Nov 16 2011 5:42PM GMT
Posted by: Michael S. Mimoso
PCI Special Interest Groups,
PCI Cloud SIG,
PCI ECommerce Security SIG,
PCI Risk Assessment SIG
The PCI Security Standards Council announced the latest slate of special interest groups that it will prioritize next year. Merchants, financial institutions, service providers and others voted on a variety of potential SIGs before settling on cloud, ecommerce security and risk assessment.
This is the first time SIG selection was put to a vote, and more than 500 were cast, close to a quarter of the SSC’s participating organizations, said Jeremy King, European director of the PCI SSC, who added that one-third of the votes cast came from outside North America.
PCI SIGs are essentially forums for feedback on topics that are ultimately turned into guidance for interpreting and implementing existing or new mandates to the standard, the SSC said in a release. This year, the SSC released guidance on tokenization, point-to-point encryption and virtualization.
SIGs are made up of merchants, payment processors and qualified security assessors. SIGs must complete their efforts and deliver a guidance document within one year.
This year, voters had seven potential SIGs to choose from, and were asked to select a top three. The seven, according to the Storefront BackTalk blog, were: administrative access to systems and devices; how to write a risk assessment; patch management; ecommerce guidelines; PCI in the cloud; small business and PCI; and managing hosted service providers.
Nov 3 2011 1:49PM GMT
Posted by: admin
cyberespionage,
RSA SecurID,
china,
Russia,
Congress
According to a U.S. intelligence report made available to Congress, foreign nations and other actors are using cyberespionage to take sensitive technology and trade data, and those actions pose a threat to American interests.
Reuters reported Thursday that in a report titled “Foreign Spies Stealing US Economic Secrets in Cyberspace,” the Office of the National Counterintelligence confirmed that foreign intelligence services, corporations and individuals have increased their efforts to take research and development data relating to U.S. technologies. These efforts include remote data downloads, transferring data to portable devices and via email.
The report, covering 2009-2001, was developed using data from intelligence agencies, think tanks, academia and what it called “private sector” resources. It referred to numerous sources being involved in cyberespionage against U.S. interests, but called out only Russia and China by name.
Though the report failed to link China to specific events, such as the RSA SecurID attack earlier this year, it represents a tacit acknowledgment that China’s involvement in cyberespionage represents a serious ongoing problem for U.S. companies.
“Chinese actors are the world’s most active and persistent perpetrators of economic espionage,” the Office of the National Counterintelligence wrote in the report. “China and Russia view themselves as strategic competitors of the United States and are the most aggressive collectors of U.S. economic information and technology.”
Nov 2 2011 1:38PM GMT
Posted by: Michael S. Mimoso
Secunia,
Secunia Vulnerability Coordination Reward Program,
bug bounty,
vulnerability management
Another day, another vulnerability reporting reward program. Kinda.
Secunia, a vulnerability management vendor from Denmark, is the latest to join the bounty brigade, but it is bringing its spin to the market. Secunia’s new Secunia Vulnerability Coordination Reward Program is another platform for researchers to report software security flaws, but Secunia goes a step further and offers to handle the reporting process to the affected vendor. Software vendors have varied and sundry reporting processes and Secunia hopes to help researchers skip the hassle, according to Carsten Eiram, chief security specialist at Secunia.
“Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate,” he wrote in a release from the company. “This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.”
TippingPoint’s Zero Day Initiative (ZDI) and VeriSign’s iDefense Labs Vulnerability Contributor Program are probably the best known bug-bounty programs offered by security companies. Google, Microsoft and Mozilla also have their own twists on bug bounties. ZDI, for example, pays researchers for previously unpatched bugs and then develops signatures for its intrusion prevention products to give its customers first crack at protection. It also works with the affected vendor, and once a patch is ready, a joint advisory on the vulnerability is prepared.
