DoD DIACAP transition to RMF approved
Welcome DIARMF! This has been a long time coming. From DITSCAP to DIACAP and now to DIARMF, the Department of Defense approved the transition to the Risk Management Framework (RMF) approach developed by NIST on March 12. What does this mean for Information Systems and Platform Information Technology...
University Data Breaches Pose Threat to Students, Academic Openness
North Dakota State University administrators confirmed last week that hackers never accessed the personal information of more than 200,000 students, faculty and staff housed on the server they successfully infiltrated. This attack perfectly suits the modern hacker's MO. They attack open systems...
It wasn't raining when Noah built the ark
This month movie-goers around the world will flock, possibly two-by-two, to see Darren Aronofsky's Noah, a silver-screen adaptation of the timeless biblical story, starring Russell Crowe and Jennifer Connelly. Whether one interprets the flood narrative literally or figuratively, this fact remains: t...
HIPAA Compliance: A Demanding Effort Yielding Deserved Benefits
The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been more scrutinized and highly regarded. The push towards compliance has fueled businesses large and small to explore the options and necessary requirements of HIPAA compliance...
The PCI DSS 3.0 SAQs are here!
The Payment Card Industry Security Standards Council (PCI SSC) released Data Security Standard (DSS) 3.0 in November 2013 and has just released the related Self-Assessment Questionnaires (SAQs). There are two new SAQs, SAQ A-EP and SAQ B-IP...
PCI SSC Releases New SAQ Versions for 3.0
As expected, the SSC finally released the new version of the Self-Assessment Questionnaires (SAQs) today on their website. They are available on the PCI SSC's website here:...
Would EMV Help?
With the spate of cyber attacks on US retailers recently, Coalfire's European Managing Director, Andrew Barratt, considers how the attacks on retailers differ outside the US and what the potential impact of similar attacks is in a world where chip and PIN technology is more widely deployed...
PCI DSS 3.0 ROC Reporting Template Released
Heads up for our PCI customers: the PCI SSC released the "ROC Reporting Template for v3.0" this last weekend and it is available here. This document supports the PCI DSS 3.0 standard and must be used by all QSA organizations to create and submit a Report on Compliance (ROC). What does this mean?...
Target Hackers Broke in Via HVAC Company?
When I first heard about the account used to gain access to the Target environment, my first reaction was to laugh at the ridiculousness of the HVAC vendor having an impact on the CDE like it seems to or is rumored to have had in the recent breach. Then I started thinking with the PCI controls,...
Are you ready for PA-DSS 3.0?
There's been a lot of chatter about PA-DSS 3.0 among several early-adopter application vendors. As of January 1, 2014 it's permissible to validate against 3.0 in place of a 2.0 validation. Longevity of the 3.0 validation and the desire to be validated first on a new standard seem to be driving the...
Detecting and Preventing Compromises in Retail Payment Systems
InformationWeek's Mathew Schwartz published an article on the recently confirmed payment card breaches at Target, Neiman Marcus and three other unnamed retailers. This article and many others reveal that these attacks involve sophisticated malware, and some even suggest it is the work of the same...
Free and low-cost tools for PCI DSS Compliance
Complying with the PCI DSS requires policies and processes plus implementing and managing a variety of software tools. As a QSA who has performed many PCI assessments for merchants and service providers, I've seen and assessed a variety of free and low-cost (under $200) software tools that help our...
A Proven Strategy for Implementing Vendor Management Programs
Every regulated industry includes a requirement for managing third-party risk. Some industries are further along the path and have more mature processes than others. However, there are tried and true methodologies and standards established by those early movers that we can utilize across other...
What every CIO should know about the new ISO 27001:2013 framework
Originally released in 2005, the ISO 27001 standard has recently been updated with additional guidelines for assessing risks within information management systems. These changes constitute the first revisions to the standard in eight years and have major implications for organizational compliance...
The Ponemon Institute 2013 Cost of Cyber Crime Study is out
Before anyone else conjures up the image of Steve Martin in The Jerk running down the street with the new phone book and declaring the obvious to all around him, let's put this study in perspective. There is nothing new or unexpected in the 2013 study. We have had it confirmed that cybercrime is...
