The Coalfire Blog

PCI DSS 3.0 Is Coming Soon

Mon, 13 May 2013 19:36:43 GMT

The PCI Security Standards Council (SSC) plans on releasing the newest version of the PCI Data Security Standard in October, 2013. Predictably, the PCI SSC has been tight-lipped on divulging details regarding any expected changes.

Determining if your Company is Prepared for FedRAMP

Mon, 13 May 2013 07:00:00 GMT

Many companies interested in pursuing FedRAMP are seeking guidelines, checklists and any referenceable source to help them understand and determine their level of preparedness to go through the FedRAMP process. The GSA's FedRAMP.gov site provides documentation on the FedRAMP process in their "Guide to Understanding FedRAMP." In it is a 12-step checklist to help organizations gauge their readiness for FedRAMP.

Compliance Talk: Debt Collectors and PCI

Mon, 06 May 2013 15:27:33 GMT

As the largest IT audit and compliance advisor in the U.S., Coalfire is exposed to a wide variety of compliance concerns. In this series of Compliance Talk blogs, Dirk and Ken are back at their favorite coffee shop…the Bean and Berry in Louisville, Colorado. Over a couple cappuccinos, their discussion turned to some of the unique aspects, when it comes to data security, of debt collection companies.

Agencies to report progress with FedRAMP

Fri, 26 Apr 2013 13:00:00 GMT

The FedRAMP PMO recently conducted webinars on April 23 and 25 regarding Agencies requirement to report their progress on compliance with FedRAMP. The discussion covered the FedRAMP progress to date, the reporting requirements and process for moving services to FedRAMP authorized cloud service providers. You will find the archived webinars on the Past Events page of FedRAMP.gov when they are available.

The PCI DSS Cloud Computing Guidelines: An Executive Summary

Mon, 22 Apr 2013 16:01:35 GMT

The PCI SSC and its Cloud Special Interest Group has released its Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a big contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing compliance at companies using a Cloud Service Provider (CSP).

Getting Your Databases Audit Ready

Thu, 04 Apr 2013 18:56:26 GMT

Your database is perhaps one of the most sensitive targets for cybercriminals as they are your company’s primary repository for confidential and proprietary data. Besides knowing what vulnerabilities exist for your perimeter network and also for your internal systems, best practices require you to manage and protect your databases from unauthorized access, whether intentional or otherwise.

Information Governance: Get Data Classification Right First

Thu, 21 Mar 2013 21:48:09 GMT

Data classification is one of the most crucial elements of an effective information governance process—yet it’s also one that many companies fail to implement well. In its simplest terms, data classification is the process of categorizing data based on its level of sensitivity. When done properly, the classification of data helps a company determine the most appropriate level of safeguards and controls that need to be in place.

War on Passwords? Check with Your QSA First!

Thu, 14 Mar 2013 18:58:34 GMT

Passwords have long been the workhorse of user authentication schemes, and many security experts are speaking out on the need for more effective controls. It seems like hardly a week goes by when we don’t see a password breach in the news.

Whether you are a large or small business, beware of these 5 common security problems

Mon, 11 Mar 2013 19:44:31 GMT

Every January, the trade press if full of new year’s resolution-like advice… things to do in the coming year, even Coalfire made a few predictions for 2013. I work at Coalfire Labs, and since our business is IT security and testing, we want to share some advice on how to avoid your systems and accounts from being breached. While larger companies may feel they can skip some of these steps, and still remain safe, TJX, the parent company of T.J. Maxx and Marshalls learned the hard way the damages a breach can cause. Information from up to tens of millions of credit and debit cards was stolen costing TJX millions of dollars to get the problem under control. With this in mind, here is a list of five issues companies are prone to make, and ways to avoid negative ramifications.

Creative Ideas for Replacing Passwords

Fri, 08 Mar 2013 22:47:29 GMT

Passwords have been the de facto manner of providing security for IT systems. They’ve got a bad reputation, but it’s not the passwords themselves that deserve the reputation – it’s the individuals using them and the weak standards to which these passwords are managed. In fact, a password system implemented in a secure manner – long and complex passwords that change periodically – can be (virtually) uncrackable. However, a typical user isn’t apt to embrace a system that requires 15 characters or more (including numbers, upper and lower case, and special characters) and needs to change every two to four weeks.

