Read our complimentary guides, whitepapers, briefs, webcasts and more.
Vulnerability Management
- FEATURED RESOURCES:
Vulnerability Management for Dummies arms you with the facts and shows you how to implement a successful Vulnerability Management program. Whether your network consists of just a handful of computers or thousands of servers distributed around the world, this 5-part book will help:
- Explain the critical need for Vulnerability Management (VM)
- Detail the essential best-practice steps of a successful VM Program
- Outline the various VM Solutions - including the pros & cons of each
- Highlight the award-winning QualysGuard VM solution
- Provide a 10-point checklist for removing vulnerabilities from your key resources
Forrester Research's Dr. Chenxi Wang, Cisco's John Stewart, and Qualys' Philippe Courtot discuss Cloud Computing and how it impacts IT security. Topics include:
- Why Cloud Computing has "changed the game" for IT security professionals.
- How leading organizations are embracing (and preparing for) the continued shift to the Cloud.
- What best-practice steps information security professionals can follow to strengthen their Cloud Computing environment.
- Whitepaper: Creating a Comprehensive Vulnerability Assessment Program for a Large Company Using QualysGuard
- Overview:
Independent author Tim Proffitt writes his thesis, as part of his GIAC certification requirements, on how large companies should implement a Vulnerability Assessment Program using QualysGuard. The white paper is hosted in the SANS Institute Reading Room, and provided by SANS as a resource to benefit the security community at large.
In this paper Tim Proffitt provides a step-by-step guide for implementing a Vulnerability Assessment Program using QualysGuard. Topics include:
- What is Vulnerability Assessment?
- Introduction to QualysGuard
- Creating Security Policies and Controls
- Categorization of Assets
- Discovery of Assets
- Host and Asset Configuration
- Configuring Scanning Details
- Report on Your Results
- Rank Your Risks and Remediate
- Handling Verification and False Positives
- Compliance and Life Cycles
- Whitepaper: The Need for Vulnerability Management
- Overview:
- This guide describes the need for vulnerability management. It introduces the sources of vulnerabilities and their related fallout, then relates why the nature of modern threats to the network requires automated technology to counter sophisticated exploits. The guide defines elements of vulnerability management and how it controls the detection and remediation process. As an important byproduct, vulnerability management can also document compliance with security provisions mandated by legislation, industry and business policy. Vulnerability management can be implemented for networks of all sizes with cost-effective technology that automates much of what used to be a complex, manual process.
- Whitepaper: 7 Essential Steps to Achieve, Measure and Prove Optimal Security Risk Reduction
- Overview:
Whether protecting 5 servers or 5,000, organizations must be able to:
- Measure the security status of their infrastructure
- Continuously monitor and mitigate emerging threats
This paper details the essential aspects of putting into place a measurable and sustainable vulnerability management program.
- Whitepaper: Dynamic Best Practices of Vulnerability Management
- Overview:
Yankee Group research reveals best practices in proactively identifying and correcting network weaknesses. Guidelines are based on Qualys' "Laws of Vulnerabilities" research.
- Whitepaper: Business Enablement with On Demand Vulnerability Management
- Overview:
This whitepaper discusses the challenges of security in today's business world and provides insight into the value of an on-demand, Web-based service for vulnerability assessment. It closes with summary information and feedback regarding the QualysGuard service, as compiled from Qualys customers.
- Whitepaper: 4 Key Steps to Automate IT Security Compliance
- Overview:
A Unified Approach for IT, Audit and Operation Teams
This paper provides a detailed discussion of the internal and external regulatory challenges now faced by organizations, the scope of these challenges, and 4 key ways in which they can be addressed through better business processes and automation.
- Guide: The Top 10 Reports for Managing Vulnerabilities
- Overview:
New network vulnerabilities appear constantly, and the ability of IT security professionals to handle new flaws, fix misconfigurations and protect against threats requires constant attention. However, with shrinking budgets and growing responsibilities, time and resources are constrained. Sifting through pages of raw vulnerability information therefore yields few results and makes it impossible to accurately measure your security posture.
This paper cuts through the data overload generated by some vulnerability detection solutions and introduces The Top 10 Reports for Managing Vulnerabilities. This free guide covers the key aspects of the vulnerability management lifecycle and shows you what reports today's best-in-class organizations are using to reduce risks on their network infrastructure.
