-
What to Expect in the initial FedRAMP briefing with your Agency Sponsor and the PMO
Nick Peters, Senior Manager, FedRAMP Assurance Services, Coalfire
Most people who have spent any time researching the FedRAMP authorization process know there are two routes for a Cloud Service Provider (CSP) to become FedRAMP authorized: Agency and Joint Authorization Board (JAB). Because of the limited number of CSPs selected each quarter for the JAB authorization process (FedRAMP Connect), many CSPs follow the agency authorization path. In fact, 77% of authorized CSPs have an Agency Authorization to Operate (ATO).
-
FedRAMP – 8 years in and 100 assessments achieved
Michael Carter, Vice President, Cyber Assurance – FedRAMP
Back in 2011, if you had asked me what cloud computing was, I would have looked at you with a blank look on my face. At the time, I was supporting a Federal client when my boss asked me to assist in applying to become a 3PAO. I had no clue what 3PAO even stood for (it stands for Third-Party Assessment Organization), but I volunteered to support the cause.
-
Cybersecurity Risk Management – From HIPAA to HITRUST
Rich Curtiss, Director, Healthcare Cyber Risk Services, Coalfire
Cybersecurity risk management for healthcare organizations continues to be a perplexing issue. While it is explicit in the security management standard of the HIPAA Security Rule that a Covered Entity and their Business Associates must conduct an “accurate and thorough” risk analysis teamed with a plan to “implement security measures to reduce risks,” it is not immediately clear how this is to be accomplished.
-
Cloud Transformation and the Shared Security Model
Sean Cyriaque, Senior Consultant, Cyber Risk Advisory, Coalfire
For many organizations, the lure of the cloud is very strong. Large enterprises usually have several justifications for adopting cloud-based services including preserving capital, adding scalability to applications, and minimizing IT staffing needs. Small- to medium-sized organizations often look at the cloud as an avenue to achieve all those same goals without the need for improved security skills from their existing IT staff. But as the number and sophistication of attacks in the cloud grow exponentially, there is increasing confusion regarding who is responsible for the security and compliance of applications and data in the cloud.
-
The Basics of Exploit Development 3: Egg Hunters
Andy Bowden, Consultant, Coalfire Labs
Hello dear reader. If you have read the other articles in this series, welcome back! If not, I encourage you to read the previous installments before proceeding with this post. This post covers a surprisingly useful technique in exploit development called Egg Hunters. In order to demonstrate how Egg Hunters function, we will write an exploit for a 32-bit Windows application vulnerable to a SEH overflow. However, due to how the application handles input, we will be required to use an Egg Hunter to locate our payload in memory and move execution to it.