The FFIEC proposes guidance on social media - can you stay two steps ahead?

Wed, 06 Mar 2013 20:06:43 GMT

On January 22, 2013, the FFIEC put out a press release called “Financial Regulators Propose Guidance on Social Media”. We should begin by saying that even without a social media presence, every company should address social media risks in their annual risk assessment. In this day and age where the average person has a smartphone, laptop, and a tablet, everyone is aware of social media. But what exactly is social media?

White House Executive Order on Cyber Security

Thu, 14 Feb 2013 23:23:05 GMT

The tense standoff between an unresponsive Congress and a reluctant critical infrastructure industry has been broken. On February 13, 2013, the President issued an Executive Order that provides initial guidance for the country to confront escalating cyber threats. Finally, we have someone with the courage to address the ‘elephant in the room’. Our critical infrastructure is under attack and our ability to defend against increasingly sophisticated attacks is simply not adequate.

All Aboard the HIPAA Omnibus - but is the ‘bus’ missing anything?

Wed, 06 Feb 2013 22:35:44 GMT

In the wake of the recently-released HIPAA Omnibus Rule with its upcoming deadline, healthcare organizations are trying to figure out how they’re going to achieve compliance. We’ve been busy trying to get through the 563-page rule and determine what it means to our clients.

Long-awaited HIPAA Omnibus Rule is Unveiled

Mon, 21 Jan 2013 22:56:04 GMT

As of January 17, 2013, the HIPAA Omnibus Rule has finally been released by the Department of Health and Human Services (HHS), which will modify the HIPAA privacy, security, and enforcement rules. The package of regulations, in regard to this long-overdue HIPAA Omnibus Rule, will officially be posted on the Federal Register on January 25, 2013 and will be put into effect on March 26, 2013. Covered entities and business associates will have until September 23, 2013 to comply with the new regulations.

FedRAMP PMO - FedRAMP Process and Developing SSP webinar Q&A

Wed, 16 Jan 2013 21:19:33 GMT

The FedRAMP program continues to gain momentum and GSA and the FedRAMP PMO conduct great, interactive, webinars available to attend live or to watch later. There is much to learn from the GSA on how to navigate the FedRAMP process according to their requirements.

South Carolina Data Breach Survey Results on Residents' Attitudes

Tue, 15 Jan 2013 23:44:49 GMT

Coalfire recently conducted a survey of South Carolina residents who were victims of the recent data breach at the Department of Revenue. The data breach affected residents of the State who had filed their taxes online exposing 3.8 million taxpayer Social Security numbers and nearly 400,000 credit and debit card numbers.

The PCI SAQ P2PE-HW: Patience, POIs and PIMs

Tue, 15 Jan 2013 19:25:48 GMT

The new PCI SAQ P2PE-HW (Point to Point Encryption Self-Assessment Questionnaire) was released in July 2012, and many merchants are excited about the prospect of a shorter, less arduous compliance validation effort. After all, it’s significantly shorter than the SAQ-D; instead 12 sections, there are 4, and 284 controls are reduced to 19.

What's Next in Retail IT? The Convergence of Mobile, P2PE and the Cloud

Tue, 15 Jan 2013 18:47:59 GMT

Greetings from the Javits Center in New York City, the site of the National Retail Federation’s Big Show. This year, the theme of NRF is “Next”.

When it comes to Retail technology – and in particular, security and compliance, the most talked about “next” things are:

Small Breach, Big Settlement

Tue, 08 Jan 2013 20:15:38 GMT

Earlier this week the Department of Health and Human Services (HHS) announced the first ever breach settlement where fewer than 500 patient records were compromised. The $50,000 settlement was issued as a result of 441 patient records being stored on an unencrypted laptop that was stolen from the Hospice of North Idaho (HONI).

