End users and their devices are right smack in the center of the battle between enterprise InfoSec teams and malicious hackers, and it’s not hard to see why.

When compromised, connected endpoints — desktops, laptops, smartphones, tablets — offer intruders major entry points into corporate networks. However, end users are also their organizations’ best threat detection tools.

That’s a key takeaway from SANS Institute’s “2017 Threat Landscape Survey: Users on the Front Line,” a report published in August and co-sponsored by Qualys.

The study, conducted in May and June, polled 263 IT and InfoSec pros from companies of all sizes and major industries such as finance, government, technology and education.

It found that most of the top intrusion methods reported by respondents sought to directly or indirectly compromise end users or their devices. Hackers’ preferred threat vectors included:

• Email attachment or link (flagged by 74 percent of respondents)
• Web-based drive by or download (48 percent)
• App vulnerabilities on endpoints (30 percent)
• Web server / web app vulnerabilities (26 percent)
• Removable storage devices (26 percent)

Continue reading …

After speaking at Qualys’ recent webinar  “Aligning Web Application Security with DevOps and IoT Trends,” Forrester’s Amy DeMartine granted us this Q&A, where she revisits and offers keen insights on issues including IoT security challenges and DevOps’ benefits for secure app dev. DeMartine, a Principal Analyst focused on security and risk professionals, also discusses “red teaming” for cloud products, and identifies signs you need a new automated security analysis tool.

Continue reading …

First the bad news: Internet of Things (IoT) systems have created immense security holes. Now the good news: The problem can be fixed fairly easily.

That was the message from Jason Kent, Qualys’ Vice President of Web Application Security, during his recent webcast, “Aligning Web Application Security with DevOps and IoT Trends.”

“IoT doesn’t have to be scary. We have the knowledge on how to solve all these application security problems,” Kent said. “We just need to put focus on it.”

The effort to create awareness and shine a light on the issue of IoT security must be shared by IoT system manufacturers, application developers, and customers, including both businesses and consumers.

Continue reading …

Enterprises are having a challenging time securing their data and systems. But it doesn’t have to be that way. We recently reached out to Tyler Shields, principal analyst at Forrester to discuss his presentation at Qualys Security Conference 2015, and what it means to be able to secure enterprises at “cloud scale.” And what it’s going to take for enterprises to succeed in security in the years ahead.

Continue reading …

There’s a connected device tsunami coming. Everything from light bulbs to refrigerators to cars to industrial control systems are increasingly becoming Internet connected. Many are under the impression that this “Internet of Things” is primarily a consumer security and privacy issue. Turns out, it’s not. But what precisely will the Internet of Things mean to enterprise security managers and CISOs and how they protect their organization’s infrastructure and information?

Continue reading …

Black Hat USA 2014 is one of the most widely attended security conferences of the year and this year there were a number of interesting briefings on a variety of topics such as automotive attack surfaces, POS malware, cloudbots and more. Qualys presented two pieces of research surrounding TSA vulnerabilities as well as hacking physical devices such as keyless cars and home alarm systems.

Continue reading …