Author: raxis-sys-admin

  • Tesla Proves People are First Line of Cyber Defense

    By now, most of you have surely read or heard about the Tesla employee who turned down a lot of money to help a hacker break into the company. Who wouldn’t want $1 million to plug in a USB drive? As a business owner, how confident are you that an employee wouldn’t take this deal?

This is a fantastic story, and I’m happy to see the integrity of this employee. Yes, a million dollars is amazing, but he was part of a great story and took down someone who could have cost his employer millions more.

    This type of situation is extreme compared to most others we’ve seen. A lot of times it takes only $100 to convince a cleaning person or security guard to do this. Sometimes, just $50 can get an employee to open the door for an attacker so they can do it themselves.

    And don’t forget about extortion. We’ve seen situations where a C-Level person was blackmailed into giving up a password to a system or plugging in a drive because an affair or some other secret was discovered. 

    This story proves that people are watching and doing a very good job of knowing their staff. Technology can help in these types of situations but training and integrity are the keys here. This employee was honest and saved Tesla millions of dollars in potential ransom, not to mention the bad publicity and potential loss of intellectual property. 

    I hope they rewarded him with the million dollars he was originally offered.

  • Badge Cloning is Easier Than You’d Expect

You would be hard pressed to find a company or an organization that doesn’t issue employee badges to every employee on day one. These radio frequency identification (RFID) cards usually include employee pictures as well as an electronic tag that allows access to secured doors throughout the building. The cards let IT teams know who went where and when. Companies love them because they are inexpensive and easy to manage.

    What a lot of companies don’t realize, however, is that the technology to read and duplicate the cards is relatively inexpensive and easy to obtain by almost anyone. Unless you take proper precautions, the badge you’ve issued for security could become a vulnerability.

    Check out this video to see just how easy it is for someone with criminal intentions to gain access to secured areas of your building. The Raxis team has used this technique very successfully over the years on our red team engagements. 

    As the video demonstrates, the process is simple and fast. Even if you know what to look for, it’s hard to spot when it’s happening. 

    At Raxis, our assessments are meant to identify real-world vulnerabilities that may otherwise go unnoticed. We are here to attack – in a completely ethical way – and show you how to make your company a harder target for hackers.

  • Windows 10 Vulnerability Highlights Need for Physical Security Testing

    During our more advanced Red Team penetration testing attacks, Raxis customers are often shocked to discover that we’ve not only been inside their network, but we’ve also been inside their buildings, their server rooms, and even their individual offices. It would take days to explain all the tricks and techniques we use to do that, so let’s focus on the more important question of why we do it.

    The simple answer is that physical access to devices opens up a world of possibilities to an attacker. In fact a recent Forbes article about a Windows 10 security problem offers an excellent example of what can happen when a bad guy gets to spend a few minutes alone with your computer.

Notice in the article that Bjorn Ruytenberg says that a hacker with the right equipment needs less than five minutes of access to exploit the Windows 10 vulnerability… even if the computer is not on. The attacker only needs physical access to the device. This is an important finding because 95% of the time when Raxis conducts a physical, social-engineering assessment, we succeed in gaining unchallenged physical access to facilities and devices – even when armed guards are employed. Security is often perception, and our techniques commonly bypass guards, electronic devices, and employees. We often find unattended workstations and usually find ourselves with these devices for far longer than the five minutes that Ruytenberg says it takes.

    What’s the takeaway? In the real world, cybersecurity must complement physical security. In other words, patch your Windows but don’t forget to lock your windows as well.

  • Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

    As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19.

    As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. That was a bad idea, especially considering that a few of those accounts had very weak passwords, including “Winter2020!” and “Corona2020$.”

    Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. However, you lose some of the tunnel’s protection, because only certain applications and network traffic now go back through the encrypted VPN while everything else leaves the endpoint unencrypted over the home connection. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. Also, it’s a good idea to block streaming services through the VPN tunnel or on an endpoint protection product.

Are your users trained to use the VPN? With the rush to get users set up, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

Do they delete sensitive data from their computers when they are done? Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

    Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

Is your VPN network being monitored or logged? How many concurrent connections are allowed per user? This matters because, if a user’s credentials are compromised and you allow unlimited connections per user, an attacker can be connected to your network alongside the legitimate user and it may go unnoticed. That’s why you should enforce MFA on your remote access solution and log every VPN session.
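The following Python script is an added example, not code from the original post or from Raxis. It runs two of the checks described above over constructed log lines: it counts concurrent VPN sessions per user and flags anyone who exceeds a limit, and it scans DNS query logs for lookups of the file-sharing services mentioned (Dropbox, Box, Sync, OneDrive). The VPN session log format, the DNS log format, the sample IPs and the domain list are all assumptions made for the example; adapt the two parsers to whatever your VPN appliance and DNS resolver actually export.

```python
"""Concurrent-VPN-session and file-sharing-lookup checks over exported logs.

Added example; the log formats below are constructed for this script and are
not the output of any particular product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed VPN session log: "<timestamp> <CONNECT|DISCONNECT> user=<name> src=<ip>"
VPN_LOG = """\
2020-03-20T08:00:00 CONNECT user=alice src=203.0.113.10
2020-03-20T08:02:00 CONNECT user=bob src=198.51.100.7
2020-03-20T08:05:00 CONNECT user=alice src=198.51.100.99
2020-03-20T08:06:00 CONNECT user=alice src=192.0.2.44
2020-03-20T09:00:00 DISCONNECT user=alice src=203.0.113.10
2020-03-20T09:00:00 DISCONNECT user=bob src=198.51.100.7
2020-03-20T09:30:00 CONNECT user=bob src=198.51.100.7
"""

# Constructed DNS query log: "<timestamp> client=<ip> query=<fqdn>"
DNS_LOG = """\
2020-03-20T08:10:00 client=10.0.5.21 query=www.example.com
2020-03-20T08:11:30 client=10.0.5.21 query=api.dropboxapi.com
2020-03-20T08:12:00 client=10.0.5.21 query=content.dropbox.com
2020-03-20T08:15:00 client=10.0.5.40 query=onedrive.live.com
2020-03-20T08:16:00 client=10.0.5.40 query=mail.example.com
2020-03-20T08:20:00 client=10.0.5.77 query=notdropbox.com
"""

# Assumed list of file-sharing domains to watch; extend it for your environment.
FILE_SHARING_DOMAINS = (
    "dropbox.com", "dropboxapi.com", "box.com", "box.net",
    "sync.com", "onedrive.live.com", "1drv.ms",
)


def parse_vpn_log(text):
    """Yield (timestamp, event, user, src_ip) for each non-empty VPN log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *rest = line.split()
        kv = dict(field.split("=", 1) for field in rest)
        yield datetime.fromisoformat(ts), event, kv["user"], kv["src"]


def max_concurrent_sessions(text):
    """Return {user: (peak concurrent sessions, sorted source IPs seen)}.

    Events are replayed in timestamp order: CONNECT opens a session,
    DISCONNECT closes one, and the per-user peak is recorded along the way.
    """
    open_sessions = defaultdict(int)
    peak = defaultdict(int)
    sources = defaultdict(set)
    for _ts, event, user, src in sorted(parse_vpn_log(text), key=lambda e: e[0]):
        if event == "CONNECT":
            open_sessions[user] += 1
            sources[user].add(src)
        elif event == "DISCONNECT":
            open_sessions[user] = max(0, open_sessions[user] - 1)
        peak[user] = max(peak[user], open_sessions[user])
    return {user: (peak[user], sorted(sources[user])) for user in peak}


def users_over_limit(text, limit=1):
    """List (user, peak, ips) for users whose peak concurrent sessions exceeded limit."""
    stats = max_concurrent_sessions(text)
    return sorted((u, p, ips) for u, (p, ips) in stats.items() if p > limit)


def _matches_domain(fqdn, domain):
    """True if fqdn is domain or a subdomain of it (label-aware, so notdropbox.com is not a hit)."""
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == domain or fqdn.endswith("." + domain)


def file_sharing_lookups(text, domains=FILE_SHARING_DOMAINS):
    """Return {client_ip: sorted list of watched domains that client resolved}."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, *rest = line.split()
        kv = dict(field.split("=", 1) for field in rest)
        for domain in domains:
            if _matches_domain(kv["query"], domain):
                hits[kv["client"]].add(domain)
    return {client: sorted(found) for client, found in hits.items()}


if __name__ == "__main__":
    for user, peak, ips in users_over_limit(VPN_LOG, limit=1):
        print(f"{user}: {peak} concurrent VPN sessions from {', '.join(ips)}")
    for client, found in file_sharing_lookups(DNS_LOG).items():
        print(f"{client}: resolved file-sharing domains {', '.join(found)}")
```

With the constructed data, alice is flagged for three simultaneous sessions from three different source addresses, which is exactly the pattern the paragraph warns about when credentials are shared or stolen, while bob’s reconnect after a clean disconnect stays within the limit. The DNS check matches only whole domain labels, so a look-alike name such as notdropbox.com does not produce a false positive.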

Are user endpoints encrypted and patched? Your end users are now working on home networks that may still have default router passwords and weak wireless security, which you probably can’t control. It is very important, then, that you harden everything you can control. Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — whether because someone clicks a malicious COVID-19 update or decides to watch cat videos.

    Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.

    The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

    Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

    Contact Raxis for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.