Recently in Industry News Category

Trend Micro today expanded its security and compliance coverage through the announcement of a strategic relationship with Qualys, a recognized leader in on-demand IT security risk and compliance management solutions. Under the agreement, Trend Micro will repackage and sell the QualysGuard IT Security and Compliance Suite with its Trend Micro™ Enterprise Security compliance offerings to provide a more comprehensive solution for customers worldwide.

Click here to see the full news release.
By Alessandro Perilli, CISSP, Founder and Chief Editor, virtualization.info
Virtualization and Security Expert Alessandro Perilli discusses the future of cloud computing and its security implications.

The data centers of tomorrow will be computing clouds - massive aggregations of resources that are served inside geographically dispersed computers. As customers put their data into these clouds, they don't have to buy the software to manipulate and process their data anymore. They just pay for the time the cloud is used to perform a certain task with their data.
But who will secure these clouds? This piece will discuss the future of computing and its impact on security.

Click here to read the full article.

A new Enterprise Management Associates® (EMA™) brief describes how Qualys has led the charge for a business approach to vulnerability management.

Excerpt: "The company's success has come directly from its business-focused approach to vulnerability management...In addition to being on the leading edge of SaaS delivery models, Qualys has been an early adopter of several technologies that were meant to enhance the end-user experience. Furthermore, Qualys has focused their efforts on delivering better services to customers."

Click here to read the full report.
Follow this link to read answers from Dr. Chenxi Wang, principal analyst, security and risk management, Forrester Research, Inc., to questions from a discussion on cloud computing and its impact on IT security featuring Qualys Chairman and CEO Philippe Courtot and Cisco Chief Security Officer (CSO) John Stewart.

Click here to listen to the recorded webinar.
On Dec. 22, the White House announced President Obama's new White House Cybersecurity Coordinator, Howard Schmidt. Along with his distinguished career, Howard chaired our CSO Advisory Board to offer enterprise insight on security needs and strategic direction in the further development of Qualys' IT security and compliance management SaaS solutions.

"We sincerely congratulate Howard on his appointment as the White House Cybersecurity Coordinator," said Philippe Courtot, Chairman and CEO of Qualys. "Needless to say, this is a very important post that we all have been awaiting, and Howard with his distinguished career record that spans over forty years of experience in government, business and law enforcement brings a unique and deep experience to this post and all the issues it encompasses."

More details about this appointment are at the White House blog.
Not long ago, supervisory control and data acquisition (SCADA) system security seemed to be a topic of interest only to those who ran complex industrial control systems, water treatment plants, and power generation - and in some ways it still is. But for anyone who attended the SANS 2009 SCADA and Process Control Summit recently, it became clear that the convergence of IT security and physical security is accelerating.

This is happening as more IT systems are managing physical systems - and it's no longer only utilities and the critical infrastructure that rely on SCADA systems for management. These days we see more traditional industries, such as manufacturing, turning to SCADA systems, while health care and many other industries are, or soon will be, using telematics to manage all types of far-flung devices. In coming years, the security of physical control systems will be part of many IT security managers' bag of responsibilities. 

One thing certainly is clear to me after researching the subject: Many SCADA systems are inherently vulnerable. First, these systems were never designed with network security in mind; second, they are increasingly being connected to the internet. That's not an especially encouraging situation.

In fact, SCADA devices are increasingly affected by the same kinds of software vulnerabilities that have been plaguing IT systems and applications for years. Just last month, Paris-based Areva warned its customers that an important part of its energy management software was vulnerable after software flaws were found in several versions (5.5, 5.6, 5.7) of its e-terrahabitat package. As the U.S. Computer Emergency Readiness Team (US-CERT) warned, a number of buffer overflow and denial-of-service vulnerabilities made versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering. Customers using earlier versions needed to upgrade as well.

