603 matches found
A rundown of the OWASP top 10 for large language model applications
As part of the Open Worldwide Application Security Project OWASP AI Project, a community of international experts published a list of the top 10 critical vulnerabilities seen in Large Language Model LLM applications...
An integrated approach to security audits
A cyberattack can be devastating to any organization because it compromises sensitive data and, as a result, the financial position, strategic vision, and more important, the trust and credibility that the enterprise has built over the years. Given the magnitude of this risk, what role does the I...
Rumors of an upcoming, major change to ISO 27002
Of the thousands of international standards published by the International Organization for Standardization ISO, some of the most popular ISO standards are management system standards, such as the well-known ISO 9001 standard for quality management and ISO 27001 for information security managemen...
Lift and drag: confronting complacency and disrupting inertia in cybersecurity strategy
Within corporate cybersecurity, resistance presents in a variety of forms. Individuals and institutions alike often face overwhelming peer pressure to "keep doing what made us successful in the past." In the face of that pressure, it can be difficult to generate or sustain momentum toward...
The Basics of Exploit Development 4: Unicode Overflows
If you have read the previous articles in this series, welcome back and keep reading. If not, I would encourage you to read those first before proceeding, as this article builds on concepts laid down in the previous installments. In this article, we will be covering a technique similar to the one...
Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today
The Payment Card Industry PCI Council plans to formally retire the Payment Application Data Security Standard PA-DSS in October 2022 and replace it with the PCI Software Security Framework SSF. For vendors, the new framework expands program eligibility with improved support for evolving...
Exploiting an Unsecured Dell Foglight Server
Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well. It comes configured with a default username and password of "foglight."...
What you need to know: Navigating EU Data Protection changes – EU-US Privacy Shield and EU General Data Protection Regulation
If youre an organization with trans-Atlantic presence that transmits and stores European citizen data e.g. employee payroll & HR data, client & prospect data in the U.S. you will want to pay attention. What we will discuss was administered under the European Unions Data Protection Directive and a...
Navigating the AI security landscape: The federal push for responsible AI adoption
This blog post discusses the U.S. government's commitment to responsible AI through the Executive Order and proposed legislation, outlines key provisions for AI risk management, highlights efforts to strengthen federal AI governance, and emphasizes Coalfire's role in promoting responsible AI...
Penetration testing and red teaming: The differences and reasons why both are important to your business
Penetration testing, also known as ethical hacking, white-hat hacking, or pen testing, is one important form of security assessment that tests people, process, and technology to find security vulnerabilities that a potential attacker could exploit. Red teaming is a more targeted approach that...
Coalfire celebrates a decade as HITRUST assessor
Coalfire is incredibly excited for 2022. We are fully committed to developing world-class solutions for our teams and customers. On the immediate horizon is the newly announced i1 assessment, and were eagerly anticipating more news regarding CSFv10. Alongside these developments from HITRUST, were...
The impact of Covid-19 on SOC reporting
The audit cycle for organizations that receive SOC reports includes new challenges related to Covid-19. Remote workforces are now the norm throughout the world, which introduces new risks. For example, connecting to corporate networks using personal computers that may be infected with malware is...
New HC3 report defines security assessments needed for healthcare organizations during and after COVID-19
The Health Sector Cybersecurity Coordination Center HC3 recently delivered a report that defines and articulates the security assessments and information technology audits that should be considered during and after the COVID-19 pandemic...
Pro Tips: Testing Applications Using Burp, and More
Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension. There are a few things, however, that while they exist in Burp Suite, are not completely intuitive. Below are a few pro...
PowerShell: In-Memory Injection Using CertUtil.exe
Have you ever heard the old saying," The only constant in life is change?" Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our effor...
Takeaways from GAM 2018: Internal Audit Embraces Cybersecurity
Last week, the Institute of Internal Auditors IIA held its 2018 Global Audit Management Conference at the Aria Resort in Las Vegas. With over 1,700 attendees, this was the most well-attended event in the history of the conference. Coalfire was one of the sponsors, and we were delighted to meet wi...
Has Your O365 Account Been Hacked?
