603 matches found

The Coalfire Blog
added 2020/04/20 9:19 p.m., 7 views

Privacy by design: Building customer trust

Historically, the question of privacy has been the domain of the legal community. This makes perfect sense, because privacy has its roots almost exclusively in laws and regulations. The EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and similar regulations...

AI score: 6.9
Exploits: 0

The Coalfire Blog
added 2020/04/17 11:06 p.m., 71 views

PCI DSS for large organizations: A Coalfire perspective

As organizations grow, PCI DSS responsibilities become more complex. Logically, they gain more interconnected relationships internally and with third parties. Multiple payment channels, complex network architectures, and large inventories of devices in scope require preparation before performing...

AI score: 7.1
Exploits: 0

The Coalfire Blog
added 2020/04/16 3:45 p.m., 25 views

How the COVID-19 epidemic is like cybersecurity

Today, every citizen is on the front lines of the epidemic. We are flooded with information about staying safe, keeping an eye out, and left to process unfamiliar language. We are all suddenly doctors and epidemiologists analyzing information and predicting how the world is changing. With countle...

AI score: 6.7
Exploits: 0

The Coalfire Blog
added 2020/04/15 4:06 p.m., 14 views

Should cloud service providers be concerned with FIPS 140-3?

If you've dealt with FedRAMP, you may already know that FIPS 140-2 is the standard for cryptographic modules published by the National Institute of Standards and Technology (NIST). All cloud service providers (CSPs) who wish to be FedRAMP compliant must use only crypto modules that have been validated...

AI score: 7
Exploits: 0

The Coalfire Blog
added 2020/04/14 4:34 p.m., 23 views

Minimize business disruption and move forward with solid assessment guidance

COVID-19 has seized the world's attention by disrupting the economy, the workforce, and our personal lives. While no one knows when this pandemic is going to end or its lasting impact, Coalfire is listening closely to our customers and doing everything we can to minimize disruption to their...

AI score: 6.9
Exploits: 0

The Coalfire Blog
added 2020/04/10 10:16 p.m., 74 views

Clearing the clouds: Comparing CMMC to other frameworks

These days, I spend a lot of time talking to our cloud-based clients about Cybersecurity Maturity Model Certification (CMMC): what it is, why it's important, and how they can prepare. As one of the leading cybersecurity consulting firms and third-party assessment organizations (3PAO), Coalfire's client...

AI score: 6.9
Exploits: 0

The Coalfire Blog
added 2020/04/09 8:52 p.m., 34 views

Establishing remote data center assessment standards

For the foreseeable future, the COVID-19 crisis has changed the very nature of on-site cybersecurity compliance assessments and testing. Leading the way, the Payment Card Industry Security Standards Council (PCI SSC) quickly recognized that its requirements for physical, on-site data center...

AI score: 7
Exploits: 0

The Coalfire Blog
added 2020/04/09 1:12 a.m., 47 views

The cloud is beige - The demise of black box testing

Black-box penetration testing is dead. I'd question why it is even a consideration. It's of limited and dubious value in almost any context. Wait, wait… I didn't mean that. Put down the pitchforks and torches, development and QA teams, I'm only talking about black-box penetration testing. Yes,...

AI score: 7.1
Exploits: 0

The Coalfire Blog
added 2020/04/07 7:45 p.m., 28 views

Developing COVID-19 outbreak communication and adjustment to planned assessment activities

As the coronavirus outbreak continues and safety concerns relating to travel and large meeting groups increase globally, Coalfire's Payments Assurance Practice has been monitoring the effect of this crisis on both its customers and its employees. As a Qualified Security Assessor Company (QSAC),...

AI score: 7.1
Exploits: 0

The Coalfire Blog
added 2020/04/07 3:15 p.m., 31 views

Controlling Cyber Risk for Teleworkers with HITRUST

Organizations across the globe have sent workers home to avoid spreading the Coronavirus and, as a result, technology leaders are hard-pressed to create cyber-safe work-from-home environments. Organizations must quickly identify and treat new cybersecurity risks introduced by the newly formed...

AI score: 3
Exploits: 0

The Coalfire Blog
added 2020/04/03 7:30 p.m., 61 views

The HITRUST shared responsibility matrix – the assessor’s point of view

HITRUST® announced the availability of the new Shared Responsibility Program and Matrix™ Version 1.0 to help communicate and assign security and privacy responsibilities between cloud service providers (CSPs) and their customers. Coalfire is proud that we helped develop the Matrix as part of the...

AI score: 7
Exploits: 0

The Coalfire Blog
added 2020/04/02 6:51 p.m., 14 views

With IoT, common devices pose new threats

For instance… "Hackers Setting Your 3D Printer on Fire." The world is careening toward the reality that almost all electronics in your home and business are connected to the internet. Many of these devices contain things like heating elements, batteries, and motors that are entirely...

