CIS Controls
CIS Critical Security Control 13: Data Protection Explained
This is a continuation of our CIS critical security controls blog series
[/2017/04/19/the-cis-critical-security-controls-series].
Data protection is one of the cornerstones of a solid security program, and it
is a critical function of the CIA Triad of Confidentiality, Integrity, and
Availability. Data protection, as characterized by Critical Control 13, is
essentially secure data management. What do we mean by that?
What is CIS Critical Security Control 13?
Secure data management encompasses c
CIS Controls
CIS Critical Control 12: Boundary Defense Explained
This blog is a continuation of our blog series on the CIS Critical Controls
[/2017/04/19/the-cis-critical-security-controls-series/].
Key Principle: Detect/prevent/correct the flow of information transferring
networks of different trust levels with a focus on security-damaging data.
What Is It?
Boundary defense is control 12
[https://www.cisecurity.org/controls/boundary-defense/] of the CIS Critical
Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] and is
part of the ne
CIS Controls
CIS Critical Control 11: Secure Configurations for Network Devices
This blog is a continuation of our blog series on the CIS Critical Controls
[/2017/04/19/the-cis-critical-security-controls-series/].
We’ve now passed the halfway point in the CIS Critical Security Controls
[https://www.rapid7.com/fundamentals/cis-critical-security-controls/]. The 11th
deals with Secure Configurations for Network Devices. When we say network
devices, we’re referring to firewalls, routers, switches, and network IDS
[https://en.wikipedia.org/wiki/Intrusion_detection_system] setup
Vulnerability Management
Rapid7 Named a Leader in Forrester Wave for Vulnerability Risk Management
Today, we’re excited to announce a major milestone for InsightVM
[https://www.rapid7.com/products/insightvm/]: Recognition as a Leader in The
Forrester Wave™: Vulnerability Risk Management, Q1 2018, earning top scores in
both the Current Offering and Strategy categories. We are proud of the
achievement not only because of years of hard work from our product team, but
also because we believe that it represents the thousands of days and nights
spent working with customers to understand the challen
CIS Controls
CIS Critical Control 10: Data Recovery Capability
Hope you enjoyed your stop at Center for Internet Security (CIS) Critical
Control 9: Limitation and Control of Network Ports, Protocols, and Services
[/2018/03/05/cis-critical-control-9-limitation-and-control-of-ports-protocols-and-services/]!
If you missed the previous stops on this journey, please check out our full
blog series on the CIS Top 20 Critical Controls
[/2017/04/19/the-cis-critical-security-controls-series/]; each blog provides
educational information regarding the control of focus
CIS Controls
CIS Critical Control 9: Limitation and Control of Ports, Protocols, and Services
This is a continuation of our CIS Critical Controls blog series. Need help
addressing these controls? See why SANS listed Rapid7 as the top solution
provider addressing the CIS top 20 controls
[https://www.rapid7.com/solutions/compliance/critical-controls/].
If you’ve ever driven on a major metropolitan highway system, you’ve seen it:
The flow of traffic is completely engineered. Routes are optimized to allow
travelers to reach their destinations as quickly as possible. Traffic laws
speci
Compliance
HIPAA Security Compliance Fallacies (And How To Avoid Them)
Health Insurance Portability and Accountability Act (HIPAA) compliance hasn’t
been what I thought it was going to be. When I first started out as an
independent security consultant, I was giddy over the business opportunities
that I just knew HIPAA compliance was going to bring. Around that time, I
learned something from sales expert, Jeffrey Gitomer, that has had a profound
impact on my career. He said that if you work for yourself and are in sales,
which I am, that you must write and speak if
InsightVM
Vulnerability Management Year in Review, Part 1: Collect
Sometimes, it seems change is the only permanent thing in information security. To help deal with change on your terms, we set out to help maintain visibility to your environment as it is presented to you. How? By efficiently collecting vulnerability data at scale.
Haxmas
An Evaluation of the North Pole’s Password Security Posture
Co-written by Jonathan Stines [https://twitter.com/fr4nk3nst1ner] and Tommy Dew
[https://twitter.com/tommydew3]. See all of this year's HaXmas content here
[/tag/haxmas].
He sees your password choices;
He knows when they’re not great.
So don’t reuse those passwords, please,
And make them all longer than eight.
Now that Christmas has passed and all of the chaos from the holidays is winding
down, Santa and the elves are finally able to sit back and recover from the
strenuous Holiday commotion. H
Application Security
Takeaways from 2017 SANS State of Application Security Survey
The training and research organization SANS recently released their 2017 State
of Application Security survey results. The new report proves that now, more
than ever, organizations need to invest in solutions that automate application
security testing [https://www.rapid7.com/solutions/application-security/] in
order to reap benefits like:
* Identifying security vulnerabilities earlier in the development cycle, when
they’re cheaper to fix.
* Reduced friction between Security and Development
Metasploit
Testing Developer Security with Metasploit Pro Task Chains
In this modern age, technology continues to make inroads into all sorts of
industries. Everything from smartphones to late-model automobiles to
internet-connected toasters requires software to operate, and this proliferation
of software has brought along gaggles of software developers with their
tools-of-the-trade. All this technology, not to mention the people utilizing it,
can result in an increased attack surface for organizations doing software
development.
In this blog post, we’ll explore
Metasploit
Testing SMB Security with Metasploit Pro Task Chains: Part 2
This is part two of our blog series on testing SMB security with Metasploit Pro.
In the previous post, we explained how to use Metasploit Pro’s Task Chains
feature to audit SMB passwords automatically. Read it here
[/2017/10/31/testing-smb-server-security-with-metasploit-pro-task-chains-part-1/]
if you haven’t already.
In today’s blog post, we will talk about how to use a custom resource script in
a Task Chain to automatically find some publicly-known high-profile
vulnerabilities in SMB. Publi
Metasploit
Testing SMB Server Security with Metasploit Pro Task Chains: Part 1
A step-by-step guide to testing SMB server security using Metasploit Pro Task Chains.
Endpoint Security
Addressing the issue of misguided security spending
It's the $64,000 question in security – both figuratively and literally: where
do you spend your money? Some people vote, at least initially, for risk
assessment. Some for technology acquisition. Others for ongoing operations.
Smart security leaders will cover all the above and more. It's interesting
though – according to a recent study titled the 2017 Thales Data Threat Report
[http://www.prnewswire.com/news-releases/2017-thales-data-threat-report-security-spending-decisions-leave-sensitive-dat
Security Strategy
Checks and Balances - Asset + Vulnerability Management
Creating a Positive Feedback Loop
Recently I've focused on some specific use cases for vulnerability analytics
within a security operations program. Today, we're taking a step back to
discuss tying vulnerability management
[https://www.rapid7.com/solutions/vulnerability-management/] back in to asset
management
[https://www.rapid7.com/fundamentals/what-is-it-asset-management-itam/] to
create a positive feedback loop. This progressive, strategic method can
mitigate issues and oversights caused b