P2PE Hybrid, the next best thing since the Prius

Mon, 07 Jan 2013 20:47:54 GMT

P2PE promises many things, the most coveted being scope reduction for the merchant and a shifting of the compliance burden from the merchant to the service provider. A properly implemented P2PE solution can indeed reduce the risk of compromise for a merchant as well as reduce the scope of what must be done to continue to maintain compliance to the PCI DSS.

What “Dexter Malware” tells us about the future of POS security (It might just be P2PE)

Fri, 21 Dec 2012 05:51:26 GMT

The recently announced Dexter malware is targeting POS systems and once in, it collects sensitive credit card data and surreptitiously sends it off to attackers. While the details of this particular attack are not yet available, this is not the first time this general approach has been exploited.

FedRAMP Question and Answer session from PMO webinar

Tue, 13 Nov 2012 17:18:29 GMT

On October 25, the FedRAMP PMO conducted its first webinar, in what will be a series of webinars, on the FedRAMP process. This first webinar covered the four methods that CSPs can get listed in the FedRAMP repository.

This webinar is well worth the time to listen to it. The PMO had a lengthy Q&A session, which we have transcribed for your convenience below. The FedRAMP PMO also provides a transcription, but leverages a speech-to-text service which garbled some of the phrases and meanings. Our human reviewed Q&A of that section of the webinar is below.

IT Security Horror Stories: Tale of the Fake IT Rep

Mon, 29 Oct 2012 21:08:32 GMT

Some IT security monsters aren't as obvious as a Mummy. At Coalfire Labs, we discover—and help our clients address—some pretty scary security and compliance problems. There are lots of deceptive monsters looking to exploit the weaknesses of their victims. This is one of those terrifying but true stories...

IT Security Horror Stories: Truth is Scarier Than Fiction

Mon, 29 Oct 2012 20:56:04 GMT

At Coalfire Labs, we discover—and help our clients address—some pretty scary security and compliance problems. Everyone’s heard of blood-sucking cyber criminals looking for vulnerable IT systems. Even when organizations have protections in place, these monsters just won’t give up. Their appetite is insatiable...

IT Security Horror Stories: The Case of the Phantom Technician

Mon, 29 Oct 2012 20:45:03 GMT

At Coalfire Labs, we discover—and help our clients address—a lot of scary security and compliance problems. Like zombies out looking for a victim, nefarious characters are out to attack your IT infrastructure and compromise your systems. Even when organizations have protections in place, the monsters just won’t give up. They keep coming. Consider this frightening tale...

Penetration Testing Frequently Asked Questions

Mon, 29 Oct 2012 15:37:12 GMT

You may have noticed this recent article about Google’s contest that rewarded a hacker for discovering a vulnerability in Chrome. Once Google verified the vulnerability, they were able to fix the bug and issue the cash prize to the hacker. This is a very public example similar to what Coalfire Labs does every day - working with security leaders to test their security programs.

Coalfire Client FireHost Achieves HITRUST CSF Certification

Fri, 19 Oct 2012 19:22:29 GMT

Yesterday, we were delighted to see our long-time client Firehost announce that they achieved Common Security Framework (CSF) “Certified” status from the HITRUST Alliance. Headquartered in Richardson, Texas, FireHost has made compliance a top priority, and we’ve enjoyed working with them to achieve this important designation.

Cyber Security Legislation

Thu, 04 Oct 2012 20:45:31 GMT

October is Cyber Security Awareness Month: Get Informed and Get Involved on Cyber Legislation. Every October, the National Cyber Security Alliance sponsors National Cyber Security Awareness Month, and a growing number of businesses and institutions are joining the chorus. The White House got in on the act, too, with this Presidential Proclamation.

To celebrate the month, Coalfire will be blogging on topics of interest to our customers and business partners, and we invite you to join the discussion. This first post is an update on cyber legislation.

