Tag: Cybersecurity Tips

  • Monitor. Detect. Alert. It’s worth the effort.

    Let’s talk about monitoring and alerting. 

    First – what is it? Simply put, monitoring and alerting is the ability to detect a suspicious incident and notify the appropriate team members who can decide what type and level of response is necessary.

    However, your monitoring and alerting system isn’t a set-it-and-forget-it component of your overall cybersecurity posture. It’s not quick and easy, but it is essential. Without properly tuned filters and someone who knows how to digest the information and react appropriately, malicious actors can slip inside your network without your knowledge. 

    As Brian discusses, monitoring and alerting take time, experience, and ongoing testing to get right. 

    At Raxis, our penetration testing not only tests for vulnerabilities, but we also test a company’s ability to detect an attack or exploit attempt. When we test, we do so in an escalating manner that allows us to determine at what threshold detection occurs. This in turn allows our clients to see how effective (or not) their monitoring is and modify their protocols accordingly.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Badge Cloning is Easier Than You’d Expect

    You would be hard pressed to find a company or an organization that doesn’t issue employee badges to every employee on day one. These radio frequency identification cards usually include employee pictures as well as an electronic tag that allows access to secured doors throughout the building. The cards let IT teams know who went where and when. Companies love them because they are inexpensive and easy to manage.

    What a lot of companies don’t realize, however, is that the technology to read and duplicate the cards is relatively inexpensive and easy to obtain by almost anyone. Unless you take proper precautions, the badge you’ve issued for security could become a vulnerability.

    Check out this video to see just how easy it is for someone with criminal intentions to gain access to secured areas of your building. The Raxis team has used this technique very successfully over the years on our red team engagements. 

    As the video demonstrates, the process is simple and fast. Even if you know what to look for, it’s hard to spot when it’s happening. 

    At Raxis, our assessments are meant to identify real-world vulnerabilities that may otherwise go unnoticed. We are here to attack – in a completely ethical way – and show you how to make your company a harder target for hackers.

  • It Might be a Phishing Attempt . . .

    Hackers and cybercrooks use lots of tools to get into your network and steal your information, but the cheapest, easiest, and most common is still by email phishing. Effective spam and virus filters can shield you from a lot of these attempts, but certainly not all. The most effective way to protect yourself is to educate your team. Toward that end, here is yet another reminder about some tell-tale signs in an email that it might be a phishing attempt. Of course, there are some other signs that tell you it’s definitely a phishing attempt.

    • If your CEO suddenly asks you to buy a ton of gift cards, it might be a phishing attempt. If she’s the type who also frets over the cost of paper clips, it’s definitely a phishing attempt.
    • If it’s a random news story from an outlet you don’t follow, it might be a phishing attempt. If the link points to http://mailorderbrides.someassemblyrequired.com, it’s definitely a phishing attempt.
    • If you see .ru in the email anywhere, it might be a phishing attempt. If it’s written in Cyrillic script, it’s definitely a phishing attempt.
    • If you vaguely remember your network admin warning you about the sender, it might be a phishing attempt. If she’s running toward you, waving her arms wildly, and shouting “nooooo!” it’s definitely a phishing attempt.
    • If it’s an unsolicited email, even from a reputable company, it might be a phishing attempt. If it’s from Facedook, Amazom, Microsfot, or Gooogle, it’s definitely a phishing attempt.
    • If your friend says she’s stranded in Japan, it might be a phishing attempt. If she hasn’t traveled outside the city since ‘N Sync broke up, it’s definitely a phishing attempt.
    • If it’s about your benefits or salary and you had no prior notice from HR, it might be a phishing attempt. If they misspelled HR, it’s definitely a phishing attempt.
    • If it’s from your significant other reminding you to bring home coffee, it might be a phishing attempt. It’s probably not a phishing attempt, but now you have a (lame) excuse if you forget.

     

  • Securing Your Wireless Network

    This week Raxis Chief Technology Officer Brian Tant continues his video series about the most common vulnerabilities our team has discovered as they’ve performed thousands of penetration tests across the US over the years.

    In this video Brian highlights the unique challenges wireless security brings to the table and breaks down which type of encryption you may want to consider to enhance your wireless security posture and protect your network. 

    Brian explains the pros and cons of WPA2 Personal Encryption, WPA2 Enterprise Encryption, and Certificate-based Authentication and discusses which one the Raxis team recommends to bolster your security.

    Hopefully, you’ve watched the video and have a better understanding about which type of network encryption is most secure. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

  • What to Expect When You’re Expecting a (Raxis) Penetration Test

    I made this video to help you understand a little better how Raxis works, and specifically what happens once you engage us. I hope it allays some of your concerns about penetration testing.

    There’s no reason to fear a pen test. Seriously. After all, it’s just a simulated cyberattack, one that you authorize and allow. Yet some CEOs, CIOs, and CISOs are hesitant to allow this ethical hacking for fear that the bad guys will somehow use it against them, that it will cause security issues, or that it will make them look bad. In fact, it’s just the opposite – especially if you choose to engage Raxis.

    We get it, though. It’s natural to be cautious, and it’s prudent to want to know more about the people you’re working with, especially when granting access to your company’s most sensitive data. Whether you choose to work with Raxis or any other firm, we recommend you ask (and answer) plenty of questions up front. You want to know the company has the right experience to offer a range of high-quality services. One size definitely does not fit all. The firm you select should speak to you in advance to understand your specific needs and expectations . . . and then design and deliver the type of test, training, and follow-up that best protects you and makes you more resilient.

