Good day, a client presented the following case: "I would like your help to know which are the best practices or standards that Rapid7/Nexpose recommends based on the "Average asset risk score", since we are in an audit process and we see that Nexpose gives us a level of risk, but we do not know what is the optimum level, medium or minimum. For example, in a report that was made, "Average asset risk score: 96,585", what would be the optimum level of this score recommended by the Rapid7 engineers? What is the standard that is taken for this type of score or who defines what is the optimal level and what is not? In one of the previous reports, an objective of 30,000 was defined internally in terms of the "Average asset risk score", but it was an internal agreement and what we want to know is what would this objective be based on a standard, or what number we should take as a basis for this "Average asset risk score" and that in front of an audit we can check, since we could put instead of 30,000 maybe less or more, but we want to base ourselves better on a standard." We investigate that to measure the "Average asset risk score" it is known that the risk score report provides grades for each of your Nexpose groups which can be organized by Sites, Tags, or Asset Groups based on how you want to organize your environment. The grading system works on the A through F range and is based on a curved scale system of your environment. In this case, the closer you are to the letter A is good and the further you move towards the F is critical (information from: https://blog.rapid7.com/2014/08/13/improving-visibility-into-your-security-program-the-risk-scorecard-report/). We want to know if you can suggest that "standard measure" to evaluate the "Average asset risk score" or if in this case it does not exist and everything depends on the evaluations carried out by other methods. First of all, Thanks. Best regards.
Posted by Julio César Sánchez 4 months ago
Hi, My company is thinking about procuring the Rapid 7 VM Scanning Engine available in the Azure marketplace for a customer. It would be installed in a closed environment and we're wondering how exactly does the engine conduct scanning on Azure VMs? Does it install an agent on the target? What permissions does it need? We are going to opt for the 30-day trial but could use some help identifying the scanning flow of this offering. Thank you.
Posted by King Kraussen 4 months ago
Buen día, un cliente expuso el siguiente tema: "Me gustaría de su ayuda para saber cuáles son las mejores prácticas o estándares que recomienda Rapid7/Nexpose en base al “Average asset risk score” aceptable, ya que estamos en un proceso de auditoría y vemos que Nexpose nos da un nivel de riesgo, pero no sabemos cuál es el nivel óptimo, mediano o mínimo. Por ejemplo, en un reporte que se realizó nos indica “Average asset risk score: 96,585", ¿cuál sería el nivel óptimo de este score que recomienda el fabricante? ¿Cuál es el estándar que se toma para este tipo de puntaje o quién define cuál es el nivel óptimo y cuál no? En uno de los reportes anteriores, internamente se definió un objetivo de 30,000 en cuanto al “Average asset risk score”, pero fue un acuerdo interno y lo que queremos saber es cuál sería este objetivo basado en un estándar, o bien, qué numero al respecto deberíamos de tomar como base para este “Average asset risk score” y que frente de una auditoria podamos comprobar, ya que pudimos poner en vez de los 30,000 tal vez menos o más, pero queremos basarnos mejor en un estándar.". Nosotros investigamos que para medir el “Average asset risk score” se sabe que el informe de puntaje de riesgo proporciona calificaciones para cada uno de sus grupos de Nexpose, que pueden organizarse por sitios, etiquetas o grupos de activos según la forma en que desea organizar su entorno. El sistema de clasificación funciona en el rango de la A a la F y se basa en un sistema de escala curva de su entorno. En este caso, entre más cercano esté a la letra A es bueno y cuanto más se aleja hacia la F es crítico (información de: https://blog.rapid7.com/2014/08/13/improving-visibility-into-your-security-program-the-risk-scorecard-report/). Queremos saber si nos pueden sugerir esa "medida estándar" para evaluar el Average asset risk score o si en este caso no existe y todo depende de las evaluaciones que se realicen mediante otros métodos. Quedamos en espera de sus comentarios y de antemano gracias. Saludos cordiales.
Posted by Julio César Sánchez 4 months ago
Dear Team , Is there any way possible way to achieve Reported Vs Remediated for a particular month in Nexpose . The report should be in such a format that at the start of the month ( Eg : Jan 1st 2019 ) how many vulnerabilities has been reported for a particular site including ( New Vs Remediated ) . At the end of the month ( Eg : Jan 31st 2019 ) how much has been remediated .
