Qualys Blog


SSL: Deceptively Simple, Yet Hard to Implement

An Interview with SSL Expert and SSL Labs Founder Ivan Ristić

Even though SSL/TLS is critical for the privacy, integrity, and security of internet communications, the protocol is implemented in an optimal way in only a small percentage of web servers, meaning that most websites and web apps aren’t as secure as they could be.

It doesn’t have to be that way, which is why Ivan Ristić, a security researcher, engineer, and author known for his expertise on various aspects of InfoSec, has spent years contributing to the field of SSL/TLS.

He launched SSLLabs.com in 2009 to provide SSL/TLS tools, research and documentation, brought it with him when he joined Qualys in 2010, and ran it until mid-2016, when he became an advisor. Under his leadership, SSLLabs.com became a de-facto standard for secure server assessment and the go-to site for organizations looking for help improving their SSL/TLS configurations.

Ristić also wrote an entire book about the topic titled “Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications.” We recently had a chance to catch up with Ivan and pick his brain about SSL/TLS challenges, best practices and trends. Here’s what he told us.


How to Avoid Account Lockouts When Scanning Web Applications

Organizations that use automated scanners to test the security of their web apps must watch out for instances where these tools may trigger user account lockouts inadvertently. Here we explain why this occurs and offer some tips for how to prevent this from happening with Qualys Web Application Scanning (WAS).


Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim’s browser into executing malicious requests designed by the attacker. A successful CSRF attack can force the victim’s browser to perform state-changing requests like transferring funds or changing the victim’s email address. Clearly these are attacks that need to be prevented.


Qualys Wins Best Security Company at SC Magazine Awards

Qualys is proud to announce that it was named Best Security Company earlier this week at the 2014 SC Magazine Awards. The awards acknowledge companies with superior security products that help customers tackle today’s most pressing information-technology (IT) challenges. The announcement was made on February 25, 2014 at the 17th annual SC Awards U.S. Gala in San Francisco, in conjunction with the annual RSA Conference. The criteria for the judging included: product line strength, customer base, customer service/support, research and development, and innovation.

“The SC Awards are the security industry’s most prestigious accolade, bestowed only to the most impressive companies in the security industry,” said Illena Armstrong, VP of editorial, SC Magazine. “Qualys can be very proud of this achievement and the many long hours of dedicated service that it represents.”

“We are honored to be named the Best Security Company by SC Magazine,” said Philippe Courtot, chairman and CEO, Qualys. “We share this honor with our customers and partners, who throughout the years, have been our guiding force to continue improving our existing cloud-based security and compliance solutions and design new innovative ones.”

Qualys also won the SC Award for Best Security Company in 2011. Read the full news release.

Qualys Named a Finalist in Five 2014 SC Magazine Awards

Qualys today announced that it has been named a 2014 SC Awards U.S. finalist for outstanding leadership and achievement in information security in five categories. Qualys was named a finalist for Best Security Company and for Best Customer Service. QualysGuard Vulnerability Management (VM) was named a finalist in the Reader’s Trust Award for Best Vulnerability Management Solution, and Qualys’ solutions were also recognized in two Excellence Awards: QualysGuard Express for Best SME Security Solution and QualysGuard Policy Compliance (PC) for Best Regulatory Compliance Solution.

“We are honored to be recognized in these five categories that highlight the strength of our company vision, our solutions, and our world-class customer service,” said Philippe Courtot, chairman and CEO of Qualys. “We’d like to thank the SC Magazine judging panels along with our customers and partners for their support.”


RSA, Oracle Tools Help Businesses Manage Qualys Vulnerability Data

LAS VEGAS — At a reception late last week at Qualys Security Conference 2013, I talked to a Qualys customer who said Qualys does a great job at vulnerability scanning, in fact, too great of a job in the opinion of some of his IT staff. As QualysGuard identifies vulnerabilities, you must triage the problems to fix them.

We all know that what you don’t know can definitely hurt you when it comes to computer security. With QualysGuard data in hand, it is important to determine: Which issues are the most important? What can be done to remediate them effectively and efficiently? The answers to these questions depend on the customer’s specific networks and operations, which only the customer can truly understand.

QualysGuard is integrated with tools that can help customers prioritize their remediation steps. Corey Bodzin, solution manager for RSA, gave an overview of RSA’s Archer Risk Management solution, which helps organizations assess and resolve risks identified by Qualys. Marlene Veum, director of security for product development IT at Oracle, talked about how organizations can find the “actionable needle in the compliance haystack” by using Oracle Application Express.

With Archer, IT admins can pull the technical data into one place, set up a workflow and rules, prioritize issues and measure outcomes to make the best business decisions possible. Maybe a proof-of-concept that has been ignored should now be paid attention to because it’s being used in active watering hole attacks targeting the customer’s industry. “Something has changed that makes me want to respond differently,” Bodzin said in this scenario. “Archer sees that it’s flagged and that it’s part of the PCI data world… Now I’ve got to go in and ask people what are you going to do and address this change.” Archer can also help admins measure the results, finding out the average remediation time, for instance. “If an issue is 45 days old but it took 28 days to make a decision, then we need to fix it,” Bodzin said. The outcomes can be published in Archer dashboards and viewed by executives as a part of the company’s overall IT, operational and financial risk. “Qualys grabs the technical bits and Archer helps grab the human bits,… and make good business decisions in a timely fashion,” he said.

