Skip navigation
All Places > Nexpose > Blog
1 2 3 4 Previous Next


319 posts

Recently, Rapid7 took a step forward to deliver insight to our customers: our vulnerability management solutions now include the ability to deliver interactive guides. Guides are step-by-step workflows, built to deliver assistance to users at the right time. Guides are concise and may be absorbed with just a few clicks. They are available anytime on-demand within the user interface, so you can quickly and easily find the information you need, as you need it, where you will be applying it.

Here’s an example:

pasted image 0.png

How Guides Work

Interactive guides are powered by As you navigate through the user interface, relevant guides are made available based on the area of the application in use. Pendo serves Rapid7 authored content directly to the user. The user’s workstation must be connected to the internet to make use of these new capabilities. We understand this limits access for some of Rapid7’s customers, but for most individuals, internet access has become as important as the keyboard or a monitor.

To be clear, to receive guides, the user’s workstation requires internet access. The machine hosting the Security Console does not require access to the internet.


How are guides delivered in context?

In order to determine which guides are relevant to a user in the moment, very specific information is transmitted to Pendo from the user’s browser:

  • The URL navigated to
  • CSS element the user has clicked on
  • A globally unique, random identifier for the user


With this information, Rapid7 is able to deliver very specific guidance to users when they need it, for improved experiences within the product. All data collected is anonymized, and all communications between the user’s workstation and are encrypted with SSL/TLS.


Is my Nexpose data transmitted?

No data that is collected by Rapid7 Nexpose about your organization's assets or vulnerabilities is transmitted to Pendo or Rapid7:

  • No personally identifiable information, such as email addresses, names or User IDs is transmitted.
  • No vulnerability data is transmitted.
  • No asset data is transmitted, inclusive of software, attributes, IP addresses, and other metadata.
  • No information collected by Scan Engines or Agents is transmitted.

To learn more on how Rapid7 and protect your information, please visit: and

I don’t see any guides. When will they be available?

We’re busy building guides right now. You can expect to see new guides in the coming weeks.

What if I cannot participate, or do not want to participate?

If your users have no access to the internet, then you won’t be able to receive guides. No data will be transmitted and no guides will be delivered.

If you do not wish to receive guides, you can easily disable the capability on the Security Console:

  1. Login to the machine hosting the Security Console as an administrator
  2. Locate and edit nsc.xml. The file is located in the “deploy/nsc/conf/nsc.xml” directory. For example “/opt/rapid7/deploy/nsc/conf/nsc.xml” in some Linux distributions. Make a copy of the file in case you need to revert the configuration.
  3. Edit or add the following element <Analytics enabled=”false” />. This element should be a direct child of <NexposeSecurityConsole />.

pasted image 0 (1).png

This is a snippet of the nsc.xml file used to illustrate the format of the element. Your nsc.xml will differ.

Changes will take effect during the next Console restart.

Making inadvertent changes to the nsc.xml file can cause issues in your Security Console. Please contact Rapid7 Support for guidance or assistance.

On March 9th, 2017 we highlighted the availability of a vulnerability check in Nexpose for CVE-2017-5638 see the full blog post describing the Apache Struts vulnerability here. This check would be performed against the root URI of any HTTP/S endpoints discovered during a scan.


On March 10th, 2017 we added an additional check that would work in conjunction with Nexpose’s web spider functionality. This check will be performed against any URIs discovered with the suffix “.action” (the default configuration for Apache Struts apps).


It may be necessary to configure your scan template to direct Nexpose to specific paths on web servers if they cannot be discovered during the default spidering process. If your app’s URI is not linked to from any of these discovered pages, you will need to configure these paths. Follow the steps below to configure your scan template:


Let’s say you have 2 Apache Struts apps in the following locations:


Example App URL 1:

Example App URL 2:


In Nexpose’s web UI, select the scan template that you wish to use (Administration → Templates → manage)


Go to the Web Spidering section of the template (WEB SPIDERING → PATHS) and then add all the paths you wish Nexpose to try accessing to the “Bootstrap paths” section. PLEASE NOTE: Each path must be followed by a trailing slash and are comma separated (e.g. /org/apps/,/other/org/):



Once you configured the paths, save the changes to the template.


Not a Nexpose customer and want to scan your network for the Apache Struts vulnerability? Download a free trial of Nexpose here.

Due in part to the delay of February's fixes, today's Patch Tuesday is a big one, comprising 18 bulletins split evenly between "Critical" and "Important" ratings. It's also significant as three of the bulletins (MS17-006, MS17-012, and MS17-013) contain fixes for vulnerabilities that were previously disclosed by external vendors and have exploit code publicly available. Administrators should prioritize these three updates before moving on to the remaining Critical and then Important ones.


