Tag: Cybersecurity Leadership

  • Raxis in the Classroom: Giving Back by Looking Forward

    Georgia’s Putnam County School District takes cybersecurity seriously — not only as an administrative safeguard, but also as an important new skillset to teach the next generation. Regardless of their ultimate career choices, today’s students will be tomorrow’s workforce and cybersecurity will be a critical component of every job.

    It was in that context that Ed Ozols, a computer science and cybersecurity teacher at Putnam County High School, invited Raxis lead penetration tester Brice Jager to speak to his students about the role of pentesting and how it keeps networks safe.

    Some Words from Ed:

    Brice was a great help to my cybersecurity class. This is the first time that Putnam County High School has offered cybersecurity and we will be providing the full pathway that ends with a certification exam to our students. We are one of the few districts in Georgia that offers the full pathway. Brice spoke with students who are taking their first cyber class. He was able to outline what life was like for a cybersecurity specialist (in his case, as a pen tester).

    Brice noted the different ways that students could get into cybersecurity and pointed out that students need to put in work to qualify for jobs and explained the certification process and how to determine which certifications are valuable to possible employers.

    The students had numerous questions that Brice answered for us, and his explanations were understandable to my students who have just begun to get their toes wet in cybersecurity and do not have a depth of cybersecurity knowledge.

    They were glad to hear from him. One student, who is normally shy, came up to me and talked with me about a future in cybersecurity. I have other students who plan on pursuing a career in cyber and this helped cement those plans.

    I am helping develop the future of cybersecurity and Brice was an important part of this development in the students that he was talking to. My students and I thank you for connecting us with Brice. It is two weeks after his discussion and my students are still relating things that he said with the concepts I am teaching in my class (as in “Brice said…”).

    Ed Ozols' Cybersecurity class at Georgia’s Putnam County School District

    According to Brice, the experience was very rewarding for him as well.

    “I’ve been an instructor in some of my previous jobs, so it feels natural to ease back into that role,” he said. “What made this experience unique is that I had an opportunity to introduce young people to the field of penetration testing and, I hope, sparked a deeper interest in cybersecurity among them. It’s rewarding to think that one or more of those students could decide on a career in cybersecurity because of this introduction.”

  • How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    Bonnie Smyre, Raxis COO

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: Tell me about your experience in my industry.

    Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standard (PCI DSS), and we can plan our testing to make sure you’re compliant.

    When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations, or FINRA, GLBA, or SOX for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

    Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven- to ten-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.


    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • How to Hire a Penetration Testing Firm – Part 1

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.

    Step 1: Identify Your Why

    There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.

    Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.

    See a term you don’t recognize? Look it up in our glossary.

    Step 2: Understand What You Have at Risk

    A closely related task is to be clear about everything you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personally identifiable information (PII) from the local hard drives.

    Step 3: Determine What Type of Test You Need

    General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.

    Raxis offers several types of penetration tests depending on your company’s needs:

    Step 4: Consult Your Trusted Advisors

    Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.

    In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.

    If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.

    The downloadable PDF below includes this list of Raxis services with an explanation of what we test and a brief explanation of how we go about it.

    Raxis Penetration Testing Services

    Step 5: Consider Ratings and Review Sites

    Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.

    Here are some resources you might find helpful as a start:

    Step 6: Check References

    Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?

    In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Do they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references, and others may not be willing to discuss the experience. However, some will, and that will add to your knowledge base.

    If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.

    If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.

    Want to learn more? Take a look at the second part in our How to Hire a Penetration Testing Firm Series.

  • Meet the Team: Mark Puckett, CEO

    I’m Mark Puckett, CEO of Raxis. By now, you’ve met all but the newest members of our team, so it’s time I step up and tell you more about how this company came to be. Before I do, however, you should know that the secret to Raxis’ success is the incredible individuals you’ve met up to this point. I’ve never worked directly or indirectly with a finer group of people anywhere. I’m fortunate to call them colleagues and friends. If you’d like to be a part of our team – and you have what it takes – keep an eye on our careers page. Maybe you can be part of our exciting future.

    Jim: Mark, it’s a small percentage of people who have the courage to start a business – and then only a relative handful that enjoy the success Raxis has had over the past decade. How did you decide that launching a business was the right move?

    Mark: Initially, I chose a different path by working for large corporations like GE and Home Depot, as school always taught us that was the best path for success. Yet, I always had an interest in starting a business. My mother is an entrepreneur at heart. My parents owned a jewelry store when I was growing up. Later, my mom started a translating and interpreting agency that provided language services for the legal industry. It took some time for me to realize that I had that same inclination toward entrepreneurship.

    Jim: Was Raxis your first attempt at starting a business?

    Mark: Yes and no. I’ve owned the raxis.com domain name since 1999, and it started out as a website hosting business. Then it morphed into a rental property management company, an SEO business, back to web hosting, and then to secure software development. But after 18 years in corporate America and toying with side-businesses, I decided it was time to take a shot at making Raxis my full-time endeavor, only this time as a penetration testing company.

    Jim: With apologies to Tolkien, one doesn’t simply walk into pentesting. You must have had a strong background in security to even consider the field.

    Mark: That’s true. Penetration testing became an interest of mine years ago when my career pushed me in that direction. I moved from a network and application security defense role to managing Home Depot’s internal Red Team. After a couple of years in that role, I found I really enjoyed penetration testing and realized it had a lot of business potential as a relatively young concept at the time.

    Jim: Seems like a scary prospect to jump in with both feet.

    Mark: Knowing that you can’t really tell two stories well, I knew I had to leave Home Depot and take a chance at running Raxis full time. For a true entrepreneur, the scariest proposition is not pursuing an idea. So, I left Home Depot in 2011 to chase my dream. That dream, known to many as Raxis, has been profitable since inception and growing steadily to date.

    Mark with the Raxis leadership team on a job in Anchorage, Alaska

    Jim: A very common theme among most of the Raxis team is this intense curiosity that seems to be present from an early age. Was that true of you as well?

    Mark: As a matter of fact, yes. And I think that deep curiosity is a character trait you’ll find among all the best ethical hackers. We know there’s a way in, and we will find it. And I can remember that same feeling of determination from early in life.

    Jim: How did that emerge?

    Mark: First, it was an interest in electronics that started when I was about 6 or 7 years old. I really enjoyed taking apart electronic toys and appliances to see how they worked. I’d salvage all sorts of parts like motors, lights, LEDs (only in red at the time), and switches. I came up with all sorts of little projects just for fun, like fasten parts to a cardboard box to make a “switchboard.” Mine was only able to turn on and off lights and run a DC-powered fan that used a popsicle stick for a prop, but I really thought it was fun to build. My parents correctly realized they were on to something. So, they got me a 50-in-1 electronics kit from Radio Shack that I absolutely loved.

    Young Mark with his 50-in-1 electronics set

    Jim: Was that your ‘gateway’ tech?

    Mark: Yes, apparently so. Because, as soon as computer technology became affordable to consumers, I had to have one. My first computer at age 8 was a Tandy Color Computer 2, also from Radio Shack. I taught myself how to write BASIC programs from typing in code I got from a computer magazine subscription. That began a life-long relationship with technology. After the Tandy CoCo 2, I became an avid IBM PC clone fan, then to Linux, Windows, and now MacOS X.

    Jim: Another theme that recurs in these interviews is the close-knit relationship among the team members. Raxis’ COO Bonnie Smyre talked about your friendship that began in high school and continued through the years. And (VP of business development) Brad Herring is a longtime friend as well, right?

    Mark: That’s right. I’ve been friends with Bonnie since high school, and we stayed in touch until I convinced her to join Raxis several years ago. I’ve known Brad even longer. My family moved from Carrollton, Georgia to Marietta when I was 10 years old. I met Brad in middle school, and he was my first new friend in a new town. He also had a computer and really enjoyed technology, so we had a lot in common. There were times our lives led us in different directions, but we always were able to keep in touch. We were catching up at a lunch, just as we did every now and then, when I mentioned to Brad that I needed some help with generating more business for Raxis. Brad jumped in with both feet and was able to build a first-rate sales program that has exceeded expectations since inception.

    Jim: Speaking of Brad, he told me that, in addition to your love of technology and electronics, you also have a longtime passion for cars. Is that what keeps you busy when you’re not focused on Raxis?

    Mark: Aside from spending as much time as I can with my lovely wife and three beautiful daughters, I seem to be a jack of all trades and master of none when it comes to hobbies. My favorite hobby is pretending to be a race driver at Road Atlanta. I also enjoy boating (but not so much fishing), cycling, photography, videography, astronomy, and home theater.

    Mark indulging his need for speed in his Porsche GT3 at Road Atlanta

    Jim: One of the Raxis YouTube videos discusses teamwork as the company’s “secret sauce.” What’s your take on that statement?

    Mark: Truer words were never spoken. Raxis hires people, not positions. We look for folks who care about making a difference more than just making a paycheck. It takes longer to find the right team members, but it’s so worth it when you see how well all our various skillsets complement each other. And, even though we’ve got absurdly talented people here, we don’t have giant egos to deal with. As a result, we’re continuously learning from each other and our customers get the best service possible.

    I don’t take credit for their great work, but I’m certainly proud to be a catalyst for bringing them all onto one team.

  • Meet the Team: Brad Herring, VP of Business Development

    I’m Brad Herring, VP of business development for Raxis. In that role, I work very closely with our marketing specialist on a near-daily basis. So, our interview was more like an extension of our normal conversations. And that’s one of the great things about working with Raxis – we’re a tight-knit team. We’re professionals who are also friends and family-of-choice. If that sounds like a work environment you’d enjoy, please subscribe to our YouTube channel and check our careers page to learn more.

    Jim: Brad, in many cases, you’re the first Raxis team member customers interact with. That seems like it would be incredibly hard.

    Brad: Actually, it’s one of my favorite parts of the job.

    Jim: I meant for the customers.

    Brad: Ha! Yes, for them I’m sure it’s very hard. But once they’re done with me, they get to deal with Tim (Semchenko) and our engineers. So, there’s light at the end of that tunnel.

    Jim: Raxis has a lot of new and repeat business, so I’m obviously joking. Tell us more about why you enjoy working with customers and potential customers.

    Brad: It’s because I know that we’re genuinely helping them become more secure and, by extension, making the world a little bit better place. I know that sounds hokey, but it really is true.

    Jim: You’re doing sales, but that’s not really your background. How did you land in this role?

    Brad: I really enjoy telling the story about how our CEO, Mark Puckett, has been a friend since childhood. We’ve always shared a love for computers and cars. After he founded Raxis, he asked for my take on a different business venture he was considering. He decided against that opportunity, but Mark told me that he thought I would be a good fit for Raxis. I said, “Anything but sales.”

    Brad Herring (l) and Raxis CEO Mark Puckett (r)

    Jim: Yet, here you are!

    Brad: That goes to show how good Mark is at selling.

    Jim: But you are a storyteller at heart and you have a strong technical background as well.

    Brad: Yes, my background is in theater. My actual major at Kennesaw State was in Acting and Directing. (I also minored in business law, just to keep people guessing.) And, believe it or not, storytelling is a lot of what I do when I’m speaking with customers. I never know how much technical knowledge someone is bringing to the table, so I have to be sure I understand the technical parts of our job well enough to explain it to people who have little or no expertise on the subject.

    Jim: But you also have to work with CIOs and CISOs who live and breathe this stuff.

    Brad: Yes, I do. And that’s where I’m fortunate that much of my theater career was spent in the more technical realms of sound and lighting. I owned two companies and did a lot of work for theaters, both indoor and outdoor, as well as houses of worship. A lot of that work is computer-driven, and the technology is based on network protocols.

    Jim: I’m sensing that your early love of computers helped pull you in the technical direction, at least in part.

    Brad: Absolutely! My first computer was an old Commodore VIC-20 with no storage media. So, if you wanted to play a game, for example, you had to type in pages of commands from books, debug them, hope the power didn’t go out, and then watch all that work disappear when you switched it off. I remember digital cassette recorders as life-changing technology. Then modems came along and gave guys like Mark and me an opportunity to share our passion and connect with others. And, really, those computer-to-computer connections were the origin of the Internet and the main reason why penetration testing is so necessary now.

    Jim: What does a typical day at work look like for you?

    Brad: You know me. Nothing about me or my work is ever ‘typical’ — and I wouldn’t have it any other way. I do spend a lot of time negotiating with customers — again, making sure that we’re selling them what they need. I’m also involved, as you know, in marketing our services. I still enjoy production work, creating videos that showcase our talented team members, and checking in with other company leadership to make sure we’re on the same page.

    Jim: You also have a lot of projects around the house to keep you busy, right?

    Brad: My home and property are projects. In fact, sometimes it seems like my life is a project. We have chickens and a garden to tend. I just got done rebuilding an antique tractor that our CTO, Brian Tant, gave me. There are boats to tinker with, a jeep to keep alive, and a lot of carpentry and metal work that keeps me busy.

    Brad on the 1946 Ford 2N tractor he rebuilt. (Not pictured: An ocean of hydraulic fluid spilled on his garage floor during the process.)

    Jim: And you still have time for your faith and your family.

    Brad: Yes. Those are the most significant treasures in my life, and I’m very fortunate that Raxis gives me the flexibility and time I need to nurture them. I’m also privileged to work for the ‘good guys’ in this world and help my children understand the importance of standing up for what’s right. Ultimately, I think that’s what determines whether or not a job is fulfilling and worthwhile — I know that the world is a better place because Raxis is here.

  • Meet the Team: Brian Tant, VP of Engineering

    I’m Brian Tant, and I serve as Raxis’ VP of Engineering. This week, I’m the subject of our in-house infosec inquisition where I’ll be asked all manner of probing questions intended to give you, the reader, some insight into the machinations of a troubled mind. Normally, I avoid this type thing, but, after a series of increasingly dire threats from our COO, Bonnie Smyre, I relented.

    Jim: When did you first get into security?

    Brian: Do you want the professional answer or the seedy underground one?

    The professional version is that I started in IT at the ripe age of 17. I lied about my age to get on with a tech staffing company. They made me do a series of placement tests, although back in the day we used paper.

    Jim: [shudders]

    Brian: I know, right? Anyways, I had been doing computer stuff for a while and the tests were pretty basic. I did well enough that I bubbled up to the top of the roster for a big brand company looking for a tech. They brought me in and made me a field technician day one. It was the typical firehose-sippy-cup experience that comes with jumping up a level.

    Fast forward several cubes later. At some point, I found I had a knack for Terminal Server and Citrix and did that for several years. My last deployment was one of the largest Citrix farms in the world at the time: 1000+ servers and 30k concurrent users across the globe.

    Jim: And then?

    Brian: I got bored. How many times a day can you hear the phrase, “I can’t print” before you start questioning some fundamental life choices? I loved the tech, but the users. Oi.

    Jim: So where does security come into the picture?

    Brian: Ah. For that we have to re-visit the dark seedy part I mentioned earlier. Back in the 90s, the hacker scene was mostly to do with phones and usenet groups. Networks were mostly flat, and email was a cool idea that would never take off. My taste for mischief found a home in that community. Twenty-some-odd years later I decided to re-kindle that and found that there was a whole sector of talented folks that shared a passion for devious tinkering.

    Jim: And the rest of the story?

    Brian: As a Raxis Paul Harvey would say…

    Jim: Wow.

    Brian: Yep. I am that dork. Mark (our esteemed CEO) took a chance and brought me onboard Raxis early on. We were tiny, but eventually found our voice. Since then, we’ve grown, and I’ve been privileged to be a part of building something special. What we have here is a real sense of family. I can’t imagine being anywhere else.

    Brian doing literally what he’s often suspected of doing figuratively.

    Jim: Switching gears. If there is one thing I’ve learned working with Raxis it’s that you guys roll hammer down all day. The pace is frenzied, and things are always changing. How do you unplug?

    Brian: As my wife will tell you, I have a problem with hobbies.

    Jim: Oh?

    Brian: Most of them tend to connect with farming or agriculture in some way. We have a small homestead where we keep bees, goats, worms, chickens and an indeterminate number of dogs and cats at any given time. I sit on the board of directors for the local farm bureau and chair the bee keeping club.

    Jim: No shortage of fur-babies then.

    Brian: I also make wine, mead, soaps, preserves, and have been known to run a still now and again. For a while I even made a podcast that gained a modest following. I do a lot of backpacking and am a master diver.

    Brian spending quality time with his six-legged livestock.

    Jim: Back up; a still as in moon-

    Brian: As in alternative fuel for small engines.

    Jim: [cough] Moving on, if you had to pick a favorite thing about working at Raxis, what would it be?

    Brian: Easy. It’s the people. The people are the heart of this company. Raxis is an ego-free zone. We’re all passionate about what we do, but, unlike most shops, Raxis is built on empowerment. We’re only the best if our people are at their best, and that means we take care of each other. The same holds true with our customers. Our success comes from helping them succeed.

  • Meet the Team: Scottie Cole, Lead Penetration Tester

    I’m Scottie Cole, and this week, it’s my turn to be interviewed by our marketing specialist. Unlike my Raxis colleagues, I’ve been friends and worked with Jim for well over a decade (that is, if you consider what he does actual ‘work.’) What follows is our best attempt at an interview, but it highlights one of the things I like best about this team: For as hard as we work, we also have a lot of fun. If that sounds like an environment that would bring out your best, check out our careers page and learn more about our opportunities.

    Jim: I seem to remember you having much darker hair when we first met.

    Scottie: That’s right! And I seem to remember you actually having hair when we first met.

    Jim: True enough. You were responsible for our internal security at the cybersecurity company where we both worked for many years. Some of our readers might think that would be an easy job or maybe even redundant.

    Scottie: Thanks to you and your marketing people, I always had plenty of new risks to mitigate. 

    Jim: You’re welcome.

    Scottie: Seriously, security companies are frequent targets of hackers, so we have to pay extra attention to keeping our own house in order. We have customers counting on us, of course, but we also have our reputation to protect. That raises the stakes and adds a lot of pressure.

    Jim: Given your previous jobs, you were accustomed to working under pressure, right?

    Scottie: I spent several years as a dispatcher, a firefighter, and a law enforcement officer. Those jobs gave me plenty of experience working in high-stress situations. In cybersecurity, the ‘bad guys’ are different, and the fire drills aren’t literal, but the consequences can still be very severe. That’s especially true when you consider how many devices are being connected to the internet now.

    Jim: You’d know that better than most. Your house is like Area 51, except with more electronics.

    Scottie: Well, maybe more radios.

    Jim: That’s right. You’re a HAM radio operator. How’d you get into that? More importantly, why?

    Some of Scottie’s HAM radio gear

    Scottie: As a dispatcher, I became fascinated with radios. When cell service and other forms of communication go down, the HAM operators can continue to broadcast, and that’s an important civil defense benefit. During the terrible hurricane in Puerto Rico, for example, it was the HAM operators providing updates to people in the US. Think about how relieved people were to hear that their loved ones were okay. Or how important it was to know what relief supplies were needed where.

    Jim: Is that how you found your way into the IT security world?

    Scottie: That was actually more by chance than by design. As you remember, our former company was growing fast, especially in the early days. They needed help, so a friend of mine offered me an opportunity to join the team and learn about infosec. Being a first responder was a great job, but cybersecurity offered better pay and more predictable hours . . . in theory.

    Jim: I’ve asked other team members how they found Raxis, but as I understand it, Raxis found you.

    Scottie: That’s right. In my previous job, I didn’t like to take phone calls for security reasons.

    Jim: I thought it was only my calls you didn’t take.

    Scottie: There were a lot of reasons I didn’t take your calls. But I was always wary, and the folks at the front desk knew to screen everyone. But (Raxis’ COO) Bonnie Smyre actually got me on the phone to talk about doing a penetration test for us. My first thought was, “She must be really good if she got through that easily.”

    Scottie Cole, drone operator and wannabe surfer

    Jim: Did you hire Raxis for the pentest?

    Scottie: Yep. But I also got to know Bonnie, (VP of business development) Brad Herring, and (CEO) Mark Puckett and realized this is the type of work I want to do, and they are the people I want to work with. As I met other team members, I knew it was a great culture and a great team, so I jumped at the opportunity to join them.

    Jim: What’s your favorite part of the job?

    Scottie: What’s not to like? I get paid to hack into other people’s networks. I get to learn from the best in the business and share what I know with them. It’s an outstanding company in a space that’s becoming a lot more important. When business owners say that a network breach would be more damaging than a fire, you understand just how critical cybersecurity is in our daily lives.

  • Meet the Team: Adam Fernandez, Lead Developer

    Hi, everyone! I’m Adam Fernandez, and it’s my turn to introduce myself as part of the Raxis Meet the Team series. So, I spoke to our marketing specialist, and we talked about how I came to be a security professional. (As it turns out, I started down that path early in life.) I certainly enjoy working with this team and, if you think you might also, read on and then check out our careers page or subscribe to our YouTube channel.

    Jim: Adam, you’ve done a lot of penetration tests, but your title is Lead Developer. What’s going on there?

    Adam: I started out at Raxis as a penetration tester when I joined the company in 2017, but I also enjoy developing software, testing devices, and taking apart and building new ones. One of the great things about working for Raxis is that our leaders understand how those skills complement each other, and I have a lot of flexibility to work on new and advanced projects in addition to helping with pentesting engagements.

    Jim: As I understand it, you came to Raxis from an entirely different career field, right?

    Adam: That’s right. I actually studied stage management and lighting design at Kennesaw State University. In fact, theater was the focus of much of my time at Woodstock High School in Woodstock, GA as well as in college.

    I started out as a stagehand, moving a ladder on and off stage. But I really wanted to work with sound and lighting, so I started learning as much as I could about that through YouTube videos, the Internet, and books my mom bought for me. I also sought out internships in Seattle, where I lived in the summers, and worked on the production of Sweeney Todd at SecondStory Repertory Theater.

    Jim: Did that help spur your interest in development?

    Adam: In a way. As I transitioned into stage management, I knew that the sound and lighting people needed a better system for taking their cues, and my high school couldn’t afford an expensive solution. I really believed that was something I could figure out. So, I built a device to let them know what they were supposed to be doing when. Then I sold it to the school for $350.

    The device Adam created as a senior in high school.

    Jim: That’s pretty amazing for a student, but you didn’t stop there, right?

    Adam: No, I also wanted the theater department to have its own website to manage membership dues and ticket sales, so I created the whole thing from scratch. It was the ugliest site ever, but the school paid me $500 per year to manage it.

    Jim: Sounds like you were a bit of an entrepreneur as well.

    Adam: Well, I did create my first company at KSU. I developed software that would automate the audition process with searchable applications and headshots. The school paid me to manage events, but there was a rule that prevented them from paying students directly, so I had to create a company to make it all legit.

    Jim: So, how did you move from doing events at KSU to penetration testing?

    Adam: Well, I was also a student assistant at KSU for the Facilities Manager, Brad Herring, who ended up leaving KSU to go to work with Raxis and is now VP of Business Development. After he’d been here a while, he told me, “I think you’d be really good at pentesting, and I want you to talk to our CEO.” Brad’s always been a mentor to me and one of my best friends, so I took his advice and had lunch with him and (Raxis CEO) Mark Puckett. Before I knew it, I was working in a fascinating new field that I loved.

    Jim: What is it about cybersecurity that’s interesting to you? How did you make that leap?

    Adam: Looking back on it, security really wasn’t a leap at all. I remember as a small child, having an intense interest in padlocks and how they worked. I asked for a safe for Christmas one year. Then, it was spy gadgets, alarms, and games. My stepdad was a software developer, and, at a very young age, he helped me make a program that required you to enter a certain color sequence to unlock the app.

    Now, I’m intrigued by using software to control things in the real world, which is why I love the IoT and figuring out how various devices work. In fact, I have an electronic access keycard system at my house. It’s antiquated, but I bought it in part so that I could reverse engineer it and learn how it works.

    Adam’s favorite device is his Tesla

    Jim: Do you get to work with devices at Raxis?

    Adam: Yes, we have our Transporter that we use to do remote pentesting, and we recently bought the Boscloner company. That’s a very advanced badge-cloning device. Of course, with more and more devices online, IoT security is becoming a lot more important every day.

    Jim: What’s your favorite part about working with Raxis?

    Adam: I love having the ability to introduce new ideas and not only have them heard but also make them a reality. And Raxis just feels like family. Theatre was like that too, but this feels way more genuine.

  • Meet the Team: Tim Semchenko, Senior Manager, Operations and Customer Delivery

    I’m Tim Semchenko, senior manager of operations and customer delivery for Raxis. As part of our Meet the Team series, I agreed to do an interview with our marketing team. Below, you’ll see how I found my way to Raxis and why I like it so much here. If you’re interested in working with an outstanding group of folks, go visit our careers page or check out our YouTube channel to get an idea of what it’s like to work with us.

    Tim on the beach

    Jim: Tim, tell us about your role at Raxis.

    Tim: My title is senior manager of operations and customer delivery. That means my job really starts once a sale is made and the scope of work is established. My role is to make sure the customer has a great experience from the beginning of the engagement to the end.

    Jim: That sounds like a tall order. What all do you have to do in order to make sure the engagement is successful?

    Tim: So, my role is “soup to nuts” – making sure we have the right resources available, that we stay on schedule, that we deliver everything we said we would, and that the customers get what they’re expecting. I’m Raxis’ liaison, so, when issues come up, it’s my job to figure out how to adapt and adjust to make sure they get what they need.

    Jim: What’s your favorite part of the job?

    Tim: Honestly, I enjoy the challenges that come with managing a heavy workload. No two jobs are exactly the same, so there are sometimes complications that we can’t foresee going in. When that happens, it’s like triage – solving ‘unsolvable’ problems. Scheduling around the birth of a baby, for example. There are always fires to put out, but I love the fast pace, the people, and the conversations.

    Jim: How do you measure success? How do you know that your customer has had a great experience?

    Tim: I know because they tell us. My work doesn’t end when the penetration test is over. We go back and ask them how we did and what we can do better. As I said, I like the conversations and it’s incredibly rewarding to hear what they say about our team and the quality of our work.

    Jim: Is it fair to say you came into this role in an “indirect” fashion? You didn’t start out in tech, right?

    Tim: You could say it was very indirectly. I grew up south of Boston, in Quincy, MA, and was actually a religion major with minors in music and philosophy in college. Afterwards, I was a high school music teacher and football coach for a while, and even went back to school to get a master’s degree in special ed. I was taking classes during the day and tending bar at night, but a softball injury ended my bartending, so I started driving a cab.

    Tim belts out a song on stage with friends.

    Jim: So, you went from driving a cab to working in cybersecurity?

    Tim: Not quite. While I was driving the vice president of a large investment management firm one day, we started chatting and he told me his division was hiring. So, I took a job working in foreign exchange and from there got into project management with a different penetration testing company that does a lot of work with Raxis. I really liked the company and the people, so when the opportunity opened up last March, I joined the Raxis team.

    Jim: You’ve had a very diverse working career. What do you do for fun?

    Tim: I enjoy all sorts of outdoor activities with my wife and two kids. Going to the beach, kayaking, playing sports.

    Jim: You clearly have a lot of musical talent as well. Do you still perform?

    Tim: Yep. I’m not in a band, but I have several friends who are. So, they let me join in for sets on occasion. And, of course, I like karaoke as well.

    When you’re on stage, everyone’s eyes are on you and there’s a lot of pressure to perform well. To me that’s what makes it exciting. That same dynamic is one of the things I enjoy most about my job at Raxis.

  • Meet the Team: Matt Mathur, Lead Penetration Tester

    Hi, I’m Matt Mathur. A few days ago, I did an interview with Jim, our marketing guru. The idea is to introduce you to Raxis through the eyes of our team, how we found our way to this profession, and to help you understand what drives our passion for penetration testing. Read on to learn more about my personal story, and if you’re interested in joining our team, check out our careers page and see if you might be a good fit.

    Jim: Tell me a little about your background. How long have you been with Raxis?

    Matt: I grew up on Long Island in New York and got my B.S. in Computer Science from Northeastern University in Boston. I now live in Philadelphia with my fiancée Natasha, who’s finishing up medical school. I joined the Raxis team last November after working on building some automated attack tools to assist in cybersecurity testing and training.

    Jim: How did you come to focus on cybersecurity?

    Matt: Well, I had some experience as a software engineer, in malware research and other security research before turning towards offensive security. I liked all those things, but the idea of offensive security – of using our hacking ability to help companies become more secure – is really what excites me.

    Jim: Helping people seems to be a theme in your career and in your personal life. Is that right?

    Matt: Yeah, I think that’s really what led me to cybersecurity in the first place, helping people protect their users and important data. Outside of that, I try to volunteer at organizations such as Black Girls Hack and Women’s Society of Cyberjutsu to help empower people to succeed in cybersecurity. I’m also just inspired by Natasha, who is helping people every day.

    Jim: How does working on the Raxis team fit into that mix?

    Matt’s homemade macarons

    Matt: When we help companies remediate vulnerabilities, we’re helping them secure their users, data, and company. The team is passionate about this, and about helping other security researchers by sharing knowledge with the community.

    Jim: Help our readers and me understand what you mean by that.

    Matt: The Raxis team is fully remote, and we’re constantly updating each other on the newest attacks, tools, and vulnerabilities. On top of that, we’re encouraged to publish our findings, tools, and techniques to help others in the community remediate them too.

    Jim: Do you have an example?

    Matt: Sure, I recently published a Metasploit Module based on a new vulnerability I discovered in Microsoft’s Remote Desktop Web Access application. This module helps people detect the vulnerability, and Raxis not only gave me the time to work on this, but also actively encouraged it. The team celebrates these things, and the same is true for team members who earn new certifications, find creative ways to breach a customer’s network, or develop other tools.

    Jim: You’ve talked about a lot of advantages to being part of the Raxis team. What’s your favorite part of the job?

    Matt: Outside of being able to use offensive security to help people, I like being challenged while learning new things. Outside Raxis, I like to play strategic games like MtG, go hiking and biking, and improve my cooking and baking. These are varied, but it’s nice to get outside my cybersecurity headspace.

    With that said, my favorite part about the job is that it’s an ongoing challenge. We work with clients in various industries with vastly different networks, applications, and security postures. Even very similar companies can have entirely different tech stacks, so there’s constantly room to learn.

  • 12 New Cyber Terms the World Needs Now

    There ought to be words for these things . . . and now there are. How many examples do you see in your work each day?

    Over the course of hundreds of penetration tests, red team assessments, and incident responses, we’ve encountered situations that left us without words. So, rather than just stand around speechless, we decided to create some new verbiage to fill in the blanks. See if you find any of these appropriate around your office or within your company.

    • Againstigation. uh-gain-stuh-GAY-shun. n. Studying the root causes of a large-scale breach even though the same basic tactics have been used repeatedly and the underlying problems remain.
    • Backoops. BACK-oopz. n. The act of deploying a secure backup solution after sensitive company data has been encrypted by ransomware.
    • Breacher’s pet. BREE-churz-pet. n. Anyone who leaves helpful notes with usernames and passwords on sticky notes attached to their monitor.
    • Chivalregret. SHIV-ul-ree-gret. n. The realization that a person for whom you’ve politely opened a door was actually a hacker who has now owned your network.
    • Clickmate. KLIK-mate. n. The moment when a hacker realizes a phishing campaign has captured the credentials of a network administrator.
    • Cyberchosis. si-bur-KO-sus. n. Delusional state that causes business owners to imagine they live in a world where hackers only attack other companies.
    • Duhpgrades. DUP-gradez. n. A series of long-overlooked and time-consuming upgrades that must be completed before a critical software patch can be installed.
    • Homepwnrship. HOME-PONE-er-ship. n. Taking over a corporate network by first hacking a remote worker who fails to follow proper security protocols.
    • Pastword. PAST-werd. n. 1) A password in use on multiple sites. 2) Any password that remains in use after a site where it is used has been hacked.
    • Pen-guesting. PIN-guess-ting. v. Using visitor login information to access sensitive data improperly secured on a company network.
    • Premiscuity. pri-miss-KEW-e-tee. n. Allowing an unknown person or persons into secure areas of a facility.
    • Ransomdare. RAN-sum-dair. v. To passively invite a cyberattack by refusing to provide cybersecurity training, allowing poor password hygiene, and failing to employ secure backup.

    Do you have any terms you’d like to add to our list? If so, visit us on Facebook, LinkedIn, Twitter, or Instagram and leave us a message. Better yet, share this post and bring your friends in on the fun.

    If you’d like to learn about cybersecurity terms we didn’t just make up, visit our glossary.

  • Why Our Team is Excited about the Purchase of Boscloner

    If you haven’t heard the news yet, Raxis has purchased the industry-dominant Boscloner electronic access badge-cloning technology from our friend and frequent colleague, Phillip Bosco.

    For the benefit of those outside the pentesting world, Boscloner is basically the iPhone of physical hacking technology – except with fewer real competitors.

    WARNING: If advanced technology worries you, this next part might be terrifying.

    Our CEO, Mark Puckett, calls the Boscloner technology a “master key to corporate offices and server rooms.” That’s because it enables a penetration tester, often on a red team engagement, to read someone’s security badge data, copy it, and then make a duplicate with all the same permissions.

    While that’s impressive by itself, Boscloner can do it without ever touching the badge and from six feet away. Even better (or worse, depending on your perspective), Boscloner eliminates the need for a badge entirely in some situations and can use captured data from one badge to employ ‘smart brute force’ to hack and duplicate others with greater privileges.
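    The ‘smart brute force’ idea above (read one badge, then derive its neighbours) is easiest to see from the bit layout of a low-frequency badge. The following is an added example written for this page, not Boscloner or Raxis code, and it assumes the common 26-bit Wiegand layout (one even-parity bit, an 8-bit facility code, a 16-bit card number, one odd-parity bit); the page does not say which card formats Boscloner reads, so the format is an assumption. Once one valid frame has been decoded, the facility code is known and every other badge issued at that site differs only in its 16-bit card number, so the space an attacker must try collapses from 2^24 valid frames (the two parity bits are derived, not chosen) to at most 2^16, and in practice to the handful of numbers issued alongside the captured one.

```python
"""26-bit Wiegand (HID H10301-style) badge frames: encode, decode, enumerate.

Added example, not Boscloner or Raxis code. ASSUMPTION: the badge uses the
common 26-bit layout (even parity | 8-bit facility | 16-bit card | odd parity).
The page does not state which formats the product reads.
"""
from __future__ import annotations

FRAME_BITS = 26


def _parity(bits: int, width: int) -> int:
    """Return popcount(bits) mod 2 over the low `width` bits."""
    return bin(bits & ((1 << width) - 1)).count("1") & 1


def encode_h10301(facility: int, card: int) -> int:
    """Build a 26-bit frame (as an int) from facility code and card number."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility << 16) | card        # 24 data bits
    even = _parity(payload >> 12, 12)        # even parity over the upper 12 data bits
    odd = _parity(payload, 12) ^ 1           # odd parity over the lower 12 data bits
    return (even << 25) | (payload << 1) | odd


def decode_h10301(frame: int) -> tuple[int, int]:
    """Check both parity bits and return (facility, card); raise on a bad frame."""
    if frame < 0 or frame >> FRAME_BITS:
        raise ValueError("frame is not 26 bits")
    even, payload, odd = frame >> 25, (frame >> 1) & 0xFFFFFF, frame & 1
    if even != _parity(payload >> 12, 12) or odd != (_parity(payload, 12) ^ 1):
        raise ValueError("parity check failed")
    return payload >> 16, payload & 0xFFFF


def as_bitstring(frame: int) -> str:
    """Render the frame as the 26 bits a reader would clock out on the Wiegand lines."""
    return format(frame, "026b")


def candidate_frames(captured: int, window: int) -> list[int]:
    """Valid frames for cards numbered within +/- window of a captured badge.

    Sequentially issued badges normally share the facility code, so one
    captured read fixes 8 of the 24 data bits; the parity bits then follow
    from the guessed card number, leaving only the 16-bit number to search.
    """
    facility, card = decode_h10301(captured)
    lo, hi = max(0, card - window), min(0xFFFF, card + window)
    return [encode_h10301(facility, n) for n in range(lo, hi + 1) if n != card]


def search_space(known_facility: bool) -> int:
    """Distinct valid frames to try with or without a known facility code."""
    return 1 << 16 if known_facility else 1 << 24


if __name__ == "__main__":
    # Constructed sample badge for demonstration, not a real credential.
    captured = encode_h10301(facility=42, card=1000)
    print(as_bitstring(captured), decode_h10301(captured))
    for f in candidate_frames(captured, window=2):
        print(as_bitstring(f), decode_h10301(f))
```

    The point for a defender is the last function: a format whose only secret is a 16-bit counter cannot survive a single captured read, which is why the witnessed-access demonstrations described in the quotes below tend to end with a badge-technology upgrade rather than a policy memo.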

    If you have a chance, visit Boscloner and check out its capabilities. When you do, you’ll be very glad that Phillip Bosco is a former Marine who truly is on the side of good and right.

    You’ll also see why our own team is pumped that we’ve brought this technology in house. In fact, we did an informal survey just to get everyone’s reactions and here’s what they said:

    • Bonnie Smyre, Chief Operating Officer: “Raxis has used the original Boscloner on social engineering and red team engagements for years. I’m incredibly excited to now include Boscloner in the list of products and services we offer to our customers. Nothing beats experience… and the experience of witnessing unauthorized access to your premises using Boscloner technology is an experience that motivates our customers to upgrade their badge technology to be more secure.”
    • Scott Sailors, Vice President of Security Consulting: “I am a huge fan of the first generation Boscloner. The ease of use on a high-pressure Red Team can make a big difference. The mobile apps are a game changer. Phil Bosco did an amazing job and the next generation Boscloner is even better. I’m excited to see Raxis take over the project and build on what Phil created.”
    • Brad Herring, Vice President of Business Development: “I’m excited about the Raxis acquisition of Boscloner. I’ve used several versions of badge replicators on SE jobs, and this is by far the best one out there. It matches the excellence that customers expect from the Raxis brand and is going to be a great tool for anyone wanting to test their electronic locks and physical security systems.”
    • Tim Semchenko, Senior Manager of Operations: “As we return to normalcy, I have been looking forward to the team having the opportunity to conduct more physical social engineering tests. With the addition of the Boscloner to their respective utility belts, Raxis now has a HUGE differentiator over the competition.”
    • Adam Fernandez, Lead Developer: “Boscloner opens up a world of opportunities for Raxis as part of our physical social engineering engagements. It’s already an amazing tool for helping our customers secure physical access to their premises, and I’m looking forward to where Raxis will be able to take the product in the coming years.”
    • Scottie Cole, Lead Penetration Tester: “It is great to be working with Boscloner. It is an extremely powerful tool to help us show customers how their physical security can be breached very quickly if they aren’t prepared.”
    • Matt Dunn, Lead Penetration Tester: “The acquisition of Boscloner is another great example of Raxis identifying top tier security tech and utilizing it to help our customers. Staying on top of current threats is paramount in penetration testing, and the Boscloner will continue to allow Raxis to do just that.”
    • Sean Brown, Senior Penetration Tester: “I enjoy working for a company that is always on the hunt for new and innovative tools that will help provide the most comprehensive security test on the market. The Boscloner is the most recent example of Raxis’ investment in new and cutting-edge security technology. As a security consultant for Raxis, I am looking forward to using the Boscloner on my Red Team engagements, as it outperforms any other RFID cloner available on the market.”

    There’s one other reaction that’s worth sharing as well. This one from Phillip Bosco himself. As I said earlier, Phil is a friend, and we enjoy working with him frequently. Here’s what he had to say about the sale of his company to Raxis:

    “As a penetration tester, the Boscloner was built out of necessity to render physical security assessments easier and more streamlined. With the industry leading talents and vision that Raxis brings to the brand, the Boscloner now has a more exciting future than ever before. There is no other group of individuals that I would rather trust with a project that has been as close to my heart as this than the folks at Raxis. I am blessed and grateful for my ongoing personal and professional relationship with this team that has spanned many years. I cannot wait to see the Boscloner grow and transform as it continues on under the direction and leadership of team Raxis.”

    Phil Bosco

    Red teams are Raxis’ flagship offering, and Boscloner is a force multiplier in that space. Acquiring Boscloner allows us to continue Phil Bosco’s innovative vision of bringing next-generation RFID attacks to market. It’s a chance for us to raise the bar for the industry overall and really transform how organizations look at premises security.

    Security is an exciting place to be, and as the team’s enthusiasm demonstrates, we can’t wait to up the ante.