Secunia says it will provide detailed information on vulnerabilities to the affected vendors and will participate in the patch process by providing feedback on fixes and confirming patches resolve the issue in question. Secunia hopes to establish itself as a trusted, independent third party in the vulnerability remediation process. In addition, the company says it will not notify its customers in advance as ZDI would. Instead, a public advisory would be the first notification of a vulnerability.
Secunia has established certain conditions for vulnerabilities to be considered: the vulnerability must not already be publicly known, and it must have been found in a stable product, in the latest version that is actively supported by the vendor. Secunia’s research team must also be able to confirm the vulnerability.
Secunia said its rewards will include merchandise and accommodations and entry into major security conferences.
Nov 1 2011 11:11PM GMT
Posted by: Marcia Savage
Security researchers said Tuesday the Duqu Trojan used a Word document that exploits a Microsoft zero-day vulnerability in order to infect computers. Microsoft said it’s working to address the flaw.
Researchers at the Laboratory of Cryptography and System Security (CrySys) in Budapest, Hungary, uncovered the installer file, the Word document, which Symantec researchers said exploits a previously unknown kernel vulnerability. Symantec issued a report last month that detailed the similarities between Duqu and the notorious Stuxnet malware. Designed to steal data, Duqu was discovered on the systems of industrial component manufacturers.
In an email statement, Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing, said, “Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.”
According to Symantec, the Word document was designed to target specific organizations. Symantec researchers noted that this installer is the only one recovered to date; attackers may have used other methods to spread Duqu. There are no robust workarounds but most security vendors already detect and block the main Duqu files, Symantec said in a blog post Tuesday.
The number of confirmed Duqu infections remains limited, but infections have been confirmed in six possible organizations in eight countries, including France, India and Iran, according to Symantec.
According to Reuters, computer investigators in India have seized the computer equipment believed to have hosted the command-and-control server connected to Duqu.
Nov 1 2011 1:37PM GMT
Posted by: Robert Westervelt
malware,
Duqu,
Stuxnet
Computer equipment from a data center in Mumbai has been seized as part of an investigation into the Duqu Trojan, which shares code with the notorious Stuxnet worm.
Reuters has reported that computer investigators in India have seized the computer equipment that is believed to have hosted the command-and-control server connected to the Duqu Trojan.
Investigators from India’s Department of Information Technology traced the malware communications to a server at a web-hosting company called Web Werks, according to two workers at the firm. The investigators took several hard drives and other components from a server, Reuters said.
Symantec Corp. issued a report last month detailing how the Duqu Trojan is closely linked to the Stuxnet worm. The authors of the malware are believed to have had access to the Stuxnet source code. Unlike Stuxnet, which is intended to seek out Siemens supervisory control and data acquisition (SCADA) software and disrupt industrial processes, Duqu was designed to steal data. Duqu was discovered on the systems of industrial component manufacturers.
Once a system is infected with Duqu, additional malware is downloaded to record keystrokes and steal other details about the infected system. It can take screenshots, record network information and explore files on all drives, including removable drives.
Security researchers don’t know how the malware spreads. They are seeking the installer, which will yield clues as to how systems are initially infected. Currently, antivirus and antimalware engines can detect the Trojan.
The Dell SecureWorks Counter Threat Unit issued a Duqu report last week calling much of the early Duqu analysis “pure speculation.” Many of the techniques used by Duqu share characteristics with Stuxnet, but they have also been used in other unrelated malware, the CTU research team said. Still, Symantec said its binary analysis of the Duqu code concluded that the two pieces of malware share the same code base.
Oct 27 2011 1:44PM GMT
Posted by: Robert Westervelt
cyberattacks,
cyberespionage,
cyberwarfare
Two U.S. government satellites came under attack four times in 2007 and 2008, according to a Bloomberg report.
Technologies designed to disrupt satellite communications are becoming more sophisticated and a dangerous threat to national security, according to a congressional commission that reviews U.S.-China relations.
