The NAIC Insurance Data Security Model Law suggests a modern approach to detecting and responding to threats. This post looks at a few interesting requirements and shares how we can partner with your team across people, process, and technology.…
Knowing what you are scanning, how often, and with how much success is vital to knowing your vulnerability data is accurate, up-to-date, and reflects your security position. InsightAppSec can help.…
From conference talks and business hall exhibitions to security trainings and personal conversations, the big takeaway from the past week was undeniable. Our industry is at an inflection point, and everyone is focused on a common theme: unification.…
Microsoft's updates this month address over 60 vulnerabilities, 20 of which are classified as Critical. As usual, most of this month's fixes are browser-related, and nearly half of the flaws could lead to remote code execution (RCE). Patches for Exchange, SQL Server, and Microsoft Office…
An effective incident response plan helps you quickly discover attacks, contain the damage, eradicate the attacker's presence, and restore the integrity of your network and systems.…
Check Yourself Before You Wreck Yourself Even if you're a pro sleuth who can sniff out a vulnerability on even the most hardened of networks, it's always nice to be have some added validation that your attack is going to be successful. That's why it's…
Active Directory serves as the keys to your kingdom, managing user and system access and policies on a daily basis. As such, it’s arguably one of the most important systems to secure, but are you doing it right?…
Application software security (Critical Control 18) may seem overwhelming, but when upheld, it can make your SDLC wishes and SecOps dreams come true.…
Meterpreter on Axis Everyone loves shells, but Meterpreter sessions are always better. Thanks to William Vu, the axis_srv_parhand_rce module is now capable of giving you a Meterpreter session instead of a regular shell with netcat. DLL Injection for POP/MOV SS Another…
Many parallels can be drawn between the Philippines Data Protection Act and GDPR, but there are some nuances between the two laws—and one massive difference.…
In this post, we’ll review results and trends from Under the Hoodie 2018 as they relate to incident detection, including where our red team found success.…
Cracking a cybersecurity case often requires more than one viewpoint—just look at Starsky and Hutch. For internet-related cases in particular, Rapid7 Labs' Project Sonar and Project Heisenberg each offer unique strengths.…
Developing out a new security program but neglecting to train your employees on it is like shipping out this year’s hottest product but forgetting to stash the instruction manual in the box. The key principle behind CIS Critical Control 17 is implementing a security awareness and training program.…
CMS Exploitation Made Simple "CMS Made Simple" is an open-source Content Management System. Mustafa Hasen discovered and reported that versions 2.2.5 and 2.2.7 include a vulnerability in file uploads that permit an authenticated attacker to gain execution of arbitrary…
Hear from Rebekah Brown, Rapid7’s threat intel lead, on Attacker Behavior Analytics and how Rapid7 is developing next gen threat detections for customers.…
