4 min
Penetration Testing
IoT Security Testing Methodology
By
Deral Heiland IoT - IoT Research Lead Rapid7
Nathan Sevier - Senior Consultant Rapid7
Chris Littlebury - Threat Assessment Manage Rapid7
End-to-end ecosystem methodology
When examining IoT technology, the actionable testing focus and methodology is
often applied solely to the embedded device. This is short sighted and
incomplete. An effective assessment methodology should consider the entire IoT
solution or as we refer to it, the IoT Product Ecosystem. Every interactive
component that makes
2 min
Microsoft
Patch Tuesday - May 2017
It's a relatively light month as far as Patch Tuesdays go, with Microsoft
issuing fixes for a total of seven vulnerabilities as part of their standard
update program. However, an eighth, highly critical vulnerability (CVE-2017-0290
) that had some of the security community buzzing over the weekend was also
addressed late
Monday evening. A flaw in the
4 min
Automation and Orchestration
ChatOps for Security Operations
Synopsis
Bots are tiny helpers that can be part of any applications and are well suited
for a large scale, repetitive and real time tasks. They enable highly qualified
security teams to focus on more productive tasks such as building, architecting
and deploying rather than get occupied with menial tasks. Additionally, they act
as sharing and learning tools for everyone in the organizations and provide
context for all conversations and collaborations.
Benefits of ChatOps for Security
ChatOps
2 min
Metasploit
Metasploit Weekly Wrapup
hdm recently provided a new exploit module for a type confusion vulnerability that exists in Ghostscript versions 9.21 and earlier, allowing remote code execution on the target.
7 min
Verizon DBIR
2017 Verizon Data Breach Report (DBIR): Key Takeaways
The much-anticipated, tenth-anniversary edition of the Verizon DBIR has been
released (Updated here: https://www.verizon.com/business/resources/reports/dbir/
), once again providing a data-driven snapshot into what topped the cybercrime
charts in 2016. There are just under seventy-five information-rich pages to go
through, with topics ranging from distributed denial-of-service (DDoS)
to ransomware,
prompting us to spin a reprise ed
2 min
3 Simple Ways to Approach Content Security Policy
In the 2 previous posts about Content Security Policy, we talked about the main
reasons why you need to get started with CSP and the common problems that you
will run into. In this post, we will dive deeper into the 3 types of CSP
solutions.
Phased Approach
Because reports of violations can be overwhelming for both analysis and
performance reasons tCell recommends starting with the most critical directives
first (such as script-src and object-src which help prevent XSS) and a very
permissive s
5 min
Komand
Translating and Detecting Unicode Phishing Domains with Komand's Security Orchestration Platform
I don't know about you, but in the past few weeks, my news feed has been abuzz
with unicode domain names as phishing
URLs. The use of unicode
domain names is a version of a homograph attack applied using International
Domain Names (IDN).
The underlying problem is that it’s difficult to visually distinguish some
unicode characters from ASCII ones. Luckily, Chrome and Firefox have stopped
converting domain names
2 min
Komand
Asia Cybersecurity Event Calendar [Free Shared Google Calendar]
Cybersecurity events and conferences are ways for the infosec community to
connect and share their knowledge. We’ve provided an extensive calendar of
events for US cybersecurity events
,
and now we are pleased to present the latest and upcoming events in other
regions of the world. This time though, we’re taking it international with an
Asia cybersecurity events list and shared calendar!
The Asian continent is home to
11 min
Komand
A Privacy Stack for Protecting Your Data
Over the years, there have been a number of incidents that have raised my
security-guy neck hairs. Every time something crops up, I get a bit more worried
about where my data lives, and who is privy to it that I don’t know about.
Most recently, we have the dismantling of privacy rules that protect our
information from being wantonly sold off by our ISPs, even more in depth
searching at US borders, large scale sweeping up of people and associated
electronic devices at occurrences of civil unrest
3 min
Vulnerability Disclosure
R7-2017-02: Hyundai Blue Link Potential Info Disclosure (FIXED)
Summary
Due to a reliance on cleartext communications and the use of a hard-coded
decryption password, two outdated versions of Hyundai Blue Link application
software, 3.9.4 and 3.9.5 potentially expose sensitive information about
registered users and their vehicles, including application usernames, passwords,
and PINs via a log transmission feature. This feature was introduced in version
3.9.4 on December 8, 2016, and removed by Hyundai on March 6, 2017 with the
release of version 3.9.6.
Affec
5 min
Microsoft
Actionable Vulnerability Remediation Projects in InsightVM
Security practitioners and the remediating teams they collaborate with are
increasingly asked to do more with less. They simply cannot remediate
everything; it has never been more important to prioritize and drive
remediations from start to finish.
The Remediation Workflow capability in InsightVM
was designed to drive more
effective remediation efforts by allowing users to project manage efforts both
large and small. Remediation Workflow is designed
4 min
CIS Controls
The CIS Critical Security Controls Explained - Control 6: Maintenance, Monitoring and Analysis of Audit Logs
In your organizational environment, Audit Logs are your best friend. Seriously.
This is the sixth blog of the series based on the CIS Critical Security Controls
. I'll be
taking you through Control 6: Maintenance, Monitoring and Analysis of Audit
Logs, in helping you to understand the need to nurture this friendship and how
it can bring your information security program to a higher level of maturity
while helping gain visibilit
4 min
Automation and Orchestration
Introduction to ISO/IEC 27035 - the ISO Standard on Incident Handling
Synopsis
In the series of articles titled “Incident Response Life Cycle in NIST and ISO
standards” I review incident response life cycle, as defined and described in
NIST and ISO standards related to incident management.
I introduced these standards in the first article in this series
and later in this article
I
start
4 min
Automation and Orchestration
Introduction to ISO/IEC 27035 - Planning for and Detection of Incidents
Synopsis
In the series of articles titled “Incident Response Life Cycle in NIST and ISO
standards” I review incident response life cycle, as defined and described in
NIST and ISO standards related to incident management.
I introduced these standards in the first article in this series
and later in this article
I
start
4 min
Automation and Orchestration
Introduction to ISO/IEC 27035 - Assessment and Responding to Incidents
Synopsis
In the series of articles titled “Incident Response Life Cycle in NIST and ISO
standards” I review incident response life cycle, as defined and described in
NIST and ISO standards related to incident management.
I introduced these standards in the first article in this series
and later in this article
I
start