Posts tagged Compliance

2 min PCI

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to sim

2 min Compliance

Top 3 Takeaways from the "Security in Retail: An Industry at a Crossroads" Webcast

Retail is one of the industries hit hardest by the high-profile mega-breaches of late, so Jane Man [/author/jane-man], product marketing manager at Rapid7, and Wim Remes [/author/wim-remes], manager of strategic services at Rapid7 (read his intro blog here [/2015/02/13/why-i-joined-rapid7]), came together to discuss the challenges and future of retail security, and how organizations need to think about the balance between compliance and focusing on attack prevention and detection. Read on to le

2 min Compliance

Top 3 Takeaways from the "PCI DSS 3.0: Are You Ready for January?" Webcast

The deadline (January 1, 2015!) for PCI DSS 3.0 compliance is quickly approaching. Some of our PCI experts addressed this head on in a recent webcast, “PCI DSS 3.0: Are you Ready for January?”. Derek Kolakowski, Brian Tant, and ncrampton discussed what it will take for security professionals to get over the finish line and achieve 3.0 compliance, and to be secure and ready when aud

3 min PCI

PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance

A big thanks to Andy Barratt, Managing Director, Europe and QSA, Coalfire, for his contribution to this newsletter. “Any darn fool can make something complex; it takes a genius to make something simple.” ― Peter Seeger. If you are the glorious knight responsible for getting your company up to mandatory compliance levels (and keeping it there), you could potentially feel desperate facing this enormous and tedious undertaking. This is especially true fo

2 min Nexpose

How to use Nexpose as part of your internal PCI compliance program

If your systems process, store, or transmit credit card holder data, you may be using Nexpose to comply with the Payment Card Industry (PCI) Security Standards Council Data Security Standard (DSS). The newest PCI internal audit scan template, released as part of Nexpose 5.11.4, is designed to help you conduct the internal assessments required by the DSS. To learn more about PCI DSS 3.0, visit our resource page [

2 min PCI

ControlsInsight: Server Controls - Single Critical role

NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS 2.2.1 suggest that servers deployed in a production environment must only be serving one critical role. For example, if we add another critical role like file services to a web server then we increase the attack vectors on that server. Generally, web servers deployed in a production environment are open to public internet and are more susceptible to attacks. They require high maintenance with respect to installing

3 min PCI

Cyber Security Awareness Month: Data Custodianship

By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware”, so this year we're equipping you for executive tier cyber security discussions. We kicked this off last week with a piece on why security

3 min PCI

PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!

This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing. Why is a pen test needed? In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and establish the appropriate treatment (a.k.a. a remediation plan), penetration testing aims to: * Determine and validate a diagnosis by determining the genuineness and severity of identified vulnerabilities * Validate that defense m

2 min Metasploit

Federal Friday - 9.5.14 - Keeping 3rd Parties Honest

Happy Friday, Federal friends! I hope all of you enjoyed the nice long Labor Day weekend, and the short week to follow. I happily took last week off as well, maximizing the "long" weekend effect. Additionally, a group of 25 Rapid7 Moose took on the "Great Northeast" Tough Mudder event back on 8/23. I'm happy to say all of the "Dirty Moose" made it through the mud and obstacles, for the 2nd year in a row, and we helped generate funds for the Wounded Warrior Project [http://www.wound

2 min PCI

Top 4 Takeaways from "Mind the Gap: 5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis" Webcast

PCI is never far from mind these days, as the January 1, 2015 deadline for most organizations to be compliant with PCI DSS 3.0 approaches quickly. In light of these deadlines, ncrampton and ospannero hosted a webcast earlier this week on "5 Steps to Perform Your Own PCI DSS 3.0 Gap Analysis", so that org

4 min PCI

PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem

What's a privileged account? The term "privileged account", also known as "high privileged account" or "super user", refers to any type of account that holds special or extra permissions within the enterprise systems. They are generally categorized as: * IT administrative accounts used to install or configure, e.g. UNIX root, Windows Administrator accounts, or accounts associated with database ownership and network components. * Identity and access management accounts used to manage use

4 min Penetration Testing

7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year)

PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probab

11 min Metasploit

New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately. Generate AV-evading Dynamic Payloads Malicious attackers u

2 min Metasploit

Federal Friday - 3.21.14 - A Day of Reckoning

Friday at last... Hello federal friends! I'm pleased to announce that the sun is setting here in Boston at 6:58pm tonight and there is Major League Baseball being played this weekend. Spring officially happened yesterday, which should make those of you in DC put Monday's snow day out of sight and out of mind. Did my ominous title catch your attention? Don't worry, this is not the end of times, or even the end of days for that matter (thank goodness), and mo

2 min Metasploit

Federal Friday - 2.21.14 - NATO praises NIST's Framework

Happy Friday, federal friends! I hope you all enjoyed your long weekend and short work week. We're cruising through February here at the global HQ in Beantown, with a big office move scheduled for early March. I hope most of you have begun to thaw out, and for those of you out there having a similar winter to New England, think warm thoughts (it helps). There was a nice article on Inside Security [