603 matches found
Coalfire Expands Dallas Office and Names Kurt Hagerman Managing Director
I am pleased to announce that our Dallas office is growing by leaps and bounds. Leading the charge is Kurt Hagerman, the newly appointed managing director. Kurt will serve more than 60 clients in the Southwest region and oversee Coalfires strategic vision while building new client relationships f...
HIPAA Compliance and Call Centers
In a previous post titled Is It Safe to Speak? Protection for Telephone-Based Payment Card Data, I commented on the PCI SSC new requirements for call center operations and recording systems. Call center security has been a hot topic for a long time. How safe is the information that is given over...
Botnets: 2011 Rocky Mountain Information Security Conference
Botnets have become one of the most dangerous cyber threats affecting businesses today. Botnets criminals focus on the same things as most criminals: money and information. That is why these criminals are targeting payroll, human resources departments, C-level executives and senior strategists...
Guardians of IoT: Addressing IoT security vulnerabilities in electric vehicles and charging stations
The rise of electric vehicles EVs and charging infrastructure necessitates robust security measures, especially in the context of IoT integration. Explore the vulnerabilities in EV systems and potential risks, proposing mitigation strategies like firmware updates, user authentication, intrusion...
White House cyber strategy: leadership is now accountable
The National Cybersecurity Strategy represents one of the most significant market-driving forces in the history of IT. It ushers in a new era of standards, requirements, and best practices that will define how our economy works and how buyers interact with sellers for decades to come...
FAQ: Transitioning to the highly anticipated new revision of ISO 27001
For a group like Coalfire Certification that lives and breathes these standards daily, it has been an exciting few months monitoring the progress of this publication and its review through the various ISO working groups...
FedRAMP just got better – and is here to stay
Today, President Biden signed the National Defense Authorization Act NDAA, taking a giant step forward in securing the federal governments cloud-first mission. The FedRAMP® Federal Risk and Authorization Management Program Authorization Act, outlined in section 5921 of the NDAA, formalizes the...
Mobile app usage soars but security still falls short
Benchmark analysis of mobile apps shows 99% have security or privacy vulnerabilities. These weaknesses can cause exposure of sensitive information and jeopardize brand reputation, customer trust and company value...
Understanding compliance platform capabilities: black box automation has its limitations
Compliance is hard. It is not a "black box" of opaque inputs and outputs, where systems and data are hidden and where users are oblivious to their inner workings. There has yet to be a product made that can magically produce all the evidence sufficient for testing and verification across the wide...
CMMC – The smoke is clearing
The smoke is finally starting to clear on "CMMC 2.0." Hundreds of companies are already lining up for Cybersecurity Maturity Model Certification assessments. Everything is taking place faster and with far more urgency than most organizations have planned around or prepared for...
A survey of FedRAMP’s new supply chain requirements
Over the past few years, supply chain management has shifted from a background requirement that everyone unknowingly relies upon, to being a commonly talked about aspect of our everyday lives. The Federal government has ramped up its effort to gain a handle on supply chain threats as a result of...
The right ASM tools include understanding where the real risk lies
While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies arent looking or maybe not prioritizing and reaping the reward through bug bounty programs...
General Overview of Vulnerability Management
In a world where most companies take nearly six months to detect a data breach, establishing a comprehensive and continuous process for identifying, classifying, mitigating and preventing security vulnerabilities within an organization can help prevent current cybersecurity challenges...
Azure Policies
Welcome back to Part Two of our four-part Blueprint Series. Today's post covers the use of Azure Policies within a Blueprint deployment along with ARM templates and permissions management. Azure Policies are the critical component of Azure Blueprints. Policies, like ARM Templates, are JSON...
So Long, Privacy Shield
In whats rapidly becoming the splashiest news to hit the privacy space in years, the Court of Justice of the EU CJEU, the highest court in the European Union, invalidated the U.S. Privacy Shield, a legal instrument that made it possible for organizations operating in the United States to transfer...
Applied ThreadFix: Security teams collaborating with development teams
Modern enterprises are distributed. Most ThreadFix deployments have stakeholders spanning development and security teams and those team members are spread around the globe. To support these distributed organizations, ThreadFix has a number of collaboration features that make teams more efficient...
So your company has decided to do FedRAMP - What does that mean?
The exponential increase in cloud adoption in recent years has led to a dramatic increase in technology companies evolving from software and application companies to Software as a Service SaaS, Platform as a Service PaaS or Infrastructure as a Service IaaS providers. The 2011 release of the Cloud...
With IoT, common devices pose new threats
For Instance… Hackers Setting Your 3D Printer on Fire The world is careening toward the reality that almost all electronics in your home and business are connected to the internet. Many of these devices contain things like heating elements, batteries, and motors that are entirely...
NIST SP 800-171A Assessment: Finalized Assessment Objectives Foster a Roadmap to Compliance
On June 13, 2018, NIST formally released their Special Publication SP 800-171A, Assessing Security Requirements Controlled Unclassified Information CUI.This publication provides organizations with an assessment methodology to evaluate their compliance with the CUI security requirements defined in...
Incident Response: Do Your Vendor Contracts Have Claws (for Liability)?
In previous blogs, weve discussed some of the struggles organizations have when responding to cyber incidents. For many, it is the recovery aspect, and specifically vendor liability for the data or privacy breach, that poses many questions. In trying to assign liability, the obvious place to star...
AWS Certified Cloud Practitioner: A Valuable Certification for Professionals in Non-Technical Roles
Within the past year, AWS unveiled what is arguably one of the best programs they have ever offered to non-technical professionals in the AWS Partner Network APN: the AWS Certified Cloud Practitioner certification. The program, which is especially valuable for those in sales or marketing roles,...
NIST Interagency Report on IoT: An Incremental Step Toward IoT Standards
The Internet of Things IoT has been widely regarded as representing a significant cybersecurity risk, which will only grow as connected devices continue to proliferate. As an important step in addressing these concerns, the Interagency International Cybersecurity Standardization Working Group IIC...
Introducing Red Baron - Automate the Creation of Resilient, Disposable, Secure, and Agile Infrastructure for Red Teams
The need to automate the creation of disposable red-team infrastructure is key to providing effective adversary simulations. As Coalfire Labs continued to grow, our team needed a system to quickly configure and spin up C2 and/or phishing infrastructure, run multiple campaigns at the same time, an...
Scripted Inputs and Splunk
Splunk is an extremely versatile tool when dealing with data: - Monitor files? Check! - Listen in on an open port? Check! - Monitor the file system? Performance monitor? HTTP Event Collector? - Check, check aaaaand check! But what if the data you want to ingest does not have a method listed...
Just a Few Seats Left at the Coalfire Adaptive Pen Testing Training at Black Hat!
Black Hat is just around the corner, and Coalfire is gearing up for the best Adaptive Penetration Testing Training yet! Weve adapted the Adaptive Penetration Test Training course with new instructors, enriched content, and new labs to provide the richest training to date. The revised training now...
Q&A from P2PE-NESA Webinar for Merchants
The selection of a PCI-listed P2PE solution and determination of expected benefits can be challenging for even the most sophisticated merchants. The introduction of the NESA program can make decisions more difficult. To help guide merchants, Coalfire and FreedomPay held a webinar "P2PE & NESA for...
Ransomware Response: To Pay or Not to pay
Recently, I was speaking with a CISO friend of mine and he mentioned that his company suffered a breach. I asked if it was a ransomware attack, and sadly, that was the case. Malware had infected nearly every connected computer. Clearly there was a breakdown in protective controls, but Ill get to...
Reconciling Quarterly ASV and QSA Scanning Requirements
In the compliance realm, the term "quarterly" seems to be a sound and straight-forward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context in relation to dealing with various compliance requirements from your ASV and QS...
Ghosts in the Bank
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished his lights. I looked out the my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk I pulled out my tools for the night. A backpack full of trash bags, a flash...
What to Expect in the PCI 3.2 Update
A preview of new requirements and guidance expected later this month from the Payment Card Industry Security Standards Council was announced Thursday. The PCI DSS 3.2 version represents the first update to the standard that the Council has released since 3.1 in April 2015 and 3.0 in November of...
Report from the PCI SSC North American Community Meeting
The Payment Card Industry Security Standards Council held their 2015 North American Community Meeting this year in Vancouver, BC, from September 29 - October 1. Coalfire was well represented at the meeting, with Dan Fritsche, Managing Director, Application Security, making two presentations at th...
COSO Framework for Service Organizations and SOC Reporting (Part 2 of 3)
Every SOC report whether it is a SOC 1, SOC 2 or SOC 3 should include information about the service organizations risk assessment process. Risk assessment can take many forms and there is no "one size fits all" format. Risk assessment is intended to be an evolutionary process, designed to meet th...