CVE-2017-0037 is a particularly nasty one, allowing attackers to remotely execute arbitrary code if a user visits a malicious web page using Internet Explorer 11 (or potentially Edge). CVE-2017-0038 allows remote attackers to glean potentially sensitive information from process heap memory due to an EMF file handling defect. And CVE-2017-0016 is a denial of service vulnerability that can crash Windows when connecting to a malicious SMB share. Exploit code for it has been publicly available since at least February 1st.


The fact that Microsoft published security bulletins at all this month may come as a surprise to some, given that they announced their intention to transition away from the Security Bulletin model in favour of their Security Updates Guide after January's updates. February's out-of-band release of Adobe Flash Player fixes as MS17-005 hinted that they weren't quite done with the format, and the slew of bulletins issued this month confirms that it's not yet deprecated.


Even so, the Rapid7 vulnerability content team is pressing forward with our promised changes to the way we identify Microsoft vulnerabilities. Instead of being bulletin-centric (e.g. "MS17-004: Security Update for Local Security Authority Subsystem Service (3216771)") vulnerabilities will be broken down by CVE. For example, MS17-017 is split across four separate CVE identifiers:

  • msft-cve-2017-0050: Microsoft CVE-2017-0050: Windows Kernel Elevation of Privilege Vulnerability
  • msft-cve-2017-0101: Microsoft CVE-2017-0101: Windows Elevation of Privilege Vulnerability
  • msft-cve-2017-0102: Microsoft CVE-2017-0102: Windows Elevation of Privilege Vulnerability
  • msft-cve-2017-0103: Microsoft CVE-2017-0103: Windows Registry Elevation of Privilege Vulnerability

This provides a more accurate assessment of risk compared to the legacy approach, where a single bulletin could encompass many individual vulnerabilities. Indeed, across the 18 bulletins this month there are a total of 134 unique CVE identifiers.


One last piece of administrivia this month that security teams should be aware of: the security-only updates for Windows 7, Server 2008 R2, Windows 8.1, and Server 2012 R2 do not include security updates for Internet Explorer. This aligns with how Microsoft has traditionally shipped IE fixes, but is a change back from how they've done it over the past several months.


Happy patching!

We are often asked by customers for recommendations on what they should be scanning, when they should be scanning, how they ensure remote devices don’t get missed, and in some cases why they need to scan their endpoints (especially when they have counter-measures in place protecting the endpoints). This blog post is intended to help you understand why running regular scans is a vital part of a security program, and to give you options on how to best protect your ecosystem.


Q: What do I need to be scanning?

Scan everything. This may seem blunt or overly simplified, but if a device touches your ecosystem, then it should be scanned. Why? Because if you don’t, you are losing visibility into the weaknesses in your infrastructure. This brings inherent, unquantifiable risk because you cannot see where the holes are that an attacker can use to access your organisation. Exploitable vulnerabilities exist across all operating systems and applications; if you are not scanning your entire ecosystem, including cloud and virtual, you are leaving these vulnerabilities as unknowns. Scanning everything does not mean that all systems or devices will be treated with the same level of criticality when it comes to prioritizing remediation actions.

Q: How frequently should I scan my ecosystem?

Our recommendation is to combine Insight Agents and regular scanning to get a live picture of your ecosystem at all times. Nexpose Now capabilities prevent your data from becoming stale, meaning you’ll know where to focus your efforts on reducing risk at all times. Specifically, adaptive security within Nexpose Now automatically detects new devices as they join your network, so you never miss a network change.

If you haven’t had a chance to upgrade your vulnerability management program to include the live monitoring that comes with Nexpose Now and are still using traditional Nexpose, then scanning everything as frequently as possible is highly recommended. Monthly scans to coincide with Patch Tuesday are good, but scanning more frequently certainly doesn’t hurt. Customers often split up their scans to hit different segments at different times, but they’ll cover the whole environment on a monthly or bi-weekly basis. More details on scan configuration can be found here.


Q: How do I ensure my remote workers aren’t missed?

Most organisations have a number of remote workers, some of whom hardly ever connect to the internal network, but still have access to certain applications when they are on the road. It can be tricky to ensure their devices don’t get missed during scans and patching. Remote workers bring additional risk as they often keep sensitive data local to their devices for ease of access when they are travelling, and frequently connect to unsecured Wi-Fi. Therefore, on the occasions when they do venture into the office, their devices are potential grenades. 


You really don’t want to miss these folks.


The best way to ensure you have visibility into these devices is to use our Insight Agent, which can connect back to Nexpose Now as long as the device has internet access.  You can learn more about how Rapid7 can solve your remote workforce challenges here.


Q: Why are endpoints important? Can I just scan my servers?

