4 min
PCI
PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem
What's a Privileged account?
The term "Privileged account", also known as "High Privileged account" or "Super
user" refers to any type of account that holds special or extra permissions
within the enterprise systems.
They are generally categorized as:
* IT administrative accounts used to install or configure, e.g. UNIX root,
Windows Administrator accounts, or accounts associated with database ownership
and network components.
* Identity and access management accounts used to manage use
4 min
Penetration Testing
7 Tips for Booking Your PCI 3.0 Penetration Testing Service (And Why Consultants Will Book Out Early This Year)
PCI DSS Compliance is driving about 35% of all penetration tests, according to a
Rapid7 Metasploit User Survey with more than 2,200 respondents earlier this
year. With the changes introduced in PCI DSS version 3.0, penetration tests will
become more complex and longer in duration, and more companies will feel the
need to run penetration tests in the first place. Given that it takes a lot of
time and money to train new penetration testers, this will cause consultants to
book out early, and probab
11 min
Metasploit
New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers
Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate
payloads, test network segmentation, and generally increase productivity through
updated automation and reporting features. Since version 4.8, Metasploit has
added 67 new exploits and 51 auxiliary and post-exploitation modules to both its
commercial and open source editions, bringing our total module count up to
1,974. The new version is available immediately.
Generate AV-evading Dynamic Payloads
Malicious attackers u
2 min
Metasploit
Federal Friday - 3.21.14 - A Day of Reckoning
Friday at last...
Hello federal friends! I'm pleased to announce that the sun is setting here in
Boston at 6:58pm tonight and there is Major League Baseball being played this
weekend. Spring officially happened yesterday, which should make those of you in
DC put Monday's snow day out of sight and out of mind.
Did my ominous title catch your attention? Don't worry, this is not the end of
times, or even the end of days [http://www.imdb.com/title/tt0146675/] for that
matter (thank goodness) and mo
2 min
Metasploit
Federal Friday - 2.21.14 - NATO praises NIST's Framework
Happy Friday, federal friends! I hope you all enjoyed your long weekend and
short work-week. We're cruising through February here at the global HQ in
Beantown, with a big office move scheduled for early March. I hope most of you
have begun to thaw out and for those of you out there having a similar winter to
New England, think warm thoughts (it helps).
There was a nice article on Inside Security
[http://insidecybersecurity.com/Cyber-General/Cyber-Public-Content/nato-cybersecurity-center-praises
5 min
PCI
PCI 30 seconds newsletter #35 - Patch management, how to comply with PCI.
In newsletter #15 [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] I
addressed the problem of flaws in our working environments. As a follow-up I'm
covering here the topic of patch management and its applicability within the
context of PCI, a domain with a 49.5% compliance rate as per the Verizon 2014 PCI
Compliance Report.
What's a patch?
In the same way a needlewoman would apply a piece of cloth to repair a hole in
your favorite coat, a patch or fix is a piece of software that can be ap
4 min
Metasploit
Federal Friday - 1.31.14 - Positioning for a Holistic Cybersecurity Deployment
Hello federal friends, happy last Friday of January. Is the year flying by
already for anyone else?
I wanted to talk to you this week about how to position your organization to
better prepare yourselves from a cybersecurity standpoint. Who better to help me
do this than Jennifer Aniston?
"Yeah. Yeah. We do. Although I didn't actually choose these. I, um, I just sorta
grabbed fifteen buttons and just...I don't even know what they say! Y'know, I
don't really care. I don't really like talkin
1 min
Compliance
PCI DSS v3.0 - Rapid7's Guide to PCI Compliance.
If you're one of the many businesses that have to be PCI Compliant, the latest
changes that are coming out in 3.0 are probably of great interest to you.
Thankfully, we here at Rapid7 want to make the transition easier, so we present
two options for you to learn more about these new changes.
First, above, is our PCI DSS 3.0 Whiteboard Wednesday. Our PMM for Nexpose, Nate
Crampton, takes you through a brief overview of the changes, and what these new
requirements might mean for your business.
4 min
PCI
PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework
Strong Cryptography is referred to by PCI DSS through the following
requirements:
2.3 - Encrypt all non-console administrative access using strong cryptography.
Use technologies such as SSH, VPN, or SSL/TLS for web-based management and
other non-console administrative access.
4.1 - Use strong cryptography and security protocols (for example, SSL/TLS,
IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission
over open, public networks.
Cryptographic solutions are also su
4 min
Metasploit
Federal Friday - Weekly Recap 7-11-2013
Welcome back to Federal Friday with a happy belated 4th of July. I hope all of
you out there had a fantastic holiday and were able to spend some quality time
with friends, family, and some fireworks. For this week's blog I wanted to focus
on 3 topics that really grabbed my attention over the last two weeks.
NIST needs your help. In a blog post on Federal Technology Insider
[http://federaltechnologyinsider.com/calling-all-cybersecurity-experts-nist-seeks-public-input-on-protecting-national-cri
6 min
PCI
PCI 30 seconds newsletter #30 - Trainings your organization must deliver to comply with PCI DSS
PCI DSS requires organizations subject to compliance to deliver three specific
trainings, namely: Security Awareness, Secure Coding and Incident Response. This
newsletter describes what you should know about them in terms of What, Who and
How.
Security Awareness
Associated PCI DSS requirement: 12.6
Audience: Any individual having access to data or system components part of the
PCI scope.
Objectives: In all domains, awareness of the risks and available safeguards are
the first line of defe
1 min
PCI
Whiteboard Wednesday - PCI Compliance
Hello all. This week, for Whiteboard Wednesday, it's everyone's favorite
Community Manager - Patrick Hellen (i.e. me), breaking
Today's Whiteboard Wednesday is all about PCI compliance. Watch as Ethan
Goldstein, Security Engineer at Rapid7, tells you what PCI is, how to become PCI
compliant, and what to look for in vendors that help you become compliant.
Whether you are looking for a PCI Approved Scanning Vendor (ASV) or just trying
to learn more about PCI, Rapid7 can help. Watch this quick v
2 min
Compliance
Vulnerability Assessment Evaluation Criteria
Greetings SecurityStreet! Writing proposals for Rapid7, I get daily exposure to
the requests that customers and industry experts have for vulnerability
management products and vendors. Throughout my tenure here, I've noticed many
patterns in the way customers ask about vulnerability management. I see broad
categories of functionality requests all the time, like Asset Discovery and
Compliance Scanning, and in many cases I see requests written as a verbatim
copy between different RFPs!
4 min
PCI
PCI 30 seconds newsletter #29 - Do all PCI DSS requirements apply?
I recently assisted a medium-sized organization in aligning with PCI. The gap
analysis and design phase raised a number of concerns from their side. All of
the concerns started as something similar to: "Why do we need this? It induces
more risks."
Implementing protection mechanisms without considering their added values and
impact on the environment and the business does not make sense. Security is a
risk mitigation and management discipline and all security responsible
individuals know perfectly
2 min
Nexpose
Nexpose 5.6 - CIS RHEL Certified!
Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows
certifications by adding CIS certified assessment of Red Hat Enterprise Linux
systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL
4, 5, & 6. This means you can now use Rapid7's integrated vulnerability and
configuration management [http://www.rapid7.com/products/nexpose/] solution to
assess the configuration of your RHEL desktops and servers.
The CIS RHEL policies are included by default in