- Guide: Strengthening Network Security with On Demand Vulnerability Management & Policy Compliance
- Overview:
Despite defensive efforts with firewalls, intrusion detection, antivirus and the like, criminals, careless employees and contractors have exposed more than 158 million digital records of consumers' personally identifiable information since 2005. This security guide describes the requirements for effective vulnerability management and policy compliance, and the on-demand software-as-a-service (SaaS) solution, QualysGuard, that addresses them.
- Guide: Effective Remediation of Network Vulnerabilities & Policy Compliance
- Overview:
Consistent, ongoing execution of vulnerability management and policy compliance is difficult, if not impossible, to do on a manual basis. There are simply too many "moving parts" to juggle and act on in a timely and cost-effective manner. This guide provides step-by-step instructions for automating the vulnerability and compliance workflow process.
8-step vulnerability and compliance workflow:
- Create security policies and controls
- Track inventory and categorize assets
- Scan systems for vulnerabilities
- Compare vulnerabilities against inventory
- Classify and rank risks
- Pre-test patches, fixes and workarounds
- Apply patches, fixes and workarounds
- Re-scan to confirm fixes and verify compliance
- Guide: Vulnerability Management Buyer's Checklist
- Overview:
Key Questions to Ask Before You Select a VM Solution
Choosing a solution for Vulnerability Management (VM) is a critical step toward protecting your organization's network and data. Without proven, automated technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities that threaten security.
To help finalize your decision on which solution to buy, Qualys provides this 12-point short list of considerations that will help you determine what will work best for your organization.
- Brief: Vulnerability and Policy Management for NERC Compliance
- Overview:
NERC Standards are a U.S. regulation for managing the Critical Cyber Assets of Bulk Electric Systems. CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of these assets, and support reliable operation of the Bulk Electric System. This brief explains how on-demand vulnerability and policy management can ensure NERC compliance.
- Webcast: Fast Track: Planning & Deploying an Effective Vulnerability Management Program
- Speaker: Jonathan Bitle, Qualys
- Overview:
This webcast covers the essential components of a successful Vulnerability Management program that allows you to proactively identify risk and protect your network and critical business assets.
Key take-aways:
- Integrating the 3 critical factors - people, processes & technology
- Saving time and money via automated tools
- Anticipating and overcoming common Vulnerability Management roadblocks
- Meeting security regulations and compliance requirements with Vulnerability Management
- Webcast: Proactive Vulnerability Management
- Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc.
- Overview:
In this talk, Dr. Chenxi Wang, Principal Analyst for Security and Risk Management at Forrester Research, will cover the key aspects of proactive vulnerability management and, more importantly, the steps you can follow to achieve it. More specifically:
- Continuing assessment of network and devices
- Integration with your IT risk management systems
- Effective analysis of assessment results
- Implementation of proactive remediation
We will also cover success metrics that organizations can use to measure the maturity of their vulnerability management programs.
- Webcast: On Demand Vulnerability Management
- Speaker: Jonathan Bitle, Senior Product Manager, Qualys
- Overview:
This podcast examines what to look for in a self-auditing solution, how to use vulnerability management to ease the pain and why your software solution really matters.
Government and industry regulations, along with mounting security threats, are causing corporations to consider continual self-audits. These drive down costs, help focus remediation efforts and improve your overall security posture. Learn how to start your own self-auditing process by setting goals and answering key questions about your infrastructure.
- Webcast: There's a Hole in Your Network - Vulnerability Management Is No Mystery
- Speaker: Paul Gillin, Principal, Paul Gillin Communications
- Overview:
Open networks and supply chain integration create great business opportunities but also substantial security risks. The bad guys are using more sophisticated tools to create viruses, worms, rootkits and other attacks, and malware is spreading faster than ever. Learn how vulnerability management allows you to keep on top of these problems by identifying an organization's greatest security vulnerabilities and proactively recommending fixes.