My DEFCON social engineering talk and DerbyCon

Tue, 11 Sep 2012 19:14:31 GMT

This year has been a year of firsts for me and for Coalfire. I was recently hired to my first Information security job as a penetration tester for Coalfire Labs, the forensic and app/network testing side of Coalfire. Many of the Coalfire Labs team attended DEFCON in Las Vegas in early August.. Not only was it my first visit to DEFCON as an attendee but this was my first time speaking at a conference. Because it seems to be a year of firsts, we at Coalfire Labs thought it would be a good idea to share a first time speaker’s experience and an attendee’s views on this year’s DEFCON.

BYOD Survey Results: Employees are not playing it safe with company data

Tue, 14 Aug 2012 22:26:31 GMT

Employers are seeing a drastic increase in the number of employees using personal smartphones and tablets in the office. This “Bring Your Own Device” (BYOD) trend is causing headaches for the IT department and there is no stopping this trend. Due to the sensitive nature of company information often accessed on those devices, it has become a growing concern for small and large businesses alike.

Coalfire Certificates: Proof of a Job Well Done

Wed, 18 Jul 2012 19:58:35 GMT

Most security professionals don’t like to boast about their good work. They would rather stay behind the scenes to keep systems and data protected from harm. However, companies also need to let customers and business partners know that they have a security program and are compliant with applicable security regulations and standards. That is why we created the Coalfire Certificate program. -- so companies can highlight that their IT controls have been independently scanned, assessed or validated in accordance with the highest industry standards.

Proudly Supporting Our Country’s Navy Reserves

Tue, 10 Jul 2012 16:42:08 GMT

July is a month in which we celebrate our nation’s independence and we hope that you’ve had the chance to reflect on the many freedoms and blessing we enjoy as citizens of the United States. At Coalfire, we know full well that those freedoms have been paid for, at least in part by the America’s service men and women.

VMware releases PCI Solution Guide and it has good news for compliance-oriented buyers

Fri, 22 Jun 2012 22:41:09 GMT

This month VMware release an important document, the VMware Solution Guide for Payment Card Industry (PCI). It’s significant because it is the first document of its kind to map the PCI requirements – including those authored by the PCI SSC’s Virtualization SIG – to a commercially-available stack of virtualization solutions.

P2P Encryption Program now available from PCI Council

Fri, 25 May 2012 21:18:37 GMT

The PCI council has updated the Point-to-Point encryption (P2PE) program requirements (PDF). The update impacts merchants, payment applications, point of sale vendors and service providers. As a participating organization of the PCI P2PE task force, providing input into the standard, I wanted to briefly explain how this affects the various PCI ecosystem participants.

The ultimate goal of the P2PE program is to reduce the PCI DSS scope that merchants experience by shifting the burden away from merchants toward solution providers who are providing validated P2PE solutions. Deploying validated P2PE solutions will simplify PCI DSS validation for merchants while reducing the risk of cardholder data breaches.

Moving to the Cloud: Considerations for Implementing Cloud Migration Plans

Fri, 25 May 2012 20:13:02 GMT

Over 60 executive level attendees came to the Omni Interlocken Resort in Broomfield, Colorado for the National Council of Higer Education Loan Programs (NCHELP) Spring convention and to hear from a panel of cloud experts on how the migration to cloud IT services could impact their business in the future.

Coalfire Acquires Digital Resources Group in California

Thu, 10 May 2012 18:12:33 GMT

We have reached a new milestone at Coalfire and have announced the recent acquisition of privately held Digital Resources Group (DRG) in Redwood City, California. We are excited about our latest venture as it consolidates our leadership position within the IT Governance Risk and Compliance (IT GRC) services industry. As we continue to grow, acquisitions such as this will help us gain new staff, clients, skills and additional geographical presence enabling Coalfire to continue to provide top-notch services.

FISMA vs FedRAMP: Compliance requirement differences

Thu, 03 May 2012 17:47:32 GMT

Organizations that work with, or want to work with, government agencies must manage to government compliance regulations. Almost everyone is familiar with the FISMA compliance standards, but with the announcement of FedRAMP, which provides a structure to manage compliance requirements for "a cloud first initiative" for government agencies and organizations working with them, there’s a new set of compliance requirements to adhere to. Or is there?

