The Qualys® Newsletter

Former Chairman of the Joint Chiefs of Staff Joins Qualys' Board of Directors

2009-06-29T15:00:00Z

Qualys, Inc. http://www.qualys.com

Retired four-star General Peter Pace, USMC has joined the Qualys Board of Directors. With four decades of distinguished Marine Corps service, most recently as the 16th Chairman of the Joint Chiefs of Staff of the U.S. Military, General Pace brings expertise and interest in cyber-security and geo political issues to help guide Qualys expansion within state and government agencies.

"Cyber-security threats have become a national priority and I look forward to working with the Qualys team to provide strategic guidance around the issues that affect IT security and foreign and domestic governance," said General Pace.

"We are honored to have General Pace join the Qualys Board of Directors and look forward to working with him," said Philippe Courtot, CEO of Qualys. "His long and highly-regarded service history and global perspective will help us better understand and address security

requirements in state and government agencies."

]]>

Foxwoods Resort Casino Not Rolling Dice When it Comes to IT Security & Compliance

2009-06-29T14:59:00Z

Qualys, Inc. http://www.qualys.com

With its six casinos offering more than 340,000 square feet of gaming space outfitted with 7,000 slot machines and 400 gaming tables, 1,416 guest rooms, meeting space and conference rooms, needed to find the most, efficient way to discover and fix system vulnerabilities, and to maintain regulatory compliance.

Central to running its enterprise and IT infrastructure is making sure Foxwoods casino's financial, ERP, guest management, and Web site stay up and running free from viruses, spyware, and criminal hacks. Also, because Foxwoods accepts reservations online, and even runs its own online shopping site - it must comply with the Payment Card Industry Data Security Standard (PCI DSS).

"QualysGuard is our main tool for PCI compliance. It's fully automated and helps with many of the tasks associated with PCI, from assessing relevant systems to providing full reports to the acquiring bank," says Leonard A. Szczygiel, Network Engineer, at Foxwoods. "And we needed a clear way to quantify the security information we were telling our management about. We would discuss the risks of not patching certain systems, and management wouldn't really get what we were trying to explain to them. Now thanks to the QualysGuard, they do."

Click here to read more about how Foxwoods Resort Casino assesses and report its PCI

compliance.

]]>

PCI Compliance Simplified

2009-06-24T18:41:02Z

Qualys, Inc. http://www.qualys.com Ignite Media Solutions, a marketing services firm, collects and processes Level 1 payment information for its clients. With multi millions of transactions annually, Ignite must remain compliant to the Payment Card Industry Data Security Standard (PCI DSS).

In order to operationalize its IT security and PCI compliance program, Ignite deployed network monitoring, log management, and file integrity monitoring software while the central solution to these efforts is managing proactively all of the software vulnerabilities, configurations, and security policies of its IT systems.

"The quality of Qualys' PCI DSS certification documentation set it apart from its competition," said Mike DeMatteo, PCI Compliance Administrator for Ignite Media Solutions. "The documentation makes applying QualysGuard to the PCI requirements a no-brainer. The other companies I researched didn't do this; it was like pulling teeth to just find out what PCI requirements the others actually covered. Qualys just pulls it all together, making it so easy that one doesn't have to be an information security expert to attain PCI compliance. It's easy to use, does network discovery and mapping, and its dashboard provides the information we need."

Click here to read more about how Ignite Media implements and maintains PCI compliance.

]]>

Hot or Not: Web Application Vulnerabilities Hit Inflection Point

2009-06-11T00:23:26Z

Qualys, Inc. http://www.qualys.com When it comes to software vulnerabilities, 2008 will go down as a seminal year. It turned out to be a year when the types of applications targeted by attackers shifted, and we witnessed a significant rise in both the number of vulnerabilities discovered and the number of vulnerabilities found in web applications.

Consider this: Though there was an overall 15 percent rise in vulnerabilities discovered last year, 60 percent of those uncovered were web application flaws. The biggest jump in that class of vulnerabilities was seen in SQL-injection flaws, which doubled year over year. And while desktop and client-side software still is targeted heavily, Microsoft Office's Excel spreadsheet application had the most number of critical vulnerabilities within that productivity suite. In addition, 11 percent of web vulnerabilities were cross-site scripting flaws, while all other web related vulnerabilities accounted for 26 percent of the total.

One of the most important trends last year was a surge in critical server vulnerabilities that don't require user intervention to exploit, such as CVE 2008-1447, which described a weakness in the DNS protocol that made it possible to conduct DNS cache poisoning attacks. In this type of attack, name servers can be made to send users to an incorrect, even malicious, host web site, e-mail server, and redirect other types of traffic to systems under the attacker's control.

