Digital transformation, driven primarily by the DevOps movement, represents a new opportunity “to redo IT from scratch, but more importantly, to redo security from scratch,” Sumedh Thakar, Qualys’ Chief Product Officer, said during QSC18 Virtual Edition.

Specifically, organizations can organically build security into this new, hybrid IT infrastructure, instead of abruptly bolting it on as has been done traditionally — and ineffectively.  Meshing security in natively requires a unified security and compliance platform for detection, prevention and response.

Today, many organizations have a fragmented, siloed strategy that doesn’t provide the needed visibility because it’s based on accumulating point products that don’t scale, are costly to deploy and maintain, and complex to integrate.

“This is why security is so far behind,” Thakar said during his keynote.

“The effort and resistance that goes into putting together the information that’s required to make decisions is very costly, very time-consuming, and not accurate,” he added.

Continue reading …

Qualys Chairman and CEO Philippe Courtot set the tone for the company’s first virtual conference, the QSC18 Virtual Edition, with a call to the industry to re-invent security to protect digital transformation efforts.

CIOs and CISOs can’t continue accumulating disparate, point solutions that are costly to manage, difficult to integrate, and ultimately ineffective at protecting hybrid IT environments. “The mission is for us together to stop bolting on security and compliance solutions, and start building them in,” he said during the opening keynote.

Digital transformation projects, built by DevOps teams and delivered via cloud services, web apps, and mobile computing, demand a recasting of security’s role. The traditional approach, in which security is an isolated element jammed in at the end of the software pipeline, erases the benefits of digital transformation by slowing it down. 

Qualys is uniquely able to help enterprises address these challenges, he said.

Continue reading …

How many digital certificates are in use in your organization? When do they expire? Do you have a way of discovering digital certificates from unapproved Certificate Authorities?

Most organizations can’t answer these questions with complete certainty, because they lack the necessary visibility and control over their certificates. This creates the potential for security lapses, since SSL/TLS certificates are critical for the integrity and protection of a host of e-business functions.

With proper certificate management, organizations can cut their risk of breaches and unplanned outages, and continuously and effectively protect their digital assets, Asif Karel, a Qualys Director of Product Management, said recently during a webcast.

Since their creation in the mid-1990s, digital certificates have provided security for Internet traffic. They’re meant to ensure the confidentiality, authenticity, integrity and non-repudiation of online communications in public-facing online services, internal services, machine-to-machine communications, public cloud services and API integrations.

During his webcast, Karel outlined the current challenges organizations face with certificate visibility, and explained how Qualys can help with CertView, a free app available now.

Continue reading …

As organizations increase their use of public cloud platforms, they encounter cloud-specific security and compliance threats, which can be challenging to address without the right tools and processes.

Organizations’ cloud security difficulties lie in two main areas: Lack of visibility into their cloud assets and resources, and a misunderstanding of cloud providers’ shared security responsibility model. As a result, there have been a multitude of easily preventable security mishaps in public cloud deployments due to leaky storage buckets, misconfigured security groups, and erroneous user policies.

These security breakdowns have caused data breaches and other compromises at organizations large and small, including Verizon, Viacom, the Republican National Committee, Tesla and the U.S. Department of Defense. The key to protect public cloud workloads lies in adopting a cloud-native way of supporting and securing your resources in a hybrid IT environment, so as to have full visibility and control.

“Rather than having bifurcated tooling or bifurcated processes or even bifurcated teams, organizations need a unified view of their resources and security posture across on-premises and cloud environments,” Hari Srinivasan, Director of Product Management at Qualys, said during a recent webcast.

Read on to learn about cloud security challenges, best practices, and how Qualys can help you secure any infrastructure, at any scale, on-premises and in cloud, via a unified interface, using uniform standards and processes.

Continue reading …

This last week or so of May has been busy with security news and incidents, as the FBI put out an unprecedented call to do a massive wave of reboots of home and small office routers, while Intel confirmed the existence of yet another Spectre / Meltdown variant. And, yes, we had yet another high-profile instance of an unprotected AWS storage bucket exposing data, as well as more IoT security bad news.

Unplug and reset that router pronto!

As you may have heard by now, THE FBI WANTS YOU TO REBOOT YOUR ROUTERS!

Sorry, we didn’t mean to use our outside voice and startle you, but the urgent and extraordinary plea from the feds has been ubiquitous in recent days and we wouldn’t want you to be out of the loop.

