Policy Compliance

Agenda

Account & Application Setup (LAB 1)
Policy Overview and Control Library
User Defined Controls (LAB 2)
Compliance Scanning (LAB 3)
Policies (LAB 4)
Compliance Reports (LAB 5)
Security Assessment Questionnaire (LAB 6)

2 Qualys, Inc. Corporate Presentation
Policy Compliance Overview

Compliance Coverage

Policy Compliance
Define, Audit and Document IT Security Compliance

• Automate the assessment of thousands of technical controls
• Controls are defined in the Qualys Control Library.



Qualys Policy Compliance

• Provides proof of compliance across multiple compliance frameworks and initiatives.
• Documents evidence where the organization has discovered and fixed lapses.
• Helps to configure and secure host systems, to guard against internal and external threats.



Compliance Hierarchy - a “Top – Down” Approach
Simple Compliance Framework (diagram, read top to bottom)

Framework Level: Regulations and Frameworks such as SOX, CobiT, PCI, HIPAA, COSO, NIST, GLBA, ISO17799, NERC

Policies & Business Requirements: Example: “Vulnerable Processes must be eliminated..”

Standards, Procedures and Guidelines

Detailed Technical Controls: Technology AIX 5.x, CID 1130 “The telnet daemon shall be disabled”. Detail: Telnet streams are transmitted in clear text, including usernames and passwords. The entire session is susceptible to interception by Threat Agents.



SCAP Support

• Import policies from the Qualys SCAP policy library.
• Upload your own custom SCAP policies.
• Perform SCAP scans to check compliance against SCAP 1.0, 1.1, and 1.2.



Application and Account Setup


Path To Compliance

Qualys Control Library (CIDs) → Scan Results (ACTUAL) and Policy (EXPECTED) → Policy Report (PASS/FAIL) → Exceptions

1. Data points are defined within each CID in the Control Library.
2. Compliance scan collects ACTUAL “data points” from target hosts.
3. Qualys Policy specifies the EXPECTED values for all host “data points”.
4. Policy Report compares actual to expected values, producing PASS/FAIL status.
5. Interactive Reports are used to request exceptions for FAILED controls.



Policy Compliance Setup

1. Create Users

2. Add Hosts to Subscription

3. Build Asset Groups

4. Scan Hosts

5. Create Qualys Policy

6. Generate Policy Report

7. Request Exceptions

Add Hosts to Policy Compliance


Basic User Roles (least privileged to most privileged)

Reader: Readers can run reports.
Scanner: Scanners can launch maps and scans, and run reports.
Unit Manager: Management of assigned business unit.
Manager: Management authority for the subscription.

Search the online help for “User Roles Comparison” for a complete list.



Auditor User Role

• Responsible for handling exceptions

• Create policies, controls and reports

• Cannot run Compliance scans or join Business Unit.


Default Access

• Only Managers and Auditors have “default” access to Policy Compliance.
• Unit Managers, Scanners, and Readers must be granted “extended” permissions to access Policy Compliance.


Managing Assets

• Asset Groups and Asset Tags can define the “Scope” of a Policy (matching Tags are created for each Group).


Asset Group Setup

• Logical grouping based on importance, location, and ownership

Asset Groups for Scanning, for example:
Scan_Chicago_Desktops
Scan_Chicago_Servers
Scan_London_Desktops
Scan_London_Servers

Asset Groups for defining a Policy*, for example:
CIS-Windows2008-Chicago
CIS-Windows2008-London
CIS-Windows2008-All

* Recommended to create specific asset groups for your Compliance hosts



Lab 1

Account and Application Setup


Control Library & User Defined Controls (UDC)


Control Library


User Defined Controls

Windows Controls
Unix Controls


User Defined Controls

Why have them?
• Custom applications that require compliance audits.
• Systems use filenames / locations other than default settings.
• Determine if specific service packs are installed.

What happens if I write a duplicate UDC?
The system will present an error.

How do we write them?
Requires an understanding of the requirements and a technical understanding of the system. Usually the auditor and the SysAdmin must be involved.


Lab 2

User Defined Controls


Compliance Scanning


Qualys Cloud Platform (architecture diagram)

Remote Users, LAN 1, LAN 2, DMZ and IaaS Providers (EC2/VPC, Azure, Google) all report to the Qualys Cloud Platform.


Cloud Agent Benefits

1. Qualys agent installs as a local system service.
2. Agent serves as a “data collector” – All vulnerability testing is performed in the Qualys cloud.
3. Changes (deltas) are detected and sent to the Qualys platform.
4. Remote registry access is NOT required.
5. Authentication record is NOT required.
6. Firewall configuration changes are NOT required.
7. Cloud Agent is NOT a replacement for a PCI scan.


Scan Configuration

A Scan (On-Demand or Scheduled) brings together:
• Scanner appliance
• Compliance Profile: Scan Preferences, Authentication (required)
• Assets: Groups, Tags, IP addresses


Compliance Scanning Options


Compliance Scan Workflow

1. Host Discovery: Validates that the hosts are “ALIVE”
2. Authentication: Host authentication provides for accurate OS detection. If authentication fails, the scan processing stops.
3. Compliance Scan: The service scan to gather data points to use during compliance assessment


Scan Results – Authentication Issues


Unix Root Delegation
• Sudo
• PowerBroker
• Pimsu


Authentication Vaults
• In large organizations where thousands of machines are scanned regularly, managing passwords is a challenge.
• Some organizations are reluctant to let their credentials leave the network.


Vault Integration: How it works
1. User launches a trusted scan from the Qualys SOC.
2. The Scanner Appliance (SA) gets the credentials from the Vault.
3. The SA scans the target using the credentials (Windows and Unix).
4. Scan results are exported to the Qualys SOC.


Authentication Best Practices

1. Setup Compliance profile: Configure your Compliance profile
2. Set up Authentication: Be sure you have Authentication Record(s) set up
3. Scan Hosts: Scan your hosts and verify the scan finished processing
4. Verify Authentication: Run an Authentication Report to view Scan Results


Lab 3

Compliance Scanning


Policies


Policy Creation Options

• Create New Policy from scratch
• Create New Policy using existing host
• Import Policy from Policy Library
• Import Policy from XML file

Create Empty Policy

1. Set Technology: Select a technology for your policy (Operating System, Web Server, Database)
2. Add Controls: Add controls to the policy
3. Add Hosts: Assign host assets to the policy


Create Policy From Existing Host


Import Policy from Library


XML Export / Import
• Download a Policy (share that policy)
• Import another policy from a file or from library

For exceptionally large Policies (e.g. those created with Golden Image), you can Export (download) and edit in bulk, and then Import (upload) the edited Policy.

Cardinality of Controls
• Compares the “data point” collected during a scan to the control’s expected value.

CARDINALITY       YOU ARE COMPLIANT WHEN
contains          X contains all of Y
does not contain  X does not contain any of Y
matches           All strings in X match all strings in Y (listed in any order)
intersects        Any string in X matches any string in Y
is contained in   All strings in X are contained in Y

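The comparison described on the Path To Compliance slide and in the cardinality table above, as an added example that is not Qualys code: it evaluates each control's cardinality over the collected strings X (assumed here to be the ACTUAL scan data point) and the expected strings Y, then produces the PASS/FAIL posture, flagging a failed control that has an accepted exception with the "E" from the Passing with Exceptions slide. Every CID other than 1130, the service and account names, and the "PASS (E)" and "ERROR" status labels are constructed for this example.

```python
# Added example (not Qualys code): compare collected "data points" (ACTUAL) with a
# policy's EXPECTED values using the five cardinalities, then give PASS/FAIL posture.
from typing import List, NamedTuple

def cardinality_ok(cardinality: str, actual: List[str], expected: List[str]) -> bool:
    """X = strings collected from the host (assumed), Y = strings the control expects."""
    x, y = set(actual), set(expected)
    if cardinality == "contains":           # X contains all of Y
        return y <= x
    if cardinality == "does not contain":   # X does not contain any of Y
        return not (x & y)
    if cardinality == "matches":            # all of X match all of Y, in any order
        return x == y
    if cardinality == "intersects":         # any string in X matches any string in Y
        return bool(x & y)
    if cardinality == "is contained in":    # all strings in X are contained in Y
        return x <= y
    raise ValueError(f"unknown cardinality: {cardinality}")

class Control(NamedTuple):
    cid: int              # Control ID (CID) from the Control Library
    cardinality: str
    expected: List[str]   # EXPECTED values set in the policy

def evaluate_policy(controls, scan_results, exceptions=frozenset()):
    """Return {cid: status}: PASS/FAIL as on the slides, "PASS (E)" for a failed control
    covered by an accepted exception, "ERROR" for a data point the scan did not collect."""
    report = {}
    for c in controls:
        if c.cid not in scan_results:
            report[c.cid] = "ERROR"
        elif cardinality_ok(c.cardinality, scan_results[c.cid], c.expected):
            report[c.cid] = "PASS"
        else:
            report[c.cid] = "PASS (E)" if c.cid in exceptions else "FAIL"
    return report

# Constructed sample data: CID 1130 is the telnet control quoted on the hierarchy
# slide; the 9xxx CIDs, service names and account names are made up for illustration.
POLICY = [
    Control(1130, "does not contain", ["telnet"]),        # telnet daemon disabled
    Control(9001, "contains", ["ssh", "ntp"]),            # required services running
    Control(9002, "is contained in", ["root", "admin"]),  # only these accounts allowed
    Control(9003, "matches", ["sshd"]),                   # exactly this listener
]
SCAN = {1130: ["ssh", "ntp"], 9001: ["ssh", "ntp", "cron"],
        9002: ["root", "oracle"], 9003: ["sshd"]}

if __name__ == "__main__":
    print(evaluate_policy(POLICY, SCAN, exceptions={9002}))  # 9002 fails but is excepted
```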


Cardinality of Controls : contains
• X contains all of Y

Cardinality of Controls : intersects
• Any string in X matches any string in Y

Cardinality of Controls : does not contain
• X does not contain any of Y

Cardinality of Controls : matches
• All strings in X match all strings in Y (any order)

Cardinality of Controls : is contained in
• All strings in X are contained in Y

Testing Regular Expressions

Lab 4

Controls and Policies


Reporting


Policy Compliance Reports

Authentication Report

Policy Report
• Policy Report includes compliance status with a specific policy
• The report lists the hosts assigned to the policy with the controls tested
• Results are shown as a passed/failed status

Certified Reports

Scheduled Reports Setup

Requesting Exceptions

1. Request exceptions.
2. Review exceptions.
3. Accept/Reject exceptions.
4. View exception history.

Exceptions can only be requested via Interactive Reports


Interactive Reports

• Individual Host Compliance Report identifies the compliance status for a particular host.
• Control Pass/Fail Report identifies the compliance status for a particular control.

Exception Report Options

Check the Status options for: Passed, Failed, and Error.

Exception Request


Exceptions Tab

• Exceptions are created through the interactive report.
• An Auditor will click on “Edit” to open the ticket.

Exceptions End Date

• Set a time limit on an exception.
• Regardless of action, comments are required.

Passing with Exceptions

Note the “E” above the “passed” Posture

Example of Exceptions

• Requirement: FTP, or any form thereof, should not be enabled on any external facing device.
  Reality: The support team must have FTP enabled to allow customers to send files larger than 5Mb when their email will not allow such attachments.

• Requirement: All workstations must have the latest service pack installed.
  Reality: You are in the midst of an upgrade and it will take 30 days to have all systems tested and updated.


Exceptions – The Reality

• Exceptions address sensitive business issues:
  • Changing the corporate stance on password length.
  • Allowing FTP on certain machines but not others.

• Changes to policies and controls should go through the normal chain of command:
  • Business owners and auditors should approve any adjustments or modifications to policies and controls.

• Do not make adjustments within the Policy Compliance module without appropriate approval and documentation.


Compliance Best Practices

• At first, focus on controls with CRITICAL and URGENT severity.
• Use the Qualys API to share compliance data with third party applications or GRC solutions.
• AUTOMATE: schedule compliance scans and reports to run on a regular basis, automatically.


Compliance Best Practices

• How many audits do we need a year?
  Continual auditing will allow you to take very consistent, repeatable measurements of your environment.

• What is the fastest way to get to compliance?
  Use Qualys to schedule compliance scans and reports on a regular basis.


Lab 5

Compliance Report


Security Assessment Questionnaire


Security Assessment Questionnaire
Cloud-Based Questionnaires

• Visually design questionnaires
• Assign assessment leveraging embedded workflow
• Intuitive Responding
• Track using an operational dashboard
• Review answers and evidence

Use Case: Vendor Risk Assessment
Assess cyber security controls of vendors & 3rd parties
• Gather Evidence
• Review answers
• Take corrective actions

Approach
• How: Classification Questionnaire, Risk Assessment questionnaires
• Who: Vendor Contact, Vendor Manager, Risk Manager
• What: Critical Assets, Processes, Business Unit, Applications, Vendors

• Centrally manage Vendor Risk Assessment through an online portal

Use Case: Internal Audit/Risk Assessment
Assess compliance of in-scope assets or entities
• Verify relevant controls are in place
• Gather Evidence
• Review answers

Approach
• How: Self Assessment questionnaires
• Who: Asset Owner, Compliance/Risk Manager
• What: In Scope Assets, Processes, Business Unit, Applications, Vendors

• Centrally manage compliance effort and compliance artifacts


SAQ Users

Contains the users who will be participating in the campaign


SAQ Template

• Defines the questions you want to ask and the structure of your
questionnaire.
• A question may include requirements for evidence, comments and
attachments.
• Create a Template:
• Build from scratch—Blank Template
• Import from Qualys Template Library
• Import from XML file


SAQ Campaign
• Contains a Questionnaire and identifies Campaign participants:
  • Recipient – Responsible for answering questions.
  • Reviewer – Reviews answers submitted by recipient.
  • Approver – Provides final approval of specific questions.


Campaign Workflow

• Simple – 2 Stage
• Reviewable – 3 Stage
• Full – 4 Stage

Stages
1. Recipient receives invitation to complete questionnaire.
2. Recipients submit answers.
3. Answers are reviewed.
4. Answers are reviewed and approved.


Lab 6

Security Assessment Questionnaire


Exam


Exam Tips and CPE

• You have five attempts to pass
• The test is linear, no going back to an older question
• Passing score: 75% and above
• No negative marking
• Test can be taken anytime
• 30 questions (Multiple choice included)
• You may use presentation slides, lab exercises, Qualys Community, and you may have an active Qualys session open while attempting the exam.
• No set time limit (please start a new LMS session before launching the exam).
• A CPE credit is earned for each hour of attendance.


Thank You

training@qualys.com
