
Building an Application Vulnerability Management Program, found in the SANS Institute Reading Room ( ulnerability-management-program-35297), identifies vulnerability program management as a cyclical process involving the following steps:

  • Policy
  • Discovery and Baseline
  • Prioritization
  • Shielding and Mitigation
  • Eliminating the Root Cause
  • Monitoring


While the use of Nexpose applies to several of these steps, the scope of this article is how Adaptive Security fits into your vulnerability management program. To that end we will cover monitoring.



Monitoring is the part of the vulnerability management cycle where changes and refinements are considered and adjustments are made before proceeding to the next iteration. Two critical areas of change to consider are as follows:

  • Covering gaps in your vulnerability assessments
  • Discovery of new vulnerabilities


Covering Your Blindspots

You run regular scans to discover and assess the assets connected to your network. You carefully schedule the vulnerability scans on nights and weekends to reduce the impact on your network during business hours. How will you ensure that the laptops people take home and on the road are also scanned for vulnerabilities? Adaptive Security allows you to automatically detect and scan assets that were previously connected to your network and have missed recent vulnerability scans.


There is a prerequisite for an automated action to employ the discovery trigger:


To create or manage automated actions, click the automated actions icon on the top navigation bar.


Click the NEW ACTION button to create a new action.


Select the type of trigger for your action. For this use case, we'll choose "Known asset available" to detect when assets are reconnected to the network.


Next, select the discovery connection you wish to use as the source for this trigger. We're using a DHCP dynamic discovery connection that accepts Infoblox Trinzic log entries via syslog.


Optionally specify one or more filter criteria to refine the assets to be processed. Since we want to scan returning assets that have missed recent scans, we'll select Hours Since Last Scan and enter 84 to include only assets that have not been scanned in a week. Click on the Next button to continue.


Select the action to take when the trigger is invoked. We'll use "Scan." Since this action uses the site from each asset's most recent scan, there is no need to provide any further information.


Enter a descriptive and unique name for this action and then click the Save button.


You should see your new automated action in the list. Here you may view the current state of the action and turn it on and off.


From this point forward, the automated action will scan all returning assets that have not been scanned in the last week.


Reacting to New Vulnerability Discoveries

Researchers continuously discover and publish new vulnerabilities. Quickly assessing your network’s exposure to the more critical new vulnerabilities is essential. Also, with the seemingly increasing number of high-profile breaches in the media, you need to be able to report your assessed risk to executives as soon as possible. In any case, you can reduce your risk by scanning for new, critical vulnerabilities as soon as they're published rather than waiting for the next scan window. With Adaptive Security, you can create an automated action that triggers scans for only the new vulnerabilities that meet your criteria as they are published.


Click the automated actions icon from the top navigation bar and press the NEW ACTION button. Next, select the "New vulnerability coverage available" trigger. Finally, specify a filter for refining the vulnerabilities that will be automatically scanned.



Select the "Scan for new vulnerabilities" action and then select the site to be scanned when new vulnerabilities are published.


Enter a unique, descriptive name for the action and press the SAVE button.


Your new action will be displayed in the list of automated actions. Again, you may view the action state or turn it on and off from here.


Your new action will now automatically scan the specified site for the new vulnerabilities that are published and meet your filter criteria.



Nexpose was already a major player in your vulnerability management program. Adaptive Security now makes the monitoring step possible, completing the loop.

The number one critical security control from the Center for Internet Security recommends actively managing all hardware devices on the network:


CSC 1: Inventory of Authorized and Unauthorized Devices

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.


Here are some of the reasons you should actively inventory your hardware:

  • Discover new assets that have not yet been patched
  • Detect returning hardware such as laptops that have missed previous updates
  • Identify unauthorized hardware


Whatever the scenario, you’ll want to establish your surface area in order to accurately assess your risk and remediate vulnerabilities.


Before you can track and correct assets on your network, you must first establish a method to inventory all of the assets connected to your network. Employing a DHCP dynamic discovery connection in Nexpose is a great way to determine what hardware is present on your network.


Nexpose dynamic asset discovery via DHCP parses DHCP server logs and supports two collection methods for gathering DHCP log entries:

  • Directory watcher – watches a specified directory for new and updated DHCP log files.
  • Syslog – listens on a TCP/UDP port to receive syslog messages, much like a syslog server.


Nexpose dynamic asset discovery currently supports Microsoft Server 2008 and 2012 using either directory watcher or syslog, as well as Infoblox Trinzic using syslog.


How to Create a DHCP Discovery Connection

From the Administration page, find the Discovery Options section and click the Create link next to CONNECTIONS.


Next, fill in all three tabs of the form…


From the General tab, select DHCP Service and provide the name of your discovery connection.


From the Service tab, select the event source, collection method, and engine. The source and collection method will determine what additional fields are required. In the example, using the directory watcher collection method for Windows Server mandates providing the fully qualified path to the directory where DHCP logs reside.


From the Credentials tab, provide the username and password used to access the directory.


As the DHCP server logs events, they will be parsed and imported as assets discovered by connection. Previously assessed assets that appear in DHCP logs will continue to show only as assessed. Discovered assets have not been assessed and present unknown risk to your network.



The Assessment Status chart on the Assets page gives you a clear indication of your un-assessed surface area. Additionally, the Discovered by Connection table enumerates the discovered assets that have not yet been assessed.

Rapid7 has made it a priority to support security industry standards, including the Open Vulnerability and Assessment Language (OVAL).  Those of you who use Nexpose to measure policy compliance, either by using the built-in CIS, DISA, and USGCB policies, or by writing your own custom policies, are using OVAL for these policies.


A decision by the National Institute of Standards and Technology (NIST) has made it necessary for us to make changes in our OVAL implementation.  These changes affect policies written for Microsoft Windows systems.  Previously, Nexpose would convert case-sensitive comparators for certain objects and states to case-insensitive comparators, in order to support the case-insensitive behaviour of Windows.  This was a convenient function when uploading third-party policies, which would sometimes be written with default case-sensitive comparators, leading to false positives.


In order to comply with NIST's requirements for OVAL, it will now be necessary to honour the comparators exactly as written, meaning that comparators will now default to being case-sensitive on Windows systems.  This will not have any effect on policies that have already been imported into Nexpose, nor will it have any effect on the current set of built-in policies.


However, this change will affect:


1) Newly uploaded custom policies

2) Custom policies created by copying built-in content

3) Custom policies created by copying previously uploaded custom policies


As an example, consider the following registry object:


<registry_object xmlns="" id="oval:nist.validation.winRegistry:obj:19" version="1">
    <name operation="equals">vQwordLE</name>
</registry_object>


The name element in that object has an 'operation = "equals"' attribute.  Previously, this attribute would have been automatically converted to be 'operation = "case insensitive equals"'.  With the new change, this will no longer be the case: there will be no conversion, and the attribute will remain as 'operation = "equals"'.  This is also the default behaviour: when no operation is specified, the operation will be "equals".


As a result, a policy rule that would have passed regardless of whether the name field in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSMQ\SCAP_Validation_Test\win_reg\exists were "vqwordle", or "VQWORDLE", or "vQwordLE", will now only pass when the value in the name field is exactly "vQwordLE".


To change the behaviour of the object to match its previous behaviour, you would need to change:


<name operation="equals">vQwordLE</name>


to be:


<name operation="case insensitive equals">vQwordLE</name>


The following objects and states will be affected by this change:

  • accesstoken_object, accesstoken_state
  • environmentvariable_object, environmentvariable_state
  • environmentvariable58_object, environmentvariable58_state
  • fileauditedpermissions_object, fileauditedpermissions_state
  • fileauditedpermissions53_object, fileauditedpermissions53_state
  • fileeffectiverights_object, fileeffectiverights_state
  • fileeffectiverights53_object, fileeffectiverights53_state
  • file_object, file_state
  • group_object, group_state
  • registry_object, registry_state
  • sid_sid_object, sid_sid_state
  • sid_object, sid_state
  • user_object, user_state


Depending on your requirements, you may need to rewrite your custom policies to reflect these changes.  It will also be necessary to evaluate the functionality of any new policies that you create by copying previously imported policies.  We regret that this change might be disruptive, but it is necessary to ensure full compatibility with industry security standards.
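To see what the change means for a custom policy, here is an added Python example (not Rapid7's code) that evaluates the two comparators and audits an OVAL document for children of the affected objects and states that still rely on the explicit or default "equals" operation, with an option to rewrite them to "case insensitive equals". The OVAL fragment and its namespace URI are constructed for the demo, and the hive element is skipped on the assumption that only free-text string entities take case-insensitive operations.

```python
# Added example (not Rapid7's code): audit OVAL Windows objects/states for
# comparators whose behaviour changes once "equals" is no longer promoted
# to "case insensitive equals".
import xml.etree.ElementTree as ET

# Object/state families listed in the post as affected by the change.
_AFFECTED_BASES = (
    "accesstoken", "environmentvariable", "environmentvariable58",
    "fileauditedpermissions", "fileauditedpermissions53",
    "fileeffectiverights", "fileeffectiverights53", "file", "group",
    "registry", "sid_sid", "sid", "user",
)
AFFECTED = {f"{base}_{kind}" for base in _AFFECTED_BASES
            for kind in ("object", "state")}

CASE_SENSITIVE = "equals"                      # OVAL default when omitted
CASE_INSENSITIVE = "case insensitive equals"

# Children that carry no free-text string to compare (assumption: 'behaviors'
# has no text and 'hive' is an enumeration of HKEY_* values).
_SKIP_CHILDREN = {"behaviors", "hive"}


def compare(expected, actual, operation=CASE_SENSITIVE):
    """Evaluate the two string operations the post contrasts."""
    if operation == CASE_SENSITIVE:
        return expected == actual
    if operation == CASE_INSENSITIVE:
        return expected.casefold() == actual.casefold()
    raise ValueError(f"unsupported operation: {operation}")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _case_sensitive_children(root):
    """Yield (element, child) pairs inside affected objects/states whose
    comparator is the explicit or default case-sensitive 'equals'."""
    for elem in root.iter():
        if _local(elem.tag) not in AFFECTED:
            continue
        for child in elem:
            if _local(child.tag) in _SKIP_CHILDREN or not (child.text or "").strip():
                continue
            if child.get("operation", CASE_SENSITIVE) == CASE_SENSITIVE:
                yield elem, child


def find_case_sensitive_comparators(xml_text):
    """Return (element id, child name, value) for every comparator that
    will now match case-sensitively on Windows."""
    root = ET.fromstring(xml_text)
    return [(elem.get("id"), _local(child.tag), child.text.strip())
            for elem, child in _case_sensitive_children(root)]


def relax_to_case_insensitive(xml_text):
    """Rewrite those comparators to 'case insensitive equals', restoring the
    pre-change behaviour. Returns (new_xml, number_of_changes)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for _elem, child in list(_case_sensitive_children(root)):
        child.set("operation", CASE_INSENSITIVE)
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample: a registry object modelled on the post's example plus a
# file object; the namespace URI is a placeholder, not the real OVAL one.
SAMPLE_OVAL = r"""<oval_definitions xmlns="urn:example:oval-demo">
  <objects>
    <registry_object id="oval:demo:obj:1" version="1">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Demo\SCAP_Test</key>
      <name operation="equals">vQwordLE</name>
    </registry_object>
    <file_object id="oval:demo:obj:2" version="1">
      <path operation="case insensitive equals">C:\Windows</path>
      <filename>notepad.exe</filename>
    </file_object>
  </objects>
</oval_definitions>"""

if __name__ == "__main__":
    for obj_id, field, value in find_case_sensitive_comparators(SAMPLE_OVAL):
        print(f"{obj_id}: <{field}> '{value}' now matches case-sensitively")
    fixed_xml, count = relax_to_case_insensitive(SAMPLE_OVAL)
    print(f"rewrote {count} comparator(s)")
    # The post's point in one line: same value, different comparator, different result.
    print(compare("vQwordLE", "VQWORDLE"), compare("vQwordLE", "VQWORDLE", CASE_INSENSITIVE))
```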


Update Tuesday, November 2015

Posted by anowak, Nov 10, 2015

November sees a mix of remote code execution and elevation of privilege vulnerabilities enabling an attacker to gain the same rights as the user when the victim opens specially crafted content, such as a webpage, journal file or document containing embedded fonts. These vulnerabilities affect Internet Explorer (7 and onwards), Edge, and Windows (Vista and onwards).  It is advisable for users and administrators to patch the affected platforms.


Microsoft includes 12 security bulletins, a third of them rated as critical, resolving a total of 49 vulnerabilities. All of the critical bulletins (MS15-112, MS15-113, MS15-114, MS15-115) are remote code execution issues affecting a variety of products and platforms including Edge, Internet Explorer, Lync, Office, Office for Mac, Office Web Apps, Skype for Business, SharePoint Server and all supported releases of Microsoft Windows.


MS15-112 is the bulletin to watch out for this month: it addresses 25 vulnerabilities. It is rated Critical for Internet Explorer 7 - 11 on Windows clients and Moderate on Windows servers. Microsoft's update addresses the vulnerabilities by resolving underlying issues with how objects are handled in memory for JScript and VBScript, properly re-implementing the ASLR security feature and adding additional permissions to Internet Explorer.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as the user. Your best protection against these threats is to patch as quickly as possible.


Resolved Vulnerability Reference:


Increasing Risk Visibility

Posted by anowak, Oct 29, 2015

We at Rapid7 are committed to providing our customers with the best, most accurate vulnerability detection and remediation information. To better serve you, starting October 28th, 2015, Rapid7 will begin generating content for Nexpose in a way that will provide greater visibility into risk. This change will start with content generated for Adobe, Debian and Ubuntu and eventually all supported platforms will transition to this approach. For the end user the benefit is more accurate representation of risk and better data to prioritize remediation steps.

As a customer you may be asking, how will this change impact me? Under the historical approach vulnerability results are from the perspective of the Vendor, via their advisory, which may contain one or more vulnerabilities. Unfortunately this masked actual risk in a way that was not anticipated. As an example taken from an Ubuntu advisory, USN-2735-1, you will notice this one advisory addresses 8 vulnerabilities (CVE-2015-1291, CVE-2015-1292, CVE-2015-1293, CVE-2015-1294, CVE-2015-1299, CVE-2015-1300, CVE-2015-1301, CVE-2015-1332).

Historically we would have taken the highest CVSSv2 score out of those 8 (which in this case is a 7.5) and reported this as one vulnerability with that score. Going forward, Nexpose will report the score per vulnerability giving you greater visibility into the risk within your environment through an increase in the detail of vulnerability results.

We will publish a supplementary blog post for each platform that moves to the vulnerability-centric approach.

Rapid7’s Vulnerability Management and User Behavior Analytics solutions, Nexpose and UserInsight, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.


Nexpose proactively identifies & prioritizes weak points on your network, while UserInsight helps detect stealthy attacks with behavior analytics, investigate security incidents faster with user context, and expose risky internal behavior from endpoint to cloud. Let’s look at two specific benefits: (1) user context for your vulnerabilities, and (2) automatic security detection for your critical assets.




User Context for Your Vulnerabilities

UserInsight integrates with your existing network & security infrastructure to automatically baseline your users’ activity. By correlating all activity to the users behind it, you’re alerted to attacks that often go unnoticed, such as compromised credentials and lateral movement.


When UserInsight ingests the results of your Nexpose vulnerability scans, they are also added to each user’s profile. By simply searching for an employee name, asset, or IP address, you get a complete look at their activity:




How this saves you time:

  • Immediately see who is affected by what vulnerability – this helps you get buy in to remediate a vulnerability by putting a face and context on a vulnerability (“The CFO has this vulnerability on their laptop – we must remediate immediately so they don’t get phished.”)
  • Have instant context on the user behind the asset, so you can assess whether a particular piece of malware that exploits a particular vulnerability could have been successful
  • Proactively bolster and check risk surface – verify key players are not vulnerable


Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical by factors such as being in the IP range of the DMZ or containing a particular software package/service unique to domain controllers. Critical asset tags can be synced with UserInsight, where they show up as restricted assets.


Some examples of critical asset alerts:

  • First authentication from an unfamiliar source asset: If there’s an unfamiliar attempt to authenticate to a restricted asset, you’ll receive an alert.
  • An unauthorized user attempts to log in: This can include a contractor or compromised employee attempting to access a financial server.
  • A unique or malicious process hash is run on the asset: UserInsight uses an agentless endpoint monitor to identify every process run on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
  • Lateral movement (both local and domain): Once inside your organization’s network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
  • Endpoint log deletion: After compromising an organization’s asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
  • Anomalous administrative activity, including privilege escalation exploits: Once gaining access to an asset or endpoint, attackers will use privilege escalation exploits to gain administrative access, allowing them to take next steps such as password hash scraping. We identify and alert on anomalous administrative activity across your network ecosystem.


As Nexpose identifies critical or vulnerable assets, UserInsight automatically adjusts its detection thresholds to alert you about things you’ll want to know about.




Configuring the UserInsight-Nexpose Integration

If you have Nexpose & UserInsight, setting up the Event Source is easy.

  1. In Nexpose, set up a Global Admin
  2. In UserInsight, click on the Collectors tab -> Rapid7 -> “Add event source”
  3. Add the information about the Nexpose Console (Server IP & Port)
  4. Add the credentials of the newly created Global Admin


And you’re all set! If you have any questions, contact your QuickStart Manager or Support. Don’t have UserInsight and want to learn about User & Entity Behavior Analytics? Get the Gartner Market Guide for UEBA here.

With the release of Nexpose 5.17, customers were enabled to easily gain an outsider’s view of their internet-facing assets.  This capability was made possible through integration with Rapid7 Labs’ Project Sonar.


What is Project Sonar?


Project Sonar is a community effort to improve security through the active analysis of public networks. This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the information security community. Sonar regularly ‘scans the internet’, and the gathered data is archived and made publicly available in cooperation with the University of Michigan.


Integration with Nexpose

When designing the integration with Project Sonar, we spent a lot of time determining the ‘best fit’ for a seamless integration into the Nexpose workflow. We wanted to make it both easy and intuitive to retrieve and view data from this new external data source.


Connecting to Sonar

Working with Rapid7 Labs engineers, we were able to create an ‘always there’, trusted connection to Sonar based on the user’s Nexpose license.  A properly licensed Nexpose console install (with internet access) would be able to automatically authenticate with and connect to the Sonar service.  No action is required from the user.


We wanted the user to be able to confirm this connection was active.   Since Sonar represents a new way for the user to discover assets, showing the connection in the ‘Discovery Connections’ listing was a natural fit.


*note: Since the Sonar connection is always available, edit and delete have been disabled.  If your console is not licensed or cannot reach the internet, the Sonar connection will not exist in this table.


Asset Data

When determining how to organize and present Sonar gathered data, we considered that Nexpose assets are divided into 3 categories:

  • Discovered by Connection: Assets that have been discovered from an external connection (i.e. DHCP). Very little is known about these assets other than their hostname and IP address.
  • Discovered by Scan: This category holds assets that have been scanned in some way (i.e. discovery scanned) so that more catalog information is known about the asset.
  • Assessed: To be categorized as assessed, an asset has been scanned by Nexpose and evaluated for vulnerabilities or policy (i.e. a full audit scan).


Sonar data fits best into the ‘Discovered by Scan’ state, as there is a variety of asset information cataloged, but it does not contain vulnerability and policy data that would be gathered and evaluated during a typical Nexpose scan.


On the Nexpose assets page, imported Sonar assets will be found in the ‘scanned’ asset listing. The ‘assessed’ column will say ‘no’.




Retrieving Data from Sonar

Sonar ‘scans the internet’, so it contains a huge dataset with varying degrees of freshness. We could not automatically collect data without user input; in the simplest case, a target ‘search domain’ is required. We already had a mechanism in place for specifying a set of filters to be applied to a connection from which assets could be pulled. When creating a site, the user is given several options to specify which assets to scan. One of those options is via discovery connection, and discovery connections allow the user to create filters.


This is how you bring in assets from Sonar. Create a site and select 'specify assets by connection.' The Sonar connection will be in the dropdown list (again, only on a properly licensed console with an internet connection). Add a search domain on which to filter and click the 'filter' button to see a listing of assets that would be brought into Nexpose when that site is saved and scanned. A 10,000 asset limit was imposed for a given Sonar site to help the user avoid retrieving more assets than expected. Remember, Sonar's dataset is the internet.


A Note on 'scanning' a site based on a Sonar connection


When a Sonar site is 'scanned', what is actually happening is that we retrieve the most current asset data archived in the Sonar dataset. Project Sonar has done the actual exploratory scan of the asset at different times as it works its way through scanning the internet.


'Scanning' a Sonar site *does not* perform a Nexpose assessment of those assets; it simply retrieves archived scan data from Sonar. (Note: the 'last scan' date in the asset listing will show the last time the asset was seen by Sonar, not the last time a Sonar data retrieval was performed.) We realize this will create some confusion for users who would like to perform a full-audit scan of their discovered externally facing assets.


Think of a Sonar scan as a discovery scan that retrieves a larger set of data per asset. It does not assess for vulnerabilities or policy, but it does find relevant assets and IP addresses that the user might want to audit more carefully. To audit assets discovered by the Sonar site, the user will need to create an Asset Group (dynamic or static) containing the assets desired for a full audit. That asset group can then be scanned by Nexpose in the traditional way.



What is Next?

We are reaching out and listening to users to discover how they would like us to evolve this functionality.  We are planning to add more complex filtering to the initial import of Sonar data.  A big example of this is filtering by last Sonar scan date.  The Sonar project does not currently age out asset information.  We want to give users the ability to say "I only want to retrieve assets that have been seen by Sonar within the last X days".


Additionally, we're thinking about alleviating the extra steps required to perform a Nexpose scan of assets imported from Project Sonar.  We want to make this process as easy as possible while making sure users don't full-audit scan unintentionally large datasets (or assets that they don't own).


From the Engineers

We hope our community is excited to have yet another method for discovering their full surface area and for this unique 'outsider's' view of their internet presence.  We are actively working with customers, project management, and other stakeholders to make sure Project Sonar integration is a valuable and seamless addition to the Nexpose product.

Over the last couple of years, some of the most serious and widely publicized vulnerabilities have been related to the Transport Layer Security (TLS) protocol and its predecessor, Secure Sockets Layer (SSL). Because TLS is so fundamental to keeping network communications secure, new flaws that are discovered can have a disproportionate effect on an organization's risk.


From Heartbleed to POODLE, FREAK to Logjam, system administrators dread the next vulnerability announcement with a catchy name or custom designed logo that will require patching and/or reconfiguring any services using TLS. The October 14th release of Nexpose (6.0.2) contains a number of improvements related to TLS that will make it easier for administrators to track which versions of the protocols are supported by assets, along with which cipher suites are enabled. We've also broken up our weak cipher vulnerability into multiple vulnerabilities to make it clearer why particular cipher suites are flagged as insecure. (Note that we will continue to ship the old ssl-weak-ciphers vulnerability alongside the new ones for a period of time to give customers who typically do content-only updates a chance to get the required product changes without losing coverage.)


Cipher Suite Enumeration


The most significant enhancement with this release is that Nexpose now enumerates the protocol versions (SSLv2 and v3, TLS v1.0, v1.1 and v1.2) and associated cipher suites for each TLS endpoint that gets scanned. This information is stored in the service configuration, accessible by clicking on the Service Name under the SERVICES section of an asset's page:


Click on the Service Name to see catalogued settings related to the service


A number of new configuration settings are available:


Configuration settings related to the service


The new ssl.protocols configuration setting is a comma-delimited list of protocol versions supported by the endpoint. As a convenience, the sslv3, tlsv1_0, tlsv1_1, and tlsv1_2 settings contain "true" if that protocol is supported, or "false" if Nexpose was unable to connect via that version. In this case, we can see that only SSLv3 is supported. The sslv3.ciphers setting is a comma-delimited list of cipher suites available when using SSLv3 to connect to the service. There are also dh.keysize settings indicating the size of the key used by cipher suites that use Diffie-Hellman key exchange.

Exporting Cipher Suite Data


Although having all the cipher suites in the service configuration is convenient for taking a quick look at how a service is configured, it does not lend itself well to bulk or offline analysis. To facilitate this, the data can be exported as a SQL Query Export with a row per cipher suite. This is done by going to the Reports tab, choosing Create a Report, giving it a name (here "ciphersuite export"), choosing the Export tab and then the SQL Query Export template:



Select the SQL Query Export template under the "Export" report type


Next, define the query that will expand the comma-delimited list into individual rows:



The SQL query


The query:

SELECT ds.name AS site_name, da.ip_address, da.host_name, dos.asset_type, dasc.port,
       split_part(dasc.name, '.', 1) protocol_version,
       unnest(string_to_array(dasc.value, ',')) cipher_suite
FROM dim_asset da
   JOIN dim_operating_system dos USING (operating_system_id)
   JOIN dim_host_type dht USING (host_type_id)
   JOIN dim_asset_service_configuration dasc USING (asset_id)
   JOIN dim_site_asset dsa USING (asset_id)
   JOIN dim_site ds USING (site_id)
WHERE dasc.name ILIKE 'sslv2.ciphers'
   OR dasc.name ILIKE 'sslv3.ciphers'
   OR dasc.name ILIKE 'tlsv1_0.ciphers'
   OR dasc.name ILIKE 'tlsv1_1.ciphers'
   OR dasc.name ILIKE 'tlsv1_2.ciphers'


will convert the comma-separated list into an array ("string_to_array") and then expand it into a row per cipher suite ("unnest").


Now, select the site and scan of interest, then save and run the report:


Select a site and scan, then save and run the report


Once the report has finished, you can download it as a CSV file containing rows with the site name, host name, IP address, protocol version and cipher suite:



Cipher suite breakdown by asset and protocol version


New Weak Cipher Checks


In addition to the cipher suite enumeration, we have also changed how our vulnerability checks for ciphers are performed. Our old vulnerability checks each connected to the server and requested SSL/TLS handshakes using the vulnerable ciphers. This meant that it was possible for multiple handshakes to be performed with the same cipher if the cipher was listed in multiple vulnerabilities. This led to unnecessary requests to the scan target. With the new cipher enumeration, we are performing the vulnerability checks against the configuration settings of the scan target, without performing any additional requests. This results in better, scalable vulnerability checks.


We have also expanded our three previous vulnerability checks into seven new checks.  This allows more direct explanations as to why a cipher is weak and vulnerable. To accommodate customers who will only perform content updates this release, we are shipping the new vulnerability checks alongside the old checks. This is just for a transition period and it is recommended to update Nexpose to prevent loss of coverage when the old checks are deprecated.


The seven vulnerabilities are:

  1. ssl-anon-ciphers: The server is configured to support anonymous cipher suites with no key authentication. These ciphers are highly vulnerable to man-in-the-middle attacks.
  2. ssl-cbc-ciphers: The server is configured to support Cipher Block Chaining (CBC) ciphers. These ciphers have problems with the way TLS implements CBC mode and can be vulnerable to multiple attacks. Known attacks include the "BEAST" attack (CVE-2011-3389) and the "Lucky Thirteen" (CVE-2013-0169).
  3. ssl-des-ciphers: Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA are no longer recommended for general use in TLS, and have been removed from TLS version 1.2.
  4. ssl-export-ciphers: The TLS/SSL server supports export cipher suites, intentionally crippled to conform to US export laws. Symmetric ciphers used in export cipher suites typically do not exceed 56 bits.
  5. ssl-null-ciphers: The TLS/SSL server supports null cipher suites. Null cipher suites do not provide any data encryption and/or data integrity.
  6. ssl-rsa-export-ciphers: The TLS/SSL server supports RSA-based cipher suites intentionally weakened due to export control regulations. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data against clients susceptible to the FREAK vulnerability. These cipher suites can typically be identified by the word "EXP" or "EXPORT" in their name.
  7. rc4-cve-2013-2566: Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. As a result, RC4 can no longer be seen as providing a sufficient level of security for SSL/TLS sessions. It has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
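As an added example (my own code, not Nexpose's check logic), the following Python classifies IANA-style cipher suite names into the seven checks listed above, so that a report can say per check which offered suites produced the finding. The suite names are constructed sample input, the string patterns are my assumptions about how each category appears in an IANA suite name, and 3DES is deliberately not matched by ssl-des-ciphers because the check text names only DES and IDEA.

```python
import re

# One predicate per check named in the post, keyed by the check id. A suite can trip
# several checks (an RSA export RC4 suite trips three), which is the point of splitting
# the old generic check: each finding explains one specific weakness.
CHECKS = [
    ("ssl-anon-ciphers",       lambda s: "_anon_" in s),                   # DH_anon / ECDH_anon: no key authentication
    ("ssl-cbc-ciphers",        lambda s: "_CBC_" in s),                    # TLS CBC mode issues (BEAST, Lucky Thirteen)
    ("ssl-des-ciphers",        lambda s: re.search(r"_WITH_(DES|DES40|IDEA)_", s) is not None),  # single DES / IDEA, not 3DES
    ("ssl-export-ciphers",     lambda s: "_EXPORT" in s),                  # 40/56-bit export-grade suites
    ("ssl-null-ciphers",       lambda s: "_WITH_NULL_" in s),              # no encryption at all
    ("ssl-rsa-export-ciphers", lambda s: s.startswith("TLS_RSA_EXPORT")),  # RSA key-exchange export suites (FREAK)
    ("rc4-cve-2013-2566",      lambda s: "_RC4_" in s),                    # RC4 keystream biases
]

# Constructed list of suites a misconfigured server might offer; not taken from any real host.
SAMPLE_OFFERED = [
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def classify(suite):
    """Return the check ids (in CHECKS order) that flag this suite; empty if it is clean."""
    return [name for name, pred in CHECKS if pred(suite)]


def audit(suites):
    """Group offered suites by the check they trip, omitting checks nothing tripped.

    This is the per-check explanation the post describes: instead of one generic
    'weak ciphers' finding you get, e.g., ssl-null-ciphers -> [TLS_RSA_WITH_NULL_SHA].
    """
    findings = {name: [] for name, _ in CHECKS}
    for suite in suites:
        for name in classify(suite):
            findings[name].append(suite)
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_OFFERED).items():
        print(f"{check}: {', '.join(hits)}")
```

A suite that trips no check (here the ECDHE/AES-GCM suite) is simply absent from the report, and the only AES-CBC suite in the list still shows up under ssl-cbc-ciphers, which is the check you would expect to generate the most discussion when tuning a policy.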


Note that ssl-rsa-export-ciphers and rc4-cve-2013-2566 already exist in Nexpose. The more generic ssl-weak-ciphers vulnerability will be deprecated in an upcoming release.



Along with all these additions, this release fixes various outstanding issues with Nexpose's TLS coverage. These changes also lay the groundwork for further TLS improvements, coming soon!


Update Tuesday, October 2015

Posted by anowak Employee Oct 13, 2015

This month is dominated by remote code execution vulnerabilities that can enable information disclosure if a user opens or visits specially crafted content. The vulnerabilities affect Internet Explorer, Edge, Windows Shell and Microsoft Office. Users and administrators are advised to patch the affected platforms.


Microsoft's release includes 6 security bulletins, half of which are rated critical, resolving a total of 19 vulnerabilities. All of the critical bulletins (MS15-106, MS15-108, MS15-109) are remote code execution issues affecting Internet Explorer, Edge, the VBScript and JScript engines, Windows Shell, Office, Office Services and Apps, as well as Microsoft Server Software.


MS15-106 is the bulletin to watch out for this month. It is rated Critical for Internet Explorer 7 - 11 on Windows clients and Moderate for Internet Explorer 7 - 11 on Windows servers. If a user views a maliciously crafted webpage using Internet Explorer, an attacker could gain the same rights as the current user. Users with administrative rights should take particular care.


Users should always be wary of untrusted sources as maliciously crafted content could disclose personal/sensitive information. Your best protection against these threats is to patch as quickly as possible.




Adaptive Security is a new feature released in Nexpose 6.0 that dynamically collects and analyzes important network changes with minimal configuration needed from the user. It allows you to create workflows called automated actions that automatically respond to various events occurring in your environment. For further explanation, please read the Adaptive Security Overview.


Triggers and Actions

Currently Adaptive Security offers 3 triggers:

  • New coverage available
  • New asset discovered
  • Known asset available


Each trigger is accompanied by an action that handles the events the trigger initiates within a workflow. The following summarizes all three triggers and their available actions:


  • Trigger: New coverage available (configuration parameters: filter by CVSS score, risk, or severity). Initiates the workflow once new vulnerability coverage is detected that meets the criteria defined by the filters.
    • Action: Scan for new vulnerabilities (parameter: an existing Nexpose site). The detected vulnerability is scanned within the selected site.

  • Trigger: New asset discovered (configuration parameter: a discovery connection). Initiates the workflow once a new asset is discovered from the selected discovery connection. An asset is considered new if Nexpose has never seen the hostname of the discovered asset before.
    • Action: Add to site and scan (parameter: an existing Nexpose site). The detected asset is added to the selected site and scanned.
    • Action: Add to site (parameter: an existing Nexpose site). The detected asset is added to the selected site.

  • Trigger: Known asset available (configuration parameter: a discovery connection). Initiates the workflow once a known asset is discovered from the selected discovery connection. An asset is considered known if Nexpose has seen the hostname of the discovered asset before.
    • Action: Add to site and scan (parameter: an existing Nexpose site). The detected asset is added to the selected site and scanned.
    • Action: Add to site (parameter: an existing Nexpose site). The detected asset is added to the selected site.
    • Action: Tag (parameter: one or more Nexpose tags). The detected asset is tagged with the selected tags.
    • Action: Scan (no parameters). The detected asset is scanned with the scan template of the site in which the asset is located.


Let's configure an Automated Action

Let's configure an Automated Action that will initiate a scan when new coverage becomes available that meets certain criteria. In this example, we want to initiate a scan of a specific site when new coverage with a risk score of 4 or higher becomes available.


To configure the Automated Action, we will use the Automated Actions widget, located in the top right corner of the Nexpose user interface (marked with a red square in screenshot 1):


[Screenshot 1: the Automated Actions widget (red square) and the NEW ACTION button (green rectangle)]


To create a new Automated Action with "New coverage available" as the trigger and "Scan for new vulnerabilities" as the action:

     1. Click the "NEW ACTION" button marked with a green rectangle in screenshot 1.

     2. In the drop-down menu marked "TRIGGER", select "New coverage available".

     3. In the "Filter By" drop-down menu, pick a criterion, e.g. "Risk Score".

     4. Enter a valid value in the text box; for example, 4 is a valid value because the range for "Risk Score" is 0-1000.

     5. Once a valid value is entered in the text box, the "NEXT" button becomes enabled; click it to move on to the action selections.

     6. Choose "Scan for new vulnerabilities" from the "ACTION" drop-down menu.

     7. Once the "Scan for new vulnerabilities" action is chosen, the site selection drop-down appears; choose the desired site and click the "NEXT" button.

     8. A text box appears for the name of the action; name the action and click the "SAVE" button.
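To make the trigger/action summary and the configuration steps above concrete, here is an added Python simulation of how an automated-action engine evaluates events. It is my own illustration, not Nexpose code and not its API: it validates a configuration the way the UI constrains it (an action must belong to its trigger, the Risk Score filter is 0-1000), applies the filter threshold for "New coverage available", and decides "known" versus "new" by whether a hostname has been seen before. The event dictionaries, the field names cvss/risk/severity, and the sample sites and hostnames are assumptions made for the example.

```python
from dataclasses import dataclass

# Which actions each trigger offers, taken from the trigger/action summary in the post.
ACTIONS_BY_TRIGGER = {
    "New coverage available": {"Scan for new vulnerabilities"},
    "New asset discovered": {"Add to site and scan", "Add to site"},
    "Known asset available": {"Add to site and scan", "Add to site", "Tag", "Scan"},
}
# Assumed filter fields and ranges; the post only states that Risk Score is 0-1000.
FILTER_RANGES = {"cvss": (0.0, 10.0), "risk": (0, 1000), "severity": (0, 10)}
SITE_BOUND_ACTIONS = {"Scan for new vulnerabilities", "Add to site and scan", "Add to site"}


@dataclass
class AutomatedAction:
    name: str
    trigger: str
    action: str
    site: str = None        # required for site-bound actions
    filter_by: str = None   # "cvss" | "risk" | "severity" (New coverage available only)
    minimum: float = None   # threshold the new coverage must meet or exceed
    tags: tuple = ()        # for the Tag action
    enabled: bool = True    # stays enabled until someone turns it off or deletes it


def validate(a):
    """Reject configurations the UI would not let you save; return the action otherwise."""
    if a.action not in ACTIONS_BY_TRIGGER.get(a.trigger, ()):
        raise ValueError(f"{a.action!r} is not available for trigger {a.trigger!r}")
    if a.trigger == "New coverage available":
        if a.filter_by not in FILTER_RANGES:
            raise ValueError(f"unknown filter field {a.filter_by!r}")
        lo, hi = FILTER_RANGES[a.filter_by]
        if a.minimum is None or not lo <= a.minimum <= hi:
            raise ValueError(f"{a.filter_by} filter value must be in [{lo}, {hi}]")
    if a.action in SITE_BOUND_ACTIONS and not a.site:
        raise ValueError(f"{a.action!r} needs an existing site")
    if a.action == "Tag" and not a.tags:
        raise ValueError("Tag action needs at least one tag")
    return a


class Engine:
    """Dispatches events to the enabled automated actions whose trigger matches."""

    def __init__(self, actions, known_hostnames=()):
        self.actions = [validate(a) for a in actions]
        self.known = set(known_hostnames)  # hostnames Nexpose has seen before
        self.dispatched = []               # (action name, action, target, site)

    def on_new_coverage(self, vuln):
        """vuln is a dict with an 'id' plus numeric filter fields, e.g. {'id': ..., 'risk': 750}."""
        for a in self.actions:
            if (a.enabled and a.trigger == "New coverage available"
                    and vuln.get(a.filter_by, 0) >= a.minimum):
                self.dispatched.append((a.name, a.action, vuln["id"], a.site))

    def on_asset_discovered(self, hostname):
        """A discovery connection reported a hostname; known vs new depends on prior sightings."""
        trigger = "Known asset available" if hostname in self.known else "New asset discovered"
        self.known.add(hostname)  # from now on this hostname is a known asset
        for a in self.actions:
            if a.enabled and a.trigger == trigger:
                self.dispatched.append((a.name, a.action, hostname, a.site))
        return trigger


def run_demo():
    """Replays a few constructed events and returns what got dispatched, in order."""
    actions = [
        AutomatedAction("Scan risky coverage", "New coverage available",
                        "Scan for new vulnerabilities", site="Corporate", filter_by="risk", minimum=4),
        AutomatedAction("Onboard unknown hosts", "New asset discovered",
                        "Add to site and scan", site="Quarantine"),
        AutomatedAction("Rescan returning laptops", "Known asset available", "Scan"),
    ]
    engine = Engine(actions, known_hostnames={"laptop-42"})
    engine.on_new_coverage({"id": "vuln-low", "risk": 2})     # below the threshold: nothing fires
    engine.on_new_coverage({"id": "vuln-high", "risk": 750})  # meets it: site scan kicks off
    engine.on_asset_discovered("laptop-42")   # seen before  -> Known asset available
    engine.on_asset_discovered("printer-9")   # never seen   -> New asset discovered
    engine.on_asset_discovered("printer-9")   # now known    -> Known asset available
    return engine.dispatched


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

The second sighting of printer-9 is the case worth noticing: the same discovery event now lands on the "Known asset available" action instead of the onboarding one, because the engine remembers hostnames it has processed, exactly as the summary's definition of a known asset implies.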


Overview of the UI with the step numbers from above marked on screenshot 2:

[Screenshot 2: the Automated Action configuration dialog with steps 1-8 marked]


Once the Automated Action is configured and saved, the trigger simply waits for the respective event to occur in order to kick off the action. The Automated Action stays enabled until you turn it off or delete it manually; currently, no process can turn off or delete an Automated Action automatically.


As we continue to develop Adaptive Security, we will be adding additional filters and actions in order to provide better surface area coverage for your needs.


Now, please go ahead and play with this new feature and have fun. As always, we are here to listen to any feedback you wish to give.

In Nexpose 6, we are introducing Adaptive Security, a smarter way to automate actions taken based on security incidents as they occur in your environment. The ultimate goal is to give back to security teams the time spent configuring tools to respond to a threat and automating the tedious and repetitive tasks taken to understand changes in the asset inventory and the threat landscape.


With Adaptive Security, you can create workflows called automated actions that respond to new and existing assets coming online, to assets that are missed in scan windows, and, more importantly, let you instantly understand the surface area of a critical threat that is adding risk to the environment. Imagine a world where you know exactly which assets are affected by a recently published zero-day vulnerability. A world where your team has answers to questions like "How is the new celebrity zero-day vulnerability affecting our environment?" or "What risk does an unauthorized asset add to our security program?" as soon as the vulnerability is found or the device comes online. Today, with Adaptive Security, you no longer need to imagine that world. It is a reality: security teams now have the ability to work smarter and faster, take action in an automated way, and focus on strategies to address risk rather than on finding it.


One of the more powerful aspects of this new feature is that it is highly configurable. Security teams can eliminate the noise generated by continuous monitoring alone and create filters and rules that react intelligently to threats and asset discovery in a way that makes sense for, and meets the particular needs of, each customer environment the security team manages. Not all findings or threats are born equal, and they should be treated and addressed in the context they live in.


Adaptive Security brings in a set of triggers that kick off automated actions. Different actions are available depending on the selected trigger, letting users easily customize the response to a change in the environment or the threat landscape, for example by filtering the scope of the action or the area of the environment that needs to be addressed. The possibilities this feature opens up for efficiency and productivity are enormous and will make using Nexpose even more enjoyable and useful than before.


We look forward to hearing from you: new triggers and actions will be added, and existing ones refined, based on your feedback. Please check out our introductory video: Meet your newest asset: Adaptive Security


My name is JF Boisvert - NEXPOSE Senior UX Architect. In this role, I see opportunities every day to improve our user flows, visual design, and customer usage.

I am excited to share with you valuable insights into the NEXPOSE 6 product development process, and how we are making a better, more usable product.



With NEXPOSE 6, we are laying a new foundation which will percolate across all of our product line to eventually unify the look, experience, and interactions our customers will experience.


By using NEXPOSE as the foundation for the new look and feel, we are:

  • Moving towards standardized interface guidelines
  • Creating reusable interface artifacts
  • Improving our development velocity
  • And producing consistent user experiences.

In less than a few months, Engineering, Product Management, Product Marketing, and UX came together to bring dramatic user experience changes to NEXPOSE 6.


Why did we change the interface in the first place?

  • First off, NEXPOSE 5x was due for a major makeover.
  • We wanted to modernize the application and create a common design language for all of our Rapid7 products.
  • We also wanted to remove clutter and noise, with a strong emphasis on readability.


What are the steps involved in creating amazing user experiences?

  • UX Discovery
    • First we look at the customer problem.
    • Talk to users via discovery calls.
    • Identify their needs, pain points, and contextual limits.
    • We survey their technical environments to understand what is possible.
    • We work in concert with Engineering, Product Marketing, and Product Management leads to understand all the elements involved in creating a world class solution.


  • UX Solutions
    • Once we have a clear understanding of all the above parameters we:
      • Create user flows to understand how the experience will unfold.
      • Define access points for the experience.
      • Create wireframes describing the interface.
      • Create interactive prototypes to uncover any flaws and to explain how it will work to our partners.
      • Create high-fidelity visual design artifacts.
      • Validate the proposed solutions with customers, using live interviews and prototypes.
      • Make appropriate edits and revisions.
      • Socialize our learnings with all parties involved.
      • Create final design specifications.
      • And proceed towards implementation support.



If you’re familiar with NEXPOSE or have been using it over the past 5+ years, you probably became aware of the various visual design updates that were given to the product over time. Through these various development cycles, we realized that, in order for us to build a winning brand image and improve usability, we would need to invest in the development of a unified user experience strategy.






The first step towards delivering a more efficient experience, was to simplify the navigation. In NEXPOSE 6, the global navigation has been redesigned to maximize working space while providing easy access to global features like notifications and user settings.

To improve readability, NEXPOSE is giving users an improved look and feel focused on providing better contrast and information priority.



“Information presentation is a critical step in designing for security. Attackers depend on invisibility. We intend to counter that by not only showing you key data, but delivering it visually in a way that enables you to connect the dots easily. The overall design of NEXPOSE places the focus on the content, enabled by the navigation in a secondary role. This redesigned navigation and enhanced look and feel are important steps toward unifying the experience across all of our products.” Neil Estacio, UX Visual Design Manager




Our DESIGN PARTNERS PROGRAM is led by Even Jacobs and Ger Joyce. Ger is our resident UX Research Lead.

Every time we need to validate a thesis, we schedule time with our customers through our DESIGN PARTNERS PROGRAM. By listening to our customers, Ger and his team validate theses, uncover usability issues and provide clues that will eventually translate into better experiences. To support UX Architects and Leads, Ger's team can organize a variety of activities such as:

  • Focus Group
  • Surveys
  • And On-site Customer Validations.

“We find key insights when we engage with our customers, and validate them by testing iterations with our DESIGN PARTNERS PROGRAM. Our customers not only engage with us to give these insights, but also engage with the products prior to release, resulting in a refined necessary experience that meets their work needs.” Ger Joyce, UX Research Lead

NEXPOSE 6 is the first product to adopt the new user experience strategy. In coming months, we will continue to improve consistency, usability, and product experiences across all products in the portfolio. With the growing involvement of the UX product team in the creation of world class experiences, expect exciting updates to all the Rapid7 products in a very near future.

This month, Microsoft includes 12 security bulletins, comprising 52 CVEs, with five bulletins rated critical. All five critical bulletins (MS15-094, MS15-095, MS15-097, MS15-098, MS15-099) and MS15-100 are remote code execution issues affecting Internet Explorer, Edge, Microsoft Graphics, Windows Journal, Microsoft Office and Media Center. Users can be affected by the remote code execution issues by viewing a specially crafted web page, journal file, Office file or Media Center link (.mcl).


CVE-2015-2506, CVE-2015-2510 and CVE-2015-2545 are Office vulnerabilities actively being exploited in the wild. The positive news is that exploiting these vulnerabilities requires user interaction. As always, users should be aware of a document's origin whenever they open Office documents, particularly documents received via email or downloaded from an untrusted online source.


Users, remember to be wary of untrusted sources. Your best bet for resolving these is to get patching quickly.

As the IT landscape evolves and companies diversify the assets they bring to their networks, including on-premise, cloud and personal assets, one of the biggest challenges becomes maintaining an accurate picture of which assets are present on your network. Furthermore, while an accurate picture is the end goal, the real challenge is optimizing the means of obtaining that picture and keeping it current. The traditional discovery paradigm of continuous discovery sweeps of your whole network is, by itself, becoming obsolete. As companies grow, sweeping becomes a burden on the network. In fact, in a highly dynamic environment, the results of traditional sweeps quickly become stale and irrelevant.


Our customers are dealing with networks made up of thousands of connected assets. Lots of them are decommissioned and many others brought to life multiple times a day from different physical locations on their local or virtual networks. In a world where many assets are not 'owned' by their organization, or unauthorized/unmanaged assets connect to their network (such as mobile devices or personal computers), understanding the risk those assets introduce to their network is paramount to the success of their security program.


Rapid7 believes this process of keeping your inventory up to date should be automated and instantaneous. Our technology allows our customers to use non-sweeping techniques such as monitoring DHCP, DNS, Infoblox and other relevant servers and applications. We also enable monitoring through technology partners such as vSphere or AWS for virtual infrastructure, and mobile device inventory with ActiveSync. In addition, Rapid7's research team, through its Sonar project (a topic that deserves its own blog post), is able to scan the internet and understand our customers' external presence. All of these automated techniques provide great visibility and complement the traditional approaches, so that our customers' experience of our products revolves around taking action and reducing risk as opposed to configuring the tool.
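As an added illustration of the non-sweeping approach (my own example, not Rapid7's discovery-connection code), the Python below turns a few constructed ISC-dhcpd style DHCPACK syslog lines, the kind of feed a DHCP server can forward, into an inventory keyed by MAC address, flags hardware the inventory has never recorded, and reports which active assets have no recent scan. The log lines, the scan history, the year supplied for the year-less syslog timestamps and the seven-day window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed ISC-dhcpd style syslog lines; not traffic from any real network. Note that
# laptop-42 gets a different address the next morning, one line is a DHCPDISCOVER
# (no lease was granted) and one DHCPACK carries no hostname at all.
SAMPLE_SYSLOG = """\
Oct 12 22:03:11 dhcp1 dhcpd: DHCPACK on 10.0.4.23 to 00:11:22:33:44:55 (laptop-42) via eth0
Oct 12 22:05:40 dhcp1 dhcpd: DHCPACK on 10.0.4.77 to 00:11:22:33:44:66 (printer-9) via eth0
Oct 12 22:06:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:77 via eth0
Oct 13 08:15:09 dhcp1 dhcpd: DHCPACK on 10.0.4.31 to 00:11:22:33:44:55 (laptop-42) via eth0
Oct 13 08:20:45 dhcp1 dhcpd: DHCPACK on 10.0.4.90 to 00:11:22:33:44:88 via eth0
"""

# Only DHCPACK lines prove a host actually obtained an address; the hostname is optional.
LEASE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})(?: \((?P<host>[^)]*)\))? via "
)


def parse_ts(text, year):
    """Classic syslog timestamps carry no year, so the caller supplies it (assumed 2015 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def build_inventory(log_text, year=2015):
    """Key the inventory by MAC: IP addresses change between leases, hardware identity mostly does not."""
    inventory = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines and unrelated syslog are ignored
        ts = parse_ts(m["ts"], year)
        mac = m["mac"].lower()
        rec = inventory.setdefault(mac, {"first_seen": ts, "last_seen": ts, "ip": m["ip"], "hostname": None})
        rec["first_seen"] = min(rec["first_seen"], ts)
        if ts >= rec["last_seen"]:
            rec["last_seen"], rec["ip"] = ts, m["ip"]  # the most recent lease decides the current address
        if m["host"]:
            rec["hostname"] = m["host"]
    return inventory


def newly_seen(inventory, previously_known_macs):
    """MACs present in the log that were never recorded before: the 'new asset' case."""
    return sorted(set(inventory) - set(previously_known_macs))


def needs_scan(inventory, last_scan_by_mac, now, max_age_days=7):
    """Active assets whose last completed scan is missing or older than the window: the blind-spot case."""
    window = timedelta(days=max_age_days)
    return sorted(mac for mac in inventory
                  if last_scan_by_mac.get(mac) is None or now - last_scan_by_mac[mac] > window)


def run_demo():
    inventory = build_inventory(SAMPLE_SYSLOG)
    # Constructed scan history: laptop-42 was scanned three days ago, printer-9 over three
    # weeks ago, and the nameless host has never been scanned (nor inventoried).
    last_scans = {"00:11:22:33:44:55": datetime(2015, 10, 10), "00:11:22:33:44:66": datetime(2015, 9, 20)}
    now = datetime(2015, 10, 13, 9, 0)
    return {"new": newly_seen(inventory, last_scans), "due": needs_scan(inventory, last_scans, now)}


if __name__ == "__main__":
    print(run_demo())
```

Keying on MAC rather than IP or hostname is the design choice that matters: laptop-42 appears under two addresses in the sample and would be double-counted by an IP-keyed inventory, while the host with no hostname option would be invisible to a hostname-keyed one.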


Why should you care? It really comes down to good hygiene and good security practices. It is unacceptable not to know about the presence of a machine that is exfiltrating data from your network, or of rogue assets listening on your network. And beyond being unacceptable, it can put you out of business. Brand damage, legal and compliance risks are great concerns that an accurate inventory alone does not mitigate; however, without knowing in a timely manner that those assets exist on your network, it is impossible to assess the risk they bring and take action.


The SANS Institute rates this topic as the top security control. They bring up key questions that companies should be asking their security teams: How long does it take to detect new assets on the network? How long does it take the current scanner to detect unauthorized assets? How long does it take to isolate or remove unauthorized assets from the network? What details (location, department) can the scanner identify on unauthorized devices? And plenty more.


Let Rapid7 technology worry about inventory. Once you've got asset inventory covered, then you can move to remediation, risk analysis, and other much more fun security topics with peace of mind that if it's in your network then you will detect it in a timely manner.

One of the exciting but challenging aspects of working in the security industry is how quickly things change. You have to protect critical data while physical and virtual devices are coming on and offline, and new threats are announced on a regular basis.


Advanced features in Nexpose are designed to help you respond to these complicated situations. The ability to scan dynamic assets allows you to keep on top of your network even when addresses may be in flux. By scheduling scans, you can use more than one scan template per site, and perform regular scans with no manual effort on your part. Criticality tags help you track your most essential assets amid all the data you receive. This post shows how to access a few of these key features and explains when and why to use them.


Scanning dynamic assets

In some cases, your assets may shift constantly. In the case of virtual or cloud assets, they may come and go or change addresses due to the nature of the environment. In others, you may have a busy office with a lot of employees coming and going, and connecting via virtual private network (VPN).


You can configure Nexpose to keep track of these kinds of constantly changing assets, and scan them on a schedule you specify. For instance, if you have virtual assets, you can create a connection to your vSphere instance, and scan assets discovered through that connection.

Configuring a connection to discover assets

Creating multiple schedules

You can create as many automated scheduled scans as you want. One advantage of creating multiple schedules is that you can scan the same site with different templates. For example, you can scan the same set of assets one day with a standard template such as Full Audit without Web Spider, and another day with another type of template, such as a custom template that checks only for certain types of vulnerabilities. One potential use for this feature is to scan your existing sites for newly announced zero-day vulnerabilities.

Multiple schedules configured for a site

Tagging all assets in a site

You can apply a tag to all the assets in a site. For instance, if you want to tag all the assets in the site with a Very High criticality tag, you can do that in the site configuration. This is an efficient way to set up tags that can help you with tracking and reporting later.

Applying a tag to all assets in a site

To learn more about any of these features, see the Nexpose Help or User’s Guide.


Shooting gallery photo from jeremyriad via flickr under a Creative Commons attribution license. No changes were made.
