Category: Penetration Testing

  • How Much Should You Pay for a Penetration Test?

    “Even after 10 years as CEO of Raxis, I’m still amazed at the wildly different pricing attached to a vast and loose array of services broadly labeled as penetration tests. I know something is amiss when I see quotes range from $1,500 to $18,000 per week (and more) for what is ostensibly the same work.”

    Mark Puckett, Raxis CEO

    I understand and appreciate the confusion among companies large and small who need this essential service, but who have no good way of knowing whether they’re getting a bargain or being fleeced. That’s why, once again, I’m stepping in with a straightforward guide that I hope will be helpful to any business that needs to test its cyber defenses against professional, ethical hackers.

    Rules of Thumb
    • As with other professional services, the adage that you get what you pay for does hold true in penetration testing. A quote that’s a lot lower than reputable competitors is cause for skepticism, as is one that is substantially higher. Fortune 500 companies may well need multi-month testing that can cost $250,000 and more, but it’s unlikely smaller firms do.
    • There are some external factors that can affect the price of a penetration test – whether it’s conducted onsite or remotely, or whether it’s a remedial test. For the purposes of this guide, we’ll stick with just the testing itself.
    • The scope is everything. Be certain that what you discuss is exactly what you are getting for the price. Consider carefully what you’re trying to achieve. Are you serious about preventing hackers from hijacking your network, stealing your data, or holding it for ransom? That’s a different objective than simply checking a box to comply with laws or industry regulations.
    The Differentiators

    When you’re considering a company to perform a penetration test, there are three major factors you should take into account alongside cost. They are the skillsets of the pentesters who will actually be doing the work, the time they propose to spend doing it, and the methodology they will employ in the process. Reputable firms like Raxis will spend the time necessary upfront to make certain you know what to expect before you sign a contract.

    Skillsets

    Not all pentesters are the same, and the pricing should reflect that. For example, some testers are phenomenal at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology. Many environments have a mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, wireless networks, and others. Make certain that the team you select is well-versed in all the technologies you have in scope so they can perform a valid test.


    To reiterate, you should know exactly who will be doing the testing. Just because a company is based in the US does not mean that its testers are. Some firms cut costs by using un-credentialed, offshore teams to do their work. That may or may not be a cause for concern if it’s disclosed upfront. If it’s not, however, I would consider that a big red flag.

    Time Dedicated to the Job

    The amount of time penetration testers spend on jobs can really vary, and that will influence the price. Some pentesters believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. There are no hard and fast rules here, but the time should be proportional to the challenge.

    If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a handful of IPs with a few services running on them. Otherwise, I’d be skeptical. The key here is to make sure the time spent on the job makes sense with what is in your scope. Also, remember to factor in complexity. For example, a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Interestingly, I’ve heard that some of our competition is taking a week or more to quote the job. I don’t understand the reasoning behind delays during the sales process, but I certainly recommend taking that into account when you make your decision.

    Methodology

    There are a few different ways to conduct penetration tests. I’ve broken them down into three types for reference.

    • Type A – The “Breach and Reach”: This type of test starts with the low hanging fruit and gains access as quickly as possible, just as a malicious hacker would. The goal is then to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real-world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B – The “360 Lock Check”: This test searches for every possible entry point and validates that it actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C – The “Snapshot”: This is more of a vulnerability scan in which the results from the scanner report are validated and re-delivered within a penetration testing report. Many lower-cost firms are calling this a penetration test, but that is not what it is. However, it may be all you need. If so, Raxis offers a vulnerability scan on an automatic, recurring basis, and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. (And no, it’s not a pen test.)

    If you’re serious about security, I strongly recommend testing that ensures both Type A and Type B are part of the scope. That means testing even a small range of IPs can often take a week. However, it is the most comprehensive way to pentest your environment and meet regulatory requirements as well. Type A tests for the ability to pivot and exfiltrate information. Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    In an upcoming post we’ll tell you about a new capability offered through Raxis One. This is pentesting that leverages the power of AI to extend and enhance the capabilities of our talented team of elite ethical hackers. Raxis Pentest AI is considered a hybrid of all three types of testing mentioned above in that it combines continual monitoring and random testing to find and exploit vulnerabilities as soon as they appear.

    The most important advice I can offer anyone shopping for penetration testing services is to ask a lot of questions. High-quality, reputable companies like Raxis will be happy to put experts on the phone with you to provide answers. You can draw your own conclusions about any who won’t.


