603 matches found

The Coalfire Blog
added 2015/04/28 8:19 a.m., 50 views

Would Coalfire Clients benefit from membership with the PCAOB?

Coalfire Controls, LLC (Coalfire) is a registered Certified Public Accounting (CPA) firm registered with the American Institute of Certified Public Accountants (AICPA) and the Colorado State Board of Accountancy, as required to issue Service Organization Control (SOC) attestation reports in accordance wi...

AI score: 1.3
Exploits: 0
The Coalfire Blog
added 2015/04/15 1:16 p.m., 12 views

PCI DSS version 3.1 released!

As expected, a "minor" revision to the PCI DSS 3.0 standard (now version 3.1) was released by the PCI SSC today to address the vulnerabilities exposed by the POODLE and BEAST browser attacks. PCI DSS 3.1 primarily addresses the insecure use of SSL as an encryption protocol within a Cardholder Data...

AI score: 1.8
Exploits: 0
The Coalfire Blog
added 2015/04/14 2:30 p.m., 21 views

Where is your social security number today?

As April 15 approaches, the "water cooler" talk revolves around all types of topics related to the tax season. However, due to the overwhelming number of security breaches reported this past year, several individuals are finding that fraudulent tax filings were created with voluntarily provided...

AI score: 2
Exploits: 0
The Coalfire Blog
added 2015/03/20 2:53 p.m., 9 views

The Future of Healthcare Cybersecurity: The Best Defense is a Good Offense

In the last five years, with the increasing digitalization of health information, healthcare security breaches have increased four-fold, with the industry experiencing more breaches than any other in 2013. With a large number of potential targets and the high value of personal medical information o...

AI score: 2.3
Exploits: 0
The Coalfire Blog
added 2015/03/06 4:02 p.m., 14 views

COSO Framework for Service Organizations and SOC Reporting (Part 2 of 3)

Every SOC report, whether it is a SOC 1, SOC 2 or SOC 3, should include information about the service organization's risk assessment process. Risk assessment can take many forms and there is no "one size fits all" format. Risk assessment is intended to be an evolutionary process, designed to meet th...

AI score: 2
Exploits: 0
The Coalfire Blog
added 2015/02/24 12:31 p.m., 12 views

COSO Framework for Service Organizations and SOC Reporting (Part 1 of 3)

One of the most important reference tools that companies use to establish and evaluate their internal controls is the Committee of Sponsoring Organizations (COSO) Internal Control - Integrated Framework. Initially published in 1992 (the 1992 Framework), the COSO framework has been the most widely use...

AI score: 3
Exploits: 0
The Coalfire Blog
added 2015/02/19 12:46 p.m., 17 views

What do PCI DSS 3.1 and PA-DSS 3.1 mean for you and your organization?

In the wake of the POODLE vulnerability identified by NIST and subsequent attacks, the PCI SSC has announced its intent to release the first revision of the PCI DSS 3.0 and PA-DSS 3.0 standards. The PCI DSS 3.1 and PA-DSS 3.1 standards will indicate that the SSL v3.0 protocol no longer meets the...

AI score: 1.1
Exploits: 0
The Coalfire Blog
added 2015/02/09 11:13 a.m., 13 views

Emerging Payment Technologies and Due Diligence: A Warning about "Silver Bullets"

2015 will be an exciting year for the payments industry, especially for merchants that now have a number of new payment technologies at their disposal. Emerging payment technologies such as Point-to-Point Encryption (P2PE), Tokenization, EMV/Chip and Signature and Mobile Payment Acceptance are...

AI score: 1.1
Exploits: 0
The Coalfire Blog
added 2015/02/05 12:39 p.m., 9 views

Anthem Data Breach - A Message from Coalfire's Healthcare Practice Director

Several weeks ago I had the opportunity to speak on a panel at a healthcare conference. In attendance were CIOs, CISOs, VPs of IT, and members of legal counsel. The individuals attending the session represented organizations ranging from small- to medium-sized business associates all the way up t...

