Posts tagged Compliance

5 min PCI

PCI 30 seconds newsletter #35 - Patch management, how to comply with PCI.

In the newsletter #15 [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] I addressed the problem of flaws in our working environments. As a follow-up, I'm covering here the topic of patch management and its applicability within the context of PCI, a domain with a 49,5% compliance rate as per the Verizon 2014 PCI Compliance report. What's a patch? In the same way a needlewoman would apply a piece of cloth to repair a hole in your favorite coat, a patch or fix is a piece of software that can be ap

4 min Metasploit

Federal Friday - 1.31.14 - Positioning for a Holistic Cybersecurity Deployment

Hello federal friends, happy last Friday of January. Is the year flying by already for anyone else? I wanted to talk to you this week about how to position your organization to better prepare yourselves from a cybersecurity standpoint. Who better to help me do this than Jennifer Aniston? "Yeah. Yeah. We do. Although I didn't actually choose these. I, um, I just sorta grabbed fifteen buttons and just...I don't even know what they say! Y'know, I don't really care. I don't really like talkin

1 min Compliance

PCI DSS v3.0 - Rapid7's Guide to PCI Compliance.

If you're one of the many businesses that have to be PCI Compliant, the latest changes that are coming out in 3.0 are probably of great interest to you.  Thankfully, we here at Rapid7 want to make the transition easier, so we present two options for you to learn more about these new changes. First, above, is our PCI DSS 3.0 Whiteboard Wednesday. Our PMM for Nexpose, Nate Crampton, takes you through a brief overview of the changes, and what these new requirements might mean for your business.

4 min PCI

PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework

Strong Cryptography is referred to by PCI DSS through the following requirements: 2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. 4.1 - Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Cryptographic solutions are also su

4 min Metasploit

Federal Friday - Weekly Recap 7-11-2013

Welcome back to Federal Friday with a happy belated 4th of July. I hope all of you out there had a fantastic holiday and were able to spend some quality time with friends, family, and some fireworks. For this week's blog I wanted to focus on 3 topics that really grabbed my attention over the last two weeks. NIST needs your help. In a blog post on Federal Technology Insider [http://federaltechnologyinsider.com/calling-all-cybersecurity-experts-nist-seeks-public-input-on-protecting-national-cri

6 min PCI

PCI 30 seconds newsletter #30 - Trainings your organization must deliver to comply with PCI DSS

PCI-DSS requires organizations subjected to compliance to deliver three specific trainings, namely: Security Awareness, Secure Coding and Incident response. This newsletter describes what you should know about them in terms of What, Who and How. Security Awareness Associated PCI DSS requirement: 12.6 Audience: Any individual having access to data or system components part of the PCI scope. Objectives: In all domains, awareness of the risks and available safeguards are the first line of defe

1 min PCI

Whiteboard Wednesday - PCI Compliance

Hello all, This week, for Whiteboard Wednesday, it's everyone's favorite Community Manager - Patrick Hellen (ie - me), breaking Today's Whiteboard Wednesday is all about PCI compliance. Watch as Ethan Goldstein, Security Engineer at Rapid7, tells you what PCI is, how to become PCI compliant, and what to look for in vendors that help you become compliant. Whether you are looking for a PCI Approved Scanning Vendor (ASV) or just trying to learn more about PCI, Rapid7 can help. Watch this quick v

2 min Compliance

Vulnerability Assessment Evaluation Criteria

Greetings SecurityStreet! Writing proposals for Rapid7, I get daily exposure to the requests that customers and industry experts have for vulnerability management products and vendors. Throughout my tenure here, I've noticed many patterns in the way customers ask about vulnerability management. I see broad categories of functionality requests all the time, like Asset Discovery and Compliance Scanning, and in many cases I will often see requests written as a verbatim copy between different RFPs!

4 min PCI

PCI 30 seconds newsletter #29 - Do all PCI DSS requirements apply?

I recently assisted a medium-sized organization to align with PCI. The gap analysis and design phase raised a number of concerns from their side. All of the concerns started as something similar to: "Why do we need this? It induces more risks". Implementing protection mechanisms without considering their added values and impact on the environment and the business does not make sense. Security is a risk mitigation and management discipline and all security responsible individuals know perfectly

2 min Nexpose

Nexpose 5.6 - CIS RHEL Certified!

Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows certifications by adding CIS certified assessment of Red Hat Enterprise Linux systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL 4, 5, & 6.  This means you can now use Rapid7's integrated vulnerability and configuration management [http://www.rapid7.com/products/nexpose/] solution to assess the configuration of your RHEL desktops and servers. The CIS RHEL policies are included by default in

5 min Release Notes

Simplify Vulnerability Management with Nexpose 5.6

We are pleased to announce the next major release of Nexpose, version 5.6.  This release focuses on providing you the most impactful remediation steps to reduce risk to your organization and extends our current configuration assessment functionality. New Look and Feel The most visible change in Nexpose 5.6 is the new look and feel of the user interface.  The action header is now smaller to maximize screen space and usability, and the new colour scheme makes it easier to focus on important areas

11 min PCI

PCI 30 Seconds newsletter #28 - The PCI Library - What docs are required for compliance?

Compliance programs are heavily based on documentation and PCI does not make an exception. Technical and non-technical documents are a major part of the PCI journey and certainly of the compliance audit. Documents (technical description, diagram, policies, procedures, standards, audit trails, scan reports, pen test report, risk analysis report, test report, …) are the auditor's food. Therefore, besides the technical specificities, no one should neglect or underestimate the effort and time neces

4 min PCI

PCI 30 seconds Newsletter #27 - Should I disable my protection system for ASV scans?

In the context of intrusion detection and prevention, PCI DSS requires implementation/configuration of Firewalls (Req 1), Anti-virus (Req 5) and Intrusion detection systems (IDS) (Req 11.4). Optionally, organizations are invited to consider the use of Intrusion Prevention Systems (IPS) in place of or in addition to IDS (Req 11.4) as well as Web Application Firewalls (Req 6.6). The first group of required protection systems is known as static systems. They do not dynamically modify their behavior.

2 min PCI

Do You (Un)knowingly Exfiltrate?

A few weeks ago, Twitter was buzzing about new and interesting Google Hacks. If you've been visiting this community for more than one day, you'll probably know this already; a Google Hack is a search query that produces some type of unauthorized access to (supposedly) protected data. In this latest iteration, the query is used to disclose private SSH keys stored on Github [https://github.com/search?q=size:%3E1+path:.ssh/id_rsa&type=Code&ref=searchresults] . Of course, this problem isn't limited

2 min Compliance

Malicious SSIDs And Web Apps

On February 13th 2013, Cisco released a security notice related to CVE-2013-1131 [http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-1131] . According to Cisco, the vulnerability is due to improper validation of the Service Set Identifier (SSID) when performing a "site survey" to discover other wireless networks. On the face of it, this vulnerability seems to be low-risk. Indeed, site surveys are not often performed and an adversary would need to either be incredibly luc