Theoretically, SCADA systems should not be exposed to the internet, but I fear they increasingly are being connected to IP networks. In most industries, SCADA systems should be completely air-gapped from data networks, thus significantly mitigating the risk of attack. However, more installations are using SCADA to manage their systems remotely, or even connect the systems to an internet-enabled corporate network to collect and analyze data. As this trend continues, SCADA systems increasingly must be treated as any other networked device: They must be identified, inventoried, and analyzed for vulnerabilities.

Read Full Article

In the Qualys Booth #1717 at RSA 2009, Qualys customers including General Electric, Cisco, First Advantage, Kaiser Permanente, Fifth Third Bank and Administaff are scheduled to share their IT Security and Compliance Best Practices. For a full daily schedule and speaker bios, visit: http://www.qualys.com/rsa.

Qualys Speaks @ RSA

  • On Wednesday, April 22, 9:10-10:20 a.m., Qualys CMO Amer Deeba will join the panel to discuss "Using SaaS to Solve Network Management and Security Challenges".
  • On Thursday, April 23, 2:10-3:00 p.m., Qualys CTO Wolfgang Kandek will present an RSA Featured Session on "The Laws of Vulnerabilities Research 2.0".
  • Philippe Courtot, Qualys CEO, will deliver a keynote on April 23 at 3:40-4:15 p.m. titled "Changing Security As We Know It - Software as a Service (SaaS) Has Arrived Giving Rise to Plethora of Security Applications".
The Tech Herald speaks with Qualys CTO Wolfgang Kandek about Microsoft security updates and why these patches matter specifically for Internet Explorer (IE7).

"Every month when Microsoft issues its security advisories, we get asked what patch to apply first. Typically we are reluctant to elevate one vulnerability over the other; however, looking at the 2008 data, we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first," said Qualys CTO Wolfgang Kandek.

"The browser is the heaviest used software application that interacts with the Internet, the most likely source of malicious content. It is not only used for professional purposes but also in private interactions, e-commerce, social networking, private e-mail, etc. Browser patches are heavily tested by Microsoft and unlikely to break any existing functionality on the desktop."

Sometimes these updates are for Windows, sometimes they are for Internet Explorer or Office, sometimes they are for all three, and then some. Yet, after each Microsoft release, new attacks on vulnerabilities addressed in the monthly updates appear online. This month, the attacks are aimed at Internet Explorer, which after all this time, many people fail to update consistently.

Read More
Recent IDC surveys and customer interviews support the finding that the harsh economic climate will actually accelerate the growth prospects for the software as a service (SaaS) model as vendors position offerings as right-sized, zero-CAPEX alternatives to on-premise applications. Buyers will opt for easy-to-use subscription services which meter current use, not future capacity, and vendors and partners will look for new products and recurring revenue streams. As such, IDC has increased its SaaS growth projection for 2009 from 36% growth to 42% growth over 2008.

Additional findings from the IDC study include:
  • By the end of 2009, 76% of U.S. organizations will use at least one SaaS-delivered application for business use. 
  • The percentage of U.S. firms which plan to spend at least 25% of their IT budgets on SaaS applications will increase from 23% in 2008 to nearly 45% in 2010. 
  • This market's growth prospects will accelerate the shift to SaaS for the whole value chain as the promise of a recurring revenue stream, and the opportunity to tap OPEX and project-related dollars, will benefit the whole SaaS ecosystem. 
  • While demand for SaaS is strongest in North America, new contracts from customers in Europe, Middle East, Africa (EMEA) and Asia/Pacific (excluding Japan) also look particularly positive, and IDC expects that by year-end 2009, nearly 35% of worldwide revenue will be earned outside of the U.S. 
  • On the downside, IDC interviews with SaaS providers highlighted several issues, such as cash-flow shortfalls related to slow-paying current clients, liquidity challenges stemming from tight credit at lenders, and - on the horizon - limited resources to scale up with expanded infrastructure to support new customers and new service offerings.
While security managers find it challenging enough to maintain secure patch levels across their organisations' desktops, servers and networking gear, there's a new class of network equipment that you'll need to add to the list: high-end networked scanners, copiers, printers and multi-function devices. These may not be the devices most targeted for attack right now, but they're likely to move up that list very soon.