- Webcast: Developing a Vulnerability Management Habit the Easy Way
- Speaker: Simon Herring, Founder and CTO of Jacadis
- Overview:
Listen to Core Security, Jacadis and Qualys discuss how you can bring potent vulnerability management into your organization. Simon Herring, founder and CTO of Jacadis, shares his insights on how you can develop and maintain a vulnerability management program that provides ongoing protection against hacking, spear phishing, and other IS threats. In this webcast, you'll also see security testing tools that allow you to:
- Identify network weaknesses and safely prove their exploitability
- Evaluate end-user response to social engineering attacks
- Test and tune defensive applications such as IPS, IDS and firewalls
- Validate patches and other vulnerability fixes
- Establish a comprehensive, in-house VM methodology
- Webcast: Effective Workflow for Fixing Network Vulnerabilities & Policy Compliance
- Speaker: Sandra Gittlen, Technology Editor, NetworkWorld
- Speaker: Terry Ramos, Director of Strategic Development, Qualys
- Overview:
This webcast outlines the 8 workflow processes that make up an effective vulnerability management solution to ensure security and document compliance. Discover how the right software-as-a-service (SaaS) solution automates these processes for fast, cost-effective remediation and policy compliance.
View this webcast and learn about an effective remediation plan that provides continuous protection from network vulnerabilities and helps comply with regulations such as PCI, GLBA and HIPAA.
- Webcast: Addressing Compliance Challenges with Automated Vulnerability Management
- Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc.
- Overview:
- Automated, on-demand vulnerability assessment and management is a powerful instrument for organizations to stay compliant and stay one step ahead of attackers. In this webcast, we will briefly address different compliance requirements and the industry best practices of using vulnerability management to achieve compliance.
- Webcast: How One Company Conquered the Audit Challenge
- Speaker: Randy Harris, Network Manager, United States Marine Corps - MCCS
- Overview:
The Marine Corps Community Services (MCCS) manages a global network that serves Marines and their families. With thousands of nodes spread throughout the world, security is a real concern. MCCS chose a managed service to conduct comprehensive vulnerability assessments and prioritize patches and fixes. The service has saved time and money while contributing to peace of mind. MCCS manager of network services Randy Harris talks about the project.
- Webcast: Web 2.0 Security Threats: How to Protect Your Enterprise Network
- Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc.
- Overview:
As enterprises are increasingly connected to the Internet and hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in enterprise computing. One crucial element of success in this environment is application security, which serves as a foundation for all information security initiatives. This webcast explores the following topics in detail:
- Global trends and the enterprise security impact of Web 2.0 adoption, de-perimeterization, and the consumerization of corporate IT.
- Steps information security professionals can follow to strengthen application security, especially in an open and collaborative environment.
- An overall application security maturity model, and steps to create best-practices for application security.
- Demo: Vulnerability Management & Policy Compliance Overview
- Overview:
- Watch a quick introduction to Qualys' vulnerability management and policy compliance solutions.
Policy Compliance
- FEATURE DOC: Strengthening Network Security with On Demand Vulnerability Management & Policy Compliance
Despite defensive efforts with firewalls, intrusion detection, antivirus and the like, criminals, careless employees and contractors have exposed more than 158 million digital records of consumers' personally identifiable information since 2005. This security guide describes the requirements for effective vulnerability management and policy compliance, and the on-demand software-as-a-service (SaaS) solution, QualysGuard, that addresses them.
- Guide: Effective Remediation of Network Vulnerabilities & Policy Compliance
- Overview:
Consistent, ongoing execution of vulnerability management and policy compliance is difficult, if not impossible, to do on a manual basis. There are simply too many "moving parts" to juggle and act on in a timely and cost-effective manner. This guide provides step-by-step instructions for automating the vulnerability and compliance workflow process.
8-step vulnerability and compliance workflow:
- Create security policies and controls
- Track inventory and categorize assets
- Scan systems for vulnerabilities
- Compare vulnerabilities against inventory
- Classify and rank risks
- Pre-test patches, fixes and workarounds
- Apply patches, fixes and workarounds
- Re-scan to confirm fixes and verify compliance
- Whitepaper: Using QualysGuard to Meet SOX Compliance & IT Control Objectives
- Overview:
This paper outlines how organizations can use the CobiT framework to assess the effectiveness of their internal controls as a means to achieve compliance with Section 404 of the Sarbanes-Oxley Act.
- Whitepaper: EU Compliance and Regulations for the IT Security Professional
- Overview:
The growth of compliance requirements over the past few years has sometimes been seen as a US-based phenomenon as regulations are implemented to address various corporate failures and scandals over the past decade or so. In fact, compliance, rules and regulations to protect data stored by EU-based organisations can be just as onerous as those originating from the US.
