Month: March 2021

  • Three Questions to Ask Before Connecting a Device to the Internet

    Raxis Lead Penetration Tester, Scottie Cole

    I’m a gadget guy with a lot of IT experience, which of course makes me the pro bono tech troubleshooter for every friend and relative within 100 miles. It also means I’m the guy they call when they want to connect their latest gizmo to the Internet.

    I don’t usually mind helping, but I often find myself wondering if people are putting enough thought behind this race to connect to the Internet of Things (IoT). 

    Ha! Just kidding. I know for a fact that most aren’t putting any thought behind it.

    The allure of convenience, the snob appeal of being an early adopter, and the FOMO factor make it incredibly easy to sell these devices. But there’s no incentive to also talk about security issues – and that’s a big problem. 

    So, as a public service, I’m taking off my gadget-geek gear and putting on my professional hacker hoodie. Before you connect any device to the Internet, ask yourself these questions (and answer them honestly):

    Will I really use it as much as I think? This is about more than simply being frugal. The less you use a device or an associated app, the more likely you are to miss important updates and leave security patches uninstalled. You might not be paying attention, but hackers surely are. Which brings up a second question . . . 

    Can I secure it? Why don’t we pose that question to Alexa? Oh, wait. Can we trust her? Really, we only have a pinky swear from the company that she’s not spying on us. And that’s a potential problem with many devices. Even as a security professional, I can only control the security on my end. If it’s a centrally administered service, I have to also trust the company to protect access to the device as well. That’s why it pays to really read what they have to say about security. And that raises a third, even more important question . . . 

    What am I putting at risk if it’s hacked? One of the great IoT ironies is that some of the products sold under the guise of making us more secure are often the most vulnerable to attack. That means security cameras can turn into spy cameras. The ability to lock our doors remotely means they can be unlocked the same way. In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.

    A more urgent concern is that any device connected to your network can become a pathway for unauthorized access. If you think that’s unlikely, watch my colleague Scott Sailors hack a wireless mouse. From a practical perspective, that means you should segment your network so that, if your toaster is hacked, you’re not putting all your bank and credit card data at risk as well. 

    The reality is that connected devices are improving our lives dramatically and we haven’t even scratched the surface of their real capabilities. It’s exciting to realize that more and more devices are becoming smarter and more capable. In order to fully enjoy the advantages of being connected, we simply need to be realistic about our abilities, mindful of the risks we take, and diligent about mitigating them effectively.

    Companies hire the team here at Raxis to identify vulnerabilities and correct them before hackers can take advantage. As individuals, it’s up to us to do it ourselves.

    Of course, you can also call on a friend or relative to help. (Not me, though. I’m all booked up through the end of the year.)

  • Change is Growth in the Pen Testing Field

    Ask most of us at Raxis what we do, and we’ll tell you we’re penetration testers or ethical hackers or simply that we work for a cybersecurity company. But if you ask what that means – what we really do on a day-to-day basis – you’ll likely get a variety of fun stories about sneaking into buildings, bluffing our way past security guards, using high-tech equipment and special software to hack into networks . . . you know, the usual things.

    That’s partly because the field of penetration testing requires us to try many different approaches to breach a customer’s defenses, which means the more skillsets we bring to the job, the better our chances. But it’s also because Raxis is a company where those additional talents are rewarded with opportunities to grow.

    In this week’s video, Adam Fernandez explains how his journey at Raxis has taken him from pen tester to his current role as our Lead Developer. 

    Adam is a great example of the unique talent we have at Raxis and the type of multifaceted professionals we look for to join our team. His professional growth is helping our company grow and in turn opening up new opportunities for all of us.

    Are you the kind of person who brings more than one set of skills to the job? Are you looking for a team where flexibility and adaptability are appreciated and rewarded? If so, take a look at the other articles in this series and let us hear from you.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Client Success is Raxis’ Success

    At Raxis, we find that communication with our clients is one of the most critical components of our service.

    Throughout the penetration testing process, we communicate with our clients through daily updates. At the end, we provide not only a debriefing call but also a full report describing what we found, what it means for them, and steps they can take to resolve any issues uncovered throughout the process.

