Author: Bonnie Smyre

  • 12 New Cyber Terms the World Needs Now

    There ought to be words for these things . . . and now there are. How many examples do you see in your work each day?

    Over the course of hundreds of penetration tests, red team assessments, and incident responses, we’ve encountered situations that left us without words. So, rather than just stand around speechless, we decided to create some new verbiage to fill in the blanks. See if you find any of these appropriate around your office or within your company.

    • Againstigation. uh-gain-stuh-GAY-shun. n. Studying the root causes of a large-scale breach even though the same basic tactics have been used repeatedly and the underlying problems remain.
    • Backoops. BACK-oopz. n. The act of deploying a secure backup solution after sensitive company data has been encrypted by ransomware.
    • Breacher’s pet. BREE-churz-pet. n. Anyone who leaves helpful notes with usernames and passwords on sticky notes attached to their monitor.
    • Chivalregret. SHIV-ul-ree-gret. n. The realization that a person for whom you’ve politely opened a door was actually a hacker who has now owned your network.
    • Clickmate. KLIK-mate. n. The moment when a hacker realizes a phishing campaign has captured the credentials of a network administrator.
    • Cyberchosis. si-bur-KO-sus. n. Delusional state that causes business owners to imagine they live in a world where hackers only attack other companies.
    • Duhpgrades. DUP-gradez. n. A series of long-overlooked and time-consuming upgrades that must be completed before a critical software patch can be installed.
    • Homepwnrship. HOME-PONE-er-ship. n. Taking over a corporate network by first hacking a remote worker who fails to follow proper security protocols.
    • Pastword. PAST-werd. n. 1) A password in use on multiple sites. 2) Any password that remains in use after a site where it is used has been hacked.
    • Pen-guesting. PIN-guess-ting. v. Using visitor login information to access sensitive data improperly secured on a company network.
    • Premiscuity. pri-miss-KEW-e-tee. n. Allowing an unknown person or persons into secure areas of a facility.
    • Ransomdare. RAN-sum-dair. v. To passively invite a cyberattack by refusing to provide cybersecurity training, allowing poor password hygiene, and failing to employ secure backup.

    Do you have any terms you’d like to add to our list? If so, visit us on Facebook, LinkedIn, Twitter, or Instagram and leave us a message. Better yet, share this post and bring your friends in on the fun.

    If you’d like to learn about cybersecurity terms we didn’t just make up, visit our glossary.

  • Why Mutual Assured Destruction is an Incomplete Cyber Defense Strategy

    “Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes.”

    Bonnie Smyre, Raxis Chief Operating Officer

In the wake of the Colonial Pipeline breach, security analysts have discussed the idea that direct retribution might be an effective deterrent to the large-scale cyberattacks the US is experiencing with increasing frequency. As someone with a strong background in Russian and Eastern European studies, I understand the historical precedent that drives this mindset. However, as a cybersecurity professional, I know that a half-century-old strategy will not be nearly as effective against the challenges we face today.

    Some ‘MAD’ Background

    In the most dangerous days of the Cold War, US and Soviet leaders agreed to a counterintuitive policy that helped ensure neither side would launch a catastrophic nuclear first strike. Recognizing that stockpiles of atomic weapons were sufficient to destroy Earth many times over, the two superpowers agreed that the world was most secure when both sides maintained the ability to respond to a first strike with an equally devastating counterstrike.

    Though it sounds barbaric, the strategy of mutual assured destruction (MAD) was one reason a period of détente lasted long enough for both nations to de-escalate tensions and negotiate dramatic reductions in the size of their nuclear arsenals.

    The New Battlespace

Though the Soviet Union fell apart in the early 1990s, and the US ‘normalized’ relations with China, the threat those nations posed to America never disappeared completely. Instead, it has evolved with new technology and shifted into cyberspace. Hackers with ties to Russia and China are widely believed to have been responsible for high-profile breaches of government agencies and contractors, meddling in US political campaigns, and sabotaging critical infrastructure.