This paper highlights key directives and legislation as they affect the member states of the EU.
- Guide: HIPAA Guide
- Overview:
The Health Insurance Portability and Accountability Act has had substantial impact on the healthcare industry. Our free guide explains how on demand security audits make HIPAA compliance easier to achieve.
- Guide: GLBA Guide
- Overview:
Security provisions of GLBA are complex and process intensive. Our free guide explains how on demand security audits make GLBA compliance easier to achieve.
- Guide: FISMA Guide
- Overview:
Becoming FISMA compliant can be challenging. To help you overcome the pitfalls faced by all agencies, we've put together a step-by-step guide to ease compliance and help you make the grade. When you download our complimentary guide, you will learn:
- How FISMA is Defined: Receive detailed information on the major requirements of FISMA and how to implement a best-practice-based approach to overcome common challenges.
- How QualysGuard Supports FISMA Compliance: See how QualysGuard's tailored solution meets each of the FISMA requirements and delivers the proper reports so you can achieve indisputable compliance.
- How QualysGuard Automates Compliance: Learn how QualysGuard's on-demand solution keeps you in control of your network security, even during fast-moving worm and virus attacks.
- Guide: SB 1386 Guide
- Overview:
- Prevention of security breaches is vital. Download our free guide to learn more about compliance with SB 1386.
- Guide: Avoiding 7 Common Mistakes of IT Security Compliance
- Overview:
Currently, there is no single standard framework that explicitly defines what your organization must do for compliance. A big challenge for IT security professionals is navigating this ambiguity and achieving the organization's compliance goals effectively and on budget.
This guide covers seven typical IT security compliance errors and outlines the best practices you can immediately apply to your environment to help your company achieve compliance.
- Brief: Vulnerability and Policy Management for NERC Compliance
- Overview:
- NERC Standards are a U.S. regulation for managing the Critical Cyber Assets of Bulk Electric Systems. CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of these assets, and support reliable operation of the Bulk Electric System. This brief explains how on-demand vulnerability and policy management can ensure NERC compliance.
- Webcast: Addressing Compliance Challenges with Automated Vulnerability Management
- Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc.
- Overview:
- Automated, on-demand vulnerability assessment and management is a powerful instrument for organizations to stay compliant and stay one step ahead of attackers. In this webcast, we will briefly address different compliance requirements and the industry best practices of using vulnerability management to achieve compliance.
- Webcast: Effective Workflow for Fixing Network Vulnerabilities & Policy Compliance
- Speaker: Sandra Gittlen, Technology Editor, NetworkWorld
- Speaker: Terry Ramos, Director of Strategic Development, Qualys
- Overview:
This webcast outlines the 8 workflow processes that make up an effective vulnerability management solution to ensure security and document compliance. Discover how the right software-as-a-service (SaaS) solution automates these processes for fast, cost-effective remediation and policy compliance.
View this webcast and learn about an effective remediation plan that provides continuous protection from network vulnerabilities and helps comply with regulations such as PCI, GLBA and HIPAA.
- Webcast: Automating Policy Compliance and IT Governance
- Speaker: Jason Creech, Qualys
- Overview:
This webcast covers the foundations of a successful IT Governance and Policy Compliance program and how your organization can seamlessly align IT controls and processes with strategic business objectives.
Key take-aways:
- Defining current IT GRC challenges
- Reviewing the regulatory landscape and compliance requirements
- Automating IT GRC with Software-as-a-Service
PCI Compliance
- FEATURED RESOURCES:
Complying with the PCI Data Security Standard may seem like a daunting task for merchants. This book is a quick guide to understanding how to protect cardholder data and comply with the requirements of PCI - from surveying the standard's requirements to detailing steps for verifying compliance.
PCI Compliance for Dummies arms you with the facts, in plain English, and shows you how to achieve PCI Compliance. In this book you will discover:
- What the Payment Card Industry Data Security Standard (PCI DSS) is all about
- The 12 Requirements of the PCI Standard
- How to comply with PCI
- 10 Best-Practices for PCI Compliance
- How QualysGuard PCI simplifies PCI compliance
This 20-minute audiocast provides answers for Merchants regarding:
- Why We Need PCI
- Cost of Data Breaches vs. Network Protection
- Consumer Data and Why Fraud Rates Are Rapidly Rising
- How Much PCI Compliance Costs
- What Are the Top Technical Challenges in Achieving PCI Compliance?
