
Retired four-star General Peter Pace, USMC, has joined the Qualys Board of Directors. With four decades of distinguished Marine Corps service, most recently as the 16th Chairman of the Joint Chiefs of Staff of the U.S. Military, General Pace brings expertise and interest in cyber-security and geopolitical issues to help guide Qualys' expansion within state and government agencies.


"Cyber-security threats have become a national priority and I look forward to working with the Qualys team to provide strategic guidance around the issues that affect IT security and foreign and domestic governance," said General Pace.


"We are honored to have General Pace join the Qualys Board of Directors and look forward to working with him," said Philippe Courtot, CEO of Qualys. "His long and highly-regarded service history and global perspective will help us better understand and address security requirements in state and government agencies."




With its six casinos offering more than 340,000 square feet of gaming space outfitted with 7,000 slot machines and 400 gaming tables, 1,416 guest rooms, meeting space and conference rooms, Foxwoods Resort Casino needed to find the most efficient way to discover and fix system vulnerabilities, and to maintain regulatory compliance.


Central to running its enterprise and IT infrastructure is making sure Foxwoods casino's financial, ERP, guest management, and Web site systems stay up and running, free from viruses, spyware, and criminal hacks. Also, because Foxwoods accepts reservations online, and even runs its own online shopping site, it must comply with the Payment Card Industry Data Security Standard (PCI DSS).


"QualysGuard is our main tool for PCI compliance. It's fully automated and helps with many of the tasks associated with PCI, from assessing relevant systems to providing full reports to the acquiring bank," says Leonard A. Szczygiel, Network Engineer at Foxwoods. "And we needed a clear way to quantify the security information we were telling our management about. We would discuss the risks of not patching certain systems, and management wouldn't really get what we were trying to explain to them. Now, thanks to QualysGuard, they do."


Click here to read more about how Foxwoods Resort Casino assesses and reports its PCI compliance.

Ignite Media Solutions, a marketing services firm, collects and processes Level 1 payment information for its clients. With many millions of transactions annually, Ignite must remain compliant with the Payment Card Industry Data Security Standard (PCI DSS).

To operationalize its IT security and PCI compliance program, Ignite deployed network monitoring, log management, and file integrity monitoring software. The central element of these efforts, however, is proactively managing all of the software vulnerabilities, configurations, and security policies of its IT systems.

"The quality of Qualys' PCI DSS certification documentation set it apart from its competition," said Mike DeMatteo, PCI Compliance Administrator for Ignite Media Solutions. "The documentation makes applying QualysGuard to the PCI requirements a no-brainer. The other companies I researched didn't do this; it was like pulling teeth to just find out what PCI requirements the others actually covered. Qualys just pulls it all together, making it so easy that one doesn't have to be an information security expert to attain PCI compliance. It's easy to use, does network discovery and mapping, and its dashboard provides the information we need."

Click here to read more about how Ignite Media implements and maintains PCI compliance.
When it comes to software vulnerabilities, 2008 will go down as a seminal year. It turned out to be a year when the types of applications targeted by attackers shifted, and we witnessed a significant rise in both the number of vulnerabilities discovered and the number of vulnerabilities found in web applications.

Consider this: Though there was an overall 15 percent rise in vulnerabilities discovered last year, 60 percent of those uncovered were web application flaws. The biggest jump in that class of vulnerabilities was seen in SQL-injection flaws, which doubled year over year. And while desktop and client-side software is still targeted heavily, Microsoft Office's Excel spreadsheet application had the largest number of critical vulnerabilities within that productivity suite. In addition, 11 percent of web vulnerabilities were cross-site scripting flaws, while all other web-related vulnerabilities accounted for 26 percent of the total.

One of the most important trends last year was a surge in critical server vulnerabilities that don't require user intervention to exploit, such as CVE-2008-1447, which described a weakness in the DNS protocol that made it possible to conduct DNS cache poisoning attacks. In this type of attack, a poisoned name server can be made to send users to an incorrect, even malicious, web site or e-mail server, and to redirect other types of traffic to systems under the attacker's control.
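The defensive check that followed CVE-2008-1447 was to confirm that a resolver randomizes both the UDP source port and the transaction ID of its outbound queries, since a fixed port and sequential IDs are what made the cache-poisoning attack practical. The script below is an added example, not part of the original article or any Qualys product; it parses constructed tcpdump-style lines of a resolver's outbound queries and reports how much randomness each field shows.

```python
import math
import re
from collections import Counter

# Constructed samples in tcpdump's "IP src.port > dst.53: txid+ ..." form.
# The first resolver reuses one source port and counts its TXIDs upward;
# the second varies both fields.
WEAK_RESOLVER_LOG = "\n".join(
    f"IP 10.0.0.5.32768 > 192.0.2.1.53: {4097 + i}+ A? host{i}.example. (30)"
    for i in range(8))
GOOD_RESOLVER_LOG = "\n".join(
    f"IP 10.0.0.5.{port} > 192.0.2.1.53: {txid}+ A? host{i}.example. (30)"
    for i, (port, txid) in enumerate(zip(
        [51123, 34990, 60211, 41877, 55302, 38419, 49876, 57040],
        [18237, 5091, 61120, 29874, 9331, 44102, 37765, 12489])))

LINE_RE = re.compile(r"^IP \S+\.(\d+) > \S+\.53: (\d+)\+")

def parse_queries(log):
    """Return (source_port, txid) pairs for each outbound query line."""
    pairs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs

def shannon_bits(values):
    """Empirical Shannon entropy in bits; bounded above by log2(sample size)."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def assess_resolver(log):
    """Flag a resolver whose port or TXID sequence looks predictable."""
    pairs = parse_queries(log)
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    fixed_port = len(set(ports)) == 1
    sequential_txid = len(txids) > 1 and all(
        b - a == 1 for a, b in zip(txids, txids[1:]))
    return {
        "queries": len(pairs),
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits(txids),
        "fixed_source_port": fixed_port,
        "sequential_txid": sequential_txid,
        "verdict": "weak" if (fixed_port or sequential_txid) else "ok",
    }
```

With only a handful of queries the entropy figures cannot exceed log2 of the sample size, so the fixed-port and sequential-TXID flags are the decisive signals; a larger capture is needed before reading the entropy values on their own.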


Security executives and thought leaders from leading organizations presented their security and compliance best practices at the Qualys booth during RSA '09. Each speaker discussed how they are using Qualys' security-as-a-service suite to secure their organization and comply with industry regulations. Full presentations can be seen here:


Listen to David French and Bill Olson, as they provide an overview on the QualysGuard Security + Compliance Suite and the benefits of the SaaS model:

As the leading voice for the U.S. technology industry and foundation of the global innovation economy, TechAmerica has elected CEO Philippe Courtot to its Board of Directors.

TechAmerica President Phil Bond stated: "We are pleased that TechAmerica members and their supporting organizations elected Philippe Courtot to the 2009 Board of Directors. Philippe's proven industry knowledge and global expertise bring a new perspective and resource to the association, enabling us to be the loudest and strongest voice in Washington, D.C., Wall Street and the major markets for electronics and IT."

Representing approximately 1,500 member companies of all sizes, from the public and commercial sectors of the economy, TechAmerica is the industry's largest advocacy organization dedicated to helping members' top and bottom lines. It is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). TechAmerica was formed by the merger of AeA (formerly the American Electronics Association), the Cyber Security Industry Alliance (CSIA), the Information Technology Association of America (ITAA) and the Government Electronics & Information Technology Association (GEIA).

Not long ago, the security of supervisory control and data acquisition (SCADA) systems seemed to be a topic of interest only to those who ran complex industrial control systems, water treatment plants, and power generation, and in some ways it still is. But for anyone who attended the SANS 2009 SCADA and Process Control Summit recently, it became clear that the convergence of IT security and physical security is accelerating.

This is happening as more IT systems are managing physical systems, and it's no longer only utilities and the critical infrastructure that rely on SCADA systems for management. These days we see more traditional industries, such as manufacturing, turning to SCADA systems, while health care and many other industries are, or soon will be, using telematics to manage all types of far-flung devices. In coming years, the security of physical control systems will be part of many IT security managers' bag of responsibilities.

One thing certainly is clear to me after researching the subject: many SCADA systems are inherently vulnerable. These systems were never designed with network security in mind, and they are increasingly being connected to the internet. That's not an especially encouraging situation.

In fact, SCADA devices are increasingly falling victim to the same kinds of software vulnerabilities that have been plaguing IT systems and applications for years. Just last month, Paris-based Areva warned its customers that an important part of its energy management software was vulnerable after software flaws were found in several versions (5.5, 5.6, 5.7) of its e-terrahabitat package. As the U.S. Computer Emergency Readiness Team (US-CERT) warned, a number of buffer overflow and denial-of-service vulnerabilities made versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering. Customers using earlier versions needed to upgrade as well.

Theoretically, SCADA systems should not be exposed to the internet, but I fear they are increasingly being connected to IP networks. In most industries, SCADA systems should be completely air-gapped from data networks, which significantly mitigates the risk of attack. However, more installations are using SCADA to manage their systems remotely, or even connecting the systems to an internet-enabled corporate network to collect and analyze data. As this trend continues, SCADA systems must increasingly be treated like any other networked device: they must be identified, inventoried, and analyzed for vulnerabilities.

With the goal of improving and enhancing the Ohio Dominican University IT security and risk management program, Ohio Dominican began a year-long journey to build an optimized set of security management processes. Some of the initial enhancements included creating a security awareness program and streamlining the university's vulnerability management process, as well as gaining near real-time insight into network security events.

"We chose QualysGuard as it not only helps us to secure our systems better, but it adds value because it makes us more efficient. It streamlines our vulnerability management efforts so that we can focus better on innovative IT initiatives that add value to the university," stated Mike Young, CIO.

Click here to read more about how Mike Young and his team added 100 improvements to the university's IT security program.
For on-demand Web Content Management (WCM) provider Clickability, Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offer more efficiency and affordability than traditional software. In an effort to reduce its carbon footprint and create a greener enterprise, Clickability supports the reliability and sustainability of the green SaaS model. In fact, the company runs its entire business via SaaS-delivered solutions.

When Clickability sought a way to secure its infrastructure, which houses and delivers content for a spectrum of global brands in financial services, technology, broadcasting, and publishing, it turned to Qualys and its on-demand SaaS IT risk and compliance management platform, QualysGuard.

"Qualys is the most accurate [vulnerability assessment solution] we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates," says Tom Cignarella, VP of Technical Operations, Clickability. "And, because Qualys is the leading vulnerability assessment provider, most of our customers are familiar with QualysGuard's reputation and are happy to know that it's part of how we keep their information secure."

Click here to read more about how Clickability easily manages, builds and maintains its secure infrastructure.