Leading in Privacy
On September 24, I was pleased to represent Coalfire and private-sector expertise by attending the kickoff for the Privacy Framework at the Brookings Institute in Washington, D.C. The event was attended by notable leaders in the industry and government: The Departments of Transportation and...
Scan Interference
Scan interference is best defined as traffic from our scanners being blocked, filtered, dropped, or modified by some sort of active protection system that does not recognize our traffic. Once our scanners are flagged as an intruder, the client's environment is no longer accessible, which...
“Password Spraying”—What to Do and How to Avoid It
Cyber breaches aren't the only hot topic in the cyber media; sometimes the attack tactics themselves can claim the limelight when a significant breach gains media attention. One tactic getting some attention in the news is "password spraying." We offer an overview of what it is, how to avoid it, a...
Kubernetes Vulnerability: What You Can and Should Do to Protect Your Enterprise
This week, news was released regarding a critical Common Vulnerabilities and Exposures (CVE) entry, CVE-2018-1002105, associated with the Kubernetes container orchestration software. While this is only a reported vulnerability at this stage and no actual exploits have been reported to date, organizations that have...
FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS
Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is...
Headless, Unattended Scanning in Burp Suite Professional 2.0 with Seltzer
Burp Suite Professional (Burp) is one of the best tools available for penetration testers. It is feature-rich, intuitive, well-supported, and customizable. However, it can be difficult to use Burp for headless, unattended scanning. Alternatives such as Burp Suite Enterprise exist, but those of us...
Exploiting Blind Java Deserialization with Burp and Ysoserial
While performing a web application penetration test, I stumbled upon a parameter with some base64-encoded data within a POST parameter. Curious as to what it was, I sent it over to Burp Decoder...
Forensically Imaging a Microsoft Surface Pro 4
Working on digital forensics can sometimes create some challenging situations. Recently, we received a couple of Microsoft Surface Pro tablets to image and analyze. Having conducted forensics for a while, I realized that, depending on the version, imaging this tablet could be a challenge. Some...
Healthcare Slow to Adopt NIST Digital Identity and Authentication Guidance
The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-63B, part of its updated Digital Identity Guidelines, in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various...
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments,...
Processing payments in the cloud
Some things work so well together that even suggesting they don't now seems almost ridiculous. But I wonder, who were the pioneers that fought back when questioned about the jelly on the PB? The savory with the sweet. The steak wrapped in cheese . . . those crazy hipsters spreading avocado on toas...
Preparing for PCI DSS 4.0
PCI DSS 4.0 is currently in its request for comments (RFC) process, where the industry can provide comments and feedback to help shape the next iteration. This process is initially open to the participating organizations - members that help steer and inform the PCI SSC based on their experiences. T...
The HITRUST Common Security Framework: Not Just for Healthcare Anymore
The HITRUST 2019 conference took place last month in Dallas, Texas, and covered important topics such as risk management, compliance, third-party assurance, cybersecurity, medical devices, and the Internet of Things (IoT). As speakers and sponsors, we saw much enthusiasm about HITRUST Common Securi...
PA-DSS to Software Security Framework: What You Need to Know
The Payment Application Data Security Standard (PA-DSS), developed by the Payment Card Industry Security Standards Council (PCI SSC), applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data and/or sensitive authentication data. The list o...
Our Analysis: Gartner’s Hype Cycle for Risk Management, 2018
For those of us charged with managing cyber risk as well as planning and budgeting for cybersecurity, the Gartner "Hype Cycle for Risk Management, 2018" provides some helpful perspectives that are useful in setting both priorities and expectations...
Valuing IR Preparedness: Identifying and Communicating ROI
In the information security community, a proactive approach to incident response is always considered best practice. Reacting in the moment can drain resources, and the full impact of an incident may take weeks or even months to remediate. Despite this, making a case to management for the...
When Checking the Box Results in Two Zero Days and Root (CVE-2019-14257 and CVE-2019-14258)
Finding new bugs and exploiting them can be exciting and fun for a penetration tester. I was ecstatic to find my first two zero-days, and I used them to break a system from no access to root. This was a good day for me - but the story behind the story provides some real lessons enterprises can...
Forensics and the Internet of Things (IoT)
Today, the Internet of Things (IoT) means that billions of devices are connected to the Internet. People and organizations are looking to connect devices more frequently for automation, simplification, and the feature advantages the IoT delivers. Items such as smoke detectors, glasses, watches,...
The HOW, WHY, and HUH? Blog on Disputes
As you may know, performing vulnerability scans is a requirement for PCI DSS compliance. One specific requirement, described in section 11.2.2, states that quarterly external scans must be performed by a qualified Approved Scanning Vendor (ASV). Coalfire just so happens to be an ASV, so if you...
Update to Microsoft Checks
Part of the glamorous life of an ASV involves a rigorous Quality Assurance program to ensure that we are the best ASVs we can possibly be. Some of those efforts are not as readily apparent to our clients as others; but on some occasions, we like to share when our work directly benefits those who...
Enabling Clients to Cope with ASV Scans
Gathering evidence, applying patches, and configuring your systems in preparation for submitting your vulnerability disputes can be a nerve-wracking and daunting task. To better enhance your understanding of the Approved Scanning Vendor (ASV) process, I've outlined some coping mechanisms and tools t...
PCI Announces Coming Qualified PIN Assessor (QPA) Program
Second only to protecting sensitive credit card account information, safeguarding the cardholder's personal identification number (PIN) is one of the most important tasks for prevention of card-present fraud in retail and banking. With the continued movement toward chip-and-PIN (EMV), the technology...
The Threats That Are Your Weakest Link
Coalfire published the latest report in its Securealities series, The Penetration Risk Report, and it's based on findings from Coalfire penetration tests. It includes data drawn from engagements with businesses of all sizes, spanning financial services, retail, healthcare, and technology/cloud...
Requirements for DoD Impact Level 2
As discussed in the previous blog post on FedRAMP+, there are four authorization levels defined in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG). In this post we will give a brief rundown of the lowest authorization level, DoD Impact Level (IL) 2, and the security...
Epic Holiday Cookie Baking
One aspect of being a penetration tester that is always rewarding is the process of rabbit-holing into an area of interest and letting the data guide me to my destination. Recently, while updating and testing new code on a custom cookie-fuzzing tool, Anomalous Cookie -...
The HITRUST CSF 90-Day Rules – What You Need to Know
Earlier this year, HITRUST announced required changes, effective April 1, 2019 applicable to all CSF assessor firms, regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality...
Data Governance in the Cloud
Data governance is something your organization has likely considered, put into action, and implemented. The question is, to what degree is the data actually being governed - or not?...
How Hospitals Can Tie Cost Reduction to a Solid Data Security Program
When I have conversations with hospitals and other organizations subject to HIPAA, one of the first questions asked is "if I have a data breach, will OCR fine me, and if so, how much?" Many organizations decide to gamble: they opt to save time and money by not implementing a robust information ri...
Clearing the clouds: Comparing CMMC to other frameworks
These days, I spend a lot of time talking to our cloud-based clients about Cybersecurity Maturity Model Certification (CMMC): what it is, why it's important, and how they can prepare. As one of the leading cybersecurity consulting firms and third-party assessment organizations (3PAO), Coalfire's client...
High-Power Hash Cracking with NPK
Password hashes are an everyday part of life in Coalfire Labs. Barring any other low-hanging fruit, it's not uncommon for a penetration test to hinge on recovering a plaintext password from one of these hashes. Whether it's NTLM hashes from Active Directory, NetNTLMv2 from Responder, WPA2 PMK from ...
CoalfireOne Special Notes
PCI DSS can be challenging to navigate - particularly when it comes to the ASV scanning requirements. While fulfilling the scanning requirement is easy, obtaining a passing attestation report may involve more than simply remediating failed findings. One requirement that we receive many questions...
Successful SOC 2 Approaches to Address Fraud Risk
Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 fraud risk considerations because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the busine...
PCI DSS for large organizations: A Coalfire perspective
As organizations grow, PCI DSS responsibilities become more complex. Logically, they gain more interconnected relationships internally and with third parties. Multiple payment channels, complex network architectures, and large inventories of devices in scope require preparation before performing...
FUD is Dead
A friend of mine who runs a cybersecurity firm told me recently, "Bro, FUD is dead. People are tired of all the fearmongering." I completely agreed. For the uninitiated, FUD stands for Fear, Uncertainty, and Doubt...
Phantom Acquisition Lets Splunk SOAR
At the SplunkLive! Conference in Washington, D.C., Splunk gave a presentation on Phantom, a Security Orchestration, Automation, and Response (SOAR) system. Splunk acquired Phantom this year for $350 million...
Common Questions and Answers Salesforce ISVs Need to Know for FedRAMP
Many Salesforce Independent Software Vendors (ISVs) are interested in pursuing FedRAMP to serve federal customers, but have many questions about the process. The four questions below are the most common questions that Coalfire receives from these ISV partners; we have provided some basic responses ...
Introducing Our New Scanning Platform, CoalfireOne Scans
As you may be aware by now from previous blog posts, ongoing walk-through webinars, and our press release, we released Coalfire's brand new vulnerability scanning platform, CoalfireOne Scans, this morning. All of us here at the CoalfireOne Scanning Services Team are truly excited to see its...
DoD Cloud Computing Impact Levels 4-5
Moving past DoD Impact Level 2 (IL2), the logical next step should be IL3; however, IL3 is no longer used by the Department of Defense (DoD) and has been consolidated into IL4. DoD IL4 is designed to store, process, and transmit up to controlled unclassified information (CUI) related to military or...
Pulling Back the Curtain
As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit...
What You Should Know About the Changing Nature of Telephone-Based Payments
In March 2011, the PCI SSC released the initial version of the "Protecting Telephone-Based Payments Card Data" Information Supplement as a guide to help assessors assess environments where cardholder data was stored, processed, and/or transmitted over the telephone. It was a pivotal guidance...
Leveraging AWS Trusted Advisor for Security and Compliance
The benefits of undergoing mandatory or voluntary cybersecurity compliance assessments are well known throughout the cybersecurity industry. These benefits include improving the security posture of the organization, enabling sales to move faster through the sales lifecycle, addressing regulatory...
Work It ‘til You Make It – Part 1
I was recently asked to be a speaker on my first "Women in Cybersecurity" panel. I accepted, despite my admitted fear of speaking in public, on a stage, dishing honesty to be judged by strangers. But, I did it because I know that it'll make me a better speaker and a better leader - the more...
Observations from RSA Conference, 2019
Last week, the 2019 RSA Conference was held with typical energy and exuberance in San Francisco. One of the largest cybersecurity industry conferences, it had over 700 exhibiting vendors (not including another 50 in their Early Stage Expo area) and over 500 sessions covering a wide range of current...
RISE in the Community
Hope House of Colorado is metro-Denver's only resource for providing free self-sufficiency programs to teen moms, including residential, General Educational Development (GED), and college and career programs. Additional supportive services include parenting and healthy relationship classes, life...
IoT Adventures: The LeFun WiFi Camera
Recently I happened to be in the market for a baby monitor, so I decided to search Amazon for an affordable device that would fit my needs. A search for "baby monitor" within the "electronics" department brought me to the LeFun WiFi Camera. For $39.99 at the time of my purchase, this seemed like ...
Waking up to the new realities of privacy risk and the need for focused expertise
Last month, Coalfire announced that our certification body was awarded yet another of many "firsts." In this scenario, Coalfire was the first to expand its registration to a second accreditation body as part of its certification services related to ISO 27701, a framework that governs the activiti...
The HITRUST shared responsibility matrix – the assessor’s point of view
HITRUST® announced the availability of the new Shared Responsibility Program and Matrix™ Version 1.0 to help communicate and assign security and privacy responsibilities between cloud service providers (CSPs) and their customers. Coalfire is proud that we helped develop the Matrix as part of the...
What You Need to Know from the North American PCI Community Meetings
Too busy to attend the PCI Community Meetings this year? Coalfire has you covered with the top 6 things you need to know from the most important annual payments conference in the world...
Fuzzing: Common Tools and Techniques
Fuzzing is a software testing methodology that can be used from either a black-box or a white-box perspective. It predominantly consists of feeding deliberately malformed inputs to an application to identify errors such as unhandled exceptions, memory spikes, thread hangs, read access violations or...
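The loop that the excerpt above describes (take a valid input, mutate it, feed it to the target, record anything that is not a clean rejection) is small enough to show end to end. The block below is an added example written for this listing, not code from the Coalfire post or from any fuzzing tool it discusses. The target, `parse_record`, is a constructed toy parser for a length-prefixed record that deliberately trusts the declared length; the mutation strategies and the "interesting" values are common fuzzing heuristics, chosen here as assumptions rather than taken from the post.

```python
"""Minimal mutation-based fuzzer (added example, not the original post's code)."""
import random
import struct


def parse_record(data: bytes) -> dict:
    """Constructed target: 1-byte type, 2-byte big-endian length, then payload.

    A proper parser would reject a length larger than the remaining bytes;
    this one trusts it, so a malformed header makes it read past the payload.
    """
    if len(data) < 3:
        raise ValueError("short header")          # clean, handled rejection
    rtype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    # Bug under test: indexes by the declared length, not the real one.
    checksum = payload[0] ^ payload[length - 1]   # IndexError on a lying header
    return {"type": rtype, "length": length, "checksum": checksum}


# Boundary values that commonly trip length and sign handling (assumed heuristics).
INTERESTING = [b"\x00", b"\xff", b"\xff\xff", b"\x7f\xff", b"\x80\x00"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations to a copy of the seed input."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "replace", "truncate", "insert"))
        if op == "flip" and data:                 # flip a single bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == "replace" and data:            # overwrite one byte
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == "truncate" and data:           # cut the input short
            del data[rng.randrange(len(data)):]
        elif op == "insert":                      # splice in a boundary value
            i = rng.randrange(len(data) + 1)
            data[i:i] = rng.choice(INTERESTING)
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Run the target on mutated inputs; return {(exception name, message): input}.

    ValueError is the parser's documented rejection path, so it is not a finding.
    Any other exception is an unhandled error and is kept, deduplicated by type
    and message, together with the first input that triggered it.
    """
    rng = random.Random(rng_seed)                 # fixed seed: reproducible runs
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                  # noqa: BLE001 - that is the point
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


if __name__ == "__main__":
    seed = b"\x01\x00\x04ABCD"                    # constructed valid record
    for (name, msg), case in fuzz(parse_record, seed).items():
        print(f"{name}: {msg!r} <- {case.hex()}")
```

Deduplicating on exception type and message is enough for a toy parser; against a real binary you would key on a stack-trace hash and keep every unique input for triage, and you would run the target in a subprocess with memory and time limits so that the hangs and memory spikes the excerpt mentions are caught as findings rather than taking the fuzzer down with them.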
AWS Slurp Github Takeover
Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name (example.com) or a wordlist as input and cycles through likely S3 bucket names (example.s3.amazonaws.com) looking for any world-readable or world-writable buckets. S3 buckets are a great find for...
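The two halves of what the excerpt describes, generating likely bucket names from a domain and deciding what an unauthenticated response means, are shown below as an added example written for this listing. It is not Slurp's code, and the permutation scheme (domain, its first label, and each of those joined to a wordlist with `-`, `.` or nothing) is an assumed one, not Slurp's exact list. The sample responses in the test are constructed from the shape of S3's XML error and listing bodies; `probe` performs a real GET and is the only part that touches the network.

```python
"""Candidate S3 bucket names and response triage (added example, not Slurp's code)."""
import re
import urllib.error
import urllib.request
from itertools import product

# Bucket names allow lowercase letters, digits, '.' and '-'; no underscores.
SEPARATORS = ("", "-", ".")
VALID_BUCKET = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def candidate_names(domain: str, words) -> list:
    """Build bucket-name guesses from a domain plus a wordlist (assumed scheme)."""
    base = domain.lower().strip()
    stems = {base, base.split(".")[0]}            # "example.com" and "example"
    names = set(stems)
    for stem, word, sep in product(stems, words, SEPARATORS):
        names.add(f"{stem}{sep}{word.lower()}")   # example-backup
        names.add(f"{word.lower()}{sep}{stem}")   # backup.example.com
    # Drop anything S3 would never accept so we do not waste requests on it.
    return sorted(n for n in names if VALID_BUCKET.match(n))


def classify(status: int, body: str) -> str:
    """Map the result of an anonymous GET on https://<bucket>.s3.amazonaws.com/ to a finding."""
    if status == 404 and "NoSuchBucket" in body:
        return "not-found"
    if status == 200 and "<ListBucketResult" in body:
        return "public-list"                      # world-readable: listing returned
    if status == 403:
        return "exists-private"                   # bucket exists, anonymous denied
    if status == 301:
        return "exists-other-region"              # PermanentRedirect: exists elsewhere
    return "unknown"


def probe(bucket: str, timeout: float = 5.0) -> str:
    """Issue the GET and classify it. Read-only: it never attempts a PUT."""
    req = urllib.request.Request(
        f"https://{bucket}.s3.amazonaws.com/",
        headers={"User-Agent": "bucket-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:         # 301/403/404 arrive here
        return classify(err.code, err.read(4096).decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for name in candidate_names(domain, ["backup", "dev", "logs", "static"]):
        print(f"{name:40} {probe(name)}")
```

Two practitioner caveats. "exists-private" only says that anonymous listing is denied; object reads may still be open, so a follow-up GET of a known key is the next check. Testing for world-writable requires a PUT, which changes the target, so it belongs in an authorised engagement with an agreed marker object and a clean-up step, not in a reconnaissance script.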