- How Should Merchants Prioritize Their PCI Compliance Efforts?
- What Are the 3 Main Lessons Learned Regarding PCI Compliance?
- Whitepaper: Winning the PCI Compliance Battle: A Guide for Merchants and Member Service Providers
This white paper reviews the basics of PCI, including who must comply, compliance requirements, validation requirements and penalties. It also examines key things to look for when selecting a PCI network testing service and introduces QualysGuard PCI.
Topics in this white paper include:
- Compliance Requirements of the PCI Data Security Standard
- Participation and Validation Requirements
- Selecting a PCI Network Security Testing Service
- Automating the PCI Validation Process with QualysGuard PCI
- Brief: Meeting Vulnerability Scanning Requirements for PCI
- Overview:
- The credit card industry is stepping up efforts to strengthen cardholder data security by raising member validation requirements for compliance with the Payment Card Industry Data Security Standard (PCI-DSS). As part of these requirements, both internal and external network scanning play a critical role in achieving compliance. This security guide describes the scanning requirements for PCI-DSS and provides a quick-reference requirements matrix for both Merchants and Service Providers of all levels.
- Webcast: PCI Compliance 2008: What You Need to Know
- Speaker: Sumedh Thakar, PCI Compliance Lead Engineer, Qualys
- Overview:
This webcast covers the key facts you need to know about the current and upcoming PCI compliance requirements. In less than 30 minutes, this session gives you the straightforward break-down on all the new PCI changes. You'll also learn about today's best practice methodologies used by leading organizations to achieve compliance and avoid penalties. This webcast concludes with a comprehensive merchant Q&A session.
Key take-aways:
- What are the new PCI Compliance changes (current and planned)
- When the changes go into effect & how they impact your business
- How to automate the PCI Compliance processes
- Webcast: Winning the PCI Compliance Battle - Best Practices to Manage the PCI Process
- Speaker: Terry Ramos, Director Strategic Development, Qualys
- Overview:
The Payment Card Industry Data Security Standard (PCI DSS) protects cardholders and businesses by establishing standard practices for processing, storing and transmitting credit card data, but thefts still occur at an unprecedented rate.
This webcast will explore:
- Compliance Requirements of the PCI Data Security Standard
- Participation and Validation Requirements
- Selecting a PCI Network Security Testing Service
- Automating the PCI Validation Process with QualysGuard PCI
- Webcast: PCI Tools & Techniques
- Overview:
- Technologies for Meeting the PCI DSS
- Webcast: QualysGuard PCI Web Application Scanning Demonstration
- Overview:
The QualysGuard PCI 3.0 Web Application Scanning module is an automated tool for evaluating Web applications before and after deployment.
This 10-minute demonstration is available on demand and includes a brief overview of the product along with a detailed walkthrough of the new features.
- Demo: QualysGuard PCI Demo
- Overview:
- See how QualysGuard PCI makes achieving compliance with the PCI Data Security Standard easy and cost effective.
Web Application Scanning
- Guide: Web Application Security — How to Minimize Prevalent Risk of Attacks
- Overview:
Vulnerabilities in web applications are now the largest vector of enterprise security attacks. Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "buffer overflow." Vulnerabilities like these often fall outside the traditional expertise of network security managers.
To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide covers:
- typical web application vulnerabilities
- comparison of options for web application vulnerability detection
- QualysGuard Web Application Scanning solution
- Whitepaper: Building a Web Application Security Program
- Author: Rich Mogull (Securosis, LLC)
- Overview:
Current web applications exist in an environment markedly different from the early days of businesses entering the Internet. They have become essential tools interconnecting organizations in ways never anticipated when the first web browsers were designed. These changes have occurred so rapidly that, in many ways, we've failed to adapt operational processes to meet current needs. This is particularly apparent with web application security, where although most organizations have some security controls in place, few organizations have comprehensive web application security programs.
This detailed report shows how to build a pragmatic web application security program that constrains costs while still providing effective security.
- Webcast: QualysGuard PCI Web Application Scanning Demonstration
- Overview:
The QualysGuard PCI 3.0 Web Application Scanning module is an automated tool for evaluating Web applications before and after deployment.
This 10-minute demonstration is available on demand and includes a brief overview of the product along with a detailed walkthrough of the new features.