Federal Friday - Weekly Recap 8/23/2013

Blog Post created by jschim Employee on Aug 23, 2013

Wow, it’s August already! The Fourth of July was a month and a half ago and BlackHat/DEFCON a few weeks ago, even though it seems the hangover from the Rapid7 Party just ended for a few folks. Labor Day? Yeah, that’s only a week away. Forget talking back-to-school; I just saw a Christmas display in one of the local big-box stores here in Beantown.


Well, being that FY2013 and summer are almost over, I want to let you know about some incentives for improving your cybersecurity program. The White House said in a post last week that organizations that adopt voluntary cybersecurity standards have the potential to be rewarded nicely in return. Some of the proposed incentives include:

  • preferences in obtaining federal grants
  • expedited government services
  • lower insurance rates
  • public recognition


While these incentives may seem trivial to some, anything to get companies to become more secure is moving the needle in the positive direction. This plays off the claim from many power utilities in May that they are under constant threat of attack. On the positive side, none of these attempts led to a significant breach. What is interesting is that the types of attacks these utilities face are no different, for the most part, from those many other organizations face. The astonishing part is in the number of attempts, which for one utility was as high as 10,000 per month. Even with this report circulating, many pieces of critical infrastructure are still open to attack, and the hope is that by creating an incentive program there will be additional business drivers, in terms of cost savings, so that these organizations will speed up establishing an internal comprehensive security framework. What really hits home for me is that the true reward is the peace of mind that by adhering to these standards you have greatly improved your organization’s security posture. This will help to prevent future potential attacks, securing your brand reputation (yes, even .gov’s need to worry about that) and keeping your critical infrastructure safe. For more on this topic please head here.

Mobile Security continues to be a hot topic. So hot that the DoD has created a process to streamline the approval process for new smartphones, tablets, and even apps that would be used by our increasingly technical warfighters. Currently this involves a rather lengthy process, as the traditional hurry-up-and-wait mentality truly applies here. However, by completely overhauling the process, the DoD hopes to have approvals completed within 30 days. This will greatly improve the material being given out to their personnel, and providing equipment that is not near end-of-life is crucial. The old process took entirely too long, so that by the time the technology was actually deployed, it was then time to put out a new bid due to the purchased product becoming obsolete. One of the positive outcomes potentially stemming from this is that more businesses are focusing on DoD-specific hardware, operating systems, and apps, improving the capabilities that are available. If you are interested in reading more on this you can do so here.


In continuing the theme of helping to streamline processes, Rapid7 announced this week the arrival of two new products to our line: ControlsInsight and UserInsight. The idea behind both products is to give you a more comprehensive vision as to what is happening in your environment from a security controls and from a user standpoint.



ControlsInsight is the first of the two products to go to market and is available for purchase now. With ControlsInsight, you can monitor how well security policies are maintained across endpoints and plan the most impactful next steps to progress your security program.


  • Automatically give a complete picture of your security controls deployment and gaps in minutes.
  • Analyze your environment using industry best practices for defending against common threats.
  • Prioritize controls to deploy for the greatest impact on making your organization more secure.
  • Provide step-by-step guidance on how to deploy each control for easy implementation.


Why should I care?

  • 80% of attacks leverage known vulnerabilities and misconfigurations (US State Department)
  • Desktops and laptops are two of the most likely assets to be compromised in an organization (Verizon DBIR)
  • 85% of intrusions could be prevented by following four mitigation steps (Australian Department of Defence)
  • 80% of companies believe laptops pose a significant security risk to their networks (Ponemon Institute)


I can already get this information in my AV console/patch/config management software…

  • Yes, some of the information in ControlsInsight can be pulled from other software, but ControlsInsight also…
      ◦ Collects the most critical endpoint controls and presents them in a single pane of glass.
      ◦ Gives you a second source of information to check the effectiveness of other tools and software, and provides visibility into unmanaged assets.
      ◦ Analyzes the information collected and provides next steps to improve endpoint security.

Security Controls Assessment

  • High-risk applications up-to-date: Adobe Flash, Adobe Reader, Java, Microsoft Office
  • Operating system up-to-date: Windows XP, Vista, 7, 8
  • Browsers up-to-date: Internet Explorer, Firefox, Chrome
  • Anti-virus deployed: McAfee, Symantec, Sophos, TrendMicro*
  • Passwords hardened
  • Browsers hardened
  • USB access blocked
  • Admin privileges limited
  • Code execution prevention deployed
  • User Access Control enabled
  • Windows firewall enabled
  • E-mail attachment filtering enabled












To learn more about ControlsInsight, or request a demo, please visit the ControlsInsight landing page here. You can also email your Account Manager or Sales Representative for more information.


UserInsight, the second of the new products, is currently in Beta and will be released in the very near future. With UserInsight you are now able to monitor user activity and threats across on-premise, cloud and mobile environments.

UserInsight addresses 3 key security challenges:

1. Visibility into user behavior across on-premise, cloud and mobile environments.
2. Focusing incident response by easily identifying users involved.
3. Detecting when a user’s credentials may have been compromised. (Compromised credentials are the source of 80% of all records stolen)

The focus on user activity differentiates UserInsight from traditional monitoring products whose effective functionality stops at the firewall. Unlike other monitoring products, UserInsight provides results with minimal maintenance and tuning. UserInsight also helps security teams control unsanctioned web services by providing visibility into which cloud services employees are using.

If you are looking for more info on this soon-to-be-released product or would like to register to participate in a limited release, you can do so here. You can also contact me directly for more information at john_schimelpfenig@rapid7.com.