Read Full Article ]]>

Qualys Customers Speak at RSA '09

2009-06-05T16:14:09Z

Qualys, Inc. http://www.qualys.com

Security executives and thought leaders from leading organizations presented their security and compliance best practices at the Qualys booth during RSA '09. Each speaker discussed how they are using Qualys' security-as-a-service suite to secure their organization and comply with industry regulations. Full presentations can be seen here:

Best Practices for a Successful VM Program
Tim Proffitt, Technology Security and Risk Compliance Specialist, Administaff
Deploying VM and PC Solutions at Cisco
Doug Dexter, Audit Lead, Cisco
Building a Full Life Cycle Program for Security and Compliance
Kam Golpariani, Director of Security Operations, First Advantage
Using CVSS to Monitor Risk and Prioritize Remediation in a Healthcare Organization
Rich Seiersen, Principle Solutions Engineer, Kaiser Permanente

]]>

QualysGuard Security + Compliance SaaS Suite

2009-06-05T16:07:05Z

Qualys, Inc. http://www.qualys.com

Listen to David French and Bill Olson, as they provide an overview on the QualysGuard Security + Compliance Suite and the benefits of the SaaS model:

QualysGuard Security + Compliance SaaS Suite, David French, VP of US Field Operations, Qualys
QualysGuard Security + Compliance SaaS Suite, Bill Olson, Field Operations Director, Qualys

]]>

Qualys CEO Elected to TechAmerica Board of Directors

2009-05-19T17:37:37Z

Qualys, Inc. http://www.qualys.com
As the leading voice for the U.S. technology industry and foundation of the global innovation economy, TechAmerica has elected CEO Philippe Courtot to its Board of Directors.

TechAmerica President Phil Bond stated: "We are pleased that TechAmerica members and their supporting organizations elected Philippe Courtot to the 2009 Board of Directors. Philippe's proven industry knowledge and global expertise brings a new perspective and resource to the association enabling us to be the loudest and strongest voice in Washington, D.C., Wall Street and the major markets for electronics and IT."

Representing approximately 1,500 member companies, of all sizes, from the public and commercial sectors of the economy, TechAmerica is the industry's largest advocacy organization dedicated to helping members' top and bottom lines. It is also the technology industry's only grassroots-to-global advocacy network, with offices in state capitals around the United States, Washington, D.C., Europe (Brussels) and Asia (Beijing). TechAmerica was formed by the merger of AeA (formerly the American Electronics Association), the Cyber Security Industry Alliance (CSIA), the Information Technology Association of America (ITAA) and the Government Electronics & Information Technology Association (GEIA).

Read More]]>

Hot or Not: SCADA Security is Hot

2009-05-19T17:21:28Z

Qualys, Inc. http://www.qualys.com The notion of supervisory-control and data-acquisition system security, SCADA, seemed not long ago to be a topic of interest only to those who ran complex industrial control systems, water treatment plants, and power generation - and in some ways it still is. But for anyone who attended the SANS 2009 SCADA and Process Control Summit recently, it became clear that the convergence of IT security and physical security is accelerating.

This is happening as more IT systems are managing physical systems - and it's no longer only utilities and the critical infrastructure that rely on SCADA systems for management. These days we see more traditional industries, such as manufacturing, turning to SCADA systems, while health care and many other industries are, or soon will be, using telematics to manage all types of far-flung devices. In coming years, the security of physical control systems will be part of many IT security managers' bag of responsibilities.

One thing certainly is clear to me after researching the subject: Many SCADA systems are inherently vulnerable. First, these systems never were designed with network security in mind, and these systems increasingly are being connected to the internet. That's not an especially encouraging situation.

In fact, increasingly, SCADA devices are falling vulnerable to the same kind of software vulnerabilities that have been plaguing IT systems and applications for years. Just last month, Paris-based Areva warned its customers that an important part of its energy management software was vulnerable after software flaws were found in several versions (5.5, 5.6, 5.7) of its e-terrahabitat package. As the U.S. Computer Emergency Readiness Team (US-CERT) warned, a number of buffer overflow and denial-of-service vulnerabilities made versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering. Customers using earlier versions needed to upgrade as well.

Theoretically, SCADA systems should not be exposed to the internet, but I fear they increasingly are being connected to IP networks. In most industries, SCADA systems should be completely air-gapped from data networks, thus significantly mitigating the risk of attack. However, more installations are using SCADA to manage their systems remotely, or even connect the systems to an internet-enabled corporate network to collect and analyze data. As this trend continues, SCADA systems increasingly must be treated as any other networked device: They must be identified, inventoried, and analyzed for vulnerabilities.

Read Full Article]]>

Established University Writes a New Security Curriculum

2009-05-04T18:10:38Z

Qualys, Inc. http://www.qualys.com With the goal of improving and enhancing the Ohio Dominican University IT security and risk management program, Ohio Dominican began a year-long journey to build an optimized set of security management processes. Some of the initial enhancements included creating a security awareness program and streamlining the university's vulnerability management process, as well as gaining more near real-time insight into network security events.

