Category: Security Recommendations

  • Why Worry About Unauthorized Entry?

We’ve posted several videos recently that demonstrate how easy it can be to defeat some common physical security barriers by cloning badges, manipulating sensors with air, and using hidden cameras. In case you’re wondering, it is every bit as fun as it looks, and lots of folks tell us it’s cool to see it demonstrated.

    Check out this video and watch how quickly a company’s data – and its customers’ data – can be compromised.

    If you think about it, it also raises the so-what question. What’s the worst that can happen if someone gets access to a secure area inside your office? Somebody’s bound to notice before they can cause any real trouble, right? 

Unfortunately, no. Even if the hacker isn’t also an experienced social engineer (and Raxis team members are), they can still cause untold damage. Once inside, it only takes an intruder seconds to install a network backdoor device on an open, unauthenticated network port. At that point, network traffic is being diverted to or through the hacker mother ship.

    Fortunately, in this scenario, I was the hacker conducting the attack. Although this was only a demonstration, I should point out that I’ve done the same thing in many red team engagements with clients. As you can see, the computer skills necessary are more in line with a 7-year-old’s than 007’s. Oh, and that special equipment I was using? It’s readily available online for $50 to $100. 

    The point here is that you need multiple, effective layers of cybersecurity to protect your network. How do you find out what you’re missing? Simple. You call us.

Raxis’ team of experts is ready to help your business evaluate and identify solutions to help safeguard sensitive data. Follow us on this blog or social media – Facebook, Twitter, LinkedIn and YouTube – and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • External vs. Web App Pen Testing

    When it comes to pen testing, it’s easy to get confused about the differences between an external network pen test and a web application pen test. 

In this video, I sit down – via Zoom – with Chief Operating Officer Bonnie Smyre to discuss the differences between the two.

    Here’s a quick overview of the two tests.

    What is an external pen test?

    An external network penetration test is fairly broad and looks at the overall corporate cybersecurity environment. It is an attempt to find all the ways someone could get into your network without having any type of access. Testers look for any gaps they can find and explore ways they might exploit them. 

    What is a web application pen test?

A web application pen test is much more focused on the application itself, exploiting it in ways that were never anticipated during development. For example, testers log in with accounts at different privilege levels and try to reach functions and data those accounts should not be able to reach. They want to know whether one user’s credentials can open areas that belong to another user or to an administrator, while also searching the application for any other vulnerabilities.

    So which pen test do you need? Hopefully, the answer is much clearer now. If you have a web application and you want to vet it thoroughly, you need the web application pen test. If you are looking for any vulnerability that might give a hacker access to your data, you should consider the external pen test. 

One of the many advantages to having a third party like Raxis come in and test is that it offers you a new perspective and a fresh set of eyes. Raxis testers arrive with no assumptions about how your environment is supposed to work; like an outside attacker, they work only from the information they can discover.

    A Raxis penetration test will assess your security posture using a combination of tools, techniques and mischief in pursuit of gaining full control of your network. But Raxis doesn’t stop there. Once weaknesses are found, the Raxis team is here to help you make corrections and secure your network. Find out more about our pen testing experience, or contact us to learn more.

  • Monitor. Detect. Alert. It’s worth the effort.

    Let’s talk about monitoring and alerting. 

    First – what is it? Simply put, monitoring and alerting is the ability to detect a suspicious incident and notify the appropriate team members who can decide what type and level of response is necessary.

    However, your monitoring and alerting system isn’t a set-it-and-forget-it component of your overall cybersecurity posture. It’s not quick and easy, but it is essential. Without properly tuned filters and someone who knows how to digest the information and react appropriately, malicious actors can slip inside your network without your knowledge. 

    As Brian discusses, monitoring and alerting take time, experience, and ongoing testing to get right. 

At Raxis, our penetration testing not only tests for vulnerabilities, but we also test a company’s ability to detect an attack or exploit attempt. When we test, we do so in an escalating manner that allows us to determine at what threshold detection occurs. This in turn allows our clients to see how effective (or not) their monitoring is and modify their protocols accordingly.
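To make the threshold idea concrete, here is an added example (not Raxis code, and not drawn from the video) of the simplest kind of detection rule: count failed logins per source address inside a sliding window and alert when the count reaches a threshold. It runs over constructed log lines that mimic OpenSSH syslog entries with ISO timestamps; the addresses, user names and timing are made up. The attacker in the sample starts low and slow, then speeds up, which is the escalation the paragraph describes: `peak_rate` reports the highest per-minute rate each source ever reached, so you can read off which threshold would have caught which phase.

```python
"""Threshold-based brute-force detection over constructed auth log lines.

Added example, not Raxis code.  The log format mimics OpenSSH syslog lines
with ISO timestamps; the addresses and timing are made up.  Lines are
assumed to arrive in time order, as they would from a log pipeline.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failed(line):
    """Return (timestamp, source, user) for a failed-login line, else None."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["user"]


def _windowed_counts(lines, window):
    """Yield (timestamp, source, failures from that source within the window)."""
    recent = defaultdict(deque)
    for line in lines:
        ev = parse_failed(line)
        if ev is None:
            continue
        ts, src, _ = ev
        q = recent[src]
        q.append(ts)
        while q[0] < ts - window:  # drop attempts that fell out of the window
            q.popleft()
        yield ts, src, len(q)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source, the first time it reaches `threshold` failures in `window`."""
    alerts, seen = [], set()
    for ts, src, count in _windowed_counts(lines, window):
        if count >= threshold and src not in seen:
            seen.add(src)
            alerts.append({"src": src, "at": ts, "count": count})
    return alerts


def peak_rate(lines, window=timedelta(seconds=60)):
    """Highest failures-per-window from each source: a rule fires only if its threshold is at or below this."""
    peak = defaultdict(int)
    for _, src, count in _windowed_counts(lines, window):
        peak[src] = max(peak[src], count)
    return dict(peak)


def _fail(ts, src, user="admin", invalid=True):
    who = f"invalid user {user}" if invalid else user
    return f"{ts.isoformat()} sshd[2211]: Failed password for {who} from {src} port 40022 ssh2"


def sample_log():
    """Constructed log: an attacker escalating from low-and-slow to fast, plus a real user's typos."""
    t0 = datetime(2024, 3, 4, 10, 0, 0)
    lines = []
    # phase 1: one guess every 30 s for 10 minutes, never more than 3 per minute
    for k in range(20):
        lines.append(_fail(t0 + timedelta(seconds=30 * k), "203.0.113.5"))
    # phase 2: one guess every 5 s for 2 minutes, up to 13 per minute
    for k in range(25):
        lines.append(_fail(t0 + timedelta(minutes=11, seconds=5 * k), "203.0.113.5"))
    # a legitimate user mistyping a password twice, then succeeding
    lines.append(_fail(t0 + timedelta(minutes=3), "198.51.100.7", "bsmith", invalid=False))
    lines.append(_fail(t0 + timedelta(minutes=3, seconds=8), "198.51.100.7", "bsmith", invalid=False))
    lines.append(f"{(t0 + timedelta(minutes=3, seconds=20)).isoformat()} sshd[2211]: "
                 "Accepted password for bsmith from 198.51.100.7 port 40100 ssh2")
    return sorted(lines)  # ISO timestamps sort lexicographically into time order


if __name__ == "__main__":
    log = sample_log()
    print("peak failures per minute:", peak_rate(log))
    for alert in detect_bruteforce(log, threshold=5):
        print("ALERT", alert)
    print("with threshold 14:", detect_bruteforce(log, threshold=14))
```

With a threshold of 5 per minute the rule fires at the fifth fast-phase attempt and never on the slow phase, which peaks at 3 per minute; with a threshold of 14 it never fires at all. That gap between what the attacker actually did and what the rule saw is exactly what an escalating test is designed to measure, and it is why the filters have to be tuned against real attempts rather than left at defaults.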

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Badge Cloning is Easier Than You’d Expect

You would be hard pressed to find a company or an organization that doesn’t issue employee badges to every employee on day one. These radio frequency identification (RFID) cards usually include employee pictures as well as an electronic tag that allows access to secured doors throughout the building. The cards let IT teams know who went where and when. Companies love them because they are inexpensive and easy to manage.

    What a lot of companies don’t realize, however, is that the technology to read and duplicate the cards is relatively inexpensive and easy to obtain by almost anyone. Unless you take proper precautions, the badge you’ve issued for security could become a vulnerability.

    Check out this video to see just how easy it is for someone with criminal intentions to gain access to secured areas of your building. The Raxis team has used this technique very successfully over the years on our red team engagements. 

    As the video demonstrates, the process is simple and fast. Even if you know what to look for, it’s hard to spot when it’s happening. 

    At Raxis, our assessments are meant to identify real-world vulnerabilities that may otherwise go unnoticed. We are here to attack – in a completely ethical way – and show you how to make your company a harder target for hackers.

  • Securing Your Wireless Network

    This week Raxis Chief Technology Officer Brian Tant continues his video series about the most common vulnerabilities our team has discovered as they’ve performed thousands of penetration tests across the US over the years.

    In this video Brian highlights the unique challenges wireless security brings to the table and breaks down which type of encryption you may want to consider to enhance your wireless security posture and protect your network. 

Brian explains the pros and cons of WPA2 Personal Encryption, WPA2 Enterprise Encryption, and Certificate-based Authentication and discusses which one the Raxis team recommends to bolster your security. One caveat that applies to any WPA2 Enterprise deployment: client devices must be configured to validate the authentication server’s certificate, or a rogue access point can harvest user credentials.

    Hopefully, you’ve watched the video and have a better understanding about which type of network encryption is most secure. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • What to Expect When You’re Expecting a (Raxis) Penetration Test

    I made this video to help you understand a little better how Raxis works, and specifically what happens once you engage us. I hope it allays some of your concerns about penetration testing.

    There’s no reason to fear a pen test. Seriously. After all, it’s just a simulated cyberattack, one that you authorize and allow. Yet some CEOs, CIOs, and CISOs are hesitant to allow this ethical hacking for fear that the bad guys will somehow use it against them, that it will cause security issues, or that it will make them look bad. In fact, it’s just the opposite – especially if you choose to engage Raxis.

    We get it, though. It’s natural to be cautious, and it’s prudent to want to know more about the people you’re working with, especially when granting access to your company’s most sensitive data. Whether you choose to work with Raxis or any other firm, we recommend you ask (and answer) plenty of questions up front. You want to know the company has the right experience to offer a range of high-quality services. One size definitely does not fit all. The firm you select should speak to you in advance to understand your specific needs and expectations . . . and then design and deliver the type of test, training, and follow-up that best protects you and makes you more resilient.

    The Raxis team has some of the industry’s most advanced certifications, but we don’t intimidate our customers or hide anything from them. We believe knowledge empowers our clients, and we share it freely. Whether you use us or someone else, penetration testing is a critical part of your corporate cybersecurity strategy that you should not put off or bypass.

    As you can see, we welcome your questions and concerns during every phase of our process. We conclude our pen tests with an executive summary for management and detailed findings and screenshots that can serve as a to-do list for your internal teams.  

    Raxis stands by our processes, our team, and our word. Now it’s up to you to perform due diligence and research the expertise and deliverables of any cybersecurity company you’re considering. Follow us on this blog or social media, read more about our pen testing experience, or contact us directly to learn more about why some of America’s corporations (and small businesses) choose to work with us.

  • Securing the Internet of Things

The term “Internet of Things” is almost redundant now. If it’s a “thing” that has more than one setting, odds are it is or can be online. Whether or not you need remote access to your toaster oven is a question for another day, but it is an option.

    Here’s the problem: As the Raxis team proves on a near-daily basis, anything that’s connected can be hacked. It’s not that someone’s going to overcook your morning bagel as a prank (although that would be a good one). Instead, it’s that uncontrolled access to any device can give a bad guy a way into your network (and maybe all your devices) if you’re not careful.

    The good news is that there are some simple safeguards you can take to protect your smart devices, and our new Securing the Internet of Things series will take you through them.

    Scottie Cole, senior penetration tester, is kicking things off with the quick video above about securing your home thermostat or corporate HVAC system. I encourage you to watch and to follow Scottie’s advice. Better to take a few minutes now than take a big loss later.

    PS – We’ll do a video on protecting your smart toaster . . . as soon as we find someone who owns one.

  • Understanding the Why Behind Password Management

    In this video, Brian will help you understand password management from the viewpoint of a hacker. It’s more than a how-to; it’s also a why-to. We’re hopeful that by seeing a little of what we see, you’ll make password management a high priority for your company.

    Despite years of warning, cajoling, and even begging by security professionals, password mismanagement is still one of the most reliable (and one of our favorite) ways to breach a company network. This week, our chief technology officer, Brian Tant, continues his video series about the most common vulnerabilities we see during hundreds of penetration tests each year.

Remember: Complex passwords, unique to each account, and changed frequently are keys to effective password management and security. (Current NIST guidance, SP 800-63B, favors changing a password when there is reason to believe it has been compromised over forcing changes on a fixed schedule; either way, a password that has not changed in years is a finding.) Also remember to check your service accounts and make sure that old passwords aren’t lingering on your devices.
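The two checks this paragraph asks for, stale service-account passwords and one password shared across accounts, are easy to automate once you have an account export. The following added example (not Raxis code, and not from the video) runs both over a constructed inventory shaped like a directory export. The account names, dates and hash values are made up. The reuse check relies on a property of NT hashes, which are unsalted, so two accounts with the same hash have the same password; it must not be applied to salted hashes, where equal hashes tell you nothing.

```python
"""Audit a constructed account inventory for stale passwords and password reuse.

Added example, not Raxis code.  Names, dates and hash strings are made up;
the hashes stand in for unsalted NT hashes, which is what makes the equality
check for reuse valid.
"""

from collections import defaultdict
from datetime import datetime

# Constructed inventory in the shape of a directory export.
ACCOUNTS = [
    {"name": "svc_backup", "service": True,  "privileged": True,
     "pwd_last_set": datetime(2019, 6, 1),  "nt_hash": "1a2b3c4d5e6f70819a2b3c4d5e6f7081"},
    {"name": "svc_sql",    "service": True,  "privileged": True,
     "pwd_last_set": datetime(2024, 1, 15), "nt_hash": "3f1c9e2d7a6b5c4d3e2f1a0b9c8d7e6f"},
    {"name": "jdoe_admin", "service": False, "privileged": True,
     "pwd_last_set": datetime(2024, 2, 1),  "nt_hash": "3f1c9e2d7a6b5c4d3e2f1a0b9c8d7e6f"},
    {"name": "bsmith",     "service": False, "privileged": False,
     "pwd_last_set": datetime(2024, 5, 20), "nt_hash": "9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f"},
    {"name": "svc_legacy", "service": True,  "privileged": False,
     "pwd_last_set": datetime(2016, 1, 1),  "nt_hash": "0f0e0d0c0b0a09080706050403020100"},
]


def stale_passwords(accounts, now, max_age_days):
    """Sorted names of accounts whose password is older than max_age_days."""
    return sorted(a["name"] for a in accounts
                  if (now - a["pwd_last_set"]).days > max_age_days)


def shared_hashes(accounts):
    """Map each hash used by more than one account to the sorted account names."""
    by_hash = defaultdict(list)
    for a in accounts:
        by_hash[a["nt_hash"]].append(a["name"])
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def audit(accounts, now, max_age_days=365):
    """Return (severity, message) findings, highest severity first.

    Reuse involving a privileged account is rated critical: cracking or
    dumping the weaker account's password hands over the privileged one.
    """
    by_name = {a["name"]: a for a in accounts}
    findings = []
    for name in stale_passwords(accounts, now, max_age_days):
        acct = by_name[name]
        sev = "high" if acct["privileged"] else "medium"
        age = (now - acct["pwd_last_set"]).days
        findings.append((sev, f"{name}: password last set {age} days ago"))
    for h, names in shared_hashes(accounts).items():
        sev = "critical" if any(by_name[n]["privileged"] for n in names) else "medium"
        findings.append((sev, f"{', '.join(names)}: same password (hash {h[:8]}...)"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit(ACCOUNTS, datetime(2024, 6, 1)):
        print(f"[{severity}] {message}")
```

On the constructed data the audit surfaces a critical finding first: the SQL service account and a human administrator share a password, so whichever of the two is easier to compromise gives up both. The two service accounts with passwords untouched for years follow. Real exports come from your directory tooling; the functions only need the four fields shown.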

    Effective cybersecurity is a matter of behavior as much as it is technology. Let’s make strong password management a habit that catches on. 

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • What is Least Privilege Access?

    This week, we’re continuing to explore some of the most common vulnerabilities the Raxis team has discovered during thousands of penetration tests across the US. In the video above, Brian Tant, our chief technology officer, discusses the principle of ‘least privilege access’ and why it’s an essential component of an overall business cybersecurity strategy.

    Hopefully, you’ve watched the video and have a better understanding about why you should restrict permissions as much as possible and still allow team members to get their jobs done. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • 3 Steps You Should Take Right Now to Reduce Your Risk of a Cyberattack

    Hi everybody, it’s Brian with Raxis, back with another video today!

    This is a busy time for us all, with no signs of slowing down. Do you know who else is busy now? Hackers – especially ones that know just how easy it is for thousands of us to forget to update passwords, patch operating systems, and scan for new viruses.

    I get it. Life happens. Seniors are graduating, families are acclimating, dogs are crashing Zoom meetings, and many of us are adjusting to completely new work environments. But if you can remember to lock your doors at home, you can get in the habit of locking out cyber attackers at work.

Watch the video above for the top 3 things I wish every company would do today to keep out intruders online.

    These steps are the basics that every company should be taking, but, as hackers know all too well, not everyone does. Your company’s security is a 24-hour-a-day responsibility. Make sure your employees and your IT department know how critical it is for everyone to use the tools you already have to stay one step ahead of criminals.

    If this video made you wonder how secure your company’s data is, contact Raxis and learn how our tests can help you assess and improve your cyber defenses. We partner with small- and mid-sized businesses, as well as Fortune 500 companies, to help protect your employees, your data, and your bottom line.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Here’s How Hackers Can Get Through Your Doors and Onto Your Network

    Watch my video to see how easy it can be to bypass your company’s sophisticated security system. You might assume I’m just a guy who left something at work and had to run back in. But that’s not my office, that’s not my badge, and, at sunset, my day is just getting started. 

    We’re all familiar with employee badges – plastic proximity cards that contain a unique identifier that tracks when and where an employee is on company property. Businesses around the world depend on this technology to prevent unauthorized access, yet most would be shocked to see how simple it is for those badges to be scanned, cloned, and used to access a secure server.  

    In truth, I’m the chief technology officer at Raxis, a team made up of ethical hackers who can get in and out of your secure office quickly and quietly. If we wanted to, we could walk away with access to every single file stored on your network. Luckily, we are not actually there for the files, we’re there to fix your vulnerabilities to a cyberattack. 

    Badges that use RFID technology can be scanned from a few feet away, then cloned in seconds using a handheld copier/reader/writer – a relatively inexpensive device that’s easy to find if you know where to look. Add a small hidden camera to capture the PIN code on an alarm, then drop a backdoor implant device onto your network, and you’ve got a budget-friendly break-in method that a competitor or a kid on the dark web could use to ruin your reputation. 
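Both the Badge Cloning post above and this one describe a prox badge as a static identifier that can be read and replayed. The following added example (not Raxis code, and not from either video) encodes and decodes the common 26-bit Wiegand format (HID H10301) so you can see what that identifier actually is: 8 bits of facility code and a 16-bit card number, framed by two parity bits, with no secret and no challenge. It assumes the 26-bit format; the facility code and card number values are made up. `forge_neighbors` goes beyond the text: it shows that a single captured badge also yields valid frames for neighboring card numbers, which matters because badges are usually issued sequentially.

```python
"""26-bit Wiegand (HID H10301) badge data: encode, decode and enumerate.

Added example, not Raxis code.  It assumes the common 26-bit format; other
formats differ in field widths and parity layout.  Values are made up.
"""

FC_BITS = 8    # facility code width
CN_BITS = 16   # card number width


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Return the 26-bit frame a reader receives when this badge is presented."""
    if not 0 <= facility_code < 2 ** FC_BITS:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number < 2 ** CN_BITS:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:0{FC_BITS}b}{card_number:0{CN_BITS}b}"  # 24 payload bits
    even = data[:12].count("1") % 2          # leading bit: even parity over first 12
    odd = (data[12:].count("1") + 1) % 2     # trailing bit: odd parity over last 12
    return f"{even}{data}{odd}"


def decode_26bit(frame: str) -> tuple:
    """Recover (facility_code, card_number) from a captured frame, checking parity."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits")
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity check failed")
    if int(frame[25]) != (data[12:].count("1") + 1) % 2:
        raise ValueError("odd parity check failed")
    return int(data[:FC_BITS], 2), int(data[FC_BITS:], 2)


def forge_neighbors(frame: str, span: int) -> dict:
    """From one captured badge, build valid frames for nearby card numbers.

    Everything needed to forge them is in the captured frame: the facility
    code is shared site-wide and the card number is just a counter.
    """
    fc, cn = decode_26bit(frame)
    out = {}
    for candidate in range(cn - span, cn + span + 1):
        if candidate != cn and 0 <= candidate < 2 ** CN_BITS:
            out[candidate] = encode_26bit(fc, candidate)
    return out


if __name__ == "__main__":
    captured = encode_26bit(123, 4567)   # what a reader/writer would sniff
    print(captured, decode_26bit(captured))
    for cn, bits in forge_neighbors(captured, 2).items():
        print(cn, bits)
```

Writing the captured frame to a blank writable tag is all a clone is; there is nothing for the reader to verify beyond parity. The defense the bits point to is a credential technology that authenticates the reader and the card to each other rather than just announcing a number, combined with a second factor at sensitive doors.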

    Until it’s tested, security is only perception. Raxis assessments identify real-world vulnerabilities that may otherwise go unnoticed. We partner every day with companies like yours to harden their security through process and technology enhancements. The most important asset in any business is a customer’s trust. Secure it with effective, battle-tested solutions from Raxis.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Can This Simple Trick Outwit Your Smart Security?

Armed with nothing more than an ordinary can of compressed air, a hacker can gain entry to a key-card-only access facility in just 19 seconds: sprayed through the gap around the door, the cold blast trips the motion-sensing request-to-exit sensor that unlocks the door from the inside. Skeptical? See for yourself in this video.

    Fortunately, the guy in this video is me. Our company, Raxis, is a team of ethical hackers and penetration testing experts who evaluate and identify solutions that help businesses safeguard their sensitive data, from healthcare to finance to innovative product and app development.  

Some folks forget that physical security is the first line of defense against a cyberattack. If someone can get inside your business, they can find your servers, and in seconds they can steal, sell, and destroy data you’ve invested thousands in protecting.

    Our cybersecurity specialists have studied for years to find hidden, unscrupulous techniques that the world’s most sophisticated hackers use. Solving these puzzles and preventing cyberattacks is what we love to do – but often we find security vulnerabilities long before we get to delve deep.  

    Finding a failure in your company’s security isn’t something to fear; it’s something to fix. And you can only fix something when you know it is broken.  

    Follow us on this blog or social media and we’ll share more ways that hackers can get in — and how we can help you keep them out.