AI score: 1.3
Exploits: 0
The Coalfire Blog
added 2015/01/15 9:15 a.m., 13 views

Their Claim to Fame - So-Called HIPAA-Compliance Experts and Tools

Have you noticed how many vendors and software solutions are out there claiming they can make you HIPAA-compliant? Well, at the end of the day that's simply not possible, because only you can make your organization HIPAA-compliant. I came up with a list of "red flags" that I typically see from...

AI score: 2.4
Exploits: 0
The Coalfire Blog
added 2014/12/15 12:15 p.m., 13 views

Social Engineering - Beyond the Baseline

Coalfire Labs does a lot of Social Engineering testing. Traditional Social Engineering testing involves a mundane process of taking a sample of a population and then attacking those "targets" with some pretext calls or a phishing email in order to obtain credentials. Metrics are recorded and then...

AI score: 1.7
Exploits: 0
The Coalfire Blog
added 2014/12/11 12:14 p.m., 13 views

Law Firm - Forensics Services

As cyber threats and attacks have increased year over year, Coalfire has seen a drastically increased need for support to law firms in cybersecurity cases. Attacks and threats vary so often that many law firms lack the skills required to properly evaluate cyber-attacks involving their clients. As such, la...

AI score: 2.8
Exploits: 0
The Coalfire Blog
added 2014/12/09 11:52 a.m., 11 views

Top 10 Cybersecurity Predictions for 2015

Fueled by cybercrime, cyber warfare, and cyber terrorism, the cost of cybersecurity and risk management will double in 2015. That's the bad news. The good news is there will be a shift to cyber offense that will begin to stem the tide of cyber threats...

AI score: 6.9
Exploits: 0
The Coalfire Blog
added 2014/11/20 1:41 p.m., 12 views

Apple Pay and PCI Compliance

A year ago, many retail cybersecurity discussions began and ended with PCI compliance. Today, after a gut-wrenching 10 months of data breaches stretching from mom-and-pop shops to category-leading brands, the discussions are broader, the risks are better understood and every link in the customer...

AI score: 3.1
Exploits: 0
The Coalfire Blog
added 2014/10/31 2:34 p.m., 23 views

The PCI Enforcement Hammer is Ready to Drop

The time for nervous anticipation for PCI breach response is over... VISA has issued dramatic PCI Data Security Standard compliance enforcement guidance for Level 1 and 2 merchants and all Service Providers. Effective January 1st, 2015, noncompliance costs will be applied sooner and will escalate...

AI score: 2.3
Exploits: 0
The Coalfire Blog
added 2014/10/30 1:00 p.m., 9 views

Truth is SCARIER than Fiction Redux

Yes... To be honest, although we really do some neat stuff here at Coalfire Labs that can be pretty scary, I've got to give a shout out to "reality" for being even scarier than any emulated attack we could possibly develop. The astounding number of data breaches announced this year is just shockin...

AI score: 0.9
Exploits: 0
The Coalfire Blog
added 2014/10/29 5:25 p.m., 13 views

IT Security Horror Story: Digging your own grave with Default Credentials

I recently performed a penetration test that really required no "hacking skills" whatsoever. I was able to obtain domain administrator rights simply by logging into web applications and network hardware using default credentials...

AI score: 0.9
Exploits: 0
The Coalfire Blog
added 2014/10/29 10:44 a.m., 11 views

IT Security Horror Story: Is your Network an Unsegmented Haunted House?

One day I went to a client site to perform an internal penetration test to emulate the insider threat. This testing was designed to help this client understand the damage a rogue employee or an intruder who gained physical access to the network could do. The site that I was visiting was a storefront...

AI score: 0.3
Exploits: 0
The Coalfire Blog
added 2014/10/29 9:56 a.m., 13 views

IT Security Horror Story: Slow Network, Big Phish

It was a typical morning, just like any other for Annie. She arrived at the office just in time to fill her coffee mug and get to her desk to read her email that had been piling up since Friday. After reading through the standard office-wide emails she came across one from the help desk...

