Network Security Blog | Qualys, Inc. – Page 2 – Expert network security guidance, news and information from the Qualys research team

Securing Public Clouds for Digital Transformation Success

Posted by Hari Srinivasan in Qualys News, Qualys Technology on July 18, 2017

As organizations seek digital transformation benefits and aggressively move workloads to public cloud platforms, InfoSec teams must support their business units’ efforts by adapting and properly protecting these environments.

This may sound surprising to those who think that, when you use a public cloud service, the platform provider takes on all security and compliance tasks. Rather, these public cloud service providers operate on a “shared security responsibility” model, so the burden is split between you and them.

In other words, you get to define your controls in the cloud to protect your data and infrastructure, while the cloud provider takes care of the security of the cloud.

1 Comment
Permalink
Tags: aws, azure, cloud security, google cloud, public cloud

Q&A: Conducting Cloud-Based Vendor Risk Audits With Qualys SAQ

Posted by Juan C. Perez in Qualys News, Qualys Technology on July 12, 2017

Q&A: Conducting Cloud-Based Vendor Risk Audits With Qualys Security Assessment Questionnaire SAQ Third-party security assessments drastically reduce your organization’s risk of suffering a data breach. When carried out properly, these assessments identify poor InfoSec and privacy practices among your vendors, partners, contractors, and other third parties with access to your IT systems and data. Unfortunately, many businesses conduct these assessments manually, using email and spreadsheets, which makes them labor-intensive, slow and imprecise. This manual approach strains InfoSec teams and creates a backlog of security evaluations.

In a recent webcast, “Streamlining Third Party Risk Assessments in the Cloud,” a Qualys customer discussed how his organization tackled this challenge in a way that improved productivity, efficiency, visibility, and risk analysis. Below are the answers to the questions asked by participants during the Q&A portion of the presentation, provided by speakers Jonathan Osmolski, Manager of Enterprise Records and Information Governance at Pekin Insurance, and Hariom Singh, Director of Product Management for Qualys Security Assessment Questionnaire (SAQ).

No Comments
Permalink
Tags: saq, third party risk, vendor risk

July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches

Posted by Jimmy Graham in The Laws of Vulnerabilities on July 11, 2017

Today Microsoft released patches covering 54 vulnerabilities as part of July’s Patch Tuesday update, with 26 of them affecting Windows. Patches covering 19 of these vulnerabilities are labeled as Critical, all of which can result in Remote Code execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.

Countdown to GDPR: Prioritize Vulnerability Remediation

Posted by Jimmy Graham in Qualys News, Qualys Technology on July 11, 2017

The EU’s GDPR (General Data Protection Regulation) demands that organizations stringently protect EU residents’ data they hold, share and process, which requires having solid InfoSec practices, including threat prioritization.

No, there is no specific mention of prioritization of vulnerability remediation in the regulation’s text. In fact, only a few InfoSec technologies and practices are mentioned by name.

What is stressed throughout the 88-page document is the call for both data “controllers” and data “processors” to protect this customer information by implementing “appropriate technical and organisational measures”, a phrase repeated multiple times.

No Comments
Permalink
Tags: asset inventory, compliance, data breach, gdpr, prioritization, regulations, threatprotect, vulnerability management

SSL Labs Grading Redesign (Preview 1)

Posted by Ivan Ristic in SSL Labs on June 30, 2017

We’re excited to share with you the first preview of our next-generation grading. This is something that’s long overdue but, due to lack of available time, we managed to keep up patching the first-generation grading to keep up with the times. Now, finally, we’re taking the next necessary steps to modernise how we grade servers based on our assessments.

Save Time by Streamlining Vendor Risk Assessments in the Cloud

Posted by Juan C. Perez in Qualys News, Qualys Technology on June 29, 2017

As your organization enthusiastically adopts cloud and mobile services from multiple new vendors, are your already-busy security and compliance teams scrambling to assess the risks of using these new providers’ products?

Are you still using a manual process for conducting these vendor evaluations, even though you’re being asked to do more of them, and to complete them more quickly?

This is an increasingly common scenario in enterprises globally, and it creates a challenge for InfoSec teams: How to do more vendor risk assessments, and faster, so that business units can deploy these new cloud and mobile services quickly and gain the desired competitive edge?

Pekin Insurance, a provider of life, business, auto, home and health coverage, found itself in this position last year: Using a manual process that taxed its InfoSec team members and didn’t scale.

No Comments
Permalink
Tags: saq, third party risk, vendor risk

Countdown to GDPR: Get 20/20 Visibility into Your IT Assets

Posted by Pablo Quiroga in Qualys Technology on June 28, 2017

Anyone questioning the importance of IT asset visibility in an organization’s security and compliance postures ought to review the EU’s General Data Protection Regulation (GDPR), which goes into effect next year.

With the severe requirements the GDPR places on how a business handles the personal data of EU residents, it’s clear a comprehensive IT asset inventory is a must for compliance.

Specifically, companies must know what personally identifiable information (PII) they hold on these individuals, where it’s stored, with whom they’re sharing it, how they’re protecting it, and for what purposes it’s being used.

In this second installment of our blog series on GDPR readiness, we’ll explain how organizations need full visibility into all hardware and software involved in the processing, transmission, analysis and storage of this PII data, so they’re able to protect it and account for it as required by the regulation.

Continue reading …

No Comments
Permalink
Tags: asset inventory, asset management, asset tags, assetview, gdpr, regulations

Petya Ransomware: What You Need to Know

Posted by Jimmy Graham in Security Labs on June 27, 2017

On Tuesday, a variant of the ransomware “Petya” began propagating in several countries across Europe. This new variant leverages the EternalBlue exploit used in WannaCry, and also takes advantage of misconfigured permissions to spread throughout the network.

EternalBlue is a leaked exploit developed by the NSA that leverages the vulnerability patched in MS17-010. All unpatched versions of Windows are vulnerable to EternalBlue, excluding recent versions of Windows 10. Microsoft has also chosen to release patches for some end-of-support versions of Windows.

1 Comment
Permalink
Tags: eternalblue, petya, ransomware, wannacry

Qualys Cloud Suite 8.10.1 New Features

Posted by Tim White in Qualys Technology on June 26, 2017

This new patch release of the Qualys Cloud Suite, version 8.10.1, includes updates to password management, user roles & permissions, and User Defined Control improvements in Qualys Policy Compliance (PC).

1 Comment
Permalink
Tags: notification, pc, platform, product news, qualysguard, vm

Qualys Cloud Platform 2.28 New Features

Posted by Chris Carlson in Qualys Technology on June 21, 2017

This release of the Qualys Cloud Platform version 2.28 includes updates and new features for Cloud Agent, AssetView, ThreatPROTECT, Security Assessment Questionnaire and Web Application Scanning, highlights as follows:

No Comments
Permalink
Tags: api, assetview, cloud agent, questionnaire, saq, threatprotect, was, web application scanning