When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.
“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.
It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said.
Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.
Maintaining an IT asset inventory is essential for a strong security posture, but digital transformation has further complicated this already challenging task.
“The volume and variety of assets, including cloud, virtualization, mobility and IoT, is disrupting IT, and security takes center stage,” Pablo Quiroga, a Qualys Director of Product Management, said during QSC18 Virtual Edition.
Consequently, many security teams can’t definitively answer questions like: What are your IT assets? Where are they located? Who are their owners and users? How are assets related?
Having asset-inventory blind spots heightens security risks, which is why most regulations and standards highlight this practice. For instance, the Center for Internet Security’s Top 20 controls begin with inventory and control of hardware and software, because attackers constantly look to exploit vulnerable assets.
In his presentation, titled “Global IT Asset Discovery, Inventory, and Management,” Quiroga explained the importance of a complete and accurate inventory, and how Qualys can help. Read on to learn more.
Turned into law in 2016, the EU’s General Data Protection Regulation (GDPR) finally goes into effect this week, slapping strict requirements on millions of businesses and subjecting violators to severe penalties. The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes personal data of EU residents, whose security and privacy GDPR fiercely protects.
GDPR calls this data’s protection a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish. Its requirements amount to what some have called zero-tolerance on mishandling EU residents’ personal data.
A PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% planning to spend $1 million or more on GDPR readiness. “Data protection has been a thing organizations know about, but GDPR has brought it all to the forefront,” Richard Sisson, Senior Policy Officer at the U.K.’s Information Commissioner’s Office (ICO) said during a recent GDPR roundtable.
With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.
GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.
A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.
“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.
GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.
To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.
Unfortunately, many organizations are far from ready to comply with GDPR.
In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks.
Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months, even years. Hackers routinely feast on all that low-hanging fruit to hijack systems, steal data, deface websites and disrupt operations.
We all know it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient. But InfoSec teams agree that fixing the most dangerous bugs on a timely basis is not only doable but also necessary.
The problem is that prioritizing remediation and pinpointing those critical vulnerabilities is difficult when — as is often the case — organizations lack continuous and automated vulnerability management, asset inventorying and threat analysis.
Unsurprisingly, recent Qualys data on patching behavior shows that remediation activity is directly related to the level of risk attached to specific vulnerabilities. And in some cases, specifically when it comes to the realm of IoT devices, patching is always slow, and often non-existent.
Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.
They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.
If a CISO needed to cut cyber attack risk by 85%, how would this security chief go about accomplishing that? Would the CISO even know where to begin? It’s safe to say that such a mandate would be considered daunting, and maybe even overwhelming.
CISOs are scrambling to protect IT infrastructures whose boundaries are increasingly fluid due to the adoption of mobility, cloud computing, IoT, and other new technologies. They get bombarded daily with information — research studies, threat warnings, vendor announcements, regulatory requirements, industry recommendations. Making sense out of it all is a challenge.
For InfoSec pros, it’s easy to get overwhelmed by the constant noise from cybersecurity industry players — vendors, research firms, consultants, industry groups, government regulators and media outlets. A good antidote for this hyperactive chatter is to refocus on foundational InfoSec practices. That’s what SANS Institute Senior Analyst John Pescatore and I will do this week: An immersion into the Center for Internet Security’s Critical Security Controls (CSCs).
During an hour-long webcast on Sept. 28, we’ll be discussing the benefits of implementing these 20 recommended controls. Initially published in 2008, these information security best practices have been endorsed by many leading organizations and successfully adopted by thousands of InfoSec teams over the years. Now on version 6.1, the CIS CSCs map effectively to most security control frameworks, as well as regulatory and industry mandates, and are more relevant and useful than ever.
Destruction of service. Get acquainted with this newly-minted term, and with its acronym — DeOS. It’s a particularly disturbing type of cyber attack InfoSec teams may face regularly in the not too distant future.
That’s one of the main findings featured in the Cisco 2017 Midyear Cybersecurity Report, a comprehensive cyber security study the networking giant has been publishing for almost a decade.
Due to several troubling developments, including the expected popularization of DeOS attacks — intended to wreck breached IT systems — and the proliferation of IoT device use in DDoS attacks, this report blares a special alarm.
“We must raise our warning flag even higher,” reads the report, which is based on research and data from Cisco and several of its technology partners, including Qualys. “Our security experts are becoming increasingly concerned about the accelerating pace of change — and yes, sophistication — in the global cyber threat landscape.” Continue reading …
The EU’s GDPR (General Data Protection Regulation) demands that organizations stringently protect EU residents’ data they hold, share and process, which requires having solid InfoSec practices, including threat prioritization.
No, there is no specific mention of prioritization of vulnerability remediation in the regulation’s text. In fact, only a few InfoSec technologies and practices are mentioned by name.
What is stressed throughout the 88-page document is the call for both data “controllers” and data “processors” to protect this customer information by implementing “appropriate technical and organisational measures”, a phrase repeated multiple times.
When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry.