Privacy by design: Building customer trust
Historically, the question of privacy has been the domain of the legal community. This makes perfect sense, because privacy has its roots almost exclusively in laws and regulations. The EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar regulations...
PCI DSS for large organizations: A Coalfire perspective
As organizations grow, PCI DSS responsibilities become more complex. Logically, they gain more interconnected relationships internally and with third parties. Multiple payment channels, complex network architectures, and large inventories of devices in scope require preparation before performing...
How the COVID-19 epidemic is like cybersecurity
Today, every citizen is on the front lines of the epidemic. We are flooded with information about staying safe, keeping an eye out, and left to process unfamiliar language. We are all suddenly doctors and epidemiologists analyzing information and predicting how the world is changing. With countle...
Should cloud service providers be concerned with FIPS 140-3?
If you've dealt with FedRAMP, you may already know that FIPS 140-2 is the standard for cryptographic modules published by the National Institute of Standards and Technology (NIST). All cloud service providers (CSPs) who wish to be FedRAMP compliant must use only crypto modules that have been validated...
Minimize business disruption and move forward with solid assessment guidance
COVID-19 has seized the world's attention by disrupting the economy, the workforce, and our personal lives. While no one knows when this pandemic is going to end or its lasting impact, Coalfire is listening closely to our customers and doing everything we can to minimize disruption to their...
Clearing the clouds: Comparing CMMC to other frameworks
These days, I spend a lot of time talking to our cloud-based clients about Cybersecurity Maturity Model Certification (CMMC): what it is, why it's important, and how they can prepare. As one of the leading cybersecurity consulting firms and third-party assessment organizations (3PAO), Coalfire's client...
Establishing remote data center assessment standards
For the foreseeable future, the COVID-19 crisis has changed the very nature of on-site cybersecurity compliance assessments and testing. Leading the way, the Payment Card Industry Security Standards Council (PCI SSC) quickly recognized that its requirements for physical, on-site data center...
The cloud is beige - The demise of black box testing
Black-box penetration testing is dead. I'd question why it is even a consideration. It's of limited and dubious value in almost any context. Wait, wait… I didn't mean that. Put down the pitchforks and torches, development and QA teams, I'm only talking about black-box penetration testing. Yes,...
Developing COVID-19 outbreak communication and adjustment to planned assessment activities
As the coronavirus outbreak continues and safety concerns relating to travel and large meeting groups increase globally, Coalfire's Payments Assurance Practice has been monitoring the effect of this crisis on both its customers and its employees. As a Qualified Security Assessor Company (QSAC),...
Controlling Cyber Risk for Teleworkers with HITRUST
Organizations across the globe have sent workers home to avoid spreading the Coronavirus and, as a result, technology leaders are hard-pressed to create cyber-safe work-from-home environments. Organizations must quickly identify and treat new cybersecurity risks introduced by the newly formed...
The HITRUST shared responsibility matrix – the assessor’s point of view
HITRUST® announced the availability of the new Shared Responsibility Program and Matrix™ Version 1.0 to help communicate and assign security and privacy responsibilities between cloud service providers (CSPs) and their customers. Coalfire is proud that we helped develop the Matrix as part of the...
With IoT, common devices pose new threats
For Instance… Hackers Setting Your 3D Printer on Fire. The world is careening toward the reality that almost all electronics in your home and business are connected to the internet. Many of these devices contain things like heating elements, batteries, and motors that are entirely...
Security considerations for the social distancing era?
COVID-19 is changing the way nearly all of us work and, for some specialist security operations, this is a real challenge. For others, it's an excellent opportunity to add value to the business for when the economy starts to recover...
What Will Happen to My ISO Certificate During a Global Pandemic?
As the coronavirus outbreak continues and safety concerns relating to travel and large group meetings increase globally, Coalfire ISO ("CFISO") has been monitoring the effects of this crisis on both its customers and its employees. As a certification body, CFISO maintains accreditation with both th...
COVID-19 Pandemic Stresses the Importance of Business Continuity
One of the more critical aspects of organizational risk management is that of Business Continuity. Many organizations overlook the importance of developing and instituting a Business Continuity Plan (BCP)...
