Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply with GDPR was evident among participants of a recent Qualys webcast titled “The GDPR deadline readiness and impact to global organizations outside the EU.”

Here we’re providing an edited transcript of their questions and of the answers provided by webcast host and Qualys Director of Product Management Tim White. Darron Gibbard, Qualys’ Chief Technical Security Officer and Managing Director of the EMEA North region, contributed to some of the answers.

Are there any recommended frameworks for implementing controls and processes for information security that I could follow to ensure GDPR readiness?
There are a variety of different ways of implementing general security best practices. There are some specific recommendations and each member country is starting to post the requirements. The most advanced one is the U.K.’s ICO (Information Commissioner’s Office). They provided a lot more depth about what InfoSec requirements you should put in place, but even their recommendations are still very vague. This isn’t like PCI where they say you have to implement a change detection solution to monitor critical changes to configuration files, and you must monitor log files on a regular basis. GDPR doesn’t have prescriptive controls like that. GDPR indicates that you have to implement the controls that are appropriate for the level of risk and that you need to protect the data from breaches of confidentiality, integrity and availability. So they basically say: “Do a good job at security.”

Continue reading …

With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.

GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.

A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.

“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.

GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.

To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Unfortunately, many organizations are far from ready to comply with GDPR.

Continue reading …

Most successful cyber attacks exploit known vulnerabilities for which patches are available, or take advantage of weak configuration settings that could have been easily hardened. You can significantly lower the risk of being victimized by this type of common, preventable attack by adopting the Center for Internet Security’s Critical Security Controls (CSCs).

This set of 20 structured InfoSec best practices offers a methodical and sensible plan for securing your IT environment, and maps to most security control frameworks, government regulations, contractual obligations and industry mandates.

The CSCs were first developed in 2008 and are periodically updated by a global community of volunteer cybersecurity experts from government, academia and industry. “The CIS Controls provide a prioritized approach to cyber security, starting with the most essential tasks and progressing to more sophisticated techniques,” Tony Sager, CIS Chief Evangelist, wrote recently.

In this blog series, we’re explaining how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.

Continue reading …

Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.

In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personal data.

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …

Third-party security assessments drastically reduce your organization’s risk of suffering a data breach. When carried out properly, these assessments identify poor InfoSec and privacy practices among your vendors, partners, contractors, and other third parties with access to your IT systems and data. Unfortunately, many businesses conduct these assessments manually, using email and spreadsheets, which makes them labor-intensive, slow and imprecise. This manual approach strains InfoSec teams and creates a backlog of security evaluations.

In a recent webcast, “Streamlining Third Party Risk Assessments in the Cloud,” a Qualys customer discussed how his organization tackled this challenge in a way that improved productivity, efficiency, visibility, and risk analysis. Below are the answers to the questions asked by participants during the Q&A portion of the presentation, provided by speakers Jonathan Osmolski, Manager of Enterprise Records and Information Governance at Pekin Insurance, and Hariom Singh, Director of Product Management for Qualys Security Assessment Questionnaire (SAQ).

Continue reading …

As your organization enthusiastically adopts cloud and mobile services from multiple new vendors, are your already-busy security and compliance teams scrambling to assess the risks of using these new providers’ products?

Are you still using a manual process for conducting these vendor evaluations, even though you’re being asked to do more of them, and to complete them more quickly?

This is an increasingly common scenario in enterprises globally, and it creates a challenge for InfoSec teams: How to do more vendor risk assessments, and faster, so that business units can deploy these new cloud and mobile services quickly and gain the desired competitive edge?

Pekin Insurance, a provider of life, business, auto, home and health coverage, found itself in this position last year: Using a manual process that taxed its InfoSec team members and didn’t scale.

Continue reading …

This release of the Qualys Cloud Platform version 2.28 includes updates and new features for Cloud Agent, AssetView, ThreatPROTECT, Security Assessment Questionnaire and Web Application Scanning, highlights as follows:

Continue reading …

First discussed in the 1990s and turned into law last year, the EU’s General Data Protection Regulation (GDPR) finally goes into effect in May 2018, imposing strict requirements on millions of businesses and subjecting violators to severe penalties.

The complex regulation is of concern not just to European businesses. It applies to any organization worldwide that controls and processes the data of EU citizens, whose privacy the GDPR is meant to protect.

A recent PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% of them planning to spend $1 million or more on GDPR readiness and compliance.

“The GDPR is putting data protection practices at the forefront of business agendas worldwide,” Steve Durbin, Information Security Forum’s managing director, wrote recently.

In other words, it’s crunch time for companies that fall within the GDPR’s broad scope and that haven’t completed their preparations to comply with this regulation. Gartner estimates that about half of organizations subject to the GDPR will be non-compliant by the end of 2018. You don’t want to be in this group of laggards.

Continue reading …