Qualys Blog

www.qualys.com
348 posts

Implementing the CIS 20 Critical Security Controls: Slash Risk of Cyber Attacks by 85%

If a CISO needed to cut cyber attack risk by 85%, how would this security chief go about accomplishing that? Would the CISO even know where to begin? It’s safe to say that such a mandate would be considered daunting, and maybe even overwhelming.

CISOs are scrambling to protect IT infrastructures whose boundaries are increasingly fluid due to the adoption of mobility, cloud computing, IoT, and other new technologies. They get bombarded daily with information — research studies, threat warnings, vendor announcements, regulatory requirements, industry recommendations. Making sense out of it all is a challenge.

And yet, that dramatic cyber-attack risk reduction is an attainable goal for organizations that apply the first five of the Center for Internet Security’s 20 Critical Security Controls.

This structured and prioritized set of foundational InfoSec best practices offers a methodical and sensible approach for securing your IT environment. It maps effectively to most security control frameworks, government regulations, contractual obligations and industry mandates.

In this blog series, we’ll explain how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — can help security teams of any size to broadly and comprehensively adopt the CIS controls. Continue reading …

Webcast Q&A: DevSecOps – Building Continuous Security Into IT and App Infrastructures

As organizations adopt DevOps to create and deliver software quickly and continuously — a key step for supporting their digital transformation initiatives — they must not overlook security. In DevOps, development and operations teams add agility and efficiency to software lifecycles with automation tools and constant collaboration, but the added speed and flexibility can backfire if security is left out.

Rather, organizations should build security personnel, tools and processes into the DevOps workflow itself, turning it into DevSecOps. The business and technology aspects of that shift were explored in depth during a recent webcast by Qualys Product Management VP Chris Carlson and SANS Institute Analyst John Pescatore.

In this blog post, we’re providing an edited transcript of the question-and-answer portion of the webcast, during which participants asked Carlson and Pescatore about a variety of issues, including the dangers of using Java, the right tools for DevSecOps, and the best way to embed security into the process. We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the live broadcast of the webcast — titled “DevSecOps – Building Continuous Security Into IT & App Infrastructures” — we invite you to listen to its recording, which we’re sure will provide you with a lot of practical tips, useful best practices and valuable insights about DevSecOps and digital transformation. Continue reading …

New ‘Silence’ Banking Trojan copies Carbanak to Steal from Banks (Analysis with IOCs)

Dark Reading is reporting on a new banking trojan called ‘Silence’ that uses techniques similar to those of the Carbanak group, which targets banks and financial institutions. The attack vector is also similar: spear-phishing emails trick targeted individuals into running a malicious attachment, which connects out to download a dropper that further infects the user’s machine. The attack does not exploit a vulnerability; it relies on social engineering to get the user to execute the malicious payload.

Silence is notable in that the trojan includes a screen grabber that takes repeated screenshots of the user’s active monitor and uploads them as a near-real-time stream to a command-and-control server, where the adversary watches them. This lets the threat actor identify which users have access to the specific banking applications, systems and accounts that can be abused for financial gain.
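One observable side effect of that screen grabber is a steady stream of large HTTP POSTs from a single workstation to one external host at short, regular intervals. The script below is an added example, not code from the Dark Reading report or the Qualys post: it scans a few constructed proxy log lines for that pattern. The log format, the client addresses and the C2 hostname are constructed for illustration, and the thresholds are assumptions to tune against your own gateway's baseline.

```python
"""Heuristic detection of a screenshot stream to a command-and-control host.

Added example, not part of the Qualys post. The log format below is a
constructed, simplified proxy log (timestamp, client, method, host, bytes
sent); adapt parse_log() to your own gateway's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log lines: one workstation POSTs ~300 KB to the same
# host every four seconds, while a second workstation shows ordinary browsing.
SAMPLE_LOG = """\
2017-11-07T09:00:00 10.0.0.15 POST upload.example-c2.invalid 318220
2017-11-07T09:00:04 10.0.0.15 POST upload.example-c2.invalid 301144
2017-11-07T09:00:08 10.0.0.15 POST upload.example-c2.invalid 322987
2017-11-07T09:00:12 10.0.0.15 POST upload.example-c2.invalid 299500
2017-11-07T09:00:16 10.0.0.15 POST upload.example-c2.invalid 310411
2017-11-07T09:00:20 10.0.0.15 POST upload.example-c2.invalid 305873
2017-11-07T09:00:01 10.0.0.22 GET www.example.com 0
2017-11-07T09:00:03 10.0.0.22 POST www.example.com 1420
2017-11-07T09:05:40 10.0.0.22 POST www.example.com 980
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, bytes_out) tuples."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        yield datetime.fromisoformat(ts), client, method, host, int(size)


def find_upload_streams(text, min_posts=5, max_interval_s=10.0, min_bytes=100_000):
    """Flag (client, host) pairs that repeatedly POST large bodies at short
    intervals. Thresholds are assumptions; returns one dict per suspicious pair."""
    uploads = defaultdict(list)
    for ts, client, method, host, size in parse_log(text):
        if method == "POST" and size >= min_bytes:
            uploads[(client, host)].append(ts)

    findings = []
    for (client, host), times in uploads.items():
        times.sort()
        if len(times) < min_posts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= max_interval_s:
            findings.append({
                "client": client,
                "host": host,
                "posts": len(times),
                "avg_interval_s": avg_gap,
                "max_interval_s": max(gaps),
            })
    return findings


if __name__ == "__main__":
    for f in find_upload_streams(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['posts']} large POSTs, "
              f"avg {f['avg_interval_s']:.1f}s apart")
```

Legitimate uploads (backups, video calls) will also match a naive version of this rule, so in practice the destination would be checked against known-good services before alerting, and the flagged client would be pivoted into endpoint telemetry to confirm a screenshot-capture process.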

Continue reading …

DevSecOps: Building Continuous Security Into IT and App Infrastructures

With software now at the heart of essential business processes, organizations must build security into their IT and application development pipeline to prevent breaches, avoid compliance violations, and protect digital transformation initiatives.

This especially applies to organizations creating and deploying applications quickly and continuously using DevOps, in which development and operations teams add agility and efficiency to software lifecycles with automation tools, pre-built third-party code and constant collaboration.

DevOps replaces the traditional, linear “waterfall” method, in which each team works in a silo with minimal communication and coordination, often resulting in lengthy software lifecycles and code that is buggy and insecure.

But for all the speed and flexibility that DevOps adds to IT and application development and delivery — and to the business initiatives powered by the software — it can backfire if security is an afterthought or left out altogether.

Instead, security pros, processes and tools must be threaded seamlessly into DevOps to end up with DevSecOps. Continue reading …
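A concrete way to thread a security tool into the pipeline, as this post and the DevSecOps webcast Q&A above describe, is a gate that fails the build when a scan of the pre-built third-party components reports findings above an agreed severity, with an explicit allowlist for risks the team has accepted. The script below is an added example and not Qualys code; the JSON report shape, the package names and the severity scale are constructed for illustration, and a real pipeline would map its scanner's output onto that shape before calling it.

```python
"""CI gate that fails a build on vulnerable third-party components.

Added example, not Qualys code. The report format is a constructed, generic
JSON shape (one entry per finding: package, version, severity, fixed_in);
map your scanner's output onto it before use.
"""
import json
import sys

# Constructed scanner output for a build that pulls three third-party packages.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"package": "libfoo", "version": "1.2.0", "severity": "critical", "fixed_in": "1.2.1"},
        {"package": "libbar", "version": "0.9.3", "severity": "medium", "fixed_in": None},
        {"package": "libbaz", "version": "4.0.0", "severity": "high", "fixed_in": "4.0.2"},
    ]
})

# Assumed severity scale; unknown severities rank as 0 and never block.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate(report_json, fail_at="high", allowlist=()):
    """Return (passed, blocking, waived).

    blocking: findings at or above fail_at that are not on the allowlist
    waived:   findings at or above fail_at that were explicitly accepted
    The allowlist is keyed by package@version so an accepted risk expires
    the moment the component is bumped and has to be re-reviewed.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived = [], []
    for f in json.loads(report_json)["findings"]:
        if SEVERITY_RANK.get(f["severity"].lower(), 0) < threshold:
            continue
        key = f"{f['package']}@{f['version']}"
        (waived if key in allowlist else blocking).append(f)
    return (not blocking), blocking, waived


def main(argv):
    """Read a report path from argv (or use the constructed sample) and return
    the process exit status: 0 lets the pipeline continue, 1 stops it."""
    path = argv[1] if len(argv) > 1 else None
    report = open(path).read() if path else SAMPLE_REPORT
    passed, blocking, waived = evaluate(report, fail_at="high")
    for f in blocking:
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fix available"
        print(f"BLOCK  {f['package']}@{f['version']} [{f['severity']}] {fix}")
    for f in waived:
        print(f"WAIVED {f['package']}@{f['version']} [{f['severity']}]")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as the last step of the build job, the non-zero exit status is what makes the pipeline stop; printing the fix version alongside each blocking finding keeps the feedback loop inside the developer's workflow rather than in a separate security ticket.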

InfoSec Pros Must Fasten Their Seatbelts for Digital Transformation Ride

The IT industry has gone through multiple revolutions – client-server computing, the Internet’s rise, virtualization, mobility – but none rivals the unprecedented impact of today’s digital transformation.

The implications for InfoSec professionals are broad, requiring that they adapt quickly to the profound changes brought about by digital transformation trends.

“Whether you’re ready or not, it’s coming at you, and it’s coming at you very fast,” Scott Crawford, Research Director of Information Security at 451 Research, told Qualys Security Conference 2017 attendees last week in Las Vegas.

Continue reading …

Webcast Q&A: Automating the CIS Critical Security Controls

Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.

In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.

Continue reading …

Bad Rabbit – Ransomware

(updated: 10/26/2017 with additional file hashes and mitigations)

A new ransomware campaign has hit at least three Russian media companies in a fast-spreading malware attack. Fontanka and Interfax are among the companies affected by the ransomware, named Bad Rabbit by the researchers who first discovered it. The malware is delivered as a fake Flash installer and spreads over SMB by trying a hardcoded list of credentials against other hosts on the network. Bad Rabbit does not employ any exploits to gain execution or elevate privileges. The Ukrainian computer emergency response team, CERT-UA, has issued an incident alert noting that Odessa airport and the Kiev subway were also affected. It is unclear whether this alert concerns Bad Rabbit, but CERT-UA suspects it may be the start of a new wave of cyberattacks.
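The SMB credential-guessing described above shows up in Windows Security logs as a burst of failed network logons (event 4625, logon type 3) from one source address against many different hosts, followed by a successful network logon (4624) on whichever host accepted one of the hardcoded credentials. The script below is an added example, not part of the Qualys post: it flags that pattern over a handful of constructed event records. The record field names are assumptions about how a SIEM normalizes those events, and the thresholds are starting points to tune.

```python
"""Detect one host trying a fixed credential list over SMB against many peers.

Added example, not from the Qualys post. Events are constructed, simplified
records modelled on Windows Security log entries (4625 = failed logon,
4624 = successful logon; logon type 3 = network, which covers SMB). The
field names are assumptions; map your SIEM's schema onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, event_id, src_ip, target_host, account, logon_type=3):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src_ip, "target_host": target_host, "account": account}


# Constructed sample: 10.0.0.15 walks four hosts with two accounts within a
# few seconds and finally gets in on WS-04; 10.0.0.40 is a user who mistyped
# a password once and then logged on normally.
SAMPLE_EVENTS = [
    _ev("2017-10-24T11:00:00", 4625, "10.0.0.15", "WS-01", "administrator"),
    _ev("2017-10-24T11:00:01", 4625, "10.0.0.15", "WS-01", "admin"),
    _ev("2017-10-24T11:00:02", 4625, "10.0.0.15", "WS-02", "administrator"),
    _ev("2017-10-24T11:00:03", 4625, "10.0.0.15", "WS-02", "admin"),
    _ev("2017-10-24T11:00:04", 4625, "10.0.0.15", "WS-03", "administrator"),
    _ev("2017-10-24T11:00:05", 4625, "10.0.0.15", "WS-03", "admin"),
    _ev("2017-10-24T11:00:06", 4625, "10.0.0.15", "WS-04", "administrator"),
    _ev("2017-10-24T11:00:07", 4624, "10.0.0.15", "WS-04", "admin"),
    _ev("2017-10-24T11:02:10", 4625, "10.0.0.40", "FS-01", "jsmith"),
    _ev("2017-10-24T11:02:25", 4624, "10.0.0.40", "FS-01", "jsmith"),
]


def detect_credential_spray(events, window=timedelta(minutes=5),
                            min_hosts=3, min_failures=5):
    """Return one finding per source IP whose failed network logons reach at
    least min_failures across at least min_hosts distinct hosts inside one
    sliding window, plus any network logon that succeeded after the spray began."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:          # network logon: SMB, among others
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e))

    findings = []
    for src, items in by_src.items():
        items.sort(key=lambda pair: pair[0])
        failures = [(t, e) for t, e in items if e["event_id"] == 4625]
        best = None
        lo = 0
        for hi in range(len(failures)):          # sliding window over failures
            while failures[hi][0] - failures[lo][0] > window:
                lo += 1
            chunk = failures[lo:hi + 1]
            hosts = {e["target_host"] for _, e in chunk}
            if len(chunk) >= min_failures and len(hosts) >= min_hosts:
                if best is None or len(chunk) > best["failures"]:
                    best = {"src_ip": src, "start": chunk[0][0], "end": chunk[-1][0],
                            "failures": len(chunk), "hosts": sorted(hosts),
                            "accounts": sorted({e["account"] for _, e in chunk})}
        if best is None:
            continue
        # A network logon that succeeds after the spray started is the hit the
        # attacker was after: one of the hardcoded credentials worked there.
        best["successful_logons"] = sorted({
            (e["target_host"], e["account"])
            for t, e in items
            if e["event_id"] == 4624 and t >= best["start"]})
        findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_credential_spray(SAMPLE_EVENTS):
        print(f"{f['src_ip']}: {f['failures']} failed network logons against "
              f"{len(f['hosts'])} hosts using {f['accounts']}; "
              f"succeeded on {f['successful_logons'] or 'none'}")
```

The hosts listed under a finding's successful_logons are the ones to isolate first, since a worm that spreads with a fixed credential list will already be running there; the same list also tells you which accounts share a password across the estate and need to be rotated.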

Continue reading …

ACLU Attorney: U.S. Citizens Legally Unsheltered from Abusive Surveillance

U.S. law has failed to protect Americans from widespread and excessive surveillance, a dire situation that requires immediate attention from citizens, lawmakers, attorneys, privacy experts and the courts.

That was the urgent warning Jennifer S. Granick, Surveillance and Cybersecurity Counsel at the American Civil Liberties Union, conveyed to attendees of the Qualys Security Conference 2017 during the event’s closing keynote speech.

Continue reading …

Gartner: The Pursuit of Perfection Weakens InfoSec Effectiveness

While malicious hackers are the obvious enemies of InfoSec pros, there’s something else that puts IT environments in danger: Perfectionism.

When applied to security, perfectionism becomes detrimental, creating a false certainty that all bases are covered and yielding a fundamentally flawed approach to protecting enterprises from attacks, according to Neil MacDonald, a Gartner Distinguished Analyst and Vice President.

“Perfect security is impossible,” MacDonald said during a keynote speech at the Qualys Security Conference 2017 on Thursday.

Continue reading …

The Shift from Securing our Networks to Enabling the Digital Transformation of our Enterprises

It’s not yet Thursday, but attendees at Qualys Security Conference 2017 were treated to a major “throwback” as CEO and Chairman Philippe Courtot journeyed back centuries during QSC17’s opening keynote to illustrate the seismic changes of today’s digital revolution.

Courtot cited some of history’s biggest shifts, such as the development of the printing press, which dramatically accelerated the distribution of knowledge, triggering massive political and economic changes, as well as Copernicus’ heliocentric model, which upended astronomy.

The difference is that changes of that magnitude are happening much more frequently in our time, as the Internet powers developments driven by digital technologies at dizzying speeds.

Continue reading …