    I say ‘widely believed’ because in the shadowy world of hackers it’s nearly impossible to prove an attack was state-sponsored. Malicious actors are very much cybercriminals without borders, and it’s not hard for hostile nations to contract out some of their dirtiest work.

As for the weaponry, ransomware, like the type used in the Colonial Pipeline attack, is commodity malware, readily available for sale on dark web markets. Some of the more enterprising black hats even offer support for an additional fee.

    Where Deterrence Fails

    The simplicity and anonymity of cyberwarfare do more than give cover to state-sponsored actors. In the context of mutual assured destruction, a more dangerous possibility is that non-state actors could launch an attack that triggers a misdirected, full-scale state response. In that scenario, it’s easy to envision a rapid escalation leading to military action.

    An even bigger problem with the MAD concept, however, is its central tenet that the civilian population is purposely left exposed. In the case of nuclear war, there is a macabre logic behind that. Taking away the fallout shelters, civil defense infrastructure, and air raid drills made clear to everyone that a nuclear war between the superpowers would likely be the end of civilization. Entering the launch codes meant worldwide annihilation, plain and simple.

    In the case of cyberwarfare, there simply isn’t a clear delineation between military and civilian or even public and private sector targets. Colonial is a private company, as are many utilities and other organizations that are of vital importance to our national security. Was the recent ransomware attack a simple economic crime or a strategic strike on the Eastern Seaboard?

    Nor is there a foolproof way to gauge the severity of the attack. A small business might be hacked in order to reach a larger upstream supplier. And disrupting several municipalities could have the same strategic impact as an attack on the federal government.

    We are the Front Line

    From a practical perspective, what all this means is that, at most, deterrence can only be one part of a much larger strategy. And, unlike the Cold War, this new state of perpetual, persistent cyberwarfare can’t be waged solely by our military or managed by diplomats alone.

    We’re all in this together. As long as one business is at risk, all of our businesses are. If our businesses are at risk, so is our government. And if our government is at risk, so are our people – from all walks of life.

    Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes. The good news is that there are things we can do to protect ourselves and to become harder targets. As we do so, we raise the technological barriers, drive up the costs, and increase the risk to those who would attack us.

    Mutual assured destruction helped end the Cold War without nuclear confrontation. But the key to ending global cyberwarfare may well be mutual cooperation – among our government, our military, and our businesses of all sizes.

  • A Culture of Freedom with an Expectation of Results

    When it comes to choosing a job, there are so many things to consider – benefits, responsibilities, leadership, and of course pay — to name just a few.

    But for many, a company’s culture is near the top of that list. In fact, an Indeed survey found that 72 percent of job seekers say that it is extremely or very important to see details about company culture in job descriptions. The survey also found that 46 percent of job seekers said they would not apply to a job if they did not believe it would be a good culture fit for them. That’s pretty eye opening.

    At Raxis, we look for talented people we know will work well with our unique culture. If you think that makes us very selective when hiring, I’d say that’s accurate. But here’s why: We give our employees a great deal of freedom about when and how to get their jobs done. With a fully remote team, we hire people who don’t need constant supervision and instruction. Instead, they are driven by a powerful desire to get results for our customers, and we hold them accountable for doing just that.

    Not everyone works well in that type of environment — and that’s okay. There are lots of tech jobs with an abundance of structure and routine. But if you’re the type who thrives outside a rigid environment, and you do your best work independently, check out the video below (and others in the series).

    Raxis lead penetration tester Scottie Cole talks about the freedom he has as a Raxis team member and the tremendous responsibility that comes along with it.

    We know how important culture is to prospective employees. It’s just that important to Raxis, too. If you’re a talented cybersecurity pro who values flexibility and is committed to results, you’re the kind of person we want to hear from.

    For more information, check out our careers page and the rest of our website to see what we offer.

    Want to learn more? Take a look at the first part of our Working at Raxis discussion.

