Author: Rapid7

[Security Nation] Jeremi Gosney on the Psychology of Password Hygiene

In this episode of Security Nation, Jen and Tod talk to renowned password security expert Jeremi Gosney about how we are all guilty of bad password practices. He discusses the psychology of how we develop the various words/phrase combinations that become our crackable passwords.

Stick around for the Rapid Rundown, where Tod and Jen dive into a great story for Cybersecurity Awareness Month as well as bad data-governance practices.    

Jeremi Gosney

[Security Nation] Jeremi Gosney on the Psychology of Password Hygiene

Jeremi Gosney is a renowned password cracker and password security expert. He is a member of the Hashcat core development team, the former CEO of the password cracking firm Terahash, and the author of the Pufferfish and hmac-bcrypt password hashing functions. He also helps run the DEF CON Password Village and the PasswordsCon track at Security BSides Las Vegas.

Show notes

Interview links

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[The Lost Bots] S02E05: The real magic in the Magic Quadrant

In this episode, we discuss the best use of market research reports, like Magic Quadrants and Waves. If you're in the market for a new cybersecurity solution, do you just pick a Leader and call it a day?

“Consult the MQ only after you’ve identified two vendors that would be a perfect security solution for you,” say our hosts Jeffrey Gardner, Detection and Response Practice Advisor and Stephen Davis, Lead D&R Sales Technical Advisor. When you have two that meet or exceed the requirements? “I'll be honest, I might not care about the MQ placement,” says Davis.

Do not under any circumstances leave before the jazz hands bit: they do gather themselves and talk about how outcomes have to run the show, first and always.

Check back with us in November for our next installment of The Lost Bots!

Additional reading:

Emerging best practices for securing cloud-native environments

Globally, IT experts recognise security as the most significant barrier to cloud adoption, in part because  many of the ways of securing traditional IT environments are not always applicable to cloud-native infrastructure. As a result, security teams may find themselves behind the curve and struggling to keep up with the ambitious digital transformation programs set by their senior leadership teams.

As technology evolves and threats change rapidly, organizations that stay abreast of the latest developments, trends, and industry standards tend to have fewer security risks than those that don't. Failure to do so can lead to data breaches, compliance violations and increased costs. From creating a security culture to implementing innovative solutions, it’s clear a new approach to security is required; one that is more automated and based on best practices that consider the following:

Speed vs security

Finding the right balance between security and speed can be difficult, especially when trying to keep pace with your organization’s cloud migration and digital transformation strategy. Securing your continuous integration and delivery (CI/CD) pipeline can be challenging if visibility, governance and compliance lack across your IT environment.

Ensuring errors and missteps are detected and minimised requires a consistent set of processes, people, and tools. By putting challenges into logical groups, you can address each one more effectively.

For example, the first stage of the CI/CD pipeline is vulnerable to human error. Adopting the DevSecOps model adds security to the DevOps working processes as a continuous activity, allowing security policies to be defined and enforced at every pipeline stage — including development and testing environments. Although, moving away from traditional processes requires strong foundations to transform and change.

Operationalising cyber security

As the number of workloads in the cloud increases, security challenges can sometimes fall between the gaps and outside of traditional processes, increasing additional risk from a technical and operational perspective. When everyone understands cybersecurity processes, their importance and why it's necessary, they'll take action. Holding people and business units accountable for their efforts lets you measure your cyber security programs' effectiveness to discover any necessary improvements. This will result in better decision-making and measurable risk reduction; not to mention greater understanding and awareness of security across your organization.

Begin by understanding where and how security gaps are being created. Once you’ve identified these gaps, prioritise them based on business impact and the likelihood of occurrence. Ask your peers; in the event of a breach, what data would you be most concerned about if hackers applied ransomware to it? With this information in hand, it becomes easier to identify the appropriate controls and solutions to help identify your organization's cyber maturity.

Knowledge sharing

Encouraging knowledge sharing is a great way to help address the skills gap. The more we share our experiences, the easier it is to improve processes and procedures to reduce the risk of mistakes reoccurring. But how do you make sure you get it right?

Join Alex Noble, cloud security lead and Jason Hart, chief technology officer EMEA, for our Lunch and Learn Series: Stay ahead of the curve. During these exclusive, interactive virtual sessions, we will explore emerging best practices driven by new technologies and evolving business models. Don’t miss your chance to connect with local peers and team members over a complimentary virtual lunch.

Join the conversation and save your seat.

A SIEM With a Pen Tester's Eye: How Offensive Security Helps Shape InsightIDR

To be great at something, you have to be a little obsessed. That's true whether you want to be a chess grandmaster, become an internationally recognized CEO, or build the best cybersecurity platform on the planet.

