Rapid7 Blog

Deral Heiland  


The Term Internet of Things (IoT) Should Change

I have been the IoT Research Lead at Rapid7 for nearly two years. During those two years, we’ve seen the industry struggle to define IoT. Many organizations are still thinking of IoT as simple consumer toys that do not impact them, but that is…

ROCA: Vulnerable RSA Key Generation

In the KRACK-related and BadRabbit-related chaos of the past week and a half, some people missed a less flashy vulnerability that nevertheless dug up key long-term questions on IoT supply chains and embedded technology. The Czech-based Center for Research on Cryptography and Security published research…

IoT Mobile Application Credential Encryption

Rapid7 IoT Research Lead Deral Heiland offers several of his takeaways from testing IoT mobile applications.…

In Fear of IoT Security

I wish I had a dime for every time I have heard someone say “With so many vulnerabilities being reported in the Internet of Things, I just don't trust that technology, so I avoid using any of it.” I am left scratching my head…

IoT Security Testing Methodology

By Deral Heiland, IoT Research Lead, Rapid7; Nathan Sevier, Senior Consultant, Rapid7; Chris Littlebury, Threat Assessment Manager, Rapid7. End-to-end ecosystem methodology: When examining IoT technology, the actionable testing focus and methodology are often applied solely to the embedded device. This is…

IoT: Friend or Foe?

Since IoT can serve as an enabler, I prefer to consider it a friend. However, the rise of recent widespread attacks leveraging botnets of IoT devices has called the trust placed in these devices into question. The massive DDoS attacks have quieted down for now,…

12 Days of HaXmas: 2016 IoT Research Recap

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts…

IoT Security vs Usability

Recently we all have found ourselves talking about the risk and impact of poorly secured IoT technology and who is responsible. Fact is there is enough blame to go around for everyone, but let's not go there. Let us start focusing on solutions that can…

Research Lead (IoT)

It has been an amazing journey serving as the Research Lead for the Internet of Things (IoT) at Rapid7 for the past 10 months. I came into the role with more than a decade of experience as a security penetration tester and nearly 15 years of…

Avoiding Default Fail

As the Internet of Things (IoT) quickly floods into the marketplace, into our homes and into our places of employment, my years of pen testing experience and every research project I spin up remind me IoT has weak defaults -- especially default passwords, which…

What Is the Internet of Things? The Current Struggle With Defining IoT

Nearly every conversation I have had around the Internet of Things (IoT) and what it means to an organization starts off with the question, “What is IoT?” This question is often followed by many people giving many different answers. I'm sure I won't…

Getting a Handle on the [Internet of] Things in the Enterprise

This blog post was written by Bob Rudis, Chief Security Data Scientist and Deral Heiland, Research Lead. Organizations have been participating in the “Internet of Things” (IoT) for years, long before marketers put this new three-letter acronym together. HVAC monitoring/control, badge access, video surveillance…

SNMP Data Harvesting During Penetration Testing

A few months back I posted a blog entry, SNMP Best Practices, to give guidance on best methods to reduce security risks as they relate to SNMP. Now that everyone has had time to fix all those issues, I figured it's time to give some…

Jumping Off Into The IoT World

Recently I transitioned from a Principal Consultant role into a new role at Rapid7, as Research Lead with a focus on IoT technology, and it has been a fascinating challenge. Although I have been conducting research for a number of years, covering everything from Format…

Brute Force Attacks Using US Census Bureau Data

Currently one of the most successful methods for compromising an organization is via password-guessing attacks. To gain access to an organization using brute force attack methods, there are a minimum of three things a malicious actor needs: A username, a password, and a target. Often…
