almost a decade.

Due to several troubling developments, including the expected popularization of DeOS attacks — intended to wreck breached IT systems — and the proliferation of IoT device use in DDoS attacks, this report blares a special alarm.

“We must raise our warning flag even higher,” reads the report, which is based on research and data from Cisco and several of its technology partners, including Qualys. “Our security experts are becoming increasingly concerned about the accelerating pace of change — and yes, sophistication — in the global cyber threat landscape.”
Continue reading …

If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.

On that day, the EU’s General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents’ data from accidental mishandling and foul play.

While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.

Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed.

Continue reading …

It’s happening all over the business world. Organizations of all sizes and in all industries are aggressively deploying innovative products to new online consumer channels, digitizing their core services and transitioning core business workloads to public clouds as part of digital transformation efforts aimed at increasing business efficiency and effectiveness.

This trend represents both a challenge and an opportunity for InfoSec teams. The challenge: To ensure the security and compliance of these cloud instances, without interrupting their deployment. The opportunity: To become a partner to business units by facilitating the adoption of public cloud services and other digital transformation technologies.

The digital transformation opportunities ahead are immense, according to Mark Butler, Qualys CISO. Digital transformation programs are yielding tangible business benefits, but fundamental security challenges remain, he said during the recent webcast “Securing Your Public Cloud Infrastructure.” 

Specifically, InfoSec teams must gain visibility into these cloud workloads, so that they can monitor those assets, identify vulnerabilities and misconfigurations, and promptly remediate problems. Continue reading …

Dear Customer, Partner and Security Professional,

I would like to thank all of you for your support during our ongoing journey to a world where we are making security invisible and an integrated component of the Digital Transformation of our enterprises. With your help and the dedication of our engineers over many years, we are finally getting closer to that dream, as we continue to significantly increase the performance and reach of the Qualys Cloud Platform and apps.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personally identifiable information (PII).

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …