Hopefully you’re not next

Recently in the news, our national security director explained that we are under constant attack from foreign adversaries. These attacks are at the nation-state level, and they target “virtually everything”. This isn’t limited to critical power generation companies and government institutions; they mean everything, including your website, email, and personal workstation. To make matters worse, many attacks still originate from other bad actors, such as credit card and personal information thieves.

Many people think they are not targets because they have nothing of value. The contrary is true. At a minimum, your computer and internet connection can be leveraged to attack other systems, to cause an outage, or to hide the tracks of a real attacker. In the worst case, an installed keylogger captures the credentials for your banking and retirement accounts.

We’ve seen this firsthand. Raxis performs hundreds of penetration tests and breach responses a year, and 2017 proved to be no exception. On many occasions we have breached a customer network only to find the door left open and clear evidence that someone had already been there. After a system has been breached, there are only two viable options: restore from a known good backup, or completely reinstall all software. Recovering from a breach is very difficult, as in many cases the attacker controls many or all of the systems within an organization, and rebuilding becomes a massive undertaking.

Do something to make sure you’re not next. Reach out to us, and we’ll help you understand how a penetration test can shed light on where the risks really are.

Penetration Testing is a Critical Tool For Your Business

Penetration Testing - Why You Should Embrace It

Penetration testing is critically important for businesses today. Almost every day we see companies in the news in the wake of a big hack. The aftermath is ugly: lawsuits, loss of trust, downtime and, in many cases, the hacked entity finds itself out of business.

In a recent interview with an IT management firm, I was told that many of their customers (mostly SMB) didn’t want a penetration test because they knew they would fail. I see this same reaction in larger companies as well.

This fear of failure is the wrong way to look at penetration testing. At Raxis, we say it all the time, “You can’t fix what you don’t know is broken.” Penetration testing should not be looked at as something that points out your failure; rather it should be embraced as something that helps you get better.

Vulnerabilities are common

We see many of the same vulnerabilities across the nation. Many of them are simple to remediate. Most of them have escaped the attention of the IT team for any number of reasons, but most of all because the IT team is simply busy. Most teams are overworked and understaffed, and the workload is high. As a security professional you have to get it right 100% of the time; the hacker only has to get it right once.

The fear of failing is misplaced. Almost every penetration test will show vulnerabilities or, at the very least, likely attack vectors that could be exploited given more time. Finding vulnerabilities should not be seen as a failure but rather as a responsible approach to better security.

Penetration testing should be about partnership

A penetration test is a valuable tool to help a security team more efficiently locate vulnerabilities, and, if you’ve partnered with a good company, it will offer remediation recommendations helping you efficiently fix the vulnerabilities.

A good penetration testing company offers insight and help, not a judgment.

I like to call our penetration tests an assessment. That’s truly a better word. We don’t test our customers as much as we partner with them. Raxis is the watchful eye that helps your company stay out of the news. We help you safeguard your data, and we help you maintain trust with your customers.

Penetration testing should be a holistic approach

When a hacker looks at your company, they are taking a holistic approach, and they are going to go for the easiest method with the least amount of risk that they can find. Common attack vectors include:

  • Social Engineering
  • WiFi Systems
  • Internal and External Networks
  • Mobile Applications
  • Web Applications
  • APIs

Each of these areas allows escalation to others. While often viewed as independent systems, the reality is that a weakness in one often leads to a breach in another.

Security is hard. This is why it’s so important to partner with a reputable penetration testing company that you can trust. I urge you to not look at penetration testing as the enemy but rather the relief you and your team so desperately need.

Learn more about how our penetration tests work.

Your security gear is not enough.

Perhaps I am a little biased considering what we do at Raxis, but I am convinced that it isn’t a good idea to bet the farm on the latest security gear to defend your organization. In 2017 alone we’ve seen many major hacks, including substantial releases from the Shadow Brokers and WikiLeaks. A lot has already been lost, such as voter registration data and consumer credit information.

Security hardware and software is not a silver bullet.

Don’t get me wrong, I think the latest fancy security solution can help. However, our team at Raxis is seeing many attacks that current gear does not stop. For example, we’ve breached applications by manually fuzzing API calls using a method that most hardware can’t protect against. The latest web application firewall might be able to stop these attacks, but most organizations don’t configure it appropriately to do so. In some cases, it’s a logic error that we’re able to exploit to gain information from the backend systems without making any illegal calls. Even worse, we’ve seen, time and time again, security operations centers send an email out with no further action taken.

Our experience has also shown that nearly every organization has a far weaker security posture internally. Once the perimeter is breached, whether by using a stolen password or by gaining shell access through a web service call, pivoting to other machines is often trivial. None of this is hard to exploit, but fortunately none of it is hard to fix. The problem is not the difficulty of the fix; it is knowing what needs to be fixed. In almost every case, the hacks we find are very simple to execute, and our customer had no idea they existed.

The fix for these hacks usually is not spending $100K on a fancy new next-generation firewall with all of the bells and whistles. It’s a simple code change or a system that was missed in patch management. Perhaps this sounds too good to be true, but keep in mind that hackers go after the path of least resistance. It is far easier to breach your competitor’s Windows 2003 server than to spend significant time researching how to get past your reasonably secure system.

So keep buying your security gear.  Combine it with a penetration test on every single piece of code that runs in production, and we’ll help you find the vulnerabilities you missed.


Fangs, coffins, crucifixes… and pointe shoes!

Raxis is a proud sponsor of the Georgia Metropolitan Dance Theater.  Don’t miss their performance of Dracula at The Earl Smith Strand Theater!  Raxis is proud to have an ad on the back cover of the Dracula program and we hope to see you there.

Raxis is a proud sponsor of Dracula and the Georgia Metropolitan Dance Theater.


Fangs, coffins, crucifixes… and pointe shoes? Ga Metro Dance Theatre boldly presents Dracula, the Halloween ballet with a bite! Let us transport you to the land of Transylvania where dance and myth mix together in this legendary tale of Count Dracula and his three brides, the misfortunes of Jonathan Harker and fiancée Mina Murray, and the ultimate struggle between good and evil. Vampires, gypsies, castles, masquerades, superstition, and eternal love collide in this chilling new ballet based on the classic novel by Bram Stoker, set to the hauntingly beautiful score of Philip Feeney. Dracula premieres at the Earl Smith Strand Theatre on Friday, October 13th! Grab your seats and hold tight for three haunting performances October 13th-15th at the Earl Smith Strand Theatre on the Marietta Square.

Tickets on sale September 13, 2017

Friday, October 13, 2017 @ 7:30pm (Join us for a post show meet and greet with some of the cast members in the Lumière Lounge at the Strand… come enjoy a handcrafted cocktail with Dracula, if you dare!)
Saturday, October 14, 2017 @7:30pm
Sunday, October 15, 2017 @ 3:00pm (Kids 18 and under – come dressed in your Halloween costume and get ready to strut your stuff across the stage in a Halloween costume contest for a chance to win a picture with Dracula and his brides after the show!)

Performances at The Earl Smith Strand Theatre on the Marietta Square, 117 North Park Square, Marietta, GA 30060.

InfoSec Shorts With Brad – Why Social Engineering is Important for Your Business

In this episode of “InfoSec Shorts with Brad” we’re diving into social engineering. Hands down, one of the largest vulnerabilities your business faces comes from employees. Well-meaning people, trying to be helpful or simply lacking an understanding of security procedures, are manipulated and exploited by hackers every day.

We commonly test company employees through various methods and find a 90% success rate in obtaining sensitive information as a result. This information is typically then used to further exploit the company and obtain control over the network, websites, and critical information.

At Raxis, we like to say, “You can’t fix what you don’t know is broken”. That’s why it’s so important to continually assess your people. With each assessment, you’ll learn more about where your people are and how to better train them in your continual effort to improve in warding off social engineering attacks.

Learn more about social engineering.

Petya Ransomware Strikes Businesses Globally


Petya, the first major malware outbreak since WannaCry, is specifically targeting companies across the globe. Originating in Ukraine, the Petya ransomware uses the same EternalBlue/MS17-010 vulnerability that WannaCry used. The difference this time is that there is no kill switch that we know of. It’s gaining significant traction, infecting systems everywhere. In the US, it has hit a major pharmaceuticals company and a food services company. Petya has also hit Danish, French, and Russian companies.

Similar to WannaCry, the malware encrypts systems and demands a ransom to regain access to the data. Our research has not found a way to bypass this ransom at this time. Fortunately, it seems that working decryption keys are being provided once the ransom is paid.

It’s not just ransomware

Unfortunately, there’s much more to this variant. Once the ransomware gains a foothold, it uses worm capabilities to breach other systems through a variety of exploitation methods. It appears to be focused on critical infrastructure across the world, but it is not limiting the devices it infects by any means. Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.

For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit that was previously undisclosed. The Shadow Brokers hacker group obtained the source of the NSA tool and leaked it on April 14, 2017.

Stop PETYA with a penetration test

When it comes to ransomware, we haven’t found a good way to reactively deal with the damage. Even once the ransom is paid, it is very likely that the attackers will return in the future, particularly if they know they’ve received payment in the past. The only real way to defend against Petya is to eliminate the vulnerability from the beginning, and a penetration test from a trusted third party might be the only real way to know you’re protected.

Petya (and WannaCry) use the EternalBlue vulnerability in SMB, fixed by MS17-010. Systems are still falling victim even when the organization has a patch management program. A misconfigured vulnerability scanner, or systems unknown to the patch management tool, leave a few systems vulnerable and outside the view of the security administrators. A penetration test can find these gaps in process before malware exploits those systems. In addition, the penetration test will attempt to exploit any issues found as a proof of concept, providing you and your security organization proof that a potentially significant security event was avoided.
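As an added example (not code from the original post or from Raxis), the following Python script reconciles a constructed vulnerability-scan export against a constructed patch-management export to surface the two gaps just described: hosts exposing SMB (445/tcp) that the patch tool does not know about, and managed hosts still missing MS17-010. The CSV layouts, field names and sample addresses are assumptions made for this example.

```python
"""Reconcile scanner-discovered SMB hosts against a patch-management inventory.

Both inputs below are constructed for this example; real exports will differ
in layout, so adjust the column names in parse_scan()/parse_patch_inventory().
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed scanner output: one row per discovered host/port.
# 'smb1' is filled in only for SMB services (yes/no); other rows leave it blank.
SCAN_CSV = """ip,port,proto,service,smb1
10.1.0.5,445,tcp,microsoft-ds,yes
10.1.0.5,3389,tcp,ms-wbt-server,
10.1.0.17,445,tcp,microsoft-ds,no
10.1.0.23,445,tcp,microsoft-ds,yes
10.1.0.40,80,tcp,http,
10.1.0.99,445,tcp,microsoft-ds,yes
"""

# Constructed patch-management export: only hosts the tool manages appear here.
PATCH_CSV = """hostname,ip,ms17_010_applied
fs01,10.1.0.5,true
dc01,10.1.0.17,true
app03,10.1.0.23,false
web01,10.1.0.40,true
"""


@dataclass
class Gap:
    ip: str
    reason: str
    smb1: bool  # SMBv1 still enabled on the exposed host


def parse_scan(text):
    """Return {ip: smb1_enabled} for every host with 445/tcp open."""
    exposed = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["port"].strip() == "445" and row["proto"].strip() == "tcp":
            # ip_address() both validates and normalises the address string
            ip = str(ipaddress.ip_address(row["ip"].strip()))
            exposed[ip] = row["smb1"].strip().lower() == "yes"
    return exposed


def parse_patch_inventory(text):
    """Return {ip: ms17_010_applied} for hosts the patch tool manages."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip"].strip()))
        inventory[ip] = row["ms17_010_applied"].strip().lower() == "true"
    return inventory


def find_gaps(scan_text, patch_text):
    """Cross-reference the two exports and return the SMB-exposed hosts that
    are either outside patch management or managed but unpatched."""
    exposed = parse_scan(scan_text)
    inventory = parse_patch_inventory(patch_text)
    gaps = []
    for ip in sorted(exposed, key=ipaddress.ip_address):
        if ip not in inventory:
            gaps.append(Gap(ip, "unknown to patch management", exposed[ip]))
        elif not inventory[ip]:
            gaps.append(Gap(ip, "managed but MS17-010 not applied", exposed[ip]))
    return gaps


def gap_report(gaps):
    """Render one human-readable line per gap."""
    lines = []
    for g in gaps:
        flag = " (SMBv1 enabled)" if g.smb1 else ""
        lines.append(f"{g.ip}: {g.reason}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(find_gaps(SCAN_CSV, PATCH_CSV))))
```

Hosts that appear only in the scanner output are exactly the ones a patch-management dashboard will never report on, which is why the reconciliation has to start from the scan rather than from the inventory.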

Schedule a penetration test with Raxis before the next malware variant hits.

An actual screen generated from the Petya malware

Physical Security Pitfalls: What our physical assessments show us


A Strong Front Door

An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security, all of the network controls are more easily circumvented. On average, our internal network penetration tests yield an 85% success rate. Once an attacker physically gains access to network connectivity, the chances of a data breach become exponentially higher. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.

Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempts to gain unauthorized access, ranging from highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.

We average an 85% success rate on internal network penetration tests

We commonly find that companies implement technology and processes that, on the surface, lend the impression of safety. Often, however, these controls are ineffective against a capable adversary, thus the net result is that the attack surface gains complexity without benefit, making the organization more vulnerable to targeted attacks.

While some companies go to such lengths as employing security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. While they are excellent visual deterrents, security guards are only one component of a robust security strategy for physically safeguarding your critical data.

Likewise, hi-tech security measures such as proximity cards and cameras often help an organization feel more secure, but the reality is that these technologies add complexity and require additional resource overhead to maintain their effectiveness. Highly technical physical controls often can be hacked and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.

Here is a sampling of the attack vectors we have employed in the past to circumvent physical security controls and gain unauthorized access to a facility:


Poorly Trained Employees / Employees with a Casual Approach to Security:

At the end of the day, a company’s best defense is a well-trained and vigilant employee. The popular phrase, “if you see something, say something”, is incredibly important. Employees know better than anyone else what is out of the ordinary, be it a suspicious package or a person. Employees need to be trained in secure practices and given the authority to challenge or report anything or anyone that seems out of place.

Often employees are lulled into a false sense of security through observational confirmation bias. They believe that if someone has made it past the guard and is on the floor, they must have permission to be there. This is reinforced by social behavior tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenet of awareness training is to re-train employees to practice heightened vigilance in the workplace. Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as being outside of the normal and challenged us to confirm the legitimacy of our presence, our attempts at compromise would have been thwarted. The reality is that most individuals do not feel comfortable confronting someone in an office setting. This is a behavioral tendency that social engineering attacks exploit to lend legitimacy to a given pretext.

The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.


Proximity Badges

Many companies fall prey to the false sense of security that arises when using RFID proximity card access control systems. In practice, many of these systems can be easily hacked electronically without the employee’s knowledge.

For less than $600 and the ability to do a Google search, one can obtain step-by-step instructions for making a weaponized badge reader that can acquire an employee’s RFID badge data from a distance for later cloning.

In many cases, an old fashioned tumbler lock and key would offer greater peace of mind.


Lack of Photo Badging

To make matters worse, many companies that leverage badge access systems do not utilize personalized badges with employee photos. This may be due to a myriad of reasons, from budgeting to a lack of headcount to manage such a program, to the level of effort to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it. Indeed, a surprising number of companies feel satisfied simply using a white proximity badge without any type of accompanying credentials.

Proximity badges, if possible, should be paired with a photograph credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should have to sign in and, in many cases, be escorted while on premises.

Even the most robust badging system is completely ineffectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID, the form factor of the office should require that each person pass through a checkpoint (even if it’s a receptionist) to show their ID and perform the badge swipe.


Unmonitored Cameras

The use of video surveillance systems is another means by which a false sense of security can manifest. In many cases, the cameras are either not functioning or are feeding directly to a DVR to provide investigative collateral after a security event has occurred. The reactive use of surveillance systems negates the benefits of the added visibility they provide. The challenge is that most of the places we breach don’t even know we were there. We walk in, do our thing and exit. The company does not know to investigate because an incident response was never triggered; they were not leveraging their surveillance technology proactively.

In many cases, if the company had security personnel charged with monitoring the cameras, a security breach could be stopped before it happened, rather than investigated after the fact when the damage has already been done.

While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.


What You Can Do

The importance of awareness training cannot be overstated. Understanding the role that company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program. The goal is not to make your employees paranoid or uncomfortable, but to help them develop a sense of situational awareness in the workplace. Empower them to report anything that is out of the ordinary and to know that it’s part of their job to do so. A formal security reporting process that is well understood will assist with streamlining response efforts.

Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.

Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.

We hope you’ve found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. This video demonstrates some of the techniques employed by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information, all without the company being aware.

Vulnerability Scan Vs Penetration Test: What’s The Difference


Many people seem confused when it comes to understanding the difference between a vulnerability scan and a penetration test. This article will examine the differences between the two and help guide you with decision points in making the right choice for your needs.

Vulnerability Scan

A vulnerability scan is conducted using an automated tool that is purpose built to identify potential security gaps on a remote system. This ‘vulnerability scanner’ sends targeted traffic to ports and services on systems and analyzes the responses in an attempt to identify the presence of a vulnerability. At the completion of the scan, a report is generated. The engineer that initiated the scan designates what type of report to generate depending on the specific requirements with regards to verbosity, margin of error, intended purpose, or other business drivers. Some reports are hundreds of pages detailing each individual “finding” while others are as simple as a two page summary.

Because a vulnerability scanner has limited means with which to validate the presence of a vulnerability, the accuracy of the output may be suspect. Depending upon the scanner configuration and the target system, a report may contain a myriad of false positives or fail to identify legitimate vulnerabilities. The end result is that a security engineer has a laundry list of possible flags to chase down, attempting to verify the validity of the issues as well as develop a solution.

Penetration Test

A penetration test is a real-world exercise in infiltrating your network systems. To that end, a security engineer will utilize many tools (including, in some cases, a vulnerability scan). Whereas vulnerability scanning is a largely automated process, penetration testing involves manual and targeted testing using specific toolsets and custom scripts. Using a combination of techniques and technical knowledge, the penetration tester focuses their efforts on areas of exposure that likely constitute a legitimate risk to an organization’s security.

Having identified likely insertion points, the penetration tester will actively attack gaps in the network’s security posture. The execution of a practical attack using the same methodologies that an actual attacker would employ is the most effective way by which to ascertain the real world exposure of a given system or network.

As the engineer begins to infiltrate the system he or she will take detailed notes and screen shots documenting the process. The goal is to articulate to the customer the nature of the exposure, and how its presence helped to facilitate a compromise.

A seasoned penetration tester will provide a detailed report outlining the various vulnerabilities as well as the severity of each finding within the context of the business, something that a vulnerability scanner cannot provide. The result is an actionable report that provides validation of exposures and targeted guidance on remediation measures.

Which is Best

A true penetration test by a qualified engineer is most often the best overall value for a business. Not only does the stakeholder gain an understanding of the workflow of a real-world attack, they also get specific guidance from the perspective of an attacker on what measures would be most effective in thwarting validated attacks. This is articulated in the context of the business drivers of the organization. The end result is that the security organization can focus their efforts where they are most effective and prioritize remediation tasks based on real-world data.

A penetration test is more expensive because of the thoroughness of the assessment and the greater value of the outputs. A vulnerability scan is a good starting point and may achieve the bare minimum of satisfying compliance mandates. An organization that understands the difference between compliance and security, however, will endeavor to move beyond automated outputs and seek to understand the practical nature of their security posture.

Are All Penetration Tests The Same?

The short answer is no. When you are shopping for a penetration test there are several things you should consider:

  1. Get a sample report – some companies are much more informative in their documentation and a sample report will reflect what you should expect to receive.
  2. History – ask about the team and their experience working with organizations of a similar caliber.
  3. Diversification – find out the background of the team members; the technical expertise brought to bear during the test should be appropriate to the technologies that your organization utilizes.
  4. Duration of test – based on your specific situation ask how long the assessment should take to perform. This may be governed in part by the scope of assessment or other logistical factors.
  5. Their level of specialization – do they only offer penetration testing, or do they also provide other products and services?

Each of these questions will give you insight into the quality of assessment you’ll receive. Especially in security, the relationship between cost and value is subject to variation. Determine if the team is going to spend adequate time on your assessment and if their security engineers have the expertise for your specific situation. Compare reports and ensure the report will support your ability to properly remediate the findings. And finally, don’t be afraid to ask to speak to a security engineer and dive deep in questioning their methodologies and experience with the type of testing you need. A competent penetration testing provider will not shy away from such discussions and will welcome the opportunity to add value to your security program.

Rising Above The Minimum Cyber Security

Cyber Security Minimums Aren't Enough

Cyber attacks on the rise

With the end of each year there are blog posts and articles suggesting the next year will be worse than the previous when it comes to cyber security. Whether those predictions are true or not, one thing is sure – IT Security is a top concern for most network administrators – and it’s a concern that’s only likely to get bigger.

2016 saw a rise in ransomware and other malware attacks (FBI This Week – March 2016). We also saw insinuations of foreign governments leveraging their way into critical data (the DNC and FDIC were two stories of 2016 in which international hacking was the suspected culprit).

Companies large and small alike were crippled by cyber attack.

What’s at risk

A successful cyber attack can not only damage a company but also impact business continuity to such a point that the business cannot recover. There are ancillary impacts to be considered aside from the critical loss or compromise of data: downtime, recovery cost, reputation damage, fees for providing identity theft protection for customers, and possible litigation are just a handful of the hurdles an attacked company can face.

PCI & HIPAA regulations

Many companies and organizations look to guidelines such as PCI and HIPAA as a security framework, but the reality is that these guidelines are best considered a baseline and the MINIMUM a company should be doing. The proactive company looks for strategies to safeguard its networks, apps, and APIs with as much fortitude as possible.

Operationally, this translates to running in-house scans, delivering constant awareness training, and consistently leveraging the value of penetration tests. The responsible company is also hiring outside experts to attempt network, physical and social penetrations in addition to the in-house testing. The goal should be to ascertain exposures and remediate them to drive the improvement of the organization’s security posture.

The cyber security risks are real

Even with the best of intentions, shortfalls occur. Systems don’t always get patched and are often prone to insecure configurations. With the rise of social engineering as an attack vector, employees are often the weakest link (unintentionally, of course).

Threats are limited only by an attacker’s creativity, and it is impossible to predict all threat vectors. A realistic attack by a skilled adversary is the best way to understand the mindset of the attacker and gain an understanding of how your systems may be vulnerable to compromise. Nothing beats an outside set of eyes testing your defenses.

Cyber attacks are on the rise, and companies have never had more to lose. With so much on the line, now is not the time to be looking at average security measures. What steps will you take in 2017 to improve your security posture?

Public USB Charging Ports & Their Potential Security Risks

Public USB Charging ports – Are they safe?

How many times have we found ourselves with a nearly depleted mobile device and no charger cable? Despite the array of adapters and cables that are available, on occasion we are found without our charge cable and a nearly dead phone or tablet battery. Increasingly, public locations are providing native USB convenience charging stations for the modern day smart device. It’s a common oversight to plug our devices into these public charging outlets without considering the risks in doing so.

What have you done?

Honestly, odds are, you’re simply charging your phone as expected. But the truth is you just don’t know. This is due to the nature of the USB interface and the fact that it has the capability to transmit both power and data.

Charging ports that seem innocent enough can be a hotbed of disaster waiting to happen. By exploiting the USB data connection to your device, malware can be transferred onto your device, revealing critical information to a malicious actor. You would likely never even know.

That charging device might not have even been placed by the establishment that you assume has placed it. A bad actor could simply drop the device in a public area waiting for the unassuming person to walk by and plug in their device.

The reality is that most charging ports are legitimate and pose no real threat, but you also never know for sure.

Here are some suggestions to keep yourself safe while using a public charging station:

  • Do not plug your device’s USB cable into an untrusted USB port, such as those commonly found on public charging stations.
  • Always carry your own charging cable and wall adapter with you.
  • If you use a public station, practice situational awareness and assess the threat level of interfacing with the charging station.
  • When you plug your device in, never agree to trust the source or allow it any type of control on your phone. These functions vary by device type and model.

The Threat of Malware

The installation of malware is a key way to gain unauthorized privileges on a device, whether through a charging port, a free or found USB drive, a link in an email, or a malicious website. Cyber criminals are getting increasingly savvy in their attack vectors, which means you must be more diligent than ever to protect yourself from this emerging threat.