Endpoints run operating systems and applications that have vulnerabilities, meaning they can be breached just as easily as servers — if not more so. Endpoints are more likely to have a connection to the internet and generally have users attached to them. Users often introduce security risks, either due to a lack of care or, in some cases, through no fault of their own (i.e. unknowingly connecting to a compromised website). Endpoints can have sensitive data saved locally while also accessing resources on the network. Users can also introduce security risks by connecting removable media and other USB type devices to endpoints.


Furthermore, attackers have been increasingly focusing on using endpoints as an initial entry point in an attack. We’ve become very good at spending millions of dollars on firewalls and defense-in-depth tools to protect servers, so attackers have moved to the weakest link that remains: users and their endpoints. Almost every major breach in the news begins with a phishing or spear phishing attack, and these all exploit endpoints.


As mentioned above, any device you do not scan brings unquantifiable risk to your ecosystem. Scan or use Insight Agents across all your devices, endpoints, servers, virtual, remote, and cloud.


Q: But I’ve got countermeasures in place!

Good. Countermeasures — and a good security policy — are really important. These could include Host or Network IPS, a strong security configuration on the endpoints, plus things like access control policies and strict settings for remote users to ensure they always connect to your VPN before accessing the internet. That doesn’t mean you shouldn’t scan devices for vulnerabilities *and* validate that your countermeasures are working. There have been multiple instances of vulnerabilities in security software itself, not to mention operating system and application vulnerabilities, as well as malware that affects configuration settings and a device’s security policy. If you don’t have a way to see which vulnerabilities are on a device, then you are leaving a door open for attackers.


The best way to test that your countermeasures are working properly is to simulate an attack and make sure they catch it; many customers use Metasploit Pro to test their security controls, or our professional services to simulate a full-scale attack and help plan how to improve compensating controls.


Additional questions?

If you would like to discuss best practices further, we would love to talk with you. If you are already a customer, your Customer Success Manager is a great resource. We can also provide services engagements to help you implement or invigorate your security program. If you’re interested in receiving training on how to make the most of Nexpose, we have options available to you as well. Contact us through your CSM or and let us know how we can help.

Earlier today Microsoft announced that they will be delaying this month's security updates due to finding a last-minute issue that could "impact some customers." This may be due to a glitch in their new process that they were not able to iron out in time for today's planned release.


We will be keeping an eye out for any updates and will, as always, provide timely coverage for the security vulnerabilities once they become public. There is no word yet of when that might be.

On January 21st 2017, Google’s Project Zero disclosed a vulnerability in Cisco’s WebEx browser plugin extension that could allow attackers to perform a remote code execution (RCE) exploit on any Windows host running the plugin.



An initial fix was pushed out by Cisco that warned a user if they were launching a meeting from a domain other than * or *, however, the fix was questioned by April King from Mozilla based on the WebEx domain’s security audit results from their Observatory project.



Cisco released a fix on 26th January 2017 that not only whitelisted the domains where meetings could be launched, but also tightened up the verification mechanisms to calls on DLLs, as observed by Tavis Ormandy at Project Zero, “It looks like they correctly handle Mac and Windows, and have also added some verification on GpcInitCall/GpcExitCall/etc so that functions have to match a RegEx. This looks like a huge improvement.”


Full details of the vulnerability disclosure from Cisco can be found here. The following versions of plugins were declared vulnerable:


  • < 1.0.7 on Google Chrome

  • < 106 on Mozilla Firefox

  • < on Internet Explorer



Nexpose version 6.4.21 will allow you to detect if you have a vulnerable version of the Cisco WebEx plugin installed on any of your Windows hosts in your network and if you are vulnerable to CVE-2017-3823. As this is an authenticated check, credentials will need to be configured for the scan.

Update (February 14th): Microsoft has delayed the release of their February 2017 security updates due to a last-minute issue. As always, we will provide timely coverage for the vulnerabilities once Microsoft has published the updates.


Next Tuesday (February 14th) will mark a major change in how Microsoft issues their security updates. Since October 2003, on the second Tuesday of each month (plus occasional bonus out-of-band updates) Microsoft has published a number of Security Bulletins detailing fixes to vulnerabilities in their software products. System administrators and security professionals are well familiar with identifiers of the form MS14-060, where the first two digits after MS refer to the year the bulletin was published and the last three increment over the course of the year. Each of these bulletins could include several vulnerabilities and/or Knowledge Base article identifiers (KBs).


After last month's atypically small number of bulletins, MS17-004 is the last of this format. Microsoft has announced that their new single destination for security vulnerability information will be their Security Updates Guide (still in "preview" as of this writing). Instead of publishing bulletins to describe related vulnerabilities, the new Updates Guide breaks down fixes by CVE identifier, KB number, and product.