The hackerproof password? Tips and advice on password management

Wed, 02 May 2012 14:56:22 GMT

Having some security expert tell you that you should be creating strong passwords that are unique per account and change frequently is like your dentist telling you that you should floss morning, night and after consuming any dentally dangerous foods. The majority of us say, “yeah right”. The truth is that you really must do better than what the average person is doing today. In our penetration testing and forensics practices we constantly discover, usually very intelligent, people using the same weak password or PIN across every account without ever changing them.

Surprises Ahead for Some Level 2 Merchants

Thu, 12 Apr 2012 21:10:09 GMT

The PCI DSS has been around for years, and most PCI “pro’s” are familiar with the processes needed to validate compliance. However, insiders often forget that small changes to the guidelines can have a big impact on merchants.

One such change is upon us: MasterCard’s new validation guidelines for Level 2 merchants that are scheduled to take effect on June 30, 2012.

Mobile Banking Malware: Protect Your Finances

Mon, 02 Apr 2012 14:02:36 GMT

The prolific rise in smartphones, tablets and other portable devices has greatly expanded the ways in which we interact with personal and professional services. The public can now singlehandedly use their mobile device to pay for things with the ease of flashing their cell phone. Unfortunately, this rapid expansion of convenience and service also expands the threats.

What We Learned at HIMSS12

Fri, 16 Mar 2012 19:22:37 GMT

A few weeks ago, more than 35,000 healthcare IT professionals and 1,100 exhibitors converged on Las Vegas. Some were there to go shopping for “HIT” or health information technology; others were there to sell it. The IT professionals from across the healthcare spectrum were there to meet with each other and regulators, and stay abreast of the rapid technological changes in the healthcare industry. This was an overwhelming event; a flood of information. It’s been a couple of weeks. Here’s a few of the HIMSS12 highlights:

RSA 2012: Mobile, Cloud, and Intelligent Control

Fri, 02 Mar 2012 23:30:00 GMT

It was good to catch up with our customers and partners at RSA 2012 this week. Much of the buzz this year was around mobile devices and securing the cloud. We were glad to see innovative organizations introducing compliance-validated architectures based on these emerging technologies. One such organization was Hewlett-Packard, a Coalfire client and business partner.

The Budding Healthcare IT Spring

Thu, 23 Feb 2012 21:24:32 GMT

HIMSS12 is in full production in Las Vegas this week. Over 40,000 healthcare IT professionals and service providers have descended upon a conference that will set the direction for a new wave to technology innovations for the healthcare industry. Almost every booth has a sign that extolls the benefits of cloud-based services delivered through mobile devices. The promise to shake the industry to its core is a common theme.

Is your HIPAA Security and HITECH audit program in order?

Mon, 20 Feb 2012 20:25:20 GMT

Healthcare organizations have been working towards HIPAA and HITECH compliance for a few years now. “Surprise” HIPAA compliance audits conducted by the OCR have begun and at Coalfire we’ve come across some gaps that have led organizations to fall short of their compliance initiatives.

Password Management: How many do you need to remember?

Sat, 18 Feb 2012 00:05:34 GMT

In today’s online world, the proliferation of usernames and passwords has resulted in a cottage industry springing up to meet the need to keep track of them in a secure manner. Software and hardware providers have developed a number of unique approaches to deal with this problem, but they all achieve the end goal of being a single credential that grants access to all your passwords.

Data Privacy Day 2012 – BYOD

Mon, 30 Jan 2012 23:51:48 GMT

January marks Data Privacy Month and on January 28th we celebrated Data Privacy Day. In the past year, we have seen an increase in the consumerization of IT and “Bring Your Own Device” (BYOD) in the enterprise. In honor of Data Privacy Day 2012, we have partnered with The Center for Identity at The University of Texas to host a seminar on Wednesday, February 1.

