603 matches found
Background Checks on AIs and Other Challenges in the PCI World
Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. Wed like to review our recent experience and offer suggestions for these comparatively novel situations...
Icebreaker: Chip Away at Active Directory Passwords, Automatically
To break the ice with Active Directory and shorten the cycles penetration testers spend on cracking passwords, I developed Icebreaker, a tool that automates network attacks against Active Directory and provides plaintext credentials. Icebreaker performs five network attacks in order...
DFARS 7012 Compliance
At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Science and Technology NIST Special Publication SP 800-171. We also address requests for help with "DFARS 7012," which is a commonly used shorthand for Defense Acquisition Regulation...
Healthcare Security Pros Prioritize Sharing and Caring in the Wild, Wild West of Healthcare
Security professionals from healthcare delivery organizations HDOs, medical device manufacturers, and pharmaceutical companies gathered in Scottsdale, Arizona for the NH-ISAC Cyber Rodeo Summit last month. The big topics were how to share more threat intelligence, while at the same time ensuring...
Deploying and Troubleshooting Compliance Baselines
If you are in the IT space, youve most likely encountered or are bound by some form of regulation/framework such as PCI, HIPAA, FISMA, and/or CGIS. Most of these compliance programs require a hardened baseline to be implemented within your information systems to reduce the risk and impact of an...
Coalfire’s Adaptive Penetration Testing at Black Hat Helped Prepare Tomorrow’s Security Talent
What makes a penetration tester highly successful? Most obviously, the technical skills to hack into a network, application, or location comes to mind first, and without those capabilities and the ability to continuously learn, an aspiring pen tester has a tough road ahead of them...
Black Hat 2017: training, cybersecurity trends and end-point protection
Every year, Black Hat is a highly anticipated event in the cybersecurity community--and Black Hat 2017 certainly did not disappoint! It was yet another year of record traffic, bustling with visitors from the security community that want to strengthen their security skills and postures...
What is Defcon
The first year I attended, I was lucky enough to identify interesting wireless signals with a distinct sound - that of the POCSAG and FLEX protocols. Decoding these signals revealed party invites to the Telephreak party where I listened to raw, uncensored lightning talks covering topics from car...
Coalfire goes to Washington!
Our CEO Larry Jones visited The White House Thursday morning to join with First Lady Michelle Obama and Dr. Biden in the celebration of the Joining Forces initiatives fifth-year anniversary and announce Coalfires pledge to hire and train veterans and military spouses...
The 100 Million Dollar Getaway - Horror Stories 2015
In todays security landscape, companies face daily threats to their reputation and intellectual property. The typical response to these threats is to purchase a tool or a service claiming to be a magical silver bullet that can respond to all "cyber" threats. In reality, the quest for a security...
The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo
European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice ECJ declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European...
Is penetration testing required for HIPAA compliance?
In this blog post were going to focus our discussion on the technical requirement part of this standard. The evaluation is supposed to establish the extent to which a covered entitys or business associates security policies and procedures meet the requirements of the HIPAA Security Rule. A questi...
How do cyber insurer's assess cyber risk?
Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London. As mentioned in one of Ricks earlier blog entries analyzing the Target kill chain, the communication between...
P2PE Hybrid, the next best thing since the Prius
P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what mu...
IT Security Horror Stories: Tale of the Fake IT Rep
Some IT security monsters arent as obvious as a Mummy. At Coalfire Labs, we discover--and help our clients address--some pretty scary security and compliance problems. There are lots of deceptive monsters looking to exploit the weaknesses of their victims. This is one of those terrifying but true...
Coalfire Client FireHost Achieves HITRUST CSF Certification
Yesterday, we were delighted to see our long-time client Firehost announce that they achieved Common Security Framework CSF "Certified" status from the HITRUST Alliance. Headquartered in Richardson, Texas, FireHost has made compliance a top priority, and weve enjoyed working with them to achieve...
What We Learned at HIMSS12
A few weeks ago, more than 35,000 healthcare IT professionals and 1,100 exhibitors converged on Las Vegas. Some were there to go shopping for "HIT" or health information technology; others were there to sell it. The IT professionals from across the healthcare spectrum were there to meet with each...
