Rapid7 Blog


NCSAM Security Crash Diet, Week 2: Social and Travel


Rapid7 guinea pig 'Olivia' describes her efforts during week two of her security 'crash diet' for National Cyber Security Awareness Month. This week focused on social sharing and travel security.

Help! What’s going on?


Last month, we announced that we are evolving our community site, and we started directing our customers to two new resources: the Rapid7 blog and the Help site. We’ve heard that people like the new look and feel, but there has been some confusion and concern about the status of the forums. We want to thank everyone who has taken the time to provide feedback, and we also want to apologize for any inconvenience we may have caused while we’re in transition. This post will hopefully explain what we’re doing and why, and give our community of customers and users more insight into a vision for the future of help.rapid7.com.

If It Ain’t Broke, Don’t Fix It

We’ve heard from customers that they found real value in our forums and can’t understand why we’re changing them. It’s great to know that they are valuable, and we want to continue to deliver that value, but with more consistency and authority for the information.

Our community has always served as an important way to engage with us and other users. It gave customers and community members a space to ask questions, search for documentation, get help from others, explore blogs, watch videos, and read release notes; there was so much that you could do. Over time, the community grew into such a dense source of information that it became difficult for audiences to navigate. As we planned for the next generation of community resources, we realized that there were things we needed to do better. The community contained thousands of posts and hundreds of documents, so it wasn’t easy to find things and figure out what was still relevant. Some of the questions we regularly heard were:

“Does this solution posted in this comment actually work?”
“Is this the latest document? Or this one?”
“Why can’t I find something that’s in the user guide?”

To answer these questions, we knew we needed to create a unified experience that enabled our users to easily find curated, relevant content. Our goal wasn’t simply to replace the functionality and features of the community, but to provide focused spaces for Rapid7 content: a place for blog content and a place for help content.

The Transition Process

To ensure continuity after the community transition, we evaluated the gaps that needed to be filled once we had sundowned the old community site. We knew that one of the main draws of the community was that people could ask questions and search for solutions. We value that engagement, so we factored these needs into the redesign of the help site. To address support and troubleshooting needs, we added two areas to the help site:

A knowledge base that contains articles to help troubleshoot issues and provides solutions to frequently asked questions.
A discussion area, part of the knowledge base, where you can ask your own questions and search for answers.

We understand how important it is to create content that addresses real-world issues and provides the answers you need. We see the logical connection between the knowledge base and the discussion board, so our plan is to use the information from the discussion boards to drive the content in the knowledge base and documentation. This is just the beginning of the changes that we plan to make to the help site. These new areas are in the early stages of development and will continue to grow over time.

The Path Forward

Our goal is to create a simpler, more impactful content experience so that you can get the information you need to be successful. To do this, we are currently focused on building out the following areas of the Help site:

Content: As we built out the knowledge base and discussion board, we reviewed the traffic to the community and popular keyword searches to identify the most viewed documents and posts, and migrated that content over to the Ask/Answer format. We have also audited the results and migrated over an initial set of content we felt was up to date and most helpful. Going forward, our hope is that we will be able to create new content that provides you with the information you need to maximize your productivity, and continue to move over content from the community site that is verified as valid answers to questions. In the upcoming months, we plan to add more videos, scenario-based content, chatbots, and in-product guides to create a more comprehensive and delightful learning experience on help.rapid7.com. If there is specific content you would like to see added in the future, please let us know at community [at] rapid7 [dot] com.

Information architecture and site navigation: With documentation available for eight different products, we want to make sure that it’s easy for you to find the information you need. We are working to create even better navigational consistency between the product sites to streamline the experience between help assets.

Filtering: To help you find the answers you care about, we’re exploring ways to tag posts so you can filter by product and issue type.

Site responsiveness: Finally, we want to make sure our site is easy (and beautiful!) to use and share on every device.

We are rolling out these changes to the help site incrementally and adding new content daily. We can’t wait for you to see what we’re going to do! Please keep visiting help.rapid7.com to see our progress. Your feedback is invaluable during this process and helps us ensure we are building capabilities that meet your needs. If you have questions, concerns, or requests, please email community [at] rapid7 [dot] com. Thank you!

NCSAM: A Personal Security Crash Diet


We're kicking off National Cyber Security Awareness Month by getting a Rapid7 employee to test out the practicality of common security advice. Follow along throughout October.

Apache Struts S2-052 (CVE-2017-9805): What You Need To Know


Apache Struts, Again? What’s Going On?

Yesterday’s Apache Struts vulnerability announcement describes an XML deserialization issue in the popular Java framework for web applications. Deserialization of untrusted user input, also known as CWE-502, is a somewhat well-known vulnerability pattern, and I would expect crimeware kits to incorporate this vulnerability well before most enterprises have committed to a patch, given the complications that this patch introduces.

What’s The Catch?

The problem with deserialization vulnerabilities is that, oftentimes, application code relies precisely on the unsafe deserialization routines being exploited. Therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch can change how the underlying application treats incoming data. Apache mentions this in the "Backward Compatibility" section of S2-052. An update that states "it is possible that some REST actions stop working" is enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally.

What Can I Do?

Organizations that rely on Apache Struts to power their websites need to start that application-level testing now, so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability. Remote code execution means everything from defacements to ransoms and everything in between. In the meantime, Rapid7’s product engineering teams are working up coverage for organizations to detect, verify, and remediate this critical issue. A Metasploit module is in progress and will be released shortly to help validate any patching or other mitigations.

InsightVM customers with content dated “Wednesday 6th September 2017” or later (check Administration --> General to confirm the content version) can determine whether they have a vulnerable version of Apache Struts present on Unix hosts in their environment by performing an authenticated scan. The vulnerability ID is struts-cve-2017-9805, should you wish to set up a scan template with just this check enabled. It has also been tagged 'Rapid7 Critical.' An unauthenticated check for CVE-2017-9805 is available for InsightVM and Nexpose under the same ID, struts-cve-2017-9805. This check does not remotely execute code; instead, it detects the presence of the vulnerable component against the root and default showcase URIs of Apache Struts instances. In addition to these specific updates, we’ve also produced a quick guide with step-by-step instructions on how InsightVM and Nexpose can be used to discover, assess, and track remediation of critical vulnerabilities, including this Apache Struts vuln. Not an InsightVM customer? Download a free 30-day trial today to get started.

Should I Panic?

Yes, you should panic. For about two minutes. Go ahead and get it out of your system. Once that’s done, though, the work of evaluating the Apache Struts patch and how it’ll impact your business needs to get started. We can’t stress enough the impact here: Java deserialization nearly always leads to point-and-click remote code execution in the context of the web service, and patching against new deserialization bugs carries some risk of altering the intended logic for your specific web application. It’s not a great situation to be in, but it’s surmountable. If you have any questions about this issue, feel free to comment below, or get in touch with your regular Rapid7 support contacts.

2017 Cybersecurity Horoscopes


What does 2017 hold for cybersecurity? Our mystics have drawn cards, checked crystal balls, and cast runes to peer into the future. See what the signs have in store for you in the new year.

Sage Corey Thomas (Rapid7)

Gazing into the future of 2017, I believe we will continue to see market consolidation of security vendors. With a focus on increasing productivity, organizations will move further from disparate point solutions that solve just one problem to solutions that can be leveraged throughout the IT environment. This will drive security and IT vendors to integrate, consolidate, and better collaborate. It will become increasingly clear that IT and security professionals want to manage fewer solutions that are easy to use. I also expect to see the skills gap start to right itself. Security has reached a state of accessibility, by necessity. In most cases, you don't need an advanced degree to enter the security field, and you can often gain skills through certifications.

K Seer Ellis (aka Casey Ellis, Bugcrowd)

In 2016, we reached a level of dystopian weirdness that will be hard to top in 2017. Toasters brought down half the Internet, a hacker accidentally bricked an entire metropolitan transit system – and then got hacked himself by a vigilante – and there was a steady stream of "biggest breach ever" events. But we know that it will be topped. Gazing into the future, I see DDoS and ransomware evolving and becoming more pervasive in both consumer and corporate contexts, leading to the rapid formation of policy around security best practices for consumer products and increased consumer pressure on vendors to demonstrate their proxy indicators of security. Finally, as companies learn how to use the crowd, we'll see an evolution and improvement of penetration testing and eventually the widespread adoption of vulnerability disclosure programs as a means to achieve and maintain resilience faster.

The Todonomicon (aka Tod Beardsley, Rapid7)

Peering into my Bluetooth-ready crystal ball, I can see many, many more hobby hackers publishing vulnerabilities in IoT. Cost of entry is low, there are tons of new devices with old bugs, and the DMCA now exempts consumer device research, which means boatloads of public vulnerability disclosures. Which is good – and also chaotic. You could say that how IoT manufacturers respond to these disclosures will be make or break for the industry. On the one hand, you might expect more mature companies to respond quickly and positively – patching and updating devices – but it's also plausible that smaller, younger companies will be more nimble, and therefore able to respond faster.

Katie Moussoothsayer (aka Katie Moussouris, Luta Security)

Gazing into the future, not everything is as clear as my crystal ball. Attribution for cyber attacks will still be hard. You can bet your nation-state-sophisticated-actor that ThreatButt.com may give as credible, if not more credible, attributions for attacks than the leading expert firms or intelligence agencies. Because who wants facts and experts, when you can instead have a pew-pew map and a nifty sticker? Besides, ThreatButt has Viking-grade encryption, unlike APTFriendFinder.com, which is basically the MySpace of parody attribution - ahead of its time. Additionally, the next US administration's cybersecurity policies will likely defy most conventional wisdom in this area, known as "the Cyber" to the president-elect. Not just any Cyber, but THE Cyber. Who knows, we may see some interesting funding for new cyber offense capabilities. Just who may find the capabilities truly offensive defies prediction. And while there is no such thing as a "cyber Pearl Harbor," next year will likely be one where Cyber Claus rains down with lumps of coal for the masses, both naughty and nice. On DDOS, on botnet, on malware, on clicked 'em! On ransom, on car hack, on Bitcoin, on victim! We're all on the list. Sleep tight.

Hierophant Geiger (aka Harley Geiger, Rapid7)

The dual nature of Gemini reflects both the progress and the work still to be done this year. We may see a flat warrant standard for government access to stored digital content pass Congress, but there is an increased likelihood that there will be important exceptions that undermine the standard. Additionally, it's possible that we'll see action on standards for government access to stored data across borders, either through legislation and/or renegotiated trade agreements. As Saturn makes its way through the policy house, law enforcement access to encrypted data will continue to be a hot issue. If Congress attempts to require a backdoor into encryption standards, or attempts to forbid private use of end-to-end encryption, a major battle may ensue.

Herald Deiland (aka Deral Heiland, Rapid7)

There's no such thing as retrograde for IoT in 2017. If 2016 was the year IoT exploded, 2017 will be the year that IoT comes to life. I believe 2017 will be the first year IoT is used to inflict physical harm on a human. I also believe that audio information – voice data – gathered from home automation systems, such as the Amazon Echo, will be used for the first time to solve a crime. I also expect to see MFP device security issues directly tied to a major corporate breach.

Madame Bell LaPadula (aka Wendy Nather, Duo Security)

As Mars passes into the Upper Right Magic Quadrant of the heavens, we will see the influence of cyberwar grow across the world. This will take the form of pitched battles over botnet assets rather than land, but just as civilians get caught in the real-world crossfire, consumers will pay the price for DDoS attacks, ransomware and other disruptions. Beware of empty promises and standards.

Robsputin (aka Robert Graham, Errata Security)

When Jupiter aligns with Mars, regulation of software will become a thing. "Contraband" software and IoT will become a thing, as our only choices will be boring IoT devices from big corporations like GE and Apple, or innovative new devices from the Chinese grey market. Kickstarter IoT products will be dead. IoT botnets fail to become larger than they are now, not because of regulation, but because most devices around the world are behind firewalls.

Teleparsons (aka Trevor Parsons, Rapid7)

Relationships will blossom this year as more organizations look for synergies between their technology departments, namely IT and security. Connections will become deeper and more meaningful when these departments start thinking more about how they're leveraging data, what tools are giving them the best visibility, etc., rather than accepting and managing several disparate solutions that aren't necessarily helping to increase productivity. The year will not be without complexities for IT environments, however, so monitoring tools will need to become more flexible and comprehensive in terms of data collection and correlation. Consolidation will result in more meaningful insights as we expect to see more technologies combining data sources (e.g. logs, metrics, endpoint data) to give a richer view into their environments.

Cyber Oracle Squirrel

While 2017 may be the year of the rooster, for us it is of course always the year of the squirrel. We will continue our cyberwar operation disrupting your power over 400 times in 2017. Your pundits will continue to shout "Cyberwar!" from the podium, and yet it is doubtful that any such cyber action will impact your power in 2017.

Craigvoyant Smith (aka Craig Smith, Rapid7)

Much as a series of eclipses block Venus from influencing travel, we will see malware used to shut down a major transportation sector. I anticipate that the malware will be intentionally targeted to halt a transportation sector either for the purpose of ransomware or political gain. There will be a large uptick in hardware-related security attacks. As security research increasingly bleeds into hardware, we will see creative ways to patch vulnerabilities when no update mechanism is readily available. We will see the concept of an internal trusted network deteriorate. Internal networks will be treated the same as any external non-trusted network. With the increase of IoT devices, phishing attacks, and social engineering, even the concept of a corporate trusted laptop will need to be re-evaluated.

Mystic Scutt (aka Mike Scutt, Rapid7)

Under Saturn's watchful eye, we can expect breaches to take an earthier standpoint. We're expecting a significant uptick in "living off the land" style compromises and malware, a lot more script-based malware (PowerShell, JS, VBS, etc.), and an increase in the use of native operating system tools to execute malware, persist, and perform recon.

Why Security Assessments are Often not a True Reflection of Reality


Inmates running the asylum. The fox guarding the henhouse. You've no doubt heard these terms before. They're clever phrases that highlight how the wrong people are often in charge of things. It's convenient to think that the wrong people are running the show elsewhere, but have you taken the time to reflect inward and determine how this very dilemma might be affecting your organization?

I see this happening all the time with security assessments. In organizations both large and small, I see improper testing, or no testing at all, of the systems that should otherwise be in scope and fair game for assessment. The very people in charge of security assessments are the ones who are determining how things are going to turn out. I see everyone from CIOs to network admins and all of the IT/security roles in between setting parameters on what can and cannot be tested. Ditto for how it can be tested. Oftentimes, an external security assessment/penetration test is performed, but not everything is being looked at. Sometimes it's something relatively benign like a marketing website, but other times it's actual enterprise applications that are being overlooked (often in the name of “someone else is hosting it and therefore responsible for it”). Other times, I hear people stating that their auditors or customers aren't asking for certain systems to be tested; therefore, it doesn't really matter.

I think the general consensus of the stakeholders who are reading the actual assessment reports is that they are getting the current status of everything. But that's not the case in many situations. There's no doubt that people need what they need and nothing more. In fact, legal counsel would likely advise to do the bare minimum, document the bare minimum, and share the bare minimum. That's just how the world works. At the end of the day, people presumably know what they want/need. I'm just not convinced that the current approach, whereby IT and security staff define the systems to be tested along with how they need to be tested (and, therefore, the outcomes), is the best one.

Most security assessment reports have a notes/scope section that outlines what was tested and what was not. However, what's often missing are the details regarding other things that people don't often think about in this context, such as:

How the systems that may not have been tested can/will impact those that were tested if they have exploitable vulnerabilities.
Whether or not authentication was used (it's important to distinguish the two, and do both).
What network security controls, i.e. firewall and IPS, were disabled or left in place (you have to look past any blocking).
What level of manual analysis/penetration testing was performed, including how much time was spent and whether or not social engineering/email phishing were a part of the testing (it makes a difference!).

There are so many caveats associated with modern-day security testing that no one really knows if everything has been looked at in the proper ways. So, what do you do? Do you question the validity of existing testing methods and reports? Do you step back and ask tougher questions of those who were doing the testing? Perhaps there needs to be an arm's-length entity involved with defining what gets tested and how it gets tested, including very specific approaches, systems in scope, and tools that are to be used.

This challenge is similar to certain aspects of healthcare, something we can all relate to. Take, for instance, when a patient gets an MRI or CAT scan: the results for the radiologist to analyze will be different than for a more focused x-ray or ultrasound. Perhaps the prescribing doctor thinks the patient just needs an x-ray when, in fact, they actually need a PET scan. That very thing happened to my mother when she was fighting lung cancer. Her doctors focused on her lungs and hardly anything else. Her chemotherapy was working well and her lungs continued to look good over time. What was missed, however, was the cancer that had spread to other parts of her body. The prescribed diagnostics were focused on what was thought to be important, but they completely missed what was going on in the rest of her body. Unfortunately, given how much time had passed for the cancer to spread elsewhere (while being overlooked), the outcome was not a positive one. Similarly, it's important to remember that any security testing that's assumed to paint the entire picture may not be doing that at all.

Are the inmates running the asylum? Is the fox guarding the henhouse? Perhaps a bit here and there. However, it's not always people in IT and security intentionally “limiting” the scope of security testing by keeping certain systems out of the loop and looking the other way to generate false or misrepresented outcomes. I do know that is going on in many situations, but this issue is a bit more complicated. I don't think there's a good solution to this other than closer involvement on the part of management, internal auditors, and outside parties involved with scoping and performing these assessments. If anything, the main focus should be ensuring that expectations are properly set.

A false sense of security is the enemy of decision makers. Never, ever should someone reading a security assessment report assume that all the proper testing has been done or that the report is a complete and accurate reflection of where things truly stand. Odds are that it's not.

On the Recent DSL Modem Vulnerabilities


by Tod Beardsley and Bob Rudis

What's Going On?

Early in November, a vulnerability was disclosed affecting Zyxel DSL modems, which are rebranded and distributed to many DSL broadband customers across Europe. Approximately 19 days later, this vulnerability was leveraged in widespread attacks across the Internet, apparently connected with a new round of Mirai botnet activity. If you are a DSL broadband customer, you can check to see if your external TCP port 7547 is accessible to the Internet by using popular public portscanning services provided by WhatsMyIP, SpeedGuide, or your own favorite public portscanning service. If it is, your ISP should be able to confirm whether your modem is vulnerable to this attack.

Vulnerability Details

On November 7, "Kenzo" disclosed two vulnerabilities affecting the Zyxel D1000 DSL modem on the Reverse Engineering blog. This DSL modem is used by residential DSL subscribers in Ireland, and appears to be distributed by the Irish ISP, Eir. It's unknown if Kenzo disclosed these issues to either Zyxel or Eir prior to public disclosure. Two issues were identified, both involving the TR-064 SOAP service on the DSL modem, running on TCP port 7547. The first is a command injection vulnerability in the way the device parses new NTP server configurations, where an attacker can enclose an arbitrary shell command in backticks when setting the NewNTPServer1 parameter. The second is an information leak where an attacker can access the GetSecurityKeys command to learn the device's WiFi and administrative password. Kenzo provided a proof-of-concept Metasploit module that exercises these vulnerabilities to expose the administrative web service on the Internet-facing side of the modem and to extract the administrative password for that admin web service.

On November 26th, the command injection issue was being actively exploited in the wild, apparently as part of another wave of Mirai-style IoT botnet activity. In particular, DSL modems provided to Deutsche Telekom customers in Germany and Austria, under the brand name "Speedport," appeared to be vulnerable. As a result of this attack, many Telekom subscribers were knocked offline on November 27th, and DT has since updated the Speedport firmware. Today, November 29th, the Metasploit open source project has started work on converting Kenzo's original, special-purpose proof-of-concept exploit to a more generally useful Metasploit module that can be used to test the vulnerability in a safer and more controlled way. That work continues on Pull Request #7626.

Exploit Activity Details

Rapid7's Heisenberg Cloud started picking up malicious SOAP HTTP POST requests to port 7547 on November 26th. We were able to pick up these requests due to the “spray and pray” nature of the bots searching for vulnerable targets. To date, we've seen over 63,000 unique source IP addresses associated with these attempts to take over the routers, peaking at over 35,000 unique attempts per day on November 27th. As the map below shows, the bots attempting to take over the routers are geographically dispersed. As the temporal flow diagram below shows, different regions are more prevalent as sources of this activity on different days (the source regions are on the left, the days they were active are on the right). There was little change in the top 10 source countries (by unique node count) over the attack period, but some definitely stood out more than others (like Brazil and the U.K.). We've also seen all malicious payload types, though not all of them appeared on all days, as seen in the third chart. Not all payloads were evenly distributed across all countries.

What Can You Do to Protect Yourself?

The vulnerabilities being exploited in these attacks are present in Zyxel DSL modems, which are commonly used in European and South American consumer markets, and may be rebranded by regional ISPs, as they are for Eir and Deutsche Telekom. The vulnerabilities described do not appear to affect the cable modems commonly used in the United States. If you are a DSL customer and concerned that you may be vulnerable, you can use popular portscanning services provided by WhatsMyIP, SpeedGuide, or others to assess whether your external TCP port 7547 is accessible from the Internet. If the port times out or is otherwise not reachable, you're in the clear. If it is accessible, you should contact your ISP to see a) if this can be restricted, and b) if you are running a vulnerable device.

For ISPs, it is A Bad Idea to expose either TR-069 or TR-064 services to arbitrary sources on the Internet. While ISPs may need access to this port to perform routine configuration maintenance on customer equipment, it should be possible for local and edge firewall rules to restrict access to this port to only IP addresses that originate from the ISP's management network.

Meanwhile, penetration testers should follow the progress of converting Kenzo's original proof-of-concept to a fully functional Metasploit module over at Pull Request #7626 on Metasploit's GitHub repository. If you are an open source security software developer, we'd love to have your input there.

Update (2016-Nov-30): This blog post originally referred to the vulnerable service as TR-069, but it has since become clear that this issue is in a related service, TR-064.
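The ISP-side mitigation and the two TR-064 abuse patterns described above (restricting TCP/7547 to the management network; SetNTPServers with a shell command in NewNTPServer1; GetSecurityKeys credential leaks), as an added triage example that is not Rapid7's or Kenzo's code. It generalizes the backtick check to flag any NewNTPServer1 value that is not a plain hostname or address; the record schema, the management CIDR and the sample traffic are constructed for the example.

```python
"""Triage of TR-064 requests to TCP/7547 as an ISP edge or a sensor sees them.

Added example; not Rapid7's or Kenzo's code. Two points from the post:
  * mitigation: only the ISP's management network should reach port 7547;
  * detection: a SetNTPServers call whose NewNTPServer1 is not a plain
    hostname/address (the post describes backticks carrying a shell command),
    and any GetSecurityKeys call (leaks the WiFi and admin passwords).
The record format, management CIDR and sample traffic are all constructed.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

TR064_PORT = 7547
# Hypothetical management prefix; an ISP would substitute its own.
MGMT_NETWORKS = [ip_network("10.250.0.0/16")]
# An NTP server value should be a hostname or an IP literal, nothing more.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.:\-]+")

POLICY_FINDING = "policy: TR-064 request from outside the management network"
INJECTION_FINDING = "injection: NewNTPServer1 is not a plain hostname or address"
LEAK_FINDING = "leak: GetSecurityKeys requested"


@dataclass
class Tr064Request:
    """One SOAP request as a sensor might log it (constructed schema)."""
    src_ip: str
    dst_port: int
    soap_action: str                       # e.g. SetNTPServers, GetSecurityKeys
    params: Dict[str, str] = field(default_factory=dict)


def from_management_network(src_ip: str) -> bool:
    """True when the source address belongs to the ISP's management network."""
    addr = ip_address(src_ip)
    return any(addr in net for net in MGMT_NETWORKS)


def triage(req: Tr064Request) -> List[str]:
    """Return the findings for one request; an empty list means nothing to flag."""
    findings: List[str] = []
    if req.dst_port != TR064_PORT:
        return findings                    # not TR-064 traffic, out of scope here
    if not from_management_network(req.src_ip):
        # The post's mitigation: edge filtering should have dropped this already.
        findings.append(POLICY_FINDING)
    if req.soap_action == "SetNTPServers":
        ntp: Optional[str] = req.params.get("NewNTPServer1")
        if ntp is not None and not HOSTNAME_RE.fullmatch(ntp):
            findings.append(INJECTION_FINDING)
    elif req.soap_action == "GetSecurityKeys":
        findings.append(LEAK_FINDING)
    return findings


def flagged_sources(traffic: List[Tr064Request]) -> Dict[str, int]:
    """Count flagged requests per source IP (the post reports unique sources)."""
    counts: Dict[str, int] = {}
    for req in traffic:
        if triage(req):
            counts[req.src_ip] = counts.get(req.src_ip, 0) + 1
    return counts


# Constructed sample traffic; the backticked value is a placeholder, not a payload.
SAMPLE_TRAFFIC = [
    Tr064Request("10.250.3.7", 7547, "SetNTPServers",
                 {"NewNTPServer1": "ntp.isp.example"}),        # legitimate ISP job
    Tr064Request("198.51.100.23", 7547, "SetNTPServers",
                 {"NewNTPServer1": "`PLACEHOLDER`"}),           # injection attempt
    Tr064Request("203.0.113.9", 7547, "GetSecurityKeys"),       # credential leak attempt
    Tr064Request("203.0.113.9", 80, "GET"),                     # unrelated web traffic
]

if __name__ == "__main__":
    for req in SAMPLE_TRAFFIC:
        print(req.src_ip, req.soap_action, triage(req) or ["ok"])
    print("flagged sources:", flagged_sources(SAMPLE_TRAFFIC))
```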

Opportunity Now Means Success Later: Q&A with Rapid7 Sales


This post is a Q&A with John O'Donnell, Director of Sales at Rapid7. For more information about career opportunities with Rapid7, visit https://www.rapid7.com/company/careers.jsp.

Q: What separates Rapid7 from other security or software companies in the area?

A: The diversity we have here separates us from the competition. Our teams are created by integrating people from all walks of life and then submerging them in the ever-changing and exciting cybersecurity industry. The belief is that you will change your career five times in life, and once you move into your second career your goals often shift to loftier financial goals. However, without the proper experience it can be hard to make that transition and achieve those goals. Rather than focusing on direct experience, Rapid7 has created a work environment where people create a mosaic. So no matter what dream you were following before, we help our employees grow together to create success together. Unlike other companies that are challenged by slower growth, Rapid7 has more opportunities for its employees to grow and further their careers. We have a 90 percent promotion rate from the Business Development Representative (BDR) program to Account Executive roles and are proud to say that nine out of 10 current managers started as either an AE or in the BDR program.

Q: What kind of advantage can someone expect to have starting in Q4 or the end of the year at Rapid7?

A: By starting in Q4, you can be in a position to ramp up more quickly and experience more volume of activity during the busiest time of the year. While some may be reluctant to start at the end of the year because of the anticipated learning curve, by starting in Q4 you have the opportunity to hit the ground running, go through the enablement program and be part of the excitement during a peak time of year. Essentially, you'll be able to shadow and align with peer members of the Rapid7 sales team and collaborate on many opportunities as businesses close out the year and finalize their investment in cybersecurity software. Additionally, you'll get more exposure as the team builds out the strategy and sets goals for the new year. This will allow you to understand the expectations for Q1 while also having gone through training and been exposed to the busier time of year. By the time you attend the global sales kickoff in Q1, you're already trained and have the opportunity to make the most of a full year. By investing your time in training during Q4 you're really investing in your career and creating the opportunity to have a significant financial impact at the end of the sales year. The possibility of something happening (like a bonus or a deal coming in) could have someone waiting forever, but there comes a time when you need to close the door, open a new window and look forward.

Q: What can a new Account Executive expect during the initial ramp-up period?

A: The enablement program at Rapid7 is split into a few weeks of training. The first two weeks are classroom training where Rapid7 specialists from other departments give lessons ranging from sales methodology to product line information to the overall competitive and industry market. The next few weeks are meant to expand on the classroom training by focusing on heavy collaboration and role playing to get comfortable speaking to products and services. The final two weeks are spent getting involved in day-to-day tasks with managers, directors and team leads. However, training is ongoing at Rapid7, with leaders providing industry updates, marketplace trends and skills sharing.

Q: How does Rapid7 support new AEs to help ensure success?

A: In addition to ongoing enablement and training, each new hire is assigned a mentor, someone separate from the enablement team, manager or director. Your mentor will meet with you throughout the day and have an end-of-day meeting to review overall successes, challenges and outlook for the next day. Outside of the daily mentor meetings, there are scheduled one-on-one meetings with managers or team leads for coaching sessions as well as regular team meetings to talk through successes and challenges. Because we focus on getting new AEs ramped up quickly and efficiently, most new hires are able to close their first deal within 60 days.

Q: How are territories broken out for new AEs and what does a typical day look like?

A: We've developed a scoring system to make sure territories are properly defined based on the number of prospects and past experiences with Rapid7. Territories can be entire states or cities within them, but the scoring metric makes it fair for all team members. On a typical day, the team starts with either a team meeting, training or an industry perspective during the morning session. After that, the team goes into reviews with security engineers for meetings or calls scheduled for the day. The rest of the day consists of following up with current customers, prospects and opportunities they are currently engaged in. The focus is to help our clients understand the technology and the industry, and to make sure they are comfortable with creating a meaningful partnership with Rapid7.

Q: What attributes do the top performing AEs at Rapid7 have?

A: Our top performers have an entrepreneur's mentality and approach their territory as their own individual business within Rapid7. The most successful people here get submerged within the security community. They attend networking events and focus on understanding the industry to provide clients with cutting-edge insight on what the bad guys are doing to influence the space and how Rapid7 technology and services can provide value to their business. The top performers are the true definition of a rock star: they are able to perform, have a huge fan base, and their dedication and passion to keep that fan base happy is second to none. In my opinion, the most successful AEs at Rapid7 have the drive not to fail. They are passionate about their career and their lifestyle. They are looking to work hard and have the understanding that through that hard work they will advance their career and achieve their goals.

Conflicting perspectives on the TLS 1.3 Draft


In the security industry, as in much of life, a problem we often face is that of balance. We are challenged with finding the balance between an organization's operational needs and the level of security that can be implemented. In many situations an acceptable, if less than optimal, solution can be found, but there are cases where this balance cannot be achieved. I recently saw a case of this on the mailing list of the IETF TLS Working Group, where Andrew Kennedy, a representative of a finance industry group, asked for changes to be made to the draft proposal for the next version of TLS. In the eyes of many in the security community, honoring the request would undermine one of the goals of the new standard and enable the continuation of real-time and after-the-fact decryption of TLS traffic. From Mr. Kennedy's perspective, the TLS draft changes break existing security controls for the industry and prevent organizations from meeting governmental regulations and requirements. In other words, they actually increase risk for the industry that he represents.

Background on how RSA certificates are used

Before I continue I'll need to provide a little background information in order to give context for Mr. Kennedy's request. At a very high level, an RSA certificate binds an identity (such as a hostname) to one half of a pair of mathematically linked keys. One of the keys, the private key, must be protected and known only to the server. The other, the public key, is expected to be shared with any party trying to communicate with the server. Within the SSL/TLS protocols RSA certificates can be used for two purposes that are relevant to this discussion: proof of identity and key exchange.

Proof of identity

The use of RSA certificates that most people are familiar with is proof of identity. While making a TLS connection to a service, the server must present a valid certificate matching the hostname the client sent the request to. The certificate must be signed by, or be in a chain of certificates leading to, a certificate that the client trusts. This proves that the server is actually the one the client intended to communicate with and not some malicious actor.

Key exchange

A lesser known use for the RSA certificate is encrypting the secret data used during the key exchange portion of TLS session negotiation. Asymmetric encryption, such as that performed with RSA keys, isn't actually what is used to encrypt the application traffic in a TLS session. This is due to multiple factors, but the most significant is speed: encrypting all data with asymmetric encryption would be so slow as to be unusable. Application traffic is encrypted with a symmetric cipher such as AES. For this to work, both sides of the conversation need to know a session-specific secret key. When RSA key exchange is used, the information used to create the session key (the premaster secret) is generated by the client, encrypted using the server's RSA public key, and transmitted to the server.

One downside of using RSA certificates to perform key exchange is that if the server's RSA private key is compromised then all TLS communications to that server can be decrypted. The private key can be used to decrypt the TLS session setup phase and extract the session key, at which point all traffic for that particular session can be decrypted. What makes this particularly dangerous is that the technique works for any session that has been captured in the past. If traffic to a server was captured by a malicious party for three years, and at the end of that time the party compromised the RSA key used for key exchange during that period, then ALL of that traffic could be decrypted and its contents compromised. To address this risk, endpoints can be configured to use other methods of key exchange, such as ephemeral Diffie-Hellman, that don't derive the session key from long-lived keys like RSA certificates. This provides forward secrecy, where compromise of long-term keys does not compromise past session keys. The TLS Working Group and contributors considered forward secrecy important enough that they removed support for static RSA key exchange from the TLS 1.3 draft specification in mid-2014. This change does fantastic things for the security of an endpoint's communications, but it severely breaks the ability of authorized parties to monitor traffic by passively decrypting it.

The request

This brings us back to Mr. Kennedy's request. On September 22, 2016 Mr. Kennedy, who is with the Financial Services Roundtable BITS Cybersecurity team, sent an email to the TLS Working Group list requesting that RSA key exchange remain in the TLS 1.3 specification. His reasons essentially boil down to:

- His industry is generally required by regulation and contract to implement security technologies aligning with best practices such as IPS, DLP, malware detection, etc.
- His industry is often required to provide an audit trail of all actions taken by certain employees and systems.
- Network and application troubleshooting often require inspection of traffic contents.
- Removing RSA key exchange from TLS 1.3 breaks the capability to decrypt TLS traffic in real time or retroactively.
- At some point regulations, contractual obligations, or technology requirements will force the implementation of TLS 1.3.
- Using man-in-the-middle (MitM) techniques adds overhead, latency, and complexity.
- Capturing the required data on the endpoint is subject to failure, adds complexity, and requires control of all endpoints.

He has a point

Having spent some time as an InfoSec professional in the finance industry, I can see the value in his arguments and, whether you agree with him or not, those are legitimate business needs and drivers. From a practical risk perspective, for the average financial institution the current TLS specification is "good enough" for general usage because of the extremely low likelihood of attacks against the TLS session itself. On the other hand, the ability to detect attacks against infrastructure in real time is critical. Additionally, real risk can come in the form of financial penalties and sanctions due to non-compliance with regulations and rules. Non-state actors are unlikely to decrypt an organization's internal communications, but failure to meet U.S. Securities and Exchange Commission (SEC) requirements can have real and measurable impacts in the form of lost revenue due to the inability to trade. Further, changes such as the one discussed here can reduce or remove the incentive to adopt new technologies, and the benefits they represent, when the opportunity arises. This is particularly true in industries where change itself causes risk.

But there are problems

All of this being said, I think the train has left the station on this one. One of the goals of the current TLS 1.3 draft specification was to remove weak or broken key exchange methods and lock in forward secrecy. To a large degree this stance is in response to increased awareness of state-level surveillance and the potential impact of compromised server keys. The efforts to harden TLS are also driven by the large number of TLS and general cryptography related security issues that have been discovered over the last decade. The responses to Mr. Kennedy on the IETF mailing list generally trend towards "no", "where were you a dozen drafts ago?", "you are doing security wrong", and "that particular technique for surveillance/monitoring will be dead soon, deservedly so". Obviously there is a lot of nuance in both positions that can't be captured in a short blog post.

Unbalanced exchange

One point that I don't feel was made strongly enough is that what Mr. Kennedy has asked for has limited, local benefits. Using the RSA certificate to decrypt traffic only works when you have the private key from the server side of the conversation. The tools will be unable to decrypt and inspect traffic to third parties, to malicious hosts and services within the network, and to endpoints where forward secrecy is required and enforced through technical configuration. This does provide value when monitoring for attacks against your own web servers, but it is going to have limited value when deploying Data Loss Prevention (DLP) to detect information exfiltration. It also won't detect when an organization's stock brokers are handling trades via Facebook or when malware is calling out to command and control servers. While not ideal, these problems are more completely solved by constrained networks and hosts, endpoint solutions, and logging. In short, the requested change to the TLS draft adds risk to others but doesn't truly solve the industry's problems.

Looking into the future

I think there are a couple of take-aways from this situation:

- Implementing TLS 1.3 as it currently stands WILL break, BY DESIGN, certain methods of traffic surveillance/monitoring.
- Organizations with requirements to monitor traffic will need to either MitM or implement endpoint monitoring (traffic logging, inspection, session key retention).
- Organizations will have to rely on MitM network egress filtering to deal with traffic between endpoints they don't control. This is not a change to how things are done today.
- Organizations will have many years to deal with this for assets they control. You will still find SSLv2 within enterprises and SSLv3 is still a thing on the Internet. Regulations and the speed of technology adoption will slow the rollout of the new protocol. That being said, I expect TLS 1.3 to be deployed much faster than its predecessors.

At the end of the day I think Mr. Kennedy's request to the IETF TLS Working Group was well formulated, appropriately targeted, and based on legitimate business drivers. Despite this I don't think that he will find the balance between security and business needs that he is looking for. One could argue that the request was too late in the process, but I honestly think the outcome would not have been different had it been sent during the first draft of the TLS 1.3 specification. On the other hand, increased awareness and involvement at that time would have allowed more time to review options and work with regulators and vendors to meet the industry's needs.
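The key exchange mechanics and the forward secrecy argument above, modelled in code. This is an added example, not code from the original post or from Rapid7, and every primitive is a toy stand-in chosen so that it runs with only the Python standard library: textbook RSA on two small primes (1000003 and 1000033, an assumed toy key size), a 127-bit Diffie-Hellman group, SHA-256 in place of the TLS PRF and record cipher, and a constructed application record. Both handshakes are run, the transcript and one protected record are "captured", and then an attacker who later obtains the server's private key tries to recover each session key from its transcript: the static RSA transcript gives up the premaster secret and with it the record, the DHE transcript does not, even though the same long-term key signed it.

```python
"""Toy model of why static RSA key exchange lacks forward secrecy.
Added example, not code from the original post or from Rapid7.  Every primitive is a
deliberately tiny stand-in (textbook RSA with a ~2^40 modulus, a 127-bit DH group,
SHA-256 as PRF and record keystream) so it runs on the standard library alone."""
import hashlib
import secrets

# Long-term server key: textbook RSA on two small primes (assumed toy sizes, never use for real).
def rsa_keygen():
    p, q = 1000003, 1000033          # both prime; n is roughly 2^40
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def _hash_to_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):
    n, d = priv
    return pow(_hash_to_int(data, n), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(data, n)

# Toy Diffie-Hellman group (assumption); real deployments use 2048-bit or larger groups.
DH_P = 2**127 - 1                    # a Mersenne prime
DH_G = 3

def derive_key(secret, client_random, server_random):
    """Stand-in for the TLS PRF: session key = SHA-256(secret || randoms)."""
    return hashlib.sha256(secret.to_bytes(32, "big") + client_random + server_random).digest()

def record_xor(key, data):
    """Toy record protection: XOR with a SHA-256 counter keystream (encrypt == decrypt)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def rsa_kex_handshake(server_pub):
    """Static RSA key exchange: the client encrypts the premaster secret to the
    server's long-term key. Returns (session_key, transcript as seen on the wire)."""
    client_random, server_random = secrets.token_bytes(16), secrets.token_bytes(16)
    premaster = 2 + secrets.randbelow(server_pub[0] - 2)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "encrypted_premaster": rsa_encrypt(server_pub, premaster)}
    return derive_key(premaster, client_random, server_random), transcript

def dhe_handshake(server_pub, server_priv):
    """Ephemeral DH: the long-term RSA key only signs the server's one-time share."""
    client_random, server_random = secrets.token_bytes(16), secrets.token_bytes(16)
    a = 2 + secrets.randbelow(DH_P - 3)  # server's ephemeral exponent, discarded afterwards
    b = 2 + secrets.randbelow(DH_P - 3)  # client's ephemeral exponent
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signed = client_random + server_random + A.to_bytes(16, "big")
    sig = rsa_sign(server_priv, signed)
    if not rsa_verify(server_pub, signed, sig):   # the client's proof-of-identity check
        raise ValueError("server signature failed")
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)              # both sides hold g^(ab)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "server_dh_public": A, "client_dh_public": B, "signature": sig}
    return derive_key(shared, client_random, server_random), transcript

def passive_attacker(transcript, stolen_server_priv):
    """Someone who recorded the handshake and later obtained the server's private key.
    Returns the session key if it can be recovered from the transcript, else None."""
    if "encrypted_premaster" in transcript:
        premaster = rsa_decrypt(stolen_server_priv, transcript["encrypted_premaster"])
        return derive_key(premaster, transcript["client_random"], transcript["server_random"])
    # DHE: the stolen key can re-verify the signature, but g^a and g^b reveal neither
    # exponent; recovering g^(ab) would mean solving the discrete log in the group.
    return None

def demo():
    """Run both handshakes, capture a protected record, then replay the key-theft scenario."""
    pub, priv = rsa_keygen()
    record = b"transfer 1000 USD to account 42"   # constructed sample application data
    results = {}
    for name, (key, transcript) in (("static RSA", rsa_kex_handshake(pub)),
                                    ("DHE", dhe_handshake(pub, priv))):
        wire = record_xor(key, record)            # what a network tap recorded
        recovered = passive_attacker(transcript, priv)
        results[name] = record_xor(recovered, wire) if recovered else None
    return results
```

Calling demo() returns the recovered plaintext for the static RSA session and None for the DHE session. The point the model makes concrete is the one the working group acted on: with static RSA the long-term key is the session key's only protection for as long as the capture is kept, while with DHE the long-term key authenticates the handshake and nothing recorded on the wire depends on it for secrecy.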
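A practical check for the "Looking into the future" list above: before a monitoring design assumes that static RSA key exchange will be there to lean on, ask the TLS library what a given configuration actually enables. This added example (not from the original post) uses only Python's standard ssl module and parses the Kx= field of OpenSSL's cipher descriptions; the two cipher strings LEGACY and FORWARD_SECRET are constructed for the demonstration. It also shows that OpenSSL lists the TLS 1.3 suites with Kx=any no matter what the cipher string says, because the protocol itself no longer offers an RSA key exchange to select.

```python
"""Audit the key-exchange methods an ssl.SSLContext will negotiate.
Added example, not code from the original post.  Standard library only: OpenSSL's
cipher description strings (the Kx= field) say which key-exchange method each
enabled suite uses, so a configuration can be checked offline before deployment."""
import re
import ssl

_KX = re.compile(r"\bKx=(\S+)")

def key_exchange_report(cipher_string):
    """Return {protocol: {key-exchange methods}} for the suites cipher_string enables.

    TLS 1.3 suites appear whatever the cipher string says (OpenSSL lists them with
    Kx=any): in TLS 1.3 the cipher string no longer chooses key exchange because only
    ephemeral (EC)DHE exists.  An empty dict means this OpenSSL build can enable
    nothing for the string (for example a build with RSA key exchange removed).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    report = {}
    for suite in ctx.get_ciphers():
        match = _KX.search(suite["description"])
        kx = match.group(1) if match else "unknown"
        report.setdefault(suite["protocol"], set()).add(kx)
    return report

def allows_static_rsa(cipher_string):
    """True if any pre-TLS-1.3 suite enabled by cipher_string uses RSA key exchange,
    i.e. a recorded session could later be decrypted with the server's private key."""
    return any("RSA" in methods
               for protocol, methods in key_exchange_report(cipher_string).items()
               if protocol != "TLSv1.3")

# Constructed cipher strings: the monitoring-friendly legacy setting and a forward-secret one.
LEGACY = "kRSA"
FORWARD_SECRET = "ECDHE+AESGCM:DHE+AESGCM"

if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY), ("forward secret", FORWARD_SECRET)):
        print(f"{label}: static RSA key exchange allowed = {allows_static_rsa(cs)}")
        for protocol, methods in sorted(key_exchange_report(cs).items()):
            print(f"  {protocol}: {', '.join(sorted(methods))}")
```

Run against a server-side context instead of a client one if that is what you deploy; the reporting logic is the same. The useful outcome is the negative one: if allows_static_rsa() is False for your production cipher string, or the build returns an empty report for kRSA, then any passive decryption tooling that depends on the server key has already stopped working for that endpoint, and the remaining options are the MitM or endpoint-side approaches listed above.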

Who Are Your Heroes, and Why?


For those that don't know me, I'm Corey Thomas, the CEO of Rapid7, which I consider to be a position of privilege given the extraordinary group of colleagues, customers, and partners I get to work with. I am very passionate about the security community and the role that you play in safeguarding technology for users around the world. Rapid7 strives to support this community in a number of ways – from research, to policy work, to offering open source tools, to driving constant innovation in our solutions to meet customers' needs. I've been thinking about what else I can personally do to support the community, and so I'm going to offer a series of posts in which I will share some of the learnings and experiences I have accrued in my journey. Perhaps it will help some of you as you travel through your own journey.

Last month I had the privilege of delivering the keynote address to Bentley University graduates at their 2016 Commencement Ceremony. Given the audience, I decided to share some of my own learnings about innovation, disruption, and collaboration – all of which seemed like timely topics for up-and-coming business leaders setting out on the next stage of their careers. I also see these themes as hugely relevant to IT and security pros – the reality is that we cannot be successful in reducing and managing risk unless we are able to build productive models for collaboration and trust.

I can't thank Bentley enough for the experience, as well as for my honorary doctor of commercial science degree. It truly was an honor!

The Class of 2016 will undoubtedly go on to great things. In the spirit of encouraging others to do the same, here are my opening remarks from the ceremony (you can also view the video here). As you read them, I hope they inspire you to challenge yourself, unite those around you, find joy in your work, and ultimately create a better world.

***

President Larson, Board of Trustees, and most importantly Graduates, thank you for allowing me the privilege of celebrating your achievements with you today.

One of the things I love about working in cybersecurity is the opportunity for disruption. This stems from a question I was asked when I was young, and that I ask of you today: "Who are your heroes, and why?" We don't tend to talk and share much about our heroes today. But we all have them, and our ideal of them – real or imagined – influences not just how we see the world but how we live in it. My heroes were always the rebels, the disrupters, the challengers. In the fictional world, I loved Han Solo, Shaft, and Dirty Harry. In the real world, they were the 1980s versions of Bill Gates, Steve Jobs, and Michael Jordan. Not the polished philanthropic versions we've seen in the last 15 years, but the gritty, aggressive, no-holds-barred versions of the 1980s. They challenged the way the world worked, delivered amazing innovations, and brought existing powers to their knees. I wanted to be them. For me, technology was a way to escape my world and enter a new one.

I fell in love with innovation and technology at an early age. I remember vividly when my mother got one of her co-workers to teach me how to program. It opened up a whole new world for me. I saw it for what it was: beauty, power, and magic all in one. For those with imagination and determination it created a world without constraints. And that was a world that I desperately wanted and needed.

As my heroes before me, I set out to be both an innovator and a disruptor. The world from my lens was one that needed disrupting and I was excited to be on this path. The learning curve on both has been more challenging and difficult than I expected. So I've come to you today to share what I have learned in my struggle to achieve these twin goals.

For a long time, I was a part of teams that made functional products but not great ones, and definitely not innovative ones. The same could be said about the business and the teams that I was a part of and led. We were aggressive, smart and understood "best practices" in depth, but the organizations themselves were not innovative. I always thought that innovation was about fighting entrenched competitors, or even pushing the boundaries of technology itself. However, what I discovered was that learning to innovate was really a struggle against myself.

My career started much slower than I expected; I finished school with good grades and was energized to take on the world. I poured my heart and soul into my work! But while the results met the goal, they left both me and my clients uninspired. To add insult to injury, I wasn't relating well to my team or my clients. I still remember the time that I was asked to "sit this one out" because the client "didn't like my style." This to me was the horror of mediocrity! My heroes would not have been impressed, and I myself was not impressed either!

I craved the magic formula, the rules of the road that would make the path to success easier. So I changed, I evolved. I learned the "best practices" on building business and designing products. I learned how best to communicate in various settings, how to present. I nearly memorized the Dale Carnegie book, How to Win Friends and Influence People. In short, I mastered the art of functional learning. And it worked, on paper at least, and my career started to accelerate. But something about the way I was learning and growing nagged at me. Deep down, I knew that I had just moved to a better car on the same mediocre, uninspired train. And while I had gained so much through academic and functional learning, I lost my sense of self. I had lost my joy. And when the joy was gone, I lost the magic, the wonder.

Recovering the joy required both a change in attitude and a change in approach. I had held the foolish notion that I was a finished product, so I was really just making changes to appease others, get a promotion, or fix a specific situation. And the joy remained elusive.

What I learned is that there will always be times when your best is not enough. In those situations, you'll have to decide whether you change and adapt, or whether you stagnate and accept the consequences. Evolution and development are good, but the attitude you have towards that evolution is what matters most. Our attitude is what sets us apart, and determines what we get out of the process. Will every dime we spend trying to fix ourselves put a corresponding dollar in our resentment account? None of us can maintain joy that way.

And the problem wasn't just my attitude about myself; it was also my attitude and approach to learning. I had always enjoyed learning in the academic sense. I even enjoyed learning in the functional and work sense. But somehow, I missed that true learning is about more than facts and science; it's also about people: their motivations, their behaviors, their beliefs and biases. It's not a skill you can just read about; it's experienced through engagement of not just the mind, but also the senses. In short, it's expansionary.

Today, many of my colleagues and I think of ourselves as expansionary beings. We look for opportunities to grow and evolve, and in the process we hope and expect that we'll be better people in the future than we are today. I don't know if we'll be successful, but I can tell you it makes the ups, downs, and the process of learning in this messy world a whole lot more fun! And by the way, once I embraced myself as expansionary, the magic came back. Our teams began to innovate and create in truly inspiring ways.

I believe the best innovators are those who expand not just their knowledge, but also their perspectives, their senses, and their connections. They notice deeper truths about the world, imagine new ways of being, and then bring that vision to life. This is what I loved about the power and potential of innovation.

But I still had more to learn. Bringing the vision to life is not a solitary journey. It's about the power and impact of teams, organizations, and society. Unfortunately, I had to learn this the hard way, and it changed the way I thought about my disruption, and the way I thought about my heroes in the world we face today. For me this was a struggle against an idea. And, truth be told, it's a struggle against an idea that I love. It's the idea of the disruptor, the rebel, the lone wolf as hero. The story of the solitary man or woman facing down all odds has always been seductive.

But how could I reconcile this idea of a lone disruptor – a hero – against the reality I saw, where it takes teams and organizations to make any type of significant impact? For me, it clicked when my thinking evolved from the idea of a lone hero to seeing a team of heroes. So I set out to create just that: a team of amazing individuals with shared goals.

I believed I had the right formula, but it was tested in the fall of 2013, and I had to innovate on the idea itself. It was one of those moments when everything seemed to go wrong at once. My wife and I struggled to support our son, who was born prematurely with a birth injury, while at the same time taking care of our daughter and each other. My company was going through one of the toughest periods in its history. It was one of those moments when you need a great team. But instead, what we had – what I had built – was a group of amazing people. You may ask what the difference is.

The best of both have amazing people at the core. But a great team has not only a shared purpose, but also a shared commitment to one another. Groups communicate, but great teams are deeply aware of each other. They notice the nuance and subtext in each other, and that noticing allows them not only to support each other, but to build off the ideas and insights of others in the most powerful ways. But most importantly, teams employ the most powerful weapon in the world. Strangely, it is a weapon that we've been taught today is the greatest sign of weakness. They negotiate.

The most powerful innovations are brought to life through a collection of diverse individuals with diverse backgrounds working on behalf of highly diverse customers. The power is not in the diversity itself; the power comes from channeling these differences to create something greater. How often do you see something fragmented and inconsistent defeat something whole and purposeful? Negotiation is not and should not be used to create watered down, uninspiring compromises. Negotiation and commonality are the tools that allow great teams to harmonize and channel their power for maximum impact.

In early 2014, I started employing these tools to create a truly innovative team. It was time-consuming and expensive. We honed our purpose by creating a clear mission. I went through the painful and incredibly messy process of getting people to truly listen and pay attention to one another. Instead of allowing people to make decisions in isolation, I forced them to make shared decisions. And I had to teach myself and the team how to negotiate with one another as partners. It was a painful process, but we came out of the other side not just stronger, but more resilient, more committed, and more effective.

Purpose, commitment, awareness, and negotiation. I see these as the building blocks of great teams and great organizations. But these are not the tools of disruption; these are the tools of builders. And so I decided to give up the mantra of disrupter, and instead pick up the one of builder. I can tell you today without any doubt that building something up is 100 times harder than disrupting it. The experience that you gained at the McCallum School, with its focus on the intersection of business, technology, and ethics, prepares you well to be the builders that our society so desperately needs.

So finally, before you answer my opening question of "Who are your heroes?", here are a few other pieces of context to consider. Increasingly, we've seen reports that:

- People don't trust their government, their employers, or their churches
- Governments don't trust employers and employers don't trust governments
- Church membership is on the decline (at least here)
- High-integrity journalism is dying
- We are becoming more divided all the time

These times demand a different type of hero. A hero who is able to build, bind, and bring together the best in people. Jobs and industries can be created, trust can be earned, and we can negotiate and engage one another to become stronger and more united. So I ask you today to be the new expansionary heroes we need and invent a better world.

An American Idiot Abroad - No More.


Hopefully, this reads nothing like those awful clip-show highlight episodes which lost all value once you could buy box sets, but my family's adventure on a portion of the world's twentieth largest island has ended. I will try not to rehash the many learnings I've shared in my previous blogs [which started almost exactly 20 months ago], but rather my many failings and a few final experiences I'll probably forget if I don't put them out on the Internet to be thrown back in my face for eternity.

A man and his [many] failings

Throughout the wandering rants of this blog, some of you may have noticed I was mostly discussing things I learned and exposing annoyingly inefficient processes, from filing for a UK visa to topping up my gas to almost anything in global airports. Well, now that the secondment is over, I want to go through the many objects and behaviours I never managed to understand. I must be too brainwashed by my American youth.

It likely seems silly to care so damn much, but everywhere you go on the island, there are sinks with separate taps for hot and cold water. I understand this might have been a limitation of plumbing a hundred years ago, but my gym was built in 2014 and I cannot think of a single time, ever, that I have wanted to burn my left hand as I chill my right. Ever.

I have ridden the pink bus in Belfast to and from work for eighteen months and every single time, I hear a large majority of passengers thank the bus driver while departing. I understand politeness, but this is a country where you only tip a waiter at lunch for doing an exceptional job, so why thank the seemingly psychotic driver who treats the accelerator and brake pedals like they have binary settings of 'fully depressed' and 'untouched' while people are still walking to their seats? Is it just an appreciation for removing your appetite?

Regarding that tip, I failed to ever convince my wife it was appropriate not to tip a server who had been both rude and mostly unavailable. In nineteen months.

In every UK building I've entered, all inside doors are fire doors which snap shut behind you. In offices, this leads to a great deal of slamming doors or fire door violations when doorstops are planted. At home, this leads to fathers taking toddlers to the A&E on a Sunday night because automatically closing doors are insane in a house with children. Can we have a US-UK debate over fire codes? Is slamming doors more important than emergency exit doors opening outward without a panic bar?

In the US, beer is the highest point in the taxonomy, with ales and lagers being the two classes separated by the type of yeast and its top vs. bottom location of preference for the fermentation process. In the UK, I failed to learn which because it baffles me, but either 'lager' or 'ale' is a synonym of 'beer'. I think ale is not beer, but I have no idea why.

Dual carriageways very closely resemble Dwight D. Eisenhower Interstate Highways in the US, but there is absolutely no rule preventing pedestrians from walking twenty miles along the dual carriageway as large, metal objects pass at 75 miles per hour.

Why are the zippers on the opposite side of the jacket in the UK from the US? Is this a knight and squire scenario like the right-handed knights causing cars to drive on the left?

While at the Odyssey cinema for an absurdly affordable matinee (£1.50 per seat), it took at least twenty minutes to get tickets because they were sold at the concession stand and nowhere else. Why does this make any sense?

I never learned the Northern Ireland MOT rules, but I don't think anyone actually has. It's the only region of the UK in which these tests need to be at a dedicated centre, but you can pay for an "MOT prep" visit to a garage. When we failed ours and brought the car to get the two items fixed, the rear brake light in the window was not even mandatory, so we never fixed it yet passed the second time. Right?

I never learned the Sunday parking rules. Whenever you drive around Belfast on a Sunday, you witness cars parked on sidewalks, corners, major roads, and basically anywhere, but did I still manage to get two parking tickets on Sundays? Of course I did.

I am proud to say I never hit anything in a Northern Ireland car park [an Irish stone wall, though…], but I cannot understand why they are all tight enough that the concrete walls are decorated with black smears from hundreds of car bumpers.

I never learned how an American could actually get a UK driving licence. I am certain it has been done at some point in history, but I cannot imagine trusting my passport through the post for over a month just to validate its authenticity.

And a non-UK failing: I never did figure out how Newark Liberty airport employees can possibly answer the same questions about where to go thousands of times and still think we are all the stupid ones. Signs and airport layout are important. Come on.

Nineteen canine months in a new country

I haven't really mentioned my dog here since she had a stress-induced sickness just after we arrived. Well, here's what she learned on the adventure: Scottish terriers represent everything evil and wrong in the world, so it is appropriate to point them out to all via loud screeches and growls. It rains. Carpets are better than hardwood for demonstrating anxiety. The more natural Play-Doh in the UK is delicious. She's very insightful.

Toddlers and a distorted reality

Having moved to Belfast when our daughters were not yet two and a half years old, there has been a dramatic change in them and it's strange to think they will likely never remember learning to talk while residing in another country. And do they ever talk. But it will only get more confusing for them when we return. No longer will they know when to say "pants" instead of "trousers". I'm certain they'll say "hiya" to strangers and ask a few people if they're "cross". They'll probably expect a nativity play next year. Many people may think they're misspeaking when they call a wet surface "slippy". I'm sure they'll remember nothing of this adventure, but at least we have an obscene number of pictures as evidence it happened. Maybe they'll stop making us sound wealthy to strangers, as well, once they realise we no longer have "another house in America".

Rewiring my brain to the new/old "normal"

Having only lived in one tiny region of the world before, it is going to be very strange to regularly come back to The Big Smoke [just learned this nickname] as a visitor, but I probably learned more in these two years than in the previous ten, so at least the close ties and familiarity will make it permanently comforting.

Regarding the Rapid7 Belfast office, I don't anticipate ever working in another that feels so familial. There are a couple of guys in the office who turn into walking advent calendars in December with a different Christmas jumper every day, including one with a light-up fireplace and the most popular in Belfast this year: Rudolph with a red-nose pom-pom. We set the standard for future Christmas parties with a private Star Wars: The Force Awakens screening at noon, Swapping Santa with an array of shenanigans and two gifted bottles of Buckfast, then a "casino night" in the office, followed by a three-course Christmas meal at the Ivory. To truly make it my best ever last day in an office, I finally tasted Buckfast [and was both impressed and depressed when it tasted like Coca-Cola and cheap wine], lost my voice from having done the Dublin office party the night before, and received dozens of hugs on a night typically known for coworkers punching each other. But it was a good time.

An Eddie Rocket's just opened on Lisburn Road, as that entire street has been filled with thriving, new businesses since our arrival, so obviously it needed an American-style fast food joint. So it is time to move away from Una [our original aide in learning the city], Oonagh [my bus stop friend from County Donegal], and Oonagh [my wife's very close Northern Irish friend] to a place where I know absolutely no one by that name.

But just don't ever ask us if we felt safe while living in Belfast. The forty years of "The Troubles", which are so often seen as a dark and dangerous time in Northern Ireland, are in the past and never as frequently involved innocent victims as what I've seen in the reports from The States today. The riots which take place annually are not remotely as damaging as the results of most "celebration" riots when a US city's professional sports team wins a championship. The rest of the world knows Belfast is much safer than most every US city.

The actual journey home was incredibly less painful than the original trip overseas, thanks mostly to a perfect string of helpful members of the service industry. Our dog travelled with us down to Dublin in Daniel's full-sized van as the girls left Northern Ireland on a gorgeous, sunny last day of Autumn exactly as they first entered it: sleeping soundly. Niamh [pronounced "Neeve"] from Aer Lingus escorted us from the check-in counter to the oversize baggage weighing counter, to the one oversize counter which takes pets to the cargo area, to a final ticket desk where one pays one tenth of the fee for bringing the same dog to the rabies-free island. The [happily] uneventful flight arrived early, leading to the anxious thought of the dog underneath us completely unaware of why we were sitting completely still on the runway because air traffic control has still not solved the fragility of its gate-scheduling process. The final taxi van driver dropped us at home and kindly carried our bags onto the porch as we were placing sleeping toddlers on random couches. Less than an hour later, I was nearly broadsided as I jaywalked while looking the wrong direction.

End. That's it.

What is your biggest prediction for 2016?

Following up our earlier post with 2015 key learnings, we asked our panel of lovely infosec pros to gaze into their crystal balls, consult the runes, and read their tea leaves to make their predictions for 2016. In many cases, their notes are less prophetic and more ardent hopes for a better, more secure future. We've listed their predictions below, including several from our own fabulous Team Rapid7 (though I'm obviously biased!). We hope you'll share your own predictions too -- what do you think 2016 has in store for us? Tell us your thoughts in the comments. If you'd like to hear more in-depth predictions for the coming year, please join us for our webcast this Thursday, December 10, at 2pm ET: "2016 Security Predictions" with Rick Holland and Lee Weiner.

Chris Hadnagy (@humanhacker), President and CEO of Social-Engineer Inc

I almost hate to do this as I fear speaking it out loud… but lots more vishing this year coming. I think we will see multi-vectored attacks on the rise. That is where attackers use phishing followed by a call, or vice versa. I think we will see a higher level of sophistication in these attacks, as well as a larger number of banking-related scams overall. This is one area where I would love to be proven wrong and instead to see 2016 be the year of international harmony without malicious hacking….

Rick Holland (@rickhholland), Vice President and Principal Analyst at Forrester Research

The digital Tony Sopranos are only going to get worse: extortion against healthcare organizations responsible for availability of life-sustaining medical devices will occur. Security teams must be on the lookout for the cyber waste management consultants.

David Kennedy (@HackingDave), CEO and Founder of TrustedSec, Founder of DerbyCon

I think 2016 is the year of mass cloud pwnage. It's been a long time coming, and with more companies adopting internet of things, cloud-centric servers, and mass data heists, I think this will be one of the main focal points. It probably already is; just not having any detection capabilities in cloud providers to notice it will be a challenge. Additionally, mobile attack vectors I believe will start to rise. More and more information is being stored, and I feel like MDM fizzled off quite a bit this year because we haven't seen the amount of attacks predicted. I think with Google fragmentation and security threats at an all-time high, and the process of having to move from Google to manufacturer to carrier, you're looking at usually a 6-month period before an update hits your phone – this is major. Additionally, more attacks leveraging client-side exploitation and a general lack of monitoring and detection will still be the leading cause of breaches in 2016.

Katie Moussouris (@k8em0), Chief Policy Officer at HackerOne

One thing is certain as we increase our dependence on technology in our society: attacks will also increase, both targeted and otherwise, and we need all hands on deck as defenders to work together. My prediction is that security recruiting will become among the most important goals of defenders, and with a global shortage of qualified workers in this area, we will see more creative ways to find talent increase, such as the use of bug bounties to help identify key talent in the global marketplace. That means that lawmakers trying to regulate internet security technology, governments, private industry, and major enterprise consumers of technology need to find ways to hear more directly from the security research community, and carefully consider any laws or regulations that make it difficult to work with the emerging global technical talent pool. Our ability to grow our collective defense capabilities depends upon adopting a more agile recruiting model than what has traditionally been the pipeline in the past.

Wendy Nather (@RCISCwendy), Research Director at the Retail Cyber Intelligence Sharing Center

My prediction for 2016 is that we'll continue to see a glut of security startups, all throwing the equivalent of spaghetti at the wall. At the same time, the more mature organizations, such as financial institutions, will take a harder look at their portfolios and start trimming them of waste. There will be more focus on efficiency and efficacy (not ROI), rather than buying one of everything.

Kurt Opsahl (@kurtopsahl), Deputy Executive Director and General Counsel of the Electronic Frontier Foundation

In 2016, the infosec community will have to face regulatory pressures, through things like the Wassenaar Arrangement (export controls), multi-national attempts to regulate strong encryption, and the expansion of anti-circumvention restrictions through the Trans Pacific Partnership. By working together and educating policy makers, the infosec community can stop or slow the worst regulations and ensure that vulnerabilities can be discovered, exposed and fixed.

Tod Beardsley (@todb), Security Research Manager at Rapid7

I believe, and fervently hope, that the security issues dogging the Internet of Things will reach a critical level of both awareness and accountability. Given what the Federal Trade Commission is doing this year with its “Start with Security” campaign and the growing coverage in mainstream media outlets about the state of security with IoT, I expect to see vendors of IoT devices take on real responsibility for the security of their devices. We in the security industry all know that hacking IoT devices is like dropping back ten years, and I believe that the mass consumer market will drive creative and realistic solutions to the problems of old software, old build processes, and the fractured patch pipeline.

Rebekah Brown (@pdxbek), Threat Intelligence Lead at Rapid7

We will continue to break free from the echo chamber. We are already seeing this with security researchers spending more time talking to law makers and infosec professionals actively reaching out to engage with non-security sector organizations. This trend will (hopefully) continue into 2016 and will help break down the communication barrier that continues to plague us as an industry.

Jen Ellis (@infosecjen), Vice President of Community and Public Affairs at Rapid7

We'll see the massive focus on cybersecurity in the policy sphere continue, and perhaps even increase, with organizational and system changes made in the Administration to reflect this prioritization. With this continued emphasis on cybersecurity in the Government, I hope we'll see the level of engagement between policy makers and the security community increase, and I hope we'll see it drive positive outcomes. However, I am concerned that we're likely to see some pretty scary legislation being proposed – we've already seen a bill that would prohibit independent security research on cars. It's on us to educate legislators about the potential fallout of these efforts. I hope we'll see the security community take a more collaborative, thoughtful, and productive approach to engaging policy makers, so we can avoid legislation that hinders security, rather than helping it.

Trey Ford (@treyford), Global Security Strategist at Rapid7

Come see the softer side of security. My prediction is probably aspirational: I am hopeful we'll see more transparency in incident and breach communications. The public isn't afraid of “yet another breach,” they're afraid the organizations they have a relationship with will violate their trust. In our series on VERIS, we've talked about the questions the public wants to see answered: who took what action, against what systems or information, with what impact, when, and what is being done about it? Security will continue the shift of focusing more on trust than compliance.

Guillaume Ross (@gepeto42), Senior Security Consultant at Rapid7

Privacy and security will become more of a concern for consumers in 2016, and perhaps a slight marketing advantage for hardware and software vendors, though it will not become the main criterion for most people choosing a device such as a smartphone or an operating system. As we are talking about things that will probably not happen, let's get those un-predictions out of the way: The Internet will not get DDoSed by a botnet of fridges and toasters, though a few will certainly take hold. The Internet will not get DDoSed by a botnet of smartphones, as they will run out of power after an hour. Information Security jobs will not be filled rapidly, as companies will still be struggling to find staff, preferring managed services in many cases, where appropriate. No, not everyone will be done patching Heartbleed, and no, the number of services exposed to the Internet at the end of 2016, including SCADA systems, will not be lower than the number of services exposed at the end of 2015.

Corey Thomas, President and CEO at Rapid7

We'll see a greater gap between the well-managed and the poorly-managed, our security version of income inequality. The poorly-managed will continue to ignore, pay lip service, and rely mostly on controls. The well-managed will recruit teams directly or through partnerships and build effective programs.

An American Idiot Abroad - Meals Optional

Well, this is my penultimate public rant [at least about living abroad], so while I do have a quick anecdote about a Northern Ireland [and Game of Thrones] road trip, I feel I'd be doing my five loyal readers a disservice if I don't expand on a small portion of my Visitors' Guide and give a proper rundown of the various establishments I recommend for Belfast's most popular sport: drinking.

Dark, hedgey, and almost out of place

Well over two hundred years ago, the ridiculously wealthy and noble-y Stuart Family [apparently spelled Stewart approximately 62% of the time to confuse everyone with my version of OCD] decided to plant some beech trees on the road to their Georgian mansion [the adjective differentiates it from their many other mansions], Gracehill House. I'm not sure how popular this destination was in the pre-Khaleesi era, but these trees have grown into such a beautiful pattern that Game of Thrones used them to represent the king's road in season 2, and now everyone asks if you've seen "the Game of Thrones trees". So we went. And they are gorgeous. And incredibly crowded with absolutely no enforcement around the parking, driving, or being remotely polite to the people who want to walk it. And there was even a random car full of eastern European teenagers blasting house music as they bizarrely danced next to a beech tree just before sundown. I can't explain that last one. Sorry.

Where to go when you want to ignore the first advice a random American gave me

On my first trip to Belfast, nearly two years ago, a Logan airport employee offered his completely unsolicited advice: "do not try to go drinking with them." Well, I thanked him endlessly for his sage wisdom and proceeded on my way. After first visiting twice, and since, obviously, living here, I want to provide my own helpful advice by walking through my ten favourite places in Belfast to grab a drink (in no particular order). And, as far as Logan airport guy's advice goes, I just suggest you always make the effort to grab a solid meal because many Belfast residents actually believe "Eatin's cheatin'." and your body may violently disagree [as mine does].

Down the alley, there

The only place on the list located in "The Entries", McCracken's Cafe Bar is a great place to grab a pint of Guinness, and the food is always better than I expect when I'm in the mood for pub food.

Onions & Chickens

On every visit to Belfast, the Rapid7 North American [it includes Canada] contingent makes sure to have a Guinness and/or some whiskey [the 'e' implies it is usually not Scotch whisky] at The Dirty Onion. I'm not sure if it's the endearing smell of peat wafting from the rear fireplace, the distractingly ugly Jameson Barrel-Man sculpture as you enter the brick false walls of the entrance and front garden, or just the overall casual feeling of the place, but you always feel welcome in its embrace. The Guinness is reliably well-poured with clean lines, and the whiskey selection ranges from a Pappy Van Winkle bourbon to the major Scotch options and the full range of Irish whiskey [Redbreast 12 being my default]. As an excellent complement, upstairs is one of Belfast's best lunch spots, the Yardbird, where the menu is perfectly simple and I cannot imagine ordering anything other than the 1/4 chicken [roasted on the spit] and skin-on fries [with a mix of their smokey barbecue sauce and mayonnaise]. The pints are delicious up there, too.

Bringing the craft beer world to Belfast

Nine months ago, I would have stated the best place in Belfast to find craft beer was at Hudson Bar. While they have been surpassed by another, they continue to offer a solid, rotating list of mostly English, Scottish, and Irish beers, such as BrewDog Dead Pony or Five AM, and they have a great "beer garden" for enjoying a pint on a sunny, summer afternoon [if you theoretically would ever do that kind of thing].

Lingerie & Gin

One bar in Belfast very clear about its identity is Muriel's Cafe Bar. If you enjoy gin drinks, don't you dare enter here with a specific brand in mind. It would be an insult to the bar staff not to ask what they recommend from the wall of dozens of different gins, which range from fruit-infused to spiced to the traditional London varieties, but I don't think I've had the same one twice, and they all go very well with Fever Tree gin. Once you've made your choice, you can stay near the bar on the ground floor and bump your head on the various lingerie dangling from the ceiling, or you can choose to look upstairs for room on the plush lounge-style couches. It really depends on your mood.

Humour and meet-ups

The 2015 NI Pub of the Year - City was awarded to Sunflower Public House. I am not a frequent patron, at all, but I appreciate its exterior signs and its serving as a great venue for most of the monthly Belfast Beer Club meetings, of which I have made a shamefully small number.

A solid local with pies and sport

Though we rarely get there now, while in our long-time temporary office, the Rapid7 "local" was The Garrick Bar, and it was also the first bar I visited in Belfast [oh so long ago]. We did watch a significant portion of last year's World Cup there, with the benefit of a front bar and back bar offering two separate games simultaneously. There is an extensive list of German beers available if you don't want a well-poured Guinness, and I was pleasantly surprised to find St. Stefanus on the list of bottles they stock. The main reason we return these days is to satisfy a meat pie craving or just enjoy the free sausage and other canapes they periodically offer to the patrons on large metal trays.

Bots & Beer Catalogues

I feel like I spent more than a year whingeing about the lack of a world-class beer bar in Belfast, and the Kickstarter-funded, Austin/Belfast "brew from a mobile app and fancy kit" Brewbot opened a bar below their corporate office on the Ormeau Road and curbed my complaints in satisfying fashion. The first time I visited, I was offered a job because I had tasted every one of their many beers, but in only a few months, they've made that nearly impossible. Flights of beer are available in two sizes, beers from across North America, the British Isles, and continental Europe are available on draught or in bottles, and you can even get a high-end espresso drink to keep you awake long enough to sample more delicious craft beer. I'll stop. Okay, just one more thing: their beer list is a minimum of fifty pages, so instead of ignoring your friends to stare at your phone, you can ignore them to continuously read about your next potential beer [theoretically, if you are that kind of person].

Grandiose and hard to fill

We have our annual University recruiting event [as pictured] at the tea business-turned-whiskey distillery-turned-bank-turned-bar that is Cafe Vaudeville. We have proven it fits well over two hundred thirsty students. I really enjoy its new lunch menu. It is a sight to behold. They have outdoor tables during some of Belfast's 9-month spring/autumn season [2015 included no summer]. Visit.

A roofdeck? In Belfast?

I feel like the last person to find out about The Perch, but I knew Rita's just below as the only place I've found Hitachino Nest in Belfast, and when we were suddenly brought from there through a hallway filled with bird sounds and up an old-school lift, I really liked the partially-open rooftop hosting this bar. If you're worried about the cold, the staff frequently walk around with soft blankets, and the heat lamps above most tables are quite comforting.

Get dressed, we're getting some mixed drinks

The first time I visited The Albany, I had a delicious steak and my wife had a great mixed drink, but we would never forget how decked out everyone got before stepping in the door. The bar staff likely go by the title "mixologists" and there is an array of international beers available, but you go for the social atmosphere and to lose your train of thought staring into the chandelier.

Don't you dare change on me, Buckfast

I haven't reviewed to check, so I'll do what most people do with statistics [make them up]. It was disappointing to decrease my "Buckfast in the wild" discovery rate to only around 1.0 per month [wild ass guess] with last month's zero, but just last week I came upon the aftermath of either (a) a Heineken bottle shedding its glass to evolve into a more potent beast or (b) a turf war between the two.

2014 InfoSec retrospective, predictions for 2015

It's that time of year: We take stock of the year that was, and look to what's coming next. I thought it would be interesting to turn to various experts within Rapid7 for their own musings on how security, as an industry, did in the past year, and where our industry is headed in 2015. They've kindly shared their perspectives and predictions with us below. I'm curious what you think—what was the watershed moment for infosec in 2014? What's going to drive conversations in 2015? Comments, retorts, haikus—all are welcome in the comments and on social media.—@mvarmazis

Ross Barrett, Senior Manager Security Engineering (@r3dsl1m3)

Key takeaway of 2014: Marketing your security research became as important as what you actually found. For every ShellShock and Heartbleed there were a half dozen other attempts to market a minor or non-issue as “the next big thing."

2015 prediction: 2015 will see an increase in the surge of “big market” vulnerability disclosure, where vulnerabilities are disclosed in a very careful, coordinated way to maximize media impact for those backing the researchers. We will see a regular marching band of “named” issues with logos and well-worded blogs.

Josh Feinblum, VP of Information Security (@thecustos)

Key takeaway of 2014: Traditional business and technological approaches are missing the mark. Companies need to view security as an enterprise problem, not an IT problem, and the security industry must invent new technologies and approaches that can identify reliable indicators of compromise that generate a manageable number of outputs.

What stood out in 2014: The volume, severity, and age of vulnerabilities discovered in broadly deployed open source packages, coupled with the significant up-tick of highly visible and increasingly impactful breaches.

2015 prediction: The security industry will focus on making tooling and services more accurate and reliable by improving correlation capabilities across IT and security event sources. The focus will be producing accurate and reliable tooling, especially in the incident detection and response arena. We will see high-profile breaches expand from retail to healthcare, financial service, and media organizations, resulting in a continued uptick in efforts to understand and respond to security-related risks at the board and executive levels of organizations across all industries.

Tas Giakouminakis, Co-Founder and CTO

Key takeaway of 2014: 2014 was the year our hearts bled for bug bashing poodles, and that trend is likely to continue. Shellshocked security practitioners took the brunt of this as organizations, even those with well-funded programs, struggled to staff appropriately. We're seeing greater demand throughout the security community to make a dent here. Projects like our own Sonar are giving a view of the software and hardware the Internet is powered by, and researchers like our own folks and Google's Project Zero are making concerted efforts to find the vulnerabilities that lay dormant within the technology powering our world. We're also hearing organizations screaming for more trained professionals, and we can only hope the educational community will pick up on this trend and develop the programs necessary to educate students on cybersecurity for tomorrow's workforce. It also seems 2014 may well have been the year security finally got a seat at the table. All it took was a CEO losing his job and executives being pulled into senate hearings, but it seems the tide has finally shifted from "how do I get the Board & C-suite to care," to funded security initiatives and a desire to build a program, but the lack of staff to do it.

2015 prediction: We'll continue to see attacks against users, stolen/default credentials, and popular but unpatched vulnerabilities. I'm sure we'll continue to see these vectors in 2015, and beyond.

Nick Percoco, VP of Strategic Services (@c7five)

Key takeaway from 2014: While it is just at the end of the 2014 year, I think the event that is going to really change the way that 2015 is impacted will be the Sony Pictures breach. To me, this is much more impactful to the minds of corporate executives than the Target breach. The Target breach only affected highly replaceable data (credit card numbers). Sure, the reputation of Target was tarnished during the most important time of the year, but what is going on at Sony Pictures is far worse in my opinion. It is showing what the value of protecting internal communications and data on a company's own employees really is.

2015 prediction: In 2015, more and more executives are going to be asking questions well beyond protecting customer data. They are going to start to focus their attention on how their internal communications and collaboration can be protected from a leak in the event that an enterprise-wide data breach happens.

Eric Reiners, Senior Director of Products

Key takeaway of 2014: Offensive technology is outpacing defensive techniques, which requires us all to think differently about knocking out whole classes of attacks.

What stood out in 2014: Heartbleed and other fundamental flaws in key Internet infrastructure caused us to question the foundation of the internet with regards to the privacy and security of our communications.

2015 prediction: Security teams will need to align further with the business in order to show their value and make forward progress at reducing risk.

Lee Weiner, Senior VP of Products & Engineering (@leeweiner)

Key takeaways of 2014: Users are a major risk and weakness in corporations. This is due to how empowered they are, the devices they have access to, the data they can use anywhere, anytime. Attackers know this and take advantage of it. Credentials are at a crossroads: passwords are being stolen, sold and used to compromise networks and accounts. This needs to be monitored, but better yet needs to be addressed. 2 Factor Authentication has been around a long time, and there is no better time than now to implement it. Credit card data still holds value on the black markets and is still motivating attackers to compromise point-of-sale systems – EMV can't come soon enough. The security skills gap is having a major impact on companies and the industry at large; organizations can't hire security expertise and are having to outsource more and more.

2015 prediction: Lee put together a Whiteboard Wednesday with his 2015 predictions, which you can see right here: http://www.rapid7.com/resources/videos/trends-in-2014.jsp

If you'd like more analysis on how to prepare for a more secure 2015, have a listen to our free 2015 Security New Year webcast.

2014 Predictions: Cloudy With a Chance of Data Loss

It's the start of a new year, and over the holidays I asked the security researchers and aficionados at Rapid7 to dust off their crystal balls, deal out their tarot cards, throw down their runes, and study their tea leaves to come up with predictions for security trends in 2014. Once they stopped heckling me, they did agree to share their insights for what we may see in the coming year, and without so much as a suggestion of killing a goat. Here are seven of their predictions (yes, yes, we like things in sevens):

· Cloud services will be the big targets. Many of the team highlighted that the shift towards storing data and moving computing into the cloud, coupled with the impracticality or complexity of fully managing this infrastructure from end-to-end, will undoubtedly continue to attract attackers. We expect to see more cloud services and providers compromised, and this will likely draw the attention of auditors, who will require greater logging and monitoring of the way data stored in the cloud is accessed.

· Deception-based attacks will rule! We will see a continuation of the trend towards deception-based attacks, with these methods reported as significant entry-points in major breaches. Phishing will continue to be a successful attack vector and reduce the technical requirements for initial entry. Organizations will continue to struggle to defend against these kinds of attacks, and will remain focused on mitigating more traditional brute force methods.

· The Internet of Things will introduce risk into EVERYTHING. Consumer devices are increasingly becoming network-connected, introducing risk into all walks of life, from your home, to your office, your car, your gym, your doctor's surgery, etc. In recent years, we've seen the variety of network-connected devices expand massively, with TVs, storage, cameras, thermostats, medical devices, exercise machines, and garage doors just a small sample of the kinds of “things” now being connected to the Internet. This is only set to continue – we're already seeing network-enabled toasters, kettles, fridges and much more emerging. Unfortunately, researchers have found time and again that security issues abound on embedded devices, and they are typically very poorly patched. Rapid7's chief research officer, HD Moore, highlighted this with research on UPnP, Supermicro, and IPMI, the latter building on the work of researcher Dan Farmer. 2013 was a big year for worms and other forms of exploitation of these issues, and it's likely we will see a significant increase in these types of attacks as the adoption of embedded devices explodes.

· Malware will be increasingly purpose-oriented. Mark Schloesser, security researcher for Rapid7 Labs, expects a trend towards slimmer and more purpose-oriented malware samples instead of the general-purpose kits that have been popular in the past. We are currently seeing the increased use of "droppers" – small binaries that do nothing but look for a new binary and download and execute it once it is offered – especially in the area of more targeted attacks and better organized campaigns. Mark's prediction is that this trend will carry over to the general cybercrime area and that there will be builders and kits that allow easy creation of these special-purpose chains of malicious code. While being slightly more complex to maintain, the resulting code is less noisy and hides the purpose of an infection before its actual malicious behavior is triggered, and thus raises fewer flags on the defender's side.

· PCI 3.0 will drive pentesting adoption. Christian Kirsch, Metasploit product manager, predicts that PCI 3.0 will create a huge pull for penetration testing in 2014. Previously, companies could get away with just doing an nmap or Nessus scan and calling it a pentest to check the box. PCI 3.0 now defines a pentesting methodology to which organizations need to adhere. Since it's hard to build expertise quickly, time savings for existing pentesters will be huge, as will measures that simplify training needs for new team members.

· Widescale scanning of the internet will increase. Tod Beardsley, Metasploit engineering manager, and Dan “Viss” Tentler, pentester, both agree that scanning tools such as zmap have made it vastly easier to scan the entire routable internet address space. As a result, these kinds of scans will no longer be the province of a handful of people and organizations, and will become increasingly commonplace in 2014. Heightened awareness of the surveillance opportunities on the web will also drive an interest in this amongst security professionals. The good news is that these kinds of scans reveal a great deal of information on real-world threats. Security professionals can apply these findings to their own environment to improve their risk management strategies.

· Mobile malware will target data contained in apps. Giri Sreenivas, general manager and VP for mobile security, predicts that we will see an increase in malware that targets data contained by specific apps on mobile devices. Most recently, there was an app removed from Google Play for targeting WhatsApp chat history data for exfiltration off the device. With the growth in smartphone and tablet usage, it is becoming increasingly worthwhile for malware authors to target the most popular applications, knowing that their potential audience of targets may number in the hundreds of millions.

We didn't specifically call out big data, despite it being one of the most discussed topics in security last year. We're quite sure the noise around it will continue in 2014, but that doesn't seem particularly interesting as predictions go. And as I said, we like things in sevens.

So what do you think? Do you agree? Do you disagree? Did you get a visitation from the spirits last night that led you to greater wisdom? Let us know in the comments section below.