Posted by Vinoth 4 months ago
CIFS Minimum Password Length Policy Not Enforced CIFS Account Lockout Policy Not Enforced Ok, these ones confuse me. What are these checks looking for exactly? We've had the following Password policies enabled in our default domain policy applied to Authenticated users for years. Enforce password history 10 passwords remembered Maximum password age 60 days Minimum password age 1 days Minimum password length 8 characters Password must meet complexity requirements Enabled Store passwords using reversible encryption Disabled
Posted by Mark Payne 4 months ago
For the vulnerability check "CIFS Account Lockout Policy Allows Password Brute Forcing", InsightVM has the threshold at three attempts but our corporate policy allows 5 attempts. Is it possible to adjust this value from 3 to 5? I really don't want to disable this check as it has value for accounts that don't lockout after 5 attempts. Can somebody point me in the right direction?
Posted by William Frogge 4 months ago
Hello, I'm evaluating InsightOps for our custom logging needs. We're really liking the simplicity of the Webhooks method for sending a log entry via HTTP POST. Since each entry is relatively small, and they are sent in relatively high volume, I'm thinking it would ideal to send them in batches, i.e. POST a JSON array with 100 log entries (or whatever the optimal number is) at a time. Does InsightOps support such a feature?
Posted by Todd Menier 4 months ago
Hello, I have ran a couple of scans on an Ubuntu 18.04, and I have noticed the Nexpose Community Edition only reports on 4 unique CPE codes. The scanners is given credentials and sudo+su root credentials over SSH and I have ran the "exhaustive", "full audit" and "internal DMZ" scan. Is the CPE code reporting better in the commercial version or do I need to change the scan settings somehow to get more CPE codes reported?
Posted by erik hyllienmark 4 months ago
If I have an asset already assigned to a site, I can kick off a scan with the API with something like this: https://scansvr:3780/api/3/sites/123/scans?hosts=10.2.3.4 I cannot figure out a way to use the API to add a NEW asset to a site. In reviewing the API doc, the closest I've come up with would be to get something like this to work: https://help.rapid7.com/insightvm/en-us/api/index.html#operation/createAsset However, I cannot seem to figure out the proper syntax in Postman to get register a new asset into the system. Any help would be greatly appreciated!
Posted by Joe Ut 4 months ago
Added MS SQL creds and have done some one off Oracle DB scans with no noticable vulnerabilities tied to them. Good for sure, but I can't find any details about what InsightVM is looking for specifically when doing a database scan. Is there a list of the checks it does for each database type?
Posted by Charles Burch 4 months ago
Create a site with 8 assets (IP addresses), provide credentials - scan the site - look at the scan results page and see all 8 assets are showing credential success w/ lots of vulnerabilities - go to the home page, find the site and it only shows 1 of the assets and only the vulnerabilities associated with that 1 asset (let's call the asset A) - If I navigate to the site page I see the same thing, only asset A - I go back to the scan result page where all of the assets just scanned appear and click on one of the other assets (let's say it's asset B) and it correctly takes me to scan results for asset B along with assets B's identification information, vulnerabilities, etc. - Now, from that page I click on the 'see asset page' link but instead of taking me to Asset B it instead takes me to Asset A - So I tried the same thing with the other assets and they all just take me to Asset A's asset page - Does anyone have any idea what's going on?
Posted by David Miller 4 months ago
I was trying to scan my Ubuntu server using ssh. when i entered my credentials and test them, below error appears. java.net.ConnectException: Connection refused I double checked my credentials and also check with website http authentication. It wasn't working.same error
Posted by Suresh Madhuwantha 4 months ago
Is it possible to reference the log file name or log set name in a LEQL search? For example, I'd like to check if a regular expression named variable value occurs in a particular log file (in combination with other tests) or group by the log file name to see the breakdown of events by log file. Same question with the timestamp. Can I test or group by the timestamp? What I'd really like to do is like a timeslice, but sum the hour of the day across a week. I thought these might be predefined values that could be tested, but I can't find this in the documentation. Thanks in advance!
Posted by Brandt Braunschweig 4 months ago
I have a deployment in Azure and we install the Insight Agent using the VM Extension in Azure following this guide: https://insightagent.help.rapid7.com/docs/integrations We've had this up for about 3 months and about 10% of my hosts have old versions installed. The rest are all updated. I initially assumed because the VM extension is installed, the version will be maintained. Should these agents be updating automatically? Is there a way to manually update? Is there an agent log I can review to see why an update may have failed?
Posted by Brewbs 4 months ago