  • Why Our Team is Excited about the Purchase of Boscloner

    If you haven’t heard the news yet, Raxis has purchased the industry-dominant Boscloner electronic access badge-cloning technology from our friend and frequent colleague, Phillip Bosco.

    For the benefit of those outside the pentesting world, Boscloner is basically the iPhone of physical hacking technology – except with fewer real competitors.

    WARNING: If advanced technology worries you, this next part might be terrifying.

    Our CEO, Mark Puckett, calls the Boscloner technology a “master key to corporate offices and server rooms.” That’s because it enables a penetration tester, often on a red team engagement, to read someone’s security badge data, copy it, and then make a duplicate with all the same permissions.

    While that’s impressive by itself, Boscloner can do it without ever touching the badge and from six feet away. Even better (or worse, depending on your perspective), Boscloner eliminates the need for a badge entirely in some situations and can use captured data from one badge to employ ‘smart brute force’ to hack and duplicate others with greater privileges.

    If you have a chance, visit Boscloner and check out its capabilities. When you do, you’ll be very glad that Phillip Bosco is a former Marine who truly is on the side of good and right.

    You’ll also see why our own team is pumped that we’ve brought this technology in house. In fact, we did an informal survey just to get everyone’s reactions and here’s what they said:

    • Bonnie Smyre, Chief Operating Officer: “Raxis has used the original Boscloner on social engineering and red team engagements for years. I’m incredibly excited to now include Boscloner in the list of products and services we offer to our customers. Nothing beats experience… and the experience of witnessing unauthorized access to your premises using Boscloner technology is an experience that motivates our customers to upgrade their badge technology to be more secure.”
    • Scott Sailors, Vice President of Security Consulting: “I am a huge fan of the first generation Boscloner. The ease of use on a high-pressure Red Team can make a big difference. The mobile apps are a game changer. Phil Bosco did an amazing job and the next generation Boscloner is even better. I’m excited to see Raxis take over the project and build on what Phil created.”
    • Brad Herring, Vice President of Business Development: “I’m excited about the Raxis acquisition of Boscloner. I’ve used several versions of badge replicators on SE jobs, and this is by far the best one out there. It matches the excellence that customers expect from the Raxis brand and is going to be a great tool for anyone wanting to test their electronic locks and physical security systems.”
    • Tim Semchenko, Senior Manager of Operations: “As we return to normalcy, I have been looking forward to the team having the opportunity to conduct more physical social engineering tests. With the addition of the Boscloner to their respective utility belts, Raxis now has a HUGE differentiator over the competition.”
    • Adam Fernandez, Lead Developer: “Boscloner opens up a world of opportunities for Raxis as part of our physical social engineering engagements. It’s already an amazing tool for helping our customers secure physical access to their premises, and I’m looking forward to where Raxis will be able to take the product in the coming years.”
    • Scottie Cole, Lead Penetration Tester: “It is great to be working with Boscloner. It is an extremely powerful tool to help us show customers how their physical security can be breached very quickly if they aren’t prepared.”
    • Matt Dunn, Lead Penetration Tester: “The acquisition of Boscloner is another great example of Raxis identifying top tier security tech and utilizing it to help our customers. Staying on top of current threats is paramount in penetration testing, and the Boscloner will continue to allow Raxis to do just that.”
    • Sean Brown, Senior Penetration Tester: “I enjoy working for a company that is always on the hunt for new and innovative tools that will help provide the most comprehensive security test on the market. The Boscloner is the most recent example of Raxis’ investment in new and cutting-edge security technology. As a security consultant for Raxis, I am looking forward to using the Boscloner on my Red Team engagements, as it outperforms any other RFID cloner available on the market.”

    There’s one other reaction that’s worth sharing as well. This one from Phillip Bosco himself. As I said earlier, Phil is a friend, and we enjoy working with him frequently. Here’s what he had to say about the sale of his company to Raxis:

    “As a penetration tester, the Boscloner was built out of necessity to render physical security assessments easier and more streamlined. With the industry leading talents and vision that Raxis brings to the brand, the Boscloner now has a more exciting future than ever before. There is no other group of individuals that I would rather trust with a project that has been as close to my heart as this than the folks at Raxis. I am blessed and grateful for my ongoing personal and professional relationship with this team that has spanned many years. I cannot wait to see the Boscloner grow and transform as it continues on under the direction and leadership of team Raxis.”