At Rapid7, our laser-focus has always been trained on one thing: helping digital defenders spot and stop bad actors. From the start of our story, penetration testing — or pen testing, for short — has been one of the cornerstones of that obsession. The offensive security mindset influenced the way we built and designed InsightIDR, our cloud-native XDR and SIEM.

On the offensive

Before we ever released InsightIDR, there was Metasploit, an open-source pen testing framework. Originally developed by HD Moore, Metasploit allows offensive security teams to think like attackers and infiltrate their own organizations' environments, pushing the boundaries to see where their systems are vulnerable. Those insights help the business identify the most serious issues to prioritize and patch, remediate, or mitigate.

Offensive security strategies provide a much-needed foundation for assessing your risk landscape and staying a step ahead of threats — but the task of building and operationalizing a security strategy doesn't end there.

"The biggest misconception about pen testing that I hear repeatedly is, 'We're going to pen-test to test our response time or test our tools,'" says Jeffrey Gardner, Rapid7's Practice Advisor for Detection and Response. "That's not the purpose of a pen test."

Pen testing is a critical step in understanding where and how your organization is vulnerable to attackers, and what kinds of activities within your environment might indicate a breach. This is essential information for setting up the detections that your security operations center (SOC) team needs in order to effectively safeguard your systems against intrusion — but they also need a tool that lets them set up those detections, so they can get alerts based on what matters most for your organization's specific environment.

Pen testing itself isn't that tool, nor does it test the effectiveness of the tools you have. Rather, pen testing looks for your weaknesses – and once they’re  found, looks for ways to exploit them, including using stolen credentials to move across the network.

Mapping how bad actors behave

That's where the importance of having a security incident and event management (SIEM) solution built with offensive security in mind comes in — and that's exactly what our years of experience helping organizations run pen tests and analyze their attack surface have allowed us to build. InsightIDR is a unified SIEM and XDR platform designed with a pen tester's eye. And the key to that design is user and entity behavior analytics (UEBA).

See, the problem with detecting attackers in your network is that, to the human eye, they can look a lot like regular users. Once they've hacked a password or stolen login credentials through a phishing/scam attack, their activities can look relatively unremarkable — until, of course, they make the big move: a major escalation of privilege or some other vector that allows them to steal sensitive data or upend systems entirely.

It takes years of experience understanding how attackers behave once they penetrate networks — and the subtle ways those patterns differ from legitimate users — to be able to catch them in your environment. This is exactly the type of expertise that Rapid7 has been able to gain through 10+ years of in-the-trenches experience in penetration testing, executed through Metasploit. Everything we had learned about User and Entity Behavior Analytics (UEBA) went into  InsightIDR.

InsightIDR continuously baselines healthy user activity in the context of your specific organization. This way, the tool can spot suspicious activity fast — including lateral movement and the use of compromised credentials — and generate alerts so your team can respond swiftly. This detections-first approach means InsightIDR comes with a deep level of insight that's based on years of studying the attacker, as well as an understanding of what alerts matter most to SOC teams.

Watch a free demo today to see InsightIDR's attacker-spotting power in action.


[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research

In this episode of Security Nation, Jen and Tod talk to James Kettle of PortSwigger. Their discussion includes research for new web-attack techniques and how those get field tested (hint: bug bounties). The research is kept fresh from donations gleaned from the bug bounty field tests. PortSwigger validates their research in the real world, and those advances in web-attack techniques are published and disseminated in and effort to fix bugs and misconfigurations.

Stick around for the Rapid Rundown, where Tod and Jen talk about the recent Fortinet advisory concerning the "silent patching" of bugs without disclosure of any real details – only to have attackers go and reverse it all anyway.  

James Kettle

[Security Nation] James Kettle of PortSwigger on Advancing Web-Attack Research

James 'albinowax' Kettle is Director of Research at PortSwigger. His latest work includes browser-powered desync attacks and web-cache poisoning. James has extensive experience cultivating novel attack techniques, including RCE via Server-Side Template Injection and abusing the HTTP Host header to poison password reset emails and server-side caches. James is also the author of various popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues, including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.

Show notes

Interview links

  • Prior Security Nation episode in which loads of Portswigger references were dropped:
  • https://www.rapid7.com/blog/post/2021/08/18/security-nation-daniel-crowley/
  • New research from James about browser-powered desync attacks:
  • https://portswigger.net/research/browser-powered-desync-attacks

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[The Lost Bots] S02E04: Cyber's Most Dangerous Game — Threat Hunting

Welcome back to The Lost Bots! In this episode, we dive into one of our favorite topics: threat hunting. It's a subject we've talked about before, but this time, we're focusing on the practical side of getting your threat hunting efforts up and running.

