Tag: Cybersecurity

  • Meet the Team: Jim McClellan, Marketing Director

    I’m Jim McClellan, Raxis’ marketing director and newest (full-time) member of the team. Working with the company as a consultant for two years was a great intro to the people and the culture. When the opportunity arose to join them, it was an easy decision. Now, after months of conducting these interviews, our COO Bonnie Smyre turned the tables, and it’s my turn on the other side.

    Bonnie: I would normally say, “Welcome aboard,” but I probably should say, “Welcome all the way aboard,” as you’ve been a Raxis consultant for two years now. What’s the biggest change you’ve noticed since joining us full-time?

    Jim: Focus. Even though I’ve worked as a cybersecurity marketer for more than a decade, there’s still a very steep learning curve with penetration testing specifically – the tactics involved, the technologies you use, and even the vocabulary. Early on, I thought a CVE was made by Honda and that a Metasploit Module required medical intervention. 

    Bonnie: We have a glossary now that might help.

    Jim: Haha! Yes, we do. Thank you for that, by the way!

    Bonnie: You’ve worked in cybersecurity for a while, but that’s almost a second career for you, right?

    Jim: At the very least, it’s an entirely different application of my skills from the first one.

    Bonnie: You were a speechwriter for one of Florida’s previous governors, weren’t you? How did you get into that line of work?

    Jim: This will sound like BS, but one night when I was 15, I heard a US Senator speak at a hometown fish fry, met a guy who said he was majoring in political science, and talked to an older man who told me about the importance of military service. Fast forward 12 years and I was a speechwriter for that former Senator who was now Governor Lawton Chiles. I was also an officer in the Florida National Guard with a political science degree from FSU.

    Bonnie: Ha! That does sound like BS . . . or a very fortunate evening for you.

    Jim: It would have been more fortunate to meet Bill Gates or Steve Jobs back then, but it certainly set the tone for the weirdness of my adult life. For example, I’ve had formal dinners in the Governor’s Mansion, but I’ve also fried fish on a creek bank. I’ve ridden in the Vice President’s motorcade during the same time I drove a Bronco with a rusted-out floorboard. There were so many times I wondered, “Am I really supposed to be here?”

    Bonnie: Don’t worry, you’re in the right place. Do you miss working in politics?

    Jim: Not in the least. I miss the people and the politics as they were then, but there was much more civility, respect, and appreciation for the complexities of public policy. Now, there’s a lot of unbridled and sometimes uninformed passion. As Arthur Schlesinger said, there’s “too much pluribus and not enough unum.”

    Bonnie: You’ve obviously seen a lot of changes in your field. What do you consider most significant?

    Jim: Emojis. I never thought hieroglyphics would make a comeback after all these millennia, but here we are.

    Bonnie: You’re joking . . . I hope.

    Jim: Really, I think it has been the convergent evolution of PR, marketing, and advertising. Those were very siloed disciplines for decades. Now, they’re just different starting points for conversations that happen mostly over social media.

    Bonnie: Has that made it easier or harder to reach customers?

    Jim: It’s a lot easier to get a message in front of customers but much harder to get them to notice. There are no more captive audiences listening to monologues from companies. The customers are in control, so businesses have to be ready to provide useful, high-quality information when and where buyers need it. And, of course, trust is everything. Word of poor service or a faulty product can, quite literally, travel around the world in minutes.

    Marketing is still about authenticity and creativity, but the canvas is larger, and we have more colors and brushes to work with.

    Bonnie: And emojis.

    Jim: Yes!

    Bonnie: I know one of your favorite tactics in these meet-the-team interviews is to get people to tell you about their hobbies or unusual things they’ve done. So, I’m going to do that with you. 

    Jim: My hobbies include backpacking, fishing, hunting, and any other reason I can dream up to be outdoors. I also like woodworking and volunteering with Habitat for Humanity. As for unusual? Let’s see: I wrote a book about growing up on the Apalachicola River and the adventures we had in my small hometown. After it was published, my brother (a judge) pointed out that I had confessed in writing to two felonies and multiple misdemeanors.

    Life Along the Apalachicola River book

    Bonnie: You’re not in jail, so it must have worked out okay.

    Jim: I’m not in jail, and mine is Amazon’s 537th bestselling book . . . in the hunting and fishing humor category. Win, win.

    Bonnie: Yes, just a short hop away from the New York Times Bestseller List. Speaking of the Apalachicola River, isn’t that where that delicious tupelo honey comes from? We all look forward to getting that from you during the holidays. Also, don’t feel the need to stop just because you work for us now.

    Jim: Noted. And, yes, I even named my company Tupelo Media. The Apalachicola River is one of two places where there are enough tupelo trees to produce the honey commercially. One of the jobs I had growing up was helping a beekeeper during tupelo season. Giving away jars of it is a great way to start conversations about the river — and it reminds me that I never want to be a beekeeper again.

    Tupelo Honey

    Bonnie: That’s good because you still have work to do here. What’s your favorite part about working with Raxis?

    Jim: I’ve worked with lots of different companies as a consultant and employee, so I’ve learned it’s easy to look at the bottom line and know how a business is performing in the short term. But it’s the team, the leadership, and the culture that will tell you whether the company will be successful for the long haul. My favorite part of working for Raxis is the certainty of being on a winning team made up of people I really like.

    And the dancing penguin emoji. I love that guy.

    Bonnie: Noted.

  • Cybersecurity in the Financial Sector: Regulations are Approaching Reality

    After years of development and public input, the Federal Trade Commission (FTC) in December finalized some changes to the Standards for Safeguarding Customer Information (Safeguards) Rule – a key part of the Gramm-Leach-Bliley Act (GLBA).

    Of the four major rule changes, one adds a new category of business to the definition of “financial institution,” another exempts institutions that maintain customer information on fewer than 5,000 consumers from some of the new requirements, and a third standardizes some terminology across agencies.

    Though all of these are important for various reasons, the most significant changes from Raxis’ perspective are the ones that more clearly define the elements of the information security programs required by GLBA and which ensure better accountability for implementing and testing such programs.

    The Problems

    In the past, the federal government was reluctant to be overly prescriptive with its cybersecurity requirements. The prevailing mindset was that detailed mandates would turn compliance into “magic”: rote, checkbox activities performed because the rule says so, and guaranteed to breed complacency. Flexibility was seen as necessary so that institutions were free to adopt the practices that best protected their company or niche.

    The reality we’ve witnessed during more than a decade of Raxis penetration testing is that the level of cybersecurity awareness and sophistication varies wildly among financial institutions, regardless of size or business model. Ambiguity in the regulations allowed a patchwork of cybersecurity measures to emerge under the general umbrella of compliance. It was clear to our team that the Safeguards Rule needed to be more specific to make sure every institution implements at least the basic best practices.

    Lack of specificity in the prior iterations of the rules also made it harder for regulators and the institutions themselves to know whether their infosec programs were effective. Along with more specifics, the institutions needed stronger accountability measures.

    The Improvements

    Toward the goal of greater accountability, the Safeguards Rule added two important provisions: designation of a single “qualified individual” to act as a de facto chief information security officer (CISO) and manage the infosec program, and a requirement that this person report in writing to the company’s board at least annually. Most institutions have those functions covered in some form or fashion, but we’ve seen instances where responsibilities were split among employees and even departments.

    Having a qualified infosec leader in place is a good first step toward consolidating authority, but more important is how well and how quickly the institutions adopt the following changes to the Safeguards Rule:

    • Review of access controls. This change requires institutions to regularly test digital and physical access to customer data to make sure only authorized personnel can see it – and see only the parts of it they need to do their jobs. If a Raxis team member breaches your network during a test, you can bet we will check whether you’ve followed the principle of least privilege.
    • Inventory of key data and systems. The inventory process ensures that institutions know what they are protecting with their infosec program. As we discussed in a prior post, it’s not always obvious which data and which systems are at risk.
    • Intrusion detection. This change requires annual penetration testing and vulnerability assessments at least every six months for institutions that don’t continuously monitor their networks. Raxis offers all of these services, but we don’t believe they should be presented as either/or choices: continuous monitoring or a vulnerability assessment should trigger a pentest when serious vulnerabilities are discovered.
    • Secure application development. With this rule change, the FTC outlines some security best practices for in-house and third-party app development. As we explained in some recent posts, public-facing web applications face unique security challenges, and it’s good that the FTC understands the seriousness of that issue.
    • Incident response planning. This update requires that institutions develop written plans for responding to security incidents and spells out what those plans must cover.
    • Encryption requirement. This may seem like a no-brainer, but the Safeguards Rule now requires encryption of customer information in transit over external networks and at rest. It also allows the “qualified individual” to approve, in writing, effective alternative compensating controls if encryption isn’t feasible.
    • Multifactor authentication (MFA) requirement. Again, this would appear to be table stakes for a financial institution, but based on Raxis’ experience, it has not been adopted nearly as widely as it should have been already. The rule change, we hope, will make MFA a standard practice industrywide.
    • Change management procedures outline the steps financial institutions should take when they change the information systems that handle customer data. As a security measure, this ensures such changes are documented and approved before they happen.
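    Two of the items above, the access-control review and the MFA requirement, are the ones an assessor can check mechanically from an entitlement export. The Python script below is an added example written for this page; it is not Raxis tooling, FTC guidance, or real customer data. It assumes a hypothetical CSV export (user, role, permissions, MFA enrolment, status) and a hypothetical role baseline, and it flags permissions beyond a role’s need, active accounts without MFA, roles with no baseline, and, going one step beyond the list above, disabled accounts that still hold entitlements.

```python
import csv
import io
from dataclasses import dataclass

# Hypothetical role baseline (constructed for this example): the minimum
# permissions each job role needs on systems that hold customer information.
# Anything an account holds beyond its role's baseline is a least-privilege finding.
ROLE_BASELINE = {
    "teller": {"core_banking:read_summary"},
    "loan_officer": {"core_banking:read_summary", "loan_system:read", "loan_system:write"},
    "dba": {"core_banking:admin", "loan_system:admin"},
}

# Constructed entitlement export (not real data). One row per account;
# permissions are semicolon-separated, mfa is yes/no, status is active/disabled.
SAMPLE_EXPORT = """\
user,role,permissions,mfa,status
alice,teller,core_banking:read_summary,yes,active
bob,teller,core_banking:read_summary;loan_system:read,no,active
carol,loan_officer,core_banking:read_summary;loan_system:read;loan_system:write,yes,active
dave,dba,core_banking:admin;loan_system:admin,yes,disabled
erin,contractor,loan_system:read,yes,active
"""


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    permissions: frozenset
    mfa_enrolled: bool
    active: bool


def parse_export(text):
    """Parse the CSV entitlement export into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        perms = frozenset(p.strip() for p in row["permissions"].split(";") if p.strip())
        accounts.append(Account(
            user=row["user"].strip(),
            role=row["role"].strip().lower(),
            permissions=perms,
            mfa_enrolled=row["mfa"].strip().lower() in ("yes", "true", "1"),
            active=row["status"].strip().lower() == "active",
        ))
    return accounts


def review_accounts(accounts, baseline=ROLE_BASELINE):
    """Return {user: [finding, ...]} for every account with at least one issue.

    Findings, in the order they are checked:
      unknown_role             - role has no baseline, so nothing it holds is justified
      excess_privilege:<p,...> - permissions beyond the role's baseline (least privilege)
      no_mfa                   - active account that can log in without a second factor
      disabled_but_entitled    - disabled account that still holds permissions
    """
    findings = {}
    for acct in accounts:
        issues = []
        allowed = baseline.get(acct.role)
        if allowed is None:
            issues.append("unknown_role")
            allowed = set()  # fail closed: an unmapped role justifies no access
        excess = sorted(acct.permissions - allowed)
        if excess:
            issues.append("excess_privilege:" + ",".join(excess))
        if acct.active and not acct.mfa_enrolled:
            issues.append("no_mfa")
        if not acct.active and acct.permissions:
            issues.append("disabled_but_entitled")
        if issues:
            findings[acct.user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(review_accounts(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{user}: {'; '.join(issues)}")
```

    Run it and each account with a finding is listed; a user absent from the output is within its role’s baseline and MFA-enrolled. The role baseline is the part to argue over with the business, because the script only makes the gap between granted and needed access visible.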

    This is just a snapshot of what Raxis considers the FTC’s most impactful changes to the GLBA Safeguards Rule. Like all such regulations, institutions should view them as minimum requirements, not as a safe harbor or a guarantee of security. Similarly, regulators should judge compliance not by whether the boxes have been checked, but by how thoroughly the institutions have prepared themselves for the attacks that are coming.

    There is no finish line in cybersecurity, but these changes will give all US financial institutions a head start on better protection for their customers.

    To read the full Safeguards Rule as finalized, be sure to visit the Federal Register.

  • Cyber Civil Defense: We Can All Fight the Russians

    Most of us here in the US have followed the Russian invasion of Ukraine with a mix of disgust, outrage, and even existential fear. But there is a way to channel these negative feelings into positive actions by making yourself and your company a harder target for hackers, including those affiliated with or supported by the Russian government.

    During World War II, families planted victory gardens to help feed our military here and abroad. As the Cold War brought us to the brink of nuclear conflict, private citizens were called on to be part of a civil defense force to supplement local emergency management personnel. Now, technology has introduced us to a new battlefield in cyberspace. 

    Though cyber war doesn’t offer the horrific imagery of a physical invasion, it is every bit as real, the stakes are incredibly high, and the threats are growing more sophisticated. Russia sent its soldiers into Ukraine, but it also fields an army of malicious hackers on its payroll or under its protection.

    Many of these are coin-operated criminal gangs working with the express or implicit approval of Vladimir Putin. They have a track record of targeting his enemies worldwide. The United States has been and will continue to be in their crosshairs.

    As with generations past, it’s our turn now to recognize we all have a role to play – as private companies and private citizens – in protecting our institutions from attack. Here are some ways to do that immediately.

    For individuals, it’s critical to enable multifactor authentication, create complex, unique passwords, and/or use a secure password manager. An old poster from WWII, found in bars across the US, cautioned, “Loose lips might sink ships,” a reminder that Americans had a duty to protect information:

    Loose lips might sink ships

    The point was that small pieces of information could be combined by our enemies to paint a clear picture of larger operations. As professional hackers, we often rely on that same principle, piecing together minor vulnerabilities that ultimately enable us to breach networks and exfiltrate data. The key is to make sure you’re not the weak link at home or at work.

    For businesses, now is the time to recognize that cybersecurity is part of your corporate mission, no matter what industry you’re in. If you’re a leader in your organization, be sure to establish regular check-ins with your information security team – if you haven’t already – and heed their advice.

    Help is also available from the United States Cybersecurity and Infrastructure Security Agency (CISA). Its Shields Up publication offers some excellent recommendations about steps you can take to harden your defenses. Take a few minutes to read and consider these suggestions.

    Remember, too, that Raxis and other companies have veteran cybersecurity experts on their teams whose life’s work is to help protect you from those who would steal from you, hold your data hostage, or disrupt your operations. Now, as always, our certified professionals are ready to help.

    Raxis can perform in-depth penetration tests, conduct red team assessments, test your web applications, or help train your infosec team. But we also offer a number of free resources that are publicly available as well.

    Check out our YouTube channel, follow us on social media, and make sure you subscribe to this blog. We provide a lot of great security information aimed at helping you understand the latest threats and what you can do about them.

    The people of Ukraine are rightfully in our thoughts and prayers at present. It’s unconscionable for one sophisticated, powerful nation to attack and invade its neighbor simply because it can. But we can do much more than fret over what’s happening overseas. We can take action that will make it harder for the Russian government to escalate its cyber war in Europe and here at home.

    This is your chance to join the fight. Make your actions count.

  • A Note from the Hacker-in-Chief

    Raxis is an amazing place to work. 

    As founder and CEO, I say that with a great deal of pride – and only one (very important) qualifier. 

    Raxis is an amazing place to work if you’re the right person for the job.

    Over the past several weeks, you’ve heard from our employees about what makes it special to be part of our team. 

    Throughout this series, they told you what it’s like to work for Raxis, the skills needed to be a penetration tester, and how communication is key not only to our success but also to the success of our clients. While I am very proud of what Raxis has done and how good we are at it, I am even more proud of the culture we have created.

    At Raxis, we truly believe in fostering a culture of education. We take pride in the learning environment we have created and the continued growth of our people. We encourage our employees to constantly expand on their skills and to share as they go — when one learns, we all learn. 

    We also believe in giving our employees the freedom to do their job on their own time. With that freedom, the expectation of results is understood. Our fully remote team is made up of people who don’t need constant supervision and instruction. Instead, our team is driven by their commitment to finding results for our customers. 

    Most importantly, fostering the Raxis culture comes down to teamwork. Our diverse team is composed of some of the brightest minds in the business, all bringing different backgrounds and skill sets. We learn from one another, and by learning and working together, we provide amazing value for our clients.

    Now, I’ll let you in on a little secret: What makes it special to me is all of them – the world-class team of professionals we’ve assembled. Their intellect, tech skills, experience, and personalities make each day interesting, exciting, and incredibly rewarding.

    Being part of the Raxis team is not an easy job, but it is a fun job. Again, if you’re the right person for it.

    Do you have what it takes to be part of our team? Please make sure to watch all the videos in this series. Honestly assess your ability to thrive in an environment where we value accountability far more than control. Where freedom and flexibility bring out our absolute best work. And where we’re as excited about tomorrow’s challenges as today’s victories. 

    If that sounds like your ideal work environment – and you’ve got the skills to hit the ground running – then let us hear from you.

  • A Culture of Freedom with an Expectation of Results

    When it comes to choosing a job, there are so many things to consider – benefits, responsibilities, leadership, and of course pay — to name just a few.

    But for many, a company’s culture is near the top of that list. In fact, an Indeed survey found that 72 percent of job seekers say it is extremely or very important to see details about company culture in job descriptions. The survey also found that 46 percent of job seekers said they would not apply to a job if they did not believe it would be a good culture fit for them. That’s pretty eye-opening.

    At Raxis, we look for talented people we know will work well with our unique culture. If you think that makes us very selective when hiring, I’d say that’s accurate. But here’s why: We give our employees a great deal of freedom about when and how to get their jobs done. With a fully remote team, we hire people who don’t need constant supervision and instruction. Instead, they are driven by a powerful desire to get results for our customers, and we hold them accountable for doing just that.

    Not everyone works well in that type of environment — and that’s okay. There are lots of tech jobs with an abundance of structure and routine. But if you’re the type who thrives outside a rigid environment, and you do your best work independently, check out the video below (and others in the series).

    Raxis lead penetration tester Scottie Cole talks about the freedom he has as a Raxis team member and the tremendous responsibility that comes along with it.

    We know how important culture is to prospective employees. It’s just that important to Raxis, too. If you’re a talented cybersecurity pro who values flexibility and is committed to results, you’re the kind of person we want to hear from.

    For more information, check out our careers page and the rest of our website to see what we offer.

    Want to learn more? Take a look at the first part of our Working at Raxis discussion.

  • When There’s More than Money on the Line

    In our line of work, reading about the latest cybersecurity breach instinctively raises the questions of how many records were lost or how much it cost to recover. Hackers are almost always after the big payoff, either directly or indirectly, so we’re conditioned to think mainly in terms of economic losses, privacy issues, or damage to a company’s reputation. However, as more and more devices are connected to the Internet, the stakes can be much higher.

    Computer Weekly reported in June that cyberattacks against healthcare facilities had increased 15-fold between January and March of 2020 — coinciding with the COVID-19 outbreak. Think about that for a second. With our hospitals and medical personnel facing a global pandemic with overburdened resources, the bad guys seized the opportunity to ramp up their attacks. Not only hospitals, but the US Department of Health and Human Services (HHS) and the World Health Organization (WHO) were targets as well.

    Although we at Raxis enjoy our jobs, we never forget the true nature of the people we’re trying to stop. And we always remember the hard-working people we’re trying to help.

    One such person is my friend, Judy Chang, a senior nurse in a local hospital’s neonatal intensive care unit (NICU). As I thought about the potential impacts of a major healthcare breach, I thought it might be a good idea to introduce Judy to our friends and readers, so I set up a conversation with this front-line hero who works with some of the most vulnerable patients anywhere — the newborn babies who need intensive care in the first hours and days of their lives.

    I encourage you to watch the interview and hear Judy describe her work to help these struggling infants. As you do, consider the impact of a cyber breach that disrupts her team and the sensitive equipment they rely on. As much as I enjoy my work, her story helps me remember that cybersecurity doesn’t just protect networks — it also protects innocent lives.