Category: Penetration Testing

  • Raxis API Tool

    At Raxis we perform several API penetration tests each year. Our lead developer, Adam Fernandez, has developed a tool to use for testing JSON-based REST APIs, and we’re sharing this tool on GitHub to help API developers test their own code during the SDLC process and to prepare for third-party API penetration tests.This code does not work on its own… it’s a base that API developers can customize specifically for their code. You can find the tool at https://github.com/RaxisInc/api-tool.

    Here’s a basic overview of the tool from Adam himself:

    The Raxis API tool is a simple Node.js class built for assessing API endpoints. The class is designed to be fully extensible and modifiable to support many different types of JSON-based REST APIs. It automatically handles token-based authentication, proxies requests, and exposes several functions designed to make it easier and faster to write a wrapper around an API and associated test code for the purposes of a penetration test. This tool is not designed to work on its own, but to serve as a building block and quickstart for code-based API penetration testing.

     

  • Hopefully You’re Not Next

    Recently in the news, our national security director explained that we’re under constant attack from foreign adversaries. These attacks are at the nation-state level and they are attacking “virtually everything”. This isn’t limited to the super critical power generation companies and government institutions- they mean everything, including your website, email, and personal workstation. To make matters worse, there are still many of attacks originating from other bad actors, such as credit card and personal information thieves.

    Many people think they are not targets because they have nothing of value. However, the contrary is true.  At a minimum, your computer and internet connection can be leveraged to attack other systems to cause an outage or hide the tracks of a real attacker.  Unfortunately, the worse case scenario might involve an installed key logger to capture credentials for your banking and retirement accounts.We’ve seen this first hand.  

    Raxis performs hundreds of penetration tests and breach responses a year, and 2017 proved to be no exception.  There have been many occasions where we would breach a customer network only to find the door was left open and clear evidence that someone had already been there.  After a system has been breached, there are only two viable options: to restore from a known good backup, or a complete reinstall of any software.  Recovering from a breach is very difficult as in many cases the attacker will control many or all of the systems within an organization, resulting in a massive undertaking to rebuild.

    Do something to make sure you’re not next.  Reach out to us, we’ll help you understand how a penetration test can shed some light on where the risks really are.

  • Penetration Testing is a Critical Tool For Your Business

    Penetration testing is so important for businesses today. Almost every day we see companies in the news after the result of a big hack. The aftermath is ugly – lawsuits, loss of trust, downtime and, in many cases, the hacked entity finds itself out of business.In a recent interview with an IT management firm, I was told that many of their customers (mostly SMB) didn’t want a penetration test because they knew they would fail. I see this same reaction in larger companies as well.

    This fear of failure is the wrong way to look at penetration testing. At Raxis, we say it all the time, “You can’t fix what you don’t know is broken.” Penetration testing should not be looked at as something that points out your failure; rather it should be embraced as something that helps you get better.

    Vulnerabilities are common

    We see many of the same vulnerabilities across the nation. Many of them are simple to remediate. Most of them have escaped the attention of the IT team for any number of reasons, but most of all because the IT team is simply busy. Most teams are over worked and under staffed. The workload is high. As a security professional you have to get it right 100% of the time – however, the hacker only has to get it right once.The fear of failing is misplaced. Almost every penetration test will show vulnerabilities or, at the very least, likely attack vectors that could be exploited given more time. Finding vulnerabilities should not be seen as a failure but rather as a responsible approach to better security.

    Penetration testing should be about partnership

    A penetration test is a valuable tool to help a security team more efficiently locate vulnerabilities, and, if you’ve partnered with a good company, it will offer remediation recommendations helping you efficiently fix the vulnerabilities.A good penetration testing company offers insight and help, not a judgment.I like to call our penetration tests an assessment. That’s truly a better word. We don’t test our customers as much as we partner with them. Raxis is the watchful eye that helps your company stay out of the news. We help you safeguard your data, and we help you maintain trust with your customers.

    Penetration testing should be a holistic approach

    When a hacker looks at your company, they are taking a holistic approach, and they are going to go for the easiest method with the least amount of risk that they can find. Common attack vectors include:

    • Social Engineering
    • WiFi Systems
    • Internal and External Networks
    • Mobile Applications
    • Web Applications
    • API’s

    Each of these areas allows escalation to others. While often viewed as independent systems, the reality is that a weakness in one often leads to a breach in another.Security is hard. This is why it’s so important to partner with a reputable penetration testing company that you can trust. I urge you to not look at penetration testing as the enemy but rather the relief you and your team so desperately need.Learn more about how our penetration tests work.

