Month: March 2022

  • Meet the Team: Jim McClellan, Marketing Director

    I’m Jim McClellan, Raxis’ marketing director and newest (full-time) member of the team. Working with the company as a consultant for two years was a great intro to the people and the culture. When the opportunity arose to join them, it was an easy decision. Now, after months of conducting these interviews, our COO Bonnie Smyre turned the tables, and it’s my turn on the other side.

    Bonnie: I would normally say, “Welcome aboard,” but I probably should say, “Welcome all the way aboard,” as you’ve been a Raxis consultant for two years now. What’s the biggest change you’ve noticed since joining us full-time?

    Jim: Focus. Even though I’ve worked as a cybersecurity marketer for more than a decade, there’s still a very steep learning curve with penetration testing specifically – the tactics involved, the technologies you use, and even the vocabulary. Early on, I thought a CVE was made by Honda and that a Metasploit Module required medical intervention. 

    Bonnie: We have a glossary now that might help.

    Jim: Haha! Yes, we do. Thank you for that, by the way!

    Bonnie: You’ve worked in cybersecurity for a while, but that’s almost a second career for you, right?

    Jim: At the very least, it’s an entirely different application of my skills from the first one.

    Bonnie: You were a speechwriter for one of Florida’s previous governors, weren’t you? How did you get into that line of work?

    Jim: This will sound like BS, but one night when I was 15, I heard a US Senator speak at a hometown fish fry, met a guy who said he was majoring in political science, and talked to an older man who told me about the importance of military service. Fast forward 12 years and I was a speechwriter for that former Senator who was now Governor Lawton Chiles. I was also an officer in the Florida National Guard with a political science degree from FSU.

    Bonnie: Ha! That does sound like BS . . . or a very fortunate evening for you.

    Jim: It would have been more fortunate to meet Bill Gates or Steve Jobs back then, but it certainly set the tone for the weirdness of my adult life. For example, I’ve had formal dinners in the Governor’s Mansion, but I’ve also fried fish on a creek bank. I’ve ridden in the Vice President’s motorcade during the same time I drove a Bronco with a rusted-out floorboard. There were so many times I wondered, “Am I really supposed to be here?”

    Bonnie: Don’t worry, you’re in the right place. Do you miss working in politics?

    Jim: Not in the least. I miss the people and the politics as they were then, but there was much more civility, respect, and appreciation for the complexities of public policy. Now, there’s a lot of unbridled and sometimes uninformed passion. As Arthur Schlesinger said, there’s “too much pluribus and not enough unum.”

    Bonnie: You’ve obviously seen a lot of changes in your field. What do you consider most significant?

    Jim: Emojis. I never thought hieroglyphics would make a comeback after all these millennia, but here we are.

    Bonnie: You’re joking . . . I hope.

    Jim: Really, I think it has been the convergent evolution of PR, marketing, and advertising. Those were very siloed disciplines for decades. Now, they’re just different starting points for conversations that happen mostly over social media.

    Bonnie: Has that made it easier or harder to reach customers?

    Jim: It’s a lot easier to get a message in front of customers but much harder to get them to notice. There are no more captive audiences listening to monologues from companies. The customers are in control, so businesses have to be ready to provide useful, high-quality information when and where buyers need it. And, of course, trust is everything. Word of poor service or a faulty product can, quite literally, travel around the world in minutes.

    Marketing is still about authenticity and creativity, but the canvas is larger, and we have more colors and brushes to work with.

    Bonnie: And emojis.

    Jim: Yes!

    Bonnie: I know one of your favorite tactics in these meet-the-team interviews is to get people to tell you about their hobbies or unusual things they’ve done. So, I’m going to do that with you. 

    Jim: My hobbies include backpacking, fishing, hunting, and any other reason I can dream up to be outdoors. I also like woodworking and volunteering with Habitat for Humanity. As for unusual? Let’s see: I wrote a book about growing up on the Apalachicola River and the adventures we had in my small hometown. After it was published, my brother (a judge) pointed out that I had confessed in writing to two felonies and multiple misdemeanors.

    Bonnie: You’re not in jail, so it must have worked out okay.

    Jim: I’m not in jail, and mine is Amazon’s 537th bestselling book . . . in the hunting and fishing humor category. Win, win.

    Bonnie: Yes, just a short hop away from the New York Times Bestseller List. Speaking of the Apalachicola River, isn’t that where that delicious tupelo honey comes from? We all look forward to getting that from you during the holidays. Also, don’t feel the need to stop just because you work for us now.

    Jim: Noted. And, yes, I even named my company Tupelo Media. The Apalachicola River is one of two places where there are enough tupelo trees to produce the honey commercially. One of the jobs I had growing up was helping a beekeeper during tupelo season. Giving away jars of it is a great way to start conversations about the river — and it reminds me that I never want to be a beekeeper again.

    Bonnie: That’s good because you still have work to do here. What’s your favorite part about working with Raxis?

    Jim: I’ve worked with lots of different companies as a consultant and employee, so I’ve learned it’s easy to look at the bottom line and know how a business is performing in the short term. But it’s the team, the leadership, and the culture that will tell you whether the company will be successful for the long haul. My favorite part of working for Raxis is the certainty of being on a winning team made up of people I really like.

    And the dancing penguin emoji. I love that guy.

    Bonnie: Noted.

  • How to Hire a Penetration Testing Firm Part Two

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer, back with the second in our two-part feature about how to hire a penetration testing firm. This time, we’re suggesting some questions to ask and answers to listen for in the selection process.

    In the first article on this topic, I focused on the six things you and your company should do to begin your search for a pentesting firm. We discussed the importance of identifying why you need a pentest, understanding the data and systems that are at risk, figuring out what type of tests you need, consulting with trusted advisors, as well as checking ratings, reviews, and references.

    If you followed those steps, you’re well-prepared to begin your interviews with prospective firms. Toward that end, here are some questions you should ask during your conversations and some key points you should be listening for in the answers.

    Question 1: What is your experience in performing the type of penetration testing our company is looking for?

    At Raxis, we’re happy to tell you how many and what kind of tests we’ve done and share with you some of our most common findings. If we don’t think the pentest you’re shopping for is going to accomplish your goals, we’ll tell you why and recommend a different type of engagement that will. That’s part of our job as professionals, and we have found that it makes for a better customer experience and often saves time and money.

    On the other hand, if the firm you’re interviewing continually tries to steer you toward more expensive testing or something far different than you think you need, that can be a big red flag. They may be trying to upsell you, or they may simply not have the expertise to conduct it.

    A point we make frequently is that vulnerability scanning is not the same as penetration testing. So, also beware of firms that try to downplay your needs and tell you one is as good as the other. Raxis might recommend a vulnerability scan, but we will never tell you that it should supplant a genuine pentest.

    Question 2: What is your experience in my industry?

    Obviously similar to question 1, this one is based on your reasons for doing a penetration test. If your business is regulated and subject to special laws, rules, or industry requirements, you’ll save a lot of time with pentesters who are familiar with them. For example, if your company takes electronic payments, Raxis knows the Payment Card Industry Data Security Standard (PCI DSS), and we can plan our testing to make sure you’re compliant.

    When you ask this question, listen to see if the pentesting company proactively mentions any applicable regulations in your field – such as HIPAA compliance for health care organizations or FINRA, GLBA, or SOX, for financial institutions. If they don’t, ask and make sure they understand your needs so that you don’t have to pay for more testing later.

    Question 3: How comprehensive is your reporting?

    The goal of penetration testing should be to give your team actionable results that enable them to prioritize issues and begin resolving them in order of severity. Ask potential pentesting firms to provide a sample report. Does it summarize the issues for executives? Does it categorize the findings effectively and provide sufficient detail for your team members?

    Raxis includes storyboards so that your team can see exactly what we did and how. We also exfiltrate and redact sensitive data when we can. That’s powerful proof of what bad guys can do if your network isn’t secured.

    Also, be sure to ask whether they report where your defenses were solid. This can be especially important when you’re building a cybersecurity budget. Many Raxis clients have found it helpful to show their leadership examples of where previous security enhancements are working well. (And it shows you that those defenses were in fact checked.)

    Question 4: Who are the people I’ll be dealing with? What are their qualifications?

    Be sure that the companies you interview can identify the person who will serve as your point of contact throughout the testing, to work with you on scheduling or to quickly resolve problems that can cost precious time.

    The company should also be willing to tell you about the experience and certifications of team members. It’s a good idea to ask whether the team that conducts your test will include members with similar qualifications so you know it’s not a bait-and-switch.

    At Raxis, the diverse skillsets our team members bring to the table are one of our greatest strengths and something we like to talk about. Before they became penetration testers, our people were corporate cybersecurity leaders, software engineers, web developers, and network admins. And they also bring to the table computer hardware, electronics, mechanical, and IoT experience.

    Question 5: How much will it cost and why?

    Raxis’ CEO Mark Puckett addressed pentest pricing in a recent blog post that goes into detail about the factors that can and should drive the cost of a high-quality penetration test. In summary, the scope of the testing, the time it will take, and the skills of the testers are all cost drivers.

    If the firm mentions additional services they provide, be sure to ask if those are covered in the cost you’ve been quoted, or if there is an additional fee. And ask if there is a minimum engagement time.

    Minimums are common in the industry. Raxis requires three days, but we’ve seen other companies with seven- to 10-day minimums. Make sure you ask this early in the conversation. Otherwise, you could waste time you don’t have being sold services you don’t need.

    Conclusion

    Hiring the right penetration testing firm necessarily involves a lot of research and careful consideration. After all, you need a company that can bring to bear all the skills, determination, and devious creativity of black hat hackers – and still act as your trusted security advisor, providing actionable reporting on your vulnerabilities.

    The preparation outlined in part one, along with the questions above, should help you find the best match for your specific needs.

    Of course, we hope you choose Raxis, and we’re ready to put you in touch with our experts whenever you’re ready to talk.

    Want to learn more? Take a look at the first part in our How to Hire a Penetration Testing Firm Series.

  • Cybersecurity in the Financial Sector: Regulations are Approaching Reality

    After years of development and public input, the Federal Trade Commission (FTC) in December finalized some changes to the Standards for Safeguarding Customer Information (Safeguards) Rule – a key part of the Gramm-Leach-Bliley Act (GLBA).

    Of the four major rule changes, one simply adds a new category of business under the definition of “financial institution,” another exempts institutions that serve fewer than 5,000 people, and a third standardizes some terminology across agencies.

    Though all of these are important for various reasons, the most significant changes from Raxis’ perspective are the ones that more clearly define the elements of the information security programs required by GLBA and which ensure better accountability for implementing and testing such programs.

    The Problems

    In the past, the federal government was reluctant to be overly prescriptive with its cybersecurity requirements. The prevailing mindset was that doing so would mean compliance would happen by “magic” – in this case, meaning mindless activities guaranteed to inspire complacency. Flexibility was necessary to ensure that institutions were free to adopt the practices that ensured the best protection for their company or niche.

    The reality we’ve witnessed during more than a decade of Raxis penetration testing is that the level of cybersecurity awareness and sophistication can vary wildly among financial institutions, regardless of size or business model. Ambiguity in the regulations allowed a patchwork of cybersecurity measures to emerge under the general umbrella of compliance. It was clear to our team that the Safeguards Rule needed to be more specific to make sure all the institutions were implementing the most basic best practices.

    Lack of specificity in the prior iterations of the rules also made it harder for regulators and the institutions themselves to know whether their infosec programs were effective. Along with more specifics, the institutions needed stronger accountability measures.

    The Improvements

    Toward the goal of greater accountability, the Safeguards Rule added two important provisions: Designation of a single “qualified individual” to act as a de facto chief information security officer (CISO) to manage the infosec program and a requirement that he or she report to the company’s board. Most institutions have those functions covered in some form or fashion, but we’ve seen instances where responsibilities were split among employees and even departments.

    Having a qualified infosec leader in place is a good first step toward consolidating authority, but more important is how well and how quickly the institutions adopt the following changes to the Safeguards Rule:

    • Review of access controls. This change requires institutions to regularly test digital and physical access to customer data to make sure only authorized personnel can see it – and see only the parts of it that are necessary to do their jobs. If a Raxis team member successfully breaches your network during a test, you can bet we will check to see if you’ve followed the principle of least privileged access.
    • Inventory of key data and systems. The inventory process ensures that institutions know what they are protecting with their infosec program. As we discussed in a prior post, it’s not always obvious what data and what systems are at risk.
    • Intrusion detection. This change makes annual pentesting and semi-annual vulnerability assessments a requirement for companies that don’t have continuous monitoring of their networks. Raxis offers all the services described above, but we don’t believe they should be presented as either/or choices. Continuous monitoring or vulnerability assessments should trigger a pentest if serious vulnerabilities are discovered.
    • Secure application development. With this rule change, the FTC outlines some best security practices for in-house and third-party app development. As we explained in some recent posts, public-facing web applications face some unique security challenges, and it’s good that the FTC understands the seriousness of that issue.
    • Incident response planning. This update simply requires that institutions develop written plans for responding to security incidents and includes information about what those plans should cover.
    • Encryption requirement. This may seem like a no-brainer, but the Safeguards Rule now requires encryption of data in transit and at rest. But it also provides for the ability of the “qualified individual” to authorize an acceptable alternative if encryption isn’t feasible.
    • Multifactor authentication (MFA) requirement. Again, this would appear to be table stakes for a financial institution, but based on Raxis’ experience, it has not been adopted nearly as widely as it should have been already. The rule change, we hope, will make MFA a standard practice industrywide.
    • Change management procedures. This change outlines the steps financial institutions should take when they alter their infosec programs. As a security measure, it ensures such changes are documented and approved beforehand.

    This is just a snapshot of what Raxis considers the FTC’s most impactful changes to the GLBA Safeguards Rule. Like all such regulations, they should all be viewed by the institutions as minimum guidelines, not as a safe harbor or assurance of security. Similarly, regulators should judge compliance not by whether the boxes have been checked, but by how thoroughly the institutions have prepared themselves for the attacks that are coming.

    There is no finish line in cybersecurity, but these changes will give all US financial institutions a head start on better protection for their customers.

    To read the full Safeguards Rule as finalized, be sure to visit the Federal Register.

  • What is Web App Pentesting? (Part Two)

    I’m Matt Dunn, a lead penetration tester at Raxis. This is the second of a two-part series, aimed at explaining the differences between authenticated and unauthenticated web application testing. I’ll also discuss the types of attacks we attempt in each scenario so you can see your app the way a hacker would.

    Although some applications allow users to access some or all their functionality without providing credentials – think of simple mortgage or BMI calculators, among many others – most require some form of authentication to ensure you are authorized to use it. If there are multiple user roles, authentication will also determine what privileges you have and/or what features you can access. This is commonly referred to as role-based access control.

    As I mentioned in the previous post, Raxis conducts web application testing from the perspectives of both authenticated and unauthenticated users. In authenticated user scenarios, we also test the security and business logic of the app for all user roles. Here’s what that looks like from a customer perspective.

    Unauthenticated Testing

    As the name suggests, testing as an unauthenticated user involves looking for vulnerabilities that are public-facing. The most obvious is access: Can we use our knowledge and tools to get past the authentication process? If so, that’s a serious problem, but it’s not the only thing we check.

    In previous articles and videos, we’ve talked about account enumeration – finding valid usernames based on error messages, response lengths, or response times. We will see what information the app provides after unsuccessful login attempts. If we can get a valid username, then we can use other tools and tactics to determine the password. As an example, see the two different responses from a forgot password API for valid and invalid usernames below:

    Different Responses for Valid and Invalid Usernames
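    The response difference described above, and the fix for it, as an added example that is not code from the original post or from Raxis. The handlers, the user store and the mail outbox are all constructed for the example; the hardened version returns the same status, body and amount of work for every username, and `enumeration_check` is the kind of self-test a team can run against its own endpoint before a pentester does.

```python
import secrets

# Constructed user store for this example (username -> display name); a real
# application would query its database instead.
USERS = {"alice": "Alice Example", "bob": "Bob Example"}

# Stand-in for the mail system so the example runs offline.
OUTBOX = []


def _queue_reset_email(username, token):
    if username is not None:
        OUTBOX.append((username, token))


def forgot_password_leaky(username):
    """Leaky pattern: status code and body differ depending on whether the
    username exists, so anyone can confirm valid accounts one request at a time."""
    if username not in USERS:
        return 404, {"error": "No account found for that username"}
    token = secrets.token_urlsafe(32)
    _queue_reset_email(username, token)
    return 200, {"message": "Password reset email sent"}


def forgot_password_uniform(username):
    """Hardened pattern: the same status, the same body and the same work for
    every input, so neither the content nor the response time reveals whether
    the account exists. (In a real handler the database lookup should also be
    done unconditionally rather than short-circuited for unknown names.)"""
    token = secrets.token_urlsafe(32)  # generated for every request, not only valid users
    _queue_reset_email(username if username in USERS else None, token)
    return 200, {"message": "If that account exists, a password reset email has been sent"}


def enumeration_check(handler, known_valid, known_invalid):
    """Self-check for your own endpoint: True if a valid and an invalid username
    can be told apart by status code, body content or body length."""
    status_a, body_a = handler(known_valid)
    status_b, body_b = handler(known_invalid)
    return (status_a != status_b
            or body_a != body_b
            or len(str(body_a)) != len(str(body_b)))
```

    Content-length and status are the easy cases; as the text notes, response timing is the third channel, which is why the hardened handler does its token generation before it knows whether the account exists.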

    From an unauthenticated standpoint, we also will try injection attacks, such as SQL Injection, to attempt to break past login mechanisms. We’ll also look for protections using HTTP headers, such as Strict-Transport-Security and X-Frame-Options or Content-Security-Policy, to ensure users are as secure as they can be.
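    Both checks named in the paragraph above, as an added example that is not code from the original post or from Raxis. The first half shows a login query built by string formatting next to the same query with bound parameters, using an in-memory SQLite table constructed for the example; the second half is a small audit of the three response headers the post names. All function and table names are assumptions for the example.

```python
import hashlib
import sqlite3


def setup_db():
    """Constructed in-memory table with one account. Plain SHA-256 is used only to
    keep the example short; real password storage needs a slow salted hash such
    as bcrypt, scrypt or Argon2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"s3cret").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so a crafted username changes the
    query's logic instead of being treated as data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver keeps user input as data,
    whatever characters it contains."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash)).fetchone()
    return row is not None


# Header checks: presence plus a minimal sanity test of the value.
HEADER_CHECKS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
}


def missing_security_headers(headers):
    """Return the names of headers that are absent or weakly configured,
    matching header names case-insensitively as HTTP does."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return [name for name, ok in HEADER_CHECKS.items()
            if name.lower() not in lowered or not ok(lowered[name.lower()])]
```

    The header audit is deliberately minimal: it flags a missing header or an obviously empty one, which is what a first pass should catch, but it does not evaluate whether a CSP is actually restrictive.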

    With some applications, we can use a web proxy tool to see which policies are enforced on the client-side interface and which are enforced on the server side. In a future post, we’ll go into more detail about web proxies. For now, it’s only important to know that proxies sometimes reveal vulnerabilities that allow us to bypass security used on the client and allow us to interact with the server directly.

    As an example, fields that require specific values, such as an email field, may be verified to be in the proper format on the client-side (i.e. using JavaScript). Without proper safeguards in place, however, the server itself might accept any data, including malicious code, entered directly into that same field. In practice, this can be bypassed, leading to attacks such as Cross-Site Scripting, as shown in my CVE-2021-27956 that bypasses email verification.
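    The email-field case above, as an added example that is not code from the original post or from Raxis: a server that trusts the browser’s JavaScript check next to one that re-validates the value and escapes it on output. The profile store, the address pattern and the function names are constructed for the example; the payload in the comments is a harmless marker, not anything from the CVE the post mentions.

```python
import html
import re

# Deliberately simple pattern: enough to reject markup and control characters,
# not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def client_side_only_save(profile_store, raw_email):
    """Server that assumes the browser already validated the field and stores
    whatever arrives. A proxy lets a user skip the browser check entirely."""
    profile_store["email"] = raw_email
    return True


def server_side_save(profile_store, raw_email):
    """Server re-validates independently of the client: anything that is not a
    plausible address is refused before it is stored."""
    if len(raw_email) > 254 or not EMAIL_RE.fullmatch(raw_email):
        return False
    profile_store["email"] = raw_email
    return True


def render_profile(profile_store):
    """Output encoding as the second layer: even a value that slipped past
    validation is rendered as text, never as markup."""
    return f"<p>Contact: {html.escape(profile_store.get('email', ''))}</p>"
```

    Validation on input and escaping on output are independent controls; the test below shows that the escaping alone keeps a stored marker from rendering as a tag, and the validation alone keeps it from being stored at all.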

    Authenticated Testing

    During an authenticated web application test, we use many of the same tactics, toward the same ends, as we do with unauthenticated tests. However, we have the added advantage of user access. That vantage point exposes far more of the application’s attack surface, and with it more potential vulnerabilities. This is why we recommend authenticated testing: to ensure that even a malicious user with a valid account cannot abuse the application.

    Once authenticated, we attempt to see whether the app restricts users to the level of access that matches its business logic. This might mean we log in with freemium-level credentials and see if we can get to paid-users-only functionality. Or, in the role of a basic user, we may try to gain administrator privileges.
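    The two escalation paths just described (a freemium user reaching paid-only functionality, and a basic user becoming an administrator) as an added example that is not code from the original post or from Raxis. The role table, the permission names and the profile-update handlers are constructed for the example; the point is that the check runs on the server for every request, and that a submitted `role` field is never copied onto the account.

```python
from dataclasses import dataclass

# Constructed role -> permission map. Deny by default: anything not listed is refused.
ROLE_PERMISSIONS = {
    "freemium": {"view_dashboard", "export_csv_limited"},
    "paid": {"view_dashboard", "export_csv_limited", "export_csv_full", "api_access"},
    "admin": {"view_dashboard", "export_csv_full", "api_access", "manage_users"},
}


@dataclass
class User:
    name: str
    role: str  # assigned by the server at login, never taken from a request field


class AuthorizationError(PermissionError):
    pass


def authorize(user, permission):
    """Enforced on the server for every request, regardless of what the UI hides."""
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AuthorizationError(f"role '{user.role}' may not {permission}")
    return True


def export_full_report(session_user):
    """A paid-only feature: a freemium user who discovers the URL is still refused."""
    authorize(session_user, "export_csv_full")
    return "full-report.csv"


def update_profile_vulnerable(session_user, form):
    """Mass-assignment bug: every submitted field is copied onto the account, so a
    basic user who adds role=admin to the form promotes themselves."""
    for key, value in form.items():
        setattr(session_user, key, value)
    return session_user


def update_profile_hardened(session_user, form):
    """Only the fields a user may edit are copied; a submitted 'role' is ignored."""
    editable = {"name"}
    for key in form.keys() & editable:
        setattr(session_user, key, form[key])
    return session_user


def set_role(acting_user, target_user, new_role):
    """Role changes go through a separate path that requires manage_users."""
    authorize(acting_user, "manage_users")
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    target_user.role = new_role
    return target_user
```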

    As with an unauthenticated test, we also see how much filtering of data is done at the interface vs. the server. Some apps have very tight server-level controls for authentication but rely on less-restrictive policies once the user is validated.

    Though it may seem simple from the outside, one of the hardest things for web app developers to secure is file uploads.

    This is another topic we’ll explore further in a future post; however, one good example of the complexity involved is photo uploads. Many apps enable or require users to create profiles that include pictures or avatars. One way to restrict the file type is by accepting only .jpg or .png file extensions. Hackers can sometimes get past this restriction by giving an executable file a double extension – malware.exe.jpg, for example.

    Another problem is that malicious code could be inserted into otherwise legitimate file types such as Word documents or spreadsheets. For many apps, however, it’s absolutely necessary to allow these file types. When we encounter such situations, we often work with the customers and recommend other security measures that allow the app to work as advertised but that also detect and block malware.
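    The double-extension case from the photo-upload discussion above, as an added example that is not code from the original post or from Raxis. It puts a typical substring-based extension check next to one that looks only at the final extension, requires the file signature to match it, and stores the file under a server-generated name. The allowlist, the function names and the sample byte strings are constructed for the example.

```python
import os
import secrets

# Allowed final extensions and the file signature ("magic bytes") each must start with.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}


def accept_upload_naive(filename, data):
    """Common bug: a substring test on the name, so 'malware.exe.jpg' and
    'malware.jpg.exe' both pass, and the content is never examined."""
    name = filename.lower()
    return ".jpg" in name or ".png" in name


def accept_upload_hardened(filename, data):
    """Check only the final extension, require the matching signature, and return
    a server-generated storage name so the client-supplied name (including any
    path components) never reaches disk. Returns None when the upload is refused."""
    ext = os.path.splitext(os.path.basename(filename).lower())[1]
    if ext not in ALLOWED_TYPES:
        return None
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None
    return secrets.token_hex(16) + ext
```

    A signature check settles the “is this really an image?” question, but it does not settle the second problem the post raises: a genuine Word document or spreadsheet can still carry malicious content and will pass a check like this, which is why the post’s recommendation of additional detection for those types still stands.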

    Conclusion

    As a software engineer by training, one advantage I have in testing web applications is understanding the mindset of the developers working on them. People building apps start with the goal of creating something useful for customers. As time goes on, the team changes or users’ needs change, and sometimes vulnerabilities are left behind. This can happen in expected ways, such as outdated libraries, or unexpected ways, such as missing access control on a mostly unused account type.

    At Raxis, we employ a group of experts with diverse experiences and skillsets who will intentionally try to break the app and use it improperly. Having testers who have also developed applications gives us empathy for app creators. Even as we attack their work, we know that we are helping them remediate vulnerabilities and making it possible for them to achieve their application’s purpose.

    Want to learn more? Take a look at the first part of our Web Application Penetration Testing discussion.