A scary Bluetooth bug. A crippling ransomware attack. A cyber threat to the U.S. electrical grid. A data leak of trade secrets from major car makers such as Tesla and GM. These were some of the security industry news that caught our eye last week.

Bluetooth vulnerability rattles vendors, end users

The disclosure of a major flaw in Bluetooth last week has sent vendors of all shapes and sizes scrambling to patch their products, including cell phones and computers.

The bug, found by researchers at the Israel Institute of Technology, affects the elliptic curve Diffie-Hellman key exchange mechanism employed by Bluetooth. “The authentication provided by the Bluetooth pairing protocols is insufficient,” they wrote.

The CERT advisory explains that an unauthenticated, remote attacker within range could use a “man-in-the-middle” network position to find out the cryptographic keys used by the device. “The attacker can then intercept and decrypt and/or forge and inject device messages,” it reads.

Continue reading …

In prior installments of this GDPR compliance blog series, we’ve discussed the importance of key security practices such as IT asset inventory and vulnerability management. Today, we’ll focus on another core component for GDPR: policy compliance.

As we’ve stated before, to comply with the EU’s General Data Protection Regulation (GDPR), organizations must show they’re doing all they can to protect their EU customers’ personal data. Thus, InfoSec teams must provide a rock-solid security foundation that gives organizations superior data breach prevention and detection.

With a strong IT policy compliance program, organizations can deploy and manage their IT environment according to applicable government regulations, industry standards and internal requirements.

For organizations, it’s critical to establish a lifecycle for managing assets and controls to protect the data they contain. One must continuously: identify IT assets and scope, define control objectives, automate control assessment, prioritize fixes, and ultimately remediate the security configuration problems.

To be effective, this entire process must be trackable by auditors and must maintain the proper reports and dashboards necessary to drive continuous improvement. Organizations must have this knowledge not only to properly protect their EU customers’ personal data — the regulation’s core goal — but also to comply with other GDPR requirements.

After gaining complete visibility into their IT assets, organizations can create data maps and decide which technical controls it needs to secure EU residents’ personal data in a way that meets GDPR’s considerable expectations and strict requirements.

Continue reading …

Organizations must manage risk from third parties such as contractors and suppliers, and from internal staffers and teams, as part of their compliance program for the EU’s General Data Protection Regulation (GDPR).

The need to manage vendor risk in particular is stressed repeatedly throughout the text of the GDPR, a strict and broad regulation which went into effect last week. GDPR applies to any organization worldwide that controls and processes personal data of EU residents, whose security and privacy the regulation is designed to defend.

In GDPR lingo, “data controllers” must vet the “data processors” they share EU customer information with, and assume joint responsibility for what happens to it. So your organization is liable if one of your third parties gets breached for failing to adhere to GDPR requirements and your EU customers’ personal data gets compromised.

GDPR states that controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures” and stresses that controllers must detail in contracts how their processors will handle customer data.

In this third installment of our GDPR compliance blog series, we’ll explain the importance of  carefully and continuously assessing the GDPR compliance levels of your third parties and internal staff. We’ll also explain how Qualys can help you beef up these foundational security practices so you can shrink your risk of data breaches that could put your organization on the wrong side of GDPR.

Continue reading …

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

In this edition of Qualys’ infosec news digest, we look at Orbitz’s data breach, AMD’s vulnerabilities controversy, and recent actions by the U.S. government against alleged Russian and Iranian cyber spies.

Orbitz was (kinda, sorta, maybe) hacked

Orbitz disclosed last week that personal information linked to almost 900,000 payment cards may have been compromised, after it detected a “data security incident” in which “there was likely unauthorized access” to customer data.

The customer data at risk includes payment card details, full names, dates of birth, phone numbers and e-mail and home addresses.

Orbitz doesn’t think that passport numbers nor travel itineraries were compromised. It doesn’t collect Social Security numbers. Orbitz, which is owned by Expedia, isn’t sure if data was stolen, but a privacy rights experts recommends that customers not rest easy.

“I think consumers should assume that their personal information has been compromised even though they may not have been notified. There have been so many data breaches that you just can’t assume that you haven’t been affected,” Beth Givens, executive director of the Privacy Rights Clearinghouse, told Consumer Reports.

Continue reading …

With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.

GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.

A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.

“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.

GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.

To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Unfortunately, many organizations are far from ready to comply with GDPR.

Continue reading …

It’s been a busy week in InfoSec land, as Intel released a new Spectre patch, iOS source code was leaked online, and a zero-day Flash bug got exploited in the wild.

Also making noise these past few days: A major security hole in the Grammarly web app, WordPress updates tripping over each other, and a data breach at a Swiss telecom company.

As has been the case these past few weeks, we’ll lead off with the latest on Meltdown and Spectre, the hardware vulnerabilities whose disclosure on Jan. 3 sent shockwaves through the IT industry due to their scope and severity, and which are expected to remain an issue for years.

Continue reading …

Most successful cyber attacks exploit known vulnerabilities for which patches are available, or take advantage of weak configuration settings that could have been easily hardened. You can significantly lower the risk of being victimized by this type of common, preventable attack by adopting the Center for Internet Security’s Critical Security Controls (CSCs).

This set of 20 structured InfoSec best practices offers a methodical and sensible plan for securing your IT environment, and maps to most security control frameworks, government regulations, contractual obligations and industry mandates.

The CSCs were first developed in 2008 and are periodically updated by a global community of volunteer cybersecurity experts from government, academia and industry. “The CIS Controls provide a prioritized approach to cyber security, starting with the most essential tasks and progressing to more sophisticated techniques,” Tony Sager, CIS Chief Evangelist, wrote recently.

In this blog series, we’re explaining how Qualys Cloud Platform — a single, integrated, end-to-end platform for discovery, prevention, detection, and response — and its Qualys Cloud Apps can help security teams of any size to broadly and comprehensively adopt the CIS controls.

Continue reading …

Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore did a deep dive into the Center for Internet Security’s Critical Security Controls during a recent webcast, and answered questions from audience members about these 20 foundational security practices, and about the importance of maintaining basic security hygiene.

In this blog post, we’re providing edited transcripts of their answers to all the questions, including those that they didn’t have time to address during the one-hour webcast, which was titled “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.” We hope you find their explanations insightful and useful.

In addition, if you didn’t catch the webcast live, we invite you to listen to the CIS controls webcast recording. We also encourage you to download a copy of a highly detailed guide that maps the CIS controls and sub-controls directly to specific features in Qualys apps.

Continue reading …

To comply with GDPR, organizations typically must overhaul and update a number of internal processes and systems, but they can’t ignore a critical area: risk from vendors and other third parties such as contractors, partners, suppliers and service providers.

It’s a point that’s stressed repeatedly throughout the 88-page text of the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018 and requires that organizations worldwide properly identify, track and protect their EU customers’ personal data.

In GDPR lingo, “data controllers” must vet the “data processors” they share this customer information with, and assume joint responsibility for what happens to it. In other words, you’re liable if one of your third parties gets breached for failing to adhere to GDPR requirements and as a result your customers’ personal data gets compromised.

Continue reading …