603 matches found

The Coalfire Blog
added 2014/04/03 11:36 a.m., 12 views

DoD DIACAP transition to RMF approved

Welcome DIARMF! This has been a long time coming. From DITSCAP to DIACAP and now to DIARMF, the Department of Defense approved the transition to a Risk Management Framework (RMF) approach developed by NIST on March 12. What does this mean for Information Systems and Platform Information Technology...

The Coalfire Blog
added 2014/04/02 6:04 p.m., 9 views

University Data Breaches Pose Threat to Students, Academic Openness

North Dakota State University administrators confirmed last week that hackers never accessed the personal information of more than 200,000 students, faculty and staff housed on the server they successfully infiltrated. This attack perfectly suits the modern hacker's MO. They attack open systems...

The Coalfire Blog
added 2014/04/01 11:56 a.m., 11 views

It wasn't raining when Noah built the ark

This month movie-goers around the world will flock, possibly two-by-two, to see Darren Aronofsky's Noah, a silver-screen adaptation of the timeless biblical story starring Russell Crowe and Jennifer Connelly. Whether one interprets the flood narrative literally or figuratively, this fact remains: t...

The Coalfire Blog
added 2014/04/01 9:28 a.m., 14 views

HIPAA Compliance: A Demanding Effort Yielding Deserved Benefits

The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been more scrutinized and highly regarded. The push towards compliance has fueled businesses large and small to explore the options and necessary requirements of HIPAA compliance...

The Coalfire Blog
added 2014/03/17 11:41 a.m., 11 views

The PCI DSS 3.0 SAQs are here!

The Payment Card Industry Security Standards Council (PCI SSC) released Data Security Standard (DSS) 3.0 in November 2013 and has just released the related Self-Assessment Questionnaires (SAQ). There are two new SAQs, SAQ A-EP and SAQ B-IP...

The Coalfire Blog
added 2014/02/28 8:33 a.m., 11 views

PCI SSC Releases New SAQ Versions for 3.0

As expected, the SSC finally released the new version of the Self-Assessment Questionnaires (SAQs) today on their website. They are available on the PCI SSC's website here:...

The Coalfire Blog
added 2014/02/26 9:49 a.m., 8 views

Would EMV Help?

With the spate of cyber attacks on US retailers recently, Coalfire's European Managing Director, Andrew Barratt, considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where chip and PIN technology is more widely deployed...

The Coalfire Blog
added 2014/02/11 9:30 a.m., 18 views

PCI DSS 3.0 ROC Reporting Template Released

Heads up for our PCI customers: the PCI SSC released the "ROC Reporting Template for v3.0" this last weekend and it is available here. This document supports the PCI DSS 3.0 standard and must be used by all QSA organizations to create and submit a Report on Compliance (ROC). What does this mean?...

The Coalfire Blog
added 2014/02/06 1:04 p.m., 14 views

Target Hackers Broke in Via HVAC Company?

When I first heard about the account used to gain access to the Target environment, my first reaction was to laugh at the ridiculousness of the HVAC vendor having an impact on the CDE like it seems to or is rumored to have had in the recent breach. Then I started thinking with the PCI controls,...

The Coalfire Blog
added 2014/01/20 6:11 p.m., 10 views

Are you ready for PA-DSS 3.0?

There's been a lot of chatter about PA-DSS 3.0 among several early-adopter application vendors. As of January 1, 2014 it's permissible to validate against 3.0 in place of a 2.0 validation. Longevity of the 3.0 validation and the desire to be validated first on a new standard seem to be driving the...

The Coalfire Blog
added 2014/01/14 12:37 p.m., 10 views

Detecting and Preventing Compromises in Retail Payment Systems

Information Week's Matthew Swartz published an article on the recently-confirmed payment card breaches at Target, Neiman Marcus and three other unnamed retailers. This article and many others reveal that these attacks involve sophisticated malware, and some even suggest it is the work of the same...

The Coalfire Blog
added 2013/12/12 3:15 p.m., 13 views

Free and low-cost tools for PCI DSS Compliance

Complying with the PCI DSS requires policies and processes plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, I've seen and assessed a variety of free and low-cost (under $200) software tools that help our...

