Lucene search
+L
CoalfireMost viewed

603 matches found

The Coalfire Blog
The Coalfire Blog
added 2018/04/01 7:52 p.m.16 views

Background Checks on AIs and Other Challenges in the PCI World

Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. Wed like to review our recent experience and offer suggestions for these comparatively novel situations...

2.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2018/03/16 6:15 p.m.16 views

Icebreaker: Chip Away at Active Directory Passwords, Automatically

To break the ice with Active Directory and shorten the cycles penetration testers spend on cracking passwords, I developed Icebreaker, a tool that automates network attacks against Active Directory and provides plaintext credentials. Icebreaker performs five network attacks in order...

4.1AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2018/03/06 12:8 a.m.16 views

DFARS 7012 Compliance

At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Science and Technology NIST Special Publication SP 800-171. We also address requests for help with "DFARS 7012," which is a commonly used shorthand for Defense Acquisition Regulation...

2.5AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2018/01/02 10:41 p.m.16 views

Healthcare Security Pros Prioritize Sharing and Caring in the Wild, Wild West of Healthcare

Security professionals from healthcare delivery organizations HDOs, medical device manufacturers, and pharmaceutical companies gathered in Scottsdale, Arizona for the NH-ISAC Cyber Rodeo Summit last month. The big topics were how to share more threat intelligence, while at the same time ensuring...

1.1AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/12/11 4:17 p.m.16 views

Deploying and Troubleshooting Compliance Baselines

If you are in the IT space, youve most likely encountered or are bound by some form of regulation/framework such as PCI, HIPAA, FISMA, and/or CGIS. Most of these compliance programs require a hardened baseline to be implemented within your information systems to reduce the risk and impact of an...

0.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/08/16 5:46 p.m.16 views

Coalfire’s Adaptive Penetration Testing at Black Hat Helped Prepare Tomorrow’s Security Talent

What makes a penetration tester highly successful? Most obviously, the technical skills to hack into a network, application, or location comes to mind first, and without those capabilities and the ability to continuously learn, an aspiring pen tester has a tough road ahead of them...

2.1AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/08/03 9:14 p.m.16 views

Black Hat 2017: training, cybersecurity trends and end-point protection

Every year, Black Hat is a highly anticipated event in the cybersecurity community--and Black Hat 2017 certainly did not disappoint! It was yet another year of record traffic, bustling with visitors from the security community that want to strengthen their security skills and postures...

1.8AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2016/08/17 2:48 p.m.16 views

What is Defcon

The first year I attended, I was lucky enough to identify interesting wireless signals with a distinct sound - that of the POCSAG and FLEX protocols. Decoding these signals revealed party invites to the Telephreak party where I listened to raw, uncensored lightning talks covering topics from car...

0.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2016/05/05 3:44 p.m.16 views

Coalfire goes to Washington!

Our CEO Larry Jones visited The White House Thursday morning to join with First Lady Michelle Obama and Dr. Biden in the celebration of the Joining Forces initiatives fifth-year anniversary and announce Coalfires pledge to hire and train veterans and military spouses...

2.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/10/26 10:37 a.m.16 views

The 100 Million Dollar Getaway - Horror Stories 2015

In todays security landscape, companies face daily threats to their reputation and intellectual property. The typical response to these threats is to purchase a tool or a service claiming to be a magical silver bullet that can respond to all "cyber" threats. In reality, the quest for a security...

0.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/10/22 9:18 a.m.16 views

The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo

European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice ECJ declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European...

2.1AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/06/22 6:4 p.m.16 views

Is penetration testing required for HIPAA compliance?

In this blog post were going to focus our discussion on the technical requirement part of this standard. The evaluation is supposed to establish the extent to which a covered entitys or business associates security policies and procedures meet the requirements of the HIPAA Security Rule. A questi...

0.6AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2014/06/16 5:16 p.m.16 views

How do cyber insurer's assess cyber risk?

Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London. As mentioned in one of Ricks earlier blog entries analyzing the Target kill chain, the communication between...

2.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2013/01/07 12:47 p.m.16 views

P2PE Hybrid, the next best thing since the Prius

P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what mu...

1.7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2012/10/29 2:8 p.m.16 views

IT Security Horror Stories: Tale of the Fake IT Rep

Some IT security monsters arent as obvious as a Mummy. At Coalfire Labs, we discover--and help our clients address--some pretty scary security and compliance problems. There are lots of deceptive monsters looking to exploit the weaknesses of their victims. This is one of those terrifying but true...

2.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2012/10/19 12:22 p.m.16 views

Coalfire Client FireHost Achieves HITRUST CSF Certification

Yesterday, we were delighted to see our long-time client Firehost announce that they achieved Common Security Framework CSF "Certified" status from the HITRUST Alliance. Headquartered in Richardson, Texas, FireHost has made compliance a top priority, and weve enjoyed working with them to achieve...

1.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2012/03/16 12:22 p.m.16 views

What We Learned at HIMSS12

A few weeks ago, more than 35,000 healthcare IT professionals and 1,100 exhibitors converged on Las Vegas. Some were there to go shopping for "HIT" or health information technology; others were there to sell it. The IT professionals from across the healthcare spectrum were there to meet with each...

1.4AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2012/01/03 8:59 p.m.16 views

Cyber Security Fraud in the Banking Industry: Lessons Learned in OCC Examiner Training

In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions...

1.7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2011/05/24 7:16 a.m.16 views

They Changed What? HIPAA & HITECH

In 1996, the Healthcare Insurance Portability and Accountability Act HIPAA opened the door to increased exchanges of healthcare information in an effort to improve care and reduce costs. The Act included new provisions for protected health information PHI. Since there are only a few limited revie...

1.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2011/05/11 12:38 a.m.16 views

Meet John Rostern: Managing Director of the New York Office

We are pleased to announce that John Rostern has joined Coalfire Systems as managing director of the New York office...

2.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/11/20 9:53 p.m.15 views

Improving compliance management with mappings and automation

Based on the research in Coalfires 2023 Securealities Compliance Report, the third blog in this series examines one of the top concerns of CISOs and compliance program managers: realizing the value of a platform to simplify compliance...

7.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/11/16 7:19 p.m.15 views

Guardians of IoT: Fortifying the financial sector in the age of IoT

The Internet of Things IoT has revolutionized the financial industry, but its associated security vulnerabilities and risks must be addressed to protect sensitive data...

7.5AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/09/12 8:26 p.m.15 views

What to look for in an audit partner

How are successful auditor partnerships formed? It starts with selecting the right auditor and taking them with you on your organizations compliance journey...

7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/06/22 4:23 p.m.15 views

How medical device manufacturers can address new FDA cybersecurity guidelines

Advancements in technology in the healthcare industry have made medical devices increasingly vulnerable to cyber attacks. To embed better security practices into the manufacturing and implementation of medical devices, the FDA released a new mandate requiring a comprehensive cybersecurity plan fo...

7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/05/22 3:32 p.m.15 views

Insider threats to the healthcare industry

A discussion of insider threats faced by the U.S. healthcare industry highlighting the types of threats and recommendations on how organizations can mitigate the risks...

7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2023/05/01 5:30 p.m.15 views

Six steps to prepare your application security team for a penetration test

This blog post will show step-by-step how an application security team should prepare for a penetration test...

7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2022/10/10 5:9 p.m.15 views

Highlights from FedRAMP®’s new Penetration Test Guidance

In an effort to stay on top of the evolving threats being faced by the cloud community, the FedRAMP PMO released Version 3.0 of their Penetration Test Guidance, dated June 30, 2022. 3PAOs and CSPs should begin using the updated pen test guide for pen tests beginning shortly after June 5, 2022,...

7.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2022/01/20 11:28 p.m.15 views

The right ASM tools include understanding where the real risk lies

While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies arent looking or maybe not prioritizing and reaping the reward through bug bounty programs...

3.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2021/12/08 2:10 a.m.15 views

The secure development lifecycle

Whatever tolerance we had for failure has been turned upside down in the cloud. The consequences have never been greater. So, whats the solution? As made clear in Coalfires latest Cloud Advisory Board CAB Securealities report, smartest path to DevSecOps transformation, nothing is more important t...

0.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2021/11/23 6:6 p.m.15 views

CMMC 2.0 – what, how, and why act now?

With the recent streamlining of the Cybersecurity Maturity Model Certification CMMC framework, the path to assure Defense Industrial Base DIB cybersecurity has changed dramatically from what was originally planned. Theres a lot to learn about CMMC 2.0, but the objective remains the same: protect...

6.7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/09/26 1:0 a.m.15 views

Applied ThreadFix: Seeding Your Application Portfolio with OWASP Amass

OWASP Amass is a great tool for asset discovery and enterprise attack surface mapping. It pulls data from a number of different data sources and identifies potential hosts and applications associated with organizations, domains, IP CIDRs and other identifiers. As we have noted, having a solid...

2.8AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/07/16 8:32 p.m.15 views

So much compliance to do…so little time (and people!)

In my seven years at Coalfire I've had the pleasure of working with dedicated compliance professionals at organizations of all shapes and sizes. Over time I've seen the pressure on these fine folks increase tenfold as the stream of new compliance obligations jumps its banks and becomes a flood. T...

0.6AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/05/28 11:5 p.m.15 views

A new way to manage supply chain risk – Introducing the AICPA SOC for Supply Chain report

With the continuation of its System and Organization Controls SOC suite of services SOC 2®, SOC for Cybersecurity, etc., the American Institute of Certified Public Accountants AICPA has released a new report format that focuses on manufacturing and distribution supply chains. The AICPAs SOC for...

1.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/05/26 3:56 p.m.15 views

Establishing risk appetite is key to effective risk management

The mission of an enterprise risk management program is to respond to and monitor risks to the enterprises operations and objectives. In order to properly respond to and monitor risks, the enterprise must establish risk appetite thresholds. Well-established and well-communicated risk appetite...

2.1AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/05/21 12:19 a.m.15 views

Remote Workforce is NOT the New Norm, but “Secure Work Anywhere” Should Be

Secure Work Anywhere SWA is a new term for an old idea that is quickly becoming an industry standard. The overall principles of SWA are not new, but the risks associated with increased rates of workers connecting from potentially unsecure networks highlight the importance of those principles now...

2.8AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/04/27 4:44 p.m.15 views

So your company has decided to do FedRAMP - What does that mean?

The exponential increase in cloud adoption in recent years has led to a dramatic increase in technology companies evolving from software and application companies to Software as a Service SaaS, Platform as a Service PaaS or Infrastructure as a Service IaaS providers. The 2011 release of the Cloud...

3.5AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/04/15 4:6 p.m.15 views

Should cloud service providers be concerned with FIPS 140-3?

If youve dealt with FedRAMP, you may already know that FIPS 140-2 is the standard for cryptographic modules published by the National Institute of Standards and Technology NIST. All cloud service providers CSPs who wish to be FedRAMP compliant must use only crypto modules that have been validated...

7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2020/02/25 2:0 a.m.15 views

What are the benefits of SAST testing in CI/CD pipelines?

Static application security testing SAST is traditionally used in software development lifecycles both early on in the process and often to "white box" test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providi...

1.9AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2018/09/19 12:57 a.m.15 views

The Unhealthy Security of Healthcare

I have been involved in a number of healthcare penetration tests here at Coalfire and in my previous roles. I have hacked electronic medical records, medical devices, and most importantly, humans. From my time as a systems engineer at a medical device and systems vendor to my current role at...

1.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2018/01/26 7:3 p.m.15 views

The Archimedes Medical Device Security 101 Conference - A Secure Forum for Security Issues

The University of Michigans Archimedes Center for Medical Device Security hosted its second annual MDS 101 conference in Orlando this month. The conference provides a secure forum for attendees to speak freely about cybersecurity issues with respected professionals who can help establish best...

2.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/12/18 9:23 p.m.15 views

Black Hat Europe puts cybersecurity on the C-Suite Agenda

Black Hat is renowned for being one of the biggest, most technical security conferences in the world operating in the USA, Europe and Asia. 2017 marks Europes first Black Hat Executive summit, a format well received for senior executives to be able to openly discuss cyber security concerns and...

2.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/10/05 6:13 p.m.15 views

How I discovered CVE-2017-13707

New Vulnerability Found Using Techniques Taught at Black Hat USA One of the topics I teach in Coalfires Adaptive Penetration Testing course, given most recently at Black Hat 2017, is manual privilege escalation on Linux- and Unix-based systems. I also talk about how common it is to gain an initia...

1.5AI score0.03025EPSS
Exploits1
The Coalfire Blog
The Coalfire Blog
added 2017/09/27 9:9 p.m.15 views

The Value of Governance in Minimizing Cybersecurity Incidents

Part Two of a Three Part Series Since Equifaxs September 15th statement about their well-publicized, broadly discussed major security incident, Coalfire has fielded multiple inquiries from clients who are wondering if such an incident could happen to them, and if there is anything that they can d...

0.3AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2017/06/16 11:11 p.m.15 views

AWS Public Sector Summit 2017: Cloud Super Powers and Security

Coalfire recently returned from the Amazon Web Services AWS Public Sector Summit, held in Washington, D.C., which addresses some of the most pressing issues todays leaders face around security, governance and compliance, and more. While Coalfire has attended the show in the past, we were especial...

1.6AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2016/12/30 1:30 p.m.15 views

New PCI DSS Scoping Guidance Corroborates Coalfire’s Approach

On Friday, December 6th 2016, the PCI Security Standards Council released their formal information supplement titled, Guidance for PCI DSS Scoping and Network Segmentation. This particular information supplement has been eagerly anticipated in the PCI DSS industry for several years. The document...

2.5AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/10/26 11:29 a.m.15 views

Breaching a bank in 20 minutes - Horror Stories 2015

I arrived onsite to suite 102 the banks corporate headquarters around 9:40 a.m. I was impersonating a local utility worker - with all the garments like a hardhat, clipboard, obnoxious yellow vest, and some old Timberland work boots. I played the part well...

2.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/07/10 8:42 a.m.15 views

What the PCI Council’s Point-to-Point-Encryption (P2PE) Update Means for You

Last week, the PCI Security Standards Council PCI SSC published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC documents library. According to the announcement, the highlights of the new version...

0.6AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2015/07/01 3:16 p.m.15 views

Banking with digital currency - A futuristic application

Digital Currency is a thing? $3 Billion dollars USD of money is out there in a digital format, not printed or managed by a government. It has many different product names and each one operates separately. One example of a digital currency is Bitcoin. It is only one of the many digital currencies...

1.7AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2014/06/26 10:23 a.m.15 views

What you need to know from the OCR’s Report to Congress on Breaches and HIPAA Rules Compliance

Last week the HHS Office for Civil Rights OCR issued their Annual Report to Congress on Breaches of Unsecured Protected Health Information PHI for calendar years 2011 and 2012. This is their second annual report required by the Health Information Technology for Economic and Clinical Health HITECH...

1.2AI score
Exploits0
The Coalfire Blog
The Coalfire Blog
added 2014/04/01 9:28 a.m.15 views

HIPAA Compliance: A Demanding Effort Yielding Deserved Benefits

The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 HIPAA has never been more scrutinized and highly regarded. The push towards compliance has fueled businesses large and small to explore the options and necessary requirements of HIPAA compliance...

1AI score
Exploits0
Total number of security vulnerabilities603