Deploying and Troubleshooting Compliance Baselines
If you are in the IT space, you've most likely encountered or are bound by some form of regulation/framework such as PCI, HIPAA, FISMA, and/or CJIS. Most of these compliance programs require a hardened baseline to be implemented within your information systems to reduce the risk and impact of an...
She Powers Tech
November 28th at the Venetian in Las Vegas, AWS re:INVENT held an important session that could shape the future of technology. The sold-out session, SHE POWERS TECH: Women Supporting Women in Tech, filled a ballroom with 500 women in technology and a few men who were interested in the topic. The...
How Next-Generation Firewall Platforms Help Protect Your Perimeter at Each Stage of the Cyber Kill Chain*
Whether you need to upgrade your firewalls on-premises or in the cloud, next-generation firewalls (NGFWs) can significantly reduce the risks associated with the modern threat landscape. Since attacks have evolved using techniques such as encryption, polymorphism, etc., firewalls have also evolved to...
News and Updates from the PCI Europe Community Meeting
In September, Hurricane Irma forced the PCI SSC to cancel the North America Community Meeting; and the uncertainty of Catalonian independence from Spain may have led some to stay home from the Europe Community Meeting held in Barcelona last week. Nevertheless, the Coalfire team was well-represent...
Capital One Fraud Seminar Recap
Recently, I was honored to be invited as a panelist at a recent seminar hosted by Capital One Spark Business to share some views on fraud prevention and cybersecurity with their customers. I was joined by a few other industry experts, Gerald Glickman, a Manager of Capital One's Fraud Analysis team...
Scripted Inputs and Splunk
Splunk is an extremely versatile tool when dealing with data: - Monitor files? Check! - Listen in on an open port? Check! - Monitor the file system? Performance monitor? HTTP Event Collector? - Check, check aaaaand check! But what if the data you want to ingest does not have a method listed...
Top 10 Things CSPs Need to Know about FedRAMP Authorization on Amazon Web Services
Coalfire conducted a webinar, "FedRAMP on AWS: What you need to know." The discussion covered what cloud service providers need to know when pursuing FedRAMP authorization leveraging AWS U.S. East/West or GovCloud. Below you'll find the Top 10 things that cloud service providers should know...
An Analysis of PCI DSS Requirement 11.3.4.1 and the Compliance Expectations
For some organizations, understanding, navigating, and complying with the Payment Card Industry (PCI) Data Security Standard (DSS), especially after the release of the latest version (v3.2, released in April 2016), has become confusing and/or challenging because of the inclusion of phased-in applicabili...
Blockchain: Are You Ready?
By now, most of us have heard of Bitcoin. Few of us really know the specifics about what that is. Fewer still have a workable or even cursory knowledge of the underlying technology that makes Bitcoin possible...
How I discovered CVE-2017-13707
New Vulnerability Found Using Techniques Taught at Black Hat USA. One of the topics I teach in Coalfire's Adaptive Penetration Testing course, given most recently at Black Hat 2017, is manual privilege escalation on Linux- and Unix-based systems. I also talk about how common it is to gain an initia...
How You Respond Can Make All the Difference
Part Three of a Three Part Series. As the narrative on the Equifax compromise evolves, the general public, politicians, and speculators continue to seek blame for what happened. Was it an unpatched vulnerability? Was Equifax not following proper configuration management? Was management derelict in...
The Value of Governance in Minimizing Cybersecurity Incidents
Part Two of a Three Part Series. Since Equifax's September 15th statement about their well-publicized, broadly discussed major security incident, Coalfire has fielded multiple inquiries from clients who are wondering if such an incident could happen to them, and if there is anything that they can d...
Protecting Confidential Data: You May Not Be as Secure as You Think
Part One of a Three Part Series. Unless you have been out of the country or otherwise shunning the news, you have likely heard that on September 7th and again on September 15th, Equifax reported that it suffered a security incident from May 13th through July 30th, 2017. This breach is broad reachi...
Blueborne – Don’t Panic!
Here is what we know right now: Security company Armis recently released research identifying eight newly discovered vulnerabilities that exist in the wireless communications protocol Bluetooth, which could potentially affect a large percentage of the estimated 8.2 billion Bluetooth enabled...
How to Address Major Gaps in Third-Party Risk Management Programs
While securing the organizational environment, it's easy to focus on the enterprise assets without thinking as much about the vendor ecosystem. However, that extended ecosystem and how it interacts with the organization is a potentially significant risk if not secured properly...
Forensically Imaging a Microsoft Surface Pro 4
Working on digital forensics can sometimes create some challenging situations. Recently, we received a couple of Microsoft Surface Pro tablets to image and analyze. Having conducted forensics for a while, I realized that, depending on the version, imaging this tablet could be a challenge. Some...
FedRAMP JAB Business Case extended
The FedRAMP Business Case deadline for being considered for this cycle of the Joint Authorization Board (JAB) has been pushed out to August 31 at 5:00 p.m. Eastern. The additional time is to accommodate the large number of requests to document demand verification. Earlier, the JAB stated that federal demand...
Coalfire’s Adaptive Penetration Testing at Black Hat Helped Prepare Tomorrow’s Security Talent
What makes a penetration tester highly successful? Most obviously, the technical skills to hack into a network, application, or location come to mind first, and without those capabilities and the ability to continuously learn, an aspiring pen tester has a tough road ahead of them...
SOC 2 Criteria: Change Is Coming - And You Can Have a Voice
SOC 2 reports are an important tool service providers use to give their customers assurances about their service's security, compliance, privacy, availability, confidentiality and processing integrity by providing details about the service and the related controls that are in place. SOC 2...
Black Hat 2017: training, cybersecurity trends and end-point protection
Every year, Black Hat is a highly anticipated event in the cybersecurity community, and Black Hat 2017 certainly did not disappoint! It was yet another year of record traffic, bustling with visitors from the security community who want to strengthen their security skills and postures...
Just a Few Seats Left at the Coalfire Adaptive Pen Testing Training at Black Hat!
Black Hat is just around the corner, and Coalfire is gearing up for the best Adaptive Penetration Testing Training yet! We've adapted the Adaptive Penetration Test Training course with new instructors, enriched content, and new labs to provide the richest training to date. The revised training now...
Getting cert-y with all-5 AWS certs
I thought my recent experience achieving all five (5) AWS certs might be helpful to others in the community who are looking to do the same. However, this blog isn't meant to stand on its own, and I encourage everyone interested in going for all 5 certs to read other blog posts too...
Petya/NotPetya: What It Is, and What You Can Do Right Now
Just when we thought there were no more tears left in the wake of WannaCry, it's time to pull out the tissues yet again for the latest global cyber incident: introducing "NotPetya," the most recent ransomware variant to creep across continents and affect companies across many industries. Please re...
Getting the Most Value Out of Your Phishing Program
Are your phishing tests worth the money you are spending on them? Please don't misinterpret that as suggesting you shouldn't be testing your users. To the contrary, I think you should be testing all your users, executives of all ranks included, on a regular basis. What I mean by that question is: are...
AWS Public Sector Summit 2017: Cloud Super Powers and Security
Coalfire recently returned from the Amazon Web Services (AWS) Public Sector Summit, held in Washington, D.C., which addresses some of the most pressing issues today's leaders face around security, governance and compliance, and more. While Coalfire has attended the show in the past, we were especial...
Q&A from P2PE-NESA Webinar for Merchants
The selection of a PCI-listed P2PE solution and determination of expected benefits can be challenging for even the most sophisticated merchants. The introduction of the NESA program can make decisions more difficult. To help guide merchants, Coalfire and FreedomPay held a webinar "P2PE & NESA for...
A Growing Symphony of Security Analytics Tools Needs Careful Orchestration
Security analytics tools available to companies are increasing rapidly. However, cyber incident and vulnerability prevention, detection, response, and recovery times remain significant challenges as the types of attacks and attack vectors increase. Newer cyber analytics using machine learning are...
Ransomware: the anatomy of paying a ransom to decrypt hostage files
Ransomware is on the rise, and clients seeking to understand the process can learn from this client's story of being a ransomware victim: what to expect and how to handle a ransomware attack. Recently a company facing a malware infection approached us to help them deal with the...
President’s Cybersecurity Executive Order
On May 11, 2017, President Trump released the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This E.O. -- while standalone in focus -- should be seen in the context of a greater move in the Executive Branch to elevate the awareness...
Information and guidance for dealing with WannaCry
Coalfire continues to closely monitor the WannaCry ransomware attack. Much has been written over the past few days about the attack. For those of you who may not have had time to review in detail and assess appropriate actions for your organization, we wanted to provide summary information...
SOC 2 Type 1 and SOC 2 Type 2 Frequently Asked Questions
Coalfire's SOC Practice Directors Dixon Wright and Jeff Cook recently conducted a webinar on AWS and SOC Reporting, "What you need to know." The presentation provided a lot of good points that organizations should know or be prepared for regardless of the technology that is being used. Below you wil...
Meeting FedRAMP and Government Standards – Coalfire Securealities Report
Coalfire released the results of its first annual FedRAMP Marketplace report - Securing Your Cloud Solutions: Research and Analysis on meeting FedRAMP and Government Standards. The findings highlight many positives for cloud service providers and federal agencies, but also opportunities for both ...
Ransomware Response: To Pay or Not to pay
Recently, I was speaking with a CISO friend of mine and he mentioned that his company suffered a breach. I asked if it was a ransomware attack, and sadly, that was the case. Malware had infected nearly every connected computer. Clearly there was a breakdown in protective controls, but I'll get to...