In fact, two U.S. government satellites were attacked four times in 2007 and 2008 through a ground station in Norway, according to a Bloomberg report, which cites information from a draft report expected to be issued next month by the U.S.-China Economic Review Commission.
According to Bloomberg, a Landsat-7 earth observation satellite system experienced 12 or more minutes of interference in October 2007 and July 2008. Hackers also interfered with a Terra AM-1 earth observation satellite twice, for two minutes in June 2008 and nine minutes in October that year, the draft says, citing a closed-door U.S. Air Force briefing.
Chinese officials have denied any role in computer attacks.
A 2009 report highlighted the rapid development of new cyber weapons and the growing need for cybersecurity to protect critical infrastructure. It found that Chinese researchers are working on a variety of radio frequency weapons that could potentially disrupt satellite communications. The goal is to develop sophisticated jamming systems and anti-satellite (ASAT) weapons to disrupt reconnaissance operations.
“In 2007, China successfully tested a direct ascent ASAT weapon that used a kinetic kill vehicle to destroy an aging Chinese weather satellite and in 2006, the US military accused the Chinese of using a laser dazzling weapon that temporarily blinded a reconnaissance satellite.”
SearchSecurity recently interviewed Tony Sager, chief operating officer of the Information Assurance Directorate at the NSA, about cyberwarfare. Sager said nation-states are still working out the complicated rules of engagement in cyberspace. Cyberwarfare is a reality and organizations should prepare for disruptions, he said. But Sager added that any catastrophic cyberattack would be disruptive worldwide, including to the systems used by the adversary, making the chances of a digital Pearl Harbor very slim.
“We’re all using this resource that we call the Internet and we all have a vested interest in keeping it alive,” Sager told SearchSecurity.com earlier this month. “There are a lot of norms of behavior that have not been established yet….It took many, many years to establish things like what constitutes acceptable behavior between nations around physical borders and those are simple compared to cyberspace.”
Oct 20 2011 7:16PM GMT
Posted by: Robert Westervelt
government security,
federal cybersecurity
Mark Weatherford will focus on cybersecurity operations and communications resilience at the Department of Homeland Security.
Mark Weatherford, vice president and CSO at the North American Electric Reliability Corporation (NERC), has been appointed to the position of Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate at the Department of Homeland Security.
The appointment was announced by DHS Secretary Janet Napolitano today, and is effective mid-November. The newly created position will focus on cybersecurity operations and communications at DHS. Cybersecurity leadership at DHS has undergone some changes of late. Philip Reitinger resigned in May to take the position of CISO at Sony.
Weatherford took on the CSO role at NERC in 2010, shortly after the Stuxnet worm surfaced. He is said to have bolstered information sharing there. He started a “Malware Tiger Team” to share accurate and usable Stuxnet-related information among facilities.
He also called for more rugged software in the wake of Stuxnet, after it was discovered that the malware targeted four Microsoft zero-day vulnerabilities.
An Information Security magazine Security 7 Award winner, Weatherford was previously director and CISO of the state of California. He also spent six years as the CISO of the state of Colorado. He developed a Data Governance Working Group that defined the data security lifecycle for state agencies. Weatherford also formalized the state’s vulnerability management program to address Web application security issues.
In an essay he wrote for Information Security, Weatherford said that strategic planning often falls short in the security industry.
“We haven’t devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I’ve done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO.”
Data governance and classification
In a video interview, Weatherford, who was CISO of California’s Office of Information Security and Privacy Protection, gave advice on the importance of data governance and classification.
“The fact that data is ubiquitous and resides everywhere means that you have to know where it is and what systems it resides on,” Weatherford told SearchFinancialSecurity in 2009. “An asset inventory is critical to knowing where the different types of data reside within your organization.”
Identifying assets is doable, he said, adding that business and IT need to work together to identify the most critical data that needs to be protected. The business people own the process and should be engaged and working with security professionals in order for data classification projects to be successful.