What This Means For Nexpose Users

Nexpose's existing Windows Hotfix vulnerability content uses Microsoft's bulletin numbers, for example, MS16-151: Security Update for Windows Kernel-Mode Drivers (3205651). If you have any habits or workflows that assume identifiers or titles in this particular format (e.g. filtering by vulnerability title), they will not include Windows Hotfix content from this coming Patch Tuesday onward. The new format will be CVE-based, with identifiers of the form msft-cve-yyyy-nnnn. Legacy content will not be changed to reflect this new format. However, to take the above MS16-151 as an example, it would become two distinct vulnerabilities:

  • Microsoft CVE-2016-7259: Win32k Elevation of Privilege Vulnerability
  • Microsoft CVE-2016-7260: Win32k Elevation of Privilege Vulnerability

In case you are used to dealing with vulnerability IDs, these would be called msft-cve-2016-7259 and msft-cve-2016-7260 respectively.


Although this may take some getting used to, it will result in more accurate risk scores, as described in this blog post from when we introduced a similar change for Adobe, Debian and Ubuntu security advisories.


Check back next week after Microsoft issues February's updates; we will provide some more concrete examples of these changes, along with our standard analysis of the fixes.

A common request we hear from customers is for the ability to schedule scans on individual assets, or on subsets of assets.

Currently, you can start a manual scan and choose specific IPs, engine and template, but you need to have permissions to create sites in order to schedule such a scan.

Good news!

In version 6.4.18 version of Nexpose, released Jan 25th 2017, we've addressed this! Now individual site owners can create schedules and choose specific IP's, ranges or asset groups to kick off at a later time, or on a regular basis. Additionally, you can give manual or scheduled scans a name – making it much easier to understand what’s being scanned and when.


With these enhancements you can:

  • Schedule single assets, subsets of assets, or asset groups to scan (one-off or repeating)
  • Name all manual or scheduled scans for ease of tracking
  • Choose any engine available to you for any scheduled scan - scheduled scans are no longer constrained to the site default engine
  • See who started, stopped, paused or resumed each scan


How to Use It




(1) Name your scan

(2) Choose to use the default engine for this particular schedule, or any other engine available to you

(3) Check the 'Specify Subset of Assets' box to give you the ability to choose to scan specific assets for this schedule.

     (Site default is unchecked so the schedule would scan the full site)

When you check the box to 'Specify Subset of Assets', you can be more explicit with your inclusions and exclusions for this schedule.




Tables such as current scans and past scans on the homepage and scan history pages will now show the name of the scan, and the name of the person who triggered the scan.




The Small Print

1) When creating a scheduled or manual scan, the name field is not required.

If you do not enter a name, we'll just use the time and date the scan started to fill the current scans and past scans tables for tracking.

2) Since we currently use string comparison for the validation of assets and asset groups, there is a limitation to the functionality.

Here is an example of valid and invalid use of this new functionality


Site Asset Range x.x.x.1 - x.x.x.255. You choose to schedule a scan only for a range x.x.x.10 - x.x.x.25


Create New Asset group. Subset A = x.x.x.10 - x.x.x.25

Site Asset Range x.x.x.1 - x.x.x.255. You choose to schedule a scan only by specifying by group 'Subset A'


Patch Tuesday, January 2017

Posted by anowak Employee Jan 10, 2017

Update: See below for an update for the upcoming February Patch Tuesday.


Microsoft starts off the year with 4 bulletins and continues a long running trend with their products where the majority of bulletins (2) are remote code execution (RCE) followed by an even distribution of elevation of privilege and denial of service. Missing from this month’s list of affected products is Internet Explorer, which typically complements the Edge bulletin (MS17-002). All this month’s critical bulletins are remote code execution vulnerabilities, affecting Adobe Flash Player, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Windows.


While Microsoft continue actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing table in which they are unable to permanently address these vulnerabilities, which predominately affect the consumer applications listed above. Unfortunately this leads to one of the single largest attack vectors, consumers.


This month Microsoft resolves 15 vulnerabilities across 4 bulletins. Both consumers and server users MS17-002 and MS17-003 are the bulletins to watch out for, addressing 14 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, two vulnerabilities addressed by MS17-001 (CVE-2017-0002) and MS17-004 (CVE-2017-0004) are known to have been publicly disclosed.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritize your deployment of this months’ updates. At a minimum, ensure to patch systems affected by critical bulletins (MS17-002, MS17-003).


Please note that January marks the end of Microsoft’s Security Bulletins as the tech giant transitions to their Security Update Guide; instead of publishing bulletins to describe related vulnerabilities. This new portal provides security vulnerability information through an online database where users can filter, sort and search. Be advised that the current Security Update Guide is in preview; for further information refer to Microsoft’s blog post on furthering their commitment to security updates.



Update: Microsoft’s Security Update Guide FAQ

This Patch Tuesday, February 14th, marks a change for the security community as Microsoft introduces a new portal to consume security updates about their products. For the past 12 years, Microsoft has published security bulletin webpages (e.g. MS16-118) that often-referenced multiple vulnerabilities and KB article IDs. Microsoft has taken the opportunity to pivot to a new model focusing around vulnerability ID (CVE-2017-0004) and KB article ID numbers (KB2913602) in attempts to easy the access of security information, providing customers more flexibility. The tech giant is actively working with vendors whose tools rely on security bulletin pages in-order to help them transition to their new portal. One point the FAQ does not address is if Microsoft intends to localize their new API.

Ken Mizota

macOS Agent in Nexpose Now

Posted by Ken Mizota Employee Dec 29, 2016


As we look back on a super 2016, it would be easy to rest on one's laurels and wax poetic on the halcyon days of the past year. But at Rapid7 the winter holidays are no excuse for slowing down: The macOS Rapid7 Insight Agent is now available within Nexpose Now.


Live Monitoring for macOS

Earlier this year, we introduced Live Monitoring for Endpoints with the release of a Windows agent for use with Nexpose Now. The feedback from the Community has been great (and lively!) and now we're back with another round. Recall, by adding agents into your threat and vulnerability management routine, you can:

  • Get a live view into your exposures: Automatically collect data from your endpoints and seamless integrates it into Nexpose Now, so your Liveboards are always populated with real time data without the need to hit refresh or rescan.
  • Get visibility into remote workers:  Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
  • Eliminate restricted asset blindspots: Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict scanning restrictions, while removing the need to manage credentials to gain access.

These same powers may now be pointed at your macOS population.


macOS adoption has been on the rise for years. Windows adoption is not in danger of being eclipsed, but many customers need visibility into their pockets of macOS machines within the environment. This makes sense -- when IT can't always mandate a common hardware platform, entire business units adopt what works for them, and C-suite executives use the hardware they desire; a Security team simply needs visibility to what's weak on the systems that mean the most to them.


Getting Started

Just like its Windows counterpart, the macOS agent is easy to install (interactive or silent), easy to manage (directly from Liveboards), and most importantly performs its duty with minimal resource consumption and no user interference. Ready to get started? Here's how:


First, navigate to your Liveboards and if you haven't done so already, add an Agent card.


Click on the Manage Agents link and then the Download Mac Agent button.


Run the installer package on your Macs of choice and you've taken a first step into a larger world. The Rapid7 Insight Agent takes care of the rest, performing initial and regular data collection, securely transmitting the data back to Nexpose Now for assessment. All of this takes place whether the user is connected to your network or just the internet, reducing the effort for you to get the visibility you need. We expect every organization may deploy or configure things a little differently, so we've provided more information and a FAQ on Rapid7 Insight Agents.


tl;dr, at launch the macOS Agent is compatible with macOS Yosemite 10.10 and onwards.


You keep using that word...


Since launching Nexpose Now early in the year and following up with Live Monitoring for Endpoints and Remediation Workflow, we've received questions on the minor, but obvious (Beta), label visible within some parts of Nexpose Now.


While on the topic of new capabilities, we thought we'd take the opportunity to share some of the Q&A with you all.


What is in (Beta) in Nexpose Now?

Remediation Workflow and Live Monitoring for Endpoints are the two current features that have this label applied. We've opened up these new capabilities to all users of Nexpose Now without restriction.


Why is <feature> Beta?

We want to get new capabilities into your hands as soon as possible, so you can start getting value and provide feedback to Rapid7 on how we can improve. We continue to work on improvements that will make the user experience more seamless, more capable and more performant. Beta is used to let customers know Rapid7 is actively working to deliver value: more goodness to come!


Are you releasing untested functionality?

All features are fully tested before being released. Users will get a high quality experience across many workflows, with more features and workflows being added to the product based on feedback we receive.


Is (Beta) functionality supported?

Yes. Features offered in Beta form are fully supported by Rapid7 Technical Support.


May I use these features in production?

Yes. That is why we've released them into the world, so they may deliver their intended value to you NOW.


Haven't tried Nexpose Now but are interested? Check out our Help page to learn how to get started with Nexpose Now.


All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

'Tis the holiday season and the Nexpose team is in the giving spirit! At the Rapid7 workshop, we've been busy little helpers building toys for deserving security teams throughout the year. Here are just some of the goodies you can take advantage of NOW:




Before 2016 is over, we want to give all the hardworking security teams one final treat. What does virtually every team need and wish they had more of? Time, of course.


Teams using Adaptive Security in Nexpose have already been saving time by automating key workflows (like Rapid7’s own security team). Earlier this year we added integration with Rapid7 Labs’ Project Sonar and a new Rapid7 Critical vulnerability category. This week we released even more improvements to Adaptive Security, including the ability to trigger Automated Actions during scans and a new Automated Actions Activity Monitor, to help security teams save even more time.


