5 min
Release Notes
Simplify Vulnerability Management with Nexpose 5.6
We are pleased to announce the next major release of Nexpose, version 5.6. This
release focuses on providing you the most impactful remediation steps to reduce
risk to your organization and extends our current configuration assessment
functionality.
New Look and Feel
The most visible change in Nexpose 5.6 is the new look and feel of the user
interface. The action header is now smaller to maximize screen space and
usability, and the new colour scheme makes it easier to focus on important areas
2 min
Compliance
Malicious SSIDs And Web Apps
On February 13th 2013, Cisco released a security notice related to CVE-2013-1131
[http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131]
. According to Cisco, the vulnerability is due to improper validation of the
Service Set Identifier (SSID) when performing a "site survey" to discover other
wireless networks. On the face of it, this vulnerability seems to be low-risk.
Indeed, site surveys are not often performed and an adversary would need to
either be incredibly luc
5 min
Compliance
5 NON-TECHNICAL REASONS ORGANIZATION GET BREACHED
For every data breach that makes the headlines, there are tens to hundreds that
go unreported by the media, unreported by companies, or even worse, go
unnoticed.
The rash of negative publicity around organizations that have experienced data
breaches would appear to be a sufficient motivator to whip corporate leaders
into bolstering their security programs in order to prevent from being the next
major headline. If that is not reason enough, the litany of regulations imposed
on certain industries
2 min
Metasploit
Creating a PCI 11.3 Penetration Testing Report in Metasploit
PCI DSS Requirement 11.3 requires that you "perform penetration testing at least
once a year, and after any significant infrastructure or application upgrade or
modification". You can either conduct this PCI penetration test in-house
[/2011/10/20/pci-diy-how-to-do-an-internal-pentest-to-satisfy-pci-dss-requirement-113]
or hire a third-party security assessment. Metasploit Pro offers a PCI reporting
template, which helps you in both of those cases. If you are conducting the
penetration test in
1 min
PCI
PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls
Hi,
According to what we are hearing from the field, there are quite a big number
out there of active users of this PCI Compliance Dashboard. Encouraged by your
feedback and your assitance we worked on this new release. Among other great
enhancements it encompasses references to the SANS Top 20 Critical Security
Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will
follow but for now on, enjoy this new version of the PCI Compliance Dashboard.
What's New?
* Add a tabl
4 min
Release Notes
Configuration assessment and policy management in Nexpose 5.2
We love our policy Dashboards. They are new, hot, intuitive, robust and really
useful. In our latest release of Nexpose, version 5.2, we've made two major
enhancements to our configuration assessment capabilities:
* A policy overview dashboard: To understand the current status of compliance
of configurations delivering a summary of the policy itself.A policy rule
dashboard: To provide further details for a particular rule and the current
compliance status for that rule.
What makes th
2 min
Metasploit
PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3
If you're accepting or processing credit cards and are therefore subject to PCI
DSS, you'll likely be familiar with requirement 11.3, which demands that you
"perform penetration testing at least once a year, and after any significant
infrastructure or application upgrade or modification". What most companies
don't know is that you don't have to hire an external penetration testing
consultant - you can carry out the penetration test internally, providing you
follow some simple rules:
* Sufficie
1 min
PCI
What to do if your organization can't demonstrate four passing PCI internal or external scans
Two cases:
1) Your company is assessed for the first time:
Entities participating in their first ever PCI DSS assessment are only required
to demonstrate that the most recent scan result meets the criteria for a passing
scan, and there are policies and procedures in place for future quarterly scans,
to meet the intent of this requirement. So to be compliant with 11.2 the first
time you are assessed, you only need to demonstrate that the most recent scan is
a PASS.
2) Reassessment (from th
3 min
Compliance
Disclosure, Destruction, and Denial
A few years ago while I was working at Defense Cybercrime Center (DC3), one of
my colleagues Terrence Lillard talked about the DDD triad in regards to what
attackers want to do to organization's assets. I haven't heard anyone outside of
him using that term, but I think it's worth sharing. I participated in an
awesome mini-conference event last week with the Metasploit Developement team
and this came up during my talk on Risk Management. When I asked the audience of
seasoned security practicioner
2 min
PCI
PCI Newsletter #2 - Payment processing terminology and workflow
Hi Everyone,
This is our second PCI 30 sec newsletter.
One cannot move through the PCI ecosystem without basic understandings of the
payment processing terminology and workflow. So let's have a look behind the
scene.
The payment processing terminology
In a nutshell, the payment transaction could be depicted as follow:
We have cardholders that make payment card purchases from merchants, merchants
that send payment transaction data to their acquirers, and acquirers that send
payment transacti