Posts by Trey Ford

3 min Exploits

What is SQL Injection?

SQL Injection [https://www.rapid7.com/fundamentals/sql-injection-attacks/] is one of the oldest and most embarrassing vulnerabilities web-enabled code faces. It is so old that there really is no excuse for only a niche of people (namely web security professionals) to understand how it works. Every time I think we've beat this topic to death, SQL Injection finds its way back into the news. This post is my attempt to help anyone and everyone understand how it works and why it's such a persist

1 min Verizon DBIR

Getting Started with VERIS

We did a webcast with @hrbrmstr @gdbassett from the Verizon team last week, discussing how to get started with VERIS, the Vocabulary for Event Recording and Incident Sharing. If you joined us, thanks for coming out. We've attached an Excel spreadsheet with a couple of examples to help you get started at VERIS level 2, a couple of layouts to consider using... and we will be providing some updates. Special thanks to Judy Nowak for her hard work on the spreadsheet -- be looking for a blog post from her

7 min CISOs

Security Budget Tips, from CISOs, for CISOs

CISO Series: Budgeting I have provided a brief overview of the genesis of the CISO series [/2015/10/27/introducing-the-ciso-blog-series], and now it is time to tackle our first topic: security budgets. Whether you're the CISO of a large public company or leading security at an early-stage startup, rich in headcount or forced to be tight with the purse strings, reporting into the CIO, COO, or elsewhere in the organization, the fact remains that budget conversations are among the most critical and

2 min Verizon DBIR

What is VERIS?

Data driven security is all the rage, and laughably few of us encode and analyze our programs… and for good reason. It isn't easy. This post will talk about VERIS, a framework for describing security incidents in a precise way. We all have a plan, a security program, compliance regulations, and super busy calendars—but what is working? The answer is hidden in plain sight, it just needs to be analyzed. And this is why we all love the DBIR. If you aren't familiar with Verizon's DBIR (Data Breach

4 min Events

The Black Hat Attendee Guide Part 5a - The Magic of People

Joining us for the first time? This post is part of a series that starts right here [/2015/07/13/the-black-hat-attendee-guide-part-1]. So this post is a bit of a bonus. I've asked my dear friend Quinton Jones [https://www.linkedin.com/in/quintonjones] to share some wisdom and inspiration on how he injects passion and energy into his introductions. He's simply unforgettable, one of the greatest customer champions and business development folks I know, thanks to his passion for people. Please enj

5 min Events

The Black Hat Attendee Guide Part 7: Your Survival Kit

Joining us for the first time? This post is part seven of a series that starts right here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Hacker Summer Camp is no joke, and you've got to have a game plan when you head for Vegas. If you don't travel frequently, this is for you. Ignoring sartorial conundrums and basic hygiene, this post is focused on keeping your body operating at peak… or at least somewhat operational. Vegas: It's nothing like home for most of us. Desert allergens, low humi

10 min Events

The Black Hat Attendee Guide Part 6: The Sponsor Hall, Arsenal, and more

If you are just joining us, this is the sixth post in the series starting here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Conferences are magical and serendipitous. YouTube can't capture the electricity you remember in the room as you tell someone “I watched Barnaby jackpot an ATM,” as others echo back “I was there that year too!” At technical conferences, the content leads the way—it is what brings us to the show. Catching up on that research and work being done at “the tip of the spe

5 min Events

The Black Hat Attendee Guide Part 5 - Meaningful Introductions

If you are just joining us, this is the fifth post in the series starting here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Making An Introduction I might be wrong, but I'll argue that networking is a transitive verb, so ENGAGE! The real magic starts happening as you progress: * Level 1-- Start with a “Hi, my name is… ” Yes, it's that simple, thanks to Slim Shady [https://youtu.be/dQw4w9WgXcQ?t=43s] * Level 2-- Demonstrate that you have an idea of the world the other person live

7 min Events

The Black Hat Attendee Guide Part 2 - The Briefings

If you are just joining us, this is the second post in the series starting here [/2015/07/13/the-black-hat-attendee-guide-part-1]. Content is king. Research is what binds us, and you should not be surprised that some of the best in the game focus their annual research calendar on the Black Hat USA CFP. Offensive security research is the tail that wags the dog—many vendors and architects spend the year trying to get back in front of some of the bombs dropped at Black Hat each year. There's a

3 min Events

The Black Hat Attendee Guide, Part 1 - How to Survive Black Hat

If you're like me, you have wanted to go to Black Hat [http://blackhat.com/us-15/] for ages. If you're going, have a game plan. For first timers, this series will be a primer full of guidance and survival tips. For returning attendees, this will help maximize your experience at Black Hat. First, I want to give you perspective on my bias, coloring guidance offered here. My slant is that of someone who was a booth babe (sales engineer), a speaker, an attendee, Review Board member and former Gen

4 min

Securing Credit Lines: Eating Our Own Dogfood

We InfoSec (or cybersecurity) folks, we're full of all kinds of sage wisdom: “Put a password on your phone, tell it to self destruct after 10 failed attempts” … check! “Set up WPA2 on your home network!” … check! “Install patches as fast as you can!” … (well, as best as I can?) …check! “Freeze your credit reports!” … static “Dogfooding [http://en.wikipedia.org/wiki/Eating_your_own_dog_food]” (verb, slang) is a term used to reference a scenario in which a company uses its own product to va

3 min

The true cost of "free": Xfinity Comcast's new WiFi offering

Just in case you missed it… Comcast recently launched the first of its planned public WiFi hotspots, which leverage equipment being used in the homes of millions of its current customers to extend service availability. At first glance, this bold move by Comcast seems like a brilliant way to use the existing hardware in millions of homes to extend internet access for customers on the go. The way it works is this: XFINITY customers using the Comcast hardware (Arris 852 or 862 wireless routers)

5 min

Heartbleed War Room - Product FAQ

Quick reference links before we dive in: * Heartbleed Vulnerability Resources [http://information.rapid7.com/heartbleed-vulnerability-resources.html] * Heartbleed War Room - FAQ [/2014/04/11/heartbleed-war-room-faq] * Using Nexpose to stop the bleeding [/2014/04/10/using-nexpose-to-stop-the-bleeding-scanning-for-cve-2014-0160] * Metasploit's Heartbleed scanner module [/2014/04/09/metasploits-heartbleed-scanner-module-cve-2014-0160] Following up on our Heartbleed War Room webcast f