Accelerating Point-to-Point (P2PE) Adoption
How Coalfire is Helping Increase Access to PCI-listed P2PE Solutions. Use of a PCI-listed P2PE solution offers significant security and compliance benefits. However, merchants and service providers are still challenged to take full advantage of this opportunity. Coalfire has invested in solving...
DevOps, Automation, Security and Compliance
Phew, the title of this post alone sounds like it could be quite a lot to deal with! So what is DevOps? DevOps is simply the blending of infrastructure operations processes and software development to enable faster changes to business applications/technology. These processes share a lot of ideolo...
FedRAMP Tailored program for low-risk use cloud service offerings
On February 16, the FedRAMP Project Management Office (PMO) released the new FedRAMP Tailored security controls baseline for public comment (the comment period closes March 17, 2017). The new FedRAMP Tailored security controls baseline was created for Cloud Service Providers (CSPs) who have cloud service...
New York State Implements Cybersecurity Regulation 23 NYCRR 500
On March 1st, 2017, sweeping new cybersecurity requirements were placed on organizations regulated by the New York State Department of Financial Services. The law applies to a broad set of covered entities that are supervised by the NYDFS, including banks, trusts, budget planners, check cashers,...
Cloud Burst?
The cloud can burst!? This week's AWS service disruption showed us the importance of architecting a system to account for failure, and how to be successful when deploying your solution in the cloud...
2017 RSA Conference Highlights
Over five days, 45,000 consumers and thought leaders convened at the 2017 RSA Conference, sharing insights on how to stay ahead of today's - and tomorrow's - cyber threats. Coalfire was in the thick of it, and here we've compiled some of the most important takeaways...
SSAE No 18 effective for SOC reports dated May 1, 2017
The AICPA Auditing Standards Board (ASB) announced new changes for SOC reporting under SSAE No. 18 in April 2016. A description of the changes and what they mean for service organizations is below. The AICPA's attestation standards contain the requirements and application guidance for performing and...
Reconciling Quarterly ASV and QSA Scanning Requirements
In the compliance realm, the term "quarterly" seems to be a sound and straightforward term used to provide guidance and to aid entities in adhering to requirements. However, its meaning can vary based on its context in relation to dealing with various compliance requirements from your ASV and QS...
FedRAMP Readiness Assessment Report (RAR) template launched
As part of the FedRAMP Accelerated process, cloud service providers (CSPs) can now complete a Readiness Assessment Report (RAR) to demonstrate their readiness for the FedRAMP process. The RAR is required for CSPs pursuing the FedRAMP JAB approval route. CSPs should also consider having a Readiness...
New PCI DSS Scoping Guidance Corroborates Coalfire’s Approach
On Friday, December 6th 2016, the PCI Security Standards Council released their formal information supplement titled, Guidance for PCI DSS Scoping and Network Segmentation. This particular information supplement has been eagerly anticipated in the PCI DSS industry for several years. The document...
What’s Your Computer Thinking About? Examining Random Access Memory (RAM)
How valuable would it be to be able to read another person's mind? To know what they're thinking or planning to do would be invaluable. Or, how valuable would it be to know what they have done in the recent past, especially if you believed they were involved in some criminal activity? Who they were...
FedRAMP in Bloomberg
Recently, Bloomberg Government published an article that describes the increasing awareness of the Federal Risk and Authorization Management Program (FedRAMP) as a major factor affecting the federal marketspace. The article indirectly indicates a major first-mover advantage, as there are "only 77...
New PCI NESA Guidance is Good News for Non-Listed Encryption Solutions
While PCI P2PE is still the most secure approach, solution providers, who are not yet validated, can now offer additional clarity to merchants, QSAs, and acquirers...
Yahoo / Verizon: A $1B Data Breach Discount?
In July of this year, Verizon announced it was going to buy Yahoo for $4.8B. A few weeks later, Yahoo started investigating a potential data breach of around 200 million records that were for sale on the Dark Web. In mid-September, Yahoo disclosed that sometime in 2014, they were attacked and rough...
Optimizing your PCI Compliance Investments
Everybody knows that the cost of a breach is high. Given the fact that the chance of a data breach for all merchants is nearly 1-in-4, it's important to not only have PCI compliance in place, but also the right solutions to optimize your compliance spend...
FedRAMP Plans for 2017
The Federal Risk and Authorization Management Program (FedRAMP) plans to continue to build on 2016 successes by planning for an ambitious 2017, according to a series of blog posts released by the General Services Administration (GSA)...
Ghosts in the Bank
It was a dark night. A car pulled up in the parking space next to me and quickly extinguished its lights. I looked out my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk, I pulled out my tools for the night. A backpack full of trash bags, a flash...