  • Change is Growth in the Pen Testing Field

    Ask most of us at Raxis what we do, and we’ll tell you we’re penetration testers or ethical hackers or simply that we work for a cybersecurity company. But if you ask what that means – what we really do on a day-to-day basis – you’ll likely get a variety of fun stories about sneaking into buildings, bluffing our way past security guards, using high-tech equipment and special software to hack into networks . . . you know, the usual things.

    That’s partly because the field of penetration testing requires us to try many different approaches to breach a customer’s defenses, which means the more skillsets we bring to the job, the better our chances. But it’s also because Raxis is a company where those additional talents are rewarded with opportunities to grow.

    In this week’s video, Adam Fernandez explains how his journey at Raxis has taken him from pen tester to his current role as our Lead Developer. 

    Adam is a great example of the unique talent we have at Raxis and the type of multifaceted professionals we look for to join our team. His professional growth is helping our company grow and in turn opening up new opportunities for all of us.

    Are you the kind of person who brings more than one set of skills to the job? Are you looking for a team where flexibility and adaptability are appreciated and rewarded? If so, take a look at the other articles in this series and let us hear from you.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Client Success is Raxis’ Success

At Raxis, we find that communication with our clients is one of the most critical components of our service.

Throughout the penetration testing process we communicate with our clients through daily updates. At the end, we provide not only a debriefing call but also a full report describing what we found, what it means for them, and the steps they can take to resolve any issues uncovered during the engagement.

    In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.

    It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is all about the communication. Our penetration testers must be able to not only find security flaws but also to accurately communicate these issues with the client as well as detail how to remedy them. 

    We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.

    By treating customers like partners, we ensure our success is based on your success. 

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Guiding the Next Generation of Cyber Pros

    “After graduation, I’m heading to the United States Naval Academy and plan to major in cyber operations.”

    Cameron Colavito

    At Raxis, we love what we do, and we relish any opportunity to share our passion with the next generation of cyber professionals, so I was thrilled when Cameron Colavito, a senior at the Lovett School in Atlanta, asked to interview me for her senior project focusing on cybersecurity. 

    During the interview Cameron asked what I believe is the most important trait for cybersecurity leaders to possess. I knew my answer immediately – integrity, without a doubt. Businesses, schools, individuals, and families all trust cybersecurity professionals to protect their most sensitive data from attacks, leaving these cyber pros with an extreme amount of power. And as we all know, with great power comes great responsibility. 

    We take the responsibility we’ve been entrusted with very seriously at Raxis, and we’re so glad to see that schools are giving students the opportunity to learn ethical practices as well. Judging from her project description below, Cameron will be more than ready for a future in this field.

    “The concept of my senior project is to learn about how cyber security professionals handle ethical hacking, leadership, and education. I have the opportunity to interview professionals in the field, as well as take up a spring internship with Curricula. During my internship, I will experience how they lead and educate their customers on important cyber issues such as ransomware, social engineering, information security, etc.

    “After graduation, I’m heading to the United States Naval Academy and plan to major in cyber operations. I am excited to see how this field of study becomes a reality in businesses such as Curricula, Raxis, and this growing industry.”

    Cameron Colavito

I will add that Cameron has earned a great honor with her acceptance into Annapolis. If she sticks with cybersecurity, she will have an opportunity upon graduation to be an officer in the Navy’s information warfare community. In that role, she will help lead the ongoing fight against nations and non-state actors to protect our critical information systems.

    It has never been more important for us to encourage the next generation’s best and brightest to pursue a career in cybersecurity. Given the threats we face from within and from abroad, the opportunities are limitless. For those like Cameron, who answer the call with initiative and integrity, I expect that future will be incredibly rewarding.

  • At Raxis, Learning and Improving are Constants

    In today’s video, you’ll hear from Lead Penetration Tester Matt Dunn, the newest member of our team, about why he appreciates the learning environment we’ve created and continue to nurture at Raxis. 

    Matt actually came to Raxis with several certifications under his belt and another now in progress. That proactive quest for knowledge was a good sign that he would be a great fit on our team and was among the reasons we hired him. As it turns out, we were right: Not only has he done excellent work as a penetration tester, Matt has also published his first Metasploit Module. (For the uninitiated, that is a very big deal in the pen testing world.)

    To be clear, it is certainly possible to be an outstanding penetration tester without professional certifications. Likewise, I’m sure there are bad testers out there with walls full of them. As with Matt, however, taking the initiative and making the effort suggests that you are willing and able to learn – and that is a key differentiator for both pen testers and the companies that employ them.

    Why? Because the threat landscape is constantly evolving, and our knowledge and skills have to keep pace. That means the pros that make up our team have to be smart enough to hit the ground running and humble enough to continue learning once they’re on board. 

    Listen to Matt describe his experience, and you’ll get an idea of what this means in practice.

    At Raxis, we foster a learning environment, not just through research and certification training, but also through open communication among our team members. This group includes people from diverse backgrounds who each bring unique skills to the table. When we hire, we look for individuals who are both willing to share their talents with us and also able to learn from the other accomplished professionals on our team.

    Do you thrive in a learning culture? If so, Raxis might just be for you. Be sure to check out our other videos in this series and see if Raxis is the opportunity you’ve been looking for. 

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Why Teamwork is Key to the Raxis Culture

    As individuals, the members of the Raxis team are among the most talented and accomplished people in the field of information security. They are super-smart high performers who have been or could be successful in many different lines of work. Yet, they have chosen to be a part of Raxis.

    Why? For one thing, the job is interesting and rewarding. Knowing that we’re giving business owners and corporate leaders peace of mind and allowing them to focus on their priorities is a very satisfying experience. And it’s hard to beat the sense of accomplishment that comes from solving the ‘puzzles’ that CTO Brian Tant discussed in a previous post.

An even more important benefit, however, is the sense that, at Raxis, we’re part of something bigger than ourselves. That’s because effective teamwork creates a multiplier effect. We get the benefit of more minds working on tough problems and we have opportunities to learn from and teach each other as we do.

    The diversity of our team means that there’s always someone we can turn to who brings a different background and skillset to bear. As they do, we all gain new perspectives. The beautiful part is that the learning and improvement is continuous in the Raxis environment.

    As you might expect, this makes us very protective of our culture and very particular about who we ask to join us. Big talent is welcome. Big egos need not apply. It’s sometimes hard for us to find the right person only because it’s so hard to be the right person.

    Is that person you? Take a look at the video above and hear Brad Herring, our VP of Business Development, explain why teamwork truly is our special sauce. Also, check out our other videos in this series and see if Raxis looks like a good fit. 


    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • What’s it Like to Work at Raxis?

One of the great things about being a penetration tester is explaining what we do to people inside and outside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.

    That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.

Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work are truly like. These videos will likely be helpful if you’re interested in penetration testing as a career. They are must-watch material if you want a career at Raxis.

In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our work means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours.

    Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork. 

Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I explain how each penetration test presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.

    Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Bonnie Shares Words of Working Wisdom with Westminster Students

“I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious.”

    Raxis Chief Operating Officer, Bonnie Smyre

    At Raxis, we believe in giving back to our community and especially to the young people who are our future workforce. That’s one reason why I was very excited for the recent invitation to deliver a video message to students of Atlanta’s Westminster Schools, a private academy for kindergarten through 12th grade students, as part of its Conversations Around Race and Equity (CARE) initiative.

    Westminster aims to instill in its students a strong belief that they can do anything they put their mind to, as long as they create meaningful goals and work hard to achieve them. In the US today, their choice of profession isn’t limited by anyone else. So, it’s important for young people to open their minds and explore a wide range of career options.

    As a woman in the male-dominated field of information security, I was able to talk about my experience and how, through hard work and focus, I have earned the respect of my (all-male) colleagues along with the position of chief operating officer (COO).

