Qualys Blog

www.qualys.com

Implementing the CIS 20 Critical Security Controls: Make Your InfoSec Foundation Rock Solid

For almost 10 years, thousands of organizations eager to solidify their security and compliance foundations have found clarity and direction in the Center for Internet Security’s Critical Security Controls (CSCs).

This structured set of 20 foundational InfoSec best practices, first published in 2008, offers a methodical and prioritized approach for securing your IT environment. Mapping effectively to most security control frameworks, government regulations, contractual obligations and industry mandates, the CSCs can cut an organization’s risk of cyber attacks by over 90%, according to the CIS.

These battle-tested controls, described in a free document that has been downloaded more than 70,000 times, were developed and are maintained by a global team of expert volunteers from all cybersecurity sectors, including government, industry and academia.

A detailed plan that can help you boost your security and compliance posture is more relevant than ever, now that attacks are getting more sophisticated and aggressive, and throwing money at the problem has not proven to be the solution.

In the SANS Institute paper “Leading Effective Cybersecurity with the Critical Security Controls”, author Wes Whitteker noted that while investments in cybersecurity have boomed in recent years, so have the number of major data breaches.

According to Whitteker, the global cybersecurity problem is being met with ineffective responses due to organizations’ lack of a solid cybersecurity foundation.

“If the functions that set an organization’s cybersecurity foundation are flawed, it is very likely that the solutions they choose will be flawed, too,” he writes. “The CSCs offer a framework that provides the critical visibility needed to aid in strategy development and manage existing organizational environments.”

In this blog series, we’ve explained how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.

We first discussed how Qualys can help organizations slash risk of cyber attacks by 85% with the first five controls. In our second post, we explained the benefits of building upon that “foundational cyber hygiene” with controls six through 10. And last week we delved into more sophisticated techniques with controls 11 through 15.

In this, our fourth and last installment, we’ll discuss controls 16 through 20.

Implementing the CIS 20 Critical Security Controls: Delving into More Sophisticated Techniques

Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.

These three companies — a German pharmaceutical contract manufacturer, an IT services provider in Bangladesh and a large telecom in Belgium — all found the InfoSec clarity and guidance they needed in the Center for Internet Security’s Critical Security Controls (CSCs).

They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.

In this blog series, we’re explaining how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.

In our first installment, we discussed how Qualys can help organizations slash 85% of cyber attack risk by adopting the first five of the Center for Internet Security’s 20 Critical Security Controls. Last week, we explained the benefits of building upon that “foundational cyber hygiene” with controls 6 to 10.

Now on version 6.1, the CSCs are described by the CIS as “high-priority, highly effective actions” that offer “specific and actionable ways to thwart the most pervasive attacks.” They’re meant to be a starting point for cyber defense improvement using a prioritized approach.

The CSCs, first published in 2008, help organizations prioritize and deal with “the most important things, which are the ones that stop real world attacks,” John Pescatore, a SANS Institute analyst, said in a recent webcast hosted by Qualys.

In today’s installment of our blog series we’ll discuss controls 11 to 15, as we move into the second half of the list, which contains increasingly sophisticated techniques.

Qualys Policy Compliance Notification: Policy Library Update

The Qualys library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

  • New CIS benchmarks for Docker
  • New policies for USGCB for Microsoft Windows
  • New best practice controls for reducing risk related to malware/ransomware
  • Several updates to existing Mandate-based, CIS and DISA STIG Policies


Qualys Cloud Platform 8.11.2 New Features

This new patch release of the Qualys Cloud Platform, version 8.11.2, includes updates to shared platform features, Qualys Vulnerability Management and Qualys Policy Compliance SCAP scanning.

Update 12/1/2017: New Vulnerability Management feature added below.


Qualys WAS: New Detections for XML External Entities (XXE)

In the new 2017 edition of the OWASP Top 10, XML External Entities (XXE) make their first appearance at #A4 on the list. Qualys is pleased to announce that Qualys Web Application Scanning (WAS) engine 4.4 includes new detection capabilities for XXE vulnerabilities.


