Rapid7 Blog

Whiteboard Wednesday  

How a breached vendor impacts your organization's security - this week's Whiteboard Wednesday

The traditional concept of the security perimeter is long outdated, and as recent headline-grabbing data breaches have shown, we must also monitor the corporate supply chain as a source of potential security issues down the road. As business systems become increasingly interconnected, the risks can grow as well. In this week's Whiteboard Wednesday, Security Engineer Justin Pagano digs a little deeper into this issue and details:

- How a vendor in your supply chain could (inadvertently) introduce risk to your organization
- Methods an attacker can use to pivot from the vendor to get directly to you
- Steps you can take to reduce your risk -- or at the very least, be more aware of your risk exposure

As always, if there's a topic you'd like to see us cover on Whiteboard Wednesday, Tweet us @rapid7, or use the hashtag #Rapid7WbW. Thanks! ~ @mvarmazis, Community Manager

The Anatomy of a Credit Card Breach: Whiteboard Wednesday [VIDEO]

The onset of the holiday season means lots of stores preparing for the inevitable shopping rush. While these retailers keep fingers crossed that customers make this season quite merry and bright, attackers also have high hopes for the season -- for lots of new credit card data to steal and sell. Plenty of organizations cover the scope and consequences of these credit card data breaches, so we thought we would walk through how these attacks actually work, from an attacker's initial entry to a network, all the way through to data exfiltration.

Have a watch: Whiteboard Wednesday: Cyber Monday: The Anatomy of a Credit Card Breach [VIDEO]

And as always, we welcome your suggestions for future Whiteboard Wednesdays - drop us a comment or tweet us @rapid7 using the hashtag #rapid7WbW.

WinShock (CVE-2014-6321) - what is it & how to remediate - Whiteboard Wednesday [VIDEO]

This month's Patch Tuesday disclosed vulnerability CVE-2014-6321, dubbed by some as "WinShock," and it's getting some major attention. Our Security Engineer Justin Pagano gives a rundown of this vulnerability with the information we have today—what it is, what it affects, and how you can best remediate it—in this Special Edition of Whiteboard Wednesday.*

Whiteboard Wednesday video: WinShock - What is it? How to remediate?

More information

Our VP of Information Security, Josh Feinblum (@TheCustos), wrote an extensive blog post yesterday on MS14-066 and WinShock specifically, especially regarding how it compares to Heartbleed and ShellShock. I highly recommend reading it if you haven't yet: SChannel and MS14-066, another Red Alert?

We know that CVE-2014-6321 is a remote code execution vulnerability in SChannel (Secure Channel), the TLS/SSL implementation built into Windows, so any Windows service that terminates TLS through SChannel is in scope, not only web servers. While it does have some potentially nasty exploit capabilities, compared to some previous high-profile vulnerabilities (like Heartbleed and ShellShock) WinShock may be easier to remediate: Microsoft has already released an initial patch (KB2992611, delivered with the MS14-066 bulletin). That said, we are still learning more about this vulnerability and we expect we will have more developments in the coming days and weeks.

As always, if you have any comments, questions, or suggestions about this or any other of our Whiteboard Wednesdays, Tweet them to @rapid7 or use the hashtag #rapid7WbW -- or of course, drop us a comment right here in the community.

-@mvarmazis

*So special, we released it on a Thursday.

The difference between an IPS & IDS - Whiteboard Wednesday [VIDEO]

Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) -- sometimes these acronyms are used a bit interchangeably, so we wanted to take a moment to clarify their differences and how these systems can be useful in your environment.

Whiteboard Wednesday: IPS and IDS: What's The Difference? [VIDEO]

Take a look at this week's Whiteboard Wednesday -- and as always, if there's a topic you'd like us to cover, drop us a comment here, Tweet us @rapid7 or use the hashtag #rapid7WbW to share your ideas. We love hearing how these Whiteboard Wednesdays have been useful for staying on top of breaking news and for user education, so your input helps us keep these helpful and relevant to you. We're listening (but not in a creepy way, promise).

Thanks!
- @mvarmazis

Whiteboard Wednesday: Insider Threat Programs - How To Get Started

Do you need an insider threat program? It's a good question - one that more companies are considering as compromised users become an increasingly popular attack vector, and malicious user behavior becomes more prevalent. In this week's Whiteboard Wednesday video, we weigh some options on why you might want to consider an insider threat program, as well as give recommendations on steps you can take to start your own. As always, if there's a topic you'd like to see us cover in a Whiteboard Wednesday, please drop us a comment, Tweet, email -- we'd love to hear your thoughts. -- @mvarmazis

Whiteboard Wednesday [VIDEO]: BashBug/ShellShock explained

On this Very Special Whiteboard Wednesday, we bring you a video on a Thursday because, well, #bashbug happened. Thankfully the sky is not falling.

In this bashbug edition of Whiteboard Wednesday, we discuss common attack vectors that could be used to exploit this vulnerability, exactly how this vulnerability compares to Heartbleed (if at all), and possible mitigating techniques—including, but not exclusively, the ever-relevant "patch, patch, patch!"

We've received a number of questions today about our products and what we're doing to help you detect this vulnerability in your environment. We're continually posting new information and making updates, so keep an eye here on SecurityStreet for new blogs, and make sure to visit rapid7.com/bashbug for a comprehensive list of bashbug resources that we've posted.

Android browser privacy bug explained [VIDEO]: Whiteboard Wednesday

todb's post earlier this week about the flaw in the Android Open Source Project (AOSP) browser has been getting a lot of attention, and for good reason: By the numbers, Android 4.2 and earlier builds have the vulnerable browser in question, and about 75% of Android devices in the world today are running pre-4.4 builds. While not everyone uses the AOSP browser on their phone—certainly Firefox, Chrome, or Dolphin are popular choices—there still could be a lot of people potentially exposed to this issue.

While I encourage you to read Tod's original blog post about this, where he walks through the history of the vulnerability in detail, we've also created this brief Whiteboard Wednesday video explainer to walk you through the high-level points. Our VP of Strategic Services, Nick Percoco (@c7five), reviews how exactly this bug works and what it means for most Android phone owners. Additionally, he discusses what corporations need to keep in mind if they have a BYOD policy with employees that are potentially exposed to this vulnerability.

Take a look at this week's Whiteboard Wednesday: Android Browser Privacy Bug Explained, and let us know what you think!

In addition, if you have any topics you'd like to have us cover, we want to hear 'em—you can drop us a comment here on SecurityStreet or Tweet us at @rapid7—our Whiteboard Wednesday hashtag is #rapid7WbW. (We love hearing about folks using our Whiteboard Wednesday videos in corporate trainings and executive presentations!)

Whiteboard Wednesday - Pen Testing for Productivity

This week's Whiteboard Wednesday finds Chris Kirsch, our Senior Product Marketing Manager for Metasploit, explaining how productivity features within pen testing tools can save you some significant time.

We here at Rapid7 obviously love open source products, but a common issue with most of them is that they don't do a great job of focusing on efficiency. If you add the lack of network security people in the market, and the fact that 46% of organizations are planning on increasing their security spend in 2014, you're looking at an ongoing issue of not enough time and people to even cover the basics. We hear from a lot of security teams and we find that most of them are overworked and are not armed with the tools needed to get the job done in an efficient manner. This leads to mediocre security assessments, since their day to day does not allow them to really focus on what matters.

We decided to ask our users just how much time they saved by using a commercial product, where they have the ability to utilize certain features that provide a great amount of efficiency, in comparison to an open source product, and the result? A time savings of 45%, which if you're like most of us in this industry, will give you the time for a much needed coffee break before diving back into your testing.

Click, and watch, and let us know if you agree in the comments below. Interested in a full Metasploit Pro productivity demo? Check out this webcast.

How to Save 140 Hours a Month on Vulnerability Management

Welcome back, Whiteboard Wednesday Fans!

Were you able to check out our Whiteboard Wednesday last week? Our very own Bill Bradley discusses how you can significantly cut down on the time spent on vulnerability management every month. Specifically, he discusses the various technologies that exist today that will help you, as a user, cut down on the amount of time needed to properly scan and remediate the vulnerabilities that are most pressing in your environment. Awesome topic, right?

If you're like most of the security teams out there - you're understaffed. You're overworked. You're spending all your time being very reactive, and you need to get as much time back as possible today in order to start being proactive tomorrow.

We've talked to most of our customers, and they all agree that when they're using the cheaper tools out there, they are getting results. The problem is, those results are just as valuable as the tools themselves. The price point is great, however the granularity of the reporting just isn't there, resulting in a lot of time spent investigating and remediating. If you are a current Nessus user or simply interested in the topic, check out this customer story of ours where a current customer of Rapid7 saves 140 hours a month on vulnerability management after switching.

Also, if you are interested in trying Nexpose, check out our free, full featured, 14-day trial here - Nexpose Enterprise Trial | Rapid7

Whiteboard Wednesday - PCI Compliance

Hello all, This week, for Whiteboard Wednesday, it's everyone's favorite Community Manager - Patrick Hellen (i.e. me), breaking down what we felt the top 4 takeaways from UNITED Security Summit 2013 were. Check it out here!

Today's Whiteboard Wednesday is all about PCI compliance. Watch as Ethan Goldstein, Security Engineer at Rapid7, tells you what PCI is, how to become PCI compliant, and what to look for in vendors that help you become compliant. Whether you are looking for a PCI Approved Scanning Vendor (ASV) or just trying to learn more about PCI, Rapid7 can help. Watch this quick video to learn more and feel free to download our free PCI compliance guide, which goes into further detail.

How Can I Protect Against Phishing? - Whiteboard Wednesdays

Phishing is on the rise as an attack vector because it's often the fastest and easiest way to penetrate a network's defenses. You're doing security awareness training, but how do your users behave when faced with a real phishing e-mail? So how can you train people to smell a phish and just say no? In this Whiteboard Wednesday, I'll walk you through some telltale signs and techniques you can use to reduce the risk of falling for phish. Topics covered in this video include:

- What is phishing?
- Different types of phish: e-mail with attachment, web-based, malware-laced, credential-capture...
- How to measure user behavior
- Improving behavior: go phish!
- How to conduct phishing exercises
- Key metrics to monitor
- Remediation: how to remove that pesky phish odor
- Tools to automate phishing

Watch the video here!
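As an added example (not part of the original post, and not the output of any Rapid7 tool), here is how the behaviour metrics listed above can be computed from the event log of one simulated phishing campaign. The log layout, the event names and the user names are all constructed for illustration; the two timings at the end show why "time to first report" matters as much as "time to first click": the gap between them is how long the security team has before a real campaign succeeds.

```python
"""Phishing-exercise metrics from a campaign event log.

Added example, not Rapid7 code and not the output format of any phishing tool:
it parses a constructed event log from one simulated phishing campaign and
computes the user-behaviour metrics worth tracking from exercise to exercise.
The log layout, event names and user names are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <event>", one line per event.
# Every targeted user gets a "sent" event; "submitted" means credentials were
# typed into the fake login page, "reported" means the user forwarded the mail
# to the security team. dave never opened the mail at all.
SAMPLE_LOG = """\
2014-10-01T09:00:00 alice sent
2014-10-01T09:00:00 bob sent
2014-10-01T09:00:00 carol sent
2014-10-01T09:00:00 dave sent
2014-10-01T09:03:12 alice opened
2014-10-01T09:04:40 alice clicked
2014-10-01T09:05:05 alice submitted
2014-10-01T09:10:00 bob opened
2014-10-01T09:10:30 bob reported
2014-10-01T09:20:00 carol opened
2014-10-01T09:21:00 carol clicked
2014-10-01T09:21:30 carol reported
"""


def parse_log(text: str) -> list:
    """Return [(timestamp, user, event), ...] in file order; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def campaign_metrics(events: list) -> dict:
    """Per-campaign rates plus the two timings that matter for response:
    how fast the first victim clicks versus how fast the first report arrives."""
    per_user = defaultdict(set)   # user -> set of events seen for that user
    first_seen = {}               # event -> timestamp of its first occurrence
    for ts, user, event in events:
        per_user[user].add(event)
        first_seen.setdefault(event, ts)

    targeted = [u for u, seen in per_user.items() if "sent" in seen]
    n = len(targeted)

    def rate(event: str) -> float:
        hits = sum(1 for u in targeted if event in per_user[u])
        return round(hits / n, 2) if n else 0.0

    def seconds_until(event: str):
        if event not in first_seen or "sent" not in first_seen:
            return None
        return (first_seen[event] - first_seen["sent"]).total_seconds()

    return {
        "sent": n,
        "open_rate": rate("opened"),
        "click_rate": rate("clicked"),
        "submit_rate": rate("submitted"),      # the number that really hurts
        "report_rate": rate("reported"),       # the number you want to grow
        "seconds_to_first_click": seconds_until("clicked"),
        "seconds_to_first_report": seconds_until("reported"),
        # users who gave up credentials: reset their passwords and retrain them
        "needs_training": sorted(u for u in targeted if "submitted" in per_user[u]),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample data the first click lands 280 seconds after delivery and the first report 630 seconds after it, so an attacker had nearly six minutes of uncontested credential harvesting before anyone on the defending side could have known. Tracking that gap, and the submit rate, across repeated exercises is a more honest measure of a training program than the open rate.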

How to Justify Your Penetration Testing Budget - Whiteboard Wednesdays

Does penetration testing seem like a good idea to you, but your managers don't seem to get it? Don't worry, you're not alone, and there is a solution. This Whiteboard Wednesday video walks you through some steps to achieve your goal - and to get your budget approved. Areas I'll touch on are:

- How do I explain penetration testing to my boss?
- Why do we need penetration testing if we have all these security controls in place?
- Should I be using the fear factor to sell security?
- How do I build on penetration testing as a success factor?
- How do I get buy-in for penetration testing?
- How do I calculate the return on investment (ROI) for penetration testing?

Click on the video to watch it! Prefer to read? Download this white paper on How to Justify Your Penetration Testing Budget.

Moving from HML (High, Medium, Low) Hell to Security Heaven – Whiteboard Wednesdays

At last check there are about 22 new vulnerabilities being published and categorized every single day (see the National Vulnerability Database web site - http://nvd.nist.gov/). In total, the National Vulnerability Database now contains more than 53,000 vulnerabilities. No wonder security professionals are overwhelmed with the sheer volume of vulnerabilities in their daily practices. At the same time, the prioritization schemes that many organizations use are quite basic and are either proprietary or only leverage some basic industry standards such as CVSS.

In this 5-minute Whiteboard Wednesday session, I'll provide a few tips and tricks on what other criteria to consider that will help your security operation save time and increase credibility with your IT operations counterparts. A few concepts I'll introduce include:

- The age of a vulnerability
- Exploit exposure
- Malware exposure
- RealRisk scoring and prioritization methods

All of these concepts can provide a more meaningful and efficient way of prioritizing. How does your organization prioritize vulnerabilities and what do you think about some of the concepts discussed in our session? I'd love to hear from you!
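As an added example (not Rapid7 code, and not the RealRisk algorithm itself), the following shows the general shape of what the three extra criteria above do to a vulnerability list: CVSS is combined with the vulnerability's age, whether a public exploit exists, and whether malware is known to use it. The weights, the one-year age horizon, the placeholder CVE identifiers and the sample findings are all assumptions constructed for this illustration.

```python
"""Risk-based vulnerability prioritization beyond High/Medium/Low.

Added example, not Rapid7 code and not the RealRisk algorithm: it combines
the CVSS base score with the three extra signals named above (vulnerability
age, public exploit exposure, malware-kit exposure) into one ordering. The
weights, the horizon, the CVE placeholders and the sample findings are all
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # placeholder IDs below, not real CVEs
    cvss: float             # CVSS base score, 0.0 to 10.0
    published: date         # date the vulnerability was published
    exploit_public: bool    # public exploit code / Metasploit module exists
    malware_kit: bool       # known to be used by malware or exploit kits


def age_factor(published: date, today: date, horizon_days: int = 365) -> float:
    """Older vulnerabilities have had more time to be weaponised and are more
    likely to be hit by opportunistic scanning. Scales linearly from 1.0
    (published today) to 2.0 (one year old or older)."""
    age = max(0, (today - published).days)
    return 1.0 + min(age, horizon_days) / horizon_days


def risk_score(f: Finding, today: date) -> float:
    """Hypothetical score: CVSS times the age factor, doubled when an exploit
    is public, times 1.5 again when malware is known to use it. Deliberately
    not bounded to 10, since the point is ordering, not a severity label."""
    score = f.cvss * age_factor(f.published, today)
    if f.exploit_public:
        score *= 2.0
    if f.malware_kit:
        score *= 1.5
    return round(score, 2)


def prioritize(findings: list, today: date) -> list:
    """Findings sorted most urgent first."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)


# Constructed sample findings (placeholder CVE IDs, not real ones).
TODAY = date(2014, 11, 1)
SAMPLE = [
    Finding("web01", "CVE-EXAMPLE-1", cvss=9.8, published=date(2014, 10, 1),
            exploit_public=False, malware_kit=False),
    Finding("db01", "CVE-EXAMPLE-2", cvss=7.5, published=date(2013, 1, 1),
            exploit_public=True, malware_kit=True),
    Finding("ws17", "CVE-EXAMPLE-3", cvss=5.0, published=date(2014, 9, 15),
            exploit_public=True, malware_kit=False),
]


if __name__ == "__main__":
    # Plain CVSS would order these 9.8, 7.5, 5.0; with exposure taken into
    # account the old, weaponised 7.5 comes first and the 5.0 with a public
    # exploit overtakes the 9.8 nobody has exploited yet.
    for f in prioritize(SAMPLE, TODAY):
        print(f"{f.host:6} {f.cve:14} cvss={f.cvss:4} risk={risk_score(f, TODAY)}")
```

The ordering is the point, not the numbers: a CVSS 7.5 that has been public for almost two years with an exploit kit using it outranks a brand-new 9.8 nobody has weaponised, and a CVSS 5.0 with working exploit code overtakes that 9.8 as well. Whatever weights you pick, write them down and apply them consistently, because the IT operations team will ask why ticket A came before ticket B.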

What is Penetration Testing? - Whiteboard Wednesdays

Are you wondering "What is penetration testing?" Need a quick primer on the topic? In this first video of our Whiteboard Wednesdays series, we're explaining what a penetration test is as well as some typical reasons why people conduct so-called "pen tests". I'll also introduce you to the typical steps of a penetration test, including:

- Reconnaissance
- Discovery
- Exploitation
- Bruteforcing
- Social engineering
- Taking control
- Pivoting
- Collecting evidence
- Reporting
- Remediation

The video also covers some pointers for setting the scope for a penetration test, whether you should choose an internal or external penetration test, and whether you should outsource your pen test or conduct it in-house. We'll also talk about how you can conduct penetration tests safely to protect your production environment.

"What is Penetration Testing?" - View video now!

Prefer a white paper to a video? Get the free white paper "What is Penetration Testing? An Introduction for IT Managers".

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Toolkit

Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.