First, the manufacturers are increasingly moving away from proprietary operating systems and software that run these devices in favour of readily-available operating systems. Second, there has been heightened visibility regarding the vulnerabilities associated with these devices, including a presentation at this year's Black Hat security conference. Recently, while at a customer site, we identified vulnerabilities on a networked printer that left the organisation open to attack.

Until recently, these types of devices were based on specialised software running on RISC-based processors, and few attackers had the knowledge or skills necessary to identify and exploit the vulnerabilities that would make a successful attack possible. Today, more of these devices are built on traditional Intel processors running common operating systems such as Linux, and even Apache Web server software. That's why high-end multi-function devices and printers are beginning to look amazingly similar to any other IT appliance attached to the network.

The result is that they're now vulnerable to the same types of attacks as standard desktops and servers, and can be used as a potential jump-point to other devices and systems, even to monitor data traveling across the network, or to launch DoS attacks. And the data actually residing on these devices can be critical, even regulated. More and more of these devices are coming equipped with hard disks, and everything copied can be cached.

Read More

The out-of-band security update fixes a vulnerability that can be exploited through JavaScript code posted on malicious Web sites. Internet Explorer users may be redirected to these sites through hacked legitimate sites. If the malicious code is successful, it silently downloads malware onto the victim's computer. Microsoft security researchers estimated that as many as 1 in 500 users of Internet Explorer could have been exposed to malware attempting to exploit the flaw. Microsoft is urging users of IE to test and deploy this update as soon as possible.

Qualys customers can immediately audit their networks for this vulnerability by accessing their QualysGuard subscription and performing the following check:

QID: 100067: Microsoft Internet Explorer Pointer Reference Memory Corruption (MS08-078)

Read More
Optimism around software-as-a-service appears strong, with 90 percent of organisations expecting to maintain or grow their use of software based on the model, according to Gartner.

The analyst company recently released a report on a global user survey that found that cost-effectiveness and ease and speed of deployment were "primary reasons" for enterprises adopting SaaS (software as a service).

Companies moving to SaaS also looked to the model to help lower their TCO (total cost of ownership) and to solve issues with "unmet performance expectations" with their on-premise implementations.

Sharon Mertz, research director at Gartner, said on Wednesday in a statement: "Use of SaaS has been evolving during the past decade and the SaaS model has become increasingly popular over the past three or four years."

"When asked why their organisations were transitioning from a current on-premises solution to a SaaS solution, respondents' consistent message was that the TCO [for on-premise solutions] was becoming too financially onerous."

Together with budget cuts next year, Gartner expects the focus on driving down TCO to foster greater demand for SaaS compared to on-premise purchases.

Read More

If your business accepts credit card payments, it must comply with Payment Card Industry (PCI) requirements, and the way you handle that data is now governed by the Payment Card Industry Data Security Standard (PCI DSS), not as a matter of law, but as part of your contract with the credit card companies whose cards you accept. Inc.com's Minda Zetlin outlines the latest requirements in "What New PCI Standards Mean to You."

  1. WEP is disallowed.
  2. All systems "commonly affected" by malware must run anti-malware software. 
  3. Application firewalls are mandatory for Web applications. 
  4. Logs must be saved for a year. 
  5. New-user passwords must be changed. 
Read More
There's been considerable discussion recently about how automatic software updates, such as those to download security patches, can be used as potential vectors of attack. This is unfortunate, as one of the primary tenets of keeping systems relatively secure is to maintain current patch levels. And when most users, including probably most businesses, need to update their systems, they tend to trust and download the updates presented to them without confirming their authenticity.

In SC Magazine's Hot or Not: Software update vulnerabilities, Amol Sarwate of the Qualys Vulnerabilities Research Lab discusses how automatic update features in many software applications are proving to be vulnerable to attack now that hackers are taking notice. 

Read Article
"Vendors have to go well beyond the requirements of SLAs if they want to keep their customers," said InternetNews' Richard Adhikari from one of the panel discussions at SIIA On Demand - the Software Information Industry Association's conference on SaaS.