The reason: It takes a village to dismantle a botnet that has infected 500,000 home and small office routers, as well as other networked devices, with the VPNFilter malware.

The FBI discovered the botnet, which it says was assembled by Russian hacker group Sofacy. Also known as Fancy Bear, the group has targeted government, military, security and intelligence organizations since 2007. It’s credited with the hack of the Democratic National Committee in 2016.

By rebooting their home and small business routers, people won’t get rid of the malware, but the move will prevent it from escalating to more destructive stages, and allow the FBI to deepen its intervention.

As Cnet explained: “Rebooting your router will destroy the part of the malware that can do nasty things like spy on your activities, while leaving the install package intact. And when that install package phones home to download the nasty part, the FBI will be able to trace that.”

Continue reading …

Turned into law in 2016, the EU’s General Data Protection Regulation (GDPR) finally goes into effect this week, slapping strict requirements on millions of businesses and subjecting violators to severe penalties. The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes personal data of EU residents, whose security and privacy GDPR fiercely protects.

GDPR calls this data’s protection a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish. Its requirements amount to what some have called zero-tolerance on mishandling EU residents’ personal data.

A PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% planning to spend $1 million or more on GDPR readiness. “Data protection has been a thing organizations know about, but GDPR has brought it all to the forefront,” Richard Sisson, Senior Policy Officer at the U.K.’s Information Commissioner’s Office (ICO) said during a recent GDPR roundtable.

Continue reading …

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Continue reading …

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, an increasingly common decision among enterprises.

A less common step taken by this multinational bank and Qualys customer was incorporating the security team from day one. It recognized that the safety of the application was as critical for its success as its feature functionality.

In doing so, this bank tackled a challenge that organizations face as they move workloads to public cloud platforms: Protecting these new cloud workloads as effectively as their on-premises systems, but with processes and tools that are effective in both environments.

In a recent webcast, SANS Institute and Qualys experts addressed this issue in detail, offering insights and recommendations for security teams faced with protecting hybrid IT infrastructures’ assets on premises and in public clouds.

Cloud adoption triggers new security needs

In pursuit of digital transformation benefits, organizations are aggressively moving more workloads to public clouds, expanding from straightforward software-as-a-service (SaaS) applications to more involved platform- and infrastructure-as-a-service (PaaS and IaaS) deployments.

As this happens, InfoSec teams find that safeguarding these environments can be complex. “Security teams have rallied around the idea that this is something they need to live with,” Dave Shackleford, a SANS analyst and instructor, said during the webcast.

Continue reading …

In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!”

It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD debugging documentation, which led the OS vendors to independently create the same critical security flaw in their respective kernel software.

The issue came to light last week when US-CERT (United States Computer Emergency Readiness Team) warned that under certain circumstances “some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception.”

“The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS,” the CERT alert reads.

The list of OS vendors affected reads like an industry “who’s who.” It includes Apple, Microsoft, Red Hat, VMware, Ubuntu, Xen and SUSE Linux. The problem was discovered by researcher Nick Peterson of Everdox Tech, who has detailed the flaw in a paper titled “POP SS/MOV SS Vulnerability.”

Continue reading …

The cyber security news cycle is always active, so to help you stay in the loop here’s a selection of incidents that caught our attention over the past week or so involving, among others, Twitter, Cisco and GPON routers.

Twitter picks a good day for password-change call

As “change your password” calls from vendors go, the one from Twitter last week ranks right up there, and not just because of the scope of users involved. As Jon Swartz pointed out in Barron’s, Twitter’s alert went out on Thursday, which happened to be World Password Day.

The social media juggernaut reached out to all of its 330 million users and advised them to take a moment, go to their account settings page and enter a new password. Twitter also suggested they enable Twitter’s two-step verification feature, a move strongly endorsed by Forbes’ Thomas Fox-Brewster. In addition, Twitter recommended that users change their password on any other online services where they used their Twitter password. (It bears repeating: It’s a bad idea to re-use passwords.)

The reason for the brouhaha: An IT slip-up caused user passwords to be stored in plain text in an internal Twitter log. Twitter’s security policy is to instead mask passwords using the “bcrypt” hashing technique. That way, passwords are stored on Twitter systems as a string of random characters.

Continue reading …