In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.

As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.

With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.

For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.

To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.

After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.

Continue reading …

This last week or so of May has been busy with security news and incidents, as the FBI put out an unprecedented call to do a massive wave of reboots of home and small office routers, while Intel confirmed the existence of yet another Spectre / Meltdown variant. And, yes, we had yet another high-profile instance of an unprotected AWS storage bucket exposing data, as well as more IoT security bad news.

Unplug and reset that router pronto!

As you may have heard by now, THE FBI WANTS YOU TO REBOOT YOUR ROUTERS!

Sorry, we didn’t mean to use our outside voice and startle you, but the urgent and extraordinary plea from the feds has been ubiquitous in recent days and we wouldn’t want you to be out of the loop.

The reason: It takes a village to dismantle a botnet that has infected 500,000 home and small office routers, as well as other networked devices, with the VPNFilter malware.

The FBI discovered the botnet, which it says was assembled by Russian hacker group Sofacy. Also known as Fancy Bear, the group has targeted government, military, security and intelligence organizations since 2007. It’s credited with the hack of the Democratic National Committee in 2016.

By rebooting their home and small business routers, people won’t get rid of the malware, but the move will prevent it from escalating to more destructive stages, and allow the FBI to deepen its intervention.

As Cnet explained: “Rebooting your router will destroy the part of the malware that can do nasty things like spy on your activities, while leaving the install package intact. And when that install package phones home to download the nasty part, the FBI will be able to trace that.”

Continue reading …

This release of the Qualys Cloud Platform version 2.33 includes the release for CertView, plus updates and new features for AssetView, Cloud Agent, EC2 Connector, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.

Continue reading …

Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

Qualys Security Conference 2018, held in Mumbai on May 10, fortified Qualys’ stand as the leader in securing Digital Transformation in the current global IT landscape. In his keynote, “Our Journey into the Cloud: The Qualys Platform and Architecture”, Qualys Vice President of Product Management Chris Carlson spoke about the company’s journey so far and how it has impacted the way Qualys customers do business, especially in India.

Carlson mentioned at the conference that drives organizations to achieve newer heights, but at the same time, it introduces challenges too. India claims a large market share in the global IT and ITeS market and continues to grow at a steady pace, Carlson added. Factors such as ensuring confidentiality of customer and corporate data, and protecting the integrity of IT environments are of paramount importance today for businesses in India and elsewhere. Carlson touched upon the challenges that India faces and how Qualys solutions have successfully helped Indian enterprises to meet those challenges and surge ahead of their competitors.

Continue reading …

The EU’s General Data Protection Regulation (GDPR) goes into effect  today, imposing strict security requirements on any company worldwide that handles the personal data of EU residents. Qualys Security Assessment Questionnaire (SAQ) – a Qualys app that helps you with this type of procedural risk assessment — has been enhanced with new GDPR-specific templates.

Assessing  procedural controls can be challenging. However, a huge amount of time and money can be saved if you have out-of-the-box questionnaire templates that you can distribute as is or slightly modify as necessary, instead of having to craft questionnaires from scratch.  

This is one of the ways that Qualys SAQ can help you carry out holistic assessments of GDPR procedural compliance and generate reports based on responses.

Continue reading …

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policy and updates:

• CID 3777 and 3781 will be removed in 30 days and have newer replacement controls.
• CIS Benchmark coverage for Network Devices including Cisco Firewall ASA, Palo Alto Firewall, Cisco NX-OS, JunOS 12/13
• CIS for Oracle 11gR2, 12c, and Microsoft Windows 10 r1607/r1703
• Adobe Common Controls Framework for Google Chrome and Microsoft Internet Explorer
• Refresh of several DISA STIG and CIS Benchmarks to latest versions
• Updated control settings in mandate-based policies

Continue reading …

To provide the level of data protection required by the EU’s General Data Protection Regulation (GDPR), your organization must continuously detect vulnerabilities, and prioritize their remediation.

Why? An InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and unable to pinpoint the critical ones that must be remediated immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.

The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls. “Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.

In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. The reason: Many organizations fail to detect and remediate critical bugs on a timely basis, leaving them like low-hanging fruit for cyber data thieves to feast on.

In this second installment of our GDPR compliance blog series, we’ll explain the importance of vulnerability management and threat prioritization, and how Qualys can help you solidify these practices so you can slash your risk of data breaches.

Continue reading …

Turned into law in 2016, the EU’s General Data Protection Regulation (GDPR) finally goes into effect this week, slapping strict requirements on millions of businesses and subjecting violators to severe penalties. The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes personal data of EU residents, whose security and privacy GDPR fiercely protects.

GDPR calls this data’s protection a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish. Its requirements amount to what some have called zero-tolerance on mishandling EU residents’ personal data.

A PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% planning to spend $1 million or more on GDPR readiness. “Data protection has been a thing organizations know about, but GDPR has brought it all to the forefront,” Richard Sisson, Senior Policy Officer at the U.K.’s Information Commissioner’s Office (ICO) said during a recent GDPR roundtable.

Continue reading …

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Continue reading …