1 min
Incident Detection
Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection
With breaches making regular headlines, security teams are under more scrutiny
than ever before. This is especially true in retail, where strong security
practices are paramount to protecting customer and organizational data. PCI DSS
compliance is a key component of any retail organization's security program. As
a level 2 merchant, Redner's Markets [http://www.rednersmarkets.com/] must
conduct regular vulnerability scans, collect logs, and review them daily.
“Compliance was what began our rel
1 min
Nexpose
New Policy Reports in Nexpose
With Nexpose, you can assess your network for secure configurations at the same
time as vulnerabilities, giving you a unified view of your risk and compliance
posture. The latest version of Nexpose focuses on making it easier to understand
how well you're doing and the actions to take to improve overall compliance.
Starting with Nexpose 6.2.0, users now have access to two brand new policy
reports that help you take control of your compliance program and focus on what
is important.
The first r
3 min
PCI
Seven Ways UserInsight Helps With PCI Compliance
For any company that deals with credit cards, PCI DSS Compliance still reigns
king. You may be aware of how our Threat Exposure Management solutions, Nexpose
and Metasploit, have been designed to directly meet PCI DSS, as well as comply
with many other standards. Today, let's look at how our Intruder Analytics
solution, UserInsight, joins your security detail to identify threat actors
across your ecosystem, whether they are attackers masquerading as employees or
insider threats.
Here is an excerpt of
2 min
Compliance
Top 3 Takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" Webcast
In this week's webcast, Jane Man [/author/jane-man] and Guillaume Ross
[/author/guillaume-ross] revisited the latest PCI DSS 3.0 requirements. Security
professionals need to be diligent to remain compliant and secure. Jane and
Guillaume discussed some key results from the Verizon 2015 PCI Compliance
Report, tips and tricks for complying with requirements 7, 8, and 10, and
touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways
from the “PCI DSS 3.0 Update: How to Restrict
7 min
PCI
Webcast Followup: Escalate Your Efficiency
Last week, we had a live webcast to talk about how Metasploit Pro helps
pentesters be more efficient and save time. There were so many attendees, which
made it possible to have a great conversation. First of all, I want to thank you
folks who have taken the time from their busy schedules to watch us live. There
were many questions our viewers asked us, and we were not able to answer all of
them due to time limitations. In this post, you will find the answers for those
questions.
First things fir
2 min
PCI
Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast
Penetration Testing is a complex process that requires attention to detail,
multi-tasking, extensive knowledge of different attack vectors, available
vulnerabilities and exploits, and patience. Recently, erayymz
[https://twitter.com/erayymz], Senior Product Manager at Rapid7, spoke with pen
testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin
Heywood, Manager of Security Assurance at ATB Financial. They discussed how to
take advantage of automation with Metasploit Pro to sim
2 min
Compliance
Top 3 Takeaways from the "Security in Retail: An Industry at a Crossroads" Webcast
Retail is one of the industries hit hardest by the high-profile mega-breaches of
late, so Jane Man [/author/jane-man], product marketing manager at Rapid7, and
Wim Remes [/author/wim-remes], manager of strategic services at Rapid7 (read
his intro blog here [/2015/02/13/why-i-joined-rapid7]), came together to discuss
the challenges and future of retail security, and how organizations need to
think about the balance between compliance and focusing on attack prevention and
detection. Read on to le
2 min
Compliance
Top 3 Takeaways from the "PCI DSS 3.0: Are You Ready for January?" Webcast
The deadline (January 1, 2015!) for PCI DSS 3.0 compliance is quickly
approaching. Some of our PCI experts addressed this head on in a recent webcast,
“PCI DSS 3.0: Are you Ready for January?
[https://information.rapid7.com/pci-ready-for-january.html?CS=blog]”. Derek
Kolakowski, Brian Tant, and ncrampton
[https://community.rapid7.com/people/ncrampton] discussed what it will take for
security professionals to get over the finish line and achieve 3.0 compliance,
and to be secure and ready when aud
3 min
PCI
PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance
A big thanks to Andy Barratt [https://www.linkedin.com/in/andrewbarratt] -
Managing Director, Europe and QSA, Coalfire for his contribution to this
newsletter.
“Any darn fool can make something complex; it takes a genius to make something
simple.”― Peter Seeger
If you are the glorious knight responsible for getting your company up to
mandatory compliance levels (and keeping it there), you could potentially feel
desperate facing this enormous and tedious undertaking. This is especially true
fo
2 min
Nexpose
How to use Nexpose as part of your internal PCI compliance program
If your systems process, store, or transmit credit card holder data, you may be
using Nexpose to comply with the Payment Card Industry (PCI) Security Standards
Council Data Security Standards (DSS
[https://www.pcisecuritystandards.org/security_standards]). The newest PCI
internal audit scan template released as part of Nexpose 5.11.4 is designed to
help you conduct your internal assessments as required in the DSS.
To learn more about PCI DSS 3.0, visit our resource page
[http://www.rapid7.com/r
2 min
PCI
ControlsInsight: Server Controls - Single Critical role
NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS
2.2.1 suggest that servers deployed in a production environment must serve only
one critical role.
For example, if we add another critical role like file services to a web server,
then we increase the attack vectors on that server. Generally, web servers
deployed in a production environment are open to the public internet and are
more susceptible to attacks. They require high maintenance with respect to installing
3 min
PCI
Cyber Security Awareness Month: Data Custodianship
By now, you know that October is Cyber Security Awareness Month in the US
[http://www.staysafeonline.org/ncsam/] and across the European Union
[http://www.enisa.europa.eu/activities/stakeholder-relations/nis-brokerage-1/european-cyber-security-month-advocacy-campaign].
We know many SecurityStreet readers work in information security and are
already “aware” - so this year we're equipping you for executive tier cyber
security discussions. We kicked this off last week with a piece on why security
3 min
PCI
PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!
This newsletter clarifies what is expected to comply with PCI DSS 11.3:
Penetration testing.
Why is a pen test needed?
In the same way that wellness checks support a doctor's diagnosis by determining
what's wrong or not working as expected (a.k.a. an analysis) and establishing the
appropriate treatment (a.k.a. a remediation plan), penetration testing aims to:
* Determine and validate a diagnosis by determining the genuineness and
severity of identified vulnerabilities
* Validate that defense m
2 min
Metasploit
Federal Friday - 9.5.14 - Keeping 3rd Parties Honest
Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day
weekend, and the short week to follow. I happily took last week off as well,
maximizing the "long" weekend effect. Additionally, a group of 25
Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm
happy to say all of the "Dirty Moose" made it through the mud and obstacles, for
the 2nd year in a row, and we helped generate funds for the Wounded Warrior
Project [http://www.wound
2 min
PCI
Top 4 Takeaways from "Mind the Gap: 5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis" Webcast
PCI is never far from mind these days as the January 1, 2015 deadline for most
organizations to be compliant with PCI DSS 3.0 approaches quickly. In light
of these deadlines, ncrampton [https://community.rapid7.com/people/ncrampton]
and ospannero [https://community.rapid7.com/people/ospannero] hosted a webcast
earlier this week on "5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis
[https://information.rapid7.com/5-steps-to-perform-pci-gap-analysis-webcast.html?CS=blog]
", so that org