This month’s Patch Tuesday is medium in size, with 47 vulns covered and only 7 labeled as Critical. Twenty-six of the vulns apply to Windows Servers and Workstation operating systems. Two of the Criticals apply to Hyper-V and could lead to RCE on the host system. Microsoft also issued and out-of-band patch in December for Internet Explorer 9 through 11 due to active attacks in the wild. Last week, Adobe also released out-of-band patches for Acrobat and Reader covering two Critical vulns.

Continue reading …

Capital One prides itself on staying at the forefront of IT innovations to give its business a competitive edge.

For example, it adopted Agile software-development methodologies years ago, and uses artificial intelligence and machine learning. It was the first bank to implement a mobile wallet with “contactless” NFC payments, and to offer voice-activated financial transactions using Amazon’s Alexa. When 2018 ends, Capital One expects 80% of its IT infrastructure to be cloud based, allowing it to go from seven to two data centers.

Given its tech transformation track record, it’s not surprising that Capital One has embraced DevSecOps, embedding automated security checks into its DevOps pipeline. This effort has dramatically accelerated the process of assessing vulnerabilities and mis-configurations in its virtual machine images and containers.

As a result, the code created in the DevOps pipeline is certified as secure and released to production without unnecessary delays. This allows Capital One — one of the United States’ 10 largest banks, based on deposits — to consistently boost its business across the board by quickly and continuously improving its web properties, mobile apps, online services and digital offerings.

“This has provided a huge benefit to the entire company,” said Emmanuel Enaohwo, Senior Manager for Vulnerability/Configuration Management at Capital One, a Fortune 500 company based in McLean, Virginia that offers a broad spectrum of financial products and services to consumers, small businesses and commercial clients.

Read on to learn how the bank has automated vulnerability and compliance checks in its CI/CD software pipeline, helped by Qualys.

Continue reading …

This month’s Patch Tuesday addresses 62 vulnerabilities, with 12 of them labeled as Critical. Out of the Criticals, 8 are for the Chakra Scripting Engine used by Microsoft Edge. A Remote Code Execution vulnerability in Windows Deployment Services’ TFTP server is also addressed in this release. Adobe also patched three Important vulnerabilities this month, although there is a PoC exploit available for Adobe Acrobat and Reader.

Continue reading …

Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.

Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”

“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”

For starters, there’s still considerable confusion about what threat hunting is. For example, it’s very common for many to equate it with reactive practices such as incident response. Rather, threat hunting is by definition proactive. It assumes that the organization’s prevention defenses have been bypassed, and the IT environment breached, without any alerts being triggered.

Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.

Continue reading …

In this month’s Patch Tuesday release there are 49 vulnerabilities patched with 12 Criticals. Out of the criticals, over half are browser-related, with the rest including Hyper-V and MSXML Parser.  Microsoft Exchange covers CVE-2010-3190 which was not identified as in-scope product when originally published, per Microsoft. Microsoft Office covers 9 Important CVEs including Sharepoint and Graphics component.

Continue reading …

In this month’s Patch Tuesday release there are 61 vulnerabilities patched with 17 Criticals. Out of the criticals, most are browser-related, with the rest including Windows, Hyper-V, and .net Framework. A vulnerability (CVE-2018-8475) in Windows’ image parsing has been publicly disclosed, in addition to a vulnerability (CVE-2018-8457) in the Scripting Engine.

Continue reading …

In this month’s Patch Tuesday release there are 63 vulnerabilities patched with 20 Criticals. Out of the criticals, over half are browser-related, with the rest including Windows, SQL, and Exchange. Active exploits have been detected against CVE-2018-8373, one of the scripting engine vulnerabilities.

Continue reading …

WannaCry rears its ugly head again. Reddit gets hacked, despite using two-factor authentication. A cryptojacking campaign targets carrier-grade routers. Here are some recent security industry news that have caught our attention.

WannaCry hits Taiwan Semi

The notorious WannaCry ransomware re-appeared recently, when Taiwan Semiconductor Manufacturing, a chip supplier to Apple and other smartphone makers, suffered an infection that dented its operations.

Specifically, the ransomware disrupted chip production to a point that will delay shipments and cut revenue in the third quarter, although no confidential data was compromised, the company said.

According to Sophos’ Naked Security blog, the chip maker, which is Taiwan’s largest company, blamed the incident on a careless supplier that installed software infected with a WannaCry variant on its network. “When the virus hit, it spread quickly, affecting production at semiconductor plants in Tainan, Hsinchu and Taichung,” Naked Security’s Lisa Vaas wrote.

Of course, WannaCry can be avoided altogether by patching vulnerable systems, as Ben Lovejoy reminds us in 9to5Mac.

That’s the major lesson from last year’s WannaCry global rampage, which infected 300,000-plus systems, disrupting critical operations globally. Long before WannaCry erupted in May of last year, organizations should have patched the vulnerability that the ransomware exploited. Now they’ve had more than a year to fix it.

Continue reading …

The digital transformation revolution waits for — and spares — no one. It forces all businesses to adopt tech innovations, like cloud, IoT and mobility, and to protect the resulting IT environments as they become hybrid, distributed and elastic.

With traditional network perimeters dissolved, securing digital transformation efforts gets more challenging by the day, especially for smaller organizations. That’s why Qualys is putting its Qualys Cloud Platform at the disposal of this underserved small-business market — for free.

With the new Qualys Community Edition, smaller organizations will now have access — at no charge — to the cloud-based security that many of the world’s largest companies rely upon to protect their global IT environments.

By tapping the robust, massively scalable Qualys Cloud Platform, they’ll be able to discover IT assets and their vulnerabilities, identify compliance gaps and get detailed, customizable reports.

The Qualys Community Edition is not only aimed at organizations that’ll use it internally. It’s also intended for smaller security practitioners that want to provide exceptional assessments to clients, outclass their competitors and boost revenues.

Continue reading …

When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. 

“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said. 

Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.

Read on to learn more.

Continue reading …