Cyber Security Fraud in the Banking Industry: Lessons Learned in OCC Examiner Training
In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions...
They Changed What? HIPAA & HITECH
In 1996, the Healthcare Insurance Portability and Accountability Act HIPAA opened the door to increased exchanges of healthcare information in an effort to improve care and reduce costs. The Act included new provisions for protected health information PHI. Since there are only a few limited revie...
Meet John Rostern: Managing Director of the New York Office
We are pleased to announce that John Rostern has joined Coalfire Systems as managing director of the New York office...
Improving compliance management with mappings and automation
Based on the research in Coalfires 2023 Securealities Compliance Report, the third blog in this series examines one of the top concerns of CISOs and compliance program managers: realizing the value of a platform to simplify compliance...
Guardians of IoT: Fortifying the financial sector in the age of IoT
The Internet of Things IoT has revolutionized the financial industry, but its associated security vulnerabilities and risks must be addressed to protect sensitive data...
What to look for in an audit partner
How are successful auditor partnerships formed? It starts with selecting the right auditor and taking them with you on your organizations compliance journey...
How medical device manufacturers can address new FDA cybersecurity guidelines
Advancements in technology in the healthcare industry have made medical devices increasingly vulnerable to cyber attacks. To embed better security practices into the manufacturing and implementation of medical devices, the FDA released a new mandate requiring a comprehensive cybersecurity plan fo...
Insider threats to the healthcare industry
A discussion of insider threats faced by the U.S. healthcare industry highlighting the types of threats and recommendations on how organizations can mitigate the risks...
Six steps to prepare your application security team for a penetration test
This blog post will show step-by-step how an application security team should prepare for a penetration test...
Highlights from FedRAMP®’s new Penetration Test Guidance
In an effort to stay on top of the evolving threats being faced by the cloud community, the FedRAMP PMO released Version 3.0 of their Penetration Test Guidance, dated June 30, 2022. 3PAOs and CSPs should begin using the updated pen test guide for pen tests beginning shortly after June 5, 2022,...
The right ASM tools include understanding where the real risk lies
While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies arent looking or maybe not prioritizing and reaping the reward through bug bounty programs...
The secure development lifecycle
Whatever tolerance we had for failure has been turned upside down in the cloud. The consequences have never been greater. So, whats the solution? As made clear in Coalfires latest Cloud Advisory Board CAB Securealities report, smartest path to DevSecOps transformation, nothing is more important t...
CMMC 2.0 – what, how, and why act now?
With the recent streamlining of the Cybersecurity Maturity Model Certification CMMC framework, the path to assure Defense Industrial Base DIB cybersecurity has changed dramatically from what was originally planned. Theres a lot to learn about CMMC 2.0, but the objective remains the same: protect...
Applied ThreadFix: Seeding Your Application Portfolio with OWASP Amass
OWASP Amass is a great tool for asset discovery and enterprise attack surface mapping. It pulls data from a number of different data sources and identifies potential hosts and applications associated with organizations, domains, IP CIDRs and other identifiers. As we have noted, having a solid...
So much compliance to do…so little time (and people!)
In my seven years at Coalfire I've had the pleasure of working with dedicated compliance professionals at organizations of all shapes and sizes. Over time I've seen the pressure on these fine folks increase tenfold as the stream of new compliance obligations jumps its banks and becomes a flood. T...
A new way to manage supply chain risk – Introducing the AICPA SOC for Supply Chain report
With the continuation of its System and Organization Controls SOC suite of services SOC 2®, SOC for Cybersecurity, etc., the American Institute of Certified Public Accountants AICPA has released a new report format that focuses on manufacturing and distribution supply chains. The AICPAs SOC for...
Establishing risk appetite is key to effective risk management
The mission of an enterprise risk management program is to respond to and monitor risks to the enterprises operations and objectives. In order to properly respond to and monitor risks, the enterprise must establish risk appetite thresholds. Well-established and well-communicated risk appetite...
Remote Workforce is NOT the New Norm, but “Secure Work Anywhere” Should Be
Secure Work Anywhere SWA is a new term for an old idea that is quickly becoming an industry standard. The overall principles of SWA are not new, but the risks associated with increased rates of workers connecting from potentially unsecure networks highlight the importance of those principles now...
