603 matches found
IT Security Horror Stories: The Case of the Phantom Technician
At Coalfire Labs, we discover--and help our clients address--a lot of scary security and compliance problems. Like zombies out looking for a victim, nefarious characters are out to attack your IT infrastructure and compromise your systems. Even when organizations have protections in place, the...
The hackerproof password? Tips and advice on password management
Having some security expert tell you that you should be creating strong passwords that are unique per account and change frequently is like your dentist telling you that you should floss morning, night and after consuming any dentally dangerous foods. The majority of us say, "yeah right". The tru...
Password Management: How many do you need to remember?
In todays online world, the proliferation of usernames and passwords has resulted in a cottage industry springing up to meet the need to keep track of them in a secure manner. Software and hardware providers have developed a number of unique approaches to deal with this problem, but they all...
Coalfire in the News
Its been quite a season in the world of IT security as we move into 2012. As experts in our field, we are often asked to comment on current trends and recent stories. Take some time to check out what we have had to say recently:...
Coalfire Appoints Larry Jones to Board of Directors
We are proud to announce the election of Larry Jones to our board of directors. Larry is the former CEO of StarTek, Activant, Message Media and NeoData, and is a seasoned veteran in technology services. He also serves on the board of Comverge, Inc., a publicly traded provider of smart grid, deman...
The dark side of AI data privacy: What you need to know to stay secure
This blog post examines the threats of data leakage, bias, and overcollection in AI systems, offering valuable insights and recommendations for effective risk mitigation...
Mastering AI Risks: Navigating the NIST AI RMF Core with Coalfire
This article delves into mastering AI risks through the application of the NIST AI Risk Management Framework RMF Core. It emphasizes the importance of understanding and mitigating the multifaceted risks associated with AI, from ethical dilemmas to data security, and introduces Coalfires tailored...
Maximizing the value of threat modeling
Explore four practices that maximize the value of threat models throughout the entire development lifecycle...
The state of cybersecurity compliance in 2023 – part 1
This first blog in the series captures the key takeaways from Coalfires Annual Compliance Report...
Four key questions for privacy programs in the U.S.
With new state privacy laws passed each year, organizations are tasked with developing privacy programs that are compliant with applicable laws. To help organizations identify their current privacy program maturity, privacy professionals can ask four questions to determine where they stand...
Threat and vulnerability management - No time for complacency
There was some very good news in Coalfires 4th Annual Penetration Risk Report. Most notable was that high-risk vulnerabilities have been cut almost in half since 2018 when we first began reporting our pen testing research derived from thousands of direct client engagements. Also of note, the larg...
FAQ: Transitioning to the highly anticipated new revision of ISO 27001
For a group like Coalfire Certification that lives and breathes these standards daily, it has been an exciting few months monitoring the progress of this publication and its review through the various ISO working groups...
It’s time to bite the bullet for more secure software
On September 14, 2022, the Office of Management and Budget OMB released their M-22-18 memorandum on "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices." This document builds upon previous government documents such as Executive Order EO 14028...
Security as a differentiator: How to market the secure customer experience
Leveraging software development lifecycle security as a go-to-market differentiator is imperative in setting companies apart from competitors. As Coalfires Cloud Advisory Board and my colleague Gail Coury eloquently pointed out in our recent Securealities Report, Smartest Path to DevSecOps...
View TPRM risk through four lenses
In recent years, as attackers seek to gain entry and disrupt business through vendors, Third Party Risk Management TPRM has proven to be a top priority item for every organization. As organizations mitigate the risks associated with a third party-related attack, leaders should continue to address...
A little actually doesn’t go a long way: Fight the urge to shortcut your TPRM program
Third Party Risk Management TPRM is hard to get right. Ineffective TPRM is when 83% of legal and compliance leaders identify third party risks after due diligence, despite spending 73% of effort on due diligence. This is supported by 49% of business leaders saying they lack a centralized strategy...
Governing the organization
Security is the biggest risk to business today. Managing security has become one of the hardest jobs in the enterprise, and failing to do so effectively can create opportunities for severe operational disruption. One of the keystone conclusions from Coalfires Cloud Advisory Boards the Smartest Pa...
A Bridge Over the Chasm: A Primer on the Release of PCI 4.0
The Payment Card Industry PCI Security Standards Council SSC has just released version 4.0 of the Data Security Standard DSS. Developing DSS 4.0 took almost four years and included several rounds of Request for Comments RFC from Participating Organizations and other interested parties. This new...
The Long-Term Impact of Log4j
In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Software suppliers should expect vendor security questionnaires to expand in scope and detail around application security practices. Its relatively easy for software buyers to...
Staying current with HITRUST advisory changes
As a result of an ever-evolving threat landscape, compliance requirements are proliferating at an unprecedented rate. It can be overwhelming to keep up with the staggering number of new and updated regulations, compliance frameworks, and standards. HITRUST®, founded in 2007, recognized this...
AppSec concerns: UUID generation
During static analysis, one of the things the application security team checks for is strong random number generation for security sensitive contexts. We see weaknesses in this space quite often for temporary passwords and session identifiers, but an increasingly common variant is for universally...
Using Azure Blueprints to Control Azure Compliance
As Peter Parker says, with great power comes great responsibility. And so it goes with public cloud: With cloud scale and agility come cloud-scale problems and compliance nightmares. Every day, IT professionals balance the need to act quickly--often leveraging cloud speed of execution to implemen...
Help Net Security – ThreadFix 3.0 Review
Help Net Security recently published a review of ThreadFix 3.0. Security Researcher, Toni Grzinic, took a deep dive into our vulnerability management platform and broke down everything from infrastructure, reporting and analytics, to integrations, and beyond. Click here to read Tonis full review ...
Using DAST to Expand DevOps Security Coverage
The state of application security is constantly evolving with changing web architectures and approaches. These changes are making security teams employ a wider range of techniques and toolsets to find vulnerabilities within their applications. Web and mobile applications each present their own...
Planning Ahead to Prevent Vulnerabilities
The cost to remediate vulnerabilities increases as those vulnerabilities make it further into the development process. If they make it into a final release, those vulnerabilities can leave organizations vulnerable to attacks, costing time and resources to address, as well as causing damage to the...
Establishing risk appetite is key to effective risk management
The mission of an enterprise risk management program is to respond to and monitor risks to the enterprises operations and objectives. In order to properly respond to and monitor risks, the enterprise must establish risk appetite thresholds. Well-established and well-communicated risk appetite...
FedRAMP – 8 years in and 100 assessments achieved
Back in 2011, if you had asked me what cloud computing was, I would have looked at you with a blank look on my face. At the time, I was supporting a Federal client when my boss asked me to assist in applying to become a 3PAO. I had no clue what 3PAO even stood for it stands for Third-Party...
ERC.Net – A Toolset for Analyzing Windows Application Crashes
ERC.Net is a collection of tools designed to assist in analyzing and debugging Windows application crashes in order to identify potential security vulnerabilities. Supporting both 64 and 32 bit applications, ERC.Net has many use cases including parsing Windows file headers, identifying compile-ti...
Dodge Data Breaches with Real-Time PCI Compliance
Its been five years since the PCI Council released the first "Best Practices for Maintaining PCI DSS Compliance" guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organizations compliance...
Coalfire participates in cybersecurity disaster exercise at the 2019 HSCC Spring Summit
The Healthcare and Public Health Sector Coordinating Council HSCC conducted their biannual Joint Cybersecurity Working Group JCWG All-Hands Meeting on April 3-4, 2019. As a member of HSCC, Coalfire participated in the JCWG meeting with other security leaders from across the healthcare industry an...
Upcoming Changes to Cryptographic Findings in Q4 2018
The security world is a constantly changing and evolving landscape, and as part of Coalfire's commitment to security, we need to constantly review and update vulnerability information for vulnerability scanning to keep up. We've made some changes to previously acceptable vulnerability checks, whi...
A Cyber Engineering Primer: Vulnerability Management Lifecycle
According to the SANS Institute, "Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management...
PCI Compliance: Early-TLS and Cloud Service Providers
Organizations tracking their PCI compliance are likely aware of the impending June 30, 2018 deadline to disable SSLv3 and early-TLS. This blog post examines the special case of Cloud Service Providers CSPs and how their customers should proceed to achieve compliance...
Cyber Engineering for 2018 and Beyond
2017 could be considered one of the most exciting or horrifying years in the technology industry. End-of-year statistics showed that the number of reported breaches in the business sector saw a 21% increase over the previous year, and headlines from all major news outlets were riddled with report...
