September 2009 Archives

The University of Utah, ranked as one of the oldest and largest public research universities in the nation, runs an IT infrastructure of thousands of servers and tens of thousands of endpoints totaling more than 30,000 individual IP addresses.

Like most regulated organizations, the university's IT security and compliance teams are under constant pressure to ensure that the business runs both securely and within compliance.

The network assessment tools the university had relied on were not only inaccurate but also could not sustain a functional automated scan cycle, and they frequently crashed the systems being evaluated.

"Our security program is finally getting to the point we wanted to reach all along: where the vulnerability scans are transparent," said David Feyler, manager of information security operations for the University of Utah. "It's as if there was this angst when the security team showed up before, and, 'oh no, we are going to get scanned again.' That's all gone now."

Click here to read more about how QualysGuard reduced the University of Utah's IT risks from system misconfigurations and vulnerabilities while achieving automation, accuracy, and transparency.

Network discovery capabilities and the introduction of PCI Connect features highlight the new release.

QualysGuard PCI 4.0 offers merchants and acquirers the following new features:

  • Discovery of live devices to help merchants identify the systems that are in scope for PCI.
  • An automated referral program through which merchants connect directly with partners offering PCI DSS solutions to validate PCI requirements within the Self-Assessment Questionnaire (SAQ).
  • Merchants can upload evidence to support SAQ validation in multiple formats, including documents and images. This may include reports from log management systems, firewall or other device configuration settings, security policies and procedures, and anything else the merchant wishes to attach to the submission. The merchant can also choose whether to share that detail with the acquirer.
  • PCI Connect technology partners can provide XML uploads from their solutions for SAQ validation. Such XML data includes a summary of compliance posture for any of the requirements in the SAQ. Technology partners that have joined PCI Connect include AirTight Networks, Core Security, Imperva, RedSeal Systems, Splunk and Third Brigade.
  • Acquiring banks gain additional visibility into merchants' security controls when validating them for compliance. This helps acquirers evaluate whether merchants have met PCI requirements and whether sufficient evidence has been submitted for validation.

"QualysGuard PCI 4.0 helps merchants of all sizes better scope their PCI efforts upfront and provides the necessary workflows to connect them with leading PCI DSS solutions in order to complete the SAQ and furnish evidence of compliance. It also provides acquiring banks with a centralized view of the security posture of their merchants and thus a better assessment of their risk profile," said Philippe Courtot, CEO and Chairman of Qualys.


Read More
QualysGuard PCI Datasheet

For the third year in a row, Qualys Inc. has come out on top in the Vulnerability Management category. QualysGuard Vulnerability Management is the company's automated vulnerability management and network auditing product. Readers were most pleased with its ease of installation, the accuracy with which it identifies vulnerabilities, and the breadth of applications and devices covered.

Read More

A new semiannual report from security experts TippingPoint®, SANS Institute and Qualys® highlights the most significant attacks of the last six months, the vulnerabilities those attacks exploit, and how they can harm a business. The report shows that many businesses remain extremely vulnerable to attacks that can damage brand reputation and business operations. It helps businesses review their defenses and ensure their networks are up to date and able to respond quickly to today's emerging attacks.

Key findings of the Top Risks Report include:

  • Unpatched popular client-side applications put businesses at risk for data theft: PC applications often remain unpatched, leaving those machines open to compromise and to use as a foothold for propagating attacks to internal computers. This leaves a window open for hackers to steal critical data, degrade network performance and disrupt business continuity. Examples of these applications include Adobe Acrobat Reader, Microsoft Office and Apple QuickTime.
  • The number of Web application attacks is increasing, elevating the threat posed by previously trusted Web sites: Attacks on Web applications account for more than 60 percent of the total attack attempts observed on the Internet. Web application vulnerabilities are being exploited widely to turn trusted Web sites into malicious servers that deliver client-side exploits.
  • Operating system vulnerabilities are decreasing, but still pose a significant threat to an organization's security resources: Operating systems (OS) now have fewer vulnerabilities that can be remotely exploited to build massive Internet worms. Conficker/Downadup is the exception and exposes a major hole in many organizations' security strategy. Attacks on Microsoft operating systems were dominated by Conficker/Downadup worm variants: over the past six months, more than 90 percent of the attacks recorded against Microsoft systems targeted the buffer overflow vulnerability described in Microsoft Security Bulletin MS08-067.
  • A growing number of vulnerability researchers is creating a backlog of unpatched software and a greater risk that it will be exploited: The number of people discovering zero-day vulnerabilities is growing fast, yielding a growing number of vulnerabilities that remain unpatched, some for as long as two years. This lag in patching increases the chance of hackers creating exploits that target those vulnerabilities.
Full Report

Moving from manual network assessments to an automated vulnerability management program, OfficeMax Mexico, which manages 78 OfficeMax Superstores throughout the country, streamlined PCI DSS compliance and improved the accuracy of its assessment scans.

