Third Party Risk Management and the Cloud
Michael Reiter, Director, Cyber Risk Advisory, Coalfire
Security awareness and preparation are getting more widespread. Corporate boards and C-suite executives are taking Third-Party Risk Management (TPRM) more seriously as they see what has happened to other enterprises in the not-so-distant past. I am speaking primarily of the top-level enterprises, but even smaller companies and less tech-oriented companies often have a hard time securing their infrastructure. If you are a widget supplier with a hundred employees, it’s hard—maybe impossible—to dedicate a full-time resource to things like patching, firewalls, identity and access management, and intrusion detection and incident response. The money just isn’t there.
Quality is Job One When it Comes to the HITRUST CSF Assurance Program
Zach Shales, Principal, Healthcare Certification, Coalfire
The HITRUST CSF® remains an essential security and privacy controls framework that addresses the multitude of security, privacy, and regulatory challenges facing both public and private sector organizations. As framework adoption increases across all industries, maintaining integrity is crucial, and continuous improvement should always be top of mind with any endeavor. This was HITRUST’s clear intent when they announced the formation of an Assessor Council back in 2016 and a Quality Subcommittee in 2017. Read more
The Significance of the NIST Privacy Framework
Mali Yared, Practice Director, Cyber Risk Advisory & Privacy, Coalfire
Kudos to the NIST Privacy Team! Privacy Framework v.1.0 has finally been released. I’ve been tracking the growth of this initiative since the focus group was kicked off in September 2018 and respect its thoroughly explored yet fundamentally grass roots approach. A few points worth bringing to your attention:
Attention Payment Application Developers: Begin Your Transition from the PA-DSS to the PCI SSF Today
Nick Trenc, Director, Payments – Solution Validation, Coalfire
The Payment Card Industry (PCI) Council plans to formally retire the Payment Application Data Security Standard (PA-DSS) in October 2022 and replace it with the PCI Software Security Framework (SSF). For vendors, the new framework expands program eligibility with improved support for evolving architectures / deployment models, streamlines the assessment process, and simplifies listing management. It also provides greater flexibility for meeting security requirements and modernizes the notion of application security for payment applications and the companies that develop them.
The Basics of Exploit Development 1: Win32 Buffer Overflows
Andy Bowden, Consultant, Coalfire Labs
In this article we will cover the creation of an exploit for a 32-bit Windows application vulnerable to a buffer overflow using X64dbg and the associated ERC plugin. As this is the first article in this series, we will be looking at an exploit where we have a complete EIP overwrite and ESP points directly into our buffer. A basic knowledge of assembly and the Windows operating system will be useful, however, it is not a requirement.