  • Your Security Gear Is Not Enough

    Perhaps I am a little biased considering what we do at Raxis, but I am convinced that it isn’t a good idea to bet the farm on the latest security gear to defend your organization.

    In 2017 alone, we’ve all seen many major hacks, including substantial releases from Shadow Brokers and WikiLeaks.  There’s a lot already lost, such as voter registration data and consumer credit information.

    Don’t get me wrong, I think the latest fancy security solution can help.  However, our team at Raxis is seeing many attacks that are not being stopped by current gear.  For example, we’ve breached applications through manually fuzzing API calls using a method that most hardware can’t protect against.  The latest web application firewall might be able to stop these attacks, but most organizations don’t configure it appropriately to do so.  In some cases, it’s a logic error that we’re able to exploit to gain information from the backend systems without making any illegal calls.

    And even worse, we’ve seen, time and time again, where security operations centers send an email out with no further action taken.

    Our experience also has shown that nearly every organization has a far weaker security posture internally.  Once the perimeter is breached, from using a stolen password to gaining shell access through a web service call, pivoting to other machines is often quite trivial.  None of this is hard to exploit, but fortunately none of it is hard to fix.  

    The problem is not the difficulty of the fix, it is knowing what needs to be fixed.  In almost every case, the hacks we find are very simple to execute, and our customer had no idea they existed.

    The fix for these hacks usually is not spending $100K on a new fancy next generation firewall with all of the bells and whistles.  It’s a simple code change or a system that was missed in patch management.  Perhaps this is too good to be true; but, keep in mind that hackers go after the path of least resistance.  It is far easier to breach your competitor with the Windows 2003 server install than to spend significant time researching how to get past your reasonably secure system.So keep buying your security gear.  Combine it with a penetration test on every single piece of code that runs in production, and we’ll help you find the vulnerabilities you missed. 

  • Petya Ransomware Strikes Businesses Globally

    Petya, the next major security malware since Wannacry is specifically targeting companies across the globe.  Originating from the Ukraine, the Petya ransomware uses the same Eternalblue/MS17-010 vulnerability that was used with Wannacry.  The difference this time is there is no kill switch that we know of.  It’s getting some significant traction, infecting systems everywhere.  In the US, it’s hit a major pharmaceuticals company and a food services company.  Petya has also hit Danish, French, and Russian companies.Similar to Wannacry, the malware virus is encrypting systems and demanding a ransom to get access to the data.  Our research has not found a way to bypass this ransom at this time.  Fortunately, it seems that working decryption keys are being provided once paid.

    It’s not just ransomware

    Unfortunately, there’s much more to this variant.  Once the ransomware gains a foothold, it has worm capabilities and is breaching other systems using a variety of exploitation methods.  It appears to be focused on critical infrastructure across the world, but is not limiting devices it infects by any means.  Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit that was previously undisclosed.  The Shadow Brokers hacker group obtained the source to the NSA tool and leaked it on April 14, 2017.

    Stop PETYA with a penetration test

    When it comes to ransomware, we haven’t found a good way to retroactively deal with the damage.  Even once the ransom is paid, it is very likely that the attackers will return again in the future.  Particularly if they know that they’ve received payment in the past.  The only real way to defend against Petya is to eliminate the vulnerability from the beginning, and a penetration test from a trusted third party might be the only real way to know you’re protected. Petya (and Wannacry) uses the Eternalblue vulnerability in SMB, fixed by MS17-010.  Systems are still falling victim, even when the organization has a patch management program.  Mistakes with configuring the vulnerability scanning tool, or unknown systems to the patch management tool will cause a few systems to remain vulnerable and outside of the view of the security administrators. A penetration test can find these gaps in process before malware can exploit these systems.  In addition, the penetration test will attempt to exploit any issues found as a proof of concept – providing you and your security organization proof that a potentially significant security event was avoided. Schedule a penetration test with Raxis before the next malware variant hits.

