In this latest roundup of cyber security news, we look at serious Bluetooth chip-level bugs, a zero-day vulnerability on Cisco software, a raft of Apple security fixes, and a massive customer data breach at Cathay Pacific.

Enterprise Wi-Fi access points vulnerable to Bluetooth bug

A pair of critical Bluetooth bugs could make popular wireless access points used in many enterprises vulnerable to breaches.

The critical vulnerabilities reside in Bluetooth Low Energy (BLE) chips from Texas Instruments which are present in Wi-Fi access points from Cisco, Cisco Meraki and Aruba.

Dubbed Bleedingbit, the bugs were discovered by researchers from Armis and disclosed last week.

If exploited, the vulnerabilities could allow unauthenticated attackers to stealthily break into enterprise networks, take over access points, spread malware, and move laterally across network segments.

The first vulnerability affects TI BLE chips cc2640 and cc2650, used in Cisco and Cisco Meraki Wi-Fi access points. The second bug impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip cc2540 and its use of TI’s over-the-air firmware download (OAD) feature.

“These vulnerabilities are a sharp reminder that we need to ensure the security of the infrastructure we employ to support IoT devices is not undermined by those IoT devices or the protocols that support them,” Brian Honan, CEO at BH Consulting, told Help Net Security.

To exploit either vulnerability, an attacker would have to physically be within Bluetooth range of the targeted access point. TI, Cisco, Cisco Meraki and Aruba have all responded with patches, mitigations and information.

Continue reading …

Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.

The reason: A majority of companies missed the deadline, according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, so it’s very likely that millions are still working on GDPR compliance.

Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.

To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.

White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.

It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.

“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.

The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute for Standards and Technology’s (NIST) 800-53 controls.

“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.

Continue reading …

Most discussions about the EU’s General Data Protection Regulation (GDPR) have naturally focused on best practices for achieving compliance and avoiding penalties.  

With GDPR now a reality for all companies that store and process personal data of EU residents, an often overlooked aspect has been the overall business advantage of GDPR preparedness.

In this GDPR blog series’ last installment, Hariom Singh, Director of Policy Compliance at Qualys, delves into this topic.  Later, we round up major areas covered in previous posts, and summarize how Qualys can help with GDPR compliance.

Continue reading …

With organizations aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, protecting these environments is critical for complying with the EU’s General Data Protection Regulation (GDPR).

GDPR, which went into effect in May, imposes strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

Public cloud platforms are being used to power digital transformation initiatives across many business functions where EU residents’ personal data is likely to be stored, processed and shared.

Thus, organizations need complete visibility into their public clouds, and they must have a solid security and compliance posture in these environments that includes vulnerability management, asset inventory, web app scanning, DevSecOps pipeline protection, and IT configuration controls.

Continue reading …

With web and mobile apps becoming a preferred vector for data breaches, organizations must include application security in their plans for complying with the EU’s General Data Protection Regulation (GDPR.)

GDPR went into effect in May, imposing strict requirements on millions of businesses worldwide that control and process the personal data of EU residents.

While GDPR makes only a few, vague references to technology, it’s clear that, for compliance, infosec teams must demonstrate that their organizations are doing their best to prevent accidental or malicious misuse of EU residents’ personal data.

Thus, organizations must have a rock-solid security foundation for superior data breach prevention and detection, and web application security has to be a core component of it.

Continue reading …

In this blog series, we’re discussing solid security practices that are key for General Data Protection Regulation (GDPR) compliance, and today we’ll address another crucial one: Indication of compromise (IOC).

In a nutshell, IOC can help customers who are dealing with unauthorized access to customer personal data by an external threat actor or adversary.

This makes IOC particularly relevant to GDPR’s stringent requirements for providing integrity, control, accountability and protection of EU residents’ personal data.

Read on to learn why IOC is critical for complying with GDPR, which went into effect in May, and how Qualys can help you.

Continue reading …

In this latest post of our series on the EU’s General Data Protection Regulation, we’ll explain how file integrity monitoring (FIM) can be crucial in helping organizations comply with this severe regulation.

GDPR, which went into effect in May and applies to organizations worldwide that handle EU residents’ personal data, provides few details of specific security technologies and processes organizations should adopt.

However, it’s clear from the GDPR text that the regulators expect organizations to demonstrate that  they’re doing all they can to protect their EU customers’ personal data from malicious and accidental misuse. For InfoSec teams this means providing a rock-solid security foundation that gives their organizations superior data breach prevention and detection.

File integrity monitoring (FIM) specifically provides security controls in three key areas for GDPR:

• Ensuring integrity of data stored in filesystems
• Protecting confidentiality of data by detecting changes to filesystem access controls
• Detecting breaches 

Continue reading …

In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.

As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.

With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.

For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.

To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.

After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.

Continue reading …

Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

To provide the level of data protection required by the EU’s General Data Protection Regulation (GDPR), your organization must continuously detect vulnerabilities, and prioritize their remediation.

Why? An InfoSec team that’s chronically overwhelmed by its IT environment’s vulnerabilities and unable to pinpoint the critical ones that must be remediated immediately is at a high risk for data breaches, and, consequently, for GDPR non-compliance.

The Center for Internet Security (CIS) ranks “Continuous Vulnerability Assessment and Remediation” as the fourth most important practice in its 20 Critical Security Controls. “Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.

In fact, hackers constantly exploit common vulnerabilities and exposures (CVEs) for which patches have been available for weeks, months and even years. The reason: Many organizations fail to detect and remediate critical bugs on a timely basis, leaving them like low-hanging fruit for cyber data thieves to feast on.

In this second installment of our GDPR compliance blog series, we’ll explain the importance of vulnerability management and threat prioritization, and how Qualys can help you solidify these practices so you can slash your risk of data breaches.

Continue reading …