Microsoft Patch Tuesday: July 2008 Security Bulletin

Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 4 new vulnerabilities present in Microsoft Windows. Yesterday’s Microsoft Patch Tuesday marks a first – a synchronized, industry-wide effort to patch a common vulnerability. Customers can immediately audit their networks for these and other recent vulnerabilities by accessing their QualysGuard subscription.

In July, Microsoft released 4 security patches to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released checks for these new vulnerabilities, including:

– DNS Could Allow Spoofing
– Microsoft Windows Explorer Remote Code Execution Vulnerability
– Microsoft Outlook Web Access for Exchange Server Elevation of Privilege
– Microsoft SQL Server Could Allow Elevation of Privilege

Coming Soon — the next update on Qualys® Vulnerability R&D Lab takes place August 12th.

Qualys Adds Red Hat Exec To Board

Alex Pinchev has become the latest member to join the Qualys board of directors. Pinchev, who is Red Hat’s president of global sales, services and field marketing, had this to say — "Qualys has demonstrated significant traction and industry leadership through its successful SaaS delivery model and most recently with its integrated QualysGuard® Security and Compliance Suite. I look forward to working with the Qualys executive team and its board members to help drive on-demand security innovation."

80,000+ Financial Service Accounts Protected With Automated Vulnerability Discovery and Remediation

Doug Spaw, network engineer for VSR Financial Services, wanted to achieve effective and efficient IT security and risk mitigation while ensuring regulatory compliance for the organization’s 80,000+ clients and 300+ registered users.

"We selected QualysGuard because of the simplicity of its SaaS model. You set it up, and it just works," stated Doug. "We rely on QualysGuard Express to scan more than 128 IP addresses, which includes our internal servers and systems as well as all of the company’s Internet-facing devices. The reports from these assessments are very detailed, which helps us to resolve any issues we find quickly."

QualysGuard will also keep VSR Financial Services prepared for all possible future regulations that will affect the broker/dealer industry. To read more about how Doug addresses threats without the substantial cost, resource demands, and deployment hassles associated with traditional software scanners, visit:
http://www.qualys.com/docs/customers/casestud/VSR.pdf

Information Security Highlights Qualys Customer TransUnion

Information Security reporter Neil Roiter speaks with Victor Hsiang, director of the information security architecture group at TransUnion. Victor shares how the Qualys Software-as-a-Service (SaaS) model has enabled TransUnion, a global consumer credit reporting bureau, to streamline and easily extend its vulnerability management program to many locations.

"The product approach requires individual purchases of the license at each location, purchasing a platform to load licenses on and administration of that platform, then the care and feeding of it," says Victor Hsiang, director of TransUnion’s information security architecture group. "With the service approach, from a corporate perspective, we can pick up the cost of Qualys and absorb the business units into the whole process."

Hsiang will beta test the Policy Compliance module at TransUnion, and expects it to integrate with his group’s program of using the vulnerability management service and a central database to certify systems through a cycle of vulnerability scanning, ticketing and remediation.

"We won’t have to reinvent the wheel; the compliance module fits into the architecture we’ve developed for tracking and fixing vulnerabilities," says Hsiang.

Introducing QualysGuard Policy Compliance

QualysGuard Policy Compliance extends QualysGuard global scanning capabilities to collect OS configuration and application access controls from hosts and other assets within the enterprise, and maps this information into policies to fix and document compliance with regulations and mandates.

QualysGuard Policy Compliance Benefits:

  • Combined agent-less solution for vulnerability and configuration scanning
  • Rapid global deployment with the QualysGuard Software-as-a-Service (SaaS) delivery model requiring no software to install or maintain
  • Centralized approach to policy definition and management
  • Customizable auditing capabilities for multiple regulatory initiatives and mandates including SOX, HIPAA, GLBA, Basel II and others
  • Comprehensive instructions and audit trails to review and prove compliance with auditors

For more details, please visit:
http://www.qualys.com/solutions/policy_compliance/

QualysGuard 6.0: Reporting Metrics for Enterprise Stakeholders

QualysGuard 6.0 enables security managers and key organization executives, including business line managers, members of the board and auditors, to get an on-demand view of IT security and compliance within the enterprise. QualysGuard 6.0 offers new metrics reporting, supported by scorecards and secure, collaborative report distribution workflows, which helps operations and IT staff to be efficient and communicate effectively with auditors and executive management.