Our hosts Stephen Davis, Lead D&R Sales Technical Advisor, and Jeffrey Gardner, Detection and Response Practice Advisor, give us the basics of what a threat hunting hypothesis is and what makes a good one. They talk about the importance of ensuring your hypothesis is both observable and testable. They also cover the differences between intelligence-driven, situational, and domain expertise hypotheses, and explain how to actually put these concepts into action when engaging in cyber threat hunting.

Check back with us on Thursday, October 26, for our next installment of The Lost Bots!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Taki Uchiyama of Panasonic on Product Security and Incident Response

In this episode of Security Nation, Jen and Tod chat with Taki Uchiyama about his work on Panasonic’s Product Security Incident Response Team (PSIRT). They chat about educating folks on vulnerabilities associated with smart devices, the challenges of running PSIRT’s training sessions during the pandemic, and the importance of building security into internet-connected products.

Stick around for our Rapid Rundown, where Tod and Jen talk about a new white paper that shows how parking and toll apps that read license plates could inadvertently be used as a surveillance system.

Taki Uchiyama

[Security Nation] Taki Uchiyama of Panasonic on Product Security and Incident Response

Taki Uchiyama is a member of Panasonic PSIRT and is in charge of global product security activities. His main roles include the coordination of vulnerabilities, creating and conducting product security training to product developers, and providing assistance to product development teams on product security matters as necessary. Aside from his role in Panasonic, Taki has been a CVE Board Member since 2016. Prior to joining Panasonic, Takayuki worked at JPCERT/CC, where his main tasks involved the coordination of vulnerability reports with PSIRT's, taking part in various discussions groups related to the identification, analysis, coordination, and disclosure of vulnerabilities.

Show notes

Interview links

  • Check out Panasonic's delightful PSIRT page – especially if you have a vulnerability in one of Panasonic's many, many products to report.

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs

In this episode of Security Nation, Jen and Tod chat with Chris Levendis of MITRE and Lisa Olson of Microsoft about assigning CVE IDs for vulnerabilities affecting cloud solutions. They recount their experiences working with the CVE board to establish guidelines for disclosing cloud vulnerabilities and talk through some of the challenges in understanding responsibility for mitigating and managing risks in the cloud.

Stick around for our Rapid Rundown, where Tod and Jen talk about a helpful new feature in iOS 16 that allows users to tell their devices to forget certain Wi-Fi networks, as well as RFC 9293, the newly dropped transmission control protocol (TCP) that obsoletes RFC 793.

Chris Levendis

[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs

Chris Levendis is a Principal Systems Engineer in the Cybersecurity Operations & Integration department in the Center for Securing the Homeland at MITRE. He has supported various DHS missions since 2004, including infrastructure protection and cybersecurity. Currently, in support of the Cybersecurity and Infrastructure Security Agency (CISA), Chris leads the Homeland Security Systems Engineering and Development Institute’s (HSSEDI) work for Threat Hunting, Office of the Chief Technology Officer (OCTO), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC).  

Lisa Olson

[Security Nation] Chris Levendis and Lisa Olson on Cloud CVEs

Lisa Olson has been in the business of developing technology and products to manage complex networks and network devices since the 1980s. She started her career working as a software engineer for IBM and has gone on to management positions for large companies including Boeing and Jupiter/Media Metrix.

For the last 10 years, Lisa has immersed herself in cybersecurity by managing Microsoft’s monthly Security Update releases (aka Patch Tuesday). Under her leadership, Patch Tuesday has undergone digital transformation from a primarily manual labor-intensive production of security bulletins for a relatively small number of products, to a highly automated all-electronic environment supporting hundreds of products including Microsoft’s Azure via a database and APIs. The Security Update Guide is published by Lisa’s team every month and provides information about Microsoft’s CVE list.

Show notes

Interview links

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today

5 Things Rapid7 Looks for in a BDR, and How We Spot Them

Every successful organization has a great salesforce. At Rapid7, the Business Development Representative (BDR) Program is a huge source of talent for our sales organization. Some of our most successful salespeople come from the program. So, what is it?

The BDR Program at Rapid7 is an entry-level program that aims to provide early careerists the opportunity to kickstart their career and grow their selling skills. As a part of the program, new hires develop the skills to uncover opportunities with prospects and customers and partner with account executives to continue to expand their knowledge around the entirety of the sales cycle.

As we gear up to welcome another round of applicants, our Talent Acquisition Partner, Lauren Coloumbe, shares five things we look for in BDRs and how we spot them in the interview process.

