With Black Hat USA 2019 less than a month away, we continue our blog series with weekly recommendations of training courses and research briefings to attend at the conference. Our pick this week: the research briefing Controlled Chaos: The Inevitable Marriage of DevOps & Security.

This 50-minute presentation focuses on the increasingly critical issue of securing DevOps, as this approach to agile and iterative software development and IT operations becomes the “business engine” for organizations.

Kelly Shortridge, Capsule8’s product strategy VP, and Nicole Forsgren, Google Cloud researcher and strategist, will explain the DevOps basics and the resilience and chaos engineering concepts. The speakers will address the importance of marrying DevOps and security, and the necessary shift away from security for its own sake to security as an enabler of business objectives.

Continue reading …

This new release of the Qualys Cloud Platform (VM, PC), version 8.20.1, includes support for new technologies and platforms, addition of new technology for Windows UDCs as well as an update in an existing option name (“Scan agent hosts in my target”) in the Launch Vulnerability Scan page.

Continue reading …

With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Continue reading …

This new release of the Qualys Cloud Platform (VM, PC), version 8.20, includes several new features in Qualys Cloud Platform and additional support for multiple technologies in Qualys Policy Compliance.

Continue reading …

This release of the Qualys Cloud Platform version 2.39 includes updates and new features for Out-of-Band Configuration Assessment (OCA), Vulnerability Management, and Web Application Scanning, highlights as follows.

Continue reading …

Last week, Qualys issued a security advisory for a vulnerability we discovered during a code review of Exim. This vulnerability can lead to Remote Command Injection, and is currently being actively attacked in the wild. This blog will show you how to quickly identify assets that are impacted by this vulnerability.

Continue reading …

This month’s Microsoft Patch Tuesday addresses 88 vulnerabilities with 21 of them labeled as Critical. Of the 21 Critical vulns, 17 are for scripting engines and browsers, and 3 are potential hypervisor escapes in Hyper-V. The remaining vulnerability is an RCE in the Microsoft Speech API. Microsoft also issued guidance on Bluetooth Low Energy FIDO keys, HoloLens, and Microsoft Exchange. Adobe issues patches today for Flash, ColdFusion, and Campaign.

Continue reading …

The rise of sophisticated attacks combined with the security-skills shortage have driven many organizations to go back to basics and review their processes for vulnerability and patch management. The approach is definitely a winning one, given that shrinking and managing the vulnerability surface makes it harder to target and compromise.

Assessing the attack surface requires strengthening key capabilities, such as increasing visibility across the IT landscape and improving the detection, prioritization and remediation of vulnerabilities at scale. Qualys has been boosting these capabilities for its customers over the last two decades.

Read on to learn how Qualys is addressing enterprises’ patch management challenges with integrated breach prevention that includes its new Patch Management cloud application.

Continue reading …

Is your security team struggling to decide which projects will slash risk the most without breaking the bank? If so, we believe your security leaders can end analysis paralysis by perusing Gartner’s “Top 10 Security Projects for 2019” report. As its title states, the report recommends ten security projects for 2019, and the projects selected are supported by technologies available today, address the changing needs of cybersecurity and support what Gartner calls a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach through risk prioritization.

Below we highlight five of the projects, provide Gartner’s take, offer our opinion, and explain how Qualys can help you implement them.

Continue reading …

This month’s Microsoft Patch Tuesday included a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) in Remote Desktop that impacts Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system. It is very likely that PoC code will be published soon, and this may result in a WannaCry-style attack.

Microsoft has not only released patches for Windows 7, Server 2008 & R2, but also has taken the extra step to issue patches for Windows XP and Server 2003. Patch now!

UPDATE: Network Level Authentication (NLA) partially mitigates this vulnerability. QID 90788 (Microsoft Windows Network Level Authentication Disabled) can be used to find hosts that have NLA disabled. This forces the attacker to have valid credentials in order to perform RCE.

UPDATE: A new remote (unauthenticated) check was released under QID 91541. See below for details.

Continue reading …