Formalized IT Security Policy Now Required for Government Prime and Sub-contractors

Sat, 21 Jan 2012 00:13:29 GMT

This month the GSA announced an IT security mandate for government prime- and sub-contractors that requires them to have a formalized IT security plan that includes periodic audits. Many government sub-contractors, large and small, will benefit from a third-party compliance program review so they can meet the intent of the rule but more importantly, they can promote an IT risk audit as a benefit to their customer base in their business development efforts. There are a large number of sub-contractors, including IT service providers, that will need to comply with this new mandate.

Navis HITECH Complete Services Offer Protection for Medical Data

Thu, 19 Jan 2012 23:37:04 GMT

We are proud to introduce Navis HITECH Complete, our first Navis service for the healthcare industry. For years, Navis has been providing IT governance, risk and compliance (IT GRC) solutions to merchants that need to comply with the PCI DSS and banks and credit unions that measure compliance with the GLBA regulations.

Coalfire in the News

Tue, 17 Jan 2012 20:30:58 GMT

It’s been quite a season in the world of IT security as we move into 2012. As experts in our field, we are often asked to comment on current trends and recent stories. Take some time to check out what we have had to say recently:

Electronic Health Records and Meaningful Use: Protecting Electronic Health Information

Mon, 09 Jan 2012 23:33:42 GMT

Since 2009, healthcare providers and other companies providing services to the healthcare industry have been mobilizing to take advantage of government incentives to implement Electronic Health Records (or EHRs). These incentives were established by federal law as a part of the HITECH Act of 2009, and are now administered by the Centers of Medicare and Medicaid Services (CMS).

Cyber Security Fraud in the Banking Industry: Lessons Learned in OCC Examiner Training

Tue, 03 Jan 2012 20:59:00 GMT

In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions.

What is Your Risk Assessment Worth?

Thu, 08 Dec 2011 22:42:53 GMT

A risk assessment provides your organization with a tool to determine how, where and how much to invest in controls and security over technology. It also serves to document the risk acceptance policy of your organization as the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI, among others.

GivingFirst Launches online Charity Processing Service

Tue, 06 Dec 2011 18:20:02 GMT

In the spirit of the Holiday Season, Coalfire has made a significant contribution to GivingFirst.org in the form of free Penetration Testing services. GivingFirst is a Denver-based community foundation whose mission is “to improve quality of life by increasing community generosity and involvement.”

Exercise your Incident Response Plan

Mon, 07 Nov 2011 18:45:33 GMT

So you’ve finally completed your Incident Response Plan. You’ve named your team, defined roles, documented standard operating procedures, and establishing escalation processes. Heck, you’ve even got training material. So now what?

Cyber Security Awareness - Are you Doing All You Can to Stay Safe?

Thu, 27 Oct 2011 02:45:50 GMT

Every company has vulnerabilities and must learn to protect themselves from fast-moving cyber threats. Below are a few tips to keep in mind as you examine your network security:

Can we kick the attachment habit?

Tue, 11 Oct 2011 21:56:49 GMT

As consumers of messaging services, particularly email, we have become addicted to attachments. This habit has become an easy avenue for mounting cyber-attacks against an organization. In the 2010 Verizon Data Breach Investigations Report, conducted in cooperation with the United States Secret Service, 38 percent of breaches utilized some form of malware and 28 percent employed social tactics.

Get Real-time Evidence Management with Navis Lighthouse

Wed, 21 Sep 2011 22:38:18 GMT

Data breaches have been dominating the headlines for months, and we are pleased to see so many of our customers sign up for our Navis services. These customers are serious about IT Governance, Risk and Compliance and are seeking to protect their organizations with accurate and thorough self assessments against the PCI DSS, HIPAA, GLBA/FFIEC and FISMA standards.

Recent Surveys Reveal Trends and Spending Habits for Retailers in PCI Compliance

Tue, 06 Sep 2011 23:11:48 GMT

Recently, Gartner Research released two separate research reports on retailer PCI DSS compliance progress, trends and strategies. These reports are based on a survey of 77 merchants of varying sizes and covers a wide range of topics, including compliance status, spending and the incidence of assessed fines and penalties.

