Is your security team struggling to decide which projects will slash risk the most without breaking the bank? If so, we believe your security leaders can end analysis paralysis by perusing Gartner’s “Top 10 Security Projects for 2019” report. As its title states, the report recommends ten security projects for 2019, and the projects selected are supported by technologies available today, address the changing needs of cybersecurity and support what Gartner calls a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach through risk prioritization.

Below we highlight five of the projects, provide Gartner’s take, offer our opinion, and explain how Qualys can help you implement them.

Continue reading …

This release of the Qualys Cloud Platform version 2.37 includes updates and new features for Security Assessment Questionnaire and Web Application Scanning, highlights as follows.

Continue reading …

This release of the Qualys Cloud Platform version 2.35 includes updates and new features for AssetView, Cloud Agent, Security Assessment Questionnaire, and Web Application Scanning, highlights as follows.  (Note: this post has been edited after publishing to remove the Rule-Based Method to Purge/Uninstall Cloud Assets and Cloud Agents, and Azure Cloud Connector, which will be available in a subsequent release.)

Continue reading …

This release of the Qualys Cloud Platform version 2.34.1 includes updates and new features for Cloud Agent & AWS EC2 Connector, AssetView, CloudView, and Security Assessment Questionnaire, highlights as follows.

Continue reading …

This release of the Qualys Cloud Platform version 2.34 includes updates and new features for Cloud Agent, EC2 Connector, Continuous Monitoring, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.

Continue reading …

In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.

As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.

With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.

For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.

To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.

After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.

Continue reading …

Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

With the EU’s General Data Protection Regulation (GDPR) going into effect in late May, organizations are hungry for clarifying information regarding its vaguely-worded requirements, in particular as they apply to cyber security and IT compliance. This interest in better understanding how to comply with GDPR was evident among participants of a recent Qualys webcast titled “The GDPR deadline readiness and impact to global organizations outside the EU.”

Here we’re providing an edited transcript of their questions and of the answers provided by webcast host and Qualys Director of Product Management Tim White. Darron Gibbard, Qualys’ Chief Technical Security Officer and Managing Director of the EMEA North region, contributed to some of the answers.

Are there any recommended frameworks for implementing controls and processes for information security that I could follow to ensure GDPR readiness?
There are a variety of different ways of implementing general security best practices. There are some specific recommendations and each member country is starting to post the requirements. The most advanced one is the U.K.’s ICO (Information Commissioner’s Office). They provided a lot more depth about what InfoSec requirements you should put in place, but even their recommendations are still very vague. This isn’t like PCI where they say you have to implement a change detection solution to monitor critical changes to configuration files, and you must monitor log files on a regular basis. GDPR doesn’t have prescriptive controls like that. GDPR indicates that you have to implement the controls that are appropriate for the level of risk and that you need to protect the data from breaches of confidentiality, integrity and availability. So they basically say: “Do a good job at security.”

Continue reading …

With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.

GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.

A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.

“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.

GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.

To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Unfortunately, many organizations are far from ready to comply with GDPR.

Continue reading …