I also had some fun explaining how being a penetration tester allowed me to use my gender to my advantage. I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious. Some cheap surgical scrubs from Walmart were all I needed to enter a nurse’s station and access a hospital’s computer network. A birthday cake was my ticket onto a secure elevator and directly into the office of a corporate vice president.

    My intention was to present the infosec field as a fun, challenging, and meaningful career choice. It’s also a field that is inclusive and accessible to everyone, regardless of race or gender, as long as they are willing to invest the effort.

    Congratulations to Westminster Schools for introducing students to a broad range of career options and for teaching them that all are within their reach. I was proud to be a part of that effort.

    If you’d like to learn more about our work as ethical hackers, be sure to subscribe to our YouTube channel and stay up to date on all our latest tips, tricks, and commentary.

  • Exploring Attack Security: Insights from Raxis Experts

    In this captivating episode of the Confident Defense podcast, host Conor Sherman engages in an enlightening conversation with Raxis’ Brian Tant (CTO) and Brad Herring (VP of Business Development). Brian and Brad, with their extensive experience, provide invaluable insights into the ever-evolving sphere of attack security.

    As the discussion unfolds, Conor seeks to demystify fundamental terms such as red teaming and pen testing. Brian and Brad not only clarify these concepts but also delve into the intriguing realm of purple teaming. They guide companies on the optimal path for testing progression, emphasizing the need for mature attack security. Topics span from the unique security challenges posed by COVID-19 to framework-level assessments. Brian and Brad advocate for organizations to strive for greater security than their peers while addressing vulnerabilities effectively.

    The conversation takes a thrilling turn as Brian and Brad share real-world anecdotes from their consulting work. Listeners are treated to tales of a high-stakes penetration test for a bank and an adrenaline-fueled social engineering engagement with an EMC (where Brian found himself dodging bullets and seeking refuge). Amidst these gripping stories, they shed light on hacking key card security systems, underscore the importance of robust password management, and emphasize the value of visibility and ongoing assessment in the dynamic landscape of cybersecurity.

    Tune in to discover the secrets behind the scenes—a world where security professionals operate like modern-day 007 agents, navigating intrigue, risk, and resilience.

  • Five Red Flags for Black Friday

‘Tis the shopping season! First up, Black Friday, followed by Shop Local Saturday, Cyber Monday, and all the shopping days that follow.

    Did you wake up early to stretch out your “add to cart” fingers so you can snag that hard-to-find, hot item of the season at a discounted price? Planning on heading out to that cute little boutique next to your office during lunch? 

    Before you do, there are a few things you need to remember. Most important is that cybergrinches are out there year-round, just waiting for the perfect opportunity to steal your holiday joy. The holiday season is big business for them, and they are waiting for you to drop your guard. (And, no, they don’t care if it lands them on the naughty list.)

    In the video above, I detail five red flags you should look out for on Black Friday — and all the other shopping days of the year. I’m hopeful these tips will help keep you and your company’s network secure this holiday season.

Let’s review: if you are going to be holiday shopping in the coming weeks, it is imperative that you take the proper precautions to keep yourself and your company secure.

• Don’t click on links within emails, and be very suspicious of any emails that discuss your credit cards or bank accounts.
• Be wary of phone calls or emails seeking donations to various charities. Be vigilant, and do your research on the charity. Even then, donate directly through the charity’s own website, not through a link in the email or a number given over the phone.
• If you are out shopping on your lunch break or after work, keep your work badge in a shielded protective sleeve to help prevent it from being read and cloned by someone standing nearby.
• Strangers are still strangers in the holiday season. Make sure everyone in your building and anyone trying to get in has the proper credentials to be there – or that they have an escort.
• Stay vigilant with your security practices, even when your office is short-staffed. When we get busy, it’s easy to skip locking computers and returning sensitive documents to a secure location. Take the extra few seconds to do cybersecurity right.

Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them, leaving your company far more secure and giving you additional peace of mind.

    Ready to find out how secure your network really is? Reach out to us, and let’s discuss your needs and how we can help.