To [Hell] Shell and Back
My initial thought was it has to be the firewall keeping my reverse shell from getting out of their environment. So, leveraging the command execution vulnerability, I started testing outbound internet access from the vulnerable server to my server on the internet, only to find that the port I had...
How Twitter, Amazon, and others were impacted by last Friday's DDoS attack - and what you might want to do about it.
Our partner, the Chertoff Group, issued the following advisory. Client Advisory: October 21 distributed denial of service (DDoS) attack. A major distributed denial of service (DDoS) attack recently (10/21/16) disrupted Internet communications throughout parts of the United States in several waves, and there...
What does the FBI have to say about ransomware
The FBI provided guidance on ransomware at a recent FBI/US Secret Service/ISAC event. They defined ransomware as a type of malware that is commonly transmitted through malicious email, which is disguised to look normal. Once the email link has been clicked on, or an email attachment has been...
The Cost of a FedRAMP Assessment from a 3PAO Perspective
FedRAMP.gov recently published a blog titled How Much Does It Cost to Go Through FedRAMP? As a FedRAMP Third Party Assessment Organization (3PAO), we wanted to provide additional factors for consideration for organizations that are evaluating or pursuing a FedRAMP authorization...
FedRAMP Prioritization
Coalfire has been participating in the American Council for Technology and the Industry Advisory Council (ACT-IAC) Cloud Computing community of interest to contribute to developing the new FedRAMP JAB Prioritization process...
Thoughts on BSides Las Vegas 2016
I recently attended "Infosec Week" in Vegas - Black Hat, BSides and DEFCON. BSides is a high point every year. This smaller Con has a plethora of perks which make it a "must attend" and also offers many of the same benefits or advantages or opportunities as Black Hat and DEFCON...
Best of Enterprise and AD Exploitation at Black Hat / DEFCON
Lots of hacks, lots of people, lots of content, and lots of parties. That basically sums up this year's BlackHat and Defcon. The two conferences seem to get bigger every year with no sign of slowing down, which emphasizes how cybersecurity is becoming more and more of an issue for everyone:...
What is Defcon
The first year I attended, I was lucky enough to identify interesting wireless signals with a distinct sound - that of the POCSAG and FLEX protocols. Decoding these signals revealed party invites to the Telephreak party where I listened to raw, uncensored lightning talks covering topics from car...
Hacker Summer Camp – Recap of BSidesLV, Black Hat & Defcon
What a week! Hacker summer camp in Vegas was amazing! This was my first time through for all three of the conferences in Vegas - BSidesLV, Black Hat, and Defcon. I've been to BSidesLV and Defcon plenty of times, but experiencing all of these back-to-back-to-back, with a bit of overlap, gives a...
Sam Pfanstiel Appointed Director, Solution Architecture for Payments
Coalfire today announced Sam Pfanstiel has joined the company as the Director of Solution Architecture for Payments. Pfanstiel's experience spans solution engineering and consulting as well as research and development positions...
Robert Flores Named Vice President of IT
Coalfire welcomes Robert Flores as the newest addition to the cybersecurity risk management and compliance services leader's leadership team as its Vice President of Information Technology. Flores has a proven track record of driving strategy for high-growth IT companies while managing billion-doll...
What you need to know: Navigating EU Data Protection changes – EU-US Privacy Shield and EU General Data Protection Regulation
If you're an organization with trans-Atlantic presence that transmits and stores European citizen data (e.g. employee payroll & HR data, client & prospect data) in the U.S., you will want to pay attention. What we will discuss was administered under the European Union's Data Protection Directive and a...
One Way to Boost Proactive Cybersecurity
It's clear from media articles that new CISOs need to make an immediate impact on their organization's security program in the first 90 days with action items such as "make a quarterly plan for the next year"...
Creating a Cyber Insurance Policy
According to research from PartnerRe and Advisen, the global cyber-insurance market is currently worth $2 billion a year, a number which is expected to double by 2020. With 60% of underwriters and brokers seeing a significant demand in cyber-insurance from customers, there is clearly a great...
FedRAMP High Baseline Requirements Published
The Federal Risk and Authorization Management Program (FedRAMP) Project Management Office officially released its High baseline for High impact-level systems. This baseline is at the High/High/High categorization level for confidentiality, integrity, and availability in accordance with FIPS 199; an...
AWS releases PCI DSS Quick Start for Deploying PCI DSS In-Scope Workloads
In the next step to help customers adopt their platform for PCI, Amazon Web Services (AWS) has released their PCI DSS Quick Start program. The PCI DSS Quick Start program is the next evolution of cloud providers developing tools for rapid deployment of standardized configurations to drive adoption ...
Coalfire goes to Washington!
Our CEO Larry Jones visited The White House Thursday morning to join with First Lady Michelle Obama and Dr. Biden in the celebration of the Joining Forces initiative's fifth-year anniversary and announce Coalfire's pledge to hire and train veterans and military spouses...
What to Expect in the PCI 3.2 Update
A preview of new requirements and guidance expected later this month from the Payment Card Industry Security Standards Council was announced Thursday. The PCI DSS 3.2 version represents the first update to the standard that the Council has released since 3.1 in April 2015 and 3.0 in November of...
What You Need to Know From the Cybersecurity Act of 2015: Part One
On Dec. 18, 2015, President Obama signed into law an omnibus spending bill that included the Cybersecurity Act of 2015 ("The Act"). The Act was a compromise of cybersecurity information sharing bills that passed the House and Senate earlier in 2015. It creates a voluntary process for sharing...
PCI Council Gives Merchants Reprieve on PCI 3.1 Updates
The Payment Card Industry Security Standards Council (PCI SSC) released an update to its vulnerability standards and is giving merchants until June 2018 to migrate their security protocols, even though waiting is not recommended...
2016 Cybersecurity Predictions
The lessons learned from this past year teach us that no one is immune to cyber threats. The sooner corporate boards and executives come to understand that cybersecurity breaches are a very real and pervasive threat, the sooner the hard work can begin to take preemptive measures and prepare an...
Highlights from the HITRUST Health Industry Third Party Assurance Summit
On June 29, 2015, the Health Information Trust Alliance (HITRUST) announced that several massive payer organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group will require their business associates to obtain CSF certification. While this is old news,...
The Ghosts Inside - Horror Stories 2015
By 8 p.m. the donuts from the previous day had gone stale, what was left of them anyway. There was the eerie feeling of spirits in the night mist tonight. It was late October and the chill was thick with Halloween. You could smell it in the haze. I consider myself quite tough, but when you are a...
Breaching a bank in 20 minutes - Horror Stories 2015
I arrived onsite to suite 102, the bank's corporate headquarters, around 9:40 a.m. I was impersonating a local utility worker - with all the garments like a hardhat, clipboard, obnoxious yellow vest, and some old Timberland work boots. I played the part well...
The 100 Million Dollar Getaway - Horror Stories 2015
In today's security landscape, companies face daily threats to their reputation and intellectual property. The typical response to these threats is to purchase a tool or a service claiming to be a magical silver bullet that can respond to all "cyber" threats. In reality, the quest for a security...
The Clock is ticking for EU and US to Negotiate New Safe Harbor Deal: What You Can Do to Stay Out of Legal Limbo
European authorities have given the European Union and US officials three months to come up with an alternative to the Safe Harbor agreement after the European Court of Justice (ECJ) declared Safe Harbor laws invalid earlier this month. The new agreement must protect the personal data of European...
EC Ruling Invalidates Safe Harbor - Now What?
In a ruling on October 7, 2015, the European Court of Justice (ECJ) invalidated the principal European component of the U.S.-E.U. Safe Harbor Framework when it ruled in Schrems v. Data Protection Commissioner. In the ruling the court said that the existing U.S.-EU Safe Harbor agreement, overseen by...
Audio Video Media Forensics
Our media forensics practice is a fast growing part of Coalfire. We're often asked what we can do, and this post is intended to be a quick primer to provide some background if you're in need of this service and what you can expect from us and others in the field...
Coalfire Contributes to New Book on Cybersecurity
Today marks the launch of a new book published by the New York Stock Exchange and Palo Alto Networks called, "Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers." I'm proud to have worked with my predecessor, the late Rick Dakin, to contribute a chapter to th...
Report from the PCI SSC North American Community Meeting
The Payment Card Industry Security Standards Council held their 2015 North American Community Meeting this year in Vancouver, BC, from September 29 - October 1. Coalfire was well represented at the meeting, with Dan Fritsche, Managing Director, Application Security, making two presentations at th...
WS2-Cybersecurity Fundamentals Workshop
2-day workshop: Saturday 17 October - Sunday 18 October, 9:00 a.m. - 5:00 p.m...
Chip Cards Finally Come to America – But What Does it Mean for Merchants and Consumers?
Like it or not, today the U.S. finally adopts EMV technology. While the implementation by most major retailers and large U.S. banks is expected to be delayed, the "chip and PIN" card types are coming to America to stay. The real debate is, will EMV adoption do anything for card data security?...
RFPs and Needs Assessments for Higher Education
In this blog post, I will be discussing RFP best practices for Higher Education Institutions. Having worked with higher education organizations for a number of years, I've noticed some trends that could be useful as you and your department or institution head into another year of projects that may...
DerbyCon is right around the corner (Sept. 23 - 25)
DerbyCon is right around the corner (Sept. 23 - 25) and we wanted to highlight two sessions that Coalfire Labs team members will be presenting...
Coalfire Receives Investment from The Carlyle Group and The Chertoff Group
I'm pleased to announce that we recently closed on a significant investment from The Carlyle Group and The Chertoff Group - two prestigious investment groups that both have extensive experience in the cybersecurity space. The selection of these two firms came after an extensive six-month process o...
A huge applause from the NIST-OCR-HIPAA 2015 conference
It looked like the 8th annual conference may have garnered record-breaking attendance as I noticed hotel staff rushing to add skirted tables and chairs to the back of the room to accommodate a standing-room-only crowd. I guess that was to be expected given the star-studded line-up of presenters...
Guest blog: PCI audits and how to recognize a good QSA auditor and partner
Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal...
PCI Scope Assessments for Higher Education Institutions
With the release of PCI DSS version 3.0 and more recently 3.1, many Higher Education Institutions have found it hard to know which SAQs they should be filling out since there are now nine options. Higher Education Institutions have very complex merchant card environments and with the new...
What the PCI Council’s Point-to-Point-Encryption (P2PE) Update Means for You
Last week, the PCI Security Standards Council (PCI SSC) published the updated P2PE v2.0 standard. The Summary of Changes from v1.1 to v2.0, the updated P2PE Glossary and the PIM template are available in the PCI SSC documents library. According to the announcement, the highlights of the new version...
Banking with digital currency - A futuristic application
Digital Currency is a thing? $3 billion USD is out there in a digital format, not printed or managed by a government. It has many different product names and each one operates separately. One example of a digital currency is Bitcoin. It is only one of the many digital currencies...
Funeral Services for Rick Dakin
The funeral for Rick Dakin will be held on Tuesday, June 30 at 10 a.m. at the Gatehouse Lionsgate, located at 1055 South 112th Street, Hwy 287, Lafayette, CO 80026. Arrangements are being made through the Crist Mortuary in Boulder, Colorado. An online memorial page and guestbook will be set up...
In Memory of Our Friend, Rick Dakin
We are deeply saddened to announce that our founder and CEO Rick Dakin passed away suddenly over the weekend...
Is penetration testing required for HIPAA compliance?
In this blog post we're going to focus our discussion on the technical requirement part of this standard. The evaluation is supposed to establish the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of the HIPAA Security Rule. A questi...
P2PE in Higher Education--Reducing Applicable Controls
Point to Point Encryption (P2PE) is the hottest topic in the PCI world right now and many of our Higher Education clients are anxious to take advantage of the solutions available to them. However, with 2.0 not yet released, and then the subsequent release of the audit guidelines, there are many...
Final HITECH Act Stage 3 Meaningful Use Rules May Require Annual Risk Analysis plus a Risk Management Component
The comments are in and the HHS is scrambling to review them all before they issue the final Stage 3 Meaningful Use rules later this summer. Comments from entities such as CHIME and HIMSS represent good news and bad news for healthcare providers, depending on how you look at it. The HIPAA Securit...
Big news from the HITRUST 2015 conference: The HITRUST CSF is gaining momentum as the de facto framework amongst healthcare organizations
As the HITRUST 2015 conference in Grapevine, Texas ended, I was reminded of the numerous predictions that flagged 2015 the year of the healthcare breach. And in just the first half of the year we've already witnessed three mega breaches that combined to compromise over 90 million patient records. ...
COSO Framework for Service Organizations and SOC Reporting (Part 3 of 3)
In part 1 of this series, we discussed the recent changes to the COSO framework and the overall impact that the updated framework has on service organizations that receive Service Organization Controls (SOC) reports...
Evolving Financial Services Security Requirements: Part 1
Through the end of the year, the New York State Department of Financial Services (NYSDFS, or DFS for short) expects to proceed with a number of initiatives to help strengthen cybersecurity at its regulated companies. Among these changes will be integration of regular, targeted assessments of...
Reporting LIVE from the HIMSS 2015 Cybersecurity Command Center
Well, it's not exactly live anymore, but it certainly was worth tweeting live from the brand new Cybersecurity Command Center (CCC) at HIMSS 2015 in Chicago a couple weeks ago given all the excitement. The CCC was the place to be at HIMSS this year with standing room only at the educational sessions...
Upcoming Podcast: Python security projects
Join Coalfire penetration tester Dan McInerney on Thursday April 30th at 6:00pm ET on the Security Weekly Podcast...