Last updated at Wed, 03 Jan 2024 21:05:21 GMT

Held every October, National Cybersecurity Awareness Month (NCSAM) aims to educate organizations and individuals on the ever-changing field of cybersecurity and encourage proper security practices. This year, NCSAM’s overarching theme focuses on three key areas where extra steps are necessary to remain safe both at home and in the workplace: Own IT, Secure IT, and Protect IT. In this blog series, we have compiled a list of top Rapid7 blogs that correlate with each NCSAM theme to offer readers a comprehensive overview of the space and some actionable cybersecurity tips to implement through the rest of October and beyond.

Once you’ve established where and how you could be at risk of digital wrongdoing, the next phase includes securing data and personal information that is already located online. Becoming aware of the security features found in online accounts and devices better prepares users for possible attacks against their digital profile.

In this blog, we will highlight must-read blog posts that align with NCSAM’s “Secure IT” sub-themes of strong passwords, multi-factor authentication, work secure, phishing, and e-commerce.

Strong passwords

Implementing a strong password is the first line of defense on any device or account. Passwords should be long, complex, and unique to the respective account they are associated with. An array of strong passwords will be the easiest initial step to ensure better security measures across the board, and this compilation of blogs will instruct you on all the common mistakes to avoid.

1. Password Tips from a Pen Tester: Are 12-Character Passwords Really Stronger, or Just a Dime a Dozen?

How many characters should a password contain to be as secure as possible? In this blog, we break down the optimal length for strong passwords and address some common security myths.

2. Password Tips from a Pen Tester: Taking the Predictability Out of Common Password Patterns

Humans are, by nature, inherently predictable. Even when you believe your account is secure, malicious actors can still make educated guesses to assist them with the password-cracking process.

3. Password Tips From a Pen Tester: Common Patterns Exposed

Coming back to password predictability, this blog highlights a more in-depth look at the statistics behind the most common password configurations. A single weak password has the opportunity to damage the entire security framework of a company if attackers play their cards right.

4. Password Tips From a Pen Tester: 3 Passwords to Eliminate

Regardless of company policy, there are three password variations that must be avoided at all costs to keep accounts safe at a baseline level. Eliminating these password examples is one of the easiest techniques to keep attackers at bay.

Multi-factor authentication (MFA)

Multi-factor authentication, also known simply as “MFA,” adds a second layer of online defense following a strong password. If you’ve ever needed to provide your mother’s maiden name or which street you grew up on to get into an account, then you’ve experienced one form of multi-factor authentication.

1. Two Factor Authentication Methods and Technologies

Determining the strengths and weaknesses of the various two-factor authentication (2FA) options is vital to making a well-informed security decision. Our blog outlines everything you need to know about the three types of Authentication Factors: Knowledge, Possession, and Biometric.

2. Designing Authentication

In order to ensure potential attackers are unable to discover easy hints from an account login page, UX designers must incorporate numerous security measures to guard user data.

Work secure

Businesses and large corporations are always at risk of being compromised by attackers due to their sheer size alone. With myriad employees and online applications to choose from in a single business, hackers can take advantage of human error to retrieve sensitive workplace information.

1. 10 Steps Towards the Path of Better Security for Your Business

Every business aims to provide its customers with a pledge that the security of their personal data is a top priority. These 10 steps can assist organizations that are looking to quickly upgrade their security practices by cutting down on large, common problem areas.

2. Password Tips from a Pen Tester: What is Your Company’s Default Password?

Default company passwords for new hires are notorious for being incredibly weak when they are first provided by an employer. With these default passwords carrying such a high risk of being compromised by bad actors, how can this process be adjusted for optimal protection?


Phishing

Have you ever been sent an email from an unknown source that attempts to get you to click and open a “sketchy” link? If so, then you have likely been the target of malicious digital phishing. Cybercriminals phish for personal information by masquerading as a reputable source in order to trick users into clicking on a dodgy link or downloading a malicious file. Phishing attacks continue to rise in popularity across the globe, so possessing the proper knowledge to defend against these schemes is becoming exceedingly important.

1. How to Automate Phishing Investigations and Remediation

With 92% of today’s security breaches involving phishing attacks, keeping up with the volume of high-priority alerts can be challenging. In this blog, we share four benefits of automating the phishing attack investigation process.

2. Tips for a Successful Phishing Engagement

Running a successful phishing engagement across a company can be a complicated task. Although the end goal of the exercise is to promote proper cybersecurity protocol, employees may feel discouraged if they fall for the ruse. Finding the proper balance is crucial for companies that aspire to be as protected as possible.

3. What You Can Learn from Our Successful Simulated Phishing Attack of 45 CEOs

Phishing attacks can be so deceitful that even top executives have the possibility of being compromised. Learn how 45 CEOs were successfully tricked by a clever phishing engagement and the lessons to take away from the attack.

4. How Attackers Can Harvest Users’ Microsoft 365 Credentials with New Phishing Campaign

This blog is more specific than the previous installments in the phishing category, offering insight into a particular product rather than a company as a whole. The Rapid7 Managed Detection and Response (MDR) team walks through how the attack occurs step by step and explains how organizations should counter a similar situation.


E-commerce

The 2018 holiday season saw an explosion of malware called “Magecart,” which injected itself into multiple online checkout sites and impacted various retailers. Bad actors typically use cross-site scripting (XSS) to inject their code into a vulnerable website and act from there.

1. How to Prevent Cross-Site Scripting (XSS) Attacks

Cross-site scripting (XSS) attacks are becoming an ever-increasing issue for online businesses and retailers to defend against. Once a successful attack occurs, the consequences can be extensive. Introducing the correct XSS prevention methods beforehand is much more manageable than dealing with an ongoing attack.

2. How Retailers Can Protect Against Magecart This Black Friday and Holiday Season

Magecart, a targeted XSS attack on e-commerce institutions, rose to prominence throughout the 2018 holiday season. If Magecart makes a return in 2019, it is vital to understand how to recognize the malware and prevent it from doing extra damage.

That’s a wrap!