In the past six months, Coalfire has seen an increase in businesses receiving fraudulent emails from legitimate client accounts with fraudulent invoice attachments. In several cases, the recipient paid the invoices not realizing they were fraudulent. The losses have ranged between thousands and...
New PCI NESA Guidance is Good News for Non-Listed Encryption Solutions
While PCI P2PE is still the most secure approach, solution providers, who are not yet validated, can now offer additional clarity to merchants, QSAs, and acquirers...
PCI Council Gives Merchants Reprieve on PCI 3.1 Updates
The Payment Card Industry Security Standards Council PCI SSC released an update to its vulnerability standards and is giving merchants until June 2018 to migrate their security protocols, even though waiting is not recommended...
Where is your social security number today?
As April 15 approaches, the "water cooler" talk revolves around all types of topics related to the tax season. However, due to the overwhelming number of security breaches reported this past year, several individuals are finding that fraudulent tax filings were created with voluntarily provided...
Hexeon unleashed: human-centric offensive security amplified by technology
Part 3 in a blog series spotlighting Coalfire's 5th Annual Penetration Risk Report...
FedRAMP 101: How to get listed as “In Process”
Are you a cloud service provider working on a federal contract and need a FedRAMP authorization - but dont have a sponsor yet? Acquiring a committed government agency sponsor early in the FedRAMP process is crucial to your success and will ensure a smoother process. A major role for an agency...
Aligning Enterprise Cyber Risk and Business Strategy
Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their...
FedRAMP High Baseline Requirements Published
The Federal Risk and Authorization Management Program FedRAMP Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199; an...
2013 PCI SSC European Community Meeting Wrap-Up
Matt Getzleman - PCI Practice Director, Dan Fritsche - Director, Solution Validation, Andrew Barratt - Managing Director UK, and Brian Pennington - Regional Sales Director, discuss the recent PCI SSC Community Meeting in Nice, France...
BYOD Survey Results: Employees are not playing it safe with company data
Employers are seeing a drastic increase in the number of employees using personal smartphones and tablets in the office. This "Bring Your Own Device" BYOD trend is causing headaches for the IT department and there is no stopping this trend. Due to the sensitive nature of company information often...
Coalfire Acquires Digital Resources Group in California
We have reached a new milestone at Coalfire and have announced the recent acquisition of privately held Digital Resources Group DRG in Redwood City, California. We are excited about our latest venture as it consolidates our leadership position within the IT Governance Risk and Compliance IT GRC...
Is your HIPAA Security and HITECH audit program in order?
Healthcare organizations have been working towards HIPAA and HITECH compliance for a few years now. "Surprise" HIPAA compliance audits conducted by the OCR have begun and at Coalfire weve come across some gaps that have led organizations to fall short of their compliance initiatives...
Penetration testing: shifting paradigms from reactive to proactive
Part 2 in a blog series spotlighting Coalfires 5th Annual Penetration Risk Report...
Behind the eight-ball: Why companies struggle with penetration risk
An introduction to a new blog series spotlighting Coalfires upcoming 5th Annual Penetration Risk report...
Spotlight: Women of Coalfire part 3
In this spotlight series, we are recognizing some of the women at Coalfire who have shattered glass ceilings and forged their own paths despite the obstacles they faced. Karen Laughton and Michi Everett are two of these women. Karen was the first female to hold an executive position in delivery a...
Cloud Transformation and the Shared Security Model
For many organizations, the lure of the cloud is very strong. Large enterprises usually have several justifications for adopting cloud-based services including preserving capital, adding scalability to applications, and minimizing IT staffing needs. Small- to medium-sized organizations often look...
Continuous Monitoring in the Cloud
I recently spoke at the Cloud Security Alliances Federal Summit on the topic "Continuous Monitoring / Continuous Diagnostics and Mitigation CDM Concepts in the Cloud." As government has moved and will continue to move to the cloud, it is becoming increasingly important to ensure continuous...
Ransomware: the anatomy of paying a ransom to decrypt hostage files
Ransomware is on the rise and clients seeking to understand the process can learn from this clients story about being a victim of ransomware as to what can be expected and how to handle a ransomware attack. Recently a company facing a malware infection approached us to help them deal with the...