"QualysGuard has been easy for us to deploy, and makes it possible for us to secure our systems, save time, and maintain PCI compliance more easily," said Ricardo Rodriguez, Information Security Manager for OfficeMax Mexico.

QualysGuard gives OfficeMax Mexico a proactive way to protect the company's network throughout the entire vulnerability management lifecycle: asset discovery, asset prioritization, vulnerability assessment and analysis, remediation, and fix verification. Its flexible, on-demand architecture also makes it easy for each of OfficeMax's team members to meet their individual security responsibilities.

Click here to read more about how OfficeMax Mexico streamlined PCI DSS compliance and improved the accuracy of its assessment scans.

SANS is offering Qualys customers a 10% discount on the vLive course SEC542: Web App Penetration Testing and Ethical Hacking.

To sign up and/or for more details, please click here.

Make sure to use the code qualys542 when you register to receive the 10% discount.

By Philippe Courtot, Chairman and CEO, Qualys

The software industry is entering another age of astonishing innovation. Not only is software advancing at an astounding rate, but so are hardware devices, whose power is increasing as quickly as their size is decreasing. This is making software and computing power nearly ubiquitous.

Consider this: a handful of years ago, few would have believed that customer relationship management software would move almost completely to the cloud, or that Lotus Notes, that gray old lady of IT, would make the jump as well. Even among the proponents of cloud computing, few believed corporate software and data would be liberated so quickly, made readily available anywhere, anytime, on any device, from within any web browser. Today, it seems more unusual not to have a software as a service (SaaS) or cloud offering that complements, or completely replaces, a software maker's traditional applications.

Yet, I believe that the SaaS and cloud computing revolution holds the potential to benefit everyone in the software industry, and all who rely on it for their business. For instance, we in the industry are well aware that software is evolving too quickly. It's a never-ending process of software enhancements, upgrades, security fixes and new installations. And, few would disagree that there are too many vulnerabilities affecting too many applications. In this disorder, most of the burden has fallen on the shoulders of corporations that have had to dedicate extraordinary resources to patch and mitigate the security holes.

Here is an interesting statistic that reveals the magnitude of the challenge. According to Qualys' The Laws of Vulnerabilities 2.0 research, companies take an average of 59 days to patch their vulnerabilities. Five years ago, that number was 60 days. That's a reduction of one day in the past five years. When one considers all the effort and automation that has gone into patch management in the past five years, that's not much in the way of improvement. And this shows not just how steep the challenge is, but just how broken the current ecosystem of traditional software is.

Fortunately, the SaaS and cloud computing models are positive disruptions to the infrastructure of both private networks and the internet. When individual organizations patch, the work must be duplicated for every installation; when a SaaS vendor updates its application, all of its customers are patched at once. Because of this simple fact, many of the security problems that plague today's business-technology systems, such as missing patches and software misconfiguration, are fixed once at the provider rather than in every customer's environment. In this and many other ways, the burden of maintaining a secure application is largely transferred from the software user to the service provider, and the effect of proper patching is amplified across all the IT systems the SaaS and cloud providers touch.

Some are still fighting the shift to SaaS and cloud computing. But I don't believe that resisting the transformation of on-premise business IT to cloud-based IT is a viable option, not for long. The business benefits, cost savings and reduction in complexity are too compelling for businesses to overlook. Today, the strongest resistance we see comes from IT departments and IT security staff, mainly out of fear of what might happen if one were to lose control of data. This is a false choice, and the market will not reward cloud or SaaS providers that attempt customer data lock-in.

Nevertheless, despite reservations from IT, businesses will march forward, because they have no choice but to take the path that simplifies many of today's IT complexities. In this transformation, the primary and strategic role of IT security will be to manage, successfully and securely, the privacy and security risks associated with data living in the cloud.

While the SaaS and cloud computing revolution is well underway, much work remains before the core infrastructure and associated services are as secure, reliable and trustworthy as they can be. For instance, we need ISPs to coordinate so that network traffic flows more cleanly and is free of malicious packets. We will also need a simple, universal way to recognize and manage the identities of people and devices.

There also is the crucial business of defining accurately how enterprises can integrate and secure their current infrastructure as more of it is moved to cloud services. For this effort, I encourage all businesses, security professionals, CIOs and vendors to work together to make the transformation as beneficial as possible for all. Some of the organizations working hard to ensure that we build this new cloud infrastructure right from the beginning include the Cloud Security Alliance and the Jericho Forum, both of which are promoting cloud computing best practices.

While the visible shift to cloud computing to date has been the movement of applications and data to the cloud, it's not going to stop there. Soon, the day will come when companies outsource not only their software but their network infrastructure as well. One day, most everything we do on private networks -- manage information, applications, infrastructure and services -- will be accessible instantly and securely from anywhere and from any web browser. It's time to prepare.

Full Article