Meanwhile, Oracle’s system helps companies pull data from other sources within the company to put the Qualys data into context. Qualys “is so good at collecting information that that’s the challenge — how do you deal with it?” Veum said. By pulling in asset, system and network information, and establishing a baseline, an organization can better understand its environment. It’s important to “have the ability to see we have a problem and to share the information with people who can act on it,” she said. Oracle Application Express, a free HTML-based tool that works with Oracle Database, has an executive dashboard that lets executives see consolidated scans broken down by line of business, viewable by project status, scan summary and categories such as vulnerability type.

Having data on vulnerabilities is just one part of managing risk; you need to know enough about your network to decide how to act on the information. These tools in the Qualys ecosystem can help organizations get the most out of their vulnerability data.

DHS Director Streufert: Continuous Monitoring Stops Attacks, Saves Money

LAS VEGAS — When John Streufert was CISO at the U.S. State Department he saw that the agency was losing a lot of money and wasting a lot of employee time trying to defend against cyber attacks. And despite all the audits and reports, the defense wasn’t working – the bad guys were getting in and stealing data.


So, he undertook a move to continuous monitoring of the network that was able to reduce as much as 90% of the security risk, he said in a keynote at the Qualys Security Conference 2013 today. Specifically, they were able to identify the worst problems in minutes rather than years, to fix the worst problems in days as opposed to months, and to get costs down to about $200 million compared to $600 million per year.

Now, Streufert is bringing that same game plan to the Department of Homeland Security, where he is director of federal network resilience. “We are in the process of making a shift in the federal government as to how we handle our security challenges,” he said. “Continuous Diagnostics and Mitigation can stop 85% of cyber related attacks” and report on attacks in near real time, as well as enable system administrators to respond to exploits much faster.

The system can help the agency avoid being low-hanging fruit. According to CSIS and Verizon reports: 75% of attacks use known vulnerabilities that could be patched; more than 90% of successful attacks require only the most basic techniques; and 96% of them could be avoided if there had been simple or intermediate controls in place.

At the State Department the statistics of the environment before the changes made for a strong economic case, Streufert said:

  • Every three days there were trillions of security events; millions of attempted attacks; thousands of new flaws introduced; and hundreds of successful attacks.
  • Every three months there were over 10,000 successful attacks; terabytes of data stolen; 7,200 reports written; and hundreds of labor hours wasted.
  • Every three years there were thousands of assessments and other reports written, each requiring 3-9 months to prepare and out of date the moment they were printed; and the data provided only a snapshot in time versus real-time identification and mitigation of problems.

These manual processes, reports and audits cost between $600 million and $1.9 billion a year, or $1,400 per page, and result in the equivalent of 438 feet of paperwork. They also consume as much as 65% of the overall IT security effort in the agencies involved, according to Streufert.

He was asked to go to DHS to work on moving the agency from a cybersecurity defense strategy modeled on process and compliance to one focused on continuous diagnostics and mitigation. The first phase will be completed this year, the second phase next year and the final phase in 2015. The cost will be about $600 million over three years.

Update: See the attached data sheet describing the US Department of Homeland Security Continuous Diagnostics and Mitigation Program.

Attachments

Continuous Diagnostics and Mitigation Program (175.4 K)

Java Security Is Getting Better

Java security has been in the spotlight this year, first because of hackers’ frequent use of Java applets to get onto end-user systems (Microsoft reported in 2013 that over 30% of all web-based attacks make use of Java applets). Also, there are concerns about the end-of-life of Java 6, whose public version is now frozen at Java 6u45 from April 2013. Most recently, security researchers at F-Secure reported on the discovery of the first public exploits against vulnerabilities (CVE-2013-2463 and CVE-2013-2470) present in Java 6u45, which remain unfixed due to its end-of-life status.


Oracle delays Java 8 to fix security issues

Oracle got it right when it delayed a brand new release of Java 8 and redirected its engineering effort to fixing security issues in the current version of Java. It underscores Oracle’s acknowledgement of the seriousness of Java security flaws and its resolve to fix those issues. Java 8 was scheduled to be released in the September 2013 time frame with many new features, including support for programming in a multicore environment. This decision should make sure that Java 8 will not only include all security fixes of Java 7, but also will go through a thorough security testing cycle. You can find comments from Java platform group’s chief architect Mark Reinhold here.

In my opinion, the delay in release of Java 8 is worth the wait.

For an overview of recent Java 0-day vulnerabilities please see our Java coverage below:

New 0-day for Oracle Java – Update 2

Oracle updates the Java February 2013 CPU

Oracle releases early CPU for Java 7

New Java 0-day vulnerability – Update 3

Oracle CPU October 2012 – Update

Focus on the Threat: Browser Attacks

Yesterday Microsoft published edition 14 of the Security Intelligence Report (SIR). The report distills data from Microsoft’s security systems: those included in Windows, such as the Malicious Software Removal Tool (MSRT), Security Essentials, Defender and SmartScreen, as well as Bing, Hotmail and its enterprise endpoint protection suites.

All of the data is interesting, but two charts in particular are of importance because they give useful insight into the modern threat and security landscape. The first chart shows the most prevalent attack vectors and gives organizations a roadmap indicating where to focus their defensive efforts:

Fig 1: Threat Prevalence from Microsoft SIRv14