"We chose QualysGuard as it not only helps us to secure our systems better, but it adds value because it makes us more efficient. It streamlines our vulnerability management efforts so that we can focus better on innovative IT initiatives that add value to the university," stated Mike Young, CIO.

Click here to read more about how Mike Young and his team added 100 improvements to the university's IT security program. ]]>

Global Leader in On-Demand Web Content Management Finds Powerful, Simple Security

2009-05-04T18:09:48Z

Qualys, Inc. http://www.qualys.com For on-demand Web Content Management (WCM) provider Clickability, the benefits of Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) offer more efficiency and affordably than traditional software. In an effort to reduce its carbon footprint and create a greener enterprise, Clickability supports the reliability and sustainability of the green SaaS model. In fact, the company runs its entire business via SaaS delivered solutions.

When Clickability sought a way to secure its infrastructure - which houses and delivers content for a spectrum of global brands in financial services, technology, broadcasting, and publishing, it turned to Qualys and its on-demand SaaS IT risk and compliance management platform, QualysGuard.

"Qualys is the most accurate [vulnerability assessment solution] we've used, and the SaaS solution makes it easy and transparent because we don't have to maintain the server or the software, or manage the updates." Tom Cignarella, VP of Technical Operations, Clickability. "And, because Qualys is the leading vulnerability assessment provider, most of our customers are familiar with QualysGuard's reputation and are happy to know that it's part of how we keep their information secure."

Click here to read more about how Clickabitlity's easily manages, builds and maintains its secure infrastructure. ]]>

For IT Security, University of Idaho Raises Its Grade

2009-05-04T18:05:27Z

Qualys, Inc. http://www.qualys.com With the rising need to secure employee and student data and increased regulatory compliance demands, University of Idaho sought a way to enhance the effectiveness of its vulnerability and risk management program.

"QualysGuard is accurate and easy to use. We didn't trust the open source tool we were using, and we couldn't get consistent results. Each time someone ran a scan, the settings and the results were different. With QualysGuard, anyone on my team can use it, and its results are accurate and consistent," says Dave Lien, Networks and Systems Manager, University of Idaho.

In addition, because Qualys is an approved PCI scanning vendor, the university is able to scan and validate the security and PCI compliance of the systems that serves as gateways to their credit card processors. "Using QualysGuard, anyone can quickly complete and submit the PCI self-assessment questionnaire, and perform pre-defined PCI scans on all relevant systems to identify and resolve network and system vulnerabilities," added Dave.

Click here to read more about how University of Idaho restructured its approach to PCI compliance.]]>

SC Magazine EU Names Qualys Best VM Solution

2009-04-30T23:14:20Z

Qualys, Inc. http://www.qualys.com Just on the heels of being named Best Vulnerability Management Solution by SC Magazine US readers, EU readers also voted QualysGuard for this distinct honor.

Qualys also won the highly commended award for the category "Security Vendor of the Year" in the European awards.

"We are incredibly honoured to be recognized by SC Magazine both in the Europe and the US" said Philippe Courtot, CEO and chairman of Qualys. "We attribute this recognition to our customers around the world who helped us make our QualysGuard SaaS offering address their security and compliance requirements."

Qualys CEO Philippe Courtot RSA 2009 Keynote

2009-04-27T18:01:40Z

Qualys, Inc. http://www.qualys.com Missed Thursday's RSA keynote? Check out Philippe Courtot's keynote in it's entirety as he talks about Security's "Inconvenient Truth" and the Impact of Cloud Computing on the Security Industry.
View Keynote Webcast in a Sized Pop-Up

]]>

Qualys Wins Two SC Magazine US Awards

2009-04-27T18:00:00Z

Qualys, Inc. http://www.qualys.com

QualysGuard was voted Best Vulnerability Management Solution for a third consecutive year by SC Magazine readers. The SC Magazine Reader's Trust Awards recognize the best products, services and security teams in the industry over the past year as decided by a panel of judges and readers of SC Magazine.

Qualys has also won the Excellence Award for Best Enterprise Security Solution. Winners are decided by an expert panel of judges. These judges are hand-picked by SC Magazine's editorial team for their breadth of knowledge and experience in the information security industry.

Read More]]>

Q&A with Qualys CEO Philippe Courtot

2009-04-23T16:38:02Z

Qualys, Inc. http://www.qualys.com SC Magazine sits down with Philippe Courtot at the 2009 RSA Conference to discuss security. Questions asked:

What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
What problems or challenges is your company facing in the face of a declining economy and how are you and your executives going to overcome these?
According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
More...

Read Interview ]]>