Law Firm - Forensics Services
As cyber threats and attacks have increased year over year, Coalfire has seen a drastic increased need for support to law firms in cybersecurity cases. Attacks and threats vary so often, many law firms lack the skills required to properly evaluate cyber-attacks involving their clients. As such la...
IT Security Horror Story: Digging your own grave with Default Credentials
I recently performed a penetration test that really required no "hacking skills" whatsoever. I was able to obtain domain administrator rights simply by logging into web applications and network hardware using default credentials...
IT Security Horror Story: Slow Network, Big Phish
It was a typical morning, just like any other for Annie. She arrived at the office just in time to fill her coffee mug and get to her desk to read her email that had been piling up since Friday. After reading through the standard office wide emails she came across one from the help desk...
PCI Community Meeting - EMV Chip Update
Randy Vanderhoof, Executive Director, EMV Migration Forum EMF, presented the EMV Chip Update today at Day Two of the PCI Community Meeting. The session provided attendees with insights into the EMV chip migration process in the U.S. and how this impacts PCI security efforts...
Stop Hitting the Snooze Button
In the aftermath of the most damaging retail breach in history, a CEO in the financial industry explained his companys position on the issue:...
What you need to know from the OCR’s Report to Congress on Breaches and HIPAA Rules Compliance
Last week the HHS Office for Civil Rights OCR issued their Annual Report to Congress on Breaches of Unsecured Protected Health Information PHI for calendar years 2011 and 2012. This is their second annual report required by the Health Information Technology for Economic and Clinical Health HITECH...
Emerging Threats and Going Beyond Compliance
I recently presented to a C-level gathering of retail finance executives about the industrys changing threat landscape and the emerging threats facing omni-channel sellers. The retail security environment has changed dramatically in the past few years. Not that long ago, retailers mostly worried...
The Lesson of eBay
After every major cyber breach, security professionals are asked about the lessons we can learn from them. While the technical details of the eBay attack arent yet public, we can already learn lessons about from companys public statements and its communications to its customers...
The Top 3 Security Issues in Federal Cloud Computing
A journalist recently asked me for my top three pressing concerns related to Federal cloud security. Here are a few points I had to offer up...
Target Hackers Broke in Via HVAC Company?
When I first heard about the account used to gain access to the Target environment, my first reaction was to laugh at the ridiculousness of the HVAC vendor having an impact on the CDE like it seems to or is rumored to have had in the recent breach. Then I started thinking with the PCI controls,...
Free and low-cost tools for PCI DSS Compliance
Complying with the PCI DSS requires policies and processes plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, Ive seen and assessed a variety of free and low-cost under $200 software tools that help our...
PCI DSS 3.0 puts emphasis on year-round awareness
Its easy to think of PCI compliance as just another annual hoop to jump through. Of course, after the annual audit, the business is safe for another 12 months, right? Well, not exactly, and with the upcoming release of PCI DSS 3.0, there will be an even bigger reason to think about compliance...
The Rapidly Changing World of Mobile Application Payment Systems Compliance
In this series of Compliance Talk, Dirk and Ken are back at their favorite coffee shop, this time joined by Dan Fritsche. Dan is Coalfires Director of Solution Validated Services and is considered a thought leader on mobile payments, P2PE and other emerging trends in the payments industry...
Determining if your Company is Prepared for FedRAMP
Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSAs FedRAMP.gov site provides documentation on the FedRAMP process in their "Guid...
Whether you are a large or small business, beware of these 5 common security problems
Every January, the trade press if full of new years resolution-like advice… things to do in the coming year, even Coalfire made a few predictions for 2013. I work at Coalfire Labs, and since our business is IT security and testing, we want to share some advice on how to avoid your systems and...
FedRAMP PMO - FedRAMP Process and Developing SSP webinar Q&A
The FedRAMP program continues to gain momentum and GSA and the FedRAMP PMO conduct great, interactive, webinars available to attend live or to watch later. There is much to learn from the GSA on how to navigate the FedRAMP process according to their requirements...
Penetration Testing Frequently Asked Questions
You may have noticed this recent article about Googles contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Lab...
IT Security Horror Stories: The Case of the Phantom Technician
At Coalfire Labs, we discover--and help our clients address--a lot of scary security and compliance problems. Like zombies out looking for a victim, nefarious characters are out to attack your IT infrastructure and compromise your systems. Even when organizations have protections in place, the...