    Phil Bosco

    Red teams are Raxis’ flagship offering, and Boscloner is a force multiplier in that space. Acquiring Boscloner allows us to continue Phil Bosco’s innovative vision of bringing next generation RFID attacks to market. It’s a chance for us to raise the bar for the industry overall and really transform how organizations look at premises security.

    Security is an exciting place to be, and as the team’s enthusiasm demonstrates, we can’t wait to up the ante.


  • What You Need to Know (But Were Afraid to Ask) about Raxis Web App Testing

    What’s special about a Raxis web app test?

    One thing that sets Raxis apart is that our pentesting team is made up of engineers who performed varying roles creating and supporting IT systems before they became pentesters. This includes several engineers who have strong backgrounds in software and web development.

    Even better, Raxis is proud to have a close-knit team of pentesters who collaborate and share their ever-growing knowledge with each other and with our customers. You may have a former web developer performing your test, and that person can easily reach out to a former network admin. They can share info about the most secure web app features as well as how the supporting network should be configured securely.

    Our customers repeatedly tell us how much they appreciate this because it directly translates to relevant, actionable findings. It also encourages natural conversation between their development teams and the security engineers here at Raxis.

    How does this collaboration help customers?

    A recent test we conducted provides a great example: We identified several findings, and the customer was very pleased with the process. Upon follow-up, our sales team found out that the customer saw a small performance reduction after implementing our recommendations. From the customer’s perspective, enhanced security was worth the small drop in performance.

    Because of our development background, however, Raxis’ team members knew that didn’t have to be the case. Our project manager proactively set up a call with the customer to discuss. Result: The customer remediated using Raxis’ advice and regained all of the original performance. They told us they appreciated how Raxis “went the extra mile.”

    To us, that’s just business as usual.

    How many application tests do we do?

    Customers often ask about our application testing process. Application testing accounts for over 50% of our penetration tests. Last year, we performed over 600 application tests. Like all of our assessments, each test is custom tailored to the customer’s application and overall objectives. This could mean testing the entire app, a portion of the app, or following the app throughout the entire development cycle.

    What is your methodology?

    Like all of our assessments, our application tests are primarily manual attack simulations against a customer’s application. Where you see an email field, we see an opportunity for cross-site scripting. Aside from our own experience and expertise, Raxis applies the OWASP framework to our penetration testing, including (though, of course not limited to) the following assessment categories:

    • Access Control
    • Authorization and Authentication
    • Session Management
    • Configuration Management
    • Error Handling
    • Sensitive Data Exposure
    • Input Validation, Injection and Cross-Site Scripting
    • Root Cause Analysis / Reporting

    So, what do I get out of this?

    At the end of a Raxis application assessment you get peace of mind and a solid deliverable. Our reports align with the NIST standard, so they meet regulatory compliance standards. The reports feature an executive summary, engagement storyboard (where applicable), and detailed vulnerability findings that include screenshots, risk explanations, remediation recommendations, and risk scoring.

    Is your web app security keeping you awake at night?

    We understand. Just as we are known for excellence in pen testing, we’re also known for our no-pressure sales and scoping process. We get it. We don’t like to be harassed, and we know you don’t either. If you’d like to start a conversation with one of our experts to help understand the possibilities for your project, feel free to reach out. We’d love to help.

  • Raxis’ Transporter Enables Remote Penetration Testing

    Adapt. That one word sums up what was, for most of us, the biggest challenge of 2020 and the COVID-19 crisis that came along with it.

    As the pandemic took hold, families, employers, and employees had to adapt to a new way of living. Children had to adapt to learning virtually. Parents had to adapt to working from home while caring for children and helping them with school. Pets had to adapt to everyone being home all the time. Companies had to adapt to remote work, Zoom meetings, and new ways to collaborate.

    It was much easier for some than others. Raxis, for example, has been a remote-work company since its launch in 2011. For us, working from home was literally another day at the office. For many of our customers, however, it was a major disruption with lots of implications for security. The need for penetration testing was made more urgent by the dramatic shift to WFH. The question we faced was how to go about it in a way that was both safe for our team and effective for our customers.

    We did continue to travel when necessary, but the pandemic made it more difficult to get to our clients and more time-consuming to conduct our testing. Fortunately, we had another option, one that would allow us to complete internal and wireless network testing without the need for going onsite.

    We developed the Raxis Transporter device several years ago as a time- and cost-saving measure for our customers. With this secure network backdoor, which can be mailed to and installed easily by customers, we can conduct in-depth testing remotely. When the pandemic hit, the Transporter became a lifeline for customers who needed our services, even if they couldn’t host us at their physical locations.

