The new QualysGuard Vulnerability Notification feature allows you to configure QualysGuard to send email notifications to users about new and updated vulnerabilities in the QualysGuard KnowledgeBase. An update to QualysGuard 7.11 will be released in production in the coming weeks to introduce this feature.
QualysGuard 7.11 will be released in production in the coming weeks and includes enhancements to QualysGuard Vulnerability Management (VM) and Policy Compliance (PC) reports, and API.
Highlights include: ability to rerun a report, new “Host Scan Date” filter and “Vulnerability Fixed On” date filter for the vulnerability scorecard report, and API enhancements.
QualysGuard 7.10 will be released in production in the coming weeks and includes enhancements to QualysGuard Cloud Platform, Vulnerability Management (VM), Policy Compliance (PC) and API.
New QualysGuard Express Lite
The new service offering QualysGuard Express Lite for SMBs is launched with this release.
QualysGuard Cloud Platform Enhancements
Redesigned Application Picker: In this release, the application picker has been redesigned with a new look & feel that shows users clearly which applications are available in their subscriptions.
An air-gapped network, sometimes called an isolated network, is a set of systems that is intentionally kept off the Internet and other networks for increased security. If there is an air gap, i.e. no physical connection between your systems and unsecured networks or the Internet, you have better protection against data leakage and intrusion.
Air-gapped networks are most common in production and manufacturing environments such as nuclear power plants and other sites where SCADA-type systems are installed, in military and government organizations, and in sensitive financial applications such as stock exchanges. Despite the air gap, these environments still require security audits to ensure that the other defense-in-depth controls are in place and working properly. For example, the Stuxnet worm is believed to have entered its target systems on a USB stick, which shows that an air gap is not a foolproof control. For these cases, Qualys sees demand from customers for a QualysGuard scan across the air gap.
Continuously Monitor Vulnerability Remediation Performance Across your Organization with QualysGuard v7.8 Vulnerability Scorecards
With QualysGuard 7.8, customers can now create new Vulnerability Scorecard Reports and set remediation goals to measure and monitor the performance of the teams in charge of fixing vulnerabilities in their companies. Enhancements to the Vulnerability Scorecard Reports will help security professionals better monitor the progress of their vulnerability remediation process.
In addition, Dynamic Asset Tagging and Management, which automatically identifies, categorizes and manages large numbers of assets in highly dynamic IT environments, is now integrated with Vulnerability Scorecard Reports. This integration gives security managers and executives always up-to-date reports that measure the number of vulnerable hosts per business unit against a list of vulnerabilities that represent the most important security risks.
These reports also display the groups of assets, or business units, that are meeting their goals in terms of fixing these vulnerabilities. Furthermore, Vulnerability Scorecard Reports provide additional vulnerability management metrics and statistics, giving managers and unit managers more visibility into how efficiently critical and important vulnerabilities that expose their business to IT risk are being fixed.
The Vulnerability Scorecard Reports offer these new capabilities:
- Customizable Business Risk Goals represent the maximum allowed percentage of vulnerable hosts per asset tag or asset group.
- Support for Vulnerability Search Lists: search lists can be used as a set of vulnerabilities that must be fixed according to their security risk, and the scorecards will measure the remediation progress and report the entities that have met their goal.
- Breakdown of Vulnerabilities per Asset Tag and Asset Group organizes assets by business units, technology, or other organizational entities.
- Number of New, Active, Fixed and Re-Opened Vulnerabilities gives insight into vulnerability scanning and remediation performance.
- Number of Vulnerabilities by Age shows the number of vulnerabilities that are less than one, two or three months old.
- Number of Vulnerabilities by Type shows the breakdown of confirmed vulnerabilities versus potential vulnerabilities.
- Vulnerability Scorecards can be scheduled on a daily, weekly or monthly basis to continuously monitor remediation progress.
- Vulnerability Scorecards can be exported in CSV format automatically via the API or manually in the UI, for easy integration into external security performance dashboards.
Oracle has just released an important Critical Patch Update for Java. It fixes a large number of vulnerabilities, and it is recommended to install this update as soon as possible. You can read more about this here: http://laws.qualys.com/2013/02/oracle-releases-early-cpu-for.html
And here is the official page on the Oracle website: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
A new QID "120832 – Oracle Java SE Critical Patch Update – February 2013" has been released and you can use QualysGuard VM to scan your network to find the systems that require the patch.
Here is a report that gives you a preview of the details of a report for this QID, including a list of known exploits that are available for some of the vulnerabilities that are fixed by this patch:
IPv6 first came onto the horizon years ago, and it has seemingly stayed out there ever since. Recently, we’ve heard or read a lot about having run out of IPv4 addresses. But the transition is not so simple, and we find ways to extend the time until it is necessary to make IPv6 a priority. Some great information on adoption is available at Google’s “IPv6 statistics" page.
At this page, the Adoption tab shows a trend with enough historical data to tempt a statistician to extrapolate. Adding another dimension, the Per-Country adoption tab shows geographic adoption overlaid with very interesting info on connectivity issues – reliability and latency.
Even while global adoption is below 1%, IPv6 is showing signs of significant increase, and it is prudent to pay attention and make sure it doesn’t introduce new security exposures in your network. For instance, deploying IPv6 ready devices, such as desktops and laptops with modern operating systems, on IPv4 networks can cause problems as IPv6 traffic may bypass IPv4 specific protection systems (including firewalls, intrusion detection systems), allowing IPv6 traffic to reach unintended recipients if there is a lack of expertise in IPv6 networking. See footnote.
If you are interested in knowing more about the exposure of your IPv6 devices connected to the Internet, the steps below walk you through how to scan an IPv6 address using Qualys FreeScan:
Step 1: Create your account. If you already have an account you can skip to the next step:
1. Go to https://freescan.qualys.com/
2. Click on “Sign up”.
3. Enter your name, email address and company information as indicated in the page.
4. You will shortly receive your credentials by email.
Step 2: Use your FreeScan credentials to open a session at https://freescan.qualys.com/
Step 3: Enter your Internet facing IPv6 address in the “New IP scan” field as shown below:
Step 4: Wait a little while for the scan to finish. It typically takes 5 to 15 minutes:
Step 5: Once the scan has completed, you can review the vulnerabilities of your IPv6 device that are exposed on the Internet and could potentially be exploited, in order of criticality:
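Step 3 asks for your Internet-facing IPv6 address, and the paragraph before the walkthrough warns that IPv6-capable hosts on IPv4 networks can end up reachable in ways the IPv4 firewall never sees. Sorting a host's addresses by how they are routed is the first check. The script below is an added example, not Qualys or FreeScan code; the address list is a constructed sample of what a dual-stack laptop on an "IPv4-only" LAN can acquire, and on a real host you would feed it the addresses from `ip -6 addr` or `ipconfig`. It uses only the Python standard library.

```python
"""Classify a host's IPv6 addresses to see which ones are Internet-facing.

Added example, not Qualys or FreeScan code. SAMPLE_ADDRESSES is constructed;
2001:db8::/32 is the documentation prefix standing in for a real global
unicast address.
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local: not routed on the Internet

SAMPLE_ADDRESSES = [
    "fe80::1c2f:3e4d:5f60:7a8b",          # link-local: every IPv6-enabled interface has one
    "fd12:3456:789a::10",                 # unique local
    "2001:db8:abcd:1::25",                # global unicast (sample, documentation prefix)
    "2002:c000:0204::1",                  # 6to4: IPv6 inside IPv4 protocol 41, embeds 192.0.2.4
    "2001:0:53aa:64c:0:fffe:3fff:fdfe",   # Teredo: IPv6 inside UDP, built to cross NAT
    "::ffff:192.0.2.4",                   # IPv4-mapped: IPv4 traffic presented to an IPv6 socket
]


def classify(addr):
    """One of: loopback, link-local, ipv4-mapped, teredo, 6to4, unique-local, global."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.ipv4_mapped is not None:
        return "ipv4-mapped"
    if ip.teredo is not None:             # 2001::/32; stdlib decodes server and client
        return "teredo"
    if ip.sixtofour is not None:          # 2002::/16; stdlib decodes the embedded IPv4 address
        return "6to4"
    if ip in ULA:
        return "unique-local"
    return "global"


# Kinds that can carry packets from the Internet. The two tunnel kinds are the
# ones that slip past IPv4-only firewall rules: the outer packet is plain IPv4.
EXPOSED = {"global", "6to4", "teredo"}


def exposure(addr):
    """Return (kind, exposed, note) for one address."""
    ip = ipaddress.IPv6Address(addr)
    kind = classify(addr)
    if kind == "6to4":
        note = "tunnelled over IPv4 %s (protocol 41)" % ip.sixtofour
    elif kind == "teredo":
        server, _client = ip.teredo
        note = "tunnelled over UDP via Teredo server %s" % server
    elif kind == "global":
        note = "natively routed; needs IPv6 firewall rules equivalent to the IPv4 ones"
    else:
        note = "not reachable from the Internet"
    return kind, kind in EXPOSED, note


def scan_targets(addresses):
    """Addresses worth submitting to an external scanner, in input order."""
    return [a for a in addresses if exposure(a)[1]]


if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        kind, exposed, note = exposure(a)
        print("%-36s %-13s %-5s %s" % (a, kind, "YES" if exposed else "no", note))
    print("scan these:", scan_targets(SAMPLE_ADDRESSES))
```

Only the three exposed addresses are worth a FreeScan run; the link-local and unique-local ones are not reachable from outside. The two tunnel addresses deserve the closest look, because a firewall that only inspects IPv4 headers will pass protocol 41 and Teredo UDP through as ordinary IPv4 traffic.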
Whether or not IPv6 is imminent for everyone, or whether switchover is becoming a high priority, we can say that we are in a learning period whereby challenges, pitfalls and real-world problems will be exposed as all of us in the IT and security community increasingly are involved in working with IPv6.
To a large extent we will need experience, insight and ongoing input from the Qualys community to track and assess progress as well as setbacks, while inside Qualys we continue our work to stay ahead of the market.
Please let us know your feedback on utilizing this new capability in FreeScan. We’d also like to know how important IPv6 is to you in 2012, how important you expect it to be in 2013, and perhaps most importantly, how it needs to be supported by Qualys or your IT vendors.
Footnote: Internet-Draft submitted to the Internet Engineering Task Force on April 27, 2012: “Security Implications of IPv6 on IPv4 Networks” by Fernando Gont of the UK Centre for the Protection of National Infrastructure
“You know only insofar as you can measure.”
– Lord Kelvin
“If you want it, measure it. If you can’t measure it, forget it.”
– Peter Drucker
Measurement is critical in achieving objectives. But a more subtle factor drives your success: what you measure and how you measure it. These are what guide your actions. The measurement of vulnerabilities is no exception, and with vulnerabilities, the difference between automatic and manual data and its implications are the key factors.
So, what is the difference?
Manual data is a point-in-time snapshot of vulnerability data that is tied to a single scan and shows the vulnerability posture of the hosts at the time the scan was run.
Automatic data is data from multiple scans normalized into a database. It is the asset-centric history of vulnerability data, built out of the results of previous scans.
Simple enough, right? Let’s examine the implications.
Assessment vs. Management
Manual data lets you assess vulnerabilities, but you need automatic data for vulnerability management.
Manual data shows you where you’re vulnerable at the time of the scan. You can think of manual data as a file folder on the left side of your desk with a folder corresponding to each scan. Inside each folder is a piece of paper containing the forensic record of the raw results from that point-in-time scan. The biggest limitation of this data model is that it lacks context and trending since it is a snapshot of a point in time. For example, if you scanned on January 1 and found 500 vulnerabilities, then scanned the same assets on February 1 and found 300 vulnerabilities, what does that mean? Did you fix all 500 vulnerabilities from January and have 300 new vulnerabilities for February? Did you fix 200 vulnerabilities from January and have 300 left, but no new vulnerabilities in February? There are several other potential scenarios that would also need to be considered, and determining the answer with any degree of certainty is problematic at best.
If you only have access to manual data, you have to perform a manual monthly process with a custom spreadsheet to attempt to reconcile and normalize the results from scan to scan to show month-over-month trending.
Another big problem with this data model is that it is difficult to track the lifecycle of a vulnerability on a particular host. For example, you should be careful not to assume that if you don’t find a vulnerability in a subsequent scan that it has been fixed. This is a poor assumption as there is a huge difference between "fixed" and "not found". For example, if you first scan with authentication, then scan without authentication, many vulnerabilities won’t be detected in the second scan, simply because authentication wasn’t used. This does not mean that the vulnerabilities are actually fixed and can lead to a false sense of security.
Lifecycle of a Vulnerability
Automatic data addresses these limitations by introducing the concept of a vulnerability’s state and providing additional context that is valuable when managing the lifecycle. Automatic data can be thought of as a large relational database on the right side of your desk that normalizes the results of every scan over time for each asset. A vulnerability can have one of four states:
- NEW: Detected for the first time
- ACTIVE: Detected more than once
- FIXED: Detected, then confirmed to be resolved by scanning in the *same* manner as originally detected – e.g. with authentication
- REOPENED: Detected, confirmed to be remediated, then detected again. This may be the result of a machine being re-imaged without all relevant patches being applied.
Automatic data also lets users mark vulnerabilities as IGNORED and keeps an audit trail of all transitions. IGNORED is complementary to the status: a vulnerability can be NEW/IGNORED or ACTIVE/IGNORED, for instance. It is the mechanism for managing exceptions.
Trending and Reporting
In addition to a vulnerability’s state, automatic data allows us to report on when a vulnerability was first detected, last detected, and the number of times it has been detected. Also, vulnerability status is tracked intelligently to account for different option profiles being used. For example, if a vulnerability is first detected using authentication, it will not be considered closed until a rescan *with authentication* confirms that the vulnerability has been resolved. This addresses the limitation of the assumption that not found = fixed. And it prevents "saw tooth" trend results that can happen when scans are conducted with varying configurations (e.g. with / without authentication) over time.
This type of accurate trending information is valuable to be able to correctly report the postures of organizations and the progress (or lack thereof) over time in remediating vulnerabilities in their environments. Using the QualysGuard Detection API, this concept of vulnerability state/trend information can be included in data integrated with third party platforms (e.g. SIEM, GRC, etc). Without automatic data, organizations are left to extremely manual, time-consuming, and error-prone approaches to attempt to measure and track the effectiveness of their vulnerability management programs over time.
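The state model above, and the New/Active/Fixed/Re-Opened counts that the 7.8 Vulnerability Scorecards report, come out of one normalization rule applied to every scan. The script below is an added example, not Qualys code, that replays a constructed four-scan history for two hosts and two QIDs. The `Scan` and `Record` structures and the rule that a REOPENED finding stays REOPENED on later detections are my modelling choices; what it reproduces from the post is the NEW, ACTIVE, FIXED and REOPENED transitions, the IGNORED flag sitting beside the status, and the rule that a finding first seen with authentication is only closed by a later authenticated scan of the same host. `naive_diff` shows what a spreadsheet comparison of two manual snapshots would have concluded instead.

```python
"""Fold per-scan findings ('manual data') into per-host lifecycle state ('automatic data').

Added example, not Qualys code. SCANS is a constructed history.
"""
from collections import Counter
from dataclasses import dataclass, field

NEW, ACTIVE, FIXED, REOPENED = "NEW", "ACTIVE", "FIXED", "REOPENED"


@dataclass
class Scan:
    """One scan result: a point-in-time snapshot."""
    date: str
    authenticated: bool
    findings: dict        # host -> set of QIDs; every scanned host has a key, even if empty


@dataclass
class Record:
    """One (host, QID) row of the normalized history."""
    status: str
    first_found: str
    last_found: str
    times_found: int = 1
    needs_auth: bool = False    # seen with credentials: only an authenticated rescan can close it
    ignored: bool = False       # exception flag, orthogonal to status (NEW/IGNORED, ACTIVE/IGNORED)
    history: list = field(default_factory=list)   # audit trail of (date, status)


def apply_scan(db, scan):
    """Fold one scan into db (dict[(host, qid)] -> Record) and return db."""
    # Detections in this scan: open a NEW record or advance an existing one.
    for host, qids in scan.findings.items():
        for qid in qids:
            key = (host, qid)
            rec = db.get(key)
            if rec is None:
                db[key] = Record(NEW, scan.date, scan.date, 1, scan.authenticated,
                                 history=[(scan.date, NEW)])
                continue
            if rec.status == FIXED:
                nxt = REOPENED            # confirmed fixed, now back (re-imaged without patches?)
            elif rec.status == NEW:
                nxt = ACTIVE              # seen a second time
            else:
                nxt = rec.status          # ACTIVE stays ACTIVE; REOPENED stays REOPENED (assumption)
            if nxt != rec.status:
                rec.history.append((scan.date, nxt))
            rec.status = nxt
            rec.last_found = scan.date
            rec.times_found += 1
            rec.needs_auth = rec.needs_auth or scan.authenticated
    # Open records on hosts that were scanned but where the QID was not detected.
    for (host, qid), rec in db.items():
        if host not in scan.findings or qid in scan.findings[host] or rec.status == FIXED:
            continue
        if rec.needs_auth and not scan.authenticated:
            continue                      # "not found" is not "fixed": this scan could not see it
        rec.status = FIXED
        rec.history.append((scan.date, FIXED))
    return db


def naive_diff(prev, cur):
    """What a spreadsheet comparison of two snapshots would count as 'fixed'."""
    return sum(len(qids - cur.findings.get(host, set())) for host, qids in prev.findings.items())


def scorecard(db):
    """Status counts for non-ignored records, as a scorecard would show them."""
    return Counter(rec.status for rec in db.values() if not rec.ignored)


# Constructed history: Q2 is only visible with credentials; February's scan ran without them.
SCANS = [
    Scan("2013-01-01", True,  {"hostA": {"Q1", "Q2"}, "hostB": {"Q2"}}),
    Scan("2013-02-01", False, {"hostA": {"Q1"},       "hostB": set()}),   # remote-only rescan
    Scan("2013-03-01", True,  {"hostA": {"Q1"},       "hostB": set()}),   # Q2 really gone
    Scan("2013-04-01", True,  {"hostA": {"Q1", "Q2"}, "hostB": set()}),   # Q2 is back on hostA
]


def run(scans=SCANS):
    """Replay the scans; return the normalized db and the scorecard after each scan."""
    db, cards = {}, []
    for scan in scans:
        apply_scan(db, scan)
        cards.append(dict(scorecard(db)))
    return db, cards


if __name__ == "__main__":
    db, cards = run()
    print("naive Jan->Feb 'fixed':", naive_diff(SCANS[0], SCANS[1]))
    for (host, qid), rec in sorted(db.items()):
        print(host, qid, rec.status, "x%d" % rec.times_found, rec.history)
    for scan, card in zip(SCANS, cards):
        print(scan.date, card)
```

The February scan is the saw-tooth case: the naive comparison reports two vulnerabilities fixed, while the normalized data keeps both Q2 findings open because an unauthenticated scan cannot confirm their absence. Only the authenticated March scan closes them, and April's re-detection on hostA lands as REOPENED rather than as a brand-new finding, with the full transition history on the record.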
Decoupling Reporting / Remediation from Scanning
One other main benefit of automatic data is that it allows the scanning and reporting/remediation efforts to be decoupled since all the data is tracked and normalized. Scanning can be conducted according to location and reporting can be performed according to those responsible for remediation.
The most obvious place where the difference between manual and automatic data is found in the QualysGuard user interface is when editing a scan report template and choosing the Scan Results Selection:
Automatic data is also used in “Status” and “Status with Trend” scan reports and Scorecard reports, as well as throughout the user interface including your dashboard, asset search results, remediation tickets and host information.
Automatic is the Way to Go
The difference between manual and automatic data is the difference between a vulnerability assessment program that identifies only current vulnerabilities and a vulnerability management program that drives the remediation of vulnerabilities over time. Automatic data is what lets QualysGuard differentiate between vulnerabilities that are actually fixed and those that simply weren’t detected.
29 April 2013: edited with new screenshot
Trusted scans collect more detailed vulnerability information than “un-trusted” remote scans. That’s not surprising: with a trusted scan, the QualysGuard scanner logs into the target machine and reads configuration data, including registry values and configuration files on the file system, just as a regular user session could. QualysGuard uses that configuration data to verify whether or not specific vulnerabilities exist. When running un-trusted remote scans, QualysGuard collects data by probing the network-accessible services on the target machine and interpreting their responses. It then reports the security issues that a remote attacker might use to get into those systems. This approach misses local vulnerabilities, such as those requiring user interaction from a browser or email client. Also, a response sometimes indicates that the machine has a potential vulnerability, but not whether it is a confirmed one. Often a configuration value that is only available via a trusted scan is needed to decide whether a potential vulnerability can be ignored or should be classified as confirmed.
For policy compliance, QualysGuard always performs trusted scans because system configuration data is required to verify compliance checks, such as password strength. For vulnerability management (VM) scans, QualysGuard administrators can choose either trusted or remote scans. But they often perform remote scans, even though they would benefit from the more detailed data collected in trusted scans.
In large organizations where thousands of machines are scanned regularly for vulnerabilities, managing passwords is a challenge. Currently administrators must manually provide QualysGuard with login credentials for each asset to be scanned. Password policies add more complexity; for example if a password ages out and gets changed, then those changes must be passed to QualysGuard so that its passwords remain current. The teams in charge of managing the scans usually don’t own the scanned machines.
Better Manageability with Cyber-Ark Integration
Using QualysGuard integration with Cyber-Ark Privileged Identity Management (PIM) Suite, management is simplified because organizations no longer need to store a copy of their passwords in QualysGuard. QualysGuard stores a pointer to the location of the password information in the Cyber-Ark Enterprise Password Vault® of the PIM suite, and the scanner appliance requests the password when it needs to perform the trusted scan. Because passwords are maintained in the Cyber-Ark Enterprise Password Vault®, the organization can change passwords at will or by using any policy via Cyber-Ark without having to worry about synchronizing those changes to QualysGuard.
Increased Security, Control and Audit of Login Credentials
While QualysGuard has industry-leading protections on the data it stores, organizations that are particularly sensitive to password controls now have the assurance that QualysGuard no longer needs to store passwords centrally. In fact, an organization could set up a password policy in the Cyber-Ark PIM Suite that changes each password immediately after QualysGuard has used it to perform a trusted scan.
To revoke access, an administrator only needs to disable one user in Cyber-Ark instead of changing the relevant password on each target machine. Cyber-Ark can also store an audit trail of all uses to the login credentials.
How it Works
Configuring Trusted Scans: Without the Cyber-Ark integration, an admin configures QualysGuard with the logins and passwords that will be used for the trusted scans. With the Cyber-Ark integration, the admin configures QualysGuard with the Cyber-Ark Enterprise Password Vault® server and the safe within the vault where the passwords are stored (see Figure 1), and a Windows or Unix authentication record that points at that authentication vault for a specific trusted scan (see Figure 2).
Figure 1 – Create a Cyber-Ark authentication vault record in QualysGuard
Figure 2 – Create a Windows or Unix authentication record specifying the use of an authentication vault
Running Trusted Scans: When the scan is ready to run, QualysGuard sends a request to the scanner appliance to run the trusted scan. Instead of supplying the password of the target machine, QualysGuard supplies the IP address of the Cyber-Ark Enterprise Password Vault® server and the name of the safe. The scanner appliance passes this information to Cyber-Ark and requests the password for the given username, then uses it to log into the target machine and perform the trusted scan. After the scan, the scanner discards the password, leaving no trace of it, and sends the scan results back to QualysGuard.
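The flow just described has three properties worth checking in any vault-backed scanner: the scan configuration carries a pointer to the secret and never the secret itself, the secret is fetched at scan time and dropped afterwards, and every checkout leaves an audit entry that can also drive a rotate-after-use policy. The code below is an added example, not Qualys or Cyber-Ark code; `VaultRecord`, `FakeVault`, `checkout`/`checkin` and the in-memory target credential store are invented for the illustration and do not correspond to either product's API.

```python
"""Vault pointer in the scan configuration, secret resolved only at scan time.

Added example, not Qualys or Cyber-Ark code; all names here are invented
stand-ins and the vault is an in-memory object.
"""
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class VaultRecord:
    """What the scan configuration stores: where the password lives, never the password."""
    vault_server: str   # Enterprise Password Vault host
    safe: str           # safe inside the vault
    account: str        # login name on the target machine


class FakeVault:
    """In-memory stand-in for the vault. Because the vault owns the account, rotating
    a password means changing it on the target as well as in the vault."""

    def __init__(self, targets, rotate_after_use=False):
        self.targets = targets       # host -> {account: password}: the machines' own credential stores
        self._secrets = {}           # (safe, account) -> (host, password)
        self._enabled = set()        # vault users allowed to check passwords out
        self.audit = []              # (user, safe, account, outcome)
        self.rotate_after_use = rotate_after_use

    def onboard(self, safe, host, account):
        """Take ownership of the account: set a fresh password on the target and store it."""
        pw = secrets.token_urlsafe(24)
        self.targets[host][account] = pw
        self._secrets[(safe, account)] = (host, pw)

    def enable_user(self, user):
        self._enabled.add(user)

    def disable_user(self, user):
        """Revocation: one switch here instead of a password change on every target."""
        self._enabled.discard(user)

    def checkout(self, user, safe, account):
        key = (safe, account)
        if user not in self._enabled or key not in self._secrets:
            self.audit.append((user, safe, account, "DENIED"))
            raise PermissionError("%s may not read %s/%s" % (user, safe, account))
        self.audit.append((user, safe, account, "RELEASED"))
        return self._secrets[key][1]

    def checkin(self, user, safe, account):
        """Scanner is done with the password; rotate it if the policy says so."""
        if self.rotate_after_use:
            host, _old = self._secrets[(safe, account)]
            self.onboard(safe, host, account)
            self.audit.append((user, safe, account, "ROTATED"))


def trusted_scan(vault, scanner_user, host, record):
    """Scanner appliance side: resolve the pointer, log in, then forget the password."""
    pw = vault.checkout(scanner_user, record.safe, record.account)
    try:
        if vault.targets[host].get(record.account) != pw:
            return {"host": host, "authenticated": False}
        return {"host": host, "authenticated": True, "data": "registry and config files read"}
    finally:
        del pw                               # nothing about the credential survives the scan
        vault.checkin(scanner_user, record.safe, record.account)


def config_export(record):
    """The authentication record as it would be stored or exported by the scanning platform."""
    return json.dumps(asdict(record))


if __name__ == "__main__":
    targets = {"db01": {}}
    vault = FakeVault(targets, rotate_after_use=True)
    vault.onboard("VM-Scanning", "db01", "svc_scan")
    vault.enable_user("scanner-01")
    rec = VaultRecord("vault.example.internal", "VM-Scanning", "svc_scan")
    print(config_export(rec))
    print(trusted_scan(vault, "scanner-01", "db01", rec))
    print(trusted_scan(vault, "scanner-01", "db01", rec))   # still works after rotation
    vault.disable_user("scanner-01")
    try:
        trusted_scan(vault, "scanner-01", "db01", rec)
    except PermissionError as e:
        print("revoked:", e)
    print(vault.audit)
```

The exported record contains the vault server, safe and account name and nothing else, so a copy of the scan configuration is not a copy of the credentials. With rotation enabled the second scan still authenticates, because the vault changed the password on the target and in its own store together; disabling the scanner's vault user is enough to stop the third.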
Better Information for Stronger Security
For organizations that currently perform trusted scans, password management is now easier and more secure. This integration will hopefully encourage organizations to expand their trusted scanning across their global assets to collect better vulnerability and compliance data from their systems.