Scanning as a Trigger

There are 3 ways to trigger Automated Actions; when a known asset comes online, a new asset is discovered, or there is new vulnerability coverage. These can be triggered via Discovery Connections (e.g. DHCP, vSphere, Sonar, etc.) and now, during any active scan (discovery, vulnerability or policy).


There are many ways you can use this new capability. Here's one way: Performing quick assessments in between full vulnerability scans. For example, you can run a discovery (nmap) scan to trigger an Automated Action to assess only the assets that haven’t been scanned before.




Automated Actions Activity Monitor

Adaptive Security is the gift that keeps on giving – working to keep your network secure even when you’re not there. The new Activity Monitor shows you which Automated Actions were triggered and when, so you (and your manager) can see exactly how much work was done. This capability also makes it simple for you to disable/enable Actions and spot any issues that need troubleshooting.




You can now create, edit and monitor Automated Actions via this icon Picture4.png  in the left navigation.


If you haven’t tried Adaptive Security yet, there’s no time like the present!

A question that often comes up when looking at vulnerability management tools is, “how many vulnerability checks do you have?” It makes sense on the surface; after all, less vulnerability checks = less coverage = missed vulnerabilities during a scan right?


As vulnerability researchers would tell you, it’s not that simple: Just as not all vulnerabilities are created equal, neither are vulnerability checks.


How “True” Vulnerability Checks Work


At Rapid7 we pride ourselves in generating “True” Vulnerability Checks, which leverage vulnerability information right from the source, the vendor. Our content is composed of two fundamental components; fingerprinting and vulnerability check data. Researchers spend considerable effort in-order to provide our expert system the capability to accurately identify vendor products such as applications and operating systems. “True” vulnerability checks are executed within our expert system, which utilizes these fingerprints to determine characteristics for each asset it encounters, then comparing these characteristics against our vulnerability check data to identify any vulnerabilities.


Looking at vulnerability check count alone is a meaningless metric as security vendors could easily inflate this number by spreading their check logic across multiple check files. There is only a finite amount of ways to test for the presence of a vulnerability, which is most often prescribed by the vendor.


“Informational” Vulnerabilities


This brings us to what vendors usually describe as “Informational Vulnerabilities.” In the act of doing a vulnerability scan (especially during credentialed scans), a vulnerability scanner gleans a ton of useful information that doesn’t necessarily have a CVSS score or real risk, such as installed software, open ports, and general information about what a system is and how it operates.


A common way vendors show these findings to users is by making them “informational or potential” vulnerabilities, categorizing them in the same way they categorize CVSS-scored issues. Most scanners that do this thankfully make it easy to filter out informational vulnerabilities from “real” ones so you can focus on the vulnerabilities with actual risk; however, it still leads to several issues:

  • Users that are new to vulnerability management may not understand what is informational and what isn’t, leaving those vulnerabilities in reports and making it appear that their scan is catching much more than others (when in reality the actual vulnerability information is likely very similar)
  • There’s no industry standard for classifying “informational” vulnerabilities like there is for CVSS scored “real” vulnerabilities. This leaves it to the vendor’s discretion what they consider is pertinent information. There’s a huge amount of incidental information that can be gathered from a vulnerability scan; labeling ALL of it as vulnerabilities is impractical, and so is leaving out data by labeling only SOME of the data. It’s a lose-lose situation
  • Thanks to the above point, vendors often tout their total number of vulnerability checks as proof of their superiority over each other, without pointing out that a sizeable chunk of these checks are largely irrelevant to prioritizing important vulnerabilities


The Nexpose Approach


Nexpose doesn’t have any informational vulnerabilities.  For example, identifying that the target has a resolvable FQDN isn’t something you will find in our vulnerability list. This is simply a characteristic of the target not necessarily a vulnerability and therefore is found in the asset details page. We know that no one wants to be bogged down with irrelevant vulnerabilities or spend extra time filtering out information they don’t need; that’s why we focus on making it easy to filter down your assets to identify relevant information and report off of assets based on these filters. Need to see all assets that are virtual machines (yes, believe it or not, being a virtual machine is classified as a vulnerability in some tools!)? Simply create a dynamic asset group to automatically filter your assets down to just virtual machines, a group that updates automatically as new devices are added. Strip away informational vulns, and you’ll be surprised with how may real vulnerability checks are left over.


In the end, the number of vulnerability checks isn’t much of a differentiator anymore; as those new Sprint commercials say, its 2016, and every enterprise level vulnerability scanner has pretty similar coverage across even uncommon types of assets. Vendors that tout the # of checks as a differentiator often do it because they know that have more informational checks than their competition, and conveniently fail to mention that a sizeable chunk of these would never be used in actual remediation, only slowing down your security team and giving you more 1000 page irrelevant reports.


Patch Tuesday, December 2016

Posted by anowak Employee Dec 13, 2016

December continues a long running trend with Microsoft’s products where the majority of bulletins (6) are dominated by remote code execution (RCE) followed by an even distribution of elevation of privilege (3) and information disclosure (3). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).