Oct 18 2011 1:49PM GMT
Posted by: Robert Westervelt
Information Security Threats,
threat intelligence,
Security Vendor News,
authentication,
Symantec
Move is part of an industry trend that turns threat intelligence data into actionable information.
Symantec is bolstering its DeepSight service and integrating its VeriSign acquisition.
The company recently announced its new Intelligent Authentication platform, which addresses secure access to web-based applications and services. Symantec is also releasing new feeds for its DeepSight Threat Management system, improving the platform’s ability to block known malicious IPs and website URLs.
The Symantec VIP Intelligent Authentication service is a rebranding of the VeriSign authentication business Symantec acquired last year for $1.28 billion. Symantec is integrating the VeriSign services to offer cloud-based authentication for Web-based applications and remote access via mobile devices.
VIP Intelligent Authentication gives Symantec customers the ability to provide two-factor authentication and to monitor devices, scoring them based on their reputation and user behavior. The system works by using the VeriSign reputation database to assign a risk score to devices. Companies can set policies that issue an additional challenge to high-risk devices, either via an SMS text message, email or phone call.
Analysts said VeriSign’s cloud-based strong authentication is a mature service. The company anticipated the need for the authentication services long before its competitors.
Symantec’s beefed-up DeepSight Threat Management service now has IP reputation and URL reputation data feeds. The XML feeds enable companies to use them in Web security gateways and other incident management systems to blacklist up to 100,000 malicious IP addresses and thousands of known malicious websites. The company is following one of its chief competitors, RSA, which announced in August that it was adding malicious domain feeds to its CyberCrime Intelligence Service.
“This helps customers stay ahead of cybercriminals in a way that doesn’t burden their internal security teams,” said David Doroson, director of product marketing at Symantec. “It also lets end users continue to do what they’re supposed to do.”
Security vendors have been expanding their intelligence services in recent years, according to Scott Crawford, managing research director of security and risk at Boulder, Colo.-based Enterprise Management Associates. Crawford told Information Security magazine that a variety of services exist enabling companies to customize vulnerability alerts (Secunia) or threat feeds (Cyveillance, iDefense, Vigilant) so the information can be fed into security information and event management (SIEM) systems, vulnerability management platforms or governance, risk and compliance (GRC) suites.
“This suggests the rise of a new approach to security practice, one where defense becomes a function of visibility, and where automation is more dynamically and responsively defined by investigative expertise,” Crawford wrote.
In our recent Eye On CISO Management Issues, we tried to explain how IT security pros are turning threat data into actionable information. Certainly, threat management services and the XML feeds provided by the services could help bolster systems already in place if they are carefully applied.
Oct 17 2011 5:40PM GMT
Posted by: admin
Data Breaches and Identity Theft,
data security breach
The U.S. Securities and Exchange Commission released guidelines to help companies determine when and what information on security breaches should be disclosed to potential investors.
By Hillary O’Rourke, Contributor
The U.S. Securities and Exchange Commission released guidelines last week that aid public companies in deciding when and what should be disclosed to investors regarding even the potential of security breaches.
The initiative by SEC’s Division of Corporation Finance intends for companies to “disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” according to the guidelines.
In the statement, the SEC explains that it would like to see a discussion of possible security risks and what the consequences of those risks entail, how the company plans to counteract possible attacks, descriptions of previous attacks, what would happen if an attack went undetected for a period of time and insurance details.
To determine whether they must disclose information, a company should “evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber incidents and the severity and frequency of those incidents.”
“For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur,” said the guidelines. Instead, the company should discuss the possibility of the attack occurring again and the previous as well as potential consequences that the company could experience.
According to the release, it is not intended to be a rule or a regulation and it is “neither approved nor disapproved” by the Commission. It is simply a “roadmap” for those who seek guidance on disclosure at a time when the number of cyber incidents is growing.
According to the SEC, risk factor disclosures should include:
- Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
- To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
- Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
- Risks related to cyber incidents that may remain undetected for an extended period; and
- Description of relevant insurance coverage.