Implementing the CIS 20 Critical Security Controls: Building Upon Foundational Cyber Hygiene

Most successful cyber attacks exploit known vulnerabilities for which patches are available, or take advantage of weak configuration settings that could have been easily hardened. You can significantly lower the risk of being victimized by this type of common, preventable attack by adopting the Center for Internet Security’s Critical Security Controls (CSCs).

This set of 20 structured InfoSec best practices offers a methodical and sensible plan for securing your IT environment, and maps to most security control frameworks, government regulations, contractual obligations and industry mandates.

The CSCs were first developed in 2008 and are periodically updated by a global community of volunteer cybersecurity experts from government, academia and industry. “The CIS Controls provide a prioritized approach to cyber security, starting with the most essential tasks and progressing to more sophisticated techniques,” Tony Sager, CIS Chief Evangelist, wrote recently.

In this blog series, we’re explaining how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.


November Patch Tuesday: 53 Vulnerabilities and a Massive Adobe Update

This November Patch Tuesday is moderate in volume and severity. Microsoft released patches to address 53 unique vulnerabilities, with 25 focused on Remote Code Execution fixes. Windows OS receives 14 patches, while the lion’s share is focused on Browsers, Microsoft Office, and Adobe. According to Microsoft, there do not appear to be any actively attacked vulnerabilities in the wild in this patch release.


Implementing the CIS 20 Critical Security Controls: Slash Risk of Cyber Attacks by 85%

If a CISO needed to cut cyber attack risk by 85%, how would this security chief go about accomplishing that? Would the CISO even know where to begin? It’s safe to say that such a mandate would be considered daunting, and maybe even overwhelming.

CISOs are scrambling to protect IT infrastructures whose boundaries are increasingly fluid due to the adoption of mobility, cloud computing, IoT, and other new technologies. They get bombarded daily with information — research studies, threat warnings, vendor announcements, regulatory requirements, industry recommendations. Making sense out of it all is a challenge.

And yet, that dramatic cyber-attack risk reduction is an attainable goal for organizations that apply the first five of the Center for Internet Security’s 20 Critical Security Controls.

This structured and prioritized set of foundational InfoSec best practices offers a methodical and sensible approach for securing your IT environment. It maps effectively to most security control frameworks, government regulations, contractual obligations and industry mandates.

In this blog series, we’ll explain how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — can help security teams of any size to broadly and comprehensively adopt the CIS controls.

Webcast Q&A: DevSecOps – Building Continuous Security Into IT and App Infrastructures

As organizations adopt DevOps to create and deliver software quickly and continuously — a key step for supporting their digital transformation initiatives — they must not overlook security. In DevOps, development and operations teams add agility and efficiency to software lifecycles with automation tools and constant collaboration, but the added speed and flexibility can backfire if security is left out.

Rather, organizations should bake security personnel, tools and processes into the DevOps pipeline, ending up instead with DevSecOps, a topic whose business and technology aspects were explored in depth during a recent webcast by Qualys Product Management VP Chris Carlson and SANS Institute Analyst John Pescatore.

In this blog post, we’re providing an edited transcript of the question-and-answer portion of the webcast, during which participants asked Carlson and Pescatore about a variety of issues, including the dangers of using Java, the right tools for DevSecOps, and the best way to embed security into the process. We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the live broadcast of the webcast — titled “DevSecOps – Building Continuous Security Into IT & App Infrastructures” — we invite you to listen to its recording, which we’re sure will provide you with a lot of practical tips, useful best practices and valuable insights about DevSecOps and digital transformation.

New ‘Silence’ Banking Trojan copies Carbanak to Steal from Banks (Analysis with IOCs)

Dark Reading is reporting on a new banking trojan called ‘Silence’ that mimics techniques similar to those of the Carbanak hacker group targeting banks and financial institutions. The attack vector is similar: target individuals with spear-phishing emails to trick them into running a malicious attachment, which then connects out to download a dropper that further infects the user’s machine. This attack does not use an exploit against a vulnerability, but rather takes advantage of social engineering to fool the user into executing the malicious payload and infecting their machine.

Silence is interesting in that the trojan’s capabilities include a screen grabber that will take multiple screenshots of the user’s active monitor and upload the real-time stream to a command and control server for monitoring by the adversary. This technique allows the threat actor to identify which users have access to specific banking applications, systems, and accounts that they can use for financial gain.