Compliance in the Cloud - Effective Strategies to Ensure Success
It's no secret that the principles, controls, and terminology associated with compliance can be a confusing alphabet soup that hinders an organization's ability to go-to-market and expand its customer base. The difficulties in meeting compliance objectives are not limited to organization size or...
Applied ThreadFix: Automated Vulnerability Exception Reporting
One of the most valuable things about ThreadFix is that it centralizes the results of all your testing, assurance, and remediation activities so you no longer have separate silos of data. This is really valuable from a reporting standpoint. If you need to, you can drill down into specific parts of...
Keeping Privacy Afloat During a Pandemic
The world is navigating uncharted digital waters and facing evolving challenges to maintain patient privacy. Protected Health Information (PHI) is a ship sailing in a sea of digital risks and vulnerabilities. Humans wreak havoc at every turn - not always intentionally - and actions during times of...
Aligning Enterprise Cyber Risk and Business Strategy
Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their...
The Basics of Exploit Development 2: SEH Overflows
In this article we will be writing an exploit for a 32-bit Windows application vulnerable to Structured Exception Handler (SEH) overflows. While this type of exploit has been around for a long time, it is still applicable to modern systems...
What can Application Security Testing add to DevOps programs?
The adoption of DevOps practices by organizations to shorten the standard development lifecycle has put new pressure on security teams to keep up with the pace of development within CI/CD pipelines. In order to accomplish this, security teams need to provide better security insights to developers...
Third Party Risk Management and the Cloud
Security awareness and preparation are getting more widespread. Corporate boards and C-suite executives are taking Third-Party Risk Management (TPRM) more seriously as they see what has happened to other enterprises in the not-so-distant past. I am speaking primarily of the top-level enterprises, b...
Applied ThreadFix: Getting the Most Out of Your Training Investment
As we talked about in an earlier blog post, secure coding training for developers can be expensive. Knowledgeable individuals who are adept at training are relatively rare. Quality training materials are expensive to develop and maintain. For these reasons, solid commercial instructor-led trainin...
Quality is Job One When it Comes to the HITRUST CSF Assurance Program
The HITRUST CSF® remains an essential security and privacy controls framework that addresses the multitude of security, privacy, and regulatory challenges facing both public and private sector organizations. As framework adoption increases across all industries, maintaining integrity is crucial,...
What are the benefits of SAST testing in CI/CD pipelines?
Static application security testing (SAST) is traditionally used in software development lifecycles both early on in the process and often to "white box" test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providi...
The Significance of the NIST Privacy Framework
Kudos to the NIST Privacy Team! Privacy Framework v.1.0 has finally been released. I've been tracking the growth of this initiative since the focus group was kicked off in September 2018 and respect its thoroughly explored yet fundamentally grassroots approach. A few points worth bringing to your...
Applied ThreadFix: Fire Bullets, Then Cannonballs – Part 2
In Part 1 of this blog post, we looked at the concept of "firing bullets and then cannonballs" that comes from the book Great By Choice by Jim Collins and Morten T. Hansen. The idea works a little like this: first fire your "bullets" - low-cost, low-risk, low-distraction experiments to figure out...
Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today
The Payment Card Industry (PCI) Council plans to formally retire the Payment Application Data Security Standard (PA-DSS) in October 2022 and replace it with the PCI Software Security Framework (SSF). For vendors, the new framework expands program eligibility with improved support for evolving...
Applied ThreadFix: Fire Bullets, Then Cannonballs – AppSec Edition
The concept of "firing bullets and then cannonballs" comes from the book Great By Choice by Jim Collins and Morten T. Hansen. The idea works a little like this: first fire your "bullets" - low-cost, low-risk, low-distraction experiments to figure out what will work. This allows you to calibrate...
The Basics of Exploit Development 1: Win32 Buffer Overflows
In this article we will cover the creation of an exploit for a 32-bit Windows application vulnerable to a buffer overflow using X64dbg and the associated ERC plugin. As this is the first article in this series, we will be looking at an exploit where we have a complete EIP overwrite and ESP points...