The Coalfire Blog
added 2013/12/10 1:09 p.m., 11 views

A Proven Strategy for Implementing Vendor Management Programs

Every regulated industry includes a requirement for managing third-party risk. Some industries are further along the path and have more mature processes than others. However, there are tried and true methodologies and standards established by those early movers that we can utilize across other...

The Coalfire Blog
added 2013/11/27 12:53 p.m., 10 views

What every CIO should know about the new ISO 27001:2013 framework

Originally released in 2005, the ISO 27001 standard has recently been updated with additional guidelines for assessing risks within information management systems. These changes constitute the first revisions to the standard in eight years and have major implications for organizational compliance...

The Coalfire Blog
added 2013/11/26 6:07 p.m., 27 views

The Ponemon Institute 2013 Cost of Cyber Crime Study is out

Before anyone else conjures up the image of Steve Martin in The Jerk running down the street with the new phone book and declaring the obvious to all around him, let's put this study in perspective. There is nothing new or unexpected in the 2013 study. We have had it confirmed that cybercrime is...

The Coalfire Blog
added 2013/11/04 5:51 p.m., 19 views

2013 PCI SSC European Community Meeting Wrap-Up

Matt Getzleman - PCI Practice Director, Dan Fritsche - Director, Solution Validation, Andrew Barratt - Managing Director UK, and Brian Pennington - Regional Sales Director, discuss the recent PCI SSC Community Meeting in Nice, France...

The Coalfire Blog
added 2013/10/29 11:51 a.m., 13 views

IT Security Horror Story #3: Ghost in the Machine

A supernatural sequence of automotive portals and applications yields a ghostly in-car phenomenon. READ MORE…IF YOU DARE -...

The Coalfire Blog
added 2013/10/29 11:23 a.m., 5 views

IT Security Horror Story #2: A Tale of Spooky Hosted Images

Image manipulation madness causes a near disaster for a popular web site. READ MORE…IF YOU DARE -...

The Coalfire Blog
added 2013/10/29 11:06 a.m., 11 views

IT Security Horror Story #1: The Case of the Phantom Blood Red Team

An unsuspecting Fortune 100 company allows horrible creatures into their building and systems during a Red Team engagement. READ MORE…IF YOU DARE -...

The Coalfire Blog
added 2013/10/21 2:01 p.m., 10 views

2013 PCI SSC North America Meeting – Wrap-Up

Coalfire sent the entire team to the meeting in Las Vegas and everyone reported a positive and engaging experience. We hosted our annual dinner where we caught up with clients and friends - a good time was had by all. The most valuable technical information was presented during the Assessors Only...

The Coalfire Blog
added 2013/09/23 11:55 a.m., 12 views

College students concerned about information security

Universities and colleges have been under significant pressure to upgrade their technology both in and out of the classroom. For instance, many organizations turn to mobility as a way to engage students and facilitate learning campus-wide. While much of the discussion is around issues such as the...

The Coalfire Blog
added 2013/09/18 8:00 a.m., 17 views

BYOD Survey 2013: Employees and Companies Remain Lax with BYOD Security

Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than...

The Coalfire Blog
added 2013/09/10 12:54 p.m., 14 views

PCI DSS 3.0 puts emphasis on year-round awareness

It's easy to think of PCI compliance as just another annual hoop to jump through. Of course, after the annual audit, the business is safe for another 12 months, right? Well, not exactly, and with the upcoming release of PCI DSS 3.0, there will be an even bigger reason to think about compliance...

The Coalfire Blog
added 2013/08/28 10:00 a.m., 9 views

Are you in danger of missing the HIPAA Omnibus?

On September 23, 2013, many companies will be required by law to comply with HIPAA…and they don't even know it. Specifically, the final HIPAA Omnibus Rule pulls all companies under the law if they store, process, or transmit PHI data as part of their business processes. While the Omnibus Rule was...

The Coalfire Blog
added 2013/08/15 12:57 p.m., 13 views

Highlights of Newly Released PCI DSS 3.0 Information

The standards are coming! The PCI SSC has finally let loose with some much needed information regarding the upcoming releases of the PCI DSS 3.0 and PA DSS 3.0 standards. Available on the PCI SSC website, the document titled "Version 3.0 Change Highlights" contains information on what PCI...

