Qualys Blog

The WannaCry ransomware attack spread so quickly and has been so disruptive that IT departments can’t get enough information about what caused it, how it can be remediated and what can be done to protect their organizations from similar threats. This thirst for insights, explanations and best practices was evident during the Q&A portion of our recent webcast  “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”

Below is a transcript of 20 questions asked by participants, and the answers provided by our experts, Qualys CISO Mark Butler and Qualys Product Management Director Jimmy Graham. Continue reading …

It didn’t have to happen.

That’s the simple yet profound lesson from WannaCry’s ransomware rampage that has infected 300,000-plus systems in more than 150 countries, disrupting critical operations across industries, including healthcare, government, transportation and finance.

If vulnerable systems had been patched and maintained as part of a proactive and comprehensive system configuration and vulnerability management program, the attack would have been a dud, barely registering on anyone’s InfoSec radar.

“WannaCry was totally preventable with the proper patching and the proper build configurations,” Mark Butler, Qualys’ Chief Information Security Officer (CISO), said during a webcast this week. “That’s a reminder to all of us that you didn’t have to be a victim.”

There are various workarounds for mitigating the underlying WannaCry vulnerability, but those are stopgap measures. “The primary way to remediate this vulnerability is through disciplined and timely patching,” Qualys Product Management Director Jimmy Graham said during the webcast, titled “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”

Continue reading …

The looming deadline for complying with the EU’s General Data Protection Regulation (GDPR) is shining the spotlight on a foundational InfoSec best practice: A comprehensive IT asset inventory.

The reason: GDPR places strict requirements on the way a business handles the personally identifiable information (PII) of EU residents. For example, companies must know what PII they hold on these individuals, where it’s kept, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.

An organization can’t expect to comply with GDPR if it lacks full visibility into the IT assets — hardware and software — that it’s using to process, transmit, analyze and store this data.

“If you don’t know what IT assets you’ve got, how can you effectively find the data on your network that you need to meet GDPR requirements?” said Darron Gibbard, Qualys’ Chief Technical Security Officer for the EMEA region, during a recent webcast.

Continue reading …

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.

Continue reading …

As we’ve discussed in this blog series on automated IT asset inventory, having — or regaining — unobstructed visibility of your IT environment is key for a strong security and compliance posture.

We met Max, the CISO of a large manufacturer, whose organization progressively lost this visibility, as it adopted cloud computing, mobility, virtualization, IoT and other digital transformation technologies.

With the company’s IT environment upended and its network perimeter blurred, Max and the InfoSec team recovered control with a cloud-based, automated IT asset inventory system. This successful solution featured six key elements. In the previous posts, we addressed the first three:

• Complete visibility of your IT environment
• Deep visibility into assets, wherever they reside
• Continuous and automatic updates

This means that you need a complete and continuously updated list of IT assets, as well as granular security, compliance and system details on each one.

In this post, we’ll explain the next two requirements for an effective cloud-based IT asset inventorying system:

• Asset criticality rankings
• Dashboarding and reporting

Continue reading …

In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.

Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.

Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.

They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.

Continue reading …

First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.

That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”

“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”

The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.

Continue reading …

Several years ago, Max, the CISO of a large manufacturer, realized that his organization’s formerly homogeneous, self-contained IT environment had lost its clearly delineated perimeter. Instead, it had become a hybrid environment with blurred borders, made up of a mix of legacy on-premises systems, new cloud workloads, and a variety of mobile endpoints.

Continue reading …

With 2017 still in its infancy, plenty of time remains for InfoSec practitioners to make concrete strides toward better security and compliance in their organizations. That’s why to help you start off the year on the right foot, we’ve shared best practices, ideas and recommendations in our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series.

Continue reading …

It used to be difficult or outright impossible for employees to install and use unapproved software on their work computers. For many IT departments, those happy days are over.

Web apps’ proliferation combined with mobile devices’ ubiquity have drastically lowered the bar —  or removed it altogether — for people to use software of their own choosing at work.

Continue reading …