AI score: 1.2
Exploits: 0
The Coalfire Blog
added 2014/10/15 3:18 p.m., 22 views

POODLE vulnerability assessment

Vulnerability Summary: The POODLE vulnerability is due to a bug in the SSL protocol, whereas Heartbleed and Shellshock were vulnerabilities due to a bug in software. Heartbleed and Shellshock were confined to systems that ran vulnerable versions of software, whereas POODLE affects any system running an...

AI score: 1.4
Exploits: 0
The Coalfire Blog
added 2014/09/15 7:43 a.m., 12 views

Chertoff Group Security Series Educates Financial Services Institutions about Cybercrime

Last week I attended The Chertoff Group's Security Series on Building Resiliency for the Financial Services Sector. They provided insight into what they're doing to protect their organizations, how they see the industry evolving, and firsthand knowledge about emerging threats...

AI score: 3.6
Exploits: 0
The Coalfire Blog
added 2014/09/11 6:48 p.m., 8 views

Two final thoughts from the PCI Community Meeting

The 2014 North American PCI Community Meeting has drawn to a close, but the messages and lessons learned will continue to resonate with me long after I've returned home to Denver. There were two messages from the SSC this week that really struck a chord with me and I wanted to expand on why I thin...

AI score: 7.2
Exploits: 0
The Coalfire Blog
added 2014/09/10 8:40 a.m., 9 views

PCI Community Meeting Keynote

Admiral James Stavridis delivered this morning's PCI Community Meeting keynote presentation, "Sailing the Cyber Sea: The New Realities of 21st Century Security," to an engaged and near-capacity crowd. Admiral Stavridis, a four-star admiral and former NATO Supreme Allied Commander, touched briefly on...

AI score: 3.8
Exploits: 0
The Coalfire Blog
added 2014/09/10 8:25 a.m., 8 views

Forensics Session Takeaways from Day 2

Day two of the PCI Community Meeting presented an array of security topics ranging from best practices, EMV, security awareness, and more. I had the pleasure of sitting in on a forensics presentation, which leveraged information from a variety of industry leaders and provided valuable insight int...

AI score: 2.9
Exploits: 0
The Coalfire Blog
added 2014/09/10 8:08 a.m., 14 views

PCI Community Meeting - EMV Chip Update

Randy Vanderhoof, Executive Director, EMV Migration Forum (EMF), presented the EMV Chip Update today at Day Two of the PCI Community Meeting. The session provided attendees with insights into the EMV chip migration process in the U.S. and how this impacts PCI security efforts...

AI score: 1.4
Exploits: 0
The Coalfire Blog
added 2014/09/09 5:07 p.m., 19 views

Apple Pay: A New Way to Pay

Every September, Apple announces exciting new products that promise to change how we interact with not only our devices, but with the world around us. 2014 has been no exception; in San Francisco this morning, Apple announced the iPhone 6, Apple Watch and Apple Pay. Even though I'm excited about t...

AI score: 1
Exploits: 0
The Coalfire Blog
added 2014/09/08 10:04 a.m., 13 views

Stop Hitting the Snooze Button

In the aftermath of the most damaging retail breach in history, a CEO in the financial industry explained his company's position on the issue:...

AI score: 1.7
Exploits: 0
The Coalfire Blog
added 2014/08/28 11:00 p.m., 11 views

A New Cold War - with Many Sides

There's a lot we still don't know about the FBI's investigation of the data theft at JP Morgan Chase & Co. Criminal hackers based in Russia were targeting U.S. financial institutions long before Russia annexed Crimea or the West responded with sanctions. Is this trul...

AI score: 2.7
Exploits: 0
The Coalfire Blog
added 2014/08/22 2:59 p.m., 16 views

Heartbleed Aftershocks: Community Health Systems Breach, 4.5 Million Records Lost

The news this week that hackers from China compromised 4.5 million customer records held by Community Health Systems is just the latest indication that companies are not adequately protecting the information of the consumers they serve...