Windows Update Warning
Coalfire is issuing this notice to alert our clients about a very important set of updates that were issued by Microsoft, as well as a pre-release announcement released by Oracle. While these are commonly handled through modern enterprise patch management systems, we want to underscore the...
Managing Web Application Security
Web application scanners using dynamic application security testing (DAST) methods are ideal at identifying common vulnerabilities such as cross-site scripting, SQL injection, command execution and more. When used in conjunction with whitebox static application security testing (SAST) results that...
Deserialized Double Dirty
Recently I was able to fully root a NetApp OnCommand Performance Manager appliance using a Java Deserialization vulnerability and Dirty COW...
Will ISO 27701 Be the New GDPR Certification?
On August 6, ISO published the ISO/IEC 27701:2019 ("ISO 27701") standard, which lays out the requirements for implementing an organizational program to govern the handling of personally identifiable information (PII), known as a Privacy Information Management System (PIMS). In many ways, the new standa...
New News About the HITRUST Scoring Rubric and PRISMA Model
This is a high-level overview of the most significant changes about the updated HITRUST scoring rubric and PRISMA model that will affect all organizations using the HITRUST framework. It contains tips and guidance for how to prepare for upcoming HITRUST assessments. If you need a deeper dive into...
FUD is Dead
A friend of mine who runs a cybersecurity firm told me recently, "Bro, FUD is dead. People are tired of all the fearmongering." I completely agreed. For the uninitiated, FUD stands for Fear, Uncertainty, and Doubt...
What Is the DoD’s New Cybersecurity Maturity Model Certification, and What Does It Mean for Defense Contractors?
Citing the threat of compromise of Controlled Unclassified Information (CUI) within the defense industrial base (DIB), along with the high cost of cyber breaches in general, the Office of the Assistant Secretary of Defense for Acquisition has initiated a program for rating the cybersecurity maturity ...
ERC.Net – A Toolset for Analyzing Windows Application Crashes
ERC.Net is a collection of tools designed to assist in analyzing and debugging Windows application crashes in order to identify potential security vulnerabilities. Supporting both 64 and 32 bit applications, ERC.Net has many use cases including parsing Windows file headers, identifying compile-ti...
FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS
Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is...
The HITRUST CSF 90-Day Rules – What You Need to Know
Earlier this year, HITRUST announced required changes, effective April 1, 2019, applicable to all CSF assessor firms, regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality...
Successful SOC 2 Approaches to Address Fraud Risk
Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 fraud risk considerations because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the busine...
Dodge Data Breaches with Real-Time PCI Compliance
It's been five years since the PCI Council released the first "Best Practices for Maintaining PCI DSS Compliance" guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organizations' compliance...
When Checking the Box Results in Two Zero Days and Root (CVE-2019-14257 and CVE-2019-14258)
Finding new bugs and exploiting them can be exciting and fun for a penetration tester. I was ecstatic to find my first two zero-days, and I used them to break a system from no access to root. This was a good day for me - but the story behind the story provides some real lessons enterprises can...
Pulling Back the Curtain
As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit...
Healthcare Slow to Adopt NIST Digital Identity and Authentication Guidance
The National Institute of Standards and Technology (NIST) published an updated guide, Special Publication 800-63b for Digital Identity Guidance, in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various...
Preparing for PCI DSS 4.0
PCI DSS 4.0 is currently in its request for comments (RFC) process, where the industry can provide comments and feedback to help shape the next iteration. This process is initially open to the participating organizations - members that help steer and inform the PCI SSC based on their experiences. T...
Data Governance in the Cloud
Data governance is something your organization has likely considered, put into action, and implemented. The question is, to what degree is the data actually being governed - or not?...
The HITRUST Common Security Framework: Not Just for Healthcare Anymore
The HITRUST 2019 conference took place last month in Dallas, Texas, and covered important topics such as risk management, compliance, third-party assurance, cybersecurity, medical devices, and the Internet of Things (IoT). As speakers and sponsors, we saw much enthusiasm about HITRUST Common Securi...
Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel
As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments,...