Posts tagged Compliance

1 min Incident Detection

Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection

With breaches making regular headlines, security teams are under more scrutiny than ever before. This is especially true in retail, where strong security practices are paramount to protecting customer and organizational data. PCI DSS compliance is a key component of any retail organization's security program. As a level 2 merchant, Redner's Markets must conduct regular vulnerability scans, collect logs, and review them daily. “Compliance was what began our rel

1 min Nexpose

New Policy Reports in Nexpose

With Nexpose, you can assess your network for secure configurations at the same time as vulnerabilities, giving you a unified view of your risk and compliance posture. The latest version of Nexpose focuses on making it easier to understand how well you're doing and the actions to take to improve overall compliance. Starting with Nexpose 6.2.0, users now have access to two brand new policy reports that help you take control of your compliance program and focus on what is important. The first r

3 min PCI

Seven Ways UserInsight Helps With PCI Compliance

For any company that deals with credit cards, PCI DSS Compliance still reigns king. You may be aware of how our Threat Exposure Management solutions, Nexpose and Metasploit, have been designed to directly meet PCI DSS, as well as comply with many other standards. Today, let's look at how our Intruder Analytics solution, UserInsight, joins your security detail to identify threat actors across your ecosystem, whether it be attackers masking as employees, or insider threats. Here is an excerpt of

2 min Compliance

Top 3 Takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" Webcast

In this week's webcast, Jane Man [/author/jane-man] and Guillaume Ross [/author/guillaume-ross] revisited the latest PCI DSS 3.0 requirements. Security professionals need to be diligent to remain compliant and secure. Jane and Guillaume discussed some key results from the Verizon 2015 PCI Compliance Report, tips and tricks for complying with requirements 7, 8, and 10, and touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways from the “PCI DSS 3.0 Update: How to Restrict

7 min PCI

Webcast Followup: Escalate Your Efficiency

Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have great conversation. First of all, I want to thank you folks who have taken the time from their busy schedules to watch us live. There were many questions our viewers asked us, and we were not able to answer all of them due to time limitations. In this post, you will find the answers for those questions. First things fir

2 min PCI

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to sim

2 min Compliance

Top 3 Takeaways from the "Security in Retail: An Industry at a Crossroads" Webcast

Retail is one of the industries hit hardest by the high-profile mega-breaches of late, so Jane Man [/author/jane-man], product marketing manager at Rapid7, and Wim Remes [/author/wim-remes], manager of strategic services at Rapid7 (read his intro blog here [/2015/02/13/why-i-joined-rapid7]), came together to discuss the challenges and future of retail security, and how organizations need to think about the balance between compliance and focusing on attack prevention and detection. Read on to le

2 min Compliance

Top 3 Takeaways from the "PCI DSS 3.0: Are You Ready for January?" Webcast

The deadline (January 1, 2015!) for PCI DSS 3.0 compliance is quickly approaching. Some of our PCI experts addressed this head on in a recent webcast, “PCI DSS 3.0: Are you Ready for January?”. Derek Kolakowski, Brian Tant, and ncrampton discussed what it will take for security professionals to get over the finish line and achieve 3.0 compliance, and to be secure and ready when aud

3 min PCI

PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance

A big thanks to Andy Barratt, Managing Director, Europe and QSA, Coalfire, for his contribution to this newsletter. “Any darn fool can make something complex; it takes a genius to make something simple.” ― Peter Seeger. If you are the glorious knight responsible for getting your company up to mandatory compliance levels (and keeping it there), you could potentially feel desperate facing this enormous and tedious undertaking. This is especially true fo

2 min Nexpose

How to use Nexpose as part of your internal PCI compliance program

If your systems process, store, or transmit credit card holder data, you may be using Nexpose to comply with the Payment Card Industry (PCI) Security Standards Council Data Security Standards (DSS). The newest PCI internal audit scan template released as part of Nexpose 5.11.4 is designed to help you conduct your internal assessments as required in the DSS. To learn more about PCI DSS 3.0, visit our resource page [

2 min PCI

ControlsInsight: Server Controls - Single Critical role

NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS 2.2.1 suggest that servers deployed in a production environment must only be serving one critical role. For example, if we add another critical role like file services to a web server then we increase the attack vectors on that server. Generally, web servers deployed in a production environment are open to public internet and are more susceptible to attacks. They require high maintenance with respect to installing

3 min PCI

Cyber Security Awareness Month: Data Custodianship

By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware” - so this year we're equipping you for executive tier cyber security discussions. We kicked this off last week with a piece on why security

3 min PCI

PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!

This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing. Why is Pen-test needed? In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and establish the appropriate treatment (a.k.a. a remediation plan), penetration testing aims to: * Determine and validate a diagnosis by determining the genuineness and severity of identified vulnerabilities * Validate that defense m

2 min Metasploit

Federal Friday - 9.5.14 - Keeping 3rd Parties Honest

Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day weekend, and the short week to follow. I happily took last week off as well, maximizing the effect of the "long" weekend. Additionally, a group of 25 Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm happy to say all of the "Dirty Moose" made it through the mud and obstacles, for the 2nd year in a row, and we helped generate funds for the Wounded Warrior Project [http://www.wound

2 min PCI

Top 4 Takeaways from "Mind the Gap: 5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis" Webcast

PCI is never far from mind these days as the January 1, 2015 deadline for most organizations to be compliant with PCI DSS 3.0 approaches quickly. In light of these deadlines, ncrampton and ospannero hosted a webcast earlier this week on the "5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis", so that org