AI score: 3.4
Exploits: 0
The Coalfire Blog
added 2014/08/20 4:01 p.m., 18 views

A billion reasons to enhance your penetration testing

There are so many questions regarding those leaked Russian passwords. Is this for real? What sites are on that list? How can you tell if your site's users are in the "Russian Billion"? Isn't this just a matter of changing user passwords? Bottom line: As a company with websites that have user...

AI score: 3.8
Exploits: 0
The Coalfire Blog
added 2014/08/12 9:06 a.m., 12 views

Keeping your restaurant & hospitality Cardholder Data Environment safe

Reports of new credit card data breaches seem to be in the news daily. Recent high-profile breaches within major retailers this year should serve as a wake-up call to the restaurant and hospitality industries. As a result of having high volumes of credit card transactions and decentralized securi...

AI score: 0.8
Exploits: 0
The Coalfire Blog
added 2014/08/07 11:30 a.m., 16 views

Is the "Day of Reckoning" getting closer for a large scale cyber-attack?

The "Phony War" is how commentators described the seven-month period of eerie quiet that prevailed in Western Europe between Germany's 1939 invasion of Poland and its later move into the Benelux countries, when erstwhile allies Britain and France avoided offensive operations and simply waited for...

AI score: 3.9
Exploits: 0
The Coalfire Blog
added 2014/07/30 8:47 a.m., 18 views

The Federal Government in Financial Services' Cybersecurity

It's no secret that the internet has changed the way we do business in nearly every industry. On the other hand, the dangers of limited cyber regulations are quickly becoming a focus for the government due to the frequency and impact of data breaches. It's becoming apparent that convenience comes a...

AI score: 3.4
Exploits: 0
The Coalfire Blog
added 2014/07/25 2:37 p.m., 10 views

Secret Service Issues Warning to Hospitality Industry, Now What?

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We've put together this...

AI score: 2.5
Exploits: 0
The Coalfire Blog
added 2014/07/03 7:55 a.m., 11 views

Cybersecurity and the Financial Services Industry

2014 is the year that the US Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) is turning its focus to cybersecurity, a looming threat to any and all companies that utilize the internet. In case you missed my last post, back in March the OCIE hosted a...

AI score: 1.9
Exploits: 0
The Coalfire Blog
added 2014/06/26 10:23 a.m., 14 views

What you need to know from the OCR's Report to Congress on Breaches and HIPAA Rules Compliance

Last week the HHS Office for Civil Rights (OCR) issued their Annual Report to Congress on Breaches of Unsecured Protected Health Information (PHI) for calendar years 2011 and 2012. This is their second annual report required by the Health Information Technology for Economic and Clinical Health (HITECH)...

AI score: 1.2
Exploits: 0
The Coalfire Blog
added 2014/06/25 9:30 a.m., 14 views

Emerging Threats and Going Beyond Compliance

I recently presented to a C-level gathering of retail finance executives about the industry's changing threat landscape and the emerging threats facing omni-channel sellers. The retail security environment has changed dramatically in the past few years. Not that long ago, retailers mostly worried...

AI score: 3.6
Exploits: 0
The Coalfire Blog
added 2014/06/23 2:04 p.m., 10 views

HIMSS Privacy & Security Forum - West 2014 Wrap-Up

The first HIMSS Privacy & Security Forum in the western U.S. proved to be a success and was attended by over 300 people, including attendees (CEs and BAs), speakers, exhibitors, and partners. We reconnected with several clients and met new friends at our booth, which was located right in the middle ...

AI score: 1.3
Exploits: 0
The Coalfire Blog
added 2014/06/17 2:56 p.m., 12 views

Embracing the Cloud's Potential for Security

I spoke recently at TIA's Network of the Future conference. At the session, which was heavier on vendors than operators, the discussion was very focused on the cloud. Everyone wants to know what's coming next and if they're ready for it...

AI score: 3.2
Exploits: 0
The Coalfire Blog
added 2014/06/16 5:16 p.m., 15 views

How do cyber insurers assess cyber risk?