    In the video above, Raxis Senior Manager of Operations and Customer Delivery Tim Semchenko explains how critical the after-action reporting is for our clients.

    It is undeniable that finding network security vulnerabilities and helping our clients shore up those weak spots is a huge component of what we do. However, the key to a successful engagement between us and the client is communication. Our penetration testers must be able not only to find security flaws but also to communicate these issues accurately to the client and detail how to remedy them.

    We could simply drop a report on your desk showing what we found and what to do to fix it, but that just isn’t who we are. We want our clients to feel that Raxis is a trusted partner who respects them and is there to help them understand every aspect of their report.

    By treating customers like partners, we ensure our success is based on your success. 

  • Guiding the Next Generation of Cyber Pros

    At Raxis, we love what we do, and we relish any opportunity to share our passion with the next generation of cyber professionals, so I was thrilled when Cameron Colavito, a senior at the Lovett School in Atlanta, asked to interview me for her senior project focusing on cybersecurity. 

    During the interview Cameron asked what I believe is the most important trait for cybersecurity leaders to possess. I knew my answer immediately – integrity, without a doubt. Businesses, schools, individuals, and families all trust cybersecurity professionals to protect their most sensitive data from attacks, leaving these cyber pros with an extreme amount of power. And as we all know, with great power comes great responsibility. 

    We take the responsibility we’ve been entrusted with very seriously at Raxis, and we’re so glad to see that schools are giving students the opportunity to learn ethical practices as well. Judging from her project description below, Cameron will be more than ready for a future in this field.

    “The concept of my senior project is to learn about how cyber security professionals handle ethical hacking, leadership, and education. I have the opportunity to interview professionals in the field, as well as take up a spring internship with Curricula. During my internship, I will experience how they lead and educate their customers on important cyber issues such as ransomware, social engineering, information security, etc.

    “After graduation, I’m heading to the United States Naval Academy and plan to major in cyber operations. I am excited to see how this field of study becomes a reality in businesses such as Curricula, Raxis, and this growing industry.”

    Cameron Colavito

    I will add that Cameron has earned a great honor with her acceptance into Annapolis. If she sticks with cybersecurity, she will have an opportunity upon graduation to be an officer in the Navy’s information warfare community. In that role, she will help lead the ongoing fight against nations and non-state actors to protect our critical information systems.

    It has never been more important for us to encourage the next generation’s best and brightest to pursue a career in cybersecurity. Given the threats we face from within and from abroad, the opportunities are limitless. For those like Cameron, who answer the call with initiative and integrity, I expect that future will be incredibly rewarding.

  • At Raxis, Learning and Improving are Constants

    In today’s video, you’ll hear from Lead Penetration Tester Matt Dunn, the newest member of our team, about why he appreciates the learning environment we’ve created and continue to nurture at Raxis. 

    Matt actually came to Raxis with several certifications under his belt and another now in progress. That proactive quest for knowledge was a good sign that he would be a great fit on our team and was among the reasons we hired him. As it turns out, we were right: Not only has he done excellent work as a penetration tester, Matt has also published his first Metasploit Module. (For the uninitiated, that is a very big deal in the pen testing world.)

    To be clear, it is certainly possible to be an outstanding penetration tester without professional certifications. Likewise, I’m sure there are bad testers out there with walls full of them. As with Matt, however, taking the initiative and making the effort suggests that you are willing and able to learn – and that is a key differentiator for both pen testers and the companies that employ them.

    Why? Because the threat landscape is constantly evolving, and our knowledge and skills have to keep pace. That means the pros that make up our team have to be smart enough to hit the ground running and humble enough to continue learning once they’re on board. 

    Listen to Matt describe his experience, and you’ll get an idea of what this means in practice.

    At Raxis, we foster a learning environment, not just through research and certification training, but also through open communication among our team members. This group includes people from diverse backgrounds who each bring unique skills to the table. When we hire, we look for individuals who are both willing to share their talents with us and also able to learn from the other accomplished professionals on our team.

    Do you thrive in a learning culture? If so, Raxis might just be for you. Be sure to check out our other videos in this series and see if Raxis is the opportunity you’ve been looking for. 