  • Vulnerability Scan Vs Penetration Test: What’s The Difference

    Many people seem confused when it comes to understanding the difference between a vulnerability scan and a penetration test. This article will examine the differences between the two and help guide you with decision points in making the right choice for your needs.

    Vulnerability Scan

    A vulnerability scan is conducted using an automated tool that is purpose built to identify potential security gaps on a remote system. This ‘vulnerability scanner’ sends targeted traffic to ports and services on systems and analyzes the responses in an attempt to identify the presence of a vulnerability. At the completion of the scan, a report is generated. The engineer that initiated the scan designates what type of report to generate depending on the specific requirements with regards to verbosity, margin of error, intended purpose, or other business drivers. Some reports are hundreds of pages detailing each individual “finding” while others are as simple as a two page summary.Because a vulnerability scanner has a limited means with which to validate the presence of a vulnerability, the accuracy of the output may be suspect. Depending upon the scanner configuration and the target system, a report may contain a myiad of false positives or fail to identify legitimate vulnerabilities. The end result is that a security engineer has a laundry list of possible flags to chase down and attempt to verify the validity of the issues as well as develop a solution.

    Penetration Test

    A penetration test is a real-world exercise at infiltrating your network systems. To such ends, a security engineer will utilize many tools (including in some cases a vulnerability scan). Wheras vulnerability scanning is a largely automated process, penetration testing involves manual and targeted testing using specific toolsets and custom scripts. Using a combination of techniques and technical knowledge, the penetration tester focuses their efforts on areas of exposure that likely constitute a legitimate risk to an organization’s security.Having identified likely insertion points, the penetration tester will actively attack gaps in the network’s security posture. The execution of a practical attack using the same methodologies that an actual attacker would employ is the most effective way by which to ascertain the real world exposure of a given system or network.As the engineer begins to infiltrate the system he or she will take detailed notes and screen shots documenting the process. The goal is to articulate to the customer the nature of the exposure, and how its presence helped to facilitate a compromise.A seasoned penetration tester will provide a detailed report outlining the various vulnerabilities as well as the severity of each finding within the context of the business, something that a vulnerability scanner cannot provide. The result is an actionable report that provides validation of exposures and targeted guidance on remediation measures.

    Which is Best?

    A true penetration test by a qualified engineer is most often the best overall value for a business. Not only does the stakeholder gain an understanding of the workflow of a real-world attack they also get specific guidance from the perspective of an attacker on what measures would be most effective in thwarting validated attacks. This is articulated in the context of the business drivers of the organization. The end result is that the security organization can focus their efforts where they are most effective and prioritize remediation tasks based on real-world data.A penetration test is more expensive because of the thoroughness of the assessment and the greater value of the outputs. A vulnerability scan is a good starting point and may achieve the bare minimum of satisfying compliance mandates. An organization that understands the difference between compliance and security, however, will endeavor to move beyond automated outputs and seek to understand the practical nature of their security posture.

    Are All Penetration Tests The Same?

    The short answer is no. When you are shopping for a penetration test there are several things you should consider:

    1. Get a sample report – some companies are much more informative in their documentation and a sample report will reflect what you should expect to receive.
    2. History – ask about the team and their experience working with organizations of a similar caliber.
    3. Diversification – find out the background of the team members; the technical expertise brought to bear during the test should be appropriate to the technologies that your organization utilizes.
    4. Duration of test – based on your specific situation ask how long the assessment should take to perform. This may be governed in part by the scope of assessment or other logistical factors.
    5. Their level of specialization – do they only offer penetration testing or do they also provide other products and services.

    Each of these questions will give you insight to the quality of assessment you’ll receive. Especially in security, the relationship between cost and value is subject to variation. Determine if the team is going to spend adequate time on your assessment and if their security engineers have the expertise for your specific situation. Compare reports and insure the report will satisfy your ability to properly remediate the findings. And finally, don’t be afraid to ask to speak to a security engineer and dive deep in questioning their methodologies and experience with the type of testing you need. A competent penetration testing provider will not shy away from such discussions and will welcome the opportunity to add value to your security program.

  • Rising Above The Minimum Cyber Security

    Cyber attacks on the rise

    With the end of each year there are blog posts and articles suggesting the next year will be worse than the previous when it comes to cyber security. Whether those predictions are true or not, one thing is sure – IT Security is a top concern for most network administrators – and it’s a concern that’s only likely to get bigger.

    2016 saw a rise in ransomware and other malware attacks (FBI This Week – March 2016). We also saw insinuations of foreign governments leveraging their way into critical data (DNC & FDIC were two stories of 2016 that suspected international hacking as the culprit) .Companies large and small alike were crippled by cyber attack.

    What’s at risk

    A successful cyber attack can not only damage a company but also could impact business continuity to such a point that the business could not recover. There are ancillary impacts to be considered aside from the critical loss or compromise of data – down time, recovery cost, reputation damage, fees for providing identity theft protection for customers, and possible litigation are just a handful of hurdles an attacked company can face.

    PCI & HIPAA regulations

    Many companies and organizations look to guidelines such as PCI and HIPAA as a security framework, but the reality is these guidelines are best considered as a baseline and the MINIMUM a company should be doing. The proactive company is looking for strategies to safeguard their networks, apps, and APIs with as much fortitude as possible. Operationally, this translates to running in-house scans, delivering constant awareness training, and consistently leveraging the value of penetration tests. The responsible company is also hiring outside experts to attempt network, physical and social penetrations in addition to the in-house testing. The goal should be to ascertain exposures and remediate them to drive the improvement of the organization’s security posture.

    The cybersecurity risks are real

    Even with the best of intentions, shortfalls occur. Systems don’t always get patched and are often prone to insecure configurations. With the rise of social engineering as an attack vector, employees are often the weakest link (unintended of course). Threats are limited only by an attacker’s creativity, and it is impossible to predict all threat vectors. A realistic attack by a skilled adversary is the best way to understand the mindset of the attacker and gain an understanding of how your systems may be vulnerable to compromise.Nothing beats an outside set of eyes testing your defenses. Cyber attacks are on the rise, and companies have never had more to lose. With so much on the line, now is not the time to be looking at average security measures. What steps will you take in 2017 to improve your security posture?

  • Ransomware – What you can do to avoid being a victim

    Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its most pure form it encrypts your data and yanks it from within your very grasp. Leaving behind only a message – a ransom note. If you ever wish to see your precious data ever again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.It’s the kind of thing that keeps business owners and managers up at night.The question is – what do you do to guard against it? Once the ransom appears on your screen, you’re done. There are several steps you should be taking to safeguard against ransomware.

    1. Prevention

    The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company is going to come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan – a true penetration test (pen test) approaches your system just like a real hacker. A real person is working your network and looking for exploits.Include social engineering (email phishing, vishing and spear phishing specifically) to your assessment. Ransomware often infiltrates your system by malicious code unintentionally installed by an employee. Using a found USB stick, visiting a malicious website, giving up credentials to an official sounding phone call, clicking a link in an email, etc. etc…. All of these are inadvertent ways an employee may infect their system.The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.Along with assessing the network for vulnerabilities you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities.Patching as a component of a comprehensive vulnerability management program should also be considered as a foundational element in any ransomware mitigation strategy.

    2. Anticipation

    Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.

    3. Backup, Cloud backup and Services

    Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You’re not going to hack the encryption. If you pay – you’ll usually get your data back (not to mention a target on your back). If you don’t pay – they delete the data and you’re likely out of business.Once the attack happens you have three choices – pay the ransom, go out of business or restore from a backup.You DO backup, right? Surprisingly many companies don’t, and the ones that do often don’t have good practices in place for consistency. It’s critical this backup be separate from your network. You have a few options with backups:1 – Consistent internal backups to off-site drives isolated from the network.2 – Cloud based backupsWhile many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal data transfers aren’t reasonable with typical large companies. There are services available that will overnight a hard drive to your door once you’ve been attacked.

    4. Restoration Plan

    You need a plan in place to restore the data once you get it. Regardless of how you choose to backup and restore – you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in – and the game of cat and mouse continues.You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.Ransomware is here to stay for a while. It’s the new age stagecoach heist. The hi-tech way of bank robbery. Your best defense is a strong offense, good preparation and a plan for business continuity if and when it happens to you.

  • Penetration Testing Pricing

    Updated: April 9, 2018

    How Much Should You Pay for A Pen Test?