She Powers Tech
November 28th at the Venetian in Las Vegas, AWS re:INVENT held an important session that could shape the future of technology. The sold-out session, SHE POWERS TECH: Women Supporting Women in Tech, filled a ballroom with 500 women in technology and a few men who were interested in the topic. The...
Blockchain: Are You Ready?
By now, most of us have heard of Bitcoin. Few of us really know the specifics about what that is. Fewer still have a workable or even cursory knowledge of the underlying technology that makes Bitcoin possible...
Blueborne – Don’t Panic!
Here is what we know right now: Security company Armis recently released research identifying eight newly discovered vulnerabilities that exist in the wireless communications protocol Bluetooth, which could potentially affect a large percentage of the estimated 8.2 billion Bluetooth enabled...
Getting cert-y with all-5 AWS certs
I thought my recent experience achieving all five 5 AWS certs might be helpful to others in the community that are looking to do the same. However, this blog isnt meant to stand on its own, and I encourage everyone interested in going for all 5 certs to read other blogs posts too...
SOC 2 Type 1 and SOC 2 Type 2 Frequently Asked Questions
Coalfires SOC Practice Directors Dixon Wright and Jeff Cook recently conducted a webinar on AWS and SOC Reporting, What you need to know. The presentation provided a lot of good points that organizations should know or be prepared for regardless of the technology that is being used. Below you wil...
Cloud Burst?
The cloud can burst!? This weeks AWS service disruption showed us the importance of architecting a system to account for failure, and how to be successful when deploying your solution in the cloud...
FedRAMP Readiness Assessment Report (RAR) template launched
As part of the FedRAMP Accelerated process, cloud service providers CSPs can now complete a Readiness Assessment Report RAR to demonstrate their readiness for the FedRAMP process. The RAR is required for CSPs pursuing the FedRAMP JAB approval route. CSPs should also consider having a Readiness...
FedRAMP in Bloomberg
Recently Bloomberg Government published an article that describes the increasing awareness of the Federal Risk and Authorization Management Program FedRAMP as a major factor affecting the federal marketspace. The article indirectly indicates a major first-mover advantage, as there are "only 77...
EC Ruling Invalidates Safe Harbor - Now What?
In a ruling on October 7, 2015 the European Court of Justice ECJ invalidated the principal European component of the U.S.-E.U. Safe Harbor Framework when it ruled in Schrems v. Data Protection Commissioner. In the ruling the court said that the existing U.S.-EU Safe Harbor agreement, overseen by...
WS2-Cybersecurity Fundamentals Workshop
2 day Workshop Saturday 17 October - Sunday 18 October, 9:00 a.m. - 5:00 p.m...
RFPs and Needs Assessments for Higher Education
In this blog post, I will be discussing RFP best practices for Higher Education Institutions. Having worked with higher education organizations for a number of years, Ive noticed some trends that could be useful as you and your department or institution head into another year of projects that may...
COSO Framework for Service Organizations and SOC Reporting (Part 3 of 3)
In part 1 of this series, we discussed the recent changes to the COSO framework and the overall impact that the updated framework has on service organizations that receive Service Organization Controls SOC reports...
PCI DSS version 3.1 released!
As expected, a "minor" revision to the PCI DSS 3.0 standard now version 3.1 was released by the PCI SSC today to address the vulnerabilities exposed by the POODLE and BEAST browser attacks. PCI DSS 3.1 primarily addresses the insecure use of SSL as an encryption protocol within a Cardholder Data...
COSO Framework for Service Organizations and SOC Reporting (Part 1 of 3)
One of the most important reference tools that companies use to establish and evaluate their internal controls is the Committee of Sponsoring Organizations COSO Internal Control - Integrated Framework. Initially published in 1992 the 1992 Framework, the COSO framework has been the most widely use...
Emerging Payment Technologies and Due Diligence: A Warning about “Silver Bullets”
2015 will be an exciting year for the payments industry, especially for merchants that now have a number of new payment technologies at their disposal. Emerging payment technologies such as Point-to-Point-Encryption P2PE, Tokenization, EMV/Chip and Signature and Mobile Payment Acceptance are...
Their Claim to Fame – So-Called HIPAA-Compliance Experts and Tools
Have you noticed how many vendors and software solutions are out there claiming they can make you HIPAA-compliant? Well, at the end of the day thats simply not possible because only you can make your organization HIPAA-compliant. I came up with a list of "red flags" that I typically see from...