Posts tagged Compliance

4 min PCI

PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem

What's a Privileged account? The term "Privileged account", also known as "High Privileged account" or "Super user", refers to any type of account that holds special or extra permissions within the enterprise systems. They are generally categorized as: * IT administrative accounts used to install or configure, e.g. UNIX root, Windows Administrator accounts, or accounts associated with database ownership and network components. * Identity and access management accounts used to manage use

4 min Penetration Testing

7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year)

PCI DSS Compliance is driving about 35% of all penetration tests, according to a Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this year. With the changes introduced in PCI DSS version 3.0, penetration tests will become more complex and longer in duration, and more companies will feel the need to run penetration tests in the first place. Given that it takes a lot of time and money to train new penetration testers, this will cause consultants to book out early, and probab

11 min Metasploit

New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately. Generate AV-evading Dynamic Payloads Malicious attackers u

2 min Metasploit

Federal Friday - 3.21.14 - A Day of Reckoning

Friday at last... Hello federal friends! I'm pleased to announce that the sun is setting here in Boston at 6:58pm tonight and there is Major League Baseball being played this weekend. Spring officially happened yesterday which should make those of you in DC put Monday's snow-day out of sight and out of mind. Did my ominous title catch your attention? Don't worry, this is not the end of times, or even the end of days for that matter (thank goodness) and mo

2 min Metasploit

Federal Friday - 2.21.14 - NATO praises NIST's Framework

Happy Friday, federal friends! I hope you all enjoyed your long weekend and short work-week. We're cruising through February here at the global HQ in Beantown, with a big office move scheduled for early March. I hope most of you have begun to thaw out and for those of you out there having a similar winter to New England, think warm thoughts (it helps). There was a nice article on Inside Security

5 min PCI

PCI 30 seconds newsletter #35 - Patch management, how to comply with PCI.

In newsletter #15 [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] I addressed the problem of flaws in our working environments. As a follow-up I'm covering here the topic of patch management and its applicability within the context of PCI, a domain with a 49.5% compliance rate as per the Verizon 2014 PCI Compliance Report. What's a patch? In the same way a needlewoman would apply a piece of cloth to repair a hole in your favorite coat, a patch or fix is a piece of software that can be ap

4 min Metasploit

Federal Friday - 1.31.14 - Positioning for a Holistic Cybersecurity Deployment

Hello federal friends, happy last Friday of January. Is the year flying by already for anyone else? I wanted to talk to you this week about how to position your organization to better prepare yourselves from a cybersecurity standpoint. Who better to help me do this than Jennifer Aniston? "Yeah. Yeah. We do. Although I didn't actually choose these. I, um, I just sorta grabbed fifteen buttons and just...I don't even know what they say! Y'know, I don't really care. I don't really like talkin

1 min Compliance

PCI DSS v3.0 - Rapid7's Guide to PCI Compliance.

If you're one of the many businesses that have to be PCI compliant, the latest changes that are coming out in 3.0 are probably of great interest to you. Thankfully, we here at Rapid7 want to make the transition easier, so we present two options for you to learn more about these new changes. First, above, is our PCI DSS 3.0 Whiteboard Wednesday. Our PMM for Nexpose, Nate Crampton, takes you through a brief overview of the changes, and what these new requirements might mean for your business.

4 min PCI

PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework

Strong cryptography is referred to by PCI DSS through the following requirements: 2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. 4.1 - Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Cryptographic solutions are also su

4 min Metasploit

Federal Friday - Weekly Recap 7-11-2013

Welcome back to Federal Friday with a happy belated 4th of July. I hope all of you out there had a fantastic holiday and were able to spend some quality time with friends, family, and some fireworks. For this week's blog I wanted to focus on 3 topics that really grabbed my attention over the last two weeks. NIST needs your help. In a blog post on Federal Technology Insider

6 min PCI

PCI 30 seconds newsletter #30 - Trainings your organization must deliver to comply with PCI DSS

PCI DSS requires organizations subject to compliance to deliver three specific types of training, namely: Security Awareness, Secure Coding and Incident Response. This newsletter describes what you should know about them in terms of What, Who and How. Security Awareness Associated PCI DSS requirement: 12.6 Audience: Any individual having access to data or system components that are part of the PCI scope. Objectives: In all domains, awareness of the risks and available safeguards is the first line of defe

1 min PCI

Whiteboard Wednesday - PCI Compliance

Hello all, This week, for Whiteboard Wednesday, it's everyone's favorite Community Manager - Patrick Hellen (i.e. me), breaking Today's Whiteboard Wednesday is all about PCI compliance. Watch as Ethan Goldstein, Security Engineer at Rapid7, tells you what PCI is, how to become PCI compliant, and what to look for in vendors that help you become compliant. Whether you are looking for a PCI Approved Scanning Vendor (ASV) or just trying to learn more about PCI, Rapid7 can help. Watch this quick v

2 min Compliance

Vulnerability Assessment Evaluation Criteria

Greetings SecurityStreet! Writing proposals for Rapid7, I get daily exposure to the requests that customers and industry experts have for vulnerability management products and vendors. Throughout my tenure here, I've noticed many patterns in the way customers ask about vulnerability management. I see broad categories of functionality requests all the time, like Asset Discovery and Compliance Scanning, and in many cases I see requests copied verbatim between different RFPs!

4 min PCI

PCI 30 seconds newsletter #29 - Do all PCI DSS requirements apply?

I recently assisted a medium-sized organization to align with PCI. The gap analysis and design phase raised a number of concerns from their side. All of the concerns started as something similar to: "Why do we need this? It introduces more risk." Implementing protection mechanisms without considering their added value and their impact on the environment and the business does not make sense. Security is a risk mitigation and management discipline, and all security-responsible individuals know perfectly

2 min Nexpose

Nexpose 5.6 - CIS RHEL Certified!

Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows certifications by adding CIS-certified assessment of Red Hat Enterprise Linux systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL 4, 5, and 6. This means you can now use Rapid7's integrated vulnerability and configuration management solution to assess the configuration of your RHEL desktops and servers. The CIS RHEL policies are included by default in