This release of the Qualys Cloud Platform version 2.32 includes updates and new features for AssetView, EC2 Connector, Indication of Compromise, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.
This week offered a representative sampling of different corners of the cyber security world: The monthly Patch Tuesday, a brazen attack against the Olympics, new Meltdown and Spectre concerns, and a boost for Intel’s bug bounty program.
Oh, and the gargantuan Equifax data breach may have been even bigger than previously thought.
Winter Olympics hack confirmed
The 2018 Winter Olympics in Pyeongchang, South Korea are in full swing, featuring the world’s best ice skaters, skiers, hockey players and snowboarders, and also attracting, unfortunately, malicious hackers.
Attackers’ goals seem to be to disrupt the games in a variety of ways by interfering with and disabling IT systems.
For this month’s Patch Tuesday, Microsoft has released patches covering 55 vulnerabilities, with 15 ranked as critical. This includes out-of-band Office patches from mid-January as well as patches for Adobe Flash that were released last week.
From this list, there are patches for a vulnerability (CVE-2018-0825) that impacts StructuredQuery in Windows servers and workstations. Exploitation of this vulnerability would be through a malicious file and would lead to remote code execution. This patch should be at the top of the priority list, aside from the Adobe Flash patches mentioned below.
As hackers get faster at weaponizing exploits for disclosed bugs, InfoSec teams need — more than ever — automated, continuous and precise IT asset inventorying, vulnerability management, threat prioritization and patch deployment.
Critical vulnerabilities that linger unpatched for weeks or months offer hackers easy opportunities to breach systems. These bugs open the door for bad guys to steal confidential data, hijack PCs, commit financial fraud and create mayhem.
The WannaCry ransomware attack, which infected 300,000-plus systems and disrupted critical operations globally in mid-May 2017, highlighted the importance of timely vulnerability remediation.
It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild.
Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, and a data breach at a Swiss telecom company.
As has been the case these past few weeks, we’ll lead off with the latest on Meltdown and Spectre, the hardware vulnerabilities whose disclosure on Jan. 3 sent shockwaves through the IT industry due to their scope and severity, and which are expected to remain an issue for years.
You’ll be hard pressed to find file integrity monitoring on any list of cool, emerging, cutting-edge cybersecurity technologies. But if you choose to ignore this mature, foundational technology, it’ll be at great risk.
File integrity monitoring, or FIM, plays a key role in critical security and compliance scenarios. An effective FIM system can help you to promptly detect a variety of changes stemming from normal IT activity, compliance and change control violations, or malicious acts such as ransomware/malware attacks and configuration tampering. FIM can be your last line of detection for complex and evasive rootkits or mobile code. It is also invaluable in making sure validated scripts and configurations are not changed by insiders, malicious or not.
In this blog series, we’ll address the major uses for FIM, starting with regulatory compliance, and specifically the PCI DSS (Payment Card Industry Data Security Standard) mandate.
While FIM is an implicitly required control in many regulations for ensuring information integrity, it is explicitly mentioned in PCI DSS for any system handling personally identifiable information. The best practices and insights from those monitoring systems with FIM for PCI compliance are just as applicable to other regulations and mandates, such as HIPAA, GDPR and Sarbanes-Oxley.
With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.)
First discussed in the 1990s and turned into law in 2016, GDPR goes into effect in May of this year, imposing strict requirements on millions of businesses and subjecting violators to severe penalties.
The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes the data of EU citizens, whose privacy the GDPR is meant to protect. Fines are stiff, including up to 4 percent of an organization’s annual revenue, or €20 million, whichever is higher.
While GDPR makes only a few, vague references to technology requirements for compliance, it stresses that data “controllers” and “processors” must safeguard customer information by implementing “appropriate technical and organisational measures.”
The regulation also highlights the need for organizations to have in place secure IT networks and systems that can “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”
We are giving advance notification for following grading criteria changes applying from March 1, 2018: Not using forward secrecy, not using AEAD suites, and vulnerability to ROBOT. Update: This release also includes a grading change for some Symantec certificates.
This week brought new developments in the Meltdown / Spectre saga, including more concerns about Intel’s buggy patches, and mounting evidence that hackers are trying to create exploits for the vulnerabilities.
It seemed that after weeks of complaints and confusion, Intel’s issue had hit bottom and was headed for a resolution on Monday of last week. That’s when the company said its firmware updates for Broadwell and Haswell CPUs shouldn’t be installed anymore, because, as many customers had reported, they made systems behave erratically, including unexpectedly rebooting.
At the time, Intel said it had discovered the “root cause” for the firmware’s problems, and was already actively developing new updates. However, another shoe was about to drop. Three days later Intel acknowledged in its quarterly earnings report that the glitchy firmware can also cause “data loss or corruption.”
This disclosure prompted Microsoft to take the unusual step of releasing an emergency Windows update designed to disable Intel’s fix for one of the two Spectre variants. Microsoft’s “out-of-band” update — KB4078130 — targets Intel’s patch for CVE-2017-5715, Spectre’s branch target injection vulnerability.
In today’s information security world, all assets everywhere must be detected, visible, protected and compliant — all the time. It’s no longer enough to rely on “point in time” security and compliance assessments, such as scheduled weekly or monthly scans on handpicked critical servers.
“You must transition to continuous security and compliance monitoring of all of your global IT assets,” Chris Carlson, a Vice President of Product Management at Qualys, said during a recent webcast.
The reasons for this shift are many and varied, and include these three key ones: