Tag: Bonnie Smyre

  • How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    Bonnie Smyre, Raxis COO

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: Tell me about your experience in my industry?

Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standard (PCI DSS), and we can plan our testing to make sure you’re compliant.

When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven- to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.


    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • How to Hire a Penetration Testing Firm – Part 1

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.

    Step 1: Identify Your Why

    There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.

    Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.

    See a term you don’t recognize? Look it up in our glossary.

    Step 2: Understand What You Have at Risk

A closely related task is to be clear about everything you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personally identifiable information (PII) from the local hard drives.

    Step 3: Determine What Type of Test You Need

    General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.

    Raxis offers several types of penetration tests depending on your company’s needs:

    Step 4: Consult Your Trusted Advisors

    Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.

    In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.

    If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.

The downloadable PDF below includes this list of Raxis services with an explanation of what we test and a brief explanation of how we go about it.

Raxis Penetration Testing Services

Step 5: Consider Ratings and Review Sites

    Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.

    Here are some resources you might find helpful as a start:

    Step 6: Check References

    Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?

In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Do they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references, and others may not be willing to discuss the experience. However, some will, and that will add to your knowledge base.

    If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.

    If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.

    Want to learn more? Take a look at the second part in our How to Hire a Penetration Testing Firm Series.

  • Meet the Team: Bonnie Smyre, Chief Operating Officer

    As Raxis’ chief operating officer, I’ve been busy prodding coworkers to do these meet-the-team interviews. (Looking at you, Brad, Brian, and Mark). Now, it’s my turn for a conversation with our marketing specialist, and the result is the interview below. I’m more accustomed to conducting interviews than giving them, so, if you’re a qualified penetration tester, check out our YouTube channel and our careers page. If Raxis is the type of company you’d like to work with, who knows – maybe I’ll get a chance to interview you.

    Jim: First of all, condolences for your Tarheels’ recent loss to my Seminoles in football.

    Bonnie: That’s all right. I’m a baseball fan, so North Carolina will get its redemption in the spring – if not before.

Jim: Really? I wouldn’t picture you as a baseball person. How did you become a fan?

Bonnie: That started while I was at UNC. I was working as a web and database developer for many years. Baseball just seemed to be an athletic extension of that same mindset. As a game, it fit in with the details, patience, and long game required to code a complex application from start to finish… and end up with a result that faculty, staff, and students were all happy with.

    Bonnie cheering on her alma mater.

    Jim: I don’t think I’ve ever heard anyone make that connection before. Is that what attracted you to a career in IT in the first place?

    Bonnie: I was a shy bookworm when I was younger. IT was a field I thought would allow me to work independently and not require me to interact as much with other people. However, as I grew in my profession, I realized that I needed to get past that shyness if I wanted to really make a difference.

    Jim: Did that happen naturally, or did you have to work at it?

    Bonnie: Oh, I worked on it. I moved on to a development job at PBS North Carolina (UNCTV while I was there). During our pledge drives, I was usually backstage working on a computer, but occasionally I would be on the phones and on live television. There are people who still tell me they remember seeing me on air.

    Jim: Did that make you more comfortable being in front of people?

    Bonnie: That started me on the path, I think. But the real breakthrough was when I went completely outside my comfort zone and took improv classes for a few years. I was petrified at first, but I met some great people who gave me the courage to get over my fear.

    Jim: I think most people would find that terrifying – to be on stage, all eyes on you, and the pressure to be funny.

    Bonnie: Improv isn’t like stand-up comedy. The whole point is that you are not alone. The team has your back, and you have theirs. It gives you a confidence to just run with what pops into your head & see if it’s funny.

    Jim: Okay, so you’re a veteran IT pro and you’ve got all this improv experience. How did you find your way to Raxis and bring those skills together?

    Bonnie: Our CEO, Mark Puckett, & I were good friends in high school, and I met his wife when her mom and dad were “band parents” for the marching band. (I played the flute.) In 2014, I moved back to the Atlanta area to be closer to my family and began working as a penetration tester at Raxis. When my first PSE (physical security evaluation) job came up, I found that my improv experience helped me think on my feet.

Jim: So, improv helped you convince people you were someone else and your IT background allowed you to capitalize on that?

    Bonnie pretending to be an elderly woman on stage (l) and for a real-life PSE (r)

    Bonnie: Yep. It’s a bit scary how often people believed me, but the good news is, it was all for educational purposes. Once they see how easy it is for someone to slip past their security, it helps them better understand what they need to do to protect themselves and their companies.

    Jim: Unlike other companies, most of Raxis’ best work has to stay confidential for obvious reasons. In the absence of outside validation, what makes the work fulfilling to you?

    Bonnie: As I’ve grown in this job from pen tester, to project manager, to leading operations, I’ve found that I’m no longer in a shy IT position. Just like my improv team made me feel safe to try new things, the team here at Raxis makes things fun every day. It honestly doesn’t feel like a job. I get to work with great people and do what I love each day.

  • Bonnie Shares Words of Working Wisdom with Westminster Students

“I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious.”

    Raxis Chief Operating Officer, Bonnie Smyre

    At Raxis, we believe in giving back to our community and especially to the young people who are our future workforce. That’s one reason why I was very excited for the recent invitation to deliver a video message to students of Atlanta’s Westminster Schools, a private academy for kindergarten through 12th grade students, as part of its Conversations Around Race and Equity (CARE) initiative.

    Westminster aims to instill in its students a strong belief that they can do anything they put their mind to, as long as they create meaningful goals and work hard to achieve them. In the US today, their choice of profession isn’t limited by anyone else. So, it’s important for young people to open their minds and explore a wide range of career options.

    As a woman in the male-dominated field of information security, I was able to talk about my experience and how, through hard work and focus, I have earned the respect of my (all-male) colleagues along with the position of chief operating officer (COO).

I also had some fun explaining how being a penetration tester allowed me to use my gender to my advantage. I have literally walked past security guards who assumed that a petite, professional woman couldn’t possibly be up to anything nefarious. Some cheap surgical scrubs from Walmart were all I needed to enter a nurse’s station and access a hospital’s computer network. A birthday cake was my ticket onto a secure elevator and directly into the office of a corporate vice president.

    My intention was to present the infosec field as a fun, challenging, and meaningful career choice. It’s also a field that is inclusive and accessible to everyone, regardless of race or gender, as long as they are willing to invest the effort.

    Congratulations to Westminster Schools for introducing students to a broad range of career options and for teaching them that all are within their reach. I was proud to be a part of that effort.

    If you’d like to learn more about our work as ethical hackers, be sure to subscribe to our YouTube channel and stay up to date on all our latest tips, tricks, and commentary.

  • Our COO, Bonnie Smyre, Featured on Fox 5 News!

Our Chief Operating Officer, Bonnie Smyre, was interviewed on Fox 5 News in Atlanta in a story regarding a Facebook scam involving Tyler Perry. Essentially, the scammers behind the Facebook sites and accounts are “data mining to get your information”. If you clicked the Facebook scam link, it’s probably too late to reverse it, but try to avoid it next time – if something seems too good to be true, it almost always is.

    Click here to watch the video on Fox 5 Atlanta’s website