Phishing Season: Spam on the rise

Thu, 01 Sep 2011 23:11:37 GMT

Within the past two weeks there have been several reports on the increase in email spam, which can be directly correlated to an increase in phishing schemes and malware attacks. These attacks are frequently being delivered under the guise of legitimate business: they come in the form of shipment confirmations, credit card statements, and IRS alerts. They all request swift action to click a link or to read an attachment to address some pressing issue.

Coalfire Appoints Larry Jones to Board of Directors

Mon, 29 Aug 2011 23:25:00 GMT

We are proud to announce the election of Larry Jones to our board of directors. Larry is the former CEO of StarTek, Activant, Message Media and NeoData, and is a seasoned veteran in technology services. He also serves on the board of Comverge, Inc., a publicly traded provider of smart grid, demand management and energy efficiency solutions.

New Guidelines Address PCI DSS Tokenization

Fri, 19 Aug 2011 23:37:48 GMT

“Tokenization” is one of the best techniques to reduce the risk of credit card data loss. Basically, it is the process of substituting sensitive data with other values not considered sensitive. By doing this, tokenization technology essentially removes anything of value from the data stream, and, after all, what is not there cannot get stolen. This technique can be used with sensitive data of all kinds including financial transactions and medical records.

Cyber Defense Summit 2011

Tue, 16 Aug 2011 23:44:18 GMT

On September 14, we will be partnering with InfraGard’s New York City Alliance to host a one-day Cyber Defense Summit. This year we have seen a drastic increase in data breaches. As these hacks have become daily occurrences, enterprises must learn how to protect their data while simultaneously guarding their corporate reputation.

Viruses and Vendors Can Put Healthcare Data At Risk

Tue, 09 Aug 2011 23:48:55 GMT

A recent article in Healthcare Security Info highlights that computer viruses can cause security breaches, that can then in turn compromise health care data and potentially violate the HIPAA and HITECH Act regulations. Beth Israel Deaconess Medical Center in Boston had to notify more than 2,000 people that a computer virus sent data, including medical record numbers, names, etc. to an undisclosed location.

Where should CISO report?

Wed, 06 Jul 2011 23:53:21 GMT

A key question faced by many organizations in defining the role and responsibilities of the security organization, is where to align the most senior information security executive, (typically referred to as the Chief Information Security Officer or CISO). To answer this question it is important to clearly define the responsibilities of this position and place them in appropriate context.

Coalfire Systems Assessment: Merchant Link’s TransactionShield and TransactionVault Reduce Merchant’s PCI Scope

Thu, 23 Jun 2011 23:58:54 GMT

Merchants spend a lot of time and money developing IT controls programs to protect consumer credit card data. Through our work with thousands of retailers, we’ve learned that one of the best ways to contain costs and reduce risk is to keep cardholder data out of as many systems and business processes as possible. In our line of business, that’s called ‘reducing PCI scope’, since systems and processes that don’t store, process or transmit cardholder data are excluded from the controls required by the PCI DSS.

This Week: Coalfire Systems in the News

Thu, 16 Jun 2011 00:02:58 GMT

It’s been quite a week in the world of IT security, and as experts in our field, we are often asked to comment on current trends and recent stories. Take some time to check out what we had to say recently:

Coalfire Expands Dallas Office and Names Kurt Hagerman Managing Director

Wed, 15 Jun 2011 00:25:19 GMT

I am pleased to announce that our Dallas office is growing by leaps and bounds. Leading the charge is Kurt Hagerman, the newly appointed managing director. Kurt will serve more than 60 clients in the Southwest region and oversee Coalfire’s strategic vision while building new client relationships for the company. Also joining the Dallas office are Rick Link as an IT audit director, Adam Bush as a senior auditor and Justin Baker as a regional sales manager.

HIPAA Compliance and Call Centers

Thu, 09 Jun 2011 07:08:34 GMT

In a previous post titled Is It Safe to Speak? Protection for Telephone-Based Payment Card Data, I commented on the PCI SSC new requirements for call center operations and recording systems.

