Hopefully you enjoyed Adam Fernandez’s recent Cool Tools post, Nmap For Penetration Tests. In this next post in the series, I’d like to introduce another great penetration testing tool: Nuclei.
Nuclei is an outstanding enumeration tool that performs a myriad of checks against the systems and services it discovers. It does particularly well against web applications. It also tests for known vulnerabilities, can pull versioning information from systems, and can try default credentials.
Installing Nuclei
You can use apt to easily install it on Kali Linux:
apt install nuclei
Templates
Nuclei uses saved templates to perform tests against systems. This lets users create new templates as new discoveries are made. You can also generate custom templates for tasks you often use or things you discover yourself.
There are a lot of different options when using the tool, but generally, when I’m using it for external network and web application tests, I just pass a target or a list of targets to the program.
To get a full list of options, all you need to do is run this command:
nuclei --help
To scan a single device, simply use:
nuclei -u {Target}
Here is an example from a recent penetration test. There was only one target, so I simply passed that target to Nuclei:
You can see that Nuclei examined the responses from the web server and found that security-related headers were missing.
Here is an example using Nuclei against a list of targets. I put the targets for the engagement into a file called targets and ran the following command:
nuclei -list {File}
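The missing-headers finding shown above is one of the simplest checks Nuclei runs: it looks at the response headers a web server returns and reports which security headers are absent. As an added example (not code from this post or from the Nuclei project), here is a small Python checker that performs the same kind of review offline over a constructed HTTP response, so you can see what such a template is actually testing and confirm a fix before rescanning. The header list, the one-year HSTS threshold and the severity labels are assumptions made for this example, not values taken from any Nuclei template.

```python
"""Report missing or weak HTTP security headers.

Added example, not code from the Raxis post or the Nuclei project. It performs
locally the same kind of check behind Nuclei's missing-security-headers finding.
The header list, the one-year HSTS threshold and the severity labels are
assumptions made for this example.
"""
import re

# Header name -> the risk its absence leaves open (descriptions are our own wording).
SECURITY_HEADERS = {
    "strict-transport-security": "browsers may still connect over plain HTTP",
    "content-security-policy": "no restriction on script and resource origins, so XSS has wider impact",
    "x-frame-options": "page can be framed by other origins (clickjacking)",
    "x-content-type-options": "browsers may MIME-sniff responses into scripts",
    "referrer-policy": "full URLs may leak to third parties via the Referer header",
    "permissions-policy": "browser features such as camera or geolocation are not restricted",
}

# Assumed threshold: an HSTS max-age shorter than one year is treated as weak.
HSTS_MIN_MAX_AGE = 31536000


def parse_headers(raw_response: str) -> dict:
    """Split a raw HTTP response (status line, headers, blank line, body) into a
    lower-cased header-name -> list-of-values map. Repeated headers are kept."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line, ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def missing_security_headers(raw_response: str) -> list:
    """Return the expected security headers that are absent, sorted by name."""
    present = parse_headers(raw_response)
    return sorted(name for name in SECURITY_HEADERS if name not in present)


def hsts_weakness(headers: dict):
    """Return a reason string if HSTS is present but weak, otherwise None."""
    values = headers.get("strict-transport-security")
    if not values:
        return None  # absence is reported by missing_security_headers()
    for directive in values[0].split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1])
            except ValueError:
                return "max-age is not an integer"
            if max_age < HSTS_MIN_MAX_AGE:
                return f"max-age={max_age} is shorter than one year"
            return None
    return "no max-age directive"


def findings(raw_response: str) -> list:
    """Produce scanner-style findings: one per missing header, plus a weak-HSTS entry."""
    out = [
        {"name": name, "severity": "info", "detail": SECURITY_HEADERS[name]}
        for name in missing_security_headers(raw_response)
    ]
    weak = hsts_weakness(parse_headers(raw_response))
    if weak:
        out.append({"name": "strict-transport-security", "severity": "low", "detail": weak})
    return out


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), geolocation=()\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label}: {len(findings(resp))} finding(s)")
        for f in findings(resp):
            print(f"[{f['severity']}] {f['name']}: {f['detail']}")
```

To run it against a real response you control, paste the raw status line and headers (for example the output of curl -i against your own server) into the string passed to findings(). The sample response above produces four missing-header findings plus a weak-HSTS finding, and the hardened response produces none.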
Real-World Nuclei Discoveries
Here are some examples of useful things Nuclei has found for me during various penetration tests.
Here Nuclei found a Solr panel, revealed the version running, and presented it in a human-readable format that was easy for me to use as a pentester:
Here Nuclei did some testing against a host on an internal network and successfully performed a Log4j exploit. It then reported the success with a critical flag, since this could lead to remote code execution (RCE):
I’ve also found Nuclei’s ability to try default passwords to come in handy when testing.
As an example, I run a self-hosted GitLab instance and changed the root account’s password to one of the defaults that Nuclei tries. You can see how Nuclei successfully logged into GitLab and notified me:
Thanks for Reading
There’s a lot more to Nuclei, but this is a good start. Thanks for taking a look at this post, and I hope you’ll be back for future Cool Tools posts in the series.
We’re proud to announce that Raxis is recognized as a Sample Vendor for Penetration Testing as a Service technology in the recent Gartner® Hype Cycle™ for Security Operations, 2024 and Hype Cycle™ for Application Security, 2024 reports.
According to the Hype Cycle for Security Operations report, “PTaaS complements vulnerability scanning and application security testing, and provides cost optimization and quality improvement of pentesting output and validation of vulnerability status. PTaaS enables organizations to elevate their security posture through continual assessment, and can integrate validation earlier in the software development life cycle compared with traditional pentesting phases by giving access to real-time findings delivered through the platform, therefore enabling faster treatment of exposure.”
The Hype Cycle for Application Security report states, “Pentesting is foundational in a security program and mandated by various compliance standards (e.g., payment card industry [PCI]). PTaaS delivers continuous security testing via a platform that enables faster scheduling and execution of pentests, and real-time communications with testers and visibility of test results. It provides API access to enable integration with existing DevOps and ticketing solutions for workflow automation. It also provides the ability to document and track pentesting results to demonstrate progress over time to leadership/auditors.”
“We’re thrilled to receive these recognitions as a Sample Vendor for the second year in a row. With Raxis PTaaS, business stakeholders not only get visibility into actual security risks over time but also have the opportunity to collaborate directly with our penetration testing experts.”
Mark Puckett, CEO and Founder of Raxis
The Raxis Penetration Testing as a Service (PTaaS) solution allows customers to choose options based on their needs and budget. Raxis Attack, the premier PTaaS offering, combines continuous vulnerability scanning with unlimited penetration testing by senior engineers. Moreover, Raxis prioritizes real-time collaboration with customer teams, ensuring that penetration test findings are promptly discussed and actionable insights provided. The Raxis Protect offering removes manual testing; however, it provides continuous scanning, real-time alerting of new findings, and access to a senior penetration testing expert for remediation discussions. Regardless of the solution selected, Raxis One displays current and historical findings, ensuring businesses have constant insights into their security posture.
Gartner, Hype Cycle for Security Operations, 2024, By Jonathan Nunez, Andrew Davies, 29 July 2024.
Gartner, Hype Cycle for Application Security, 2024, By Dionisio Zumerle, 29 July 2024.
Gartner and Hype Cycle are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
AICPA (the American Institute of Certified Public Accountants) developed the SOC 2 (System and Organization Controls) framework in 2010 to provide guidance for evaluating the operating effectiveness of an organization’s security protocols, especially within cloud environments.
SOC 2 is a compliance and privacy standard that outlines how organizations should manage customer data and related systems to ensure confidentiality, integrity, and availability.
SOC 2 defines five Trust Services Criteria (TSC) that evaluate various aspects of information security and governance. The first, security, must be a part of any SOC 2 audit, and organizations can choose to include other trust services categories. Organizations tailor their SOC 2 audits based on their specific needs and the services they provide.
Security: Ensures protection against unauthorized access, breaches, and other security incidents by assessing the effectiveness of controls related to data protection, access, and system security.
Availability: Ensures systems are available for use as needed by examining whether the service is available as promised and whether any planned or unplanned downtime occurs.
Processing Integrity: Ensures accurate and complete processing of data, as well as the timeliness and consistency of data processing.
Confidentiality: Ensures data confidentiality by examining data encryption, access restrictions, and confidentiality agreements.
Privacy: Ensures compliance with privacy regulations for personal information.
Customizing SOC 2 Controls to Best Fit Your Organization
Organizations design their own internal controls to meet these requirements, as needs and controls are unique to each organization. It’s common for organizations to use a service or consulting company, such as Raxis’ partner Strike Graph, to help them understand the different controls, to assess which are relevant for the organization’s systems and services, and to ensure that they have fulfilled the controls properly before an audit takes place.
Many organizations focus entirely on the Security TSC, also known as the common criteria, for their SOC 2 audits. The common criteria are required for all SOC 2 audits. These are the areas of focus, created in 2017 and revised in 2022:
CC1: Control Environment
CC2: Communication and Information
CC3: Risk Assessment
CC4: Monitoring Activities
CC5: Control Activities
CC6: Logical and Physical Access Controls
CC7: System Operations
CC8: Change Management
CC9: Risk Mitigation
During the SOC 2 audit, an independent auditor evaluates the organization’s security posture related to the selected Trust Services Criteria. Organizations provide evidence for the controls they have in place, and, if auditors feel there are deficiencies, organizations can choose to remedy those during the audit or to explain why they accept the risk.
SOC 2 Type 1 versus SOC 2 Type 2
While Type 1 provides a foundational layer regarding the control design for the organization, Type 2 offers a comprehensive view of control effectiveness over time. Type 1 is the first step in annual SOC 2 compliance. Organizations can choose to combine Type 1 and Type 2 during their first SOC 2 audit or to become Type 1 compliant the first year and then move on to Type 2 in subsequent years.
SOC 2 Type 1 evaluates an organization’s cybersecurity controls for their effectiveness at safeguarding customer data at a specific point in time, while Type 2 examines how well the organization’s system and controls actually perform over a period of time (often 3-12 months).
Raxis, for example, decided to focus on SOC 2 Type 1 in our first year of compliance so that our team had the time to focus on building out the necessary controls in the most robust manner possible that matched our systems and services. SOC 2 allows organizations (to a certain extent) to set up their controls with as much simplicity or complexity as they see fit. As security is integral to every part of Raxis’ business and goals, our aim in choosing to become SOC 2 compliant was to take the time to build the controls out to best protect the data entrusted to us.
Honestly, we found that we could not determine the best way to implement our controls without building out and testing the systems themselves. In the end, we could have performed our SOC 2 Type 2 audit in 2023 as well, but with the busy end-of-year penetration testing season, we decided to complete our first SOC 2 Type 2 compliance audit this April, covering this past winter and spring.
How Does Penetration Testing Relate to SOC 2 Compliance?
SOC 2 compliance is essential for demonstrating your commitment to data protection, while penetration testing provides an extra layer of security by identifying vulnerabilities so that your organization can correct them before they are exploited.
But there’s more… SOC 2 compliance often requires a penetration test (and a retest of critical and severe findings) as one of the controls in order to show that organizations successfully monitor and correct/mitigate security risks to their systems.
Raxis often performs SOC 2 penetration tests for our customers and is proud to work with SOC 2 partners to perform penetration tests for their customers as part of their framework offerings. Tailoring your penetration test to your specific needs and goals is an important first step in scoping any test.
Why Choose to Become SOC 2 Compliant?
While not yet required, SOC 2 compliance helps establish trust between service providers and their customers. With high-profile data breaches becoming more common, many organizations, like Raxis, choose to become SOC 2 compliant both as an exercise to ensure the security controls they’ve created are robust and also to ensure the controls are updated as the threat landscape changes over time.
SOC 2 compliance is audited annually, ensuring that both the organization’s controls themselves and their implementation are tested regularly to ensure that new risks are accounted for and that security policies and procedures do not become stale. SOC 2 compliance ensures that organizations handle customer data securely and transparently, meeting specific criteria for trust and protection.
Raxis’ Cybersecurity Red Team Test is our top-tier test that gives our customers a true feel of what hackers could and would do to their systems, networks, employees, and even offices and storefront locations.
Curious to know more? Take a look at this short video that gives a true look at real Raxis red team tests.
While that looks like fun and games, it’s actually serious business. Red team tests are slow and methodical, making sure not to trip any alarms or cause wariness… until the first crack in the armor appears and then things often move quickly from there.
Hackers look for the low-hanging fruit. Whether that is a friendly employee who lets them in, a badge reader system that is vulnerable to simple attacks, or an unsecured wireless network reachable from the parking lot, it’s likely only the first step. Once the Raxis team has some sort of access, we move quickly to establish long-term access and to gain deeper access.
While network and application penetration tests check your security controls and make sure that you are protecting each system to the fullest extent and following best security business practices, a red team widens the scope and looks at any way – often the easiest way – to get in. The scope of a red team widens to cover all or most of your systems, just as a malicious hacker would.
We’re proud to announce that Gartner identified Raxis as a Sample Vendor for Penetration Testing as a Service in two Gartner Hype Cycle reports in 2023.
According to the Gartner Hype Cycle for Security Operations, “Organizations are turning to PTaaS to deal with the increase of attack surfaces due to accelerating use of public cloud and expansion of public-facing digital assets. PTaaS allows developers to talk to and receive guidance from pentesters instead of arguing with scanners, such as dynamic application security testing/static application security testing (DAST/SAST) scanners.”
In the Hype Cycle for Application Security report, Gartner states “PTaaS complements vulnerability scanning and application security testing, and provides cost-optimization and quality improvement of pentesting output and validation of vulnerability status. PTaaS enables organizations to elevate their security posture through continual assessment. It integrates validation earlier in the software development life cycle compared with traditional pentesting phases by giving access to real-time findings delivered through the platform, therefore enabling faster reduction of exposure.”
“We believe our recognitions certainly validate the importance and value that organizations can realize by engaging in a continuous Penetration Testing as a Service solution. By implementing Raxis PTaaS, business stakeholders will now have visibility into the actual security risks to the organization over time.”
Mark Puckett, CEO and Founder of Raxis
Raxis’ Penetration Testing as a Service solution customers receive at least one annual traditional penetration test to set a baseline and to meet common compliance requirements. For businesses where full time security is a priority, Raxis’ continuous anomaly detection and on-demand penetration tests are a key defense to newly emerging security findings. With current and historical findings detailed in the Raxis One portal and Raxis’ zero-day detection within PTaaS, businesses can rest assured that they have constant, key insights into their security posture.
Gartner, Hype Cycle for Security Operations, 2023, 20 July 2023.
Gartner, Hype Cycle for Application Security, 2023, 24 July 2023.
Gartner and Hype Cycle are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Over the years, we’ve posted several times about the need for pentesting and a focus on security in the healthcare industry. Healthcare security may start with HIPAA regulations, but, in the end, it all comes down to protecting patients and the healthcare workers – from doctors to nurses to insurance offices, administrative staff, and everyone else who gives their all so that you and your family members are safe to focus on healing.
Getting Better, But There’s More to Do
Years ago, when I was still on the pentest team at Raxis, I recall walking through hospital patient floors during physical social engineering engagements. I’d put on the scrubs that I bought at Walmart, and even though they often didn’t match the scrubs the other nurses and doctors wore, I never got stopped while wearing them.
I took papers off printers (to photograph for my report and return) and sat down at computer workstations to learn the software available since the systems weren’t locked. I walked through all levels of the hospital that were in scope for the test, using elevators and stairwells without finding a locked door and without being questioned.
In this short video, Raxis CEO Mark Puckett speaks about healthcare pentests he’s performed in the past and how the vulnerabilities we find concern us all.
More recently we’ve found hospitals more likely to automatically lock workstations, but with the shortage of healthcare workers and no short supply of emergency situations, we want to give the healthcare industry every possible advantage to stay secure.
STILL MORE TO DO
Just as hackers are constantly changing and discovering new ways to attack, Raxis also changes in order to keep our customers secure in this ever-changing environment. We offer several options for the healthcare industry, and we created our newest option, PTaaS (Penetration Testing as a Service), in order to help our customers who have their eye on the strongest security possible today.
Georgia’s Putnam County School District takes cybersecurity seriously — not only as an administrative safeguard, but also as an important new skillset to teach the next generation. Regardless of their ultimate career choices, today’s students will be tomorrow’s workforce and cybersecurity will be a critical component of every job.
It was in that context that Ed Ozols, a computer science and cybersecurity teacher at Putnam County High School invited Raxis lead penetration tester Brice Jager to speak to his students about the role of pentesting and how it keeps networks safe.
Some Words from Ed:
Brice was a great help to my cybersecurity class. This is the first time that Putnam County High School has offered cybersecurity and we will be providing the full pathway that ends with a certification exam to our students. We are one of the few districts in Georgia that offers the full pathway. Brice spoke with students who are taking their first cyber class. He was able to outline what life was like for a cybersecurity specialist (in his case, as a pen tester).
Brice noted the different ways that students could get into cybersecurity and pointed out that students need to put in work to qualify for jobs and explained the certification process and how to determine which certifications are valuable to possible employers.
The students had numerous questions that Brice answered for us, and his explanations were understandable to my students who have just begun to get their toes wet in cybersecurity and do not have a depth of cybersecurity knowledge.
They were glad to hear from him. One student, who is normally shy, came up to me and talked with me about a future in cybersecurity. I have other students who plan on pursuing a career in cyber and this helped cement those plans.
I am helping develop the future of cybersecurity and Brice was an important part of this development in the students that he was talking to. My students and I thank you for connecting us with Brice. It is two weeks after his discussion and my students are still relating things that he said with the concepts I am teaching in my class (as in “Brice said…”).
According to Brice, the experience was very rewarding for him as well.
“I’ve been an instructor in some of my previous jobs, so it feels natural to ease back into that role,” he said. “What made this experience unique is that I had an opportunity to introduce young people to the field of penetration testing and, I hope, sparked a deeper interest in cybersecurity among them. It’s rewarding to think that one or more of those students could decide on a career in cybersecurity because of this introduction.”
I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.
In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.
If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.
Question 1: What is your experience in performing the type of penetration testing our company is looking for?
At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.
On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.
A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.
Question 2: Tell me about your experience in my industry?
Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standard (PCI DSS), and we can plan our testing to make sure you’re compliant.
When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX, for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.
Question 3: How comprehensive is your reporting?
The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?
Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.
Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)
Question 4: Who are the people I’ll be dealing with? What are their qualifications?
Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.
The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.
At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.
Question 5: How much will it cost and why?
Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.
If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.
Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven- to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.
Conclusion
Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.
The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.
Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.
Most of us here in the US have followed the Russian invasion of Ukraine with a mix of disgust, outrage, and even existential fear. But there is a way to channel these negative feelings into positive actions by making yourself and your company a harder target for hackers, including those affiliated with or supported by the Russian government.
During World War II, families planted victory gardens to help feed our military here and abroad. As the Cold War brought us to the brink of nuclear conflict, private citizens were called on to be part of a civil defense force to supplement local emergency management personnel. Now, technology has introduced us to a new battlefield in cyberspace.
Though cyber war doesn’t offer the horrific imagery of a physical invasion, it is every bit as real, the stakes are incredibly high, and threats are growing more sophisticated. Russia sent its soldiers into Ukraine, but it also has an army of malicious hackers on its payroll and/or under its protection as well.
Many of these are coin-operated criminal gangs working with the express or implicit approval of Vladimir Putin. They have a track record of targeting his enemies worldwide. The United States has been and will continue to be in their crosshairs.
As with generations past, it’s our turn now to recognize we all have a role to play – as private companies and private citizens – in protecting our institutions from attack. Here are some ways to do that immediately.
For individuals, it’s critical to enable multifactor authentication, create complex passwords and/or use a secure password manager. An old poster from WWII cautioned, “Loose lips might sink ships.” The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations.
As professional hackers, we often rely on that same principle – piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.
For businesses, now is the time to recognize that cybersecurity is part of your corporate mission, no matter what industry you’re in. If you’re a leader in your organization, be sure to establish regular check-ins with your information security team – if you haven’t already — and heed their advice.
This poster, found in bars across the US during WWII, was a reminder that Americans had a duty to protect information:
Remember, too, that Raxis and other companies have veteran cybersecurity experts on their teams whose life’s work is to help protect you from those who would steal from you, hold your data hostage, or disrupt your operations. Now, as always, our certified professionals are ready to help.
Raxis can perform in-depth penetration tests, conduct red team assessments, test your web applications, or help train your infosec team. But we also offer a number of free resources that are publicly available as well.
Check out our YouTube channel, follow us on social media, and make sure you subscribe to this blog. We provide a lot of great security information aimed at helping you understand the latest threats and what you can do about them.
The people of Ukraine are rightfully in our thoughts and prayers at present. It’s unconscionable for one sophisticated, powerful nation to attack and invade its neighbor simply because it can. But we can do much more than fret over what’s happening overseas. We can take action that will make it harder for the Russian government to escalate its cyber war in Europe and here at home.
This is your chance to join the fight. Make your actions count.
I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.
Step 1: Identify Your Why
There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.
Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.
See a term you don’t recognize? Look it up in our glossary.
Step 2: Understand What You Have at Risk
A closely related task is to be clear about everything you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personally identifiable information (PII) from the local hard drives.
Step 3: Determine What Type of Test You Need
General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.
Raxis offers several types of penetration tests depending on your company’s needs:
Step 4: Consult Your Trusted Advisors
Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.
In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.
If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.
The downloadable PDF below includes this list of Raxis services with an explanation of what we test and a brief explanation of how we go about it.
Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.
Here are some resources you might find helpful as a start:
Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?
In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Do they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references, and others may not be willing to discuss the experience. However, some will, and that will add to your knowledge base.
If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.
If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.
As Raxis’ chief operating officer, I’ve been busy prodding coworkers to do these meet-the-team interviews. (Looking at you, Brad, Brian, and Mark). Now, it’s my turn for a conversation with our marketing specialist, and the result is the interview below. I’m more accustomed to conducting interviews than giving them, so, if you’re a qualified penetration tester, check out our YouTube channel and our careers page. If Raxis is the type of company you’d like to work with, who knows – maybe I’ll get a chance to interview you.
Jim: First of all, condolences for your Tarheels’ recent loss to my Seminoles in football.
Bonnie: That’s all right. I’m a baseball fan, so North Carolina will get its redemption in the spring – if not before.
Jim: Really? I wouldn’t picture you as a baseball person. How did you become a fan?
Bonnie: That started while I was at UNC. I was working as a web and database developer for many years. Baseball just seemed to be an athletic extension of that same mindset. As a game, it fit in with the details, patience, and long-game required to code a complex application from start to finish… and end up with a result that faculty, staff, and students were all happy with.
Jim: I don’t think I’ve ever heard anyone make that connection before. Is that what attracted you to a career in IT in the first place?
Bonnie: I was a shy bookworm when I was younger. IT was a field I thought would allow me to work independently and not require me to interact as much with other people. However, as I grew in my profession, I realized that I needed to get past that shyness if I wanted to really make a difference.
Jim: Did that happen naturally, or did you have to work at it?
Bonnie: Oh, I worked on it. I moved on to a development job at PBS North Carolina (UNCTV while I was there). During our pledge drives, I was usually backstage working on a computer, but occasionally I would be on the phones and on live television. There are people who still tell me they remember seeing me on air.
Jim: Did that make you more comfortable being in front of people?
Bonnie: That started me on the path, I think. But the real breakthrough was when I went completely outside my comfort zone and took improv classes for a few years. I was petrified at first, but I met some great people who gave me the courage to get over my fear.
Jim: I think most people would find that terrifying – to be on stage, all eyes on you, and the pressure to be funny.
Bonnie: Improv isn’t like stand-up comedy. The whole point is that you are not alone. The team has your back, and you have theirs. It gives you a confidence to just run with what pops into your head & see if it’s funny.
Jim: Okay, so you’re a veteran IT pro and you’ve got all this improv experience. How did you find your way to Raxis and bring those skills together?
Bonnie: Our CEO, Mark Puckett, & I were good friends in high school, and I met his wife when her mom and dad were “band parents” for the marching band. (I played the flute.) In 2014, I moved back to the Atlanta area to be closer to my family and began working as a penetration tester at Raxis. When my first PSE (physical security evaluation) job came up, I found that my improv experience helped me think on my feet.
Jim: So, improv helped you convince people you were someone else and your IT background allowed you to capitalize on that?
Bonnie: Yep. It’s a bit scary how often people believed me, but the good news is, it was all for educational purposes. Once they see how easy it is for someone to slip past their security, it helps them better understand what they need to do to protect themselves and their companies.
Jim: Unlike other companies, most of Raxis’ best work has to stay confidential for obvious reasons. In the absence of outside validation, what makes the work fulfilling to you?
Bonnie: As I’ve grown in this job from pen tester, to project manager, to leading operations, I’ve found that I’m no longer in a shy IT position. Just like my improv team made me feel safe to try new things, the team here at Raxis makes things fun every day. It honestly doesn’t feel like a job. I get to work with great people and do what I love each day.
Unwanted text messages are always annoying, but some can be dangerous. Smishing is a phishing attempt carried out via text and it can be more effective than you might think.
We’ve all been there – waiting on an important text message, receiving a notification, and opening the phone only to see a message about our car’s warranty expiring.
Isn’t that just the worst?
As it turns out, no. Far more damaging are the ones that bring phishing and spear-phishing into the more personal, less-guarded world of SMS texting. You’ve probably heard the portmanteau “smishing” (SMS + phishing) to describe the practice, but you may wonder how and why it works. More importantly, you should know what you can do to make sure it doesn’t happen to you.
The psychology of smishing
At its essence, smishing is a form of social engineering that relies on the implied urgency and intimacy of a text message. Whereas most businesses have effective spam and virus filters in place, and we’re reminded often about the dangers of email, text messages often bypass company security. What’s more, they occupy a different place in our minds than standard business communications.
If email reflects the type of discussion you might have in the conference room, texting is more like banter over drinks after work. In the former, we’re conscious about what we say and what we hear. In the latter, we’re more relaxed and trusting of those around us. And, like other forms of social engineering, that’s what hackers count on when they send a smish.
Enabling technology
There are several widely available consumer-grade apps that allow the user to spoof a phone number, display a fake name, and send a message directly to voicemail or text. In the name of privacy, they offer anonymity to the sender, making it extremely hard to trace. Though the phone companies are working to identify and warn users that such messages may be fake, more customizable and concealable apps are available for sale on the dark web.
As with email, these provide scammers with the ability to deliver malicious phishing links to a broad audience. One click could download malware to your device or take you to a website that will attempt to harvest your credentials. But more troubling is the advanced spear-phishing abilities they provide. We might suspect a direct request for money (or gift certificates) or something obvious. However, consider the image above and ask yourself how many of your employees would immediately comply just to be helpful. If they do, it could render your multi-factor authentication meaningless.
Protecting yourself and your company
There are several other ways smishing can put your organization at risk, and there’s only so much technology can do to protect you. With that in mind, here are several things you can do to make sure you and your organization don’t become smishing victims.
Remember that a legitimate person or company sending you a text message will want you to be wary and check.
Even if you recognize the company, think about other texts you’ve received from them. Most payment services, like Venmo and PayPal for example, include “we will never call or email you to request this PIN.” Most banks tell you to log in to their site rather than include a URL in the text.
Even if the phone number looks correct, remember that numbers and names are easily spoofed. A strong phish may email, text, and call you so that you feel like someone has backed up the claim that it’s legit.
A true alert should provide a way for you to take the requested action without using the text. Log in to a trusted URL that you have bookmarked. Call the number on the back of your credit card to confirm. Or, reach out in some other way that doesn’t rely on information provided by the same person or company.
Messaging apps often provide a way for you to report spam, scams, and phishes. Reporting them helps the provider block further attacks and makes it harder and more expensive for the hacker to continue.
The bottom line is that any form of electronic communication is subject to compromise by a determined hacker and there is an ongoing “arms race” between hackers and the experts working to keep us safe. That’s why personal vigilance will always be the most important security measure in our cybersecurity toolkit.