Vulnerability Management
No-Priority, Post-Auth Vulnerabilities
In the course of collecting and disclosing vulnerabilities, I occasionally come
across an issue that walks like a vuln, quacks like a vuln, but… it’s not
exactly a vuln. As per our usual vulnerability disclosure process
[https://www.rapid7.com/security/disclosure/], we still report these issues to
vendors. The behavior observed is nearly always a bug of some sort, but it’s not
immediately exploitable, or the “exploit” is merely exercising the expected
level of privilege, but in an unexpected con
Patch Tuesday
Patch Tuesday - September 2017
It's a big month, with Microsoft patching
[https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/5984735e-f651-e711-80dd-000d3a32fc99]
85 separate vulnerabilities including the two Adobe Flash Player Remote Code
Execution
[https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170013]
(RCE) fixes bundled with the Edge and Internet Explorer 11 updates. Continuing
recent trends, the bulk of Critical RCE vulnerabilities are client-side,
primarily in Edge, IE,
Vulnerability Management
Apache Struts S2-052 (CVE-2017-9805): What You Need To Know
Apache Struts, Again? What’s Going On?
Yesterday’s Apache Struts vulnerability announcement
[https://www.bleepingcomputer.com/news/security/new-apache-struts-vulnerability-puts-many-fortune-companies-at-risk/]
describes an XML Deserialization issue in the popular Java framework for web
applications. Deserialization of untrusted user input, also known as CWE-502
[https://cwe.mitre.org/data/definitions/502.html], is a somewhat well-known
vulnerability pattern, and I would expect crimeware kits to
Vulnerability Management
Live Threat-Driven Vulnerability Prioritization
We often hear that security teams are overwhelmed by the number of
vulnerabilities
[https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/] in their
environments: every day they are finding more than they can fix. It doesn't help
when rating schemes used for prioritization, like the Common Vulnerability
Scoring System (CVSS), don't really work at scale or take the threat landscape
into account. How do you know where to focus if your vulnerability management
solution [https://www.
Vulnerability Management
CVE-2017-5242: Nexpose/InsightVM Virtual Appliance Duplicate SSH Host Key
Today, Rapid7 is notifying Nexpose [https://www.rapid7.com/products/nexpose/]
and InsightVM [https://www.rapid7.com/products/insightvm/] users of a
vulnerability that affects certain virtual appliances. While this issue is
relatively low severity, we want to make sure that our customers have all the
information they need to make informed security decisions regarding their
networks. If you are a Rapid7 customer who has any questions about this issue,
please don't hesitate to contact your custome
Endpoint Security
Live Vulnerability Monitoring with Agents for Linux
A few months ago, I shared news of the release of the macOS Insight Agent.
Today, I'm pleased to announce the availability of the Linux Agent within
Rapid7's vulnerability management solutions
[https://www.rapid7.com/solutions/vulnerability-management/]. The arrival of the
Linux Agent completes the trilogy that Windows and macOS began in late 2016. For
Rapid7 customers, all that really matters is you've got new capabilities to add
to your kit.
Introducing Linux Agents
Take advantage of the
CIS Controls
The CIS Critical Security Controls Explained - Control 3: Continuous Vulnerability Management
Welcome to the third blog post on the CIS Critical Security Controls
[https://rapid7.com/solutions/compliance/critical-controls/]! This week, I will
be walking you through the third Critical Control: Continuous Vulnerability
Management. Specifically, we will be looking at why vulnerability management
[https://rapid7.com/solutions/vulnerability-management/] and remediation is
important for your overall security maturity, what the control consists of, and
how to implement it.
Organizations operat
CIS Controls
The CIS Critical Security Controls Explained - Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Stop No. 5 on our tour of the CIS Critical Security Controls
[https://www.rapid7.com/solutions/compliance/critical-controls/] (previously
known as the SANS Top 20 Critical Security Controls) deals with Secure
Configuration for Hardware and Software on Mobile Devices, Laptops,
Workstations, and Servers. This is great timing with the announcement of the
death of SHA1. (Pro tip: don't use SHA1
[https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/]
Nexpose
"Informational" Vulnerabilities vs. True Vulnerabilities
A question that often comes up when looking at vulnerability management
[https://www.rapid7.com/fundamentals/vulnerability-management-and-scanning/]
tools is, “how many vulnerability checks do you have?” It makes sense on the
surface; after all, fewer vulnerability checks = less coverage = missed
vulnerabilities during a scan, right?
As vulnerability researchers would tell you, it's not that simple: Just as not
all vulnerabilities are created equal, neither are vulnerability checks.
How “True”
Nexpose
Nexpose: Live Assessment and the Passive Scanning Trap
With the launch of Nexpose Now in June, we've talked a lot about the “passive
scanning trap” and “live assessment” in comparison. You may be thinking: what
does that actually mean? Good question.
There has been confusion between continuous monitoring and continuous
vulnerability assessment – and I'd like to propose that a new term “continuous
risk monitoring” be used instead, which is where Adaptive Security and Nexpose
Now fits. The goal of a vulnerability management program
[https://www.rapid
Nexpose
Vulnerability Assessment Reports in Nexpose: The Right Tool for the Right Job
Nexpose supports a variety of complementary reporting solutions that allows you
to access, aggregate, and take action upon your scan data. However, knowing
which solution is best for the circumstance can sometimes be confusing, so let's
review what's available to help you pick the right tool for the job.
I want to pull a vulnerability assessment report out of Nexpose. What are my
options?
Web Interface
The Nexpose web interface provides a quick and easy way to navigate through your
data. You ca
Nexpose
Publishing Nexpose Asset Risk Scores to ePO
Security professionals today face great challenges protecting their assets from
breaches by hackers and malware. A good vulnerability management solution
[https://www.rapid7.com/solutions/vulnerability-management/] could help mitigate
these challenges, but vulnerability management solutions often produce huge
volumes of data from scanning and require lots of time spent in differentiating
between information and noise.
Rapid7 Nexpose [https://www.rapid7.com/products/nexpose/] helps professionals
Nexpose
Nexpose integrates with McAfee ePO and DXL: The first unified vulnerability management solution for Intel Security customers!
We wanted to give you a preview into Nexpose's new integration with both McAfee
ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL); this is the
next stage of our partnership with Intel as their chosen vendor for
vulnerability management. This partnership is also a first for both Rapid7 and
Intel, as Nexpose is the only vulnerability management
[https://www.rapid7.com/solutions/vulnerability-management/] solution to not
only push our unique risk scoring into ePO for analysis, but al
Vulnerability Disclosure
Multiple Bluetooth Low Energy (BLE) Tracker Vulnerabilities
Executive Summary
While examining the functionality of three vendors' device tracker products, a
number of issues surfaced that leak personally identifying geolocation data to
unauthorized third parties. Attackers can leverage these vulnerabilities to
locate individual users' devices, and in some cases, alter geolocation data for
those devices. The table below briefly summarizes the twelve vulnerabilities
identified across three products.
Vulnerability | Device | R7 ID | CVE
Cleartext Password | TrackR Brav
Security Strategy
Checks and Balances - Asset + Vulnerability Management
Creating a Positive Feedback Loop
Recently I've focused on some specific use cases for vulnerability analytics
within a security operations program. Today, we're taking a step back to
discuss tying vulnerability management
[https://www.rapid7.com/solutions/vulnerability-management/] back in to asset
management
[https://www.rapid7.com/fundamentals/what-is-it-asset-management-itam/] to
create a positive feedback loop. This progressive, strategic method can
mitigate issues and oversights caused b