Call center security has been a hot topic for a long time. How safe is the information that is given over the phone? Especially in the healthcare industry, patient privacy is paramount.

They Changed What? HIPAA & HITECH

Tue, 24 May 2011 07:16:32 GMT

In 1996, the Healthcare Insurance Portability and Accountability Act (HIPAA) opened the door to increased exchanges of healthcare information in an effort to improve care and reduce costs. The Act included new provisions for protected health information (PHI). Since there are only a few limited reviews and enforcement efforts, the effectiveness of the implementations have remained open.

Meet John Rostern: Managing Director of the New York Office

Wed, 11 May 2011 07:38:15 GMT

We are pleased to announce that John Rostern has joined Coalfire Systems as managing director of the New York office.

Botnets: 2011 Rocky Mountain Information Security Conference

Mon, 09 May 2011 07:43:45 GMT

Botnets have become one of the most dangerous cyber threats affecting businesses today. Botnets criminals focus on the same things as most criminals: money and information. That is why these criminals are targeting payroll, human resources departments, C-level executives and senior strategists.

Trust the ‘Cloud’ (just make sure you have it examined first)

Tue, 26 Apr 2011 07:53:32 GMT

In the wake of Amazon’s Web Service disruption over the past few days we think it is important to look at the case a little closer.

Navis PCI Complete Arrives

Thu, 21 Apr 2011 17:59:07 GMT

Small companies often feel that to be compliant, they must spend a large sum of money on just testing and reporting compliance validation. Not true–that is why we have developed Navis PCI Complete. These new service bundles are specifically aimed at smaller and medium-sized businesses and are similar to other high-end services offered by Coalfire.

Mobile Application Security – The New Frontier

Mon, 18 Apr 2011 18:03:28 GMT

The power and popularity of consumer mobile computing is changing faster then you can say iFart (the #1 downloaded app worldwide). Commercial entities are rapidly adopting mobile-based applications for retail sales floors, restaurants and dining rooms, distributed mobile banking, and more.

Is it Safe to Speak? Protection for Telephone-Based Payment Card Data

Tue, 12 Apr 2011 18:06:16 GMT

Recently, the PCI Security Standards Council released educational resource requirements for securing cardholder data in audio recordings. The PCI SSC has been focusing on call center operations and recording systems of merchants. The need to provide a secure system to protect cardholder data is at an all-time high for these call centers.

Coalfire Systems Speaking at Shared Assessments Summit 2011

Fri, 25 Mar 2011 18:10:40 GMT

Do you know how to ensure reliability and resiliency in cloud and SaaS environments? Join leaders from within the IT outsourcing risk management industry at the Shared Assessments Summit 2011 in Boston on March 29 and 30.

Coalfire is participating in this summit because the value of managing risk for companies today cannot be underestimated.

Compliance and the Cloud

Mon, 14 Mar 2011 18:13:52 GMT

“The Cloud” is a hot topic right now. Yet most people can’t even define what “the cloud” really is. As I talk to more companies, who are considering the move, they all have two main concerns: security and compliance. Of course, security and compliance are key when it comes to cloud computing, but the questions you really need to be asking is not, “Will I be secure and compliant if I move to the cloud?” but rather, “What do I need to do to be secure and compliant when I move to the cloud?”

IT Compliance Matures into Risk Management

Mon, 07 Mar 2011 19:16:35 GMT

Over the past ten years rapid change and an evolving threat landscape has better prepared Coalfire to defend our clients against known risks. Not surprisingly, much of the progress is due to compliance-related investments. As we look towards the next ten years, we see a proactive risk management framework being set in place.

Full Steam Ahead! Coalfire Systems Secures $5 Million in Funding from Baird Venture Partners

Thu, 17 Feb 2011 19:21:03 GMT

People often ask me what defines a successful company. At Coalfire Systems, it’s having a clear roadmap of services that clients need and want, which in turn drives growth and expansion. I am pleased to announce that Coalfire Systems has received an investment of $5 million dollars from Baird Venture Partners.