Corporate demand for cybersecurity ROI drives CISO metrics
Increasing cyber risks and decreasing budgets mean that C-suites and boards are demanding better cyber performance metrics and reporting from security teams...
Threat and vulnerability management - No time for complacency
There was some very good news in Coalfire's 4th Annual Penetration Risk Report. Most notable was that high-risk vulnerabilities have been cut almost in half since 2018 when we first began reporting our pen testing research derived from thousands of direct client engagements. Also of note, the larg...
Mobile app usage soars but security still falls short
Benchmark analysis of mobile apps shows 99% have security or privacy vulnerabilities. These weaknesses can cause exposure of sensitive information and jeopardize brand reputation, customer trust and company value...
FedRAMP® CSPs face a new challenge meeting FIPS Compliance
The Federal Risk and Authorization Management Program (FedRAMP) requires Cloud Service Providers (CSPs) to meet federal mandates and achieve or maintain a FedRAMP authorization. One of those mandates requires the consistent use of FIPS 140-2 validated cryptographic modules everywhere cryptography is...
FAQ: Transitioning to the highly anticipated new revision of ISO 27001
For a group like Coalfire Certification that lives and breathes these standards daily, it has been an exciting few months monitoring the progress of this publication and its review through the various ISO working groups...
Spotlight: Women of Coalfire part 3
In this spotlight series, we are recognizing some of the women at Coalfire who have shattered glass ceilings and forged their own paths despite the obstacles they faced. Karen Laughton and Michi Everett are two of these women. Karen was the first female to hold an executive position in delivery a...
Spotlight: Women of Coalfire part 2
It's been nearly 50 years since Congress formally recognized the 1920 certification of the 19th Amendment to the Constitution with Women's Equality Day on August 26. In the last half-century, women have made significant strides in the workforce and the world, but still face adversity due to their...
Spotlight: Women of Coalfire part 1
There is no area of society in which women are free of obstacles to their success due to their gender. I am all too familiar with inequity impacting women - including in the military - where I fought to correct the injustices that affected servicewomen. In the past, servicewomen who became pregna...
Highlights from FedRAMP®’s new Penetration Test Guidance
In an effort to stay on top of the evolving threats being faced by the cloud community, the FedRAMP PMO released Version 3.0 of their Penetration Test Guidance, dated June 30, 2022. 3PAOs and CSPs should begin using the updated pen test guide for pen tests beginning shortly after June 5, 2022,...
It’s time to bite the bullet for more secure software
On September 14, 2022, the Office of Management and Budget (OMB) released their M-22-18 memorandum on "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices." This document builds upon previous government documents such as Executive Order (EO) 14028...
Software supply chain security is coming of age
Coalfire's first Securealities Software Supply Chain Risk Report revealed dramatic budget increases for enterprise security in general and a growing demand for more testing, training, and process improvements in the battle to defend digital assets. But perhaps the most significant takeaway from th...
Sitting in cars with hackers
Are organizations doing enough to protect customer data? The auto industry can teach us a lot about vulnerability management...
Security as a differentiator: How to market the secure customer experience
Leveraging software development lifecycle security as a go-to-market differentiator is imperative in setting companies apart from competitors. As Coalfire's Cloud Advisory Board and my colleague Gail Coury eloquently pointed out in our recent Securealities Report, Smartest Path to DevSecOps...
View TPRM risk through four lenses
In recent years, as attackers seek to gain entry and disrupt business through vendors, Third Party Risk Management (TPRM) has proven to be a top priority item for every organization. As organizations mitigate the risks associated with a third party-related attack, leaders should continue to address...
Understanding compliance platform capabilities: black box automation has its limitations
Compliance is hard. It is not a "black box" of opaque inputs and outputs, where systems and data are hidden and where users are oblivious to their inner workings. There has yet to be a product made that can magically produce all the evidence sufficient for testing and verification across the wide...
Hacking Ham Radio: WinAPRS – Part 5
This installment will review the final Python exploit code. The exploit will transmit the three-stage shellcode in two separate AX.25 packets. It will then listen for a response from the victim machine and allow the attacker to send commands back over ham radio. We'll then revisit Windows 10 and...
