Posts tagged Public Policy

8 min Public Policy

How Do We De-Criminalize Security Research? AKA What's Next for the CFAA?

Anyone who read my breakdown on the President's proposal for cybersecurity legislation [/2015/01/23/will-the-president-s-cybersecurity-proposal-make-us-more-secure] will know that I'm very concerned that both the current version of the Computer Fraud and Abuse Act (CFAA) [http://www.law.cornell.edu/topn/computer_fraud_and_abuse_act_of_1986], and the update recently proposed by the Administration [http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-law-enforcement-tool

10 min Public Policy

Will the President's Cybersecurity Proposal Make Us More Secure?

Last week, President Obama proposed a number of bills to protect consumers and the economy from the growing threat of cybercrime and cyberattacks. Unfortunately in their current form, it's not clear that they will make us more secure. In fact, they may have the potential to make us more INsecure due to the chilling effect on security research. To explain why, I've run through each proposed bill in turn below, with my usual disclaimer that I'm not a lawyer. Before we get into the details, I want

2 min CISOs

Top 3 Takeaways from "CyberSecurity Awareness Panel: Taking it to the C-Level and Beyond"

Hi, I'm Meredith Tufts. I recently joined Rapid7 and if you were on the live Oct. 30th webcast, “CyberSecurity Awareness Panel: Taking it to the C-Level and Beyond” – I was your moderator. It's nice to be here on SecurityStreet, and this week I'm here to provide you with the Top 3 Takeaways from our CyberSecurity Awareness month webcast where we were joined by a panel of experts: Brian Betterton - Director, Security, Risk and Compliance at Reit Management & Research Trey Ford - Global Security

3 min Public Policy

Cyber Security Awareness Month: Why Your Organization Needs Security Policies

October is "cyber security awareness month" in the US [http://www.staysafeonline.org/ncsam/] and across the European Union [http://www.enisa.europa.eu/activities/stakeholder-relations/nis-brokerage-1/european-cyber-security-month-advocacy-campaign] . We're marking this with a series of posts designed to help you talk to your executive team about security. Given the number of high profile breaches in the past year alone, the C-suite and Board are starting to pay attention to cyber security and th

4 min Public Policy

Petition for Reform of the DMCA and CFAA - Why I Care, and Why I Think You Should Too.

Here's the TL;DR: Software now runs everything and all software has flaws, which means that we, as consumers, are at risk. This includes YOU, and can impact your safety or quality of life. Sign this petition to protect your right to information on how you are exposed to risk: https://petitions.whitehouse.gov/petition/unlock-public-access-research-software-safety-through-dmca-and-cfaa-reform/DHzwhzLD The petition Last weekend a petition [https://petitions.whitehouse.gov/petition/unlock-public

2 min Compliance

Vulnerability Assessment Evaluation Criteria

Greetings SecurityStreet! Writing proposals for Rapid7, I get daily exposure to the requests that customers and industry experts have for vulnerability management products and vendors. Throughout my tenure here, I've noticed many patterns in the way customers ask about vulnerability management. I see broad categories of functionality requests all the time, like Asset Discovery and Compliance Scanning, and in many cases I will often see requests written as a verbatim copy between different RFP's!

2 min Nexpose

Nexpose 5.6 - CIS RHEL Certified!

Nexpose 5.6, released last week, builds on our USGCB, FDCC, and CIS Windows certifications by adding CIS certified assessment of Red Hat Enterprise Linux systems. Nexpose 5.6 includes the CIS "Level I" and "Level II" policies for RHEL 4, 5, & 6.  This means you can now use Rapid7's integrated vulnerability and configuration management [http://www.rapid7.com/products/nexpose/] solution to assess the configuration of your RHEL desktops and servers. The CIS RHEL policies are included by default in

11 min PCI

PCI 30 Seconds newsletter #28 - The PCI Library - What docs are required for compliance?

Compliance programs are heavily based on documentation and PCI is no exception. Technical and non-technical documents are a major part of the PCI journey and certainly of the compliance audit. Documents (technical descriptions, diagrams, policies, procedures, standards, audit trails, scan reports, pen test reports, risk analysis reports, test reports, …) are the auditor's food. Therefore, besides the technical specifics, no one should neglect or underestimate the effort and time neces

1 min Public Policy

White House Cybersecurity Executive Order

Last night, in the State of the Union, President Obama highlighted the risk that America faces from cyber-attack. He also signed an executive order on cybersecurity [http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity] , expanding the availability of unclassified threat information to critical infrastructure companies and appointing NIST to lead the development of a cybersecurity framework. These are positive steps to improving th

2 min Release Notes

Getting the Most from Customizable CSV Exports - Part 6

Hi, my name is Eden Martinez, and I'm a Federal Sales Engineer with Rapid7. Larger environments often list scalability as one of their top problems; specifically, too much data. With current tools, it's not hard to generate large data sets. Most tools are comprehensive with a focus on the largest list of results wins. While you can turn all the knobs on Nexpose up to 11, I've found many enterprise environments prefer to focus on prioritization of vulnerabilities and trending of the results. M

4 min Release Notes

Configuration assessment and policy management in Nexpose 5.2

We love our policy Dashboards. They are new, hot, intuitive, robust and really useful. In our latest release of Nexpose, version 5.2, we've made two major enhancements to our configuration assessment capabilities:

* A policy overview dashboard: To understand the current status of compliance of configurations, delivering a summary of the policy itself.
* A policy rule dashboard: To provide further details for a particular rule and the current compliance status for that rule.

What makes th