While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.


This month Microsoft resolves 59 vulnerabilities across 12 bulletins. For consumers MS16-144, MS16-145, MS16-146, MS16-147 and MS16-154 are the bulletins to watch out for, addressing 36 vulnerabilities. For server users MS16-146 and MS16-147 are the bulletins to watch out for, addressing 4 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been be exploited in the wild. However, five vulnerabilities addressed by MS16-144 (CVE-2016-7202, CVE-2016-7281, CVE-2016-7282), MS16-145 (CVE-2016-7206, CVE-2016-7281, CVE-2016-7282) and MS16-155 (CVE-2016-7270) are known to have been publicly disclosed.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritize your deployment of this months’ updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, MS16-154).


With the launch of Nexpose Now in June, we’ve talked a lot about the “passive scanning trap” and “live assessment” in comparison. You may be thinking: what does that actually mean?  Good question.


There has been confusion between continuous monitoring and continuous vulnerability assessment – and I’d like to propose that a new term “continuous risk monitoring” be used instead, which is where Adaptive Security and Nexpose Now fits. The goal of a vulnerability management program is to understand your risk from vulnerabilities and manage it effectively, based upon what is acceptable to your organization.


First ask, “What does ‘Continuous Monitoring’ actually mean?”


“Continuous” admits that our networks, and the systems on them, are not static. System configurations change, users install stuff, admins deploy things. Users move around the building, plug into network jacks, or leave stuff plugged in.


“Monitoring” speaks to the need to answer that question “What is on my network?” and “Are the systems on my network patched and configured in a way we are comfortable with?”. Because these things are changing continuously, we need to be able to monitor them continuously to be secure.


Then ask, “How are other folks using this ‘continuous monitoring’ concept?”


There are different definitions from best practices and regulatory standards that use the words “continuous”, like SANS (now CIS) Critical Security Controls and NIST [PDF].


The definitions vary.

  • SANS says “Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores”.
  • NIST says “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”


With that said, the intent behind “continuous” is the same…it is to provide you as close to real-time visibility into risk in your environment that is actionable, to ultimately reduce your risk of a breach (side note: Rapid7 was also recently recognizedas the top company for meeting the SANS top 20 controls, so this is just one of 19 controls we can help with!)


Many Approaches Available


There are different approaches to continuous risk monitoring that range from running back-to-back vulnerability scans, or passively finding vulnerabilities using network traffic, to running event-driven vulnerability assessments.


Back-to-Back Scans

Nexpose Live Assessment Passive Scanning.png

This approach is basically running an endless loop of vulnerability scans back to back, so when one scan finishes you run another scan.  While this approach ensures that you always have a full picture of the risk on your network, during the time between when the scan starts and ends you have a potential blindspot in your risk posture. Not only is this noisy and expensive from a network bandwidth perspective, a risky asset could join and be removed during this window without your knowledge.


Passively identifying vulnerabilities using network traffic

Nexpose Live Assessment Fig. 2.png

The other approach to continuously monitoring risk is to put a network sniffer throughout your network to find vulnerability risk.  This approach sounds pretty good, however, it is limited as it relies only on clear text network traffic on the network. The volume of vulnerabilities is limited when compared to active vulnerability scanning, and is more likely to generate false-positives needing tracked down and explained to your IT organization.  Buyers should also be aware that network traffic is increasingly encrypted –Google is even rewarding sites that leverage HTTPS through better rankings – this limits visibility of data that can be used for vulnerability assessment.


Because of these limitations it’s tough to use passive vulnerability scanning alone as true continuous monitoring; you still Nexpose Live Assessment Fig. 3.pngneed active vulnerability scanning in order to have an actionable view of your risk posture. Which is fine, but the deployment architecture is eerily similar to IDS and would be duplicated if you already have an IDS deployed in your environment.  Many organizations have made the upgrade to IPS over the classic IDS because if you are going to go through the effort of sniffing network traffic, you might as well have a solution that can actually prevent an attack from happening instead of just knowing about it.



What’s even more interesting is that Gartner says “In 2015, 40% of enterprises have a standalone IPS deployed.  However, it is decreasing down to 30% by the end of 2017.”


That seems odd, right?  Well, IPS technology is getting baked into next-generation firewalls which is becoming a more and more popular choice for enterprises.


This is the trap that most people fall into: thinking they can rely on “passive scanning” to do continuous monitoring, when they a) often have very similar capabilities already baked into their next-generation security tools and b) are overloaded with false positives that provide more noise than actual monitoring. This is what lead us to a new approach.