So your company has decided to do FedRAMP - What does that mean?
The exponential increase in cloud adoption in recent years has led to a dramatic increase in technology companies evolving from software and application companies to Software as a Service SaaS, Platform as a Service PaaS or Infrastructure as a Service IaaS providers. The 2011 release of the Cloud...
Should cloud service providers be concerned with FIPS 140-3?
If youve dealt with FedRAMP, you may already know that FIPS 140-2 is the standard for cryptographic modules published by the National Institute of Standards and Technology NIST. All cloud service providers CSPs who wish to be FedRAMP compliant must use only crypto modules that have been validated...
What are the benefits of SAST testing in CI/CD pipelines?
Static application security testing SAST is traditionally used in software development lifecycles both early on in the process and often to "white box" test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providi...
The Unhealthy Security of Healthcare
I have been involved in a number of healthcare penetration tests here at Coalfire and in my previous roles. I have hacked electronic medical records, medical devices, and most importantly, humans. From my time as a systems engineer at a medical device and systems vendor to my current role at...
The Archimedes Medical Device Security 101 Conference - A Secure Forum for Security Issues
The University of Michigans Archimedes Center for Medical Device Security hosted its second annual MDS 101 conference in Orlando this month. The conference provides a secure forum for attendees to speak freely about cybersecurity issues with respected professionals who can help establish best...
Black Hat Europe puts cybersecurity on the C-Suite Agenda
Black Hat is renowned for being one of the biggest, most technical security conferences in the world operating in the USA, Europe and Asia. 2017 marks Europes first Black Hat Executive summit, a format well received for senior executives to be able to openly discuss cyber security concerns and...
How I discovered CVE-2017-13707
New Vulnerability Found Using Techniques Taught at Black Hat USA One of the topics I teach in Coalfires Adaptive Penetration Testing course, given most recently at Black Hat 2017, is manual privilege escalation on Linux- and Unix-based systems. I also talk about how common it is to gain an initia...
The Value of Governance in Minimizing Cybersecurity Incidents
Part Two of a Three Part Series Since Equifaxs September 15th statement about their well-publicized, broadly discussed major security incident, Coalfire has fielded multiple inquiries from clients who are wondering if such an incident could happen to them, and if there is anything that they can d...
AWS Public Sector Summit 2017: Cloud Super Powers and Security
Coalfire recently returned from the Amazon Web Services AWS Public Sector Summit, held in Washington, D.C., which addresses some of the most pressing issues todays leaders face around security, governance and compliance, and more. While Coalfire has attended the show in the past, we were especial...
New PCI DSS Scoping Guidance Corroborates Coalfire’s Approach
On Friday, December 6th 2016, the PCI Security Standards Council released their formal information supplement titled, Guidance for PCI DSS Scoping and Network Segmentation. This particular information supplement has been eagerly anticipated in the PCI DSS industry for several years. The document...
Breaching a bank in 20 minutes - Horror Stories 2015
I arrived onsite to suite 102 the banks corporate headquarters around 9:40 a.m. I was impersonating a local utility worker - with all the garments like a hardhat, clipboard, obnoxious yellow vest, and some old Timberland work boots. I played the part well...
What the PCI Council’s Point-to-Point-Encryption (P2PE) Update Means for You
Last week, the PCI Security Standards Council PCI SSC published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC documents library. According to the announcement, the highlights of the new version...
Banking with digital currency - A futuristic application
Digital Currency is a thing? $3 Billion dollars USD of money is out there in a digital format, not printed or managed by a government. It has many different product names and each one operates separately. One example of a digital currency is Bitcoin. It is only one of the many digital currencies...
What you need to know from the OCR’s Report to Congress on Breaches and HIPAA Rules Compliance
Last week the HHS Office for Civil Rights OCR issued their Annual Report to Congress on Breaches of Unsecured Protected Health Information PHI for calendar years 2011 and 2012. This is their second annual report required by the Health Information Technology for Economic and Clinical Health HITECH...
HIPAA Compliance: A Demanding Effort Yielding Deserved Benefits
The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 HIPAA has never been more scrutinized and highly regarded. The push towards compliance has fueled businesses large and small to explore the options and necessary requirements of HIPAA compliance...