
QualysGuard 8.1 New Features

QualysGuard 8.1 adds the following capabilities to the QualysGuard Cloud Platform and its suite of services:

  • Vulnerability Management
    • New Maps
    • Certificate Fingerprint in Certificates Dashboard
    • Lite OS Detection and Custom Header Settings
    • Host Remediation Information
    • Scan Report Template Improvements
    • New Library Templates for Heartbleed and Continuous Monitoring
  • Policy Compliance
    • Directory Search UDCs
    • Exception Expiring Notifications
    • Policy Library Improvements
  • API Enhancements
    • User Defined HTTP Headers
    • API Support for SCAP Scans
    • Compliance Posture CSV Output
  • QualysGuard Platform
    • Help Tips


Using QualysGuard With Secret Server

Why Does Authentication Matter?

Drive-by downloads.  Excel spreadsheet zero-days.  In today’s IT environment, threats are coming from more places than ever before, making it more important than ever to perform a comprehensive assessment of vulnerabilities.  Although remote-only checks can be very useful for finding issues, only authenticated scanning can guarantee that all issues – not just those exposed on listening ports – are detected and addressed.  Unfortunately, enterprises often face a number of challenges when attempting to roll out authenticated scanning:

  • System administrators may be reluctant to give out credentials, especially when those credentials are stored by a third party.
  • Performing password rotation can lead to lots of failed scans if credentials aren’t updated in every option profile and target asset simultaneously.
  • Auditing the use of the shared credential becomes critically important when a single shared privileged ID is used across multiple targets.

In order to help address these issues, Qualys has added support for Thycotic’s Secret Server Enterprise Password Management solution.  This new capability provides several benefits:

  • Credentials for targets can be kept inside the customer’s network perimeter at all times.  When configured to use Secret Server, QualysGuard scans only need Web Services credentials for Secret Server.  When a target is scanned, the scanner appliance inside the customer’s network communicates directly with Secret Server to obtain credentials for scanning.  These credentials are only kept in memory on the scanner appliance, are destroyed when the scan is completed, and are never transmitted outside the customer’s network.
  • Password rotation can happen frequently and automatically.  Because the credentials for a target are obtained at the time of the scan, administrators can set any password rotation time desired, even as often as daily.  The only time updating is required in QualysGuard is when the Web Services credentials are changed, and this only needs to be configured in one place.
  • Control and auditing of credential usage can be done easily.  Secret Server can limit access to the credential to your scanner appliances only, and provides detailed reporting about access and usage of the credentials so that you know exactly when, where, and why a credential was used.

Configuring QualysGuard to use Secret Server

In order to begin using Secret Server with QualysGuard you must first ensure that Secret Server’s Web Services are enabled by doing the following:

  1. Log in to the Thycotic Secret Server Administration interface.
  2. Go to Administration > Configuration.
    Secret Server Configuration
  3. Click Edit to change configuration settings.
  4. On the General tab, select "Enable Webservices".
    Enable Webservices
  5. Click Save.

Once you’ve completed these steps you can then configure QualysGuard to use Secret Server.

  1. First, go to Scans -> Authentication -> Authentication Vaults
    Auth Vaults
  2. Create a new Thycotic Secret Server vault:
  3. Fill out the information required:
    URL:  URL to the Secret Server web services, which may use http or https, e.g. //secretserver.qualys.com/webservices/sswebservice.asmx

    User Name:  The user name of the Secret Server user account that has access to the secret names to be used for authentication.
    Password:  The password of the Secret Server user account; note this is for the Web Services user only, not for the target systems.
    Domain (Optional):  Provide a fully qualified domain name if Secret Server is integrated with Active Directory.


Now that you’ve configured Qualys to use Secret Server, you need to set up either Windows or Unix credentials in Secret Server for the targets you want to authenticate to.  For example, let’s say that we’ve configured Secret Server to store administrative credentials for user vm_scan_account under the secret name win_scan_secret for 10.0.0.1 (mywindowsserver.acme.com).  Following the steps above, we’ve created an Authentication Vault entry called Secret Server Vault.

We now need to create a new Windows Authentication Record with the following items checked:

Login Type:  Authentication Vault
User Name:  vm_scan_account (this is the name of the account on 10.0.0.1 that will be used for login)
Vault Type:  Secret Server
Vault Title:  Secret Server Vault (what we set up above)
Secret Name:  win_scan_secret (the name of the secret in Secret Server that stores the password for user vm_scan_account)

Don’t forget to add IP 10.0.0.1 to the record as well (unless you’re using a NetBIOS Service-Selected IP domain type, in which case the record will be automatically used for any Windows systems participating in that domain).

If there are any problems using the Secret Server credentials then you’ll see the specific error message listed under QID #105015 (Windows Authentication Failed) or QID #105053 (Unix Authentication Failed).

Conclusion

Secret Server will help you expand the scope of your authenticated scanning, giving you even greater visibility of any vulnerabilities on the target systems, and allowing you to make effective use of features such as our Zero-Day Risk Analyzer.  We hope you find this new integration useful; please let us know how we can improve these capabilities to make them even better.

Using QualysGuard 7.0: iDefense Threat Intelligence and Zero-Day Risk Analyzer

Vulnerability Management has always been defined by scanning assets for known vulnerabilities, applying the required patches, and then repeating the cycle.  Over the past few years, however, there has been an increasing threat from zero-day vulnerabilities:  threats that exploit vulnerabilities that are unknown to the software developer, and thus don’t have associated patches.  These new threats pose a major risk and have been very difficult to deal with using traditional vulnerability management tools.

I’m pleased to announce that QualysGuard 7.0 adds the new iDefense Threat Intelligence Module and Zero-Day Risk Analyzer in order to help customers proactively assess the risk of emerging zero-day threats in their environment.  This provides a few key abilities to QualysGuard users:

  • Exclusive coverage and analysis of emerging zero-day threats provided by iDefense
  • Customizable alerting and notification of new threats and their impact on your environment
  • Predictive analysis of the threat in your environment without the need to perform new scanning

Let’s review how each of these items is implemented.

iDefense Threat Intelligence

Once the iDefense Threat Intelligence Module has been purchased and activated, a user with the Manager role in your subscription should be used to log in.  You will see a new tab in the KnowledgeBase workflow:  iDefense Intelligence.  Navigating to this tab will lead to a prompt to activate and configure both the New data security model and iDefense Notifications:


Both steps are optional but recommended in order to get the full value of the iDefense Threat Intelligence module.

  • New data security model:  By enabling this, the Zero-Day risk analyzer will be enabled to make predictions about the impact of new zero-day vulnerabilities based on previous scan results (discussed below).  Activating this also allows your subscription to take advantage of scheduled reporting and participate in the Asset Tagging beta program.
  • Manage Notifications:  Due to the sensitivity of the data contained, only Managers can configure email alerts to be sent.  Different types of alerting are available and can be configured on a per-user basis; this is explained in more detail in the next section.

Once the initial configuration is complete, you’ll be greeted with the iDefense Intelligence datalist:


There are four important items to see:

  1. iDefense Identifier and Title:  The iDefense Document ID and description of the vulnerability are displayed here.  Many entries may indicate "iDefense Exclusive" – these are items that are only available from the research team at iDefense, and are not publicly known.
  2. CVSS Score and Publication Date:  CVSS helps you determine the severity of the vulnerability; you can sort vulnerabilities by the publication date in order to see the newest items.  Vulnerabilities published in the last week are also marked with "New" next to the Document ID.
  3. Prediction Details:  Clicking on a row displays the prediction details.  "Predictable" indicates that a vulnerability can be evaluated by the Zero-Day Risk Analyzer, and a count of the assets at risk will be displayed here.
  4. % at Risk:  This shows the percentage of assets in your environment that the Zero-Day Risk Analyzer has predicted to be impacted.

Additionally, right-clicking on an entry allows you to either view the Threat Report from the Zero-Day Risk Analyzer (detailed below) or see the detailed analysis from iDefense about the vulnerability:


Customizable Alerts

Managers can configure email alerts to be sent for new iDefense publications by using the iDefense Notifications selection in the Setup portion of the KnowledgeBase workflow.  It displays the following screen:


For each entry you configure the following:

  • User:  Any defined QualysGuard user in your subscription can be chosen.
  • Email Type:  Either ASCII (Text) and HTML notifications can be used.  The contents of the message are identical.
  • Show Details:  If chosen, each new zero-day vulnerability published will be listed individually.  If show details is not selected then only a general statement ("New vulnerabilities have been published") will be emailed; users must log in to see the specifics.
  • Show Risk %:  If "Show Details" is chosen then this will be available; it will show the percentage of systems in your environment that have been predicted to be at risk to this new vulnerability based on the Zero-Day Risk Analyzer.

The most powerful type of alert is one with both "Show Details" and "Show Risk %" enabled; it provides immediate information on the risk of newly-published vulnerabilities without any need for scanning or other user intervention.

Zero-Day Risk Analyzer

The Zero-Day Risk Analyzer performs analysis for predictable vulnerabilities from the iDefense listing.  It does so by taking the most current data available for assets ("automatic data" stored in the QualysGuard database) and looking for correlation points that would indicate a vulnerability.  Here’s an example:

  1. iDefense publishes a new vulnerability for CUPS affecting a variety of OS X and Unix platforms.
  2. The Zero-Day Analyzer determines the attributes (CUPS packages, known vulnerable version numbers, operating systems, etc.) that can be used to make a prediction.
  3. The most recent scan data for each asset in your environment – whether from last night, or 3 weeks ago, or whenever – is used to determine if there is a correlation.
  4. The quality of the prediction (based on the number of matching attributes) is determined and is recorded.
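The correlation in these four steps, as an added illustration that is not Qualys’s code: a small Python analyzer that scores stored asset scan records against the attributes of a CUPS advisory and assigns a Confirmed, Likely or Potential confidence from how many attributes match. The advisory ID, QID, hosts, groups and versions are all constructed sample data.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    """Attributes of a published advisory that can be correlated with scan data."""
    doc_id: str                 # advisory identifier (constructed placeholder)
    package: str                # affected software package
    fixed_version: str          # installed versions below this are vulnerable
    os_families: frozenset      # platforms the advisory applies to
    qid: Optional[int] = None   # detection id, if a scan-time check already exists


@dataclass
class Asset:
    """The most recent scan data stored for one host, however old it is."""
    ip: str
    hostname: str
    group: str
    os_family: str
    packages: Optional[dict]    # name -> version ("" if unknown); None if no inventory
    detected_qids: set
    scanned: date


def version_tuple(v: str) -> tuple:
    """Compare dotted numeric versions as integer tuples (1.4.6 < 1.4.9 < 1.5.0)."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def predict(asset: Asset, vuln: Vulnerability):
    """Return (confidence, matched_attributes); confidence is None when not at risk."""
    # An actual detection from a previous scan beats any prediction.
    if vuln.qid is not None and vuln.qid in asset.detected_qids:
        return "Confirmed", ["qid"]
    matched = []
    if asset.os_family in vuln.os_families:
        matched.append("os")
    if asset.packages is None:
        # Unauthenticated scan: no package inventory, so the OS is the only evidence.
        return ("Potential", matched) if matched else (None, matched)
    installed = asset.packages.get(vuln.package)
    if installed is None:
        return None, matched                 # package not present: not at risk
    matched.append("package")
    if installed == "":
        return "Potential", matched          # package seen but version unknown
    if version_tuple(installed) >= version_tuple(vuln.fixed_version):
        return None, matched                 # already at or past the fixed version
    matched.append("version")
    # Every attribute matched on a supported platform: high likelihood.
    return ("Likely" if "os" in matched else "Potential"), matched


def threat_report(assets: list, vuln: Vulnerability, top_n: int = 10) -> dict:
    """Figures a Threat Report shows: % at risk, confidence breakdown, top groups."""
    rows = []
    for a in assets:
        conf, matched = predict(a, vuln)
        if conf is not None:
            rows.append({"ip": a.ip, "host": a.hostname, "group": a.group,
                         "confidence": conf, "matched": matched, "scanned": a.scanned})
    pct = round(100.0 * len(rows) / len(assets), 1) if assets else 0.0
    return {
        "doc_id": vuln.doc_id,
        "pct_at_risk": pct,
        "counts": dict(Counter(r["confidence"] for r in rows)),
        "top_groups": Counter(r["group"] for r in rows).most_common(top_n),
        "assets": rows,
    }


# Constructed sample data: a CUPS advisory and six hosts with scan data of varying age.
SAMPLE_VULN = Vulnerability("DOC-ID-PLACEHOLDER", "cups", "1.4.9",
                            frozenset({"OS X", "Linux"}), qid=100000)
SAMPLE_ASSETS = [
    Asset("10.0.0.1", "mac-print-01", "Mac Workstations", "OS X", {"cups": "1.4.6"}, set(), date(2012, 2, 24)),
    Asset("10.0.0.2", "linux-print-01", "Linux Servers", "Linux", {"cups": "1.4.6"}, {100000}, date(2012, 2, 24)),
    Asset("10.0.0.3", "mac-lab-02", "Mac Workstations", "OS X", None, set(), date(2012, 2, 3)),  # unauthenticated, 3 weeks old
    Asset("10.0.0.4", "web-01", "Linux Servers", "Linux", {"cups": "1.5.0"}, set(), date(2012, 2, 24)),  # already fixed
    Asset("10.0.0.5", "win-fs-01", "Windows Servers", "Windows", {"openssl": "1.0.0"}, set(), date(2012, 2, 24)),
    Asset("10.0.0.6", "mac-design-03", "Mac Workstations", "OS X", {"cups": ""}, set(), date(2012, 2, 20)),  # version not recorded
]

if __name__ == "__main__":
    report = threat_report(SAMPLE_ASSETS, SAMPLE_VULN)
    print(f"{report['pct_at_risk']}% at risk, breakdown {report['counts']}")
    for row in report["assets"]:
        print(row["ip"], row["host"], row["confidence"], row["matched"], row["scanned"])
```

The scan date carried on each row is what lets a reader judge how stale the evidence behind a prediction is.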

The Zero-Day Risk Analyzer is accessed via the Quick Actions menu in the iDefense Datalist under the heading "Threat Report".

Once opened, this will display the Zero-Day Risk Analyzer report for the selected vulnerability.


This report displays several important items:

  1. At Risk Analysis:  This chart shows the percentage of your environment predicted to be at risk from this vulnerability.
  2. Prediction Details:  This shows the breakdown of the types of predictions made for the assets affected.  Predictions are made based on correlating existing scan data with known vulnerability attributes, and can have one of three different qualities:
       Confirmed:  For some vulnerabilities an actual scan may have been performed, and the QID detected.
       Likely:  A significant number of attributes matched, giving a high likelihood that the asset is affected.
       Potential:  Some attributes matched, so there is a possibility that the asset is at risk, but the confidence level is lower.
  3. Most Impacted Asset Groups:  The top 10 most impacted asset groups are listed in descending order, so that remediation/mitigation activities can be prioritized.
  4. Vulnerability Details:  Specific information about the vulnerability can be found here.
  5. Asset Details:  Clicking this leads to the affected asset datalist.

When clicking on details you will see the affected asset datalist:


Assets are listed with identifying attributes such as IP address and host name.  The OS and software found that led to the prediction are also displayed, along with the resulting confidence level of the prediction (Confirmed, Likely, or Potential).  Assets can be sorted and filtered by asset group, and a CSV of the results can be downloaded for additional analysis.

Summary

The iDefense Threat Intelligence module and the Zero-Day Risk Analyzer provide the information that security professionals need in order to be truly proactive when dealing with emerging threats.  The iDefense Intelligence tab provides up-to-the-minute information on emerging threats, and offers customizable alerting so that your users can be informed immediately.  The Zero-Day Risk Analyzer allows you to determine the impact of a new vulnerability without having to wait to actually perform a scan, by using instead the extensive information you’ve already collected through QualysGuard scans.  This allows you to focus on mitigating controls and risk management, rather than scrambling to get scans of systems to determine the scope of the problem.

In the future we’ll be adding many more capabilities to the Zero-Day Risk Analyzer, including the ability to model the impact of mitigating controls (such as firewall rules to block traffic) and the ability to perform predictions on non-iDefense vulnerabilities (such as Microsoft Patch Tuesday vulnerabilities).  In the interim, we hope you find this new module to be useful, and would greatly appreciate any feedback you have on how it can be improved. 

If you are interested in obtaining a trial or purchasing the iDefense Threat Intelligence module, please contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

Using QualysGuard 7.0: The New UI

Starting with QualysGuard 7.0 all accounts will be converted to use the New User Interface.  This new interface is designed to make use of QualysGuard easier and more efficient by focusing on four key areas:

  • Distinct modules and grouped workflows to help accomplish key tasks
  • Dashboards to provide immediate feedback on the security and compliance of your network
  • Context-sensitive menus and integrated dialogs to provide direct and relevant actions

Let’s review how each of these items is implemented.

The Module Picker

In the upper-left hand corner of the UI you’ll find the module picker, which allows you access the specific functionality you’re looking for:


Several modules may be displayed depending on what is enabled for your subscription:  VM (my personal favorite), PC/FDCC, WAS, ASSET, MDS, and others.  Choosing a module changes the context of the rest of the UI.  For example, when working in the Vulnerability Management context your workflows would look like this:


Switch to Policy Compliance and the workflows adjust:


The Module Picker allows you to focus on the tasks at hand – performing vulnerability scans, creating policies for Unix systems, or reviewing Malware statistics – without the distraction of menus or icons that aren’t relevant.

Grouped Workflows

Grouped workflows organize the various features of QualysGuard into related units so that you have easy access to all the functions necessary to perform a task.  For Vulnerability Management there are seven workflows:


Dashboard:  This displays a high-level overview of the number of vulnerabilities in your environment (see below for more details).

Scans:  All the activities required for provisioning scanner appliances, creating authentication records, and scheduling and launching new maps and scans.

Reports: All the activities required for creating customized reports of scan data.

Remediation:  Management of ticketing policies and reviewing/editing/resolving individual tickets.

Assets:  Functions to manage asset groups, lists of individual assets/virtual hosts/domains, and the ability to search for assets meeting specific criteria.

KnowledgeBase:  List of all current detections, iDefense Threat Intelligence information, and search list management.

Users:  All the activities required to provision new users, assign them to business units, and review their recent activities.

As new capabilities are added to QualysGuard you’ll see more entries under each workflow, and we may add additional workflows as well.

Dashboards

New Dashboards provide a high-level overview of the state of your network, the most common issues found, recent and upcoming scans, and recently generated reports.  For Vulnerability Management the Dashboard looks like this:


The Policy Compliance Dashboard is similar, but provides additional abilities to drill down into specific policies to find trends and problem areas.


You’ll notice in the Welcome to 7.0 message that there is a one-click way to make these dashboards your default home page; you can also change this yourself by choosing the "Homepage" option here:


Context-Sensitive Menus and Integrated Dialogs

New "Quick Actions" items are available in every datalist in order to give you immediate access to common tasks.  In the scanning datalist, for example, you can quickly view the results, relaunch the scan, download the file, and more.


Many dialog boxes that used to be pop-up windows have also been converted into modal windows so that you don’t have to hunt through a pile of QualysGuard windows to find the ones dealing with the task you’re trying to accomplish.  For example, the "Info" quick action on Option Profiles now launches a modal window with start-to-finish navigation tabs listed on the left-hand side:


If you prefer to have the information in its own window then you can click on the "Pop-out" button in the upper right corner.

Summary

We’ve worked hard to modernize the QualysGuard user interface in a way that’s more intuitive, more efficient for performing tasks, and more flexible for a variety of different types of users.  We’ve had many comments and suggestions from customers, and have made over 150 changes to the interface based on those suggestions; we’d love to hear more about how we can continue to make it better.  Please contact your Technical Account Manager,  Qualys' Technical Support Department at support@qualys.com, or make a posting here or in the New User Interface portion of our community with your thoughts and suggestions.

QualysGuard 7.0

Qualys is excited to announce the release of QualysGuard® Version 7.0, which will be available in production on Thursday, February 23rd, 2012.

QualysGuard Enhancements:

  • New User Interface:   Starting with QualysGuard 7.0 all accounts will be converted to use the New User Interface that features interactive dashboards, actionable menus and workflows, and context-based interactions.
  • Dynamic Asset Tagging (beta):  QualysGuard 7.0 includes the open beta of Dynamic Asset Tagging that gives customers the ability to automatically organize assets based on any discovered attributes (e.g. Operating System, installed software, or even users in the Administrators Group).
  • iDefense Threat Intelligence:  QualysGuard 7.0 adds the iDefense Threat Intelligence module that provides users with a way to get customized alerts about new threats published exclusively by VeriSign iDefense Cyber Intelligence.
  • Zero-Day Risk Analyzer:  QualysGuard 7.0 provides the Zero-Day Risk Analyzer to inform customers of emerging zero-day threats and estimate their impact on critical systems using information collected from previous scan results, giving security professionals the ability to address risk without requiring scanning first.
  • Scheduled Reporting: QualysGuard 7.0 introduces the ability to schedule reports, allowing customers to automate the process of distributing scan results, scorecards, and Patch Reports.
  • qgCalendar: QualysGuard 7.0 adds support for downloading a feed of scanning activity in iCal format so that customers can view all past and future scanning activities in calendaring applications such as Microsoft Outlook.

QualysGuard Policy Compliance Enhancements:

  • DB2 Authentication: QualysGuard 7.0 adds authentication for IBM DB2 databases on supported Windows and Linux platforms, providing customers the ability to gather database configuration information in order to validate compliance with corporate policies.
  • Policy Report Improvements: QualysGuard 7.0 includes the following report improvements:
    1. Users can hide all details in the Detailed Results section of the policy report.
    2. Users can include Control References in template-based reports.
  • FDCC Support for Windows 2008 Server: Custom FDCC policies can be created for Windows 2008, allowing you to scan for FDCC compliance and generate FDCC reports for this technology. A pre-defined policy for Windows 2008 can be imported into your account.

Full release notes will be available to customers from within the Resources section of your QualysGuard account. To receive more information on QualysGuard 7.0, please visit the Qualys Community at https://community.qualys.com or contact your Technical Account Manager or Qualys' Technical Support Department at support@qualys.com.

Risk I/O Integrates with QualysGuard to Further Automate Vulnerability Management

 

It’s good to share.

Qualys is a firm believer in the tremendous benefits of sharing information to improve information security.  Over the past year, we’ve demonstrated our commitment to industry collaboration with many projects, including the creation of the Ironbee Open Source project, our support of Convergence, and our work with StopBadware.  I’m happy to announce today that Risk I/O has joined the community of our partners in sharing.

Risk I/O provides a centralized portal for vulnerability information, reporting, and remediation management.  By utilizing the QualysGuard API, Risk I/O makes it easy to get an accurate and up-to-the-minute assessment of your vulnerabilities and share that information using concise charts and reports, improving the efficiency and performance of vulnerability management programs.  Tickets can be assigned to drive remediation work, and QualysGuard verification scans can be automatically launched to close the loop on remediation activities.  Risk I/O can even aggregate QualysGuard results with other standards-based tools in your environment to multiply the value of your data.  Since both QualysGuard and Risk I/O are cloud-based solutions, getting started is as easy as signing up for a free trial account.  You can read more about the Qualys and Risk I/O partnership on the Risk I/O blog.

We’re excited to work with Risk I/O to help you perform better vulnerability management.  Please share your experiences with us; we would love to hear your feedback so we can continue to improve our products and integrations!

QualysGuard PCI Now Includes Open Services Report

I was surrounded by numbers, more numbers that I could ever remember or justify.  Every time I tried to add them up they would find a new combination – one I hadn’t seen before – and mock me with a sum that was just a few dollars above or below where it was supposed to be.  I spent nearly three days doing calculations before I finally swallowed my pride and put in a "calculation error" entry to finish the process.

Reconciling my family’s checkbook had defeated me…this time.

Over the years I got better at doing the reconciliations, and eventually Microsoft Money made everything easier by automating the process, downloading transactions from my bank and helping me categorize and track all expenses.  Today I can happily say that balancing my account takes just a few minutes each month.

In many ways the PCI DSS section 1.1.5 requirement is a lot like reconciling a bank statement.  It states the following:

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

Simply keeping track of the assets in a cardholder data environment (CDE) can be a challenge, and this requirement adds on the responsibility for administrators to keep track of all ports and protocols that are in use in the CDE.  Additionally, the business justification for each port and protocol must be included; for most enterprises this requires involving multiple people and keeping notes about what the justification is and who provided it.

I’m pleased to announce that QualysGuard PCI version 5.3 now provides the Open Services Report.  In the same way the Microsoft Money helped me keep track of my spending, the Open Services Report can help you comply with PCI 1.1.5 by automating the workflow for discovering, authorizing, and reporting of the ports and protocols in your CDE.

Once you have performed a scan of your CDE you can access the Open Services Report via Network -> Open Services Report.


You’ll immediately see a few key capabilities:

  • The Summary section shows you how many services have been identified during the most recent scans and tracks how many have been categorized.  As you perform the workflow to approve/reject services these numbers will be updated.
  • A dynamic listing of all open ports and protocols detected in your CDE is listed in the grid.  You can change the grouping by host IP or by service, and can filter the list to show only the items you are interested in (such as description containing "NetBIOS" or service marked as "Unauthorized")
  • A CSV download of all the services and their status can be downloaded for distribution outside of the PCI application.

The Open Services Report includes the ability to classify services as authorized or unauthorized.  To do so, simply select all the services you wish to mark and click on "Classify".  You’ll be prompted to enter a business justification for that decision:


A complete history of all activity – who classified a service, when, and the reasons why – will be maintained and viewable in the report.  You can then proceed to use the report to demonstrate your compliance with the PCI 1.1.5 requirement.

We hope you find these new capabilities helpful in tracking and justifying the business needs for services in your CDE, and look forward to hearing your feedback.

QualysGuard Adds Malware Correlation and Virtual Patch Solutions


The forecast is "More snow."

Hundreds of people abandoned their cars on Chicago’s Lake Shore Drive after a storm left them stuck in more than a foot of snow.  Atlanta roads were nearly shut down and a Hawks game was canceled when snow overwhelmed the city’s eight snow plows.  Municipalities across the nation are finding their already thin finances stretched to the limit by snow removal costs. 

A nearly endless blizzard overwhelming resources with no end in sight…does this remind anybody else of vulnerabilities on a corporate network?  I can envision you nodding your head in agreement, thinking of the last report with quadruple-digit vulnerability counts (even when filtered to just Severity 4 and 5).  It’s not that you’re not interested in getting comprehensive scanning; it would just be nicer if you could easily focus on the most important issues.

At Qualys we’ve been looking for ways to help you filter and prioritize the vulnerabilities reported by QualysGuard into more actionable – and more concise – reporting.  Last year we introduced Exploitability Correlation to help focus on high-risk vulnerabilities, and over the past month we’ve worked closely with Trend Micro to introduce two new enhancements:  Malware Correlation and Virtual Patch Solutions.

QualysGuard 6.16 introduced Malware Correlation with the Trend Micro Threat Encyclopedia, allowing you to determine which vulnerabilities have associated Malware.  For example, the screenshot below shows that QualysGuard QID #90636 (MS10-061:  Microsoft Windows Print Spooler Remote Code Execution Vulnerability) is used by STUXNET:


Using Search Lists that filter on QIDs with associated Malware will allow you to really target the big risk items in your environment that could lead to something like a Conficker outbreak, while still having all the information on other vulnerabilities that need to be tracked and patched.

After you’ve determined the vulnerabilities that need to be fixed you now need to…well, do the fixing.  QualysGuard provides comprehensive information on patches available and workarounds that can be used, and in QualysGuard 6.17 we’ve added information on the availability of virtual patches that can also help mitigate risks in your environment.  A virtual patch is not a software patch per se; it is a mechanism – such as a HIPS firewall rule – that doesn’t actually patch the affected software but still provides a mitigating control that reduces or eliminates an attacker’s ability to exploit the weakness.  We’ve leveraged the Trend Micro Threat Encyclopedia to determine which QIDs have virtual patching solutions provided by Trend Micro Deep Security and OfficeScan + IDF, as shown in this screenshot:


We’ve also expanded our Search Lists to support filtering on both vendor-provided patches and virtual patches:


This allows you to find alternatives to applying vendor patches, especially in cases where a software patch can’t be applied (due to change control or software version dependencies) or isn’t available yet.

We’ve also tried to make it easy for you to use these new capabilities by including a few new items in our Template Library:

  • Virtually Patchable Assets v.1:  A report template listing high-priority vulnerabilities that can be remediated only via a Trend Micro virtual patch.
  • Assets at risk of Malware v.1:  A report template listing assets that have vulnerabilities with associated Malware as described by Trend Micro.
  • Critical Vulnerabilities with Virtual Patches v.1:  A Search List of high severity vulnerabilities with virtual patches correlated from Trend Micro.
  • Critical Vulnerabilities with Associated Malware v.1: A Search List of high severity, remotely-accessible vulnerabilities with associated Malware correlated from Trend Micro.
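The four library items above are essentially filters over scan findings. As an added illustration that is not Qualys code, the following script expresses those same filters over a constructed set of findings; the severity threshold, the hostnames, the second QID and the remote/patch flags are assumptions, while QID 90636 / MS10-061 / STUXNET comes from the post.

```python
from dataclasses import dataclass

# Severity 4 and 5 are treated as "high" here; the exact threshold the
# library templates use is not stated in the post (assumption).
HIGH_SEVERITY = 4

@dataclass(frozen=True)
class Finding:
    host: str
    qid: int
    title: str
    severity: int              # QualysGuard severity, 1 (low) to 5 (urgent)
    remote: bool               # exploitable over the network without credentials
    malware: tuple = ()        # malware families correlated with this QID
    vendor_patch: bool = False # a vendor software patch exists
    virtual_patch: tuple = ()  # products offering a virtual patch for this QID

def critical_with_malware(findings):
    """Search List: high severity, remotely accessible QIDs with associated malware."""
    return sorted({f.qid for f in findings
                   if f.severity >= HIGH_SEVERITY and f.remote and f.malware})

def critical_with_virtual_patches(findings):
    """Search List: high severity QIDs for which a virtual patch is available."""
    return sorted({f.qid for f in findings
                   if f.severity >= HIGH_SEVERITY and f.virtual_patch})

def assets_at_risk_of_malware(findings):
    """Report: hosts carrying at least one malware-associated vulnerability."""
    return sorted({f.host for f in findings if f.malware})

def virtually_patchable_assets(findings):
    """Report: hosts whose high-priority findings can only be mitigated with a
    virtual patch because no vendor patch exists (or cannot be applied)."""
    result = {}
    for f in findings:
        if f.severity >= HIGH_SEVERITY and f.virtual_patch and not f.vendor_patch:
            result.setdefault(f.host, []).append(f.qid)
    return {host: sorted(qids) for host, qids in result.items()}

# Constructed sample scan results: hosts, QIDs 999001/999002 and all flags are
# made-up placeholders; only QID 90636 (MS10-061, STUXNET) is from the post.
SAMPLE = [
    Finding("print-srv-01", 90636, "MS10-061: Print Spooler RCE", 5, True,
            malware=("STUXNET",), vendor_patch=True,
            virtual_patch=("Deep Security", "OfficeScan + IDF")),
    Finding("web-02", 999001, "placeholder: unpatched web app flaw", 4, True,
            vendor_patch=False, virtual_patch=("Deep Security",)),
    Finding("desk-17", 999002, "placeholder: local-only low severity bug", 2, False),
]
```

Running `virtually_patchable_assets(SAMPLE)` returns only `web-02`, since the Stuxnet finding on the print server already has a vendor patch and would be excluded from that report.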

Please let us know how we can improve these capabilities to make them even more useful.  In the interim, we hope you find these new features helpful in weathering the blizzard of vulnerabilities you face every day!

PCI Version 2.0 SAQs Now Available

On November 18th the PCI Security Standards Council published version 2.0 of the Self Assessment Questionnaires (SAQs).  These updated documents now align with the new version 2.0 of the PCI Data Security Standard.

The changes to the SAQs mostly involve minor refinements and clarifications, but one major change is the inclusion of a new type of SAQ: C-VT.  This SAQ is a simplified version of SAQ C that is targeted at merchants who use virtual terminals to process payments.  The SAQ defines a virtual terminal as:

a web-browser based access to an acquirer, processor or third party service provider website to authorize payment card transactions, where the merchant manually enters payment card data via a securely connected web browser. Unlike physical terminals, virtual terminals do not read data directly from a payment card. Because payment card transactions are entered manually, virtual terminals are typically used instead of physical terminals in merchant environments with low transaction volumes.

Note that data is not read directly from the card, so no card readers or other swipe devices are involved.  The most accurate representation of a qualifying merchant would be someone at a personal computer typing in card numbers and getting authorization codes from a provider like Authorize.Net or PayPal.

Version 2.0 of the SAQs becomes available in January 2011, but merchants can still choose to use version 1.2 throughout 2011 (you may not mix SAQ versions and DSS versions, however; everything must be either 1.2 or 2.0).  Version 1.2 of both the DSS and the SAQs expires on December 31st, 2011.

In order to provide the most flexibility for merchants, QualysGuard PCI has added support for all version 2.0 SAQs, including wizards to help choose the proper SAQ version (A, B, C, C-VT, D), help text to provide guidance when completing the questionnaire, and full support for the milestone-based prioritized approach to the SAQs.  Version 1.2 of the SAQs is also supported throughout 2011 for merchants choosing to use that version.

We hope you find the new capabilities helpful in achieving PCI compliance, and look forward to hearing your feedback.

More technical resources are available at QualysGuard PCI.

QualysGuard adds VeriSign Identity Protection

Hi!  My name is Corey, I have a dog named Sparky, and I really like chocolate.   You now have everything you need to guess my password.

This isn’t a surprise, of course.  Over the last several years research has shown that passwords are often easily compromised:

One good solution to these password issues is to use two-factor authentication, where a user is required to both know something (i.e. your username and password) and have something (such as a generated code from a key fob).  Your debit card is a good example of this:  You need to both know your PIN code and have the physical card in order to access the bank account it protects.   Two-factor authentication has become more readily available over the last few years, and is now a capability that many security-oriented companies are actively pursuing.

Consequently, I’m thrilled to announce that Qualys is now making VeriSign Identity Protection (VIP) two-factor authentication available to all QualysGuard users at no charge, providing an additional layer of protection to keep your data secure.

Subscription Managers can require VIP for all accounts, or individuals can opt-in as desired.  Enabling it for an account is simple with just three steps:

  1. Obtain a credential from VeriSign.  Like QualysGuard, VeriSign VIP is a software-as-a-service offering with no server software to deploy or hardware to manage.  I prefer using their phone-based credential, but their toolbar is also a good choice (as are key fobs for those who like having a physical token); see the complete list of supported devices.
  2. Log in to QualysGuard and edit your user settings.  Click “Advanced” and you’ll see the following under the “Options” tab: (screenshot: VIP Activation)
  3. Click “Register Credential” and provide the codes requested. (screenshot: Credential Registration)

You’re now ready to use VIP Authentication for logging in to QualysGuard.  You’ll still use your username and password (what you know) but will be prompted to provide the code from your credential (what you have) to complete the login process:

VIP Login

Don’t worry if you can’t access your token (who hasn’t left their phone on the kitchen table?); you can request a one-time password that will grant access within the next hour.

We’re excited to help lead the effort to replace passwords with better authentication methods, and look forward to hearing from you on how we can continue to improve our service.  In the meantime, feel free to take that chocolate bar without any guilt!