January 2009 Archives

Just released - "PCI Compliance for Dummies", in conjunction with publisher John Wiley & Sons. This handbook is the first accessible, easy-to-read guide designed to educate merchant organizations about the Payment Card Industry (PCI) Data Security Standard (DSS), which is now a mandatory requirement for companies that store, process, or transmit payment cardholder data. PCI Compliance for Dummies provides the need-to-know information about PCI DSS and how merchants can best comply with its requirements. The book is co-authored by Qualys' Sumedh Thakar and Terry Ramos.

In five succinct parts, the book guides readers through a primer on security risks faced by merchants who accept payment cards and also looks at the PCI requirements themselves and how each applies specifically to the merchant. Readers will also become familiar with best practices and outlined steps to ensure compliance to prevent cardholder data breaches.

To download a free copy, visit http://www.qualys.com/pcifordummies
Recent IDC surveys and customer interviews support the finding that the harsh economic climate will actually accelerate the growth prospects for the software as a service (SaaS) model as vendors position offerings as right-sized, zero-CAPEX alternatives to on-premise applications. Buyers will opt for easy-to-use subscription services which meter current use, not future capacity, and vendors and partners will look for new products and recurring revenue streams. As such, IDC has increased its SaaS growth projection for 2009 from 36% growth to 42% growth over 2008.

Additional findings from the IDC study include:
  • By the end of 2009, 76% of U.S. organizations will use at least one SaaS-delivered application for business use. 
  • The percentage of U.S. firms which plan to spend at least 25% of their IT budgets on SaaS applications will increase from 23% in 2008 to nearly 45% in 2010. 
  • This market's growth prospects will accelerate the shift to SaaS for the whole value chain as the promise of a recurring revenue stream, and the opportunity to tap OPEX and project-related dollars, will benefit the whole SaaS ecosystem. 
  • While demand for SaaS is strongest in North America, new contracts from customers in Europe, Middle East, Africa (EMEA) and Asia/Pacific (excluding Japan) also look particularly positive, and IDC expects that by year-end 2009, nearly 35% of worldwide revenue will be earned outside of the U.S. 
  • On the downside, IDC interviews with SaaS providers highlighted several issues, such as cash-flow shortfalls related to slow-paying current clients, liquidity challenges stemming from tight credit at lenders, and - on the horizon - limited resources to scale up with expanded infrastructure to support new customers and new service offerings.
SC Magazine speaks with Isabelle Theisen, CSO of First Advantage (FADV). Theisen shares how QualysGuard has enabled FADV, with more than 4,500 employees spread across the globe, to prioritize its security threats and risks.

"A technical solution like Qualys provides us with a real-time scorecard of vulnerabilities existing in our IT environment, and then allows us take immediate measures against these vulnerabilities based on risks. QualysGuard identifies vulnerabilities on FADV systems. This can be a very time-consuming activity to perform without an automated solution. Also, the Qualys tool helps FADV assess these vulnerabilities based on specific risks. That is, it allows the IT staff to prioritize the remediation action items in "buckets," starting with high-risks action items - instead of trying to resolve everything at once."

"With Qualys, we are able to assess vulnerabilities following a two-tier approach: vulnerabilities are assigned an 'inherent' risk based on the operating system vendors' suggested risk rankings, and vulnerabilities are assigned a 'customized' risk based on the relevancy of the vulnerability for the company and the criticality of the systems impacted."

"Qualys has always been an integral component within our security risk management program for our high- and medium-risk computer systems (we have implemented a methodology to calculate the risks of our systems). With Qualys, we have a 'living' baseline of security levels for our systems across multiple locations with minimal time and labor from the security department and IT department."

Read the full interview.
CEO Philippe Courtot has been elected to the Board of Management of the Jericho Forum. Philippe joins industry luminaries from AstraZeneca, Boeing, BP, Capgemini, Dresdner Kleinwort and Eli Lilly on the governing board.

The Jericho Forum is dedicated to the idea that success in today's business environment is dependent upon the ability to collaborate and conduct business by enabling the secure flow of data over the Internet. In 2009, the Jericho Forum will focus its efforts on securing cloud computing.

Philippe stated: "The Jericho Forum has evolved into an international IT security thought-leadership group dedicated to defining ways to deliver secure, effective IT solutions that match the increasing business demands in an open, Internet-driven, globally networked world. I'm proud to be elected to the Jericho Forum Board of Management and look forward to working with its members to define a blueprint for enterprise cloud computing that will allow all of us to operate securely in the cloud."

Read More

Qualys® Vulnerability R&D Lab has released a new vulnerability check in QualysGuard® to protect organizations against one new vulnerability in Microsoft Windows. Customers can immediately audit their networks for this and other new vulnerabilities by accessing their QualysGuard subscription.

On January 13, Microsoft released one security patch to fix newly discovered flaws in Microsoft Windows. The Qualys Vulnerability R&D Lab has released the following check for this new vulnerability:

        - Microsoft SMB Could Allow Remote Code Execution

Read Alert
Listen to Podcast

Related Coverage:
Microsoft Quietly Patches First Tuesday In '09, by Jason Lee Miller, SecurityProNews
Microsoft, Oracle Issue Patches, While Zero-Day Exploits Surface, by Thomas Claburn, InformationWeek
Microsoft Patches 'Super Nasty' Windows Bugs, by Gregg Keizer, Computerworld
Microsoft, RIM, Oracle Release Critical Patches, by Robert McMillan, ITworld
Cloud computing is all the rage now. But Qualys, a fast-growing Redwood City-based network security firm, was a pioneer in offering computing applications and services over the Internet when it was founded in 1999. And Qualys is poised for more growth as cloud computing caters to companies looking for ways to avoid costly licensed products during a recession. Today, Qualys is almost an insider, with nearly 40 Fortune 100 companies among its 4,000 customers and revenue growing quickly.

John Pescatore, vice president of Internet security at Gartner, said that Qualys is a top-rated vendor, was indeed a leader in providing security as a service, and has a reputation for making clients happy. "They have a really good reputation for customer service," he said. "They are not tremendously differentiated technologically anymore." Qualys got out front with its vulnerability assessment service, its first product, and it has become an industry leader in providing credit card database security, Pescatore said. Customers for those products include General Electric, Google, eBay, DuPont, Hershey Foods, BASF, Hewlett-Packard and even Symantec.
 
This year, Qualys introduced two less innovative products, a policy compliance tool in June, and a web application scanning service last month, that are similar to what other companies like Symantec and Whitehat, respectively, already offer, Pescatore said. Qualys has an advantage, Philippe Courtot, Chairman & CEO of Qualys said, in that it can instantly add new services to its platform without customers having to spend major capital for equipment, software or labor. In addition, clients can instantly scale up or down based on their needs because Qualys is subscription-based. Pescatore said the ability to layer on new services easily could be a big advantage, particularly given Qualys' excellent relationships with its clients.
 
Courtot said Qualys, which is profitable, reinvests 25 percent of its revenue in research and development. It now employs 210 people, up from 194 last year, with about half of them at its headquarters in Redwood Shores. Qualys is one of a handful of software-as-a-service pathbreakers, like Salesforce.com and Netsuite, that survived the bursting of the Internet bubble and a retrenchment in venture capital investing, and today are leading the charge into the cloud, he said.
 
Read More
While security managers find it challenging enough to maintain secure patch levels across their organisations' desktops, servers and networking gear, there's a new class of network equipment that you'll need to add to the list: high-end networked scanners, copiers, printers and multi-function devices. These may not be the devices most targeted for attack right now, but they're likely to move up that list very soon.

First, the manufacturers are increasingly moving away from proprietary operating systems and software that run these devices in favour of readily-available operating systems. Second, there has been heightened visibility regarding the vulnerabilities associated with these devices, including a presentation at this year's Black Hat security conference. Recently, while at a customer site, we identified vulnerabilities on a networked printer that left the organisation open to attack.

Until recently, these types of devices were based on specialised software running on RISC-based processors, and few attackers had the knowledge or skills necessary to identify and exploit the vulnerabilities that would make a successful attack possible. Today, more of these devices are built on traditional Intel processors running common operating systems such as Linux, and even Apache Web server software. That's why high-end multi-function devices and printers are beginning to look amazingly similar to any other IT appliance attached to the network.

The result is that they're now vulnerable to the same types of attacks as standard desktops and servers, and can be used as a potential jump-point to other devices and systems, to even monitor data traveling across the network, or be used to launch DoS attacks. And the data actually residing on these devices can be critical, even regulated. More and more of these devices are coming equipped with hard disks, and everything copied can be cached.
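The practical first step the passage implies is getting these devices onto the same inventory and patch list as servers. The following is an added example (not code from the article or from Qualys) that classifies constructed port-scan records: a host that exposes print services (raw 9100, LPD 515, IPP 631) or identifies itself as a printer/copier is treated as a print device, and the same host's general-purpose services and banner hints (Linux, Apache, telnet, FTP, SNMP) are reported so it can be tracked like any other appliance. The host records, port numbers, banners and `Host`/`Finding` names are assumptions for illustration.

```python
"""Flag networked printers/MFDs that expose a general-purpose IT stack.

Added example; the scan records below are constructed, not taken from a real
scan. Input is a list of Host objects as a scanner might have produced them.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Well-known print-service ports (assumed mapping for this example).
PRINT_PORTS = {9100: "jetdirect-raw", 515: "lpd", 631: "ipp"}
# Services that make an MFD look like "any other IT appliance" on the network.
GENERAL_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
                 161: "snmp", 443: "https", 445: "smb"}
PRINTER_WORDS = ("printer", "laserjet", "copier", "mfp", "multifunction")
STACK_WORDS = ("linux", "apache", "vxworks", "windows")


@dataclass
class Host:
    ip: str
    open_ports: Dict[int, str]      # port -> banner text ("" if none captured)
    snmp_sysdescr: str = ""         # SNMP sysDescr, if the device answered


@dataclass
class Finding:
    ip: str
    is_print_device: bool
    print_services: List[str] = field(default_factory=list)
    general_services: List[str] = field(default_factory=list)
    os_hints: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def classify(host: Host) -> Finding:
    """Decide whether a host is a print device and what else it exposes."""
    text = (host.snmp_sysdescr + " " + " ".join(host.open_ports.values())).lower()
    print_services = [PRINT_PORTS[p] for p in sorted(host.open_ports) if p in PRINT_PORTS]
    is_printer = bool(print_services) or any(w in text for w in PRINTER_WORDS)
    general = [GENERAL_PORTS[p] for p in sorted(host.open_ports) if p in GENERAL_PORTS]
    os_hints = [w for w in STACK_WORDS if w in text]

    notes: List[str] = []
    if is_printer:
        # A commodity OS/web server means the device inherits their patch cycle.
        if any(w in os_hints for w in ("linux", "apache", "windows")):
            notes.append("general-purpose stack: add to the OS/web-server patch list")
        # Cleartext management channels let an attacker reuse the box as a jump-point.
        if "telnet" in general or "ftp" in general:
            notes.append("cleartext management/transfer service exposed")
        if "snmp" in general:
            notes.append("SNMP exposed: verify community strings are not defaults")
    return Finding(host.ip, is_printer, print_services, general, os_hints, notes)


def patch_list(hosts: List[Host]) -> List[str]:
    """IPs of print devices that need to be tracked alongside servers."""
    return [f.ip for f in map(classify, hosts) if f.is_print_device and f.notes]


# Constructed sample records (not real devices).
SAMPLE_HOSTS = [
    Host("10.0.0.5", {9100: "", 80: "Apache/2.0.52 (Unix)", 23: "", 161: ""},
         snmp_sysdescr="Generic MFP, Linux 2.6"),
    Host("10.0.0.9", {80: "nginx/0.6.32", 22: "OpenSSH_5.1"}),
    Host("10.0.0.12", {631: "", 443: "embedded-httpd"}),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        f = classify(h)
        print(f.ip, "print-device" if f.is_print_device else "other", f.os_hints, f.notes)
    print("needs tracking:", patch_list(SAMPLE_HOSTS))
```

The classifier is deliberately conservative: a device that only answers on IPP and HTTPS is still identified as a print device but gets no notes, so the patch list contains only the devices that actually expose a commodity stack or a cleartext management channel.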

Read More