2013 PCI SSC European Community Meeting Wrap-Up
Matt Getzleman - PCI Practice Director, Dan Fritsche - Director, Solution Validation, Andrew Barratt - Managing Director UK, and Brian Pennington - Regional Sales Director, discuss the recent PCI SSC Community Meeting in Nice, France...
IT Security Horror Story #3: Ghost in the Machine
A supernatural sequence of automotive portals and applications yields a ghostly in-car phenomenon...
IT Security Horror Story #2: A Tale of Spooky Hosted Images
Image manipulation madness causes a near disaster for a popular web site...
IT Security Horror Story #1: The Case of the Phantom Blood Red Team
An unsuspecting Fortune 100 company allows horrible creatures into their building and systems during a Red Team engagement...
2013 PCI SSC North America Meeting – Wrap-Up
Coalfire sent the entire team to the meeting in Las Vegas and everyone reported a positive and engaging experience. We hosted our annual dinner, where we caught up with clients and friends; a good time was had by all. The most valuable technical information was presented during the Assessors-Only...
College students concerned about information security
Universities and colleges have been under significant pressure to upgrade their technology both in and out of the classroom. For instance, many organizations turn to mobility as a way to engage students and facilitate learning campus-wide. While much of the discussion is around issues such as the...
BYOD Survey 2013: Employees and Companies Remain Lax with BYOD Security
Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than...
PCI DSS 3.0 puts emphasis on year-round awareness
It's easy to think of PCI compliance as just another annual hoop to jump through. Of course, after the annual audit, the business is safe for another 12 months, right? Well, not exactly, and with the upcoming release of PCI DSS 3.0, there will be an even bigger reason to think about compliance...
Are you in danger of missing the HIPAA Omnibus?
On September 23, 2013, many companies will be required by law to comply with HIPAA, and they don't even know it. Specifically, the final HIPAA Omnibus Rule pulls all companies under the law if they store, process, or transmit PHI data as part of their business processes. While the Omnibus Rule was...
Highlights of Newly Released PCI DSS 3.0 Information
The standards are coming! The PCI SSC has finally let loose with some much-needed information regarding the upcoming releases of the PCI DSS 3.0 and PA-DSS 3.0 standards. Available on the PCI SSC website, the document titled "Version 3.0 Change Highlights" contains information on what PCI...
MAPCO Incident Highlights the Risks Faced by All Convenience Stores
On May 6, 2013, convenience store operator MAPCO Express, Inc. did a responsible thing: they issued a press release that shared important information about a data security incident that was discovered at their stores. Such notices, along with a whole lot of behind-the-scenes investigative work...
The Rapidly Changing World of Mobile Application Payment Systems Compliance
In this series of Compliance Talk, Dirk and Ken are back at their favorite coffee shop, this time joined by Dan Fritsche. Dan is Coalfire's Director of Solution Validated Services and is considered a thought leader on mobile payments, P2PE and other emerging trends in the payments industry...
PCI DSS 3.0 Is Coming Soon
The PCI Security Standards Council (SSC) plans on releasing the newest version of the PCI Data Security Standard in October 2013. Predictably, the PCI SSC has been tight-lipped on divulging details regarding any expected changes...
Determining if your Company is Prepared for FedRAMP
Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSA's FedRAMP.gov site provides documentation on the FedRAMP process in their "Guid...
Compliance Talk: Debt Collectors and PCI
As the largest IT audit and compliance advisor in the U.S., Coalfire is exposed to a wide variety of compliance concerns. In this series of Compliance Talk blogs, Dirk and Ken are back at their favorite coffee shop, the Bean and Berry in Louisville, Colorado. Over a couple of cappuccinos, their...
Agencies to report progress with FedRAMP
The FedRAMP PMO recently conducted webinars on April 23 and 25 regarding agencies' requirement to report their progress on compliance with FedRAMP. The discussion covered the FedRAMP progress to date, the reporting requirements and the process for moving services to FedRAMP-authorized cloud service...
The PCI DSS Cloud Computing Guidelines: An Executive Summary
The PCI SSC and its Cloud Special Interest Group have released the Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a big contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing...
Getting Your Databases Audit Ready
Your database is perhaps one of the most sensitive targets for cybercriminals, as it is your company's primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist for your perimeter network and also for your internal systems, best practices require you to...
Information Governance: Get Data Classification Right First
Data classification is one of the most crucial elements of an effective information governance process -- yet it's also one that many companies fail to implement well. In its simplest terms, data classification is the process of categorizing data based on its level of sensitivity. When done properly...