AI score: 7
Exploits: 0

The Coalfire Blog
added 2020/04/02 4:04 p.m., 35 views

Security considerations for the social distancing era?

COVID-19 is changing the way nearly all of us work and, for some specialist security operations, this is a real challenge. For others, it's an excellent opportunity to add value to the business for when the economy starts to recover...

AI score: 6.9
Exploits: 0

The Coalfire Blog
added 2020/03/31 5:29 p.m., 30 views

What Will Happen to My ISO Certificate During a Global Pandemic?

As the coronavirus outbreak continues and safety concerns relating to travel and large group meetings increase globally, Coalfire ISO ("CFISO") has been monitoring the effects of this crisis on both its customers and its employees. As a certification body, CFISO maintains accreditation with both th...

AI score: 1
Exploits: 0

The Coalfire Blog
added 2020/03/31 4:39 p.m., 33 views

COVID-19 Pandemic Stresses the Importance of Business Continuity

One of the more critical aspects of organizational risk management is that of Business Continuity. Many organizations overlook the importance of developing and instituting a Business Continuity Plan (BCP)...

AI score: 1.7
Exploits: 0

The Coalfire Blog
added 2020/03/30 10:58 p.m., 30 views

Compliance in the Cloud - Effective Strategies to Ensure Success

It's no secret that the principles, controls, and terminology associated with compliance can be a confusing alphabet soup that hinders an organization's ability to go-to-market and expand its customer base. The difficulties in meeting compliance objectives are not limited to organization size or...

AI score: 1.8
Exploits: 0

The Coalfire Blog
added 2020/03/28 12:41 a.m., 9 views

Applied ThreadFix: Automated Vulnerability Exception Reporting

One of the most valuable things about ThreadFix is that it centralizes the results of all your testing, assurance, and remediation activities so you no longer have separate silos of data. This is really valuable from a reporting standpoint. If you need to you can drill down into specific parts of...

AI score: 0.2
Exploits: 0

The Coalfire Blog
added 2020/03/20 3:11 p.m., 25 views

Keeping Privacy Afloat During a Pandemic

The world is navigating uncharted digital waters and facing evolving challenges to maintain patient privacy. Protected Health Information (PHI) is a ship sailing in a sea of digital risks and vulnerabilities. Humans wreak havoc at every turn - not always intentionally - and actions during times of...

AI score: 2
Exploits: 0

The Coalfire Blog
added 2020/03/19 9:44 p.m., 19 views

Aligning Enterprise Cyber Risk and Business Strategy

Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their...

AI score: 1.8
Exploits: 0

The Coalfire Blog
added 2020/03/19 9:44 p.m., 49 views

Aligning Enterprise Cyber Risk and Business Strategy

Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their...

AI score: 1.8
Exploits: 0

The Coalfire Blog
added 2020/03/13 6:34 p.m., 35 views

The Basics of Exploit Development 2: SEH Overflows

In this article we will be writing an exploit for a 32-bit Windows application vulnerable to Structured Exception Handler (SEH) overflows. While this type of exploit has been around for a long time, it is still applicable to modern systems...

AI score: 1.6
Exploits: 0

The Coalfire Blog
added 2020/03/13 12:50 a.m., 12 views

What can Application Security Testing add to DevOps programs?

The adoption of DevOps practices by organizations to shorten the standard development lifecycle has put new pressure on security teams to keep up with the pace of development within CI/CD pipelines. In order to accomplish this, security teams need to provide better security insights to developers...

AI score: 1.1
Exploits: 0

The Coalfire Blog
added 2020/03/11 11:47 p.m., 29 views

Third Party Risk Management and the Cloud

Security awareness and preparation are getting more widespread. Corporate boards and C-suite executives are taking Third-Party Risk Management (TPRM) more seriously as they see what has happened to other enterprises in the not-so-distant past. I am speaking primarily of the top-level enterprises, b...

AI score: 0.5
Exploits: 0

The Coalfire Blog
added 2020/03/06 1:54 a.m., 11 views

Applied ThreadFix: Getting the Most Out of Your Training Investment

As we talked about in an earlier blog post, secure coding training for developers can be expensive. Knowledgeable individuals who are adept at training are relatively rare. Quality training materials are expensive to develop and maintain. For these reasons, solid commercial instructor-led trainin...

AI score: 3
Exploits: 0

The Coalfire Blog
added 2020/03/02 7:19 p.m., 35 views

Quality is Job One When it Comes to the HITRUST CSF Assurance Program

The HITRUST CSF® remains an essential security and privacy controls framework that addresses the multitude of security, privacy, and regulatory challenges facing both public and private sector organizations. As framework adoption increases across all industries, maintaining integrity is crucial,...

