The out-of-band release of Qualys PCI Compliance that adds support for PCI DSS 3.1 is out! The primary intention of this release is to address SSL and TLS encryption issues that have evolved recently. Effective immediately merchants are prohibited from implementing new technologies that rely on SSL or early TLS. SSL and early TLS cannot be used in any way as standalone security control after June 30, 2016. So basically merchants have about 14 months to remove SSL and early TLS from their environments. ‘Early TLS’ is TLS version 1.0 and in some cases 1.1 depending on where it’s used and how it’s implemented.
In recent years cybercrime has gone from an array of independent hackers to a global industrialized operation that utilizes collaboration, worldwide coordination and advanced criminal techniques to evade detection. One would expect this increased organization and sophistication would improve the speed at which “hackers hack.” And you would be correct: according to a recently released report, the time between an exploit announcement and the first attack is typically just 7.5 days, down from just under 10 days in 2008.
Your organization is likely already struggling with meeting internal and regulatory requirements for patch times. In addition, vulnerabilities and their risk to the organization are increasing each day, as hackers are now able to weaponize new vulnerabilities faster than ever.
At Infosecurity Europe today, Qualys announced it analyzed QualysGuard Policy Compliance (PC) data from more than five million scans performed by organizations worldwide to help enterprises understand key trends as they plan their compliance strategies.
Key trends include:
- A large number of devices scanned – more than half of the scan target – are out of support, showing that companies are depending on a large number of computer technologies, especially operating systems that are no longer supported by their manufacturers through standard support.
- Newer computer technologies have a higher rate of passing compliance, confirming the general trend of higher security for newer technologies also on the compliance side.
- Companies with more frequent compliance scans have a higher rate of passing scans. This trend confirms recent findings in the area of Continuous Monitoring, where organizations that monitor more frequently also show accelerated improvements.
- Passwords are high on controls lists. Thirteen out of the top 20 controls are password-related. At the same time, top failing controls are password related