Why are companies still managing compliance with spreadsheets?
Compliance management and automation has come a long way in just the last couple of years, and market demand for cyber assurance is at an all-time high. So why are so many companies still managing their compliance programs with spreadsheets?...
CMMC – The smoke is clearing
The smoke is finally starting to clear on "CMMC 2.0." Hundreds of companies are already lining up for Cybersecurity Maturity Model Certification assessments. Everything is taking place faster and with far more urgency than most organizations have planned around or prepared for...
Hacking Ham Radio: WinAPRS – Part 4
In part three of this series, we discovered and traced a memory corruption bug in WinAPRS using IDA Pro and WinDbg. We discovered that it could be used to gain control over the CPU's EIP register to obtain remote code execution. We found that there were limitations on the address that could be...
A survey of FedRAMP’s new supply chain requirements
Over the past few years, supply chain management has shifted from a background requirement that everyone unknowingly relies upon, to being a commonly talked about aspect of our everyday lives. The Federal government has ramped up its effort to gain a handle on supply chain threats as a result of...
Hacking Ham Radio: WinAPRS – Part 3
In part two of this series, we reviewed our WinAPRS software and hardware configuration. We then began reverse engineering WinAPRS and fuzzing it for vulnerabilities using modified open-source software. Finally, we identified a potentially exploitable vulnerability. This installment will dig into...
A little actually doesn’t go a long way: Fight the urge to shortcut your TPRM program
Third Party Risk Management (TPRM) is hard to get right. A sign of ineffective TPRM is that 83% of legal and compliance leaders identify third-party risks only after due diligence, despite spending 73% of their effort on due diligence. This is supported by 49% of business leaders saying they lack a centralized strategy...
Hacking Ham Radio: WinAPRS – Part 2
In part one of this series on vulnerability research in ham radio software, we discussed ham radio and digital communications via packet radio. We reviewed some relevant packet radio protocols such as AX.25, APRS, and KISS. We then chose WinAPRS as our target application. In this installment we...
Penetration testing and red teaming: The differences and reasons why both are important to your business
Penetration testing, also known as ethical hacking, white-hat hacking, or pen testing, is one important form of security assessment that tests people, process, and technology to find security vulnerabilities that a potential attacker could exploit. Red teaming is a more targeted approach that...
Governing the organization
Security is the biggest risk to business today. Managing security has become one of the hardest jobs in the enterprise, and failing to do so effectively can create opportunities for severe operational disruption. One of the keystone conclusions from Coalfire's Cloud Advisory Board's the Smartest Pa...
Security Performance Reporting: Command guidance for CISO-to-stakeholder communications
There is tremendous urgency for security professionals to do a better job at communicating security program performance to enterprise stakeholders and boards of directors. For the Coalfire Cloud Advisory Board (CAB), effective reporting on this level is mission-critical for cyber teams, and was a...
StateRAMP: The “easy button” is now a reality
When StateRAMP was announced last year, I was excited! Finally, they have put together a program that will enforce rigorous cloud security standards, while reducing the burden on state and local governments, which are flexible and eliminate repetitive and costly authorization and accreditation...
A Bridge Over the Chasm: A Primer on the Release of PCI 4.0
The Payment Card Industry (PCI) Security Standards Council (SSC) has just released version 4.0 of the Data Security Standard (DSS). Developing DSS 4.0 took almost four years and included several rounds of Request for Comments (RFC) from Participating Organizations and other interested parties. This new...
An integrated approach to security audits
A cyberattack can be devastating to any organization because it compromises sensitive data and, as a result, the financial position, strategic vision, and, more importantly, the trust and credibility that the enterprise has built over the years. Given the magnitude of this risk, what role does the I...
Hacking Ham Radio: WinAPRS – Part 1
Hackers have been breaching computer system defenses for more than half a century, and the networks they use to exploit those weaknesses have been around for far longer than that. With the internet replacing most wirelines and wavelengths, and with the rise of cybercrime sophistication from petty...
The paradigm shift of PCI SSF: what executive leaders need to know now
As a security leader who lives and breathes security controls, protocols, and compliance standards, you're probably aware of the upcoming Payment Card Industry (PCI) Software Security Framework (SSF) transition that's been coming for some time. In fact, I posted a blog about the phase-out of the...
