Posted by: Jeromie Jackson
credit union, CU, cuispa, CUNA, metasploit, ncua, pentest, rapid7
Credit Union security practitioners leverage Rapid7 to provoke a reaction at the board level. Compromised credit cards, remote command-and-control over an ERP system, and administrative access to the payroll database make for a much more compelling discussion than a count of the vulnerabilities found in the environment. Hypothetical issues do not obtain budget.
Credit Unions are required to adhere to stringent security regulations. Delivery of superior security and risk management is often squelched, however, by small budgets, lean staffing, and technical jargon. Most credit unions already have vulnerability assessment budgets in place. By leveraging the Rapid7 software suite, credit union security practitioners are able to bring transparency to the current state of security affairs.
I am sure you have experienced the difference it makes when you speak to someone with their paradigm in mind and with a good story. There is a very different reaction when I tell a client that a given machine is infected and susceptible to attack than when I hand the executive their recent tax paperwork and a copy of their customer database. Putting business context into a security conversation makes the discussion relevant to non-technical peers.
Rapid7 acquired the open-source Metasploit security framework in October 2009. Since then, integration between the vulnerability scanning application Nexpose and Metasploit has been bridged, allowing someone to pivot from a vulnerability straight to a pre-loaded exploit page leveraging Metasploit. In April 2010 Rapid7 released Metasploit Express, providing a clean graphical interface over an application that had come from a command-line background. This definitely brought penetration testing mainstream. In July 2010 Rapid7 announced sponsorship of W3af, a strong web application assessment tool, while hiring the founder of the project, Andrés Riancho. They seem to be acquiring talent and exceptional projects that have large existing install bases: not a bad business strategy, in my humble opinion.
Being able not simply to identify vulnerabilities, but to attack, compromise, and collect intellectual property from those assets generates a much stronger response from executives. Security is important. Executives quickly turn a deaf ear to technical jargon. The ability to demonstrate compromise, as opposed to commenting on vulnerabilities, is a game-changer for credit union security practitioners.