A Live approach for vulnerability management: Adaptive Security + Nexpose Now


The Adaptive Security approach, which was released with Nexpose 6, is a dynamic event-driven automated workflow approach that provides between-vulnerability-scan visibility to changes that occur in your network and real-time. These adaptive security features provide actionable insight into the impact on your organization’s risk.


Dynamic data collection is made possible by the Nexpose integration with asset sources like DHCP and VMWare to identify when an asset joins the network. The automated actions workflow enables instant scanning of these assets, tagging and/or adding to a site. Thus, when a new asset or vulnerability joins the network, Nexpose can automatically assess it and add it to you reports, without any additional deployment and with minimal impact on network performance, and only provides vulnerability insight and actionable information for the events you want to track – no alert fatigue.


Now this can be coupled with Nexpose’s Liveboards to get an instantly updating scoreboard of how your environment is doing. Integrating a new subnet into your network after an acquisition? Adaptive Security will instantly scan it and you’ll see how it affects your overall risk in (near) real time. New critical vulnerability come out over the weekend? Walk into the office on Monday with a list of all assets that are affected and have the ability to assign remediation to the right IT group.


Check out this blog post for more information on Adaptive Security. Ready to get started? Download a free trial of Nexpose to test drive the new adaptive security features!

Nexpose supports a variety of complementary reporting solutions that allows you to access, aggregate, and take action upon your scan data. However, knowing which solution is best for the circumstance can sometimes be confusing, so let's review what's available to help you pick the right tool for the job.


I want to pull a vulnerability assessment report out of Nexpose. What are my options?


Web Interface

The Nexpose web interface provides a quick and easy way to navigate through your data. You can drill-down and navigate through cross references and tables support exporting to CSV. Dashboards are a more flexible and configurable way to organize and visualize the data and printable reports support more comprehensive aggregation. The web interface is best suited for ad-hoc exploratory analysis of data.



Dashboards provide a rich way to visualize and analyze your data in real time. Dashboards in Nexpose Now are highly configurable, flexible, and adaptable to your reporting needs. Cards in the dashboard are easy to use and can be exported to CSV, but are not printable or distributable outside of a web interface natively. Built-in and/or custom report templates are a better option for scheduled distribution and printing.


Built-in Report Templates

Built-in vulnerability assessment report templates allow configurable reporting for common use cases, such as prioritizing remediation, providing overview of remediation progress, auditing results, etc. Each template allows simple user-interface configuration of the scope of the report, as well as scheduling, distribution and other settings that can make automated workflows simple to execute. Built-in report templates are the first feature you should use to get familiar with Nexpose reporting capabilities, format, etc. Built-in report templates may also be configured and generated through the external XML-based application programming interface (API) for even more control. If you are satisfied with the level of control and configuration, but would like alternate printable templates, consider using custom report templates.


Custom Report Templates

Custom report templates extend the built-in report templates with various additional reports. Several are available here on the community but you may also engage with the Rapid7 professional services team to customize the building and deployment of a report specifically suited to your needs. This option is ideal when your organization has little SQL expertise or other reporting infrastructure in place.


SQL Query Export

SQL Query Export provides fine-grained control over the data output in a CSV-formatted reporting. Raw SQL queries against the Reporting Data Model allow any combination, slicing, and intersection of data that is required. This lightweight option is best when the scale of the report is limited, and the CSV format is ideal for consumption. SQL Query Export works well with adhoc API reporting and other scripting-oriented solutions. For large scale deployments that want to have efficient, indexed access to raw data, consider using Data Warehouse Export instead.


Data Warehouse Export

The Data Warehouse Export feature allows Nexpose to perform an extract transform and load (ETL) process to an external data warehouse. The export supports a highly-optimized, indexed, and efficient dimensional model that any business intelligence (BI) tool can easily connect to. If you are familiar with a BI tool or your organization already has access to one, then warehousing may be a good fit. The data warehouse export runs on regularly scheduled intervals and as such will have some latency before data is available in the warehouse. The data warehouse is best suited for large scale enterprise deployments where hundreds of reports may generate on a daily basis. The more active your organization is at reporting, the more benefit you get from the warehouse. However, the data warehouse does require a separately managed and installed PostgreSQL instance to export into and does not provide the built-in capabilities such as role-based access control, distribution, or scheduling natively. BI tools can be used to provide these report management capabilities, such as Tableau, Qlik, Pentaho, Domo, JasperReports Server and many others.


How do I know which reporting solution is right for me?

The following chart highlights some key similarities and differences between the various reporting solutions, which you can use to help select the reporting capabilities best for you and your organization.


Web InterfaceDashboardsBuilt-in ReportsCustom ReportsSQL Query ExportData Warehouse Export
Output FormatCSVCSV



Distribution (e.g. SMTP)
Access Control
Printable Output Format
Customizable Output
Enterprise Scalability
Raw Data Access


Full support

Partial support (varies)

Filter Blog

By date: By tag: