Qualys Blog

www.qualys.com
287 posts

Meltdown and Spectre Aren’t Business as Usual

The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.

“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.

As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.

“It’s not a simple [process] of just install a patch and you’re done,” he said.

Continue reading …

Meltdown / Spectre Mitigation Is a Work in Progress

Since researchers disclosed the Meltdown and Spectre vulnerabilities on Jan. 3, vendors and IT departments have been consumed trying to figure out how to properly address the potentially devastating effects of these kernel-level bugs.Meltdown Spectre Mitigation is a Work in Progress

By now, one thing we know for sure is that dealing with the vulnerabilities is a moving target. This situation is compounded by the fact that they have broad implications and that every day seems to bring new, relevant information that must be factored into ongoing mitigation efforts.

Thus, it’s important to stay on top of the latest developments, so we’re providing a snapshot of what we know to date, how Qualys can help and and what InfoSec teams can do. We’re also tracking a list of Qualys resources.

Continue reading …

Continuous Security & Compliance Webcast Series

This webcast series shows you how to effectively navigate security risks, new regulations and new technologies in support of a secure and compliant digital transformation. Qualys product managers walk you through the new features of Qualys Cloud Platform and Apps and show you how to get maximum leverage across eight critical areas.

Continue reading …

Qualys Policy Compliance Notification: Policy Library Update

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from vendors such as Microsoft and VMware.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library every month.

This release includes the following new policies and updates:

  • New CIS policies for Internet Explorer and Chrome on Windows, Apache Tomcat, RHEL, Windows 10, Sybase ASE, and MongoDB
  • New DISA STIG policies for Internet Explorer 10 and 11
  • New Best Practice & Mandate Policies for SAP ASE 16 and HiTRUST CSF on Linux
  • Several updates to existing library policies

Continue reading …

PCI DSS v3.2 & Private IP Address Disclosure

Private IP addresses disclosure such as QID 86247 “Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability” will be marked as a Fail for PCI as of February 1, 2018 in accordance with PCI DSS v3.2.

Continue reading …

Visualizing Spectre/Meltdown Impact and Remediation Progress

In order to determine the impact of Spectre/Meltdown and track remediation progress across your entire environment, it is important to visualize vulnerability detections in a dynamic dashboard. For more information on Spectre and Meltdown, please see our previous blog.

Using Qualys AssetView, we have created a dashboard with preloaded widgets that can help track remediation progress as you patch against Spectre and Meltdown. These widgets were built with out-of-the-box functionality, and can be imported into any Qualys subscription.

Continue reading …

Qualys Cloud Platform 2.31 New Features

This release of the Qualys Cloud Platform version 2.31 includes updates and new features for AssetView, Cloud Agent, EC2 Connector, Web Application Scanning, Web Application Firewall, and Security Assessment Questionnaire, highlights as follows.

Continue reading …

Cloud Security Improves, But Much Work Still Remains to Be Done

As cloud computing adoption accelerates among businesses, InfoSec teams are struggling to fully protect cloud workloads due to a lack of visibility into these environments, and to hackers’ increasingly effective attacks.

That’s the main finding from SANS Institute’s “Cloud Security: Defense in Detail if Not in Depth” report, which surveyed IT and security pros from organizations of all sizes representing many industries.

“We’re seeing more organizations moving to the cloud. They’re definitely moving quickly. And security teams aren’t wholly comfortable with the way cloud providers are giving us details about what’s going on in the environments,” report author Dave Shackleford, a SANS Institute analyst and instructor, said during a webcast to discuss the study findings.

Continue reading …

Implementing the CIS 20 Critical Security Controls: Make Your InfoSec Foundation Rock Solid

For almost 10 years, thousands of organizations eager to solidify their security and compliance foundations have found clarity and direction in the the Center for Internet Security’s Critical Security Controls (CSCs).

This structured set of 20 foundational InfoSec best practices, first published in 2008, offers a methodical and prioritized approach for securing your IT environment. Mapping effectively to most security control frameworks, government regulations, contractual obligations and industry mandates, the CSCs can cut an organization’s risk of cyber attacks by over 90%, according to the CIS.

Continue reading …

Implementing the CIS 20 Critical Security Controls: Delving into More Sophisticated Techniques

Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.

These three companies — a German pharmaceutical contract manufacturer, an IT services provider in Bangladesh and a large telecom in Belgium — all found the InfoSec clarity and guidance they needed in the Center for Internet Security’s Critical Security Controls (CSCs).

They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.

Continue reading …