4 min
Tips and Tricks
Feel Like Family Tech Support? Tips for Securing Your Loved Ones This Holiday Season
In this post, we offer some specific advice on how you can make some headway on battening down the cyber-hatches of your loved ones’ home networks.
7 min
API
Your Guide to InsightVM’s RESTful API
A Security Automation-Focused API for Forward-Thinking Vulnerability Management
Released in January of 2018, Rapid7 InsightVM
[https://www.rapid7.com/products/insightvm/]’s API version 3—the RESTful API
[/2018/01/18/a-restful-api-for-insightvm/]—was a highly anticipated, perhaps
somewhat inconspicuous, addition to our vulnerability management solution
[https://www.rapid7.com/solutions/vulnerability-management/]. Introduced as a
successor to previous API versions, the RESTful API was designed for
4 min
Application Security
How DevOps Can Use Quality Gates for Security Checks
Your team has been working at all hours to put the final touches on code for a
new big feature release. All the specs are in, the feature works as expected,
and the code is pushed to production. A few hours later, the daily security scan
runs and the alerts start piling in. What went wrong? And what do you do now?
Typically when this happens, it means rolling back the entire deployment,
retroactively fixing the bugs and vulnerabilities in the code, and a week or two
later, re-deploying. If you’
4 min
InsightVM
How to Streamline Your Vulnerability Remediation Workflows with InsightVM Projects
If you’re like many security practitioners, you spend a lot of time working with
spreadsheets. Whether you’re trying to prioritize your findings or distribute
work to remediation teams, an all-too-common workflow is to export this data
into a spreadsheet to then be sorted, filtered, copied, and distributed.
This tedious, manual effort seems to be the standard for vulnerability
management programs [https://www.rapid7.com/solutions/vulnerability-management/]
everywhere, but with our vulnerabil
4 min
Rapid7 Perspective
5 Tips for a Cyber Holiday Season
Five tips on how to approach security this holiday season with family and friends
4 min
Nexpose
Creating your First Vulnerability Scan: Nexpose Starter Tips
Welcome to Nexpose and the Rapid7 family! This blog is a step by step guide for
new Nexpose [https://www.rapid7.com/products/nexpose/?CS=blog] customers to show
you how to set up your first site, start a scan, and get your vulnerability
management
[https://www.rapid7.com/solutions/vulnerability-management.jsp?CS=blog] program
under way.
First things first: A few definitions in Nexpose:
Site: A (usually) physical group of assets; i.e. what you want to scan
Scan Template: The things that your
4 min
Skills
Are You Enabling Corporate Espionage?
While I was flipping through some news stories the other day, a small headline
appeared that piqued my interest
[http://www.darkreading.com/attacks-breaches/former-st-louis-cardinals-exec-pleads-guilty-to-cyber-espionage-charges/d/d-id/1323824?_mc=RSS_DR_EDT].
The headline reads: Former St. Louis Cardinals Exec Pleads Guilty To Cyber
Espionage Charges
Cyber espionage… in baseball? That was too intriguing to pass up!
It essentially describes this: employees from one club, the St Louis Cardina
10 min
Tips and Tricks
12 Days of HaXmas: Advanced Persistent Printer
This post is the second in the series, "The 12 Days of HaXmas."
By Deral Heiland, Principal Consultant, and Nate Power, Senior Consultant, of
Rapid7 Global Services
Year after year we have been discussing the risk of Multi-Function Printers
(MFP) in the corporate environment and how a malicious actor can easily leverage
these devices to carry out attacks, including extraction of Windows Active
Directory credentials via LDAP and abusing the "Scan to File" and "Scan to
E-mail" features. To take
3 min
Skills
'Tis the season! For user outreach
As we prepare to move into the end of the year holiday season, organizations
tend to enter into one of two modes: they are either winding down end of the
year activities in preparation to close their books, or they are sprinting to
get things done before the end of the year. Sometimes it's a mixture of both
these things. One common theme, no matter what mode you are in, is that your users
will be distracted by the holidays. And if they are distracted, they are more
prone to error, which means more vul
2 min
Skills
How Does #cyberaware Broaden Our Community?
We all know, from experience or the Verizon DBIR, that stolen credentials are
the most common attack vector. Users still present massive risk to our
organizations, yet there's plenty of debate about the effectiveness of user
training. Meanwhile, users are getting all the FUD of breaches in the news, and
aren't yet armed to have constructive conversations about them.
Now, this is not to say there aren't awesome security teams running security
training programs out there – there most definitely a
2 min
Phishing
Top 3 Takeaways from the "How to Make your Workplace Cyber-Safe" Webcast
In the first of four Cyber Security Awareness Month webcasts
[https://information.rapid7.com/cyber-security-awareness-month-2015.html?CS=blog],
a panel of security experts, including Bob Lord, CISO in Residence at Rapid7,
Ed Adams, President and CEO at Security Innovation, Chris Secrest, Information
Security Manager at MetaBank, and Josh Feinblum, VP of Information Security at
Rapid7, came together to discuss, "How to Make your Workplace Cyber-Safe
[https://information.rapid7.com/how-to-make-yo
3 min
Events
The Black Hat Attendee Guide, Part 1 - How to Survive Black Hat
If you're like me, you have wanted to go to Black Hat
[http://blackhat.com/us-15/] for ages. If you're going, have a game plan. For
first timers, this series will be a primer full of guidance and survival tips.
For returning attendees, this will help maximize your experience at Black Hat.
First, I want to give you perspective on my bias, coloring guidance offered
here. My slant is that of someone who was a booth babe (sales engineer), a
speaker, an attendee, Review Board member and former Gen
3 min
Skills
Top 4 Takeaways from the "2015 Security New Year's Resolutions: Expert Panel" Webcast
In this week's webcast, our panel of security experts took the time to reflect
on the past year and discuss their 2015 Security New Year's Resolutions
[https://information.rapid7.com/2015-security-resolutions.html?CS=blog]. For
this discussion Trey Ford [/author/trey-ford/], Global Security Strategist at
Rapid7, and Josh Feinblum [/author/josh-feinblum/], VP of Information Security
at Rapid7 were joined by Andrew Plato, President/CEO at Anitian, Chris Calvert,
Senior Strategy Manager – Red Team
4 min
Metasploit Weekly Wrapup
Weekly Metasploit Update: Post-4.10 Edition
Since we Last Left Our Heroes...
Wow, it's been a busy couple weeks here, post-DefCon/Black Hat. As you no doubt
have noticed, we released Metasploit 4.10
[/2014/08/13/credentials-are-the-new-exploits-make-credentials-work-for-you-with-with-metasploit-410],
which brings some major architectural changes to how our brute force login
scanners are written, run, and logged -- you can read up on all that over at
Dave TheLightCosine [https://twitter.com/TheLightCosine] Maloney's delightful
documentati
3 min
Phishing
How Vulnerable Are Your Phishing Targets?
When you're assessing the exposure to phishing in your organization, one
important part is the client-side vulnerabilities that would enable a malicious
attacker to exploit a browser. In this blog post, I'd like to outline a
non-invasive (and free!) way to get visibility into your client-side risk
landscape.
There are essentially two ways to use phishing as part of your security program.
* Phish 2 Pwn: If you are a penetration tester, you'll likely use spear
phishing of a couple of users