AI score: 1.7
Exploits: 0

The Coalfire Blog
added 2020/02/25 2:00 a.m., 15 views

What are the benefits of SAST testing in CI/CD pipelines?

Static application security testing (SAST) is traditionally used in software development lifecycles both early on in the process and often to "white box" test all files containing source code. Integrating SAST into modern CI/CD pipelines allows developers to continuously monitor their code, providi...

AI score: 1.9
Exploits: 0

The Coalfire Blog
added 2020/02/21 6:44 p.m., 47 views

The Significance of the NIST Privacy Framework

Kudos to the NIST Privacy Team! Privacy Framework v1.0 has finally been released. I've been tracking the growth of this initiative since the focus group was kicked off in September 2018 and respect its thoroughly explored yet fundamentally grassroots approach. A few points worth bringing to your...

AI score: 2.3
Exploits: 0

The Coalfire Blog
added 2020/02/20 7:43 p.m., 9 views

Applied ThreadFix: Fire Bullets, Then Cannonballs – Part 2

In Part 1 of this blog post, we looked at the concept of "firing bullets and then cannonballs" that comes from the book Great By Choice by Jim Collins and Morten T. Hansen. The idea works a little like this: first fire your "bullets" - low-cost, low-risk, low-distraction experiments to figure out...

AI score: 0.1
Exploits: 0

The Coalfire Blog
added 2020/02/20 4:08 p.m., 21 views

Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today

The Payment Card Industry (PCI) Council plans to formally retire the Payment Application Data Security Standard (PA-DSS) in October 2022 and replace it with the PCI Software Security Framework (SSF). For vendors, the new framework expands program eligibility with improved support for evolving...

AI score: 2.6
Exploits: 0

The Coalfire Blog
added 2020/02/11 7:52 p.m., 12 views

Applied ThreadFix: Fire Bullets, Then Cannonballs – AppSec Edition

The concept of "firing bullets and then cannonballs" comes from the book Great By Choice by Jim Collins and Morten T. Hansen. The idea works a little like this: first fire your "bullets" - low-cost, low-risk, low-distraction experiments to figure out what will work. This allows you to calibrate...

AI score: 0.2
Exploits: 0

The Coalfire Blog
added 2020/01/21 9:47 p.m., 31 views

The Basics of Exploit Development 1: Win32 Buffer Overflows

In this article we will cover the creation of an exploit for a 32-bit Windows application vulnerable to a buffer overflow using X64dbg and the associated ERC plugin. As this is the first article in this series, we will be looking at an exploit where we have a complete EIP overwrite and ESP points...

AI score: 2.6
Exploits: 0

The Coalfire Blog
added 2020/01/15 11:22 p.m., 28 views

Windows Update Warning

Coalfire is issuing this notice to alert our clients about a very important set of updates that were issued by Microsoft, as well as a pre-release announcement released by Oracle. While these are commonly handled through modern enterprise patch management systems, we want to underscore the...

AI score: 3.4
Exploits: 0

The Coalfire Blog
added 2020/01/14 8:01 p.m., 7 views

Managing Web Application Security

Web application scanners using dynamic application security testing (DAST) methods are ideal at identifying common vulnerabilities such as cross-site scripting, SQL injection, command execution and more. When used in conjunction with whitebox static application security testing (SAST) results that...

AI score: 2.1
Exploits: 0

The Coalfire Blog
added 2019/12/09 9:03 p.m., 17 views

Deserialized Double Dirty

Recently I was able to fully root a NetApp OnCommand Performance Manager appliance using a Java Deserialization vulnerability and Dirty COW...

AI score: 3.3
Exploits: 0

The Coalfire Blog
added 2019/11/20 8:36 p.m., 18 views

Will ISO 27701 Be the New GDPR Certification?

On August 6, ISO published the ISO/IEC 27701:2019 ("ISO 27701") standard, which lays out the requirements for implementing an organizational program to govern the handling of personally identifiable information (PII), known as a Privacy Information Management System (PIMS). In many ways, the new standa...

AI score: 1.3
Exploits: 0

The Coalfire Blog
added 2019/10/18 4:34 p.m., 11 views

New News About the HITRUST Scoring Rubric and PRISMA Model

This is a high-level overview of the most significant changes about the updated HITRUST scoring rubric and PRISMA model that will affect all organizations using the HITRUST framework. It contains tips and guidance for how to prepare for upcoming HITRUST assessments. If you need a deeper dive into...

AI score: 1
Exploits: 0

The Coalfire Blog
added 2019/10/08 10:49 p.m., 71 views

FUD is Dead

A friend of mine who runs a cybersecurity firm told me recently, "Bro, FUD is dead. People are tired of all the fearmongering." I completely agreed. For the uninitiated, FUD stands for Fear, Uncertainty, and Doubt...