    It’s my job to ensure that we’re priced right and delivering a strong value for what we charge.  Yet, I’m continually amazed at the price differential I am seeing for penetration tests (pen tests).  With prices ranging from $1,500 to hundreds of thousands of dollars, I can imagine how difficult it might be for our customers to understand how penetration testing pricing works.Similar to many things that you buy, generally the higher cost products tend to be better than the lower cost products.  While this is likely true in the pen testing world too, how do you know what is adequate for your needs?  Even though there’s a need for high dollar tests at the highest category, most companies don’t need to spend $250,000 on a multi-month penetration test.  For just one week of penetration testing, pricing ranges from $1,500 to about $15,000 for a full retail price.  However, not all pen tests are equal.Here’s a breakdown of why pen testing prices are so different.  There are other elements that might come into play, such as on-site vs. remote and remediation testing, however this list focuses on the penetration test work itself.

    Skill Set

    Not all pen testers are the same, and the proposed pen test pricing should reflect that.  For example, some pen testers are incredible at hacking Windows systems, but are not nearly as strong when it comes to Linux or mobile technology.  Make certain that the team is well versed in all technologies that you have in scope.  Many environments have a huge mix of Linux, Windows, Android, iOS, Mac OS X, Cisco IOS, Wireless networks, and others.  Your pen tester needs to have skills in all of the areas that affect your environment to perform a valid test.

    Time Dedicated to the Job

    The amount of time that a penetration tester spends on a job can really vary, leaving lots of room in how the jobs are quoted. Some pen testers believe that a week, two weeks, or even months are required to get a comprehensive test completed on your network. If you’re quoted anything less than a week, I would hope that it’s an extremely small scope of just a few IPs with no services running on them.  Otherwise, I’d be skeptical.  The key here is to make sure the time spent on the job makes sense with what you’ve deemed in scope for the test.  Keep in mind a single IP with a large customer facing web portal with 10 user roles will take a lot more time than 250 IP addresses that only respond to ping.

    Methodology

    There’s a few different ways to complete a penetration test.  I’ve broken them down into types for reference.

    • Type A would be to search for the low hanging fruit and gain access to a system as quickly as possible. The goal would be to pivot, gain additional access to other systems, ensure retention of the foothold, and finally exfiltrate data. This is a true penetration test and demonstrates exactly what would happen in the event of a real world breach. Some companies call this a “deep” penetration test as it gains access to internal systems and data. It’s the type of test that we prefer to do and what I would recommend as this is what the real adversarial hackers are doing.
    • Type B searches for every possible entry point and validates that the entry point actually is exploitable. This validation is most often completed by performing the exploit and gaining additional privileges. The focus with this type is to find as many entry points as possible to ensure they are remediated. The underlying system might be compromised, but the goal is not to pivot, breach additional systems, or to exfiltrate data. This type is often useful for regulatory requirements as it provides better assurance that all known external security vulnerabilities are uncovered.
    • Type C is really more of a vulnerability scan where the results from the scanner report are validated and re-delivered within a penetration testing report. Many of your lower cost firms are delivering this as a penetration test, although it really isn’t one. It’s just a paid vulnerability scan, and, in some cases, that might be all you need. We offer a vulnerability scan called the BSA on an automatic, recurring basis and it is very useful in discovering new security risks that are caused by changes to the environment or detecting emerging threats. No, it’s not a pen test 😉

    My recommendation would be to ensure both Type A and B are part of your pen test.  This means that even a small IP range will have a week long test at a minimum, but it is the most comprehensive way to pen test your environment and best meets regulatory requirements as well.  Type A will ensure that a test is completed allowing pivoting and exfiltration of information.  Type B will get you that comprehensive test of any vulnerabilities found to ensure that you’re fixing real issues and not false positives.

    Don’t Go too Low

    If someone is offering you a pen test for less than $3,000 for an entire week of effort, I would be very skeptical that you’re getting an actual penetration test. The ethical hackers that perform these tests are costly, and as they don’t work for a salary that would fit the bill rate.  Remember that these resources need to understand networking, operating systems, applications, and security all at the same time.  In addition, there is also cost overhead from operating a business that should be considered.Regardless, penetration testing is a vital part of a strong security program.  Most regulations and security professionals recommend it be performed annually.  It’s better to be hacked by a pen testing vendor than the alternative, so give us a call at Raxis, and we’ll be glad to help you improve your security by uncovering any hidden security risks.