A number of tech-savvy BrowserCheck users have asked whether we see the irony in the fact that Qualys BrowserCheck requires a plug-in to check on the security status of plug-ins. That’s a good point, especially for anyone familiar with the Java plug-in and the number of vulnerabilities it introduces to your computer.

However, we believe it is worth having one extra plug-in to gain accurate information and help secure your browser, since out-of-date plug-ins are the most likely entry points for attackers. Our statistics show that 4 in 5 users are exposed to browser exploits through flaws for which a patch is already available.

Nevertheless, BrowserCheck now has a solution for plug-in-averse users: Quickscan, which uses JavaScript instead of a plug-in to inspect the state of your browser and plug-ins. Quickscan inspects all of the plug-ins, but it cannot report everything the plug-in can, such as the plug-in's file location or its complete version string. See the items marked "BrowserCheck Plug-in" in the BrowserCheck FAQ for more details.

On Windows machines running Chrome and Firefox, BrowserCheck can be run either with the plug-in or with Quickscan. Under Internet Explorer, only the BrowserCheck ActiveX plug-in is available at this time, because browser inspection is much more accurate via ActiveX.

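To make the Quickscan limitation concrete, here is an added example, not BrowserCheck's own code, of a script-only plug-in check. It reads navigator.plugins, which exposes only a name, a free-text description and a bare file name per plug-in, so the version has to be scraped from the description and no file location is available. The minimum-version table and the plug-in entries below are constructed for the example; they are not BrowserCheck's vulnerability data.

```javascript
// Added example (not Qualys code): a script-only plug-in check of the kind
// Quickscan performs, built on navigator.plugins.

// Illustrative minimum versions; NOT BrowserCheck's vulnerability data, just
// thresholds chosen so the constructed sample below shows every outcome.
const MIN_VERSIONS = {
  'Shockwave Flash': [10, 1],
  'Java': [1, 6, 0, 22],
  'Adobe Acrobat': [9, 4],
};

// Extract a dotted/underscored version ("10.1", "1.6.0_22") from free text.
// Returns an array of integers, or null when the text carries no version.
function parseVersion(text) {
  const m = /\d+(?:[._]\d+)+/.exec(text || '');
  return m ? m[0].split(/[._]/).map(Number) : null;
}

// Component-wise comparison; missing trailing components count as zero.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Find the threshold whose key appears in the plug-in name.
function thresholdFor(name) {
  const key = Object.keys(MIN_VERSIONS).find(k => name.includes(k));
  return key ? { key, min: MIN_VERSIONS[key] } : null;
}

// Classify one navigator.plugins entry. The statuses show both what a
// script can learn and where it runs out of information.
function assessPlugin(p) {
  const version = parseVersion(p.description) || parseVersion(p.name);
  const t = thresholdFor(p.name);
  let status;
  if (!t) status = 'not-tracked';
  else if (!version) status = 'version-unknown';   // description has no version
  else status = compareVersions(version, t.min) < 0 ? 'out-of-date' : 'up-to-date';
  // navigator.plugins gives a bare file name, never a directory.
  return { name: p.name, file: p.filename || null, version, status };
}

function assessPlugins(plugins) {
  return Array.from(plugins, assessPlugin);
}

// Constructed sample mimicking navigator.plugins entries of the period.
const SAMPLE_PLUGINS = [
  { name: 'Shockwave Flash', description: 'Shockwave Flash 10.0 r45', filename: 'NPSWF32.dll' },
  { name: 'Java(TM) Platform SE 6 U22', description: 'Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers', filename: 'npjp2.dll' },
  { name: 'Adobe Acrobat', description: 'Adobe PDF Plug-In For Firefox and Netscape', filename: 'nppdf32.dll' },
  { name: 'QuickTime Plug-in 7.6.8', description: 'The QuickTime Plugin allows you to view a wide variety of multimedia content', filename: 'npqtplugin.dll' },
];

// In a browser this reads the live list; elsewhere it falls back to the sample.
function scanInstalledPlugins() {
  const live = typeof navigator !== 'undefined' && navigator.plugins;
  return assessPlugins(live && live.length ? live : SAMPLE_PLUGINS);
}
```

The Acrobat entry is the interesting one: its description carries no version at all, so a script can only report "version unknown", which is exactly the gap the native plug-in closes by reading the file on disk.
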
Support for More Browsers and Android

Another advantage of Quickscan is that its JavaScript scanning mechanism ports easily to other browsers, so Qualys can now offer BrowserCheck Quickscan on many more platforms: Maxthon, SeaMonkey, Arora, Fennec, Minefield, Flock, Rockmelt, SR Iron, Dolphin, Sleipnir, Lunascape, Orca, and K-meleon.

JavaScript also ports to mobile devices: BrowserCheck is now available on Android, so you now have a tool to help you browse the Web more securely from your Android device.

BrowserCheck tells you which plug-ins are out of date or at end of life, which have unpatched vulnerabilities even in their latest version (0-day), and which are beta versions, including plug-ins you are not actively using. With the new platform and JavaScript support, this service is now available to a much wider number of Internet users.

Many thanks to the BrowserCheck dev team for their efforts in getting the tool to this level and keeping it updated with the latest threats. I constantly get comments on how useful BrowserCheck is for beginners and experts alike.

I was surrounded by numbers, more numbers than I could ever remember or justify. Every time I tried to add them up they would find a new combination, one I hadn't seen before, and mock me with a sum that was just a few dollars above or below where it was supposed to be. I spent nearly three days doing calculations before I finally swallowed my pride and put in a "calculation error" entry to finish the process.

Reconciling my family's checkbook had defeated me...this time.

Over the years I got better at doing the reconciliations, and eventually Microsoft Money made everything easier by automating the process, downloading transactions from my bank and helping me categorize and track all expenses.  Today I can happily say that balancing my account takes just a few minutes each month.

In many ways, PCI DSS requirement 1.1.5 is a lot like reconciling a bank statement. It states:

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

Simply keeping track of the assets in a cardholder data environment (CDE) can be a challenge, and this requirement adds the responsibility to track every port and protocol in use in the CDE. Each one must also carry a business justification; in most enterprises that means involving several people and recording what the justification is and who provided it.

I'm pleased to announce that QualysGuard PCI version 5.3 now provides the Open Services Report. In the same way that Microsoft Money helped me keep track of my spending, the Open Services Report can help you comply with PCI 1.1.5 by automating the workflow for discovering, authorizing, and reporting the ports and protocols in your CDE.

Once you have performed a scan of your CDE you can access the Open Services Report via Network -> Open Services Report.

[Screenshot: PCI_Main.JPG]

You'll immediately see a few key capabilities:

  • The Summary section shows how many services were identified during the most recent scans and how many of them have been categorized. As you work through the approve/reject workflow these numbers are updated.
  • The grid lists every open port and protocol detected in your CDE. You can group by host IP or by service, and filter the list to just the items you are interested in (for example, descriptions containing "NetBIOS", or services marked "Unauthorized").
  • All services and their status can be downloaded as a CSV for distribution outside the PCI application.

The Open Services Report includes the ability to classify services as authorized or unauthorized. To do so, select all the services you wish to mark and click "Classify". You'll be prompted to enter a business justification for that decision:

[Screenshot: PCI_Classify.JPG]

A complete history of all activity - who classified a service, when, and the reasons why - will be maintained and viewable in the report.  You can then proceed to use the report to demonstrate your compliance with the PCI 1.1.5 requirement.

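The workflow above (scan, inventory, classify with a justification, keep the history, export) is easy to state but easy to get wrong in a spreadsheet. The following is an added example, not QualysGuard code, of the same discover/classify/report loop run over constructed scan results. The hosts, services, names and dates are made up, and the set of services treated as "insecure" (for which 1.1.5 also wants the security features documented) is an assumption you would replace with your own policy.

```javascript
// Added example (not QualysGuard code): the PCI DSS 1.1.5 discover /
// classify / report workflow over constructed scan output.

// Constructed sample of open services found on a CDE scan.
const SCAN_RESULTS = [
  { host: '10.0.1.10', port: 443, proto: 'tcp', service: 'https', description: 'HTTP over TLS' },
  { host: '10.0.1.10', port: 23,  proto: 'tcp', service: 'telnet', description: 'Telnet' },
  { host: '10.0.1.11', port: 139, proto: 'tcp', service: 'netbios-ssn', description: 'NetBIOS Session Service' },
  { host: '10.0.1.11', port: 443, proto: 'tcp', service: 'https', description: 'HTTP over TLS' },
  { host: '10.0.1.12', port: 21,  proto: 'tcp', service: 'ftp', description: 'FTP' },
];

// Services treated as insecure in this example (assumption; use your own
// policy). 1.1.5 requires documenting the security features used with them.
const INSECURE_SERVICES = new Set(['telnet', 'ftp', 'netbios-ssn']);

// Build the inventory keyed by port/protocol, merging hosts, like the
// "group by service" view of the report.
function buildInventory(results) {
  const inv = new Map();
  for (const r of results) {
    const key = `${r.port}/${r.proto}`;
    if (!inv.has(key)) {
      inv.set(key, { key, service: r.service, description: r.description,
                     insecure: INSECURE_SERVICES.has(r.service),
                     hosts: [], status: 'Uncategorized', history: [] });
    }
    const entry = inv.get(key);
    if (!entry.hosts.includes(r.host)) entry.hosts.push(r.host);
  }
  return inv;
}

// Record an Authorized/Unauthorized decision with who, when and why.
// Rejects an empty justification, and rejects authorizing an insecure
// service without documenting the security features relied on.
function classify(inv, key, status, justification, who, when, securityFeatures) {
  const entry = inv.get(key);
  if (!entry) throw new Error(`unknown service ${key}`);
  if (!['Authorized', 'Unauthorized'].includes(status)) throw new Error(`bad status ${status}`);
  if (!justification || !justification.trim()) throw new Error('business justification is required');
  if (status === 'Authorized' && entry.insecure && !securityFeatures) {
    throw new Error(`${key} is insecure; document its security features before authorizing`);
  }
  entry.status = status;
  entry.history.push({ when, who, status, justification, securityFeatures: securityFeatures || null });
  return entry;
}

// Summary counters as shown at the top of the report.
function summarize(inv) {
  const all = [...inv.values()];
  return { identified: all.length,
           categorized: all.filter(e => e.status !== 'Uncategorized').length };
}

// Filter helper: e.g. description containing "NetBIOS", or status Unauthorized.
function filterInventory(inv, { descriptionContains, status } = {}) {
  return [...inv.values()].filter(e =>
    (!descriptionContains || e.description.toLowerCase().includes(descriptionContains.toLowerCase())) &&
    (!status || e.status === status));
}

// CSV export, one line per service, with the latest justification.
function toCsv(inv) {
  const q = s => `"${String(s).replace(/"/g, '""')}"`;
  const lines = ['service,port/proto,hosts,status,insecure,last_justification,last_by'];
  for (const e of inv.values()) {
    const last = e.history[e.history.length - 1] || {};
    lines.push([e.service, e.key, e.hosts.join(';'), e.status, e.insecure,
                last.justification || '', last.who || ''].map(q).join(','));
  }
  return lines.join('\n');
}

// Walk the workflow once with constructed decisions; returns the inventory.
function runExample() {
  const inv = buildInventory(SCAN_RESULTS);
  classify(inv, '443/tcp', 'Authorized', 'Payment web front end', 'jsmith', '2010-11-03');
  classify(inv, '23/tcp', 'Unauthorized', 'Telnet not permitted in CDE; remove', 'jsmith', '2010-11-03');
  classify(inv, '21/tcp', 'Authorized', 'Batch settlement upload', 'kdoe', '2010-11-04',
           'FTP restricted to one partner IP; transfers pass over an IPsec tunnel');
  return inv;
}
```

The check in classify is the part worth copying: an assessor reading the report will ask not just "why is FTP open?" but "what protects it?", and refusing to mark an insecure service Authorized without that second answer keeps the record complete.
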
We hope you find these new capabilities helpful in tracking and justifying the business needs for services in your CDE, and look forward to hearing your feedback.

Ever wonder what 314159265358979 or 161803399999999 stand for in a compliance policy? You're not alone. These special values, known as Pi and Golden Ratio, are used to report specific status conditions within QualysGuard Policy Compliance, and what each one means depends on the technology and configuration being checked. With the release of QualysGuard 6.18, these special values are converted to check boxes in the policy editor, giving a clear translation of each one. In addition, policy reports no longer display the raw values, only their translations.

The Use of Pi and Golden Ratio

Policy Compliance uses two special values to indicate status information about a compliance check, also referred to as a data point. These special values are:

  1. 314159265358979 (the first 15 digits of Pi)
  2. 161803399999999 (the first digits of the Golden Ratio, 1.618033..., padded with nines to 15 digits)

These values were chosen because they are very unlikely to collide with a genuine setting. Each one stands for a condition encountered during scanning, and the exact meaning depends on the technology the control uses. Because they are returned in the same field as a real value, a control's comparison has to allow for them, as the examples below show. Conditions reported through these special values include, but are not limited to, the following:

  1. Registry key path was not found.
  2. Registry key parameter was not found.
  3. File was not found.
  4. Setting was not found.

Previous Policy Editor and Reports

Previously, these special values would appear in your policies as the expected value for various data point checks. Below are a few examples of the policy editor prior to QualysGuard 6.18:

  1. The first example below uses a complex control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition makes sure that the value is less than Golden Ratio. Golden Ratio is returned when the setting is not found, and therefore not set. This additional AND condition is required to prevent false positives, as we do not want to pass the control if the setting is not found.
    Figure 1: Complex Control using Golden Ratio

  2. The second example below uses multiple values in the regular expression to verify the startup state of the 'Clipbook' service. Notice both Pi and Golden Ratio are included in the regular expression. Pi is returned when the registry key path is not found and Golden Ratio is returned when the registry key parameter is not found, both meaning the service is not installed. Since the service should be disabled, represented by 4, we should also pass the control if the service is not installed, represented by Pi and Golden Ratio.
    Figure 2: Complex Regular Expression using Pi and Golden Ratio

These special values may also appear in your compliance reports. For several releases the reports have translated the actual values, but the expected values may still show Pi or Golden Ratio.

Improved Policy Editor and Reports

With the release of QualysGuard 6.18, the policy editor will start to display Pi and Golden Ratio as check boxes with their translated meanings.  Not all of the controls will be translated initially, as we will be updating the existing controls to use the new feature over time.  However, new controls will be created using this new feature. 

After QualysGuard 6.18, all controls will fall into one of the following categories:

  • Values Only: The control allows only user-customized criteria: the user selects the operator and cardinality and enters an expected value. This is how all controls worked prior to this release.
  • Fixed Values Only: The control allows only fixed-value selections; the user selects or clears check boxes.
  • Hybrid: The control allows a combination of user-customized criteria and fixed-value selections.

Below are the same samples from above using the new feature in QualysGuard 6.18:

  1. The first example below simplifies the control to verify the 'Number of days prior to password expiry before a warning is displayed at login'. Notice the AND condition has been removed and replaced with check boxes. These check boxes allow you to pass the control if the setting is not found.
    Figure 3: Hybrid Control using Value and Fixed Values

  2. The second example below converts every value in the regular expression used to verify the startup state of the 'Clipbook' service into a fixed value. Notice that all of them, including Pi and Golden Ratio, are now check boxes; checking the appropriate boxes covers every state the service can be in.
    Figure 4: Fixed Values Control

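The before/after pairs in Figures 1 through 4 come down to one question: what does a comparison do when the value it receives is a sentinel rather than a setting? The following added example, which is not QualysGuard code, evaluates both controls in the legacy form (sentinels inside the expression) and the 6.18 form (sentinels as explicit check boxes). The threshold of 7 days for the password-warning control, the Windows service Start values (2 Automatic, 3 Manual, 4 Disabled), and the Pi/Golden Ratio meanings for the non-registry technology are assumptions made to fill out the example; the registry meanings are the ones given in the post.

```javascript
// Added example (not QualysGuard code): how the Pi and Golden Ratio
// sentinels interact with control logic, before and after 6.18-style
// fixed-value check boxes.

const PI = 314159265358979;  // registry key path (or file) not found
const GR = 161803399999999;  // registry key parameter (or setting) not found

// Translate a raw data-point value into a report status. The registry
// meanings are from the post; the file/setting meanings are an assumption.
const MEANINGS = {
  'windows-registry': { [PI]: 'Registry key path was not found',
                        [GR]: 'Registry key parameter was not found' },
  'unix-setting':     { [PI]: 'File was not found',
                        [GR]: 'Setting was not found' },
};
function translate(value, technology) {
  const table = MEANINGS[technology] || {};
  return table[value] || String(value);
}

// --- Figure 1 / Figure 3: warning days before password expiry must be >= 7
//     (7 is an assumed threshold) ---

// Naive control: passes when the setting is missing, because GR >= 7.
function naiveWarnDays(actual) {
  return actual >= 7;
}

// Legacy fix from the post: AND an explicit "actual < Golden Ratio" clause.
function legacyWarnDays(actual) {
  return actual >= 7 && actual < GR;
}

// Hybrid control (6.18): the sentinels are decided by check boxes, and the
// numeric comparison only ever sees a real value.
function hybridWarnDays(actual, { passIfNotSet = false, passIfNotFound = false } = {}) {
  if (actual === GR) return passIfNotSet;
  if (actual === PI) return passIfNotFound;
  return actual >= 7;
}

// --- Figure 2 / Figure 4: Clipbook service Start value must be Disabled (4),
//     or the service must not be installed at all ---

// Legacy: the sentinels are spelled out inside the regular expression.
const LEGACY_CLIPBOOK_RE = /^(4|314159265358979|161803399999999)$/;
function legacyClipbook(actual) {
  return LEGACY_CLIPBOOK_RE.test(String(actual));
}

// Fixed values: every state is a named check box, and the sentinels become
// "not installed" states instead of magic numbers in a pattern.
const CLIPBOOK_STATES = {
  2: 'Automatic', 3: 'Manual', 4: 'Disabled',
  [PI]: 'Key path not found', [GR]: 'Parameter not found',
};
function fixedClipbook(actual, allowedStates) {
  const state = CLIPBOOK_STATES[actual];
  return state !== undefined && allowedStates.has(state);
}
```

naiveWarnDays is the trap the post warns about: an unset value comes back as 161803399999999, which satisfies any "at least N" check, so a host with no warning period configured would pass. Both the legacy AND clause and the hybrid check boxes close that gap; the check-box form also makes the decision about a missing setting visible in the report instead of burying it in a comparison against a 15-digit number.
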
Updated compliance reports will now display the translated values for the 'Expected' column.  A sample report for the Fixed Values example above is provided below:

Figure 5: Fixed Values Report

In addition to resolving the translation of Pi and Golden Ratio, we also improved the layout of the policy editor and reports.  We added shading to both the policy editor and reports to highlight the values associated with each control.  We also added auto-sized text boxes in the policy editor to make it easier to see larger strings of text, especially for file integrity hashes.

Demo

To see a demo of this new feature, please view the Improved Policy Editor and Reporting Demo.
