Latest news
Metasploit Pro 4.5 released
Posted on 07 December 2012.
Rapid7 released a new version of Metasploit Pro, which introduces advanced capabilities to simulate social engineering attacks.
With Metasploit 4.5, security professionals can now gain visibility into their organization’s exposure to phishing attacks through user-based and technical threat vectors, and introduce the necessary controls to manage the risk.
Phishing is often the initial attack vector of a data breach and experts estimate that “more than 500 million phishing e-mails appear in user inboxes every day.” These kinds of attacks result in financial losses of several billion dollars per year2, so it is critical that security professionals gain visibility into this risk in their organization and introduce appropriate controls.
“Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things,” said HD Moore, chief architect of Metasploit and chief security officer for Rapid7. “Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.”
Defenders can set up social engineering campaigns that will send simulated phishing emails to employees across the organization. The results indicate areas to focus on for training or mitigations. For example, a click-through on an email points to a lack in security awareness, whereas an exploited browser indicates a technical problem. Users who fall victim to the simulated phishing emails can be redirected to an online training, where they can learn to spot and correctly handle phishing emails in the future.
Alternatively, administrators can consult the Metasploit social engineering report to follow up with individuals by email or in person. Reports contain both overview statistics and details about the risk level of each user and host.
Additionally, Metasploit 4.5 enables defenders to quickly and easily set up fake websites to emulate real phishing attacks. Security professionals just need to enter the URL of the site they want to clone and Metasploit automatically changes forms to capture user input, adding client-side exploits if desired.
Security professionals can also test end-user security awareness by creating malicious files on USB flash drives that can be left in the company parking lot or restrooms as bait. Metasploit’s social engineering functionality can also be used for penetration testing engagements to compromise one or more computers as a starting point for a more comprehensive security assessment.
Metasploit Pro’s social engineering reports go above and beyond alternative penetration testing solutions by providing conversion rates, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised. It enables organizations to track and trend the effectiveness of their security programs. Only Metasploit Pro provides advice on how to address risk at each step in the social engineering funnel. With its community of 175,000 users, security researchers and open source contributors, Metasploit provides the most recent attack vectors and a realistic picture or your organization’s exposure.
With Metasploit 4.5, security professionals can now gain visibility into their organization’s exposure to phishing attacks through user-based and technical threat vectors, and introduce the necessary controls to manage the risk.
Phishing is often the initial attack vector of a data breach and experts estimate that “more than 500 million phishing e-mails appear in user inboxes every day.” These kinds of attacks result in financial losses of several billion dollars per year2, so it is critical that security professionals gain visibility into this risk in their organization and introduce appropriate controls.
“Many organizations already conduct end-user trainings and implement technical security controls to protect their data, but it’s hard to know how effective these measures are, or even if you’re focusing on the right things,” said HD Moore, chief architect of Metasploit and chief security officer for Rapid7. “Metasploit assesses the effectiveness of these measures, and provides metrics and management for each step in the chain of compromise to help you reduce your risk.”
Defenders can set up social engineering campaigns that will send simulated phishing emails to employees across the organization. The results indicate areas to focus on for training or mitigations. For example, a click-through on an email points to a lack in security awareness, whereas an exploited browser indicates a technical problem. Users who fall victim to the simulated phishing emails can be redirected to an online training, where they can learn to spot and correctly handle phishing emails in the future.
Alternatively, administrators can consult the Metasploit social engineering report to follow up with individuals by email or in person. Reports contain both overview statistics and details about the risk level of each user and host.
Additionally, Metasploit 4.5 enables defenders to quickly and easily set up fake websites to emulate real phishing attacks. Security professionals just need to enter the URL of the site they want to clone and Metasploit automatically changes forms to capture user input, adding client-side exploits if desired.
Security professionals can also test end-user security awareness by creating malicious files on USB flash drives that can be left in the company parking lot or restrooms as bait. Metasploit’s social engineering functionality can also be used for penetration testing engagements to compromise one or more computers as a starting point for a more comprehensive security assessment.
Metasploit Pro’s social engineering reports go above and beyond alternative penetration testing solutions by providing conversion rates, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised. It enables organizations to track and trend the effectiveness of their security programs. Only Metasploit Pro provides advice on how to address risk at each step in the social engineering funnel. With its community of 175,000 users, security researchers and open source contributors, Metasploit provides the most recent attack vectors and a realistic picture or your organization’s exposure.
Spotlight
Experts highlight top data breach vulnerabilities
Posted on 22 May 2013. | Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.
A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.
The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.
Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.
IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
Daily digest
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
Weekly newsletter
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.
 |
