Qualys Community

1078 posts

Assessing Risk from Vendors and Other Third Parties Is Key to Business Success

Jane and Emily are CISOs at two large companies which about five years ago almost simultaneously hired a well-known outsourcer that provides back office business services. Both companies entrusted the outsourcer with sensitive corporate data and granted it special access to their IT systems.

Both Jane and Emily had spent a lot of time, effort and money boosting their respective companies’ physical and IT security, and tightening their compliance with external regulations and internal rules.

However, these two successful CISOs differed in a key area: third party risk management. Jane had given short shrift to this important but overlooked area. Meanwhile, Emily had made it a priority to create a formal, comprehensive, centralized and automated program for assessing third party risk.

Recently, cyber criminals broke into the network of the outsourcer and stole confidential data and access credentials from its customers, including Jane’s company. Emily’s company had cut off ties with the outsourcer 18 months before, so it wasn’t affected.

Continue reading …

Problem with OpenSSL Patches of September 22, 2016

Today, OpenSSL has released an update advising of a problem with patches that was released last week on September 22.

The first offending patch was for CVE-2016-6309, and it could result in a crash or even execution of attacker-supplied code resulting in compromise of the patched machine. This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016. As a result OpenSSL 1.1.0 users should upgrade to 1.1.0b.

The second offending patch was for CVE-2016-7052, and if the patch is installed, it could allow attackers to cause a denial of service condition leading to a crash. This issue affects only OpenSSL 1.0.2i, released on 22nd September 2016. As a result OpenSSL 1.0.2i users should upgrade to 1.0.2j.

Prioritizing Remediation: Visualize and Share the Data, Apply It to Your Organization

This is the last part in our series on prioritizing vulnerability remediation, where we’ve been outlining basic requirements so you can always identify the IT assets you must patch right away.

In our first two posts, we met Steve, an infosec manager whose organization’s inability to manage its IT environment’s vulnerabilities had turned him into an insomniac. We also described the first three requirements for success:

  • compiling a complete, detailed IT asset inventory;
  • logging the constant stream of vulnerability disclosures;
  • and correlating external threat information with your IT assets’ vulnerabilities.

In this last installment, we discuss the last two of the five requirements: having dashboard tools to visualize and share your threat landscape; and making precise assessments of your organization’s risk scenarios.
Continue reading …

Qualys Beefs Up Cloud Tool for Security Consultants

Like all security consultants, you face intensifying challenges, demands and pressures as your customers’ IT infrastructures become more complex and hackers get more aggressive and effective.

Organizations entrust you with the complex and critical task of making comprehensive and accurate security assessments of their IT environments. Every customer engagement is a high-stakes job.

You must stay abreast of the latest, ever more sophisticated cyber attacks, as well as understand your customers’ increasingly heterogeneous and distributed IT environments. To succeed, it’s not sufficient to rely on your know-how and experience, however vast those might be. You also need the best software tools available to do your job.

Continue reading …

Prioritizing Remediation: Plug into the Firehose of Vulnerability Disclosures and Correlate

This is part two in a three-part series on prioritizing vulnerability remediation, where we’re explaining five basic requirements for identifying on an ongoing basis which IT assets you must patch right away.

In our first post last week we met Steve, a nightmare-stricken infosec manager who loses sleep over his organization’s inability to manage its IT environment’s vulnerabilities. We also described the first requirement for success: compiling a complete, detailed IT asset inventory.

In this second installment, we’ll spell out two more requirements: Logging the constant stream of vulnerability disclosures; and correlating external threat information with your IT assets’ vulnerabilities.

Continue reading …

Patch Tuesday September 2016 Video Highlights


In one of the larger Patch Tuesdays in some time, Microsoft today released 14 security bulletins for desktop OSes, server OSes, browsers, Silverlight, SMBv1, Exchange Server and more. Watch this video to learn how security teams should prioritize patching based on the new bulletins.

Adobe September 2016 Security Update

Today Adobe released three security updates that patched Adobe Flash, AIR and Adobe Digital Editions. Top priority goes to Adobe flash bulletin APSB16-29 which fixes a whopping 29 vulnerabilities. This update applies to Windows, Macintosh, Linux and ChromeOS platforms.

Continue reading …

Large Microsoft Patch Tuesday Update for September 2016

It’s September 2016 Patch Tuesday, and Microsoft has released 14 security bulletins that affect a host of components including desktop operating systems, servers, browsers , Exchange server, Silverlight, SMBv1 and several others. It’s a large update that will keep desktop as well as server administrators busy.  Seven updates are rated as critical, while the other seven are rated as important. One 0-day vulnerability CVE-2016-3352 which was publicly disclosed earlier is also patched in the MS16-110 bulletin.

Continue reading …

End the Nightmare of Vulnerability Disclosure Overload: Keep Calm and Prioritize

Overwhelmed by the mounds of vulnerabilities in their IT environments, many organizations struggle to prioritize remediation, but you can overcome this challenge with the right approach

Prioritize vulnerability remediation with Qualys ThreatPROTECT so you don't lose sleep.

Steve, an information security manager, is again rattled awake at 3 a.m. by a recurring nightmare: He’s at work and his desk suddenly gets transformed into a mile-long Whack-A-Mole cabinet with thousands of holes. But instead of toy moles, what springs up from the cabinet holes are red square signs, each displaying a different CVE number.

Mallet in hand, a flustered Steve quickly realizes there’s no way he can hit every CVE sign before time runs out. Worse, he gets no points for hitting the ones that pose no threat to his IT assets: He only gets rewarded when he whacks one that could seriously compromise his IT environment.

Continue reading …

Qualys Cloud Platform 2.17 New Features

A new release of the Qualys Cloud Platform release 2.17 which includes updates and new features for:

  • Cloud Agent Platform (version 1.8.0)
  • Continuous Monitoring (version 1.16.0)
  • Security Assessment Questionnaire (version 2.2.0)

Continue reading …