Research reveals cyber risk is the best language for a C-suite audience
As a Chief Information Security Officer (CISO) or cybersecurity leader, one of the most important parts of your role is to manage the organization's cybersecurity risk. Managing risk and minimizing the impact of cyber incidents strengthens trust between you and the executive team, which is essential...
The Long-Term Impact of Log4j
In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Software suppliers should expect vendor security questionnaires to expand in scope and detail around application security practices. It's relatively easy for software buyers to...
Privacy-by-design… not by accident
The concept of privacy-by-design was actually devised almost 30 years ago by Ann Cavoukian, PhD, former Ontario Information and Privacy Commissioner. If you're reading a blog about privacy, chances are good you have at least a passing familiarity with Dr. Cavoukian's seminal contribution to the...
The right ASM tools include understanding where the real risk lies
While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies aren't looking (or maybe not prioritizing), and reaping the reward through bug bounty programs...
Coalfire celebrates a decade as HITRUST assessor
Coalfire is incredibly excited for 2022. We are fully committed to developing world-class solutions for our teams and customers. On the immediate horizon is the newly announced i1 assessment, and we're eagerly anticipating more news regarding CSFv10. Alongside these developments from HITRUST, we're...
Certification body rebrands to Coalfire Certification
We're excited about our new name. It reflects what we do and where we are headed. We share this excitement with our clients and our teams and extend thanks to everyone that helped push the certification body to this level of framework coverage as Coalfire Certification enters this next period of...
The secure development lifecycle
Whatever tolerance we had for failure has been turned upside down in the cloud. The consequences have never been greater. So, what's the solution? As made clear in Coalfire's latest Cloud Advisory Board (CAB) Securealities report, Smartest Path to DevSecOps Transformation, nothing is more important t...
Preparing for DevSecOps transformation
The latest report from Coalfire's prestigious Cloud Advisory Board (CAB), consisting of some of the world's most experienced C-level cyber leaders and cloud security thought leaders from Coalfire, provides some of the most significant insight and timely advice for cybersecurity leaders in 2022 and...
CMMC 2.0 – what, how, and why act now?
With the recent streamlining of the Cybersecurity Maturity Model Certification (CMMC) framework, the path to assure Defense Industrial Base (DIB) cybersecurity has changed dramatically from what was originally planned. There's a lot to learn about CMMC 2.0, but the objective remains the same: protect...
The biggest update you’ll barely see
It's been more than 10 years since ThreadFix had its first lines of code written by its creator, Dan Cornell, as a means of solving a very pervasive issue in the application security space. While it quickly became a popular talking point at conferences and app sec parties (they exist!), it was never...
Accelerating CMMC compliance
The reason the Cybersecurity Maturity Model Certification program is so critical to national security can be traced back to the second World War: To counter German submarine attacks against Allied supply chains, British intelligence hacked a German Enigma machine, stole the code, intercepted enem...
Staying current with HITRUST advisory changes
As a result of an ever-evolving threat landscape, compliance requirements are proliferating at an unprecedented rate. It can be overwhelming to keep up with the staggering number of new and updated regulations, compliance frameworks, and standards. HITRUST®, founded in 2007, recognized this...
The business case to expand ISO 27001 certification with privacy controls
Third-party inspections of organizational privacy risk remain a novel trend. Only five years ago, the most basic of common controls frameworks for this risk taxonomy did not even exist. Today, privacy has captured the collective global consciousness. Every segment, from regulators and industry...
Rumors of an upcoming, major change to ISO 27002
Of the thousands of international standards published by the International Organization for Standardization (ISO), some of the most popular ISO standards are management system standards, such as the well-known ISO 9001 standard for quality management and ISO 27001 for information security managemen...
DoD Cloud Computing Impact Level 6 – the unclassified edition
The final Impact Level (IL) referenced in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) is IL6. IL6 allows Cloud Service Providers (CSPs) to store information up to SECRET or below. CSPs can utilize their own infrastructure or deploy their cloud service offering (CSO)...