Panelist Philippe Courtot, chairman and CEO of Qualys, added: "It is critical for SaaS players to exceed SLAs because there are few obstacles to a customer abandoning one supplier in favor of another. It's much easier to switch from a SaaS application than a normal application because you don't have to pull out the application and replace it and test it and secure it."

"In the future, customers will demand more from SaaS vendors," Courtot warned. "I can see that, in the near future, they would want guarantees of quality of service, guarantees of security of data, guarantees of data privacy."

Read More
InformationWeek discovers how IT can implement an effective vulnerability management program that works.

To build a vulnerability management program that works, apply risk management principles and logic relative to business value. IT must also engage across business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes. Critical steps to break the cycle of ineffectiveness:

    Step 1: Integrate Data Collection
    Step 2: Prioritize
    Step 3: Continue to Refine

Read More
InformationWeek outlines four principles to achieve ongoing vulnerability management success:

Principle 1: Focus on Output, Not Input

Tools are only a means to an end. Data collection is a fundamental requirement for vulnerability management, but providing timely, accurate, contextual reports to appropriate individuals is critical. Many organizations develop programs that generate vast amounts of data, but struggle to make it actionable and measurable.

Principle 2: Align with Business Processes
Vulnerability management process integration with and awareness of business processes is critical to understanding enterprise risk and focusing on the areas that matter most.

Principle 3: Continue to Integrate Technologies
Incorporating change and configuration technologies will increase the reliability of data, build accurate reporting, and increase overall effectiveness in lowering enterprise risk and achieving compliance objectives.

Principle 4: Leverage Measurement and Promote Visibility
Defining key performance indicators, such as an acceptable host-to-vulnerability ratio, and using measurement tools will help focus the program on activities that will have the most impact.

Read More

In this MarketScope report, Gartner details the challenges and tools to consider when evaluating and deploying Vulnerability Assessment technologies. MarketScope includes Gartner's vendor rating where Qualys received the highest possible rating ('Strong Positive').

Read Report

PCI DSS 1.2 represents an update to the original 12 requirements found in PCI DSS version 1.1. The intent of the latest specification is to clarify existing requirements and provide flexibility in how the standard is interpreted.

  • Guidance on the scope of PCI DSS and elaboration on segmentation of the cardholder data environment
  • Clarification of wireless technology requirements and a sunset date for use of WEP: all WEP implementations must be discontinued as of June 30, 2010
  • Clarification of requirement 6.6 for web application security, removing references to source code review and adding the use of automated assessment tools
  • Requirement that employees who interact with cardholder data review and accept the security policy annually
  • Compensating controls must now be reviewed and validated annually by a qualified assessor
  • Flexibility for incorporation of evolving technologies and threats
  • Announcement of a Quality Assurance program for assessors

Listen to Podcast
Read Summary

Related Coverage:
Credit-Card Security Standard Issued After Much Debate, by Ellen Messmer, Network World
Payment Card Security Toughens With DSS 1.2 Release, by Jabulani Leffall, Redmond
When it comes to security, Apple isn't sitting still. Amol Sarwate, guest columnist for SC Magazine's Hot or Not column, looks at some of the new features in OS X 10.5 that help keep the system secure. According to Apple, these security enhancements were added to 10.5, released last fall:

  • Tagging and first-run warning: Mac OS X 10.5 marks files that are downloaded to help prevent users from inadvertently running malicious downloaded applications. 
  • Runtime protection: New technologies such as execute disable, library randomization, and sandboxing help prevent attacks that try to hijack or modify system software. 
  • Improved firewall: After the new application firewall is activated, the firewall configures itself so that users get the benefits of firewall protection without having to understand the details of network ports and protocols.
  • Mandatory access control: These enforce restrictions on access to system resources. Not even a compromised "root" user can change some settings.
  • Application signing: This enables users to verify the integrity and identity of applications on the Mac. 
  • Improved secure connectivity: Virtual private network (VPN) support has been enhanced to connect to more of the most popular VPN servers without additional software.
Read More