Lift and drag: confronting complacency and disrupting inertia in cybersecurity strategy
Within corporate cybersecurity, resistance presents in a variety of forms. Individuals and institutions alike often face overwhelming peer pressure to "keep doing what made us successful in the past." In the face of that pressure, it can be difficult to generate or sustain momentum toward...
Crypto vulnerability management
In this blog series, we've discussed in detail how crypto assets and currencies are no longer passing fads. Even if your C-suite remains skeptical, security leaders and teams can't afford to keep watching, waiting, and speculating about what's going to happen or when your organization will be direct...
Thinking about data privacy strategically: four key questions
It wasn't that long ago when the concept of data privacy was mostly a legal question. Privacy obligations arose almost exclusively from regulations, so most organizations delegated the problem to legal counsel, who then tackled the problem through policy and contract language. At best, it was a co...
DoD Cloud Computing Impact Levels 4-5
Moving past DoD Impact Level 2 (IL2), the logical next step should be IL3; however, IL3 is no longer used by the Department of Defense (DoD) and has been consolidated into IL4. DoD IL4 is designed to store, process, and transmit up to controlled unclassified information (CUI) related to military or...
Requirements for DoD Impact Level 2
As discussed in the previous blog post on FedRAMP+, there are four authorization levels defined in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG). In this post we will give a brief rundown of the lowest authorization level, DoD Impact Level (IL) 2, and the security...
What is FedRAMP+?
The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as: "… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure...
Data privacy: What's new in cross-border transfers? The Standard Contractual Clauses
The transfer of personal data between companies and countries is vital for smooth data processing operations. When transferring data out of the European Union, companies are required to comply with the General Data Protection Regulation (GDPR), which requires that any data that is transferred to a...
Long-awaited changes to the nation's cybersecurity infrastructure become reality
There is a lot of buzz in the biz about the ripple effects of President Biden's "Executive Order (EO) on Improving the Nation's Cybersecurity," which comes on the heels of the Colonial Pipeline hack. The pipeline, which delivers about 45% of the fuel used on the Eastern Seaboard, was shut down after ...
Third party risk management and the cloud
Risk is inevitable with third-party vendors that have access to your company and client data. With expanding attack surfaces, dispersed supply chains, and IoT issues on the rise, third-party risk management (TPRM) is becoming a more mission-critical security practice in the cloud. Let's look at...
The road to secure crypto: start getting risk management priorities on your threat modeling radar
While attending the biggest event in crypto history earlier this month in Miami, it struck me that, although irrational over-exuberance was the mood, the reality is really sinking in: We are in a new payments industry paradigm shift. It's not a fad anymore, and it's not going away. An exclamation t...
What you need to know: Transitioning CSA STAR for Cloud Controls Matrix 4.0
In January of this year, the Cloud Security Alliance (CSA) released a major revision to its widely adopted Cloud Controls Matrix (CCM) in the form of version 4.0. This comes in the middle of a calendar year where several alternative information security frameworks are also expected to be refined,...
Payments paradigm shift
Crypto assets have been around for over a decade, and with the recent Coinbase IPO, we believe we are well past the point of calling this a "passing fad." In fact, we believe that crypto assets -- particularly bitcoin -- have now passed the tipping point from being considered an unconventional...
Cybersecurity opportunities for the public and private sectors
I'm happy to share a new paper by Cynergy Partners, co-authored by Coalfire board member, Jim Pflaging, titled Cybersecurity Opportunities for the Public and Private Sectors...
MIME sniffing in browsers and the security implications
Whenever a website is opened in a browser, there are many tasks that are being silently performed in the background. One of those tasks is fetching resources such as images, stylesheets and JavaScript from different domains on the internet and then parsing those resources...
Avoid oversights in HIPAA risk management
Since HIPAA regulations first came about in 1996, organizations have looked for ways to analyze and manage risk within this complex framework. Although guided by the HIPAA Security Rule as well as additional guidance from the U.S. Department of Health and Human Services (HHS) and Office for Civil...
Coalfire ramps up for StateRAMP — What you need to know…
There has been a lot of buzz during the past year or so about StateRAMP (SR). SR was an idea born out of helping state and local governments efficiently and effectively verify cybersecurity and manage third-party risk. SR is a 501(c)(6) non-profit, membership-based organization based in Indiana and...
Waking up to the new realities of privacy risk and the need for focused expertise
Last month, Coalfire announced that our certification body was awarded yet another of many "firsts." In this scenario, Coalfire was the first to expand its registration to a second accreditation body as part of its certification services related to ISO 27701, a framework that governs the activiti...
Closing the technical gap with resiliency pen testing
Organizations across all industries are watching and weighing the real impact and cost of security breaches as they look to budget security spending for 2021. While remote operations are becoming the norm, threat actors have no intention of slowing down their efforts. Instead, they are taking ful...
Getting started with ZAP and the OWASP top 10: common questions
I recently received an email from a developer who was gearing up to use OWASP ZAP to test the security of their code. The developer had some questions about OWASP ZAP, testing for the OWASP Top 10 2013, and ZAP configuration. After I answered the email, I asked if I could repost it here because I...
Android: DNS setup for developing and testing against local web services
Most "interesting" smartphone applications do not run only on the smartphone device; they rely on supporting web services that can be run both by the deploying organization and third parties. One of the challenges we have run into when developing Android applications is setting up a suitable...
Command injection in java: 80% proven that it is 100% impossible (sometimes)
I was reading Alex Smolen's blog the other day and ran across the post "Command Injection Impossible in Java and .NET?" Interesting stuff! In an effort to avoid doing work I should actually be doing, I decided to look into it a bit more...
AppSec Bites: Implementing DevOps? What Security Teams Need to Know. (Part 4)
DevOps practices can be difficult to implement for any business. While the overall goal is to streamline the business and join the development and operations sides of things together, the first step needs to be a strong relationship between DevOps and security teams; otherwise, things will typicall...
Properties of secure hash functions
The news of NIST and their SHA-3 algorithm competition and a recent lunch and learn at Denim Group reminded me of the cryptography lectures I gave at UTSA. One of the concepts my students had the hardest time grasping was secure cryptographic hash functions, partially because of the number theory, but al...
General Overview of Vulnerability Management
In a world where most companies take nearly six months to detect a data breach, establishing a comprehensive and continuous process for identifying, classifying, mitigating and preventing security vulnerabilities within an organization can help prevent current cybersecurity challenges...
Success stories in cybersecurity and information technology
RISE is Coalfire's initiative to Recruit, Influence, Support, and Educate women in cybersecurity. I am honored to have been invited to be an active member of the RISE steering committee and help contribute to this worthy cause...
AppSec Bites: What Opportunities Does Remote Working Create for AppSec Teams? (Part 3)
It's no secret that the pandemic has shifted the operational mindset of many organizations as we adapted to a fully remote workspace. In addition to this, many businesses were subjected to tighter budgets, compelling them to find ways to be more efficient and cost effective. The automation of...
AppSec concerns: UUID generation
During static analysis, one of the things the application security team checks for is strong random number generation for security sensitive contexts. We see weaknesses in this space quite often for temporary passwords and session identifiers, but an increasingly common variant is for universally...
Asymmetric-key algorithms and symmetric-key algorithms
The symmetry of the algorithm comes from the fact that both parties involved share the same key for both encryption and decryption. It works similarly to a physical door where everyone uses a copy of the same key to both lock and unlock the door. A symmetric-key algorithm, just like real doors,...
AppSec Bites: Top 3 Things to Consider When Maturing Your AppSec Programs (Part 2)
Maturing security programs along with the growth of development programs are essential to ensuring a safe and efficient development lifecycle. The need to be on top of development while scaling programs is imperative to managing both risk and business opportunities. However, it is during times of...
Automated application scanning: handling complicated logins with AppScan (only!)
Ory Segal (@orysegal) from IBM Rational reached out with a simpler method to handle this natively in AppScan. It involves configuring AppScan to add a custom parameter to each request. For the sample case in the authexamples GitHub repository it would be handled like this...
AppSec Bites: A Podcast on Balancing Speed and Thorough AppSec Coverage (Part 1)
In the world today we have all become so accustomed to high-speed delivery and the instant gratification it instills (any large 2-day shipping retail monsters come to mind?). It's only natural that the demand for speed and efficiency we are experiencing in our daily lives has expanded to the...
Latest round of OCR audits highlight HIPAA risk analysis and risk management shortcomings
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has released its latest report with findings from their 2016 and 2017 series of audits as required under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)/HITECH Privacy, Security, and Brea...
Coalfire acquires penetration testing management platform
Over the past year, Coalfire has worked closely in partnership with Neuralys, a penetration testing management platform. Today, Coalfire is ecstatic to announce the acquisition of Neuralys, and welcome its founders, developers and sales team to our organization...