QualysGuard PCI: Determine Your Compliance Gaps and Take Action to Ensure Full Compliance

The new Self-Assessment Questionnaire (SAQ) Version 1.1, issued by the Payment Card Industry (PCI) Security Standards Council (PCI SSC), is now available within QualysGuard PCI. Implementation of the new SAQ allows customers to complete all versions of the questionnaire online and e-file it securely with their acquiring banks. The SAQ is available at https://www.pcisecuritystandards.org/tech/saq.htm and consists of four unique forms to meet various business scenarios.

The SAQ is for use primarily by Level 2, 3 and 4 merchants (and some smaller service providers), as defined by the major credit-card brands — Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International — to validate compliance with the PCI Data Security Standard (PCI DSS). The PCI SSC updated SAQ version 1.0 to better align with PCI DSS version 1.1 and created four variants to ensure merchants only answer questions relevant to their environment. Each of the four variants, labeled A, B, C and D, has qualifying questions used to determine which of the four questionnaires a merchant is required to complete.

QualysGuard fully supports all four types of questionnaire, labeled A-D, including the ability to enter online comments for compensating controls, provide a remediation action plan for non-compliant sections, complete attestation of the assessment and electronically sign the SAQ online. More details on the QualysGuard PCI implementation or on SAQ 1.1 are available in the PCI Questionnaires chapter at: http://www.qualys.com/docs/QG_PCI_GSG.pdf

Dummies Guide to Vulnerability Management — Now Available

Just released – "Dummies Guide to Vulnerability Management", in conjunction with publisher John Wiley & Sons. This VM handbook is an easy-to-read and informative guide that explains the essentials of vulnerability management and educates readers on selecting the right tools to manage vulnerabilities automatically, ensuring that their networks are safe from attacks. In five succinct parts, the book leads readers through a basic understanding of vulnerability management and provides a guide to essential best practices, the various options available, the pros and cons of automated vulnerability management, and a valuable 10-point checklist for removing existing vulnerabilities in the network.

To download a free copy, visit
http://www.qualys.com/dummies.

Cisco’s Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett focus on Security Risk and Compliance Best Practices

Cisco’s Doug Dexter, Michael Mucha of Stanford Hospital and Gartner analyst Mike Nicolett take part in an informative program focused on Security Risk and Compliance Best Practices, addressing the vulnerability management lifecycle and technology, and security configuration assessments.

See and hear Doug and Michael’s approach with insight from Mike Nicolett of Gartner for implementing vulnerability management and the results it has produced for their security organizations. 

To view video, go to: http://www.qualys.com/gartnervideo

Stanford Hospital CISO Michael Mucha in Information Security Magazine — 7 Security Questions to Ask Your SaaS Provider

“The biggest thing we focus on with all of this is control of the data,” says Michael Mucha, chief information security officer for Stanford Hospital in Palo Alto, Calif., which uses several clinical applications that are delivered as a service, including transcription, and radiology and analysis systems. Given that health care is by far the most regulated industry he has worked in, Mucha has created a standardized checklist for his technical assessment of any application delivered via the SaaS model. Among the most critical of those items are whether or not the service provider complies with SAS 112 audit requirements (which applies to nonprofits), how it documents its procedures for handling a security breach, and how it handles requests for changes and customized features, Mucha says.

Even more important will be the simple policies that a SaaS provider uses among its staff to protect your data. “We have complete access to the data, and we are the only ones with control of the authentication,” Mucha says. “The point is that you need a consistent approach to all these situations.”