With the newly available Qualys Consulting Edition, consultants and MSPs can now individually manage their mid-market client networks, keeping data separate and organized. This lets them offer their clients tailored, personalized services, with valuable insights and recommendations for threat prevention, detection, and response.
The solution’s flexibility allows consultants to customize the deployment and setup for each client’s unique environment. It’s all based on the highly-scalable Qualys Cloud Platform, which is trusted by many of the world’s largest businesses and service providers.
The annual Qualys user conference, QSC18, is quickly approaching, and we are looking for customer presentations showcasing how you use Qualys to enable security best practices and secure your digital transformation.
If you would like to be considered as a presenter, please send a session title and short abstract to David Conner at email@example.com. The CFP is open until October 11, 2018. Qualys will cover travel costs for approved customer presenters.
This year’s event will be held on November 14-15 at the Bellagio Hotel in Las Vegas. QSC is a unique forum to connect our customers and partners with our engineers and leading industry experts. To learn more about Qualys Security Conference, watch the QSC17 highlights video.
A swipe of confidential data from almost 400,000 British Airways customers. A string of app takedowns at the Mac App Store after exfiltration findings. A gargantuan data breach at a Chinese hotel chain. An unpatched zero-day Windows bug exploited in the wild. These are some of the security news that have recently caught our eye.
Could British Airways hit GDPR turbulence after data breach?
Hackers breached British Airways’ website and mobile app during a two-week period recently, and may have stolen personal and financial information of 380,000 customers, including payment card details. The airline disclosed the hack last week, saying that the cyber criminals had access to the breached systems between Aug. 21 and Sept. 5.
Credit card information included the 3- or 4-digit security codes printed on the cards. Other information that was at risk included names, billing addresses, and email addresses. This set of information puts affected customers at risk for a variety of fraudulent activity, including unauthorized use of their payment card and email “phishing” scams.
Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.
To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.
White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.
It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.
“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.
“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.
With container adoption booming, security teams must protect the applications that DevOps teams create and deploy using this method of OS virtualization. The security must be comprehensive across the entire container lifecycle, and built into the DevOps pipeline in a way that is seamless and unobtrusive.
Accomplishing this requires an understanding of Docker container technology and the adoption of processes and tools tailored for these environments. In a recent webcast, Qualys Director of Product Management Hari Srinivasan, an expert on cloud and container security, outlined container security risks, use cases, and best practices.
Read on to learn about Srinivasan’s recommendations for gaining visibility into container assets, doing vulnerability analysis, and detecting drifting runtimes across your DevOps pipeline.
Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.
“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.
The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.
Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability — but scarier than last year’s. An Android spyware that records your phone calls. These are some of the security news that have caught our attention.
New Struts Bug Should Be Patched Yesterday
Apache patched a serious remote code execution vulnerability (CVE-2018-11776) affecting all supported versions — 2.3 to 2.3.34 and 2.5 to 2.5.16 — of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.
In the Apache security bulletin, the vulnerability is rated “Critical” and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.
The remote code execution becomes possible “when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace” and “when using url tag which doesn’t have value and action set,” the bulletin reads.
Organizations should upgrade to the patched Struts versions even if their applications aren’t vulnerable to this bug. “An inadvertent change to a Struts configuration file may render the application vulnerable in the future,” stated Semmle, whose security researcher Man Yue Mo discovered this vulnerability.
WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.
WannaCry hits Taiwan Semi
The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.
Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.
According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.
Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.
That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.
Qualys Malware Research Labs recently released the Qualys BrowserCheck CoinBlocker Chrome Extension. We have seen enthusiastic adoption from users across the globe in the first week since its release, which has given us enough telemetry data to indicate success in protecting users from popular cryptojacking attacks. This blog post details these detection statistics and analyzes a few interesting cryptojacking campaigns uncovered by Qualys BrowserCheck CoinBlocker.
About Qualys BrowserCheck CoinBlocker
The world heat map below shows the geographical distribution of mining threats as a percentage of detections blocked by Qualys BrowserCheck CoinBlocker. The Top 5 countries where mining threats are detected and blocked are Bulgaria (33%) topped the list followed by India (18%), the United States (16%), Argentina (10%) and Thailand (9%).