New cybersecurity legislation to amend the Health Information Technology for Economic and Clinical Health (HITECH) Act – an analysis of H.R. 7898
New legislation was passed by Congress and signed by the president on January 5, 2021 that amends the HITECH Act with an additional section titled: SEC. 13412. RECOGNITION OF SECURITY PRACTICES. The fundamental driver for amending HITECH is to ensure the secretary of Health and Human Services (HHS)...
The Edge of a Storm?
The SolarWinds element of this breach is likely just the tip of the iceberg as many more businesses leveraging their management tools are exposed to this compromise. Not necessarily from the nation state actor believed to have triggered it, but from the potential sell off of those points of acces...
Deploying your first Blueprints
Welcome back to the fourth and final part of this Azure Blueprints series. This section covers how to use some Blueprints provided by Microsoft and how to get started writing your Blueprints for managing your Azure Governance. Specifically, we will look more closely at a FedRAMP use case...
Blueprints scopes and assignments
Welcome back for part three of four in our Blueprint technical series. Today we're covering the governance and lifecycle controls of Blueprints within an Azure tenant. There is a lot of power in what Blueprints provide, and this tooling needs to be managed across multiple subscriptions or...
Azure Policies
Welcome back to Part Two of our four-part Blueprint Series. Today's post covers the use of Azure Policies within a Blueprint deployment along with ARM templates and permissions management. Azure Policies are the critical component of Azure Blueprints. Policies, like ARM Templates, are JSON...
The California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) was passed in November by voters in California. Adding another entry to the alphabet soup that is privacy regulations, the CPRA (known as Proposition 24 when it was on the ballot) expands on the state's landmark consumer privacy law, the California Consumer...
Systemic non-compliance: the root cause of pain for healthcare organizations
Recently, I was fortunate enough to experience the joys of becoming a father as my wife and I welcomed our first child into the world. It was one of the most beautiful experiences of my life and I'm grateful for the advances we have made in modern medicine and technology. I mention this personal...
Cloud tech first floor recommendations
I hate to say it, but I'm an old, curmudgeonly guy that's been in the industry more than 20 years. And after a while, things just start to wear on you. In fact, there was a point in my career that I swore if I had to counsel just one more company on the importance of having strong passwords and...
Coalfire and HITRUST – 9 years, 1,000 engagements and counting
Since 2007, HITRUST® has offered programs that protect sensitive information and allow organizations to manage information risk globally across all industries and throughout the supply chain. In collaboration with information security, privacy, and risk management leaders from public and private...
Mining Splunk's Internal Logs
Splunk is great about logging its warnings and errors, but it won't tell you about them - you have to ask! As the leading machine-generated data analysis software, it's not surprising that Splunk excels at creating robust logs. The current version of Splunk Enterprise (v 8.05) generates 22 different...
Using Azure Blueprints to Control Azure Compliance
As Peter Parker says, with great power comes great responsibility. And so it goes with public cloud: With cloud scale and agility come cloud-scale problems and compliance nightmares. Every day, IT professionals balance the need to act quickly--often leveraging cloud speed of execution to implemen...
Managing Application Vulnerabilities Manually?
In spite of the fact that automation and application vulnerability resolution platforms like ThreadFix have existed for a decent length of time, we continue to see organizations that try to muscle ahead with their existing manual processes. We continue to be surprised that organizations manage...
Getting around the cybersecurity talent shortage
More remote workers mean larger attack surfaces, and as cyber criminals take advantage of the rush to provision a remote workforce, the pain of the cybersecurity professionals shortage has become acute. Last year, the ISC2 Workforce Study identified a shortage of 561,000 cybersecurity professiona...
PCI DSS version 4.0 – what we know so far
From September 23 - November 13, 2020, stakeholders can participate in the Request for Comments (RFC) on the draft of PCI Data Security Standard (DSS) version 4.0. This is the second RFC for the PCI DSS v4.0 draft--the first RFC was in late 2019 and that feedback was incorporated into the draft...
Help Net Security – ThreadFix 3.0 Review
Help Net Security recently published a review of ThreadFix 3.0. Security Researcher, Toni Grzinic, took a deep dive into our vulnerability management platform and broke down everything from infrastructure, reporting and analytics, to integrations, and beyond. Click here to read Toni's full review ...