War on Passwords? Check with Your QSA First!
Passwords have long been the workhorse of user authentication schemes, and many security experts are speaking out on the need for more effective controls. It seems like hardly a week goes by when we don't see a password breach in the news...
Whether you are a large or small business, beware of these 5 common security problems
Every January, the trade press is full of New Year's resolution-like advice: things to do in the coming year; even Coalfire made a few predictions for 2013. I work at Coalfire Labs, and since our business is IT security and testing, we want to share some advice on how to avoid your systems and...
Creative Ideas for Replacing Passwords
Passwords have been the de facto manner of providing security for IT systems. They've got a bad reputation, but it's not the passwords themselves that deserve the reputation; it's the individuals using them and the weak standards to which these passwords are managed. In fact, a password system...
The FFIEC proposes guidance on social media - can you stay two steps ahead?
On January 22, 2013, the FFIEC put out a press release called "Financial Regulators Propose Guidance on Social Media". We should begin by saying that even without a social media presence, every company should address social media risks in their annual risk assessment. In this day and age where th...
White House Executive Order on Cyber Security
The tense standoff between an unresponsive Congress and a reluctant critical infrastructure industry has been broken. On February 13, 2013, the President issued an Executive Order that provides initial guidance for the country to confront escalating cyber threats. Finally, we have someone with th...
All Aboard the HIPAA Omnibus - but is the ‘bus’ missing anything?
In the wake of the recently released HIPAA Omnibus Rule with its upcoming deadline, healthcare organizations are trying to figure out how they're going to achieve compliance. We've been busy trying to get through the 563-page rule and determine what it means to our clients...
Long-awaited HIPAA Omnibus Rule is Unveiled
As of January 17, 2013, the HIPAA Omnibus Rule has finally been released by the Department of Health and Human Services (HHS), which will modify the HIPAA privacy, security, and enforcement rules. The package of regulations for this long-overdue HIPAA Omnibus Rule will officially be post...
FedRAMP PMO - FedRAMP Process and Developing SSP webinar Q&A
The FedRAMP program continues to gain momentum, and GSA and the FedRAMP PMO conduct great, interactive webinars available to attend live or to watch later. There is much to learn from the GSA on how to navigate the FedRAMP process according to their requirements...
South Carolina Data Breach Survey Results on Residents' Attitudes
Coalfire recently conducted a survey of South Carolina residents who were victims of the recent data breach at the Department of Revenue. The data breach affected residents of the State who had filed their taxes online, exposing 3.8 million taxpayer Social Security numbers and nearly 400,000 credi...
The PCI SAQ P2PE-HW: Patience, POIs and PIMs
The new PCI SAQ P2PE-HW (Point-to-Point Encryption Self-Assessment Questionnaire) was released in July 2012, and many merchants are excited about the prospect of a shorter, less arduous compliance validation effort. After all, it's significantly shorter than the SAQ-D; instead of 12 sections, there are...
What's Next in Retail IT? The Convergence of Mobile, P2PE and the Cloud
Greetings from the Javits Center in New York City, the site of the National Retail Federation's Big Show. This year, the theme of NRF is "Next". When it comes to retail technology, and in particular security and compliance, the most talked about "next" things are:...
Small Breach, Big Settlement
Earlier this week the Department of Health and Human Services (HHS) announced the first ever breach settlement where fewer than 500 patient records were compromised. The $50,000 settlement was issued as a result of 441 patient records being stored on an unencrypted laptop that was stolen from the...
P2PE Hybrid, the next best thing since the Prius
P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what mu...
What “Dexter Malware” tells us about the future of POS security (It might just be P2PE)
The recently announced Dexter malware is targeting POS systems; once in, it collects sensitive credit card data and surreptitiously sends it off to attackers. While the details of this particular attack are not yet available, this is not the first time this general approach has been exploited...
FedRAMP Question and Answer session from PMO webinar
On October 25, the FedRAMP PMO conducted its first webinar, in what will be a series of webinars, on the FedRAMP process. This first webinar covered the four methods by which CSPs can get listed in the FedRAMP repository. This webinar is well worth the time to listen to it. The PMO had a lengthy Q&A...
Penetration Testing Frequently Asked Questions
You may have noticed this recent article about Google's contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Lab...