What's up Security Street! My name is Ethan Goldstein and I am a Security Consultant here at Rapid7. As you've seen over the past few weeks, we have been demonstrating how data, when placed into proper context, can tell a story. It's also important to note how powerful visualization can be. With our new custom CSV export, we have made it easier to massage the data collected by Nexpose to tell a variety of stories. These are mine. *Law and Order sound*
Report 1 – Security is NOT Compliance
WHO: Managers and Directors who need to communicate the potential risks associated with meeting a minimum compliance checkbox.
WHAT: This report showcases the number of exploits and skill level to exploit in contrast to CVSS and PCI Pass/Fail scores.
WHY: This chart clearly demonstrates that there are a variety of exploits associated with vulnerabilities that actually receive PASSING scores under PCI DSS. This tells a compelling story that we are still at risk while under the “safety blanket” of meeting minimum baseline compliance. While it is important to manage compliance, the better strategy is to meet a security baseline that includes proactively eliminating vulnerabilities where an exploit path exists in the wild, either via Metasploit or other publicly available exploit code. It also shows that the real risk is not in the sheer number of vulnerabilities, but in as few as one potential area of weakness where an attacker may be able to gain a foothold.
Report 2 – Desktops Matter Too
WHO: Information security teams who need to better prioritize remediation efforts.
WHAT: This pivot-table report shows the assets with their corresponding vulnerability tags, broken down into the top ten vulnerability categories by count. Overlaid on top of that is the number of malware kits in the wild associated with those vulnerabilities.
WHY: The graph clearly shows that, in this case, the number of vulnerabilities and corresponding malware on desktops is staggering in relation to other devices. While this is certainly not surprising, it paints a picture that Desktops and Endpoints matter too, and are typically the jumping-off point for attackers to anchor into the network and spread to other parts of your environment. Many companies overlook these devices because the actual data lives on servers.
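Both reports above are pivots over the same kind of exported vulnerability CSV, so here is one added example, not code from Rapid7 or from the Nexpose product, that builds them with the Python standard library. The column names (asset_ip, asset_type, vuln_title, cvss, pci_status, exploit_count, exploit_skill, malware_kits, category) and the sample rows are constructed for this example and are assumptions, not the exact Nexpose export schema; map them to whatever columns your own custom CSV export contains. Report 1 is the pivot of findings by PCI status and exploit skill level plus the list of PCI-passing findings that still have public exploit code; Report 2 is the per-asset-type top-N category count with malware kits overlaid.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the shape of a vulnerability CSV export.
# Column names and values are assumptions for this example, not the
# exact Nexpose export schema.
SAMPLE_CSV = """asset_ip,asset_type,vuln_title,cvss,pci_status,exploit_count,exploit_skill,malware_kits,category
10.0.0.5,Desktop,Example Browser RCE,9.3,Fail,3,Novice,4,Browser
10.0.0.5,Desktop,Example Office Macro Flaw,6.8,Fail,2,Intermediate,2,Office
10.0.0.5,Desktop,Example Flash Bug,3.5,Pass,1,Novice,5,Browser Plugin
10.0.0.7,Desktop,Example Java Applet Bug,3.9,Pass,2,Intermediate,3,Java
10.0.0.7,Desktop,Example Browser Memory Bug,3.7,Pass,1,Novice,2,Browser
10.0.0.7,Desktop,Example Weak Cipher,2.6,Pass,0,,0,SSL/TLS
10.0.1.20,Server,Example Web App XSS,4.3,Fail,1,Novice,0,Web
10.0.1.20,Server,Example SSH Banner Disclosure,0.0,Pass,0,,0,SSH
10.0.1.21,Server,Example Kernel Privilege Bug,7.2,Fail,1,Expert,1,Operating System
"""


def load_rows(text):
    """Parse the CSV text and coerce the numeric columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["cvss"] = float(r["cvss"])
        r["exploit_count"] = int(r["exploit_count"])
        r["malware_kits"] = int(r["malware_kits"])
        rows.append(r)
    return rows


def pci_vs_exploits(rows):
    """Report 1: pivot findings by (PCI status, exploit skill level) and
    list the findings that PASS PCI yet have public exploit code."""
    pivot = Counter()
    passing_but_exploitable = []
    for r in rows:
        skill = r["exploit_skill"] or "None"  # blank skill = no known exploit
        pivot[(r["pci_status"], skill)] += 1
        if r["pci_status"] == "Pass" and r["exploit_count"] > 0:
            passing_but_exploitable.append(r["vuln_title"])
    return pivot, passing_but_exploitable


def top_categories_with_malware(rows, top_n=10):
    """Report 2: per asset type, the top-N vulnerability categories by
    count, each paired with the malware kits tied to that category."""
    counts = defaultdict(Counter)
    kits = defaultdict(Counter)
    for r in rows:
        counts[r["asset_type"]][r["category"]] += 1
        kits[r["asset_type"]][r["category"]] += r["malware_kits"]
    return {
        atype: [(cat, n, kits[atype][cat]) for cat, n in c.most_common(top_n)]
        for atype, c in counts.items()
    }


def kits_by_asset_type(rows):
    """Total malware kits per asset type (the desktop-vs-server picture)."""
    totals = Counter()
    for r in rows:
        totals[r["asset_type"]] += r["malware_kits"]
    return totals


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    pivot, risky = pci_vs_exploits(rows)
    print("Report 1: findings by PCI status / exploit skill")
    for (status, skill), n in sorted(pivot.items()):
        print(f"  {status:4} {skill:12} {n}")
    print("  PCI-passing findings with public exploits:", risky)
    print("Report 2: top categories per asset type (category, vulns, malware kits)")
    for atype, cats in top_categories_with_malware(rows).items():
        print(f"  {atype}: {cats}")
    print("  malware kits per asset type:", dict(kits_by_asset_type(rows)))
```

Run it as a script to see both tables on the sample data; on a real export, replace SAMPLE_CSV with the file contents and adjust the column names. The `pci_status == "Pass" and exploit_count > 0` filter is the whole point of Report 1: it isolates the findings a compliance-only view would never surface.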