5 Things Rapid7 Looks for in a BDR, and How We Spot Them
Lauren Coloumbe, Talent Acquisition Partner at Rapid7

1. An interest in the sales process

Sales gives you an opportunity to flex a lot of different problem-solving muscles. At Rapid7, we believe the key to solving problems effectively is through building strong relationships. Each customer has different needs and priorities, and building a relationship establishes trust and understanding that will help us learn more and determine how Rapid7 can meet those needs.

How we spot it: We’re looking for people who demonstrate a passion for problem-solving and are excited to build relationships. Sharing what you’re passionate about in your career and how a role in sales can help you use these skills is something we want to see.  

2. Interest in or curiosity about cybersecurity

You don’t have to be a subject matter expert, but showing an interest in our industry is a great way to help you stand out. Our lives are becoming more digital and connected every day. While that comes with a lot of excitement and efficiency, it also opens up a lot of new risks to our information and communities.

How we spot it: Think about real-life examples of cybersecurity threats around you every day and how impactful it can be to play a role in protecting not only our customers, but our communities at large. We love when candidates can make a personal connection to our mission or share something interesting they may have learned when conducting some initial industry research.  

3. People who are open to learning

We don’t expect you to come in with a ton of industry knowledge, but we do expect you to be prepared to learn, take direction, and ask thoughtful questions. As a BDR, you will be given a lot of opportunities for coaching and development. Being open to learning new things will help you grow and establish a strong foundation.

How we spot it: Natural curiosity drives opportunities for learning. Think of a time when you were especially curious about something or were put in a position where you had to learn a new skill or subject. The interview is also an opportunity for you to express your curiosity. Ask thoughtful questions and let us see your curiosity in action.

4. Team-oriented individuals

At Rapid7, selling is a team sport. You’ll have a group of people in your corner who are invested in your success and ready to lend a helping hand, and you’ll be encouraged to do the same when you get the opportunity. The more we partner together, the better outcomes we can create for our customers and for the company.

How we spot it: There's nothing wrong with celebrating your wins, but how you got there and how you worked as part of a team are equally important. Share examples of how you worked as a team and either succeeded or failed together. Focus on the effort of the team and the collective impact rather than your own personal role in the process.

5. Challenging convention

Challenging convention means speaking up to share an idea when you feel it can benefit the team. This is a place where everyone is expected to check their ego at the door. This makes it easy for everyone to try new things, fail, learn, and try again. You don’t need to be a manager or a long-time employee to challenge convention, we all have an equal voice when it comes to creating positive customer outcomes.

How we spot it: Think of examples where you stood up for a new or different way of doing things. How did you challenge the status quo or share a new perspective that helped the final outcome?

Learn more about our BDR program and entry-level sales roles at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


[Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

In this episode of Security Nation, Jen and Tod chat with Gordon “Fyodor” Lyon, author of the widely used open-source Nmap Security Scanner. On the doorstep of Nmap’s 25th anniversary, Gordon and our hosts talk about the tool’s impact on asset management, as well as the struggles and triumphs of creating and managing the solution. They even cover a few highlights from Hollywood films where Nmap makes a guest appearance.

Stick around for our Rapid Rundown, where Tod and Jen talk about a recent warning from the FBI that decentralized finance (DeFi) – i.e., cryptocurrency – poses some unique risks, which attackers are already exploiting.

Gordon “Fyodor” Lyon

[Security Nation] Gordon “Fyodor” Lyon on Nmap, the Open-Source Security Scanner

Gordon "Fyodor" Lyon authored the open-source Nmap Security Scanner in 1997 and continues to coordinate its development. His company also develops and sells Npcap, a raw networking library and driver for Windows. Npcap is now used in hundreds of other software projects, including Wireshark and Microsoft Defender for Identity. Gordon is a founding member of the Honeynet Project and served on the technical advisory boards for Qualys and AlienVault, as well as editorial boards for many conferences and journals. He authored or co-authored the books "Nmap Network Scanning," "Know Your Enemy: Honeynets," and "Stealing the Network: How to Own a Continent." He runs the "Full Disclosure" mailing list, along with popular security resource sites such as SecLists.Org, SecTools.Org, and Insecure.Org.

Show notes

Interview links

  • Check out Nmap if, for some reason, you haven’t already.
  • Learn about Npcap, the packet capture library tool that Gordon and his company also offer.
  • Watch Gordon and HD Moore, the creator of Metasploit, chat about the evolution of network scanning on YouTube.

Rapid Rundown links

Like the show? Want to keep Jen and Tod in the podcasting business? Feel free to rate and review with your favorite podcast purveyor, like Apple Podcasts.

Want More Inspiring Stories From the Security Community?

Subscribe to Security Nation Today