AI score: 2.6
Exploits: 0

The Coalfire Blog
added 2019/10/03 10:19 p.m., 54 views

What Is the DoD’s New Cybersecurity Maturity Model Certification, and What Does It Mean for Defense Contractors?

Citing the threat of compromise of Controlled Unclassified Information (CUI) within the defense industrial base (DIB), along with the high cost of cyber breaches in general, the Office of the Assistant Secretary of Defense for Acquisition has initiated a program for rating the cybersecurity maturity ...

AI score: 2.6
Exploits: 0

The Coalfire Blog
added 2019/10/02 10:22 p.m., 13 views

ERC.Net – A Toolset for Analyzing Windows Application Crashes

ERC.Net is a collection of tools designed to assist in analyzing and debugging Windows application crashes in order to identify potential security vulnerabilities. Supporting both 64 and 32 bit applications, ERC.Net has many use cases including parsing Windows file headers, identifying compile-ti...

AI score: 2
Exploits: 0

The Coalfire Blog
added 2019/09/27 8:13 p.m., 157 views

FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS

Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is...

AI score: 2.5
Exploits: 0

The Coalfire Blog
added 2019/09/25 10:38 p.m., 79 views

The HITRUST CSF 90-Day Rules – What You Need to Know

Earlier this year, HITRUST announced required changes, effective April 1, 2019, applicable to all CSF assessor firms, regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality...

AI score: 2.1
Exploits: 0

The Coalfire Blog
added 2019/09/12 8:19 p.m., 72 views

Successful SOC 2 Approaches to Address Fraud Risk

Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 fraud risk considerations because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the busine...

AI score: 2.9
Exploits: 0

The Coalfire Blog
added 2019/08/26 9:03 p.m., 12 views

Dodge Data Breaches with Real-Time PCI Compliance

It's been five years since the PCI Council released the first "Best Practices for Maintaining PCI DSS Compliance" guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organizations' compliance...

AI score: 3.7
Exploits: 0

The Coalfire Blog
added 2019/08/21 7:13 p.m., 92 views

When Checking the Box Results in Two Zero Days and Root (CVE-2019-14257 and CVE-2019-14258)

Finding new bugs and exploiting them can be exciting and fun for a penetration tester. I was ecstatic to find my first two zero-days, and I used them to break a system from no access to root. This was a good day for me - but the story behind the story provides some real lessons enterprises can...

AI score: 2.4
EPSS: 0.01729
Exploits: 2

The Coalfire Blog
added 2019/07/31 11:00 p.m., 68 views

Pulling Back the Curtain

As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit...

AI score: 0.9
Exploits: 0

The Coalfire Blog
added 2019/07/31 9:42 p.m., 125 views

Healthcare Slow to Adopt NIST Digital Identity and Authentication Guidance

The National Institute of Standards and Technology (NIST) published an updated guide (Special Publication 800-63b) for Digital Identity Guidance in June 2017. This is a comprehensive and holistic guide to authentication processes, which includes choices of authenticators that may be used at various...

AI score: 2.4
Exploits: 0

The Coalfire Blog
added 2019/07/02 8:16 p.m., 102 views

Preparing for PCI DSS 4.0

PCI DSS 4.0 is currently in its request for comments (RFC) process, where the industry can provide comments and feedback to help shape the next iteration. This process is initially open to the participating organizations - members that help steer and inform the PCI SSC based on their experiences. T...

AI score: 0.7
Exploits: 0

The Coalfire Blog
added 2019/06/20 3:48 p.m., 76 views

Data Governance in the Cloud

Data governance is something your organization has likely considered, put into action, and implemented. The question is, to what degree is the data actually being governed - or not?...

AI score: 3
Exploits: 0

The Coalfire Blog
added 2019/06/19 8:44 p.m., 101 views

The HITRUST Common Security Framework: Not Just for Healthcare Anymore

The HITRUST 2019 conference took place last month in Dallas, Texas, and covered important topics such as risk management, compliance, third-party assurance, cybersecurity, medical devices, and the Internet of Things (IoT). As speakers and sponsors, we saw much enthusiasm about HITRUST Common Securi...

AI score: 3.1
Exploits: 0

The Coalfire Blog
added 2019/06/19 7:31 p.m., 116 views

Introducing Slackor, a Remote Access Tool Using Slack as a C2 Channel

As a penetration tester at Coalfire Labs, I frequently use exploitation frameworks such as Metasploit or PowerShell Empire to perform post-exploitation actions on compromised endpoints. While anti-virus (AV) bypass and detection avoidance is often trivial in all but the most mature environments,...

AI score: 3.3
Exploits: 0

Total number of security vulnerabilities: 603