    In the video above, I explain more about the Transporter, how we use it, and why it gives us another cost-effective option for delivering high-quality services to our clients.

    As you heard in the video, Raxis’ Transporter is a simple-to-install device that allows our elite team of professionals access to everything they need to perform a thorough penetration test. And that’s just one of the many practical innovations we bring to our work.

    All of us hope that the pandemic is on its way out, but remote work is here to stay. I’m proud to work with a company that remains way ahead of the curve for our team and for our customers.

    If you are ready for Raxis to put your security to the test, contact us. We can discuss which type of test would best suit your company and your needs.

  • What’s it Like to Work at Raxis?

    One of the great things about being a penetration tester is explaining what we do to people inside and outside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.

    That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.

    Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work are truly like. These videos will likely be helpful if you’re interested in penetration testing as a career. They are must-watch material if you want a career at Raxis.

    In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our work means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours.

    Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork.

    Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I will explain how each penetration test presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.

    Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Three Reasons Why a Penetration Test Won’t Break Your Network

    Myth: A penetration test breaks your network. 

    Reality: A penetration test helps you find vulnerabilities so someone else doesn’t break your network (and your customers’ confidence in you).

    This is actually a common concern we hear from potential customers. Many are worried that a pen test will damage their network by crashing a server, knocking their website offline, causing an eclipse, or maybe releasing a 5G kraken.

    In the video above I explain how we work with our customers ahead of testing to make them feel at ease and to help them understand that our profession is hacking but that our business is protecting theirs.

    As I explained in the video, our pen testers aim to make as little noise as possible while they’re slinking around in your network. Our whole goal is to get in, and to not get detected or get blocked. Crashing and breaking things is the opposite of that. And we’re simply not going to perform the kind of attacks that cause actual damage.

    The only scary part of our penetration tests is when you realize what might have happened if a hacker had found your vulnerabilities before we did.

    Be sure to also check out this article from Bonnie Smyre: What to Expect When Expecting a (Raxis) Pen Test?

    If you are ready for Raxis’ elite team of professionals to put your security to the test (did we mention they have successfully breached some of the most sophisticated corporate networks in the US?), then reach out to us here.

    Also, if you liked this video, please be sure to subscribe to our YouTube channel for more videos that can help you improve your security posture.

  • What to Expect When You’re Expecting a (Raxis) Penetration Test

    I made this video to help you understand a little better how Raxis works, and specifically what happens once you engage us. I hope it allays some of your concerns about penetration testing.

    There’s no reason to fear a pen test. Seriously. After all, it’s just a simulated cyberattack, one that you authorize and allow. Yet some CEOs, CIOs, and CISOs are hesitant to allow this ethical hacking for fear that the bad guys will somehow use it against them, that it will cause security issues, or that it will make them look bad. In fact, it’s just the opposite – especially if you choose to engage Raxis.

    We get it, though. It’s natural to be cautious, and it’s prudent to want to know more about the people you’re working with, especially when granting access to your company’s most sensitive data. Whether you choose to work with Raxis or any other firm, we recommend you ask (and answer) plenty of questions up front. You want to know the company has the right experience to offer a range of high-quality services. One size definitely does not fit all. The firm you select should speak to you in advance to understand your specific needs and expectations . . . and then design and deliver the type of test, training, and follow-up that best protects you and makes you more resilient.

    The Raxis team has some of the industry’s most advanced certifications, but we don’t intimidate our customers or hide anything from them. We believe knowledge empowers our clients, and we share it freely. Whether you use us or someone else, penetration testing is a critical part of your corporate cybersecurity strategy that you should not put off or bypass.

    As you can see, we welcome your questions and concerns during every phase of our process. We conclude our pen tests with an executive summary for management and detailed findings and screenshots that can serve as a to-do list for your internal teams.

    Raxis stands by our processes, our team, and our word. Now it’s up to you to perform due diligence and research the expertise and deliverables of any cybersecurity company you’re considering. Follow us on this blog or social media, read more about our pen testing experience, or contact us directly to learn more about why some of America’s corporations (and small businesses) choose to work with us.

  • What is Least Privilege Access?

    This week, we’re continuing to explore some of the most common vulnerabilities the Raxis team has discovered during thousands of penetration tests across the US. In the video above, Brian Tant, our chief technology officer, discusses the principle of ‘least privilege access’ and why it’s an essential component of an overall business cybersecurity strategy.

