Tag: Penetration Testing

  • How to Hire a Penetration Testing Firm – Part 1

    How to Hire a Penetration Testing Firm – Part 1

    I’m Bonnie Smyre, Raxis’ Chief Operating Officer. Penetration testing is a niche in the cybersecurity field, but one that is critical to the integrity of your network and your data. This is the first of a two-part guide to help you select the right firm for your needs.

    Step 1: Identify Your Why

    There are lots of reasons why companies should routinely do penetration testing. The most important is to understand your vulnerabilities as they appear to hackers in the real world and work to harden your defenses. It may also be that your industry or profession requires testing to comply with certain laws or regulations. Or perhaps you’ve been warned about a specific, credible threat.

    Whatever your reasons for seeking help, you’ll want to look for a firm that has relevant experience. For example, if you run a medical office, you’ll need a penetration testing company that knows the ins and outs of the Health Insurance Portability and Accountability Act (HIPAA). If you’re a manufacturer with industrial control systems, you’ll need a company that understands supervisory control and data acquisition (SCADA) testing. The point is to make sure you know your why before you look for a pentest firm.

    See a term you don’t recognize? Look it up in our glossary.

    Step 2: Understand What You Have at Risk

A closely related task is to be clear about everything you need to protect. Though it might seem obvious from the above examples, companies sometimes realize too late that they are custodians of data seemingly unrelated to their primary mission. A law firm, for instance, might receive and inadvertently store login credentials to access clients’ medical transcripts or bank accounts. Though its case files are stored on a secure server, a clever hacker could potentially steal personally identifiable information (PII) from the local hard drives.

    Step 3: Determine What Type of Test You Need

    General use of the term “pentesting” can cover a broad range of services, from almost-anything-goes red team engagements to vulnerability scans, though the latter is not a true penetration test. In last week’s post, lead penetration tester Matt Dunn discussed web application testing. There are also internal and external tests, as well as wireless, mobile, and API testing, to name a few. Raxis even offers continuous penetration testing for customers who need the ongoing assurance of security in any of these areas.

    Raxis offers several types of penetration tests depending on your company’s needs:

    Step 4: Consult Your Trusted Advisors

    Most companies have IT experts onboard or on contract to manage and maintain their information systems. You may be inclined to start your search for a penetration testing service by asking for recommendations from them – and that’s a good idea. Most consultants, such as managed service providers (MSPs), value-added resellers (VARs), and independent software vendors (ISVs), recognize the value of high-quality, independent penetration testing.

    In the case of MSPs, it might even be part of their service offerings. However, it might make sense to insist on an arm’s-length relationship between the company doing the testing and the people doing the remediation.

    If your provider is resistant to pentesting, it might be because the company is concerned that the findings will reflect poorly on its work. You can work through those issues by making it clear that you share an interest in improving security and that’s the purpose for testing.

The downloadable PDF below includes this list of Raxis services with an explanation of what we test and a brief explanation of how we go about it.

    Raxis Penetration Testing Services
    Step 5: Consider Ratings and Review Sites

    Another starting point – or at least a data point – is review and rating sites. This can be incredibly helpful since such sites usually include additional information about the services offered, types of customers, pricing, staffing, etc. That gives you a chance to compare the areas of expertise with the needs you identified in steps one and two. It can also introduce you to companies you might not have found otherwise.

    Here are some resources you might find helpful as a start:

    Step 6: Check References

    Once you have your short list of companies, it’s a good idea to talk to some of their customers, if possible, to find out what they liked or didn’t like about the service. Ask about communications. Were they kept in the loop about what was going on? Did the company explain both successful and unsuccessful breach attempts? Did they get a clear picture of the issues, presented as actionable storyboards?

In addition, it’s a good idea to ask about the people they worked with. Were they professional? Was it a full team or an individual? Do they bring a variety of skillsets to the table? Did they take time to understand your business model and test in a way that made sense? It’s important to remember here that many pentesting customers insist on privacy. The company may not be able to provide some references, and others may not be willing to discuss the experience. However, some will, and that will add to your knowledgebase.

    If you’ve completed steps 1 through 6, you should be armed with the information you need to begin interviewing potential penetration testing companies. You’ll be able to explain what you need and gauge whether they seem like a good match or not. And you’ll know how their customers feel about their service.

    If you found this post helpful, make sure to follow our blog. In the weeks ahead, we’ll be discussing the questions you should ask potential pentesting companies – and the answers you should expect to hear.

    Want to learn more? Take a look at the second part in our How to Hire a Penetration Testing Firm Series.

  • What is Web Application Penetration Testing?

    What is Web Application Penetration Testing?

    I’m Matt Dunn, a lead penetration tester at Raxis. In this series of posts, I’m going to introduce you to the Raxis method of penetration testing web applications. We’ll start with a look at what a web app test involves and how it differs from the network testing we do.

By their very nature, web apps deserve special scrutiny because they are designed in most cases to be accessible to a broad base of users, often with different roles that convey higher levels of privilege or access. Additionally, they are often used to perform wide-ranging functionality, from shopping and banking transactions to accessing healthcare data. With that accessibility and functionality comes exposure to a wide range of threats from malicious actors who want to exfiltrate data, modify the application, or otherwise disrupt its operation.

    When Raxis performs a web application penetration test, we typically approach it from the viewpoint of both unauthenticated and authenticated user roles. In many cases, some of the app’s functionality is going to be behind some form of authentication. We’ll go into greater detail about authenticated and non-authenticated tests in a subsequent post. For now, however, we’ll limit the discussion to tests in which we are given credentials for all user roles.

    Armed with the appropriate credentials, we examine all the functionality of the app to find out what features are accessible to users and how the application is intended to work. Can users’ profiles be changed? Are users allowed to upload files? Where can the user input their own content? What is each user supposed to be allowed to do? These are just some of the questions we’re looking to answer in the beginning of the test.

    Once we know what the app should do, we’ll test all these features to see if the business logic is correct. For example, an app may allow only administrators to delete uploaded files. So, we’ll attempt to circumvent that restriction and see if we can accomplish that with lower-privileged credentials.
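The role-by-feature check described above can be automated as a regression test so that a fix for one authorization bug does not quietly regress later. The following is an added example, not Raxis code or any real application: a toy route table where the delete-file handler forgets the admin-only rule, the corrected handler beside it, and a checker that exercises every endpoint as every role (including unauthenticated) and reports where the app’s actual behaviour departs from the intended access policy. Endpoint names, roles and the policy table are all constructed for the illustration.

```python
"""Role-by-endpoint authorization check (constructed example, not Raxis code)."""
from dataclasses import dataclass
from typing import Optional

ROLES = ("anonymous", "user", "editor", "admin")

# Intended access policy: the business rules the test verifies, e.g.
# "only administrators may delete uploaded files". Constructed for this example.
EXPECTED_ACCESS = {
    "GET /login": set(ROLES),                      # reachable without a session
    "GET /files": {"user", "editor", "admin"},
    "POST /files/upload": {"editor", "admin"},
    "DELETE /files/{id}": {"admin"},
}


@dataclass
class Request:
    role: str  # "anonymous" means no session at all


def deny_unless(req: Request, allowed: set) -> Optional[int]:
    """Return an HTTP error status if req.role may not proceed, else None."""
    if req.role == "anonymous":
        return 401
    if req.role not in allowed:
        return 403
    return None


# --- handlers: each returns an HTTP status -------------------------------------
def login_page(req: Request) -> int:
    return 200


def list_files(req: Request) -> int:
    return deny_unless(req, {"user", "editor", "admin"}) or 200


def upload_file(req: Request) -> int:
    return deny_unless(req, {"editor", "admin"}) or 200


def delete_file_vulnerable(req: Request) -> int:
    # Bug: only checks that *someone* is logged in, so any authenticated role
    # can delete files, contrary to the admin-only business rule.
    if req.role == "anonymous":
        return 401
    return 200


def delete_file_fixed(req: Request) -> int:
    # Hardened: the role check lives in the handler, not only in the UI.
    return deny_unless(req, {"admin"}) or 200


VULNERABLE_ROUTES = {
    "GET /login": login_page,
    "GET /files": list_files,
    "POST /files/upload": upload_file,
    "DELETE /files/{id}": delete_file_vulnerable,
}
FIXED_ROUTES = dict(VULNERABLE_ROUTES, **{"DELETE /files/{id}": delete_file_fixed})


def find_authz_violations(routes: dict, expected: dict = EXPECTED_ACCESS) -> list:
    """Call every endpoint as every role and report where reality differs from policy.

    Returns (endpoint, role, kind) tuples: "over-permissive" when a role succeeds
    that should have been denied, "over-restrictive" when an allowed role is
    denied (a functional bug that is also worth reporting).
    """
    violations = []
    for endpoint, handler in routes.items():
        for role in ROLES:
            status = handler(Request(role))
            allowed = role in expected[endpoint]
            if status == 200 and not allowed:
                violations.append((endpoint, role, "over-permissive"))
            elif status != 200 and allowed:
                violations.append((endpoint, role, "over-restrictive"))
    return violations


if __name__ == "__main__":
    for name, routes in (("vulnerable", VULNERABLE_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, find_authz_violations(routes) or "no violations")
```

The checker deliberately tests every role against every endpoint rather than only the roles you expect to be blocked; over-restrictive results catch a rule that was tightened too far, and the policy table doubles as documentation of what each role is supposed to be allowed to do.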

    Raxis approaches a web application test from the perspective of unauthenticated users and authenticated users in multiple roles when more than one role exists.

    Login webpage with username and password

    Next, we will try to exploit the app’s features. For instance, we’ll test the various input fields to see if we can insert malicious code. If so, the app may be vulnerable to cross-site scripting (XSS) – a topic I’ve covered extensively on our blog and YouTube channel. In a similar manner, we’ll test areas where we can upload files to see if we can upload malicious content as part of an attack.

    One question we get from time to time is whether web application testing is included as part of our network penetration tests. The answer is no, for two reasons: First, it’s unlikely that, within the time of a well-scoped network test, we will be able to find credentials to all roles and parts of your web app. Second, network tests are broader in scope and identify the highest risk vulnerabilities across the entire network (as time allows). Depending on other findings, we often test the accessible pages as well as the authentication features. These include logins and “forgot password” pages, to name just a couple. Our goal is to see if we can gain unauthorized access, perform account enumeration, or attack the application externally. But we won’t test as a verified user unless we’re able to gain authenticated access, and even then, we will not focus on the web app in the same depth as we would in a web app test.

    That’s what makes web application testing so important. And with so many companies relying on (or even built around) web apps, it makes sense to conduct these tests regularly and address the findings in order of priority. Even if you are already performing network penetration tests, I strongly recommend that you conduct specific web application tests as well.

    Want to learn more? Take a look at the second part of our Web Application Penetration Testing discussion.

  • So, You Want to Earn Your OSCP?

    So, You Want to Earn Your OSCP?

I’m Andrew Trexler, senior penetration tester at Raxis. As the Raxis team member who most recently earned the Offensive Security Certified Professional (OSCP) designation, I’m sharing my thoughts about the experience. My goals are to provide you with information I found helpful as well as to share some things I wish I had known in advance.

    Why take the OSCP?

    If you’re serious about being a penetration tester, the OSCP is, for all intents and purposes, the industry standard. As I considered pentesting as a career, I spoke with lots of people who were working in the field already. Consistently, they recommended getting the certificate, which requires taking the Penetration Testing with Kali Linux (PWK) course. I also watched a great YouTube video by John Hammond in which he recommended it.

    In truth, the course is useful for any career in cybersecurity, not just pentesting. If you’re working on a blue team, for example, the experience of hacking into a network provides a lot of valuable insights for developing a cyber defense strategy.

    Where to Start

    As I mentioned, you start officially with the PWK course. Going through it is helpful, and you really do learn a lot. The course includes a manual along with a lab environment. It is self-paced, so you go through it on your own time and schedule the test when you’re ready to take it.

However, there are some things I recommend doing