Qualys Blog

Destruction of service. Get acquainted with this newly-minted term, and with its acronym — DeOS. It’s a particularly disturbing type of cyber attack InfoSec teams may face regularly in the not too distant future.

That’s one of the main findings featured in the Cisco 2017 Midyear Cybersecurity Report, a comprehensive cyber security study the networking giant has been publishing for almost a decade.

Due to several troubling developments, including the expected popularization of DeOS attacks — intended to wreck breached IT systems — and the proliferation of IoT device use in DDoS attacks, this report blares a special alarm.

“We must raise our warning flag even higher,” reads the report, which is based on research and data from Cisco and several of its technology partners, including Qualys. “Our security experts are becoming increasingly concerned about the accelerating pace of change — and yes, sophistication — in the global cyber threat landscape.”
Continue reading …

If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.

On that day, the EU’s General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents’ data from accidental mishandling and foul play.

While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.

Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed.

Continue reading …

The EU’s GDPR (General Data Protection Regulation) demands that organizations stringently protect EU residents’ data they hold, share and process, which requires having solid InfoSec practices, including threat prioritization.

No, there is no specific mention of prioritization of vulnerability remediation in the regulation’s text. In fact, only a few InfoSec technologies and practices are mentioned by name.

What is stressed throughout the 88-page document is the call for both data “controllers” and data “processors” to protect this customer information by implementing “appropriate technical and organisational measures”, a phrase repeated multiple times.

Continue reading …

It didn’t have to happen.

That’s the simple yet profound lesson from WannaCry’s ransomware rampage that has infected 300,000-plus systems in more than 150 countries, disrupting critical operations across industries, including healthcare, government, transportation and finance.

If vulnerable systems had been patched and maintained as part of a proactive and comprehensive system configuration and vulnerability management program, the attack would have been a dud, barely registering on anyone’s InfoSec radar.

“WannaCry was totally preventable with the proper patching and the proper build configurations,” Mark Butler, Qualys’ Chief Information Security Officer (CISO), said during a webcast this week. “That’s a reminder to all of us that you didn’t have to be a victim.”

There are various workarounds for mitigating the underlying WannaCry vulnerability, but those are stopgap measures. “The primary way to remediate this vulnerability is through disciplined and timely patching,” Qualys Product Management Director Jimmy Graham said during the webcast, titled “How to Rapidly Identify Assets at Risk to WannaCry Ransomware.”

Continue reading …

The SANS Institute recently released its 2017 report on cybersecurity trends. We examined the report’s six threat trends in a recent blog post, as well as in a webcast with the report’s author, security analyst John Pescatore, and with Qualys Product Management Vice President Chris Carlson. Now, we’re providing you with a useful checklist to help put you in a better position to respond these trends, which are expected to continue to dominate this year.

Continue reading …

A major challenge for enterprise InfoSec teams is keeping their finger on the pulse of two constantly changing elements: external cyber threats and internal technology needs.

Staying a step ahead and proactively adjusting their organization’s security posture accordingly is a must in order to keep attack risks as low as possible. So what are the major shifts in threats and business technology use that CISOs and their staff face in 2017? And how should they respond to these changes?

You will find comprehensive answers to those and other critical InfoSec questions in a new SANS Institute whitepaper written by security analyst John Pescatore.

Continue reading …

Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case.

Throngs of databases in organizations worldwide are unsafe, at high risk of being breached by malicious hackers, rogue employees and crooked partners. This sorry state of database security puts financial data, customer information, health records, intellectual property treasures and more in grave danger.

Below we’ll discuss the two main causes for database security breakdowns — unpatched vulnerabilities and configuration errors — along with helpful tips for reducing the risk of database breaches.

Continue reading …

In the first installment of this blog series on automated asset inventorying, we met Max, the CISO of a large manufacturer whose InfoSec team lost full visibility of the company’s hardware and software.

Dangerous blind spots appeared progressively over time as Max’s company adopted more and more digital transformation technologies, such as cloud computing, mobility, IoT, and virtualization.

Eventually, Max and his team became alarmed at the inability of their legacy on-premises security products to account for the new cloud instances, virtualized environments, mobile endpoints and other assets outside of the traditional, tightly-controlled network perimeter.

They were concerned that this lack of visibility could lead to an increase in employee use of unapproved personal devices and unauthorized software, as well as to data breaches.

Continue reading …

With 2017 still in its infancy, plenty of time remains for InfoSec practitioners to make concrete strides toward better security and compliance in their organizations. That’s why to help you start off the year on the right foot, we’ve shared best practices, ideas and recommendations in our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series.

Continue reading …

As we continue our Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we zoom in on the all important area of compliance and risk monitoring, a key element of any comprehensive security program.

IT compliance and risk managers don’t have it easy. You face an increasingly complex regulatory landscape, constantly evolving industry standards and a technology environment that’s changing at a dizzying pace. It falls on your shoulders to make sure your organizations follow rules, regulations, laws, standards and practices in areas of IT across all business functions.

In this post, we’ll offer tips 5 – 7 on our list, to help you:

• Ensure internal and external IT compliance

• Assess procedural and technical controls among vendors to reduce the risk of doing business with them

• Comply with the Payment Card Industry Data Security Standard (PCI DSS)

Continue reading …