    Hopefully, you’ve watched the video and have a better understanding about why you should restrict permissions as much as possible and still allow team members to get their jobs done. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Here’s How Hackers Can Get Through Your Doors and Onto Your Network

    Watch my video to see how easy it can be to bypass your company’s sophisticated security system. You might assume I’m just a guy who left something at work and had to run back in. But that’s not my office, that’s not my badge, and, at sunset, my day is just getting started.

    We’re all familiar with employee badges – plastic proximity cards that contain a unique identifier that tracks when and where an employee is on company property. Businesses around the world depend on this technology to prevent unauthorized access, yet most would be shocked to see how simple it is for those badges to be scanned, cloned, and used to access a secure server.

    In truth, I’m the chief technology officer at Raxis, a team made up of ethical hackers who can get in and out of your secure office quickly and quietly. If we wanted to, we could walk away with access to every single file stored on your network. Luckily, we are not actually there for the files; we’re there to fix your vulnerabilities to a cyberattack.

    Badges that use RFID technology can be scanned from a few feet away, then cloned in seconds using a handheld copier/reader/writer – a relatively inexpensive device that’s easy to find if you know where to look. Add a small hidden camera to capture the PIN code on an alarm, then drop a backdoor implant device onto your network, and you’ve got a budget-friendly break-in method that a competitor or a kid on the dark web could use to ruin your reputation.

    Until it’s tested, security is only perception. Raxis assessments identify real-world vulnerabilities that may otherwise go unnoticed. We partner every day with companies like yours to harden their security through process and technology enhancements. The most important asset in any business is a customer’s trust. Secure it with effective, battle-tested solutions from Raxis.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Can This Simple Trick Outwit Your Smart Security?

    Armed with nothing more than an ordinary can of cool, compressed air, a hacker can gain entry to a key-card-only access facility in just 19 seconds. Skeptical? See for yourself in this video.

    Fortunately, the guy in this video is me. Our company, Raxis, is a team of ethical hackers and penetration testing experts who evaluate and identify solutions that help businesses safeguard their sensitive data, from healthcare to finance to innovative product and app development.

    Some folks forget that physical security is the first line of defense for a cyberattack. If someone can get inside your business, they can find your servers, and in seconds they can steal, sell, and destroy data you’ve invested thousands in protecting.

    Our cybersecurity specialists have studied for years to find hidden, unscrupulous techniques that the world’s most sophisticated hackers use. Solving these puzzles and preventing cyberattacks is what we love to do – but often we find security vulnerabilities long before we get to delve deep.

    Finding a failure in your company’s security isn’t something to fear; it’s something to fix. And you can only fix something when you know it is broken.

    Follow us on this blog or social media and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Helping Nonprofits and Other Growing Businesses Understand Security Risks

    I’m excited that NTEN, the Nonprofit Technology Network with more than 50,000 community members, invited me to be a guest blogger this week.

    It’s important that nonprofits avoid the mindset that leaves so many businesses vulnerable. Specifically, I’m talking about the idea that they are too small or have too little money to be of interest to scammers, hackers, and other cyber criminals. The truth is that the bad guys often don’t discriminate, and you may have something they want more than money.

    For example, if you keep detailed donor records, that personally identifiable information (PII) might be devastating in the wrong hands. A skilled hacker or social engineer can do a lot with names, email addresses, and phone numbers alone. Add in Social Security numbers or bank account information, and you may be sitting on a gold mine for a malicious actor.

    Some of today’s most serious threats are driven by political goals more than financial interests. In many cases, these are well-financed state-sponsored attacks, and your organization may have data that can help them breach a government agency’s security or social engineer their way into a large corporation.

    And forget about hackers leaving you alone because of your mission. After my years in the cybersecurity sector, I’m no longer shocked at how low some of these black hats will go. We’ve seen hospitals and health care organizations, charities, churches, schools, and other do-good groups fall prey.

    The saddest part is knowing that some of these attacks were successful for the very reasons the organizations thought they would never happen. To a hacker, the idea that you’re too small to notice may mean they see you as an easy target, even if you’re only one step toward their larger goal.

    If you’re a nonprofit leader, board member, or even a volunteer, please take a moment to check out the article above. You may find some nuggets that will help you help your organization avoid a breach. And that may be the most important contribution you can make to your favorite cause.