New York State Implements Cybersecurity Regulation 23 NYCRR 500
On March 1st, 2017, sweeping new cybersecurity requirements were placed on organizations regulated by the New York State Department of Financial Services. The law applies to a broad set of covered entities that are supervised by the NYDFS, including banks, trusts, budget planners, check cashers,...
What’s Your Computer Thinking About? Examining Random Access Memory (RAM)
How valuable would it be to be able to read another persons mind? To know what theyre thinking or planning to do would be invaluable. Or, how valuable would it be to know what they have done in the recent past, especially if you believed they were involved in some criminal activity? Who they were...
A huge applause from the NIST-OCR-HIPAA 2015 conference
It looked like the 8th annual conference may have garnered record-breaking attendance as I noticed hotel staff rushing to add skirted tables and chairs to the back of the room to accommodate a standing-room-only crowd. I guess that was to be expected given the star-studded line-up of presenters...
Apple Pay: A New Way to Pay
Every September, Apple announces exciting new products that promise to change how we interact with not only our devices, but with the world around us. 2014 has been no exception; in San Francisco this morning, Apple announced the iPhone 6, Apple Watch and Apple Pay. Even though Im excited about t...
The Federal Government in Financial Services' Cybersecurity
Its no secret that the internet has changed the way we do business in nearly every industry. On the other hand, the dangers of limited cyber regulations are quickly becoming a focus for the government due to the frequency and impact of data breaches. Its becoming apparent that convenience comes a...
Target Kill Chain Analysis
Last week, I talked with Wall Street Journal reporter Ben DiPietro about the persistent communications gap between the data center and the board room when it comes to recognizing and tackling security threats: In almost every breach situation after his company completes a forensic analysis, Mr...
Cyber Security Awareness - Are you Doing All You Can to Stay Safe?
Every company has vulnerabilities and must learn to protect themselves from fast-moving cyber threats. Below are a few tips to keep in mind as you examine your network security:...
Phishing Season: Spam on the rise
Within the past two weeks there have been several reports on the increase in email spam, which can be directly correlated to an increase in phishing schemes and malware attacks. These attacks are frequently being delivered under the guise of legitimate business: they come in the form of shipment...
Looking back at Black Hat 2023
From AI to the evolving threat landscape, Black Hat 2023 spotlighted the security industrys latest and greatest innovations...
Spotlight: Women of Coalfire part 1
There is no area of society in which women are free of obstacles to their success due to their gender. I am all too familiar with inequity impacting women - including in the military - where I fought to correct the injustices that affected servicewomen. In the past, servicewomen who became pregna...
Deploying your first Blueprints
Welcome back to the fourth and final part of this Azure Blueprints series. This section covers how to use some Blueprints provided by Microsoft and how to get started writing your Blueprints for managing your Azure Governance. Specifically, we will look more closely at a FedRAMP use case...
Please Stop Managing Vulnerabilities in Excel Spreadsheets
Do your best Excel users work in application security? Are you trying to manage thousands of vulnerabilities across hundreds of applications in an increasingly elaborate series of Excel spreadsheets? Most companies are using multiple scanning technologies as well as a variety of manual testing...
Successful DevSecOps begins with a cultural shift
A successful DevSecOps approach fosters cohesive collaboration between Development, Security, and Operations teams for the cultivation of outcomes that improve security while also maintaining the goals of DevOps. Within DevSecOps, security is an additional foundational component in the process...
The Basics of Exploit Development 3: Egg Hunters
Hello dear reader. If you have read the other articles in this series, welcome back! If not I encourage you to read the previous installments before proceeding with this post. This post covers a surprisingly useful technique in exploit development called Egg Hunters. In order to demonstrate how E...
Will ISO 27701 Be the New GDPR Certification?
On August 6, ISO published the ISO/IEC 27701:2019 "ISO 27701" standard, which lays out the requirements for implementing an organizational program to govern the handling of personally identifiable information PII, known as a Privacy Information Management System PIMS. In many ways, the new standa...
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL
I like to do bug bounties from time to time, mostly when I am sacrificing sleep once the kids are finally out cold. This seemed like a worthy experience to document. Let me just start by saying I dont plan on going into the whole recon bits too deeply here. Maybe I will someday if I ever have...