Humans Are the Weakest Link in Security
In our recent analysis of penetration testing engagements, contained in our Penetration Risk Report, we discuss the impact that social engineering, specifically phishing, has on attackers' ability to gain insider access and compromise an organization...
Transitioning to the New SOC 2 Criteria – What You Need to Know
Over the past year, SOC 2 has seen quite a few changes in how reports must be presented going forward. The American Institute of Certified Public Accountants (AICPA) replaced the old SSAE 16 standard with SSAE 18, released the 2017 Trust Services Criteria, the new Description Criteria (DC-200), and a ne...
NIST SP 800-171A Assessment: Finalized Assessment Objectives Foster a Roadmap to Compliance
On June 13, 2018, NIST formally released Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information (CUI). This publication provides organizations with an assessment methodology to evaluate their compliance with the CUI security requirements defined in...
Expanded Privacy Protections Granted to California Residents: The California Consumer Privacy Act
In late June, California passed a new consumer privacy law, the California Consumer Privacy Act (CCPA). The statute protects California residents, but it will also have wide-ranging effects outside California, as it applies to organizations that conduct business in California...
Incident Response: Do Your Vendor Contracts Have Claws (for Liability)?
In previous blogs, we've discussed some of the struggles organizations have when responding to cyber incidents. For many, it is the recovery aspect, and specifically vendor liability for the data or privacy breach, that poses many questions. In trying to assign liability, the obvious place to star...
Common Questions and Answers Salesforce ISVs Need to Know for FedRAMP
Many Salesforce Independent Software Vendors (ISVs) are interested in pursuing FedRAMP to serve federal customers but have many questions about the process. The four questions below are those Coalfire most commonly receives from these ISV partners; we have provided some basic responses ...
Executing Meterpreter on Windows 10 and Bypassing Antivirus
One of my Labs colleagues recently published an article on the Coalfire Blog about executing an obfuscated PowerShell payload using Invoke-CradleCrafter. This was very useful, as Windows Defender has upped its game lately and is now blocking Metasploit's Web Delivery module. I wanted to demonstrat...
The CMS Allows Health Plans to Host Their Own Enrollment Applications for Improved Consumer Experience
As part of the ongoing implementation of the Affordable Care Act (ACA), the Centers for Medicare and Medicaid Services (CMS) recently began permitting direct enrollment entities (qualified health plan issuers and web-brokers) to host their own enrollment applications on their websites instead of proxyi...
The Threats That Are Your Weakest Link
Coalfire published the latest report in its Securealities series, The Penetration Risk Report, which is based on findings from Coalfire penetration tests. It includes data drawn from engagements with businesses of all sizes, spanning financial services, retail, healthcare, and technology/cloud...
IoT Discussion at the Leidos Supplier Innovation & Technology Symposium
Coalfire was asked to participate on a technical panel about the Internet of Things (IoT) at the Leidos Supplier Innovation & Technology Symposium on June 6. This event is a dynamic day enabling Leidos' largest suppliers, as well as targeted start-ups, to showcase their offerings and capabilities to a...
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL
I like to do bug bounties from time to time, mostly when I am sacrificing sleep once the kids are finally out cold. This seemed like a worthy experience to document. Let me just start by saying I don't plan on going into the whole recon bits too deeply here. Maybe I will someday if I ever have...
Pro Tips: Testing Applications Using Burp, and More
Burp Suite is one of my favorite tools for web application testing. The feature set is rich, and anything that it does not do by default can usually be added with an extension. There are a few things, however, that while they exist in Burp Suite, are not completely intuitive. Below are a few pro...
A Cyber Engineering Primer: Vulnerability Management Lifecycle
According to the SANS Institute, "Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management...
Continuous Monitoring in the Cloud
I recently spoke at the Cloud Security Alliance's Federal Summit on the topic "Continuous Monitoring / Continuous Diagnostics and Mitigation (CDM) Concepts in the Cloud." As government has moved, and will continue to move, to the cloud, it is becoming increasingly important to ensure continuous...
PowerShell: In-Memory Injection Using CertUtil.exe
Have you ever heard the old saying, "The only constant in life is change"? Nothing is truer in the world of penetration testing and information security than the certainty of change. New defenses are always emerging, and the guys and gals in the red team game are always having to evolve our effor...
Exploiting an Unsecured Dell Foglight Server
Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems. It ships with a default username and password of "foglight"...
Pro Tip: The Right Way to Test JSON Parameters with Burp
Here's a Burp trick you might not know, which helped find this instance of command execution and lots of SQL injection in other applications. Despite PortSwigger claiming otherwise, Burp does not parse JSON very well, especially nested JSON parameters and values like those you see below...
PCI DSS v3.2.1 – What You Need to Know
On Thursday, May 17, the PCI Security Standards Council (PCI SSC) released an updated version of the PCI DSS standard, primarily to include clarifications and minor revisions around controls that referenced SSL/early TLS. The new version removes notes referring to the effective date of February 1,...
A Cyber Engineering Primer: Automated Tools for Compliance Auditing
Cybersecurity practitioners sometimes forget to define and explain the terms we use during the course of our work. Thus, my colleagues and I have embarked on a series of posts that provide a primer on some of the most important cyber engineering practices. In this post, we will focus on...
AWS Certified Cloud Practitioner: A Valuable Certification for Professionals in Non-Technical Roles
Within the past year, AWS unveiled what is arguably one of the best programs it has ever offered to non-technical professionals in the AWS Partner Network (APN): the AWS Certified Cloud Practitioner certification. The program, which is especially valuable for those in sales or marketing roles,...
Microsoft Word Document Upload to Stored XSS: A Case Study
Anytime I see a file upload form during an application test, my attention is piqued. In a best-case scenario, I can upload a reverse shell in a scripting language available on the web server. If the application is running PHP or ASP, for example, it becomes quite easy. If I can't get a backdoor...
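The upload weakness described above comes down to how the server decides what to accept and how it later serves the file. The following is an added illustration, not code from the case study: a permissive denylist check of the kind a tester hopes to find, beside a hardened version that allowlists the final extension, rejects any executable or markup extension anywhere in the name, checks magic bytes against the declared type, renames the file, and serves it as a non-rendering attachment. The set of allowed formats, their magic bytes, and the list of active extensions are assumptions chosen for a hypothetical application that only needs Word and PDF uploads.

```python
"""Upload handling: a permissive check a tester walks through vs a hardened one.
Added illustration, not the case study's code. ALLOWED and ACTIVE are assumed
values for a hypothetical app that accepts only Word/PDF documents."""
import os
import secrets

# Formats the hypothetical application actually needs, with their leading bytes.
ALLOWED = {
    ".docx": (b"PK\x03\x04",),                        # OOXML is a zip container
    ".doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE compound file
    ".pdf":  (b"%PDF-",),
}
# Anything the web server might execute or a browser might render as markup.
ACTIVE = {".php", ".php5", ".phtml", ".asp", ".aspx", ".ashx", ".jsp",
          ".cgi", ".pl", ".py", ".htm", ".html", ".xhtml", ".shtml", ".svg"}


def naive_accepts(filename: str) -> bool:
    """Vulnerable: a denylist on the client-supplied name. shell.php, a.aspx
    or x.html (stored XSS) all pass, and the name is reused on disk."""
    return not filename.lower().endswith((".exe", ".bat"))


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Allowlist the final extension, reject an active extension anywhere in
    the name (shell.php.docx, report.docx.php, .htaccess) and require the
    content to start with the magic bytes of the declared type."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:       # no extension, or a dotfile
        return False
    exts = ["." + p for p in parts[1:]]
    if any(e in ACTIVE for e in exts):
        return False
    ext = exts[-1]
    if ext not in ALLOWED:
        return False
    # Magic-byte check: a zip-shaped blob still passes as .docx, so this
    # narrows the attack surface rather than proving the file is benign.
    return any(content.startswith(magic) for magic in ALLOWED[ext])


def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the allowlisted extension, so an
    attacker never controls the path the file is written to or served from."""
    ext = "." + filename.lower().rsplit(".", 1)[-1]
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


def download_headers(stored: str) -> dict:
    """Serve as an attachment so the browser never renders the content inline
    and never sniffs it into HTML; the file itself should live outside the
    web root, where the server cannot execute it."""
    return {
        "Content-Disposition": f'attachment; filename="{stored}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }
```

The naive check is what makes the PHP/ASP case "quite easy": only the name is consulted and only against a short denylist. The hardened path treats the client's filename as untrusted input, and the download headers cover the stored-XSS variant, where an accepted document type is later rendered by the browser.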
Cloud Security Governance - Optimizing the Business Benefits of Security in the Cloud
Enterprises are increasingly pursuing the business advantages of migrating technology platforms and services into the cloud, leveraging one or more of the three main cloud service areas: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Thes...
Cooking Up Shells with Chef
I was able to compromise a Chef server on one of my recent engagements. Owning a Chef server means having the keys to the castle. I wasn't quite sure how to go about using this tool. I'm familiar with Puppet, as I've spent the majority of my career on the systems side. Having never run into Chef, I...
RSA 2018 recap: GDPR, Increasing Visibility and Transparency of Cloud Security
RSA 2018 is in the books! The event welcomed 42,000 attendees to San Francisco, including cybersecurity professionals, vendors, media, and analysts. The themes of visibility and transparency repeatedly came up in discussions and presentations as organizations grapple with ever-increasing data flo...
PCI Compliance: Early-TLS and Cloud Service Providers
Organizations tracking their PCI compliance are likely aware of the impending June 30, 2018 deadline to disable SSLv3 and early TLS. This blog post examines the special case of Cloud Service Providers (CSPs) and how their customers should proceed to achieve compliance...
A Cyber Engineering Primer: System Compliance and Hardening
Cybersecurity is a hot topic for just about everyone: it affects organizations as well as individuals, workers, and citizens. Each of us needs at least a basic understanding of how to safely use and protect the devices and systems that are a part of our day-to-day lives...
AICPA Releases New SOC 2 Guide – What You Need to Know
In March 2018, the American Institute of Certified Public Accountants (AICPA) released its highly anticipated new System and Organization Controls 2 (SOC 2) guide, which includes information for the extant 2016 trust services principles and the new 2017 trust services criteria. The following is a...
Amanda Mesler of Microsoft Addresses the Women of Coalfire
Last month RISE, Coalfire's association of women in cybersecurity and leadership, welcomed our inaugural guest speaker, Amanda Mesler, General Manager of Microsoft Central and Eastern Europe. I had the great fortune to interview her and lead a discussion with our members...
Sleuthing the Cloud: The Challenges of Forensics in Cloud Environments
More and more companies are embracing Cloud computing for the practicality, efficiency, and economy of outsourcing the housing, maintenance, and monitoring of applications and their associated infrastructure to a third-party provider. As the Cloud becomes more the norm than the exception, there i...
Background Checks on AIs and Other Challenges in the PCI World
Coalfire has noted a number of leading-edge technological challenges for enterprises managing the rapid pace of innovation while also aiming for PCI compliance. We'd like to review our recent experience and offer suggestions for these comparatively novel situations...
A Good Shell Is Hard to Choose
I had the recent opportunity to speak at BSides SLC, held on the Sandy campus of Salt Lake Community College. I tailored my presentation to the student demographic and chose to talk about one of the fundamental concepts that a penetration tester must understand: types of shells. I touched on the...
On Padding Oracle Attacks
POODLE is a vulnerability disclosed in late 2014, and it is still occasionally seen during penetration tests. It allows an attacker with a man-in-the-middle position to downgrade a secure connection between a client and a server to the vulnerable SSLv3. After the connection is...
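Once a connection has been forced down to SSLv3, what the attacker exploits is CBC mode with a receiver that reveals whether padding was valid. The following is an added example, not code from the post above: it implements the general CBC padding oracle attack (Vaudenay's technique, of which POODLE's SSLv3 variant is a special case) against a local oracle and recovers a plaintext without ever seeing the key. To keep it runnable offline with only the standard library, the block cipher is a toy SHA-256 Feistel network standing in for AES or 3DES; it is not a real cipher, and the `VulnerableServer` class and `demo()` function are constructed for this illustration.

```python
"""CBC padding-oracle attack (Vaudenay's technique) run against a local oracle.
Added illustration: the block cipher is a toy SHA-256 Feistel network so this
runs offline; it stands in for AES/3DES and is NOT a real cipher. The attack
never touches the key; it needs only a receiver that leaks 'padding valid?'."""
import hashlib
import os

BLOCK, HALF, ROUNDS = 16, 8, 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:   # Feistel round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data: bytes) -> bytes:          # PKCS#7: each pad byte = pad length
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

class VulnerableServer:
    """Receiver whose error behaviour distinguishes bad padding from good."""
    def __init__(self) -> None:
        self.key = os.urandom(BLOCK)    # never exposed to the attacker

    def encrypt(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(plaintext))

    def padding_is_valid(self, data: bytes) -> bool:   # the oracle: one bit
        try:
            unpad(cbc_decrypt(self.key, data[:BLOCK], data[BLOCK:]))
            return True
        except ValueError:
            return False

def padding_oracle_attack(oracle, data: bytes) -> bytes:
    """Recover the plaintext of iv||ct with at most 256 queries per byte."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)        # D_k(target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            want = BLOCK - pos          # pad value forced into bytes pos..15
            crafted = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                crafted[j] = inter[j] ^ want
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted) + target):
                    continue
                if pos == BLOCK - 1:
                    # Edge case: hit may be 0x02 0x02 (or longer), not 0x01;
                    # flipping the byte before it breaks only those.
                    crafted[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(crafted) + target)
                    crafted[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ want
                break
            else:
                raise RuntimeError("oracle never accepted any padding")
        recovered += _xor(bytes(inter), prev)   # P_i = D_k(C_i) xor C_{i-1}
    return unpad(recovered)

def demo(secret: bytes = b"Cookie: sid=7c1f9; role=admin") -> bytes:
    server = VulnerableServer()
    return padding_oracle_attack(server.padding_is_valid, server.encrypt(secret))
```

The attacker feeds the server a crafted block as the IV followed by one real ciphertext block, so the server decrypts `D_k(C_i) xor crafted` and its accept/reject answer leaks one byte of `D_k(C_i)` per 256 guesses at most; XORing that with the real preceding block yields the plaintext. In SSLv3 the receiver checks only the final padding-length byte, which is why POODLE needs a different block-shuffling trick and gets one byte per 256 requests, but the underlying lesson is the same: any observable difference between "bad padding" and "good padding" turns the receiver into a decryption oracle, which is why SSLv3 has to be disabled rather than patched.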
Takeaways from GAM 2018: Internal Audit Embraces Cybersecurity
Last week, the Institute of Internal Auditors (IIA) held its 2018 Global Audit Management Conference at the Aria Resort in Las Vegas. With over 1,700 attendees, this was the most well-attended event in the history of the conference. Coalfire was one of the sponsors, and we were delighted to meet wi...
Icebreaker: Chip Away at Active Directory Passwords, Automatically
To break the ice with Active Directory and shorten the cycles penetration testers spend on cracking passwords, I developed Icebreaker, a tool that automates network attacks against Active Directory and provides plaintext credentials. Icebreaker performs five network attacks in order...
Managing Your Vulnerabilities, FedRAMP Style
As a member of Coalfire's Cyber Engineering team, I frequently get questions about vulnerability Deviation Requests (DRs) from Cloud Service Providers (CSPs) seeking Federal Risk and Authorization Management Program (FedRAMP) authorizations. In this post, I'll try to answer questions we frequently...
Highlights from the HITRUST Third-Party Assurance Summit
The HITRUST TPA Summit brought together experts representing customers, vendors, and assessor firms in various aspects of risk management to share best practices, lessons learned and effective third-party risk management strategies leveraging the HITRUST CSF Assurance Program and HITRUST Assessme...
DFARS 7012 Compliance
At Coalfire, we field a lot of questions from government contractors about compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. We also address requests for help with "DFARS 7012," which is a commonly used shorthand for Defense Federal Acquisition Regulation...
NIST Interagency Report on IoT: An Incremental Step Toward IoT Standards
The Internet of Things (IoT) has been widely regarded as representing a significant cybersecurity risk, which will only grow as connected devices continue to proliferate. As an important step in addressing these concerns, the Interagency International Cybersecurity Standardization Working Group IIC...
New SEC Cyber Risk Disclosure Guidance: What Does It Mean for Public Companies?
On February 21, the U.S. Securities and Exchange Commission (SEC) issued long-overdue cybersecurity interpretive guidance addressing the methods and timing of disclosures of cybersecurity risks and incidents. To signify the importance of this updated guidance, five SEC commissioners issued the...
NIST SP 800-171: What U.S. Government Contractors Need to Know
In December 2016, NIST released Special Publication 800-171, Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems. Since that publication, I have worked with dozens of government contractors to help them understand this publication and determine if and how it applies t...
The HITRUST CSF Version 9.1 Release – How It Could Apply to Your Organization
If you're familiar with the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF), then you're likely aware that HITRUST revises the CSF requirements twice annually to account for new regulations, technologies, and business models affecting the security of Protected Health...
Cyber Engineering for 2018 and Beyond
2017 could be considered one of the most exciting or horrifying years in the technology industry. End-of-year statistics showed that the number of reported breaches in the business sector saw a 21% increase over the previous year, and headlines from all major news outlets were riddled with report...
Introducing Red Baron - Automate the Creation of Resilient, Disposable, Secure, and Agile Infrastructure for Red Teams
The need to automate the creation of disposable red-team infrastructure is key to providing effective adversary simulations. As Coalfire Labs continued to grow, our team needed a system to quickly configure and spin up C2 and/or phishing infrastructure, run multiple campaigns at the same time, an...
The Archimedes Medical Device Security 101 Conference - A Secure Forum for Security Issues
The University of Michigan's Archimedes Center for Medical Device Security hosted its second annual MDS 101 conference in Orlando this month. The conference provides a secure forum for attendees to speak freely about cybersecurity issues with respected professionals who can help establish best...
Has Your O365 Account Been Hacked?
In the past six months, Coalfire has seen an increase in businesses receiving fraudulent emails from legitimate client accounts with fraudulent invoice attachments. In several cases, the recipient paid the invoices not realizing they were fraudulent. The losses have ranged between thousands and...
The Spectre of Chips on Meltdown
The news is rife with emerging details of Intel and other chip vulnerabilities, the hardware bugs behind them, and the attacks that can potentially exploit them. While details are still developing and will likely continue to be uncovered in the days, weeks, and even months ahead, we will explore what is known to date...
Healthcare Security Pros Prioritize Sharing and Caring in the Wild, Wild West of Healthcare
Security professionals from healthcare delivery organizations (HDOs), medical device manufacturers, and pharmaceutical companies gathered in Scottsdale, Arizona for the NH-ISAC Cyber Rodeo Summit last month. The big topics were how to share more threat intelligence, while at the same time ensuring...
Look Out! Risk Is on the Move, According to IoT Thought Leaders from Across the Globe
The IoT Security Summit 2017 in New York City in late October and the Security of Things World USA 2017 in San Diego last month were both packed with thought leaders from all parts of the IoT ecosystem - device manufacturers, telecom carriers, cloud providers, and early-adopter end users from...
Black Hat Europe puts cybersecurity on the C-Suite Agenda
Black Hat is renowned for being one of the biggest, most technical security conferences in the world, operating in the USA, Europe and Asia. 2017 marks Europe's first Black Hat Executive Summit, a format well received by senior executives, who are able to openly discuss cyber security concerns and...
Cybersecurity Incident Response: Three Lessons from Uber’s Story
The recent news regarding the Uber breach has captured the attention of both the public and legislators. It seems that Uber's security team discovered a breach, paid a ransom, and didn't report the matter to company leaders, law enforcement, personnel, or customers...