Author: brian

  • 3 Steps You Should Take Right Now to Reduce Your Risk of a Cyberattack

    Hi everybody, it’s Brian with Raxis, back with another video today!

    This is a busy time for us all, with no signs of slowing down. Do you know who else is busy now? Hackers – especially ones that know just how easy it is for thousands of us to forget to update passwords, patch operating systems, and scan for new viruses.

    I get it. Life happens. Seniors are graduating, families are acclimating, dogs are crashing Zoom meetings, and many of us are adjusting to completely new work environments. But if you can remember to lock your doors at home, you can get in the habit of locking out cyber attackers at work.

    Watch the video above for the top 3 things I wish every company would do today to keep out intruders online:

    These steps are the basics that every company should be taking, but, as hackers know all too well, not everyone does. Your company’s security is a 24-hour-a-day responsibility. Make sure your employees and your IT department know how critical it is for everyone to use the tools you already have to stay one step ahead of criminals.

    If this video made you wonder how secure your company’s data is, contact Raxis and learn how our tests can help you assess and improve your cyber defenses. We partner with small- and mid-sized businesses, as well as Fortune 500 companies, to help protect your employees, your data, and your bottom line.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.


  • Here’s How Hackers Can Get Through Your Doors and Onto Your Network

    Watch my video to see how easy it can be to bypass your company’s sophisticated security system. You might assume I’m just a guy who left something at work and had to run back in. But that’s not my office, that’s not my badge, and, at sunset, my day is just getting started. 

    We’re all familiar with employee badges – plastic proximity cards that contain a unique identifier that tracks when and where an employee is on company property. Businesses around the world depend on this technology to prevent unauthorized access, yet most would be shocked to see how simple it is for those badges to be scanned, cloned, and used to access a secure server.  

    In truth, I’m the chief technology officer at Raxis, a team made up of ethical hackers who can get in and out of your secure office quickly and quietly. If we wanted to, we could walk away with access to every single file stored on your network. Luckily, we are not actually there for the files; we’re there to fix your vulnerabilities to a cyberattack.

    Badges that use RFID technology can be scanned from a few feet away, then cloned in seconds using a handheld copier/reader/writer – a relatively inexpensive device that’s easy to find if you know where to look. Add a small hidden camera to capture the PIN code on an alarm, then drop a backdoor implant device onto your network, and you’ve got a budget-friendly break-in method that a competitor or a kid on the dark web could use to ruin your reputation. 

    Until it’s tested, security is only perception. Raxis assessments identify real-world vulnerabilities that may otherwise go unnoticed. We partner every day with companies like yours to harden their security through process and technology enhancements. The most important asset in any business is a customer’s trust. Secure it with effective, battle-tested solutions from Raxis.


  • Notes From a Hacker: Yes, You Have to Use Your VPN – and Here’s Why

    Right now, across the globe, there are millions of exasperated IT helpdesk workers on the phone with an equal number of frustrated colleagues who are working from home, some for the very first time. I don’t have exact numbers, but I’m willing to bet that the most common issue they’re discussing is problems logging onto a company’s virtual private network (VPN). From my own experience, at least some of those end users (maybe you included) are asking, “Do we really have to do this?” 

    The answer is, yes, you do. And, because your IT team is likely overwhelmed right now, I’ll step in and share just a few reasons why a VPN helps keep your company safe from people like me.

    The most common threat someone faces on unsecured WiFi networks is a man-in-the-middle (MitM) attack, where a hacker inserts himself into the data stream between two endpoints. You’ve probably been cautioned about public WiFi – coffee shops, airports, etc. – for that very reason.  Trust me, it will work on your home as well.

    A successful MitM attack allows a bad guy to intercept or modify data in transit, including credentials or financial information. In fact, most wireless attacks are perpetrated with the goal of acquiring MitM access to user data. A VPN connection encrypts your data and makes it much harder for a hacker to steal.

    MitM is similar to another threat known as the “Evil Twin” attack. This is sometimes referred to as a rogue access point, and it exploits how wireless endpoints behave. When a phone, laptop, or tablet joins a wireless network, it will remember that connection. From that point forward, the endpoint will send out beacons looking for that network.

    Unfortunately for you, it’s easier than you think to trick your devices. We can use tools such as Mana or the WiFi Pineapple to respond and create a fake access point. Your device will associate with it as though it were the legitimate network. From there we have a MitM and can intercept or modify data in flight, or even create fake captive portals to capture credentials.

    Other tools help attackers go after wireless networks directly by sending de-authentication packets, which cause devices to disconnect. When they attempt to reconnect to the network, they must re-authenticate. This process involves a four-way handshake in which a hashed form of the Pre-shared Key (PSK) is exchanged. A hacker can capture this handshake and attempt to crack it offline using tools such as Hashcat. If the hash is cracked, the PSK is revealed in cleartext.

    The most widely used is the Aircrack-ng suite of tools which includes Airmon-ng for capturing wireless traffic, Aireplay for injecting wireless packets, and Aircrack for cracking the PSK. Other tools such as WiFite offer a menu-driven interface that automates a wide variety of attacks.

    You may be thinking these tools are rare and hard to find, but that’s not the case. Both hardware and software are readily available and relatively cheap. They’re also very simple to set up and operate. 

    My point is that it can be relatively easy for a hacker to compromise your home WiFi. By contrast, your IT security team has a number of safeguards in place to protect you and the company’s network from the tools and tactics I described above. Extending that protection to those working remotely is the reason you have to use your VPN.

    Does that mean you can’t be hacked? Certainly not. But it does make my job a lot harder and it probably will cause me to move on – to another employee, another method of attack, or best case, another company.

    Preferably one that doesn’t use a VPN for remote workers.

     

  • Remote Security Series: Review Remote Workforce Policies

    The coronavirus emergency has made it clear that some companies are ready for the new work-from-home (WFH) reality, with mature and tested policies for managing remote business workflows. Others were caught off-guard and now find themselves developing and refining their procedures even as they’re being implemented.

    Especially in times of crisis, we humans need structure, boundaries, and clear guidance to help us feel secure and remain productive. So much so that we’ll create our own in the absence of any guidance. And while a little flexibility is a good thing, remote work brings technology and cybersecurity challenges that demand clear, relevant, and effective policies to protect the company’s network.

    Turning the problem into an opportunity

    Though most companies are now facing the radical shift to a remote workforce, the smart ones are using this emergency as an opportunity to review and update their remote work policies. Even for those that have transitioned smoothly to WFH, the scale of this change makes it prudent to double check the security posture of their teams. Those that do will find more ways to make their operations more secure and efficient; those that don’t may become corporate casualties of the coronavirus.

    Safeguarding sensitive data

    One of the biggest security issues for businesses is handling sensitive data like Social Security, credit card, or bank account numbers. Do you have procedures in place to make sure that information can be sent and received securely? Take a close look at how sensitive data flows across your newly extended network boundaries. Make sure you’ve accounted for identity management, client information, and any type of financial divulgence or payment.

    Like a rubber band, your network perimeter thins as it expands. Remote workers are at a heightened risk of direct attacks against their personal data. Emphasize the importance of documented policies regarding internal communications. Some examples might include never asking for passwords, verifying critical or sensitive requests, and MFA support.

    Business continuity processes (you do have them, don’t you?) no longer enjoy the luxury of encompassing a small number of sites. They now must accommodate an increasingly dynamic footprint of inputs from remote workers. Use this experience to update them to include such things as better internal communications, more productivity checkpoints, remote device wipe, and alternate contact information for remote workers.

    Include guidance about the personal use of business assets and make sure your VPN enforces a minimum level of security compliance before authorizing network connections. That should include requiring the use of company devices, keeping your endpoint protection up to date, and making sure any necessary agents are installed.

    In addition, you should enforce MFA on all systems that connect to network resources. Implementing MFA requires planning, but it offers much more robust security at the perimeters.

    All of these efforts are important, but they’re doomed unless you also have an effective way to let your workers know about them. Now is the time to communicate more frequently about security and be on guard against localized attacks like phishing and spear-phishing. Not sure about that email? Don’t open it. Hold off on sending hyperlinks so that any links received stand out for additional scrutiny.

    Where to start

    These are just a few of the ways you can make sure your business turns the problems you face with remote work into opportunities to make the experience more effective for your company and your team.

    If you need more help or want experts to help you transition to WFH, Raxis offers thorough security reviews and guidance on Teleworking, Security, and Business Continuity / Disaster Recovery (BC/DR) policies.

    Contact Raxis today for more information.


  • Top Five Actions NOT to Take When Your Pentest Results are High Risk

    Monday Morning Voicemail:

    Good morning high-powered CSO, this is Brian with Raxis. I sent over a draft of the most recent assessment report as you requested. Just to recap, there were seven critical findings, 5 severe, and a menagerie of others that we can discuss at your convenience.

    You’re the CSO of a major enterprise. You’ve hired us to perform a penetration test, and the results aren’t pretty. What now?

    The team at Raxis brings a rich depth of experience in articulating risk to all audiences. We can talk technical with the engineering groups and discuss strategy with C-level executives. It’s how someone deals with adversity that defines them as a leader. We’ve seen leaders emerge from the fire to rise above the fray. We’ve also witnessed the fallout when leadership decisions are made in ignorance or for political expediency.

    A security assessment is only one step in a process, and its value is largely determined by what happens after we’re out of the fray, so to speak. So, there you are; you have an unexpectedly thick and verbose penetration test report sitting in your inbox. Here are the 5 worst things you can do, based on what we’ve seen happen in the real world.

    5. Sweep it Under the Rug

    It may be tempting to just quietly file that report away because you think it might tarnish your reputation or because, “that only happens to other companies.” Maybe you would prefer to fix the findings with minimal political overhead. Here’s the problem. The report you received is a bona fide disclosure of risk. When it landed in your inbox, all plausible deniability left the building. If you do anything less than boldly embrace it, and the company is breached, you are going to be in a rough spot with tough questions to answer. By owning the problem, you can own the resolution. Let that be the focus.

    4. Play the “Blame Game”

    It is easy in the world of corporate culture to get bogged down in political maneuvering.  A corporate leadership role requires a certain level of posturing, but there are few things less productive than finger pointing. The fact that you were against rolling out the vulnerable application or platform that was compromised may carry weight in your inner circle of colleagues, but your stockholders only want to know their investment has underlying value and that effective leadership is at the helm. It’s helpful to acknowledge mistakes and learn from them, but keep the emphasis on moving forward.

    3. Cling to Penny Wise and Pound Foolish Remediations

    The findings in the assessment report are not a checklist to be ticked off and call it a day. Yes, of course they should be fixed, but it’s critical to understand that a penetration test is opportunistic. The findings that are presented are probably not the only significant exposure. Look at the bigger story that they tell and formulate remediations at a systemic level. Were all the findings related to applications?  If so, the problem probably is not the applications but more likely with their development and deployment. Yes, fix the symptom, but do not neglect the underlying problems that led to it.

    2. Rain Down Fire and Wrath

    We see this far too often. A phishing email is sent out, and an employee clicks on the link, which then becomes the bridgehead for a compromise. When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. Look at it this way. Once they understand the ramifications of their action, that person is the most secure person in the company at that moment. It’s likely that they will continue to operate under a heightened level of vigilance and will be the last person to click on a suspicious link in the future. Replacing them with someone who has not learned that lesson simply presses the reset button for future phishing attacks. Help them understand the attack and how their actions contributed, and they may become a powerful advocate among their peers for better security.

    1. Silo Solutions

    Would a capable attacker limit themselves to a single application, network, or technology? The answer, of course, is that they would not. Lateral movement is a huge component of privilege escalation. It’s important to scrutinize specific elements of any environment. We conduct assessments regularly against a single application or system, but what we always try to underscore is that rarely are attacks vertical. Rather, the attack chain tends to zigzag across technologies and business units within an organization. Just because you tested and remediated a specific web application does not mean that the app no longer presents a risk. It means that the direct exposure created by the app has been mitigated. Maybe there is another vulnerable application running on the same server that can be used as a point of compromise?

    The point is that attackers do not silo their efforts, so don’t silo your defenses.

    Your Decisions Make the Difference

    Fortunately, these observations are more the exceptions than the rule, but they do happen. And they happen in surprisingly large and mature organizations. Most of these mistakes can be attributed to a knee-jerk moment of self-preservation. When our lizard brain steps in, sometimes we don’t make the best decisions for our career.

    The best way to avoid these pitfalls is to never put yourself in that situation in the first place. Yes, some pentests are horrific. In leadership, it’s not how you fall. It’s how you rise above.

    A security assessment is not a chance for someone to make you look bad. It’s a learning exercise. Embrace it and use it as a platform from which to build positive change.

    Raxis CTO, Brian Tant

  • Goodies for Hoodies: TCP Timestamps

    The Picts were a tribal culture in northern Scotland that history has relegated to the realm of myth and enigmatic legend. Largely forgotten, the Picts fought off the military superiority of Rome’s army and built a sophisticated civilization on the whole before disappearing from history. These were a people dismissed by the advanced thinkers of the day as unimportant and trivial in their capabilities, only to rise up unexpectedly to great effect. What does this have to do with Security? Nothing really, unless your data center is staffed by Roman centurions on horseback. If that’s you, then I am ripe with envy. But all levity aside, so it was with the Picts, it is today with the humble and unassuming TCP Timestamp.

    What is a TCP Timestamp?

    If you’ve ever run a vulnerability scan, you’ve probably seen a low or informational severity finding associated with TCP Timestamp responses. The recommendation is always to disable them, but rarely is any background information provided. What are those little timestamps doing there and who really cares anyway? Like the Picts, much lies below the surface, and we dismiss them at our peril.

    Before we can get into the ramifications of this misunderstood protocol option, we must understand the mechanics behind TCP Timestamps, and what they actually are. The basis of TCP is that it is a stateful, reliable means of sending and receiving IP packets. In order for reliable communications to take place, there must be bidirectional communication between the sending and receiving nodes so that, in basic terms, the sender can know that the target system received the communication correctly, and the receiving node has confidence that the message it received was correct.

    To such ends, TCP communications are session-based, and the two nodes employ features in the protocol as a framework to manage the reliability of communications. This involves things like resets, syn-acks, re-transmissions, and the like, that you’ve probably seen in any number of network captures. TCP was designed to communicate reliably over any transmission medium at any speed; it provides the same level of communications integrity over dial up as it does on a LAN.

    It is important to understand that TCP was originally designed to overcome the challenges of unreliable communication channels. Not much thought was given to excessively reliable and fast communications.

    It seems counterintuitive, but, because TCP is synchronous and keeps track of packets, it can break down over high bandwidth connections. It sounds crazy, I know, but let’s look at how this might happen.

    Grab your pocket protector here, folks. We have to get a little nerdy.

    If you asked President Trump about packet loss on TCP communications, he might respond, “It’s bad, very, very, very bad.” And he would be correct. But packet loss does occur for any number of reasons, and TCP maintains reliability by using selective acknowledgments to tell the sending node what TCP segments are queued on the receiving node and what segments it is still waiting for. These segments are, like anything else in network communications, numbered in finite sequence numbers. This value occupies a 32 bit space and exists within the confines of a Maximum Segment Lifetime (MSL), which is enforced at the IP level by something we’re more familiar with, the Time to Live (TTL). This MSL is usually adjusted based on the transfer rate so that faster speeds have smaller MSLs. This works pretty well until we introduce things like fiber optics. The bandwidth on a fiber connection can be so high that a TCP session can exhaust all of its sequence numbers and still have segments queued up in the same connection, leading to sequence number reuse, aka TCP Wrapping. This causes problems.

    In short, as things get faster, it becomes more error prone to use timeout intervals to manage reliability.

    The number of sequence numbers cannot exceed the 32-bit value of 4,294,967,295, so as transmission speed increases, the MSL values must get shorter to compensate. With enough bandwidth, they can shrink to the point that they are no longer able to provide message integrity. If only there were a way to identify whether packets were dropped based on actual timing rather than a sequence number, but how?

    Behold the mighty TCP Timestamp!

    TCP Timestamps are an important component of reliable high speed communications because they keep TCP from stumbling over its own sequence numbers!

    Officially, this benefit is referred to adoringly as “PAWS” or Protection Against Wrapped Sequence Numbers. PAWS operates within the confines of a single TCP connection under the assumption that the TCP timestamp value increases predictably over time. If a segment is received with an older timestamp than one that was expected, it’s discarded. In doing so, PAWS protects against sequence numbers being reused in the same connection. It’s worth pointing out that there are a lot of weird exceptions and math around how that actually takes place, but for purposes of a blog post, we’ll steer clear of that rabbit hole.

    It should be clear at this point that TCP Timestamps serve a purpose in network communications, and that disabling them as a standard practice is a perilous endeavor.
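
    To make the wrap problem and the PAWS check concrete, here is an added example (not code from the original post) that computes how quickly one connection uses up the 32-bit sequence space at a given link speed, then replays a delayed duplicate segment against a simplified receiver with and without the timestamp check. The `Receiver` class, its field names and the segment values are constructed for illustration and leave out the exceptions the post mentions.

```python
SEQ_SPACE = 2 ** 32  # sequence numbers and timestamp values are both 32-bit fields


def wrap_time_seconds(bits_per_second):
    """Seconds for one connection to send 2**32 bytes, i.e. to use every sequence number once."""
    return SEQ_SPACE * 8 / bits_per_second


def ts_is_older(ts_val, ts_recent):
    """True when ts_val is behind ts_recent, compared modulo 2**32 so that a
    timestamp clock that has itself wrapped is still ordered correctly."""
    diff = (ts_val - ts_recent) % SEQ_SPACE
    return diff >= SEQ_SPACE // 2


class Receiver:
    """Simplified receive side: a window check on the sequence number, plus an optional PAWS check."""

    def __init__(self, rcv_nxt, window, ts_recent, use_paws):
        self.rcv_nxt = rcv_nxt      # next sequence number expected
        self.window = window        # receive window in bytes
        self.ts_recent = ts_recent  # newest timestamp seen from the peer
        self.use_paws = use_paws

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % SEQ_SPACE < self.window

    def receive(self, seq, length, ts_val):
        if self.use_paws and ts_is_older(ts_val, self.ts_recent):
            return "drop-paws"      # stale timestamp: a leftover from an earlier pass
        if not self.in_window(seq):
            return "drop-window"
        if seq == self.rcv_nxt:
            self.rcv_nxt = (seq + length) % SEQ_SPACE
        if not ts_is_older(ts_val, self.ts_recent):
            self.ts_recent = ts_val
        return "accept"


def replay_old_duplicate(use_paws):
    """Constructed scenario: the sequence space has wrapped and rcv_nxt is back at 1000.
    A duplicate from the previous pass (same seq, timestamp 500) arrives late,
    followed by the genuine segment carrying a current timestamp."""
    rx = Receiver(rcv_nxt=1000, window=65535, ts_recent=40000, use_paws=use_paws)
    stale = rx.receive(seq=1000, length=1460, ts_val=500)
    fresh = rx.receive(seq=rx.rcv_nxt, length=1460, ts_val=40010)
    return stale, fresh


if __name__ == "__main__":
    for label, bps in [("100 Mbps", 100e6), ("1 Gbps", 1e9), ("10 Gbps", 10e9)]:
        print(f"{label:>8}: sequence space used up in {wrap_time_seconds(bps):.2f} s")
    print("without PAWS:", replay_old_duplicate(use_paws=False))
    print("with PAWS:   ", replay_old_duplicate(use_paws=True))
```

    Without the timestamp check the stale segment falls inside the receive window and is accepted as if it were new data; with it, the segment is dropped and the genuine one is accepted.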

    Still awake? Good! Now we can talk about security!

    Strictly speaking, TCP Timestamps are no more a security risk than the TCP protocol itself. Why then are they subject to all the bad press and mob calls for their disablement? The security concerns arise with the underlying mechanisms that are used to populate the values within the timestamp option itself. As the name suggests, the timestamp makes use of a virtual “timestamp clock” in the sender’s operating system. This clock must approximate real time measurements in order to remain compatible with other RTT measurements. There is no requirement for the timestamp clock to match the system clock, but it often maps to it for ease of design. After all, why make a new clock if you can just use the existing clock to derive values to be presented as those belonging to the new clock?

    This leads to the one thing for which we hackers profess a deep and undying love: unintended and predictable behavior. Am I right?

    By measuring multiple timestamp replies, we can determine the clock frequency of the target system. The clock frequency is how many “ticks” the timestamp clock increments per unit of real time. For example, if we measure 5 timestamp replies each 1 second apart, and each timestamp value increases by 100 with each reply, we can infer that the clock increments 100 ticks for every second of real time processed by the system clock.

    Since most (not all!!) clocks start at 0, we can compute the approximate uptime of the system. Using the above example, if the timestamp value is 60000, we know that each 100 ticks of that value equate to one second of real time. We can assume that 600 seconds have elapsed since the clock was started. In layman’s terms, the system was rebooted 10 minutes ago. We’re using small whole numbers here for purposes of illustration, but you get the idea.

    In the real world, accurately fingerprinting the system will help with establishing timestamp validity, since clock specifications are documented.
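
    The arithmetic above, as an added example (not from the original post) that you can run over timestamp values recorded from your own host to see what its replies disclose. It fits the tick rate by least squares, so slightly uneven sampling intervals do not skew the result, and it handles the 32-bit counter wrapping mid-series. The sample values are constructed to match the post's numbers, and the uptime figure relies on the post's assumption that the clock started at 0.

```python
TS_SPACE = 2 ** 32  # the timestamp value is a 32-bit counter


def unwrap(ts_values):
    """Undo 32-bit wraparound so a series that crossed 2**32 keeps increasing."""
    out, offset, prev = [], 0, None
    for value in ts_values:
        if prev is not None and value < prev:
            offset += TS_SPACE
        out.append(value + offset)
        prev = value
    return out


def estimate_tick_rate(samples):
    """Least-squares slope of timestamp value against wall-clock seconds (ticks per second).
    samples is a list of (seconds_since_first_reply, timestamp_value) pairs."""
    times = [t for t, _ in samples]
    ticks = unwrap([v for _, v in samples])
    mean_t = sum(times) / len(times)
    mean_v = sum(ticks) / len(ticks)
    num = sum((t - mean_t) * (v - mean_v) for t, v in zip(times, ticks))
    den = sum((t - mean_t) ** 2 for t in times)
    return num / den


def estimate_uptime_seconds(samples):
    """Seconds since the timestamp clock read 0, ASSUMING it started at 0 at boot."""
    return samples[-1][1] / estimate_tick_rate(samples)


def wrap_period_days(ticks_per_second):
    """Days until the 32-bit counter wraps; an uptime estimate is only known modulo this period."""
    return TS_SPACE / ticks_per_second / 86400


# Constructed samples matching the post: 5 replies, 1 second apart, +100 per reply, ending at 60000.
POST_EXAMPLE = [(0, 59600), (1, 59700), (2, 59800), (3, 59900), (4, 60000)]

# Constructed samples taken at uneven intervals from the same 100-tick clock.
UNEVEN = [(0.00, 59600), (1.02, 59702), (1.99, 59799), (3.01, 59901), (4.00, 60000)]

# Constructed samples from a 1000-tick clock whose counter wraps between the 2nd and 3rd reply.
WRAPPING = [(0, TS_SPACE - 1500), (1, TS_SPACE - 500), (2, 500), (3, 1500)]

if __name__ == "__main__":
    print("tick rate:", estimate_tick_rate(POST_EXAMPLE), "ticks/s")
    print("uptime:   ", estimate_uptime_seconds(POST_EXAMPLE), "s")
    print("uneven:   ", round(estimate_tick_rate(UNEVEN), 3), "ticks/s")
    print("wrapping: ", estimate_tick_rate(WRAPPING), "ticks/s")
    print("counter wraps every", round(wrap_period_days(100), 1), "days at 100 ticks/s")
```

    On Linux, the `net.ipv4.tcp_timestamps=1` setting adds a random per-connection offset to the timestamp value, so the start-at-zero assumption behind the uptime figure does not hold for hosts configured that way.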

    System uptime by itself is an arbitrary value and doesn’t give away much on its own. But consider that patch cycles almost always include mandatory reboots. By surveying these values over time, one might be able to determine patching intervals by correlating reboot times across systems. What if you surveyed the same IP address multiple times and received different but consistently disparate values in the timestamp responses? That might allow you to identify systems that are behind a NAT or a load balancer, and may even allow you to draw conclusions about the load balancing configuration itself. Suppose you were testing a customer for susceptibility to DoS attacks. You may be able to use timestamps to determine with certainty whether the target system was knocked over, or whether you were just shunned by the IPS.

    TCP Timestamps grant the hacker insight into a given system’s operational state, and how we use that information is limited only by our imagination.

    But to dismiss their presence as a low severity security finding just to be remediated is inappropriate, and it may do more harm than good. When to use TCP timestamps should be determined by operational requirements, not by blanket assumptions of their importance. Are you listening, vulnerability scanners?

    So next time you find yourself knee deep in informational findings from a vulnerability scan, put your ear close to a network cable. It’s possible you may hear the faint battle cry of a forgotten hero.

    Want to keep reading? Learn the difference between vulnerability scans and penetration tests, more about Vulnerability Management, and how a penetration test can help you understand which risks are most relevant to your network.

  • Physical Security Pitfalls: What our physical assessments show us

    A Strong Front Door

    An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security, all of the network controls are more easily circumvented. On average our internal network penetration tests yield an 85% success rate. Once an attacker physically gains access to network connectivity, the chances of a data breach become exponentially higher. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.

    Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempt to gain unauthorized access, ranging from highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.


    We commonly find that companies implement technology and processes that, on the surface, lend the impression of safety. Often, however, these controls are ineffective against a capable adversary, thus the net result is that the attack surface gains complexity without benefit, making the organization more vulnerable to targeted attacks.

    While some companies go to such lengths as employing security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. While they are excellent visual deterrents, security guards are only one component of a robust security strategy for physically safeguarding your critical data.

    Likewise, hi-tech security measures such as proximity cards and cameras often help an organization feel more secure, but the reality is these technologies add complexity and require additional resource overhead to maintain their effectiveness. Highly technical physical controls often can be hacked and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.

    Here is a sampling of the attack vectors we have employed in the past to circumvent physical security controls and gain unauthorized access to a facility:

    Poorly Trained Employees / Employees with a Casual Approach to Security:

    At the end of the day a company’s best defense is a well-trained and vigilant employee. The popular phrase, “if you see something – say something” is incredibly important. Employees know better than anyone else what is out of the ordinary – be it a suspicious package or a person. Employees need to be trained in secure practices, and given the authority to challenge or report anything or anyone that seems out of place.

    Often employees are lulled into a false sense of security through observational confirmation bias. They believe if someone has made it past the guard and is on the floor they must have permission to be there. This is reinforced by social behavior tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenet of awareness training is to re-train employees to practice heightened vigilance in the workplace.

    Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as being outside of the normal and challenged us to confirm the legitimacy of our presence, our attempts at compromise would have been thwarted. The reality is that most individuals do not feel comfortable with confronting someone in an office setting. This is a behavioral tendency that social engineering attacks exploit to lend legitimacy to a given pretext.

    The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.

    Proximity Badges

    Many companies fall prey to the false sense of security that arises when using RFID proximity card access control systems. In practice, many of these systems can be easily hacked electronically without the employee’s knowledge.

    For less than $600 and the ability to do a Google search, one can obtain step-by-step instructions for making a weaponized badge reader that can be used to acquire an employee’s RFID badge data from a distance for later cloning.

    In many cases, an old fashioned tumbler lock and key would offer greater peace of mind. 

    Lack of Photo Badging

    To make matters worse, many companies that leverage badge access systems do not utilize personalized badges with employee photos. This may be due to myriad reasons from budgeting to lack of headcount to manage such a program, to the level of effort to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it. Indeed, a surprising number of companies feel satisfied simply using a white proximity badge without any type of accompanying credentials.

    Proximity badges, if possible, should be paired with a photograph credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should have to sign in and in many cases be escorted while on premises.

    Even the most robust badging system is completely ineffectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID, the form factor of the office should require that each person must pass through a checkpoint (even if it’s a receptionist) to show their ID and perform the badge swipe.

    Unmonitored Cameras

    The use of video surveillance systems is another means by which a false sense of security can manifest. In many cases, the cameras are either not functioning or are feeding directly to a DVR to provide investigative collateral after a security event has occurred. The reactive use of surveillance systems negates the benefits of the added visibility they provide.

    The challenge is that most of the places we breach don’t even know we were there. We walk in, do our thing and exit. The company does not know to investigate because an incident response was never triggered; they were not leveraging their surveillance technology proactively.

    In many cases, if the company had security personnel charged with monitoring the cameras, a security breach could be stopped before it happened, rather than investigated after the fact when the damage has already been done.

    While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.

    What You Can Do

    The importance of awareness training cannot be overstated. Understanding the role that company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program. The goal is not to make your employees paranoid or uncomfortable, but to help them develop a sense of situational awareness in the workplace. Empower them to report anything that is out of the ordinary and to know that it’s part of their job to do so. A formal security reporting process that is well understood will assist with streamlining response efforts.

    Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.

    Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.

    We hope you’ve found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. This video will demonstrate some of the techniques employed by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information – all without the company being aware.