    The Raxis team has some of the industry’s most advanced certifications, but we don’t intimidate our customers or hide anything from them. We believe knowledge empowers our clients, and we share it freely. Whether you use us or someone else, penetration testing is a critical part of your corporate cybersecurity strategy that you should not put off or bypass.

    As you can see, we welcome your questions and concerns during every phase of our process. We conclude our pen tests with an executive summary for management and detailed findings and screenshots that can serve as a to-do list for your internal teams.  

    Raxis stands by our processes, our team, and our word. Now it’s up to you to perform due diligence and research the expertise and deliverables of any cybersecurity company you’re considering. Follow us on this blog or social media, read more about our pen testing experience, or contact us directly to learn more about why some of America’s corporations (and small businesses) choose to work with us.

  • Securing the Internet of Things

    The term “Internet of Things” is almost redundant now. If it’s a “thing” that has more than one setting, odds are it is or can be online. Whether or not you need remote access to your toaster oven is a question for another day, but it is an option.

    Here’s the problem: As the Raxis team proves on a near-daily basis, anything that’s connected can be hacked. It’s not that someone’s going to overcook your morning bagel as a prank (although that would be a good one). Instead, it’s that uncontrolled access to any device can give a bad guy a way into your network (and maybe all your devices) if you’re not careful.

    The good news is that there are some simple safeguards you can take to protect your smart devices, and our new Securing the Internet of Things series will take you through them.

    Scottie Cole, senior penetration tester, is kicking things off with the quick video above about securing your home thermostat or corporate HVAC system. I encourage you to watch and to follow Scottie’s advice. Better to take a few minutes now than take a big loss later.

    PS – We’ll do a video on protecting your smart toaster . . . as soon as we find someone who owns one.

  • Understanding the Why Behind Password Management

    In this video, Brian will help you understand password management from the viewpoint of a hacker. It’s more than a how-to; it’s also a why-to. We’re hopeful that by seeing a little of what we see, you’ll make password management a high priority for your company.

    Despite years of warning, cajoling, and even begging by security professionals, password mismanagement is still one of the most reliable (and one of our favorite) ways to breach a company network. This week, our chief technology officer, Brian Tant, continues his video series about the most common vulnerabilities we see during hundreds of penetration tests each year.

    Remember: Complex passwords, unique to each account, and changed frequently are keys to effective password management and security. Also remember to check your service accounts and make sure that old passwords aren’t lingering on your devices.

    Effective cybersecurity is a matter of behavior as much as it is technology. Let’s make strong password management a habit that catches on. 

  • What is Least Privilege Access?

    This week, we’re continuing to explore some of the most common vulnerabilities the Raxis team has discovered during thousands of penetration tests across the US. In the video above, Brian Tant, our chief technology officer, discusses the principle of ‘least privilege access’ and why it’s an essential component of an overall business cybersecurity strategy.

    Hopefully, you’ve watched the video and have a better understanding about why you should restrict permissions as much as possible and still allow team members to get their jobs done. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

  • 3 Steps You Should Take Right Now to Reduce Your Risk of a Cyberattack

    Hi everybody, it’s Brian with Raxis, back with another video today!

    This is a busy time for us all, with no signs of slowing down. Do you know who else is busy now? Hackers – especially ones that know just how easy it is for thousands of us to forget to update passwords, patch operating systems, and scan for new viruses.

    I get it. Life happens. Seniors are graduating, families are acclimating, dogs are crashing Zoom meetings, and many of us are adjusting to completely new work environments. But if you can remember to lock your doors at home, you can get in the habit of locking out cyber attackers at work.

    Watch the video above for the top 3 things I wish every company would do today to keep out intruders online:

    These steps are the basics that every company should be taking, but, as hackers know all too well, not everyone does. Your company’s security is a 24-hour-a-day responsibility. Make sure your employees and your IT department know how critical it is for everyone to use the tools you already have to stay one step ahead of criminals.

    If this video made you wonder how secure your company’s data is, contact Raxis and learn how our tests can help you assess and improve your cyber defenses. We partner with small- and mid-sized businesses, as well as Fortune 500 companies, to help protect your employees, your data, and your bottom line.

    Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.

  • Can This Simple Trick Outwit Your Smart Security?

    Armed with nothing more than an ordinary can of cool, compressed air, a hacker can gain entry to a key-card-only access facility in just 19 seconds. Skeptical? See for yourself in this video.

    Fortunately, the guy in this video is me. Our company, Raxis, is a team of ethical hackers and penetration testing experts who evaluate and identify solutions that help businesses safeguard their sensitive data, from healthcare to finance to innovative product and app development.  

    Some folks forget that physical security is the first line of defense against a cyberattack. If someone can get inside your business, they can find your servers, and in seconds they can steal, sell, and destroy data you’ve invested thousands in protecting.

    Our cybersecurity specialists have studied for years to find hidden, unscrupulous techniques that the world’s most sophisticated hackers use. Solving these puzzles and preventing cyberattacks is what we love to do – but often we find security vulnerabilities long before we get to delve deep.  

    Finding a failure in your company’s security isn’t something to fear; it’s something to fix. And you can only fix something when you know it is broken.  

    Follow us on this blog or social media and we’ll share more ways that hackers can get in — and how we can help you keep them out.