11 Tips and Tricks for the RIO Power User

Posted on August 18, 2014 by in Risk I/O, Vulnerability Intelligence

1. Keyboard Shortcuts
Keyboard shortcuts are available from the home screen. Want to know what they are? Click the Keyboard Shortcuts link in the bottom right sidebar, or just press Shift+?.

2. Threat Trends Click-Through
Clicking on any of the attack or breach bubbles within the threat trends view will filter your assets by only displaying those that are vulnerable to that attack or exploit. Didn’t know threat trends existed? Go to the dashboard and open the threat trends “drawer” by clicking on it in the bottom of your screen.

3. Threat Trends History
Speaking of threat trends and keyboard shortcuts, there’s a hidden shortcut within threat trends. By clicking on the left and right arrows, you can page through threat trends historically one week at a time.


4. Bulk Editing
You can edit multiple assets and vulnerabilities at a time using the bulk editing menu. To edit multiple assets or vulnerabilities at once, just select the ones you want to edit with the checkbox on the left side of the asset and vulnerability table. At the top right of the table you’ll see our bulk editor. For assets, you can set their priority score, add and remove tags, and mark them inactive or active. For vulnerabilities, you can create a Jira ticket (requires a Jira connector) or edit any custom fields. Didn’t know we had custom fields??

5. Custom Fields
In addition to tagging assets, you can create custom fields for vulnerabilities. To define a new custom field, click the gear icon in the upper right and choose Custom Fields, then click New Custom Field. Complete the form: name the field, provide an optional description, select the field data type (string, numeric, or date), and, if you’d like to filter your vulnerabilities on this field, check the faceted search box. Then save it.

Once you have defined your custom fields you can populate them on vulnerabilities either in bulk via the method above or on an individual vulnerability. To set a value for an individual vulnerability, click the vulnerability details arrow from the home screen and then click Edit on the right hand side of your screen. Assign your own creative values to your heart’s content.

6. Heads Up Display (HUD)
Our Heads Up Display is accessible from the home screen by clicking on the bar chart in the upper right corner. Opening up the HUD displays a breakdown of the CVSS metrics and subscores of the vulnerabilities currently under review. You can click on any of the values within the charts to filter your vulnerabilities by those values.


7. Compare Teams/Applications/Networks/BUs via Tagview
You can compare any set of assets side-by-side, along with their metadata, using the tag view within the dashboard. Want to compare multiple teams, different applications or even business units against each other? Within the dashboard select the Tag View tab and enter the tags of the assets you’d like to compare in the tag filter box. For easier comparison, you can select either stacked or grouped charts.


8. RBAC
You can restrict access in RIO using Role Based Access Control (RBAC). First you’ll need to create a role by clicking the gear in the upper right of your screen and selecting User Roles. Select New Role and complete the form: name the role, select whether the role will have read-only or read+write access, and enter the tag(s) of the assets this role will have access to. Then save the role. Note that scope follows the tags: changing an asset’s tags changes which roles can see it, so treat tag edits (including bulk tag edits) as access-control changes.

To assign a user to a role, click the gear in the upper right and select Users. You can edit an existing user or create a new one. In the user form, select the role from the Role drop-down and save. Done.

9. Search by IP Range
If you want to find assets by IP range, you can use the search box on the home screen. An example of a search query by IP range would be:

ip_address_locator:[10.0.0.0 TO 10.255.255.255]

This will produce a list of assets in your 10.0.0.0/8 network.

If you want to find all of your internal RFC 1918 assets, you can combine the three private ranges in one search (note that the 172.16.0.0/12 block runs through 172.31.255.255, not 172.16.255.255):

ip_address_locator:[10.0.0.0 TO 10.255.255.255] ip_address_locator:[192.168.0.0 TO 192.168.255.255] ip_address_locator:[172.16.0.0 TO 172.31.255.255]

You can also perform a negative search. For example, you could take the same search above and find any asset that does not have an RFC 1918 internal address by adding a ‘-’ in front of each key, like this:

-ip_address_locator:[10.0.0.0 TO 10.255.255.255] -ip_address_locator:[192.168.0.0 TO 192.168.255.255] -ip_address_locator:[172.16.0.0 TO 172.31.255.255]
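Computing the range boundaries instead of typing them avoids the classic off-by-a-block mistake (172.16.0.0/12 ends at 172.31.255.255, not 172.16.255.255). The Python below is an added example, not part of the Risk I/O product or its documentation: it builds the clauses shown above from CIDR notation and applies the same matching semantics locally (space-separated clauses OR together, as the RFC 1918 example above implies, and a leading `-` excludes a range) so you can sanity-check a query against a known asset list before trusting it. The field name `ip_address_locator` is taken from the post; the asset records are constructed sample data.

```python
"""Build and sanity-check Risk I/O-style IP range search clauses from CIDR blocks.

Added example; not Risk I/O code. The field name `ip_address_locator` is the
one shown in the post; the asset records below are constructed sample data.
"""
import ipaddress

FIELD = "ip_address_locator"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def range_clause(cidr, negate=False):
    """Return `field:[first TO last]` for one CIDR block, or `-field:[...]` to exclude it.

    Boundaries are computed from the prefix, so 172.16.0.0/12 correctly ends at
    172.31.255.255 (a hand-typed 172.16.255.255 would silently drop most of the /12).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    clause = f"{FIELD}:[{net.network_address} TO {net.broadcast_address}]"
    return ("-" if negate else "") + clause


def rfc1918_query(negate=False):
    """Space-separated clauses, in the shape of the post's RFC 1918 example."""
    return " ".join(range_clause(c, negate) for c in RFC1918)


def in_any(ip, cidrs):
    """True if `ip` falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def filter_assets(assets, cidrs=RFC1918, negate=False):
    """Apply the query semantics locally: clauses OR together, so an asset matches
    if it is in any range; with every clause negated, only assets in none of the
    ranges remain.
    """
    return [a for a in assets if in_any(a["ip"], cidrs) != negate]


if __name__ == "__main__":
    print(rfc1918_query())
    print(rfc1918_query(negate=True))
    sample = [{"name": "db01", "ip": "10.1.2.3"},          # constructed sample assets
              {"name": "web01", "ip": "203.0.113.10"},
              {"name": "jump", "ip": "172.31.255.254"}]
    print([a["name"] for a in filter_assets(sample)])               # internal only
    print([a["name"] for a in filter_assets(sample, negate=True)])  # external only
```

One general caveat when pasting the generated clauses into any search backend: whether a range over an address field compares numerically or as text depends on how that field is indexed. Spot-check a boundary address such as 10.9.0.1, which a string comparison would sort above 10.255.255.255 and wrongly exclude from the 10.0.0.0/8 clause, before relying on the result.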

10. Jira Ticketing
If you use Jira for trouble ticketing or bug tracking, you can send vulnerabilities to Jira for remediation directly from Risk I/O. You can send multiple vulnerabilities to a single Jira ticket using the bulk editor as described above. You can also send an individual vulnerability to Jira by opening the vulnerability’s details page and clicking the Create Jira Issue button in the right side panel. After you submit the issue, we persist the issue ID, assignee, due date and its status within the vulnerability details in Risk I/O.

11. RESTful API
Did you know we have a robust RESTful API? You can find the full documentation here: https://api.risk.io

Black Hat 2014 Recap: Actionable Takeaways from a Security Data Scientist

Posted on August 13, 2014 by in Data Science, Event, Industry, Vulnerability Intelligence

This is my second Black Hat conference, and the best one yet. Last year was full of gloom about all sorts of devices exploited, revelations about the NSA and uncertainty about what threat intelligence meant or how good it was. This year, from the keynote down to an obscure track at BSides which I participated in, the tone was much more optimistic.

Dan Geer’s keynote at Black Hat this year sounded more like a state of the union address than a speech about information security, and this is largely due to the fact that the quote/unquote cyber domain has now reached breadth and depth of such proportions that it might as well be its own political system.

His claim is that cybersecurity has reached critical mass—that our practice areas are being taken seriously outside of our domain—in Congress, across business units and governmental agencies. Sadly, though, he claims that the rate of technological change has made it impossible to keep up with every aspect of info sec; he says this time passed “about six years ago.”

I quote:

“When younger people ask my advice on what they should do or study to
make a career in cyber security, I can only advise specialization.
Those of us who were in the game early enough and who have managed
to retain an over-arching generalist knowledge can’t be replaced
very easily because while absorbing most new information most of
the time may have been possible when we began practice, no person
starting from scratch can do that now.”

I am one of those who has never had a grasp of the full field. I have known vulnerability management and only vulnerability management since I started applying techniques from operations research to the practice two years ago. And so, I want to sum up Black Hat in the only way I know how: from a math background, with takeaways about vulnerability management.

Why do I see a very bright future for vulnerability management from this year’s Black Hat? A few talks and trends:

1. The Keynote’s (Cyber)CDC suggestion (and the push to share data in general)

As a fundamental requirement for future information security best practices, Geer called for mandatory reporting for all types of vulnerabilities: not only for those with Internet-wide implications (like Heartbleed), but for all organizations, both large and small. Geer wants mandatory reporting to follow the model of the US Centers for Disease Control, where details of disease outbreaks beyond a specific threshold must be released to the general public.

“When you really get down to it, three capabilities describe the CDC and why they are as effective as they are: (1) mandatory reporting of communicable diseases, (2) stored data and the data analytic skill to distinguish a statistical anomaly from an outbreak, and (3) away teams to take charge of, say, the appearance of Ebola in Miami. Everything else is details. The most fundamental of these is the mandatory reporting of communicable diseases.”

The CDC is effective at stopping pandemics because they force mandatory disease reporting, have expert-away teams, and analyze historical data. Infosec experts should do the same. In fact, much of Risk I/O’s approach to vulnerability management is already exactly this – we collaborate with industry partners to gather information about attacks, breaches and exploits to create a central repository of data that we can then use to guide vulnerability strategy. If there were mandatory disclosures, we’d have much richer data, and on a larger scale. The methods by which we prioritize vulnerabilities would become much more powerful.

2. Alex Stamos on Lessons from his first 6 months as CISO at Yahoo

Alex’s talk did a really good job of characterizing what a security practice at scale means, which has been hard to pin down before. He suggests that scale for security really means a large amount of data, systems, and users, as well as a diversity of users and threat models. There is wisdom in this taxonomy, because of that very last part. A diversity of threat models, to me, means two things: a diversity of threat intelligence, coming from many different sources in order to capture as much of the reality of what’s happening out there as we can, and a diversity of ways to segment that data in order to defend against script kiddies or more advanced attackers.

Alex’s talk was about overcoming “security nihilism,” which is exactly what I referred to in my Black Hat preview when I suggested we should ignore the new “sexy” vulnerabilities coming out. Just because we see hundreds of new devices exploited at Black Hat every year doesn’t mean there isn’t hope! Attackers change their tactics daily, but for the most part they rely on exploits that have been around for years and are easily weaponized. If we can focus on stopping this massive share of attacks, we’ll achieve much better security.

3. The Ground Truth Track at BSidesLV (and the attendance numbers!)

The Ground Truth track was all about math and machine learning in info sec, and I invite you to check out the videos on YouTube. The material is technical and applied to various segments of the practice. This might sound like a bit of shameless self-promotion since I spoke at this track myself, but more than the content, I was impressed with the attendance numbers. The room was packed the entire day, which means folks are paying attention to mathematical models, machine learning, and data-driven approaches to security. The golden age is upon us! Of course, we have a lot more work coming up: with more and better data comes the task of incorporating it into our models, and with more models comes the even more difficult task of determining which are the correct ways to do it.

An important moment for me in the keynote was when Dan Geer said, “For every complex problem there is a solution that is clear, simple, and wrong.” Let’s make sure our solutions stay away from there. Stay tuned for new models and data analysis in the coming weeks!

There’s No Such Thing As a Cool Vulnerability

Posted on July 31, 2014 by in Data Science, Event, Industry, Security Management, Threats and Attacks

If you work in vulnerability management, all the vulnerabilities you’ll hear about at Black Hat are irrelevant. Every year at Black Hat and DEF CON, new vulnerabilities get released, explained and demoed. This year, you’ll see everything from remote car hacks to hotel room takeovers to virtual desktop attacks to Google Glass hacks. But once you get back home, don’t let the hype get you. It might be months before the code is weaponized, attacks will still go after the old, reliable vulnerabilities, and chances are you will have enough security debt to keep your head down anyhow. This is not to say that you shouldn’t go see a talk about hardware-level vulnerabilities in the Nest thermostat. It’s interesting. I own a Nest. Go see it.

But when you get back, get back to what matters. In reality, attackers seem to care about efficiency just as much as you ought to. The data shows that attackers shift tactics over time…a lot. Below is a gif of a small sample (the past 3 months, in week-by-week snapshots) of attacks and breaches we’ve recorded at Risk I/O, grouped by CVE (attacks are grouped by WASC category). The x-axis is the number of breaches during the week; the y-axis is the week-over-week change.


You can take a closer look at the technical details by signing up for a trial of Risk I/O (this feature is currently in beta, but will be released shortly). More important than these details is the fact that breaches shift wildly week over week, both in variety and in volume. In fact, the vast majority of breaches occur on CVEs published 10 years ago. What this means for us is that the newness of a vulnerability—or the hype assigned to it—is irrelevant. Getting a handle on attackers’ behavior is the only way to know which vulnerabilities matter.

So, given this mindset, which talks am I excited for?

1. Building Safe Systems at Scale: Lessons from Six Months at Yahoo! by Alex Stamos

Alex will detail his first six months as the CISO of Yahoo. He’ll review the impact of the government surveillance revelations on how Yahoo designs and builds hundreds of products across dozens of markets. The talk includes discussion of the challenges Yahoo faced in deploying several major security initiatives and useful lessons for both Internet companies and the security industry from his experience.

2. Epidemiology of Software Vulnerabilities by Kymberlee Price and Jake Kouns

This talk will discuss the proliferation of vulnerabilities through third-party libraries. It’ll use vulnerability data to explore the source and spread of these vulnerabilities through products, as well as actions the security research community and enterprise customers can take to address this problem.

3. Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring by Alex Pinto

The presentation will describe the techniques and feature sets that Alex developed in the past year as part of his ongoing research project on the subject. In particular, he’ll present some interesting results obtained since his last presentation at Black Hat USA 2013, and some ideas that could improve the application of machine learning in information security, especially as a helper for security analysts in incident detection and response. The techniques should be applicable to many types of infosec analytics.

Stay tuned for my recap in case you can’t attend or were busy doing other things in Vegas!

Risk I/O Needs YOU

Posted on July 30, 2014 by in Risk I/O

At Risk I/O our number one goal is making the web and our customers safer by using real-world data to drive security decisions. We work hard to collect information across the Internet that can act as a “neighborhood watch” for our customers. Because we believe our work is critically important, we look for people that are equally as passionate about what they do and how they do it.

Everyone these days talks about how they’re going to “change the world,” but truthfully this just seems like something companies say. We, like many, offer a number of benefits while working at Risk I/O. Make no mistake that these are important and ultimately help define the culture… but you have to believe what you’re building makes a difference, as everything else can easily be replaced by the next recruiter to hit you up on LinkedIn or Twitter.

We are a data-driven company in everything that we do. Whether it’s solving complex security issues for our customers, prioritizing a product roadmap or just figuring out when’s the best time to hold a stand-up, we use data to help make informed decisions. We won’t hesitate to kill a feature that isn’t proven to be valuable by our customers.

Because we believe that what everyone is working on is valuable, you won’t find yourself toiling away on an internal project that never sees the light of day. If you’re an engineer, we guarantee your code will make its way into production, often in your very first week. We value feedback and openness. Contributing back via charity and open source is important to us and our team, as is evident with projects like slackr, bouncer and others.

As a culture, we love working with smart people but humility is equally important. The “no rockstars” rule is an important one. We work very closely together but can also be geographically distributed. We have offices in Chicago and San Francisco but we also have a guy who lives in an Airstream. As important as our work is to us, we try to make it fun. Whether it’s hardware hacking on our newest kegbot, bringing your dog along to work or just going out with co-workers after work, we believe these are all important parts of “the job”.

Other perks that help include unlimited paid time off, medical, dental and vision coverage, 401K (coming soon), free unlimited bike sharing service in Chicago and SF, oh, and did I mention that kegbot is making its way to the office?

I wrote this post with an interest in finding like minded people to help our cause. If this is you… we’re hiring. Our current needs include engineers, designers and sales but we’re always on the look out for great talent. Thanks for taking the time to read this and I hope you join us.

QualysGuard Connector: Now With WAS Inside

Posted on July 28, 2014 by in DAST, Feature Release, Network Scanners, Risk I/O, Vulnerability Management

At Risk I/O, we’re always striving to ensure our integrations are seamless and complete. Risk I/O is happy to announce that as of today, our QualysGuard connector has expanded to pull in results from your Qualys VM and Qualys WAS scans.

What does this mean for you? If you are a Risk I/O user with a Qualys connector, you’ll see both VM and WAS scanner results in your QualysGuard connector results if the user you configured your connector with has access in Qualys to those results. If you’d like to begin pulling in your Qualys Web Application Scan results, ensure the user in your connector configuration has access to those results within your QualysGuard portal.

If you have any questions or need assistance, you can reach out to the Risk I/O team at support@risk.io.

And if you use the Qualys scanner but haven’t tried out Risk I/O, you can sign up for a 30-day free trial. All trials include the ability to sync data with our vulnerability threat management platform from a list of over 20 security tools, including Qualys.

Announcing Our Latest Integration: Beyond Security

Posted on June 5, 2014 by in Network Scanners, Risk I/O, Static Analysis, Vulnerability Assessment


At Risk I/O, we’ve always made it our mission to integrate with the scanner tools used most. That’s why we’ve added integration with the BeyondSecurity AVDS web scanner to our vulnerability threat management platform.

With the new BeyondSecurity AVDS connector, you can discover and eliminate your network’s most serious security weaknesses. Simply sync your scan data via our new connector and Risk I/O will continuously process it against active threats from our threat processing engine. Risk meters can be used to pinpoint your exposure to active Internet attacks and breaches and to prioritize the vulnerabilities putting you at greatest risk.

Setting up your BeyondSecurity AVDS connector in Risk I/O, like our other connectors, is easy and simply requires adding it to your instance through the Connectors tab. Not a Risk I/O customer but would like to try out the integration? Sign up for a free account and sync your scan data now.

Heartbleed Is Not A Big Deal?

Posted on April 17, 2014 by in Cyber Attacks, Data Analysis, Threats and Attacks, Vulnerability Management

As of this morning we have observed 224 breaches related to CVE-2014-0160, the Heartbleed vulnerability. More than enough has been said about the technical details of the vulnerability, and our own Ryan Huber covered the details a few days ago. I want to talk about the vulnerability management implications of Heartbleed, because they are both terrifying and telling.

The Common Vulnerability Scoring System ranks CVE-2014-0160 as a 5.0/10.0. A good observer will note that the National Vulnerability Database is not all that comfortable with ranking the vulnerability that broke the internet a 5/10. In fact, unlike any other vulnerability in the system we’ve seen, there is an “addendum” in red text:

 “CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.”

So what does this mean for your organization? How should you prioritize the remediation of Heartbleed versus other vulnerabilities? NVD’s answer is “think about what can be stolen.” The problem is that the published number never moves: the CVSS temporal metrics (exploit availability, remediation level, report confidence) can only lower the base score, and while the environmental metrics (collateral damage potential, security requirements) can raise it, they are scored by each organization for its own environment and never appear in NVD. So for anyone comparing CVSS scores across vulnerabilities, we’re still stuck at a 5. Why?

CVSS is failing to take into account quite a few factors:

1. It’s a target of opportunity for attackers:

The number of sites affected by the vulnerability is unfathomable, with broad estimates between 30% and 70% of the Internet.

2. It’s being actively and successfully exploited on the Internet:

We are logging about 20 breaches every few hours, and the rate of incoming breaches is increasing: on April 10th we were seeing 1-2 breaches an hour. Keep in mind this is just from the 30,000 businesses that we monitor, not 70% of the Internet.

3. It’s easy to exploit:

There is a Metasploit module, and exploit code is available on Exploit-DB.

We already knew heartbleed was a big deal – this data isn’t changing anyone’s mind. The interesting bit, is that Heartbleed is not the only vulnerability to follow such a pattern. Of all the breached vulnerabilities in our database, Heartbleed is the fifth most breached (that is, most instances recorded) with a CVSS score of 5 or less.

The others that CVSS is missing the boat on, in order of descending breach volume, are:

1. CVE-2001-0540 - Score: 5.0

2. CVE-2012-0152 - Score: 4.3

3. CVE-2006-0003 - Score: 5.1

4. CVE-2013-2423 - Score: 4.3

Two of these are Terminal Services (RDP) denial-of-service flaws, and two are remote code executions. The common thread is that all of them have a network access vector and require no authentication, all have exploits available, all affect a large number of systems, and all are currently being breached.

Heartbleed IS a big deal. But it’s not the only one – there are plenty of vulnerabilities which have received less press and are buried deep within the PCI requirements or CVSS-based prioritization strategies which are causing breaches, today. It’s important to check threat intelligence feeds for what’s being actively exploited, to think like an attacker and to have the same information an attacker has.

It’s also important to learn a lesson from this past week: while the press took care of this one, it won’t take care of a remote code execution on the specific version of Windows that your organization happens to be running. Just don’t say it’s not a big deal when a breach occurs on a CVSS 4.3. You’ve been warned.

The More You Know… (Heartbleed Edition)

Posted on April 9, 2014 by in Cyber Attacks, Industry, Risk I/O, Threats and Attacks, Vulnerability Management

Yesterday, the information security community was made aware of a critical vulnerability in some versions of OpenSSL, one of the most commonly used software “libraries” for secure Internet communications. When your web browser is connected via HTTPS (your less tech-savvy friends might refer to it as the “lock icon”), there is a high probability that OpenSSL is involved in your communication with that website. It is the job of software like OpenSSL to ensure that your communications are unreadable and unmodifiable by anyone who might be listening in, which is especially important for communication of sensitive data.

It is important to note that this vulnerability affects nearly everyone, from small businesses to internet giants. I won’t go deep into the technical details of how the vulnerability works, which can be found at http://heartbleed.com/, but will instead talk about its impact and the steps Risk I/O is taking to keep your data safe.

In simplified terms, TLS/SSL secure communication requires a server to have a certificate and a private key. When your web browser connects to a server, it is given the certificate, which contains the server’s public key (a “one-way” key: anyone can use it to encrypt, but only the holder of the matching private key can decrypt). The certificate is used to verify that the server is who it claims to be, and the public key is used to send messages that can only be read by someone with the server’s private key. An important point here is that even a legitimate client/user of the website should never be able to access the private key. For communication to remain secure, the private key must NEVER be readable by anyone except the server.

When a web server is started, it loads the private key into memory so it can reference the key whenever it needs to send or receive a message. The vulnerability, CVE-2014-0160 or “Heartbleed,” allows an attacker to read (somewhat random) portions of the server’s memory in chunks of up to 64 KB. See where this is going? The private key is the most important thing protecting communication, and the vulnerability lets anyone read slices of data right out of the server’s memory, which means that with enough tries an attacker can piece together sensitive contents, including the prized private key.
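The mechanism behind that memory read is a missing length check, and it is small enough to model. The Python below is an added example and a simplified, constructed model of TLS heartbeat handling, not OpenSSL code: a bytearray stands in for the server’s process memory, with the heartbeat record at the start and a constructed fake private key placed right after it as the adjacent memory the attacker should never see. The vulnerable handler trusts the attacker-declared payload length; the fixed handler mirrors the structure of the published fix by rejecting any declared length that does not fit inside the record actually received.

```python
"""Model of the Heartbleed missing length check, as an added example.

Simplified, constructed model of TLS heartbeat handling; not OpenSSL code.
`memory` stands in for the server heap: the heartbeat record sits at offset 0
and whatever follows it (here a constructed fake key) is adjacent memory.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16            # heartbeat messages carry at least 16 bytes of padding

# Constructed sensitive data placed directly after the record in "memory".
SECRET = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder, not a real key)"


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode type(1) | payload_length(2, big-endian) | payload | padding(16).

    `declared_len` lets the sender lie about the payload length, as the attack does.
    """
    n = len(payload) if declared_len is None else declared_len
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", n) + payload + b"\x00" * PADDING_LEN


def _response(memory: bytearray, declared_len: int) -> bytes:
    """Echo `declared_len` bytes starting at the payload, as the server does."""
    payload = bytes(memory[3:3 + declared_len])
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", declared_len) + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(memory: bytearray, record_len: int) -> bytes:
    """Unpatched behaviour: `record_len` (the size actually received) is never
    consulted, so a declared length larger than the record copies adjacent memory."""
    (declared_len,) = struct.unpack(">H", memory[1:3])
    return _response(memory, declared_len)


def respond_fixed(memory: bytearray, record_len: int) -> Optional[bytes]:
    """Patched behaviour, mirroring the structure of the published fix: discard any
    record too short to hold header plus padding, then discard any declared payload
    length that does not fit inside the record actually received."""
    if 1 + 2 + PADDING_LEN > record_len:
        return None                                 # silently discard
    (declared_len,) = struct.unpack(">H", memory[1:3])
    if 1 + 2 + declared_len + PADDING_LEN > record_len:
        return None                                 # silently discard
    return _response(memory, declared_len)


def make_memory(record: bytes) -> bytearray:
    """Constructed heap: the record, then the secret immediately after it."""
    return bytearray(record + SECRET)


def attack_demo() -> dict:
    honest = build_heartbeat(b"ping")
    # Lie by exactly enough to drag the padding and the whole secret into the echo.
    lying = build_heartbeat(b"ping", declared_len=len(b"ping") + PADDING_LEN + len(SECRET))
    mem_h, mem_l = make_memory(honest), make_memory(lying)
    return {
        "honest_vulnerable": respond_vulnerable(mem_h, len(honest)),
        "honest_fixed": respond_fixed(mem_h, len(honest)),
        "lying_vulnerable": respond_vulnerable(mem_l, len(lying)),
        "lying_fixed": respond_fixed(mem_l, len(lying)),
    }


if __name__ == "__main__":
    results = attack_demo()
    print("honest request, both handlers echo 'ping':",
          results["honest_vulnerable"] == results["honest_fixed"])
    print("lying request, vulnerable handler leaks the key:",
          b"PRIVATE KEY" in results["lying_vulnerable"])
    print("lying request, fixed handler answers:", results["lying_fixed"])
```

The honest request is answered identically by both handlers, which is why the bug went unnoticed in normal use; only the lying request separates them. Real exploitation repeats the lying request many times against a live heap, which is where the “somewhat random” 64 KB slices in the paragraph above come from.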

As security practitioners ourselves, we have been working to mitigate the impact of this vulnerability. Our external load balancer software has been upgraded with the latest version of OpenSSL, which has fixed the bug. Unfortunately, because there is no way to detect whether the vulnerability has been used to steal private key information, we have also taken the step of revoking our old certificates and creating new private keys for https://www.risk.io. This change was made without user impact, and ensures that if a third party did gain access to our private key, they cannot use it to intercept or modify communications between Risk I/O and our users.

We monitor all communication in and out of our infrastructure, and we have no reason to believe any user data was intercepted during the short window where we were vulnerable. That said, and in the interest of being proactive, we will begin requiring our users to change their password when they next log into Risk I/O.

In summary, this vulnerability sucked. Seriously sucked. The long term impact of CVE-2014-0160 remains unclear, but the prompt response from security-focused organizations has likely done a lot to mitigate what could have been a much more serious issue.

On Physical Security

Posted on March 31, 2014 by in Industry, Open Source, Remediation, Security Management, Threats and Attacks

Our mission at Risk I/O is to help businesses understand threats to their infrastructure, but as security practitioners we are interested in many forms of security, including physical. This blog post concerns something of particular interest to me, securing my office and a nearly successful theft, which was thwarted by a bit of hobbyist tech.

Risk I/O is an emerging tech company, and some of us work from home from time to time. I don’t have a car, so the garage is where I decided to set up my office. Because there would be some potentially valuable equipment (monitors/etc) in the garage, and because of my infosec background, physical security was an early consideration.

A quick YouTube search will show you how easy it is to open most automatic garage door systems with just a coat hanger. The technique involves making a hook on one end of the hanger, pushing it into the gap between the door and the top of the frame, and grabbing the emergency release. Bam, they’re in. The fix (née: remediation) here turns out to be pretty simple. Wrap a zip tie around the emergency release, which the hanger won’t have enough leverage to break. The emergency release still works as intended, just requiring a firmer pull.

The door opener itself is a relatively modern LiftMaster, which utilizes a rolling code system. This rolling code prevents potential thieves from monitoring the radio signal and replaying it to open the door. This is a good first step, but considering garage theft is relatively common, I became interested in thwarting more types of attack.

Thanks to a retired KegBot, I had a few Arduinos and Raspberry Pis at my disposal. These made a great platform to throw some tech at the problem. I ordered some simple door sensors, a PIR motion sensor, and a relay that could be used to open or close the door. Total cost (including the Arduino/Pi/misc) was about $75. After a few hours of coding, I had a mostly functional system that could detect whether the door was open, whether something was moving inside the garage, and open the door. The project code and some basic info is freely available on GitHub: https://github.com/rawdigits/garage-io.

Fast forward a year and I have been using this homemade garage system daily. My iPhone acts as the primary method of opening or closing the door. The security features seemed like an interesting bit of learning, but I assumed they would never be put to the test. A few weeks ago, they were!

At 4am on February 14th someone was able to activate the automatic door, which, by design, sets my iPhone into a frenzy. My first thought was “wow, there is some bug in my code and having it wake me up at 4am sucks.” I opened the URL for the garage camera on my phone and sure enough the door was wide open! There was no one visible, so I immediately ran out to see what might have happened. San Francisco was asleep and there was no one around. Maybe it was a bug after all? I did a quick inventory and decided nothing was missing, but decided to check still images captured by the camera.

Here are a few of those images:

I never actually saw the thieves, but I think they must have been waiting around a corner waiting for the automatic light to turn off before pilfering the garage.

The next step was incident response. How the hell did they get in? In my initial assessment, I hadn’t noticed the wires that split off from the physical button inside the garage and ended up at a “key switch”. This 40-year-old key switch uses a three-tumbler lock that, when turned, is the same as pressing the button. A closer look revealed that it was so worn out that you didn’t even need the proper key to turn it. Facepalm.

The moral of this story is that you should play with Arduinos and Raspberry Pis, because it will pay off in not having some valuable items stolen.  (Ok, perhaps that’s a bit far fetched, but if you have the time, they are really fun.)

The real takeaway here is that security is hard, and there is no such thing as perfect security. Despite your best efforts there are often a number of variables at play, which might be overlooked. Monitoring is sometimes viewed as low priority, but as in cases like this, it may just save you from a devastating breach.

P.S. I later learned that these thieves were successful in stealing from over 20 garages in the neighborhood over a one week period. Hopefully mine will continue to elude them and any future attackers.

A Simplified Interface, Perimeter Scanning & A Free Risk Profile (Oh My!)

Posted on March 11, 2014 by in Feature Release, Launch, Remediation, Risk I/O, RiskDB, Threats and Attacks, Vulnerability Assessment, Vulnerability Intelligence, Vulnerability Management

The Risk I/O Team is excited to announce the latest release of our vulnerability threat management platform. In this release, we’ve updated the user interface, and made vulnerability scanning available for perimeters too. You can also now create a free risk profile on any technology.

The latest release of our platform includes:
Simplified User Interface - As you may have noticed, we recently announced our new and completely streamlined interface. In this updated interface, you now have all of your assets, vulnerabilities and patches in a single searchable and filterable view. This makes it dead simple to identify the issues that are most likely to be the cause of a breach and how to quickly address them. Each patch is listed in a “bang for your buck” order based on risk reduction.

Bundled Perimeter Scan – Need to understand your likelihood of a breach in your perimeter, but lack a vulnerability scanner? Risk I/O now bundles a perimeter scan with the service, allowing you to understand your vulnerability and threat risks in real-time. Vulnerability data from the perimeter scan is also synced with Risk I/O’s threat processing engine. Powered by Qualys, the perimeter scan can be up-and-running within minutes, so you can start gaining visibility immediately.
Free Technology Risk Profile – Leveraging scoring technology from our Risk Meter and threat processing, we now offer a free risk profile on any technology. Simply search for a technology and find out its risk score and known vulnerabilities. This is available in our recently updated RiskDB, a free, centralized, and open repository of security vulnerabilities sourced from vulnerability databases. We’ll be continuing to expand RiskDB in order to offer even more insight, so check back often!

Take the new-and-improved Risk I/O for a spin today to better understand your security risk and prioritize what’s important. We think you’ll appreciate the time it saves your vulnerability assessment and remediation. If you don’t already have a Risk I/O account, you can create one for free.