The Coalfire Blog
added 2013/08/13 1:45 p.m., 11 views

MAPCO Incident Highlights the Risks Faced by All Convenience Stores

On May 6, 2013, convenience store operator MAPCO Express, Inc. did a responsible thing - they issued a press release that shared important information about a data security incident that was discovered at their stores. Such notices, along with a whole lot of behind-the-scenes investigative work...

The Coalfire Blog
added 2013/06/28 7:45 a.m., 14 views

The Rapidly Changing World of Mobile Application Payment Systems Compliance

In this series of Compliance Talk, Dirk and Ken are back at their favorite coffee shop, this time joined by Dan Fritsche. Dan is Coalfire's Director of Solution Validated Services and is considered a thought leader on mobile payments, P2PE and other emerging trends in the payments industry...

The Coalfire Blog
added 2013/05/13 7:36 p.m., 12 views

PCI DSS 3.0 Is Coming Soon

The PCI Security Standards Council (SSC) plans on releasing the newest version of the PCI Data Security Standard in October 2013. Predictably, the PCI SSC has been tight-lipped on divulging details regarding any expected changes...

The Coalfire Blog
added 2013/05/13 12:00 a.m., 13 views

Determining if your Company is Prepared for FedRAMP

Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSA's FedRAMP.gov site provides documentation on the FedRAMP process in their "Guid...

The Coalfire Blog
added 2013/05/06 8:27 a.m., 11 views

Compliance Talk: Debt Collectors and PCI

As the largest IT audit and compliance advisor in the U.S., Coalfire is exposed to a wide variety of compliance concerns. In this series of Compliance Talk blogs, Dirk and Ken are back at their favorite coffee shop…the Bean and Berry in Louisville, Colorado. Over a couple cappuccinos, their...

The Coalfire Blog
added 2013/04/26 6:00 a.m., 17 views

Agencies to report progress with FedRAMP

The FedRAMP PMO recently conducted webinars on April 23 and 25 regarding Agencies' requirement to report their progress on compliance with FedRAMP. The discussion covered the FedRAMP progress to date, the reporting requirements and the process for moving services to FedRAMP authorized cloud service...

The Coalfire Blog
added 2013/04/22 9:01 a.m., 10 views

The PCI DSS Cloud Computing Guidelines: An Executive Summary

The PCI SSC and its Cloud Special Interest Group have released the Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a big contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing...

The Coalfire Blog
added 2013/04/04 11:56 a.m., 11 views

Getting Your Databases Audit Ready

Your database is perhaps one of the most sensitive targets for cybercriminals, as it is your company's primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist for your perimeter network and also for your internal systems, best practices require you to...

The Coalfire Blog
added 2013/03/21 2:48 p.m., 17 views

Information Governance: Get Data Classification Right First

Data classification is one of the most crucial elements of an effective information governance process, yet it's also one that many companies fail to implement well. In its simplest terms, data classification is the process of categorizing data based on its level of sensitivity. When done properly...

The Coalfire Blog
added 2013/03/14 11:58 a.m., 18 views

War on Passwords? Check with Your QSA First!

Passwords have long been the workhorse of user authentication schemes, and many security experts are speaking out on the need for more effective controls. It seems like hardly a week goes by when we don't see a password breach in the news...

The Coalfire Blog
added 2013/03/11 12:44 p.m., 13 views

Whether you are a large or small business, beware of these 5 common security problems

Every January, the trade press is full of New Year's resolution-like advice… things to do in the coming year; even Coalfire made a few predictions for 2013. I work at Coalfire Labs, and since our business is IT security and testing, we want to share some advice on how to avoid your systems and...

The Coalfire Blog
added 2013/03/08 2:47 p.m., 11 views

Creative Ideas for Replacing Passwords

Passwords have been the de facto manner of providing security for IT systems. They've got a bad reputation, but it's not the passwords themselves that deserve the reputation - it's the individuals using them and the weak standards to which these passwords are managed. In fact, a password system...

The Coalfire Blog
added 2013/03/06 12:06 p.m., 14 views

The FFIEC proposes guidance on social media - can you stay two steps ahead?

On January 22, 2013, the FFIEC put out a press release called "Financial Regulators Propose Guidance on Social Media". We should begin by saying that even without a social media presence, every company should address social media risks in their annual risk assessment. In this day and age where th...