  • Top Five Actions NOT to Take When Your Pentest Results are High Risk

    Monday Morning Voicemail:

    Good morning high-powered CSO, this is Brian with Raxis. I sent over a draft of the most recent assessment report as you requested. Just to recap, there were seven critical findings, five severe, and a menagerie of others that we can discuss at your convenience.

    You’re the CSO of a major enterprise. You’ve hired us to perform a penetration test, and the results aren’t pretty. What now?

    The team at Raxis brings a rich depth of experience in articulating risk to all audiences. We can talk technical with the engineering groups and discuss strategy with C-level executives. It’s how someone deals with adversity that defines them as a leader. We’ve seen leaders emerge from the fire to rise above the fray. We’ve also witnessed the fallout when leadership decisions are made in ignorance or for political expediency.

    A security assessment is only one step in a process, and its value is largely determined by what happens after we’re out of the fray, so to speak. So, there you are: you have an unexpectedly thick and verbose penetration test report sitting in your inbox. Here are the five worst things you can do, based on what we’ve seen happen in the real world.

    5. Sweep it Under the Rug

    It may be tempting to just quietly file that report away because you think it might tarnish your reputation or because “that only happens to other companies.” Maybe you would prefer to fix the findings with minimal political overhead. Here’s the problem. The report you received is a bona fide disclosure of risk. When it landed in your inbox, every last bit of plausible deniability left the building. If you do anything less than boldly embrace it, and the company is breached, you are going to be in a rough spot with tough questions to answer. By owning the problem, you can own the resolution. Let that be the focus.

    4. Play the “Blame Game”

    It is easy in the world of corporate culture to get bogged down in political maneuvering. A corporate leadership role requires a certain level of posturing, but there are few things less productive than finger pointing. The fact that you were against rolling out the vulnerable application or platform that was compromised may carry weight in your inner circle of colleagues, but your stockholders only want to know that their investment has underlying value and that effective leadership is at the helm. It’s helpful to acknowledge mistakes and learn from them, but keep the emphasis on moving forward.

    3. Cling to Penny Wise and Pound Foolish Remediations

    The findings in the assessment report are not a checklist to be ticked off so you can call it a day. Yes, of course they should be fixed, but it’s critical to understand that a penetration test is opportunistic and time-boxed: the findings presented are probably not the only significant exposure. Look at the bigger story they tell and formulate remediations at a systemic level. Were all the findings related to applications? If so, the problem probably lies not with the individual applications but with how they are developed and deployed. Yes, fix the symptom, but do not neglect the underlying problems that led to it.

    2. Rain Down Fire and Wrath

    We see this far too often. A phishing email is sent out, an employee clicks on the link, and that click becomes the bridgehead for a compromise. When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. Look at it this way. Once they understand the ramifications of their action, that person is the most security-conscious person in the company at that moment. It’s likely that they will continue to operate under a heightened level of vigilance and will be the last person to click on a suspicious link in the future. Replacing them with someone who has not learned that lesson simply presses the reset button for future phishing attacks. Help them understand the attack and how their actions contributed, and they may become a powerful advocate among their peers for better security.

    1. Silo Solutions

    Would a capable attacker limit themselves to a single application, network, or technology? The answer, of course, is that they would not. Lateral movement and privilege escalation go hand in hand: each foothold is used to reach the next. It’s important to scrutinize specific elements of any environment, and we regularly conduct assessments against a single application or system, but what we always try to underscore is that attacks are rarely vertical. Rather, the attack chain tends to zigzag across technologies and business units within an organization. Just because you tested and remediated a specific web application does not mean that the app no longer presents a risk. It means that the direct exposure created by the app has been mitigated. Perhaps another vulnerable application running on the same server can serve as the point of compromise, inheriting the same access the first one had. The point is that attackers do not silo their efforts, so don’t silo your defenses.

    Your Decisions Make the Difference

    Fortunately, these observations are more the exceptions than the rule, but they do happen. And they happen in surprisingly large and mature organizations. Most of these mistakes can be attributed to a knee-jerk moment of self-preservation. When our lizard brain steps in, sometimes we don’t make the best decisions for our career.

    The best way to avoid these pitfalls is to never put yourself in that situation in the first place. Yes, some pentests are horrific. In leadership, it’s not how you fall. It’s how you rise above.

    A security assessment is not a chance for someone to make you look bad. It’s a learning exercise. Embrace it and use it as a platform from which to build positive change.

    Raxis CTO, Brian Tant