Last week I presented on risk transfer as a viable risk management option to compliance and security professionals at the Financial Crime Compliance Professionals Conference in London. As mentioned in one of Rick's earlier blog entries analyzing the Target kill chain, the communication between...

AI score: 2.3
Exploits: 0
The Coalfire Blog
added 2014/06/11 10:08 a.m., 11 views

Please make sure you have offline backups

This ransomware has hit not only personal computers, but also organizations, including a town in New Hampshire. This particular attack was carried out when an employee opened a seemingly legitimate email attachment, once again reminding us of the ever-present danger of social engineering...

AI score: 4.1
Exploits: 0
The Coalfire Blog
added 2014/06/02 12:45 p.m., 13 views

The Lesson of eBay

After every major cyber breach, security professionals are asked about the lessons we can learn from them. While the technical details of the eBay attack aren't yet public, we can already learn lessons from the company's public statements and its communications to its customers...

AI score: 2.8
Exploits: 0
The Coalfire Blog
added 2014/05/27 3:17 p.m., 12 views

What are Insurers really covering?

Across the country, executives and their boards saw the data breaches that occurred at large, well-run retailers and immediately began asking the right questions about their own systems and protections. The challenge for the insurance industry is that the plan for many of these companies seems to...

AI score: 5.2
Exploits: 0
The Coalfire Blog
added 2014/05/15 5:56 p.m., 7 views

FedRAMP deadline - Industry and Agency Days

The FedRAMP PMO sent out a notification that they are holding a FedRAMP Industry Day on June 4, 2014 and an Agency Day on June 10, 2014. Items to discuss include the June 5, 2014 deadline, NIST SP 800-53 rev 4 transitions and the 3PAO privatization progress, to name a few. We wanted to republish t...

AI score: 0.7
Exploits: 0
The Coalfire Blog
added 2014/05/07 2:38 p.m., 19 views

Target Kill Chain Analysis

Last week, I talked with Wall Street Journal reporter Ben DiPietro about the persistent communications gap between the data center and the board room when it comes to recognizing and tackling security threats: In almost every breach situation after his company completes a forensic analysis, Mr...

AI score: 1.1
Exploits: 0
The Coalfire Blog
added 2014/04/24 7:56 a.m., 17 views

New National Exam Program Risk Alert

In case you missed the most recent National Exam Program Risk Alert, you might want to head over to their website and determine what this may mean for you and your company. Since this may be a topic at your next board meeting, you should be prepared to answer any potential questions. Your board...

AI score: 1.3
Exploits: 0
The Coalfire Blog
added 2014/04/22 6:05 p.m., 11 views

Heartbleed - When Will the Next Shoe Drop?

Last week, while I was in the offices of one of our customers, a long-present but little-known vulnerability in OpenSSL became public knowledge. Our client detected it early and made the necessary patches and updates. The systems deployed by their customers are now secure. Consumers will change...

AI score: 2.5
Exploits: 0
The Coalfire Blog
added 2014/04/17 10:51 a.m., 13 views

The Top 3 Security Issues in Federal Cloud Computing

A journalist recently asked me for my top three pressing concerns related to Federal cloud security. Here are a few points I had to offer up...

AI score: 7
Exploits: 0
The Coalfire Blog
added 2014/04/10 9:00 a.m., 10 views

Heartbleed Vulnerability Bug: What You Need to Know

The widely publicized Heartbleed bug (http://heartbleed.com/) may be impacting as many as 500,000 systems across the Internet. Heartbleed is the name of a vulnerability in the OpenSSL program that powers encrypted communication to many of the world's web sites and private networks. Below you will fi...

AI score: 1.2
Exploits: 0
The Coalfire Blog
added 2014/04/04 3:05 p.m., 11 views

SEC Roundtable

On Wednesday, I attended a roundtable discussion the Securities and Exchange Commission held to gather information on cybersecurity trends and potential disclosure requirements for regulated public companies and stock exchanges...

AI score: 2.4
Exploits: 0

Total number of security vulnerabilities: 603