The Coalfire Blog
added 2013/02/14 3:23 p.m., 10 views

White House Executive Order on Cyber Security

The tense standoff between an unresponsive Congress and a reluctant critical infrastructure industry has been broken. On February 13, 2013, the President issued an Executive Order that provides initial guidance for the country to confront escalating cyber threats. Finally, we have someone with th...

The Coalfire Blog
added 2013/02/06 2:35 p.m., 11 views

All Aboard the HIPAA Omnibus - but is the ‘bus’ missing anything?

In the wake of the recently-released HIPAA Omnibus Rule with its upcoming deadline, healthcare organizations are trying to figure out how they're going to achieve compliance. We've been busy trying to get through the 563-page rule and determine what it means to our clients...

The Coalfire Blog
added 2013/01/21 2:56 p.m., 11 views

Long-awaited HIPAA Omnibus Rule is Unveiled

As of January 17, 2013, the HIPAA Omnibus Rule has finally been released by the Department of Health and Human Services (HHS), which will modify the HIPAA privacy, security, and enforcement rules. The package of regulations, in regard to this long-overdue HIPAA Omnibus Rule, will officially be post...

The Coalfire Blog
added 2013/01/16 1:19 p.m., 14 views

FedRAMP PMO - FedRAMP Process and Developing SSP webinar Q&A

The FedRAMP program continues to gain momentum, and GSA and the FedRAMP PMO conduct great, interactive webinars available to attend live or to watch later. There is much to learn from the GSA on how to navigate the FedRAMP process according to their requirements...

The Coalfire Blog
added 2013/01/15 3:44 p.m., 8 views

South Carolina Data Breach Survey Results on Residents' Attitudes

Coalfire recently conducted a survey of South Carolina residents who were victims of the recent data breach at the Department of Revenue. The data breach affected residents of the State who had filed their taxes online, exposing 3.8 million taxpayer Social Security numbers and nearly 400,000 credi...

The Coalfire Blog
added 2013/01/15 11:25 a.m., 12 views

The PCI SAQ P2PE-HW: Patience, POIs and PIMs

The new PCI SAQ P2PE-HW (Point-to-Point Encryption) Self-Assessment Questionnaire was released in July 2012, and many merchants are excited about the prospect of a shorter, less arduous compliance validation effort. After all, it's significantly shorter than the SAQ-D; instead of 12 sections, there are...

The Coalfire Blog
added 2013/01/15 10:47 a.m., 12 views

What's Next in Retail IT? The Convergence of Mobile, P2PE and the Cloud

Greetings from the Javits Center in New York City, the site of the National Retail Federation's Big Show. This year, the theme of NRF is "Next". When it comes to Retail technology - and in particular, security and compliance - the most talked about "next" things are:...

The Coalfire Blog
added 2013/01/08 12:15 p.m., 9 views

Small Breach, Big Settlement

Earlier this week the Department of Health and Human Services (HHS) announced the first ever breach settlement where fewer than 500 patient records were compromised. The $50,000 settlement was issued as a result of 441 patient records being stored on an unencrypted laptop that was stolen from the...

The Coalfire Blog
added 2013/01/07 12:47 p.m., 15 views

P2PE Hybrid, the next best thing since the Prius

P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what mu...

The Coalfire Blog
added 2012/12/20 9:51 p.m., 8 views

What “Dexter Malware” tells us about the future of POS security (It might just be P2PE)

The recently announced Dexter malware is targeting POS systems and once in, it collects sensitive credit card data and surreptitiously sends it off to attackers. While the details of this particular attack are not yet available, this is not the first time this general approach has been exploited...

The Coalfire Blog
added 2012/11/13 9:18 a.m., 7 views

FedRAMP Question and Answer session from PMO webinar

On October 25, the FedRAMP PMO conducted its first webinar, in what will be a series of webinars, on the FedRAMP process. This first webinar covered the four methods by which CSPs can get listed in the FedRAMP repository. This webinar is well worth the time to listen to it. The PMO had a lengthy Q&A...

The Coalfire Blog
added 2012/10/29 3:37 p.m., 14 views

Penetration Testing Frequently Asked Questions

You may have noticed this recent article about Google's contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Lab...
