This new release of the Qualys Cloud Platform (VM, PC), version 8.13, includes several new feature improvements across the apps such as the ability to test authentication records, as well as improvements to UDC’s and report options in Qualys Policy Compliance.
With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply with GDPR was evident among participants of a recent Qualys webcast titled “The GDPR deadline readiness and impact to global organizations outside the EU.”
Here we’re providing an edited transcript of their questions and of the answers provided by webcast host and Qualys Director of Product Management Tim White. Darron Gibbard, Qualys’ Chief Technical Security Officer and Managing Director of the EMEA North region, contributed to some of the answers.
Are there any recommended frameworks for implementing controls and processes for information security that I could follow to ensure GDPR readiness?
There are a variety of different ways of implementing general security best practices. There are some specific recommendations and each member country is starting to post the requirements. The most advanced one is the U.K.’s ICO (Information Commissioner’s Office). They provided a lot more depth about what InfoSec requirements you should put in place, but even their recommendations are still very vague. This isn’t like PCI where they say you have to implement a change detection solution to monitor critical changes to configuration files, and you must monitor log files on a regular basis. GDPR doesn’t have prescriptive controls like that. GDPR indicates that you have to implement the controls that are appropriate for the level of risk and that you need to protect the data from breaches of confidentiality, integrity and availability. So they basically say: “Do a good job at security.”
Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendors such as Microsoft and VMware.
In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.
This release includes the following new policies and updates:
- New CIS policy for Palo Alto Firewall 7 and Microsoft Windows 10 Enterprise Release 1607
- New mandate-based policies Adobe Common Controls Framework for Microsoft Windows, and HITRUST for VMware & Network Devices
- Several updates to existing library policies
Today’s Patch Tuesday covers a lot of vulnerabilities, but in terms of critical updates, it is still light. Out of the 75 vulnerabilities covered, only 15 are marked as critical. Adobe has released patches as well, covering 7 vulnerabilities.
All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.
In this week’s InfoSec news review we’ll dive into cryptomining, get the latest on DDoS amplification, go over recent data breaches, and check out another vendor claiming it can crack iPhones.
I, me, mine
The freight train that’s cryptomining shows no sign of slowing down, and the cyber security implications are intensifying accordingly.
This week alone, Microsoft detected and disrupted a massive cryptomining malware campaign, a Tesla AWS account got hijacked, a new mining worm was discovered, and Kaspersky researchers warned about increased sophistication of infection methods.
While there is a legitimate component to this business, malicious hackers eager to profit are aggressively breaching networks and infecting devices — PCs, IoT systems, smartphones, servers — to steal computing power for mining virtual currencies.
With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.
GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.
A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.
“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.
GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.
To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.
Unfortunately, many organizations are far from ready to comply with GDPR.
Qualys will require all connections to our Cloud Platform to use TLS 1.1 or higher beginning April 2nd 2018, in order to align with industry best practices for security and data integrity.
Please ensure that you are using TLSv1.1+, or your connectivity to the Cloud Platform will be impacted. This change will affect all connections to the Cloud Platform, this includes UIs, APIs, Scanner Appliances, and Cloud Agents.
Apple has been all over InfoSec news in the past week or so, along with Spectre / Meltdown developments, a tax season scam alert from the feds, and an apparent solution to the Winter Olympics’ hack whodunit. In addition, researchers warned about a new trend of using Memcached servers to significantly boost DDoS attacks, as GitHub became a victim of this new tactic.
Apple under siege
The second half of February was intense for Apple on the security front. A digital forensics vendor claimed having the ability to unlock all iPhone models, including the X, while a researcher warned about a Trojan targeting MacOs computers that’s not detected by anti-virus products. Oh, and Apple had to squash another one of those pesky bugs that let people crash iPhones via texting.
Forbes dropped a news bomb on Monday when it reported that Cellebrite recently started telling its customers — which are primarily government, military and corporate investigative teams — that it’s able to unlock and extract data from devices running iOS 11, such the iPhone X, as well as other iPhones, iPads and iPods.
While Cellebrite isn’t publicly trumpeting this capability, anonymous sources told Forbes that in recent months the company “has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe.”
As Forbes noted, Cellebrite has posted a brochure on its website where it details its ability to unlock these Apple products as well as several Android devices, and extract data from them. The way it works is that customers ship the devices to Cellebrite, where its engineers work their magic. Cellebrite can’t (or won’t) crack devices remotely.
In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks.
Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months, even years. Hackers routinely feast on all that low-hanging fruit to hijack systems, steal data, deface websites and disrupt operations.
We all know it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient. But InfoSec teams agree that fixing the most dangerous bugs on a timely basis is not only doable but also necessary.
The problem is that prioritizing remediation and pinpointing those critical vulnerabilities is difficult when — as is often the case — organizations lack continuous and automated vulnerability management, asset inventorying and threat analysis.
Unsurprisingly, recent Qualys data on patching behavior shows that remediation activity is directly related to the level of risk attached to specific vulnerabilities. And in some cases, specifically when it comes to the realm of IoT devices, patching is always slow, and often non-existent.