Back to qualys.com
313 posts

The Sky Is Falling! Responding Rationally to Headline Vulnerabilities

It’s happening more and more.

Gill Langston, a Qualys Director of Product Management, speaks at RSA Conference 2018

High profile vulnerabilities like Meltdown and Spectre are disclosed, and become headline-grabbing news not just in the technology press, but on general news outlets worldwide.

Even if the vulnerabilities aren’t associated with an attack, the news reports rattle C-level executives, who ask the security team for a plan to address the by now notorious bug, and pronto.

Often, a counter-productive disruption of the normal vulnerability and patch management operations ensues, as those involved scramble to draft a response against the clock in a panic atmosphere, punctuated by confusion and finger-pointing.

“Should I just immediately be jumping and reacting? Should I start deploying patches, and then go from there? I’m going to argue that that’s not always the case,” Gill Langston, a Product Management Director at Qualys, said Wednesday during a presentation at RSA Conference 2018.

Continue reading …

Qualys: Cloud Security Must Move Towards ‘Transparent Orchestration’

What does the “My Little Pony” television series and cyber security have in common? Ask Qualys Chief Product Officer Sumedh Thakar.

Whenever his 7-year old daughter wanted to see an episode of this show, the process involved multiple steps: Turning on the smart TV, scrolling through the app menu, picking Netflix, searching for “My Little Pony,” navigating the seasons and list of episodes, and finally clicking on the one she wanted to watch.

Sumedh Thakar, Qualys’ Chief Product Officer, speaks at the Cloud Security Alliance (CSA) Summit during RSA Conference 2018.

But that process became a thing of the past at Thakar’s house after he got a Google Home smart speaker and home assistant, and linked it up with his smart TV.  Now all his daughter needs to do is tell Google Home to play her favorite show on the living room TV, and all the steps are carried out in an automated, seamless way, without anyone even having to grab the TV remote control.

“That’s transparent,” Thakar said on Monday during his keynote speech at the Cloud Security Alliance (CSA) Summit being held at the RSA Conference in San Francisco.

Continue reading …

Indication of Compromise: Another Key Practice for GDPR Compliance

In this ongoing blog series on preparing for complying with the EU’s General Data Protection Regulation (GDPR), we’ve explained the importance of having solid, foundational security practices like asset management and threat prioritization. Today, we’ll discuss how another such practice can help organizations stay on the right side of GDPR: Indication of Compromise (IOC).

In a nutshell, IOC can help customers who are dealing with unauthorized access to customer personal data by an external threat actor or adversary. This makes IOC particularly relevant to GDPR’s stringent requirements for data integrity, control, accountability and protection.

To comply with GDPR, which goes into effect on May 25, companies worldwide — not just in the EU — must know what personal data of EU residents they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Continue reading …

Vendor Risk Bites Sears, Delta and Best Buy, while Saks, Lord & Taylor Deal With Breach

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, compromising an undetermined number of their customers’ payment card data.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

Continue reading …

Put FIM in Your GDPR Toolbox

File integrity monitoring, like other foundational security practices such as vulnerability management, helps organizations comply with the EU’s General Data Protection Regulation (GDPR). FIM specifically provides security controls in three key areas for GDPR:

  • Ensuring integrity of data stored in filesystems
  • Protecting confidentiality of data by detecting changes to filesystem access controls
  • Detecting breaches  

Qualys File Integrity Monitoring’s ability to quickly detect changes in all of these cases makes it a critical tool that helps you meet general security requirements of GDPR. This regulation goes into effect in late May and applies to any organization worldwide that handles personal data of EU residents.

What is FIM, anyway?

File integrity monitoring systems can help you to promptly detect a variety of changes stemming from normal IT activities, compliance and change control violations, or malicious acts such as malware attacks and configuration tampering.  FIM systems use snapshot data and real time detection on the endpoints to identify when files on a system are changed, and when necessary, log the file changes so system administrators, compliance teams, and incident response teams can verify the events and determine if the activity was normal, a policy violation, or a sign of compromise.

Aside from compliance and breach detection use cases, FIM can be invaluable in making sure scripts used for automation and critical application configurations are not changed without proper change control and approval. That way, organizations can prevent downtime and enable fast recovery, both key to ensuring availability of critical applications.

Continue reading …

Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing

In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.

Microsoft patches its Meltdown patch, then patches it again

In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.

It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.

Security researcher Ulf Frisk, who discovered the vulnerability, called it “way worse” than Meltdown because it “allowed any process to read the complete memory contents at gigabytes per second” and made it possible to write to arbitrary memory as well.

“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,” Frisk wrote. “Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required — just standard read and write.”

Continue reading …

Continuous Web Security Assessment for Production and DevOps Environments

Web applications have become essential for business, as they simplify and automate key functions and processes for employees, customers and partners, making organizations more agile, innovative and efficient.

Unfortunately, many web applications are also unsafe due to latent vulnerabilities and insecure configurations. Web application attacks rank as the most likely to trigger a data breach, according to the 2016 and 2017 editions of the Verizon Data Breach Investigations Report.

Those findings are consistent with SANS Institute’s 2016 State of Application Security Report, which found that “public-facing web applications were the largest items involved in breaches and experienced the most widespread breaches.”

“Insecure web applications are a real problem today,” Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, said during a recent webcast. “Web apps are a foothold into your organization for potential attackers.”

Continue reading …

Securing your Cloud and Container DevOps Pipeline

Organizations are aggressively moving workloads to public cloud platforms, such as Amazon’s AWS, Google Cloud, and Microsoft’s Azure, upping the ante for InfoSec teams, which must protect these new environments.

Driving this growth in cloud computing adoption is its essential role in digital transformation initiatives, which help businesses be more efficient, effective, flexible and innovative in areas like e-business, supply chain management, customer support and employee collaboration.

Digital transformation projects are typically delivered using web and mobile apps created in DevOps pipelines, where developers and operations staff work collaboratively at every step of the software lifecycle, releasing apps or app updates frequently.

But security must be integrated throughout the DevOps process — planning, coding, testing, releasing, deploying, monitoring — in an automated way, organically building it into the software lifecycle instead of bolting it on at the end.

That way, vulnerabilities, misconfigurations, policy violations, malware and other safety issues can be addressed before code is released, reducing the risk of exposing your organization and your customers to cyber attacks.

In a recent webcast, Hari Srinivasan, Qualys’ Director of Product Management for Cloud and Virtualization Security, explained how Qualys can help you secure your cloud and container deployments across your DevOps pipeline.

Continue reading …

QID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure”

PCI DSS v3.2 logoQID 86725 “F5 BIG-IP Load Balancer Internal IP Address Disclosure Vulnerability” will be marked as a PCI Fail as of May 1, 2018 in accordance with its CVSS score.

Continue reading …

Qualys Cloud Platform (VM, PC) 8.13 New Features

This new release of the Qualys Cloud Platform (VM, PC), version 8.13, includes several new feature improvements across the apps such as the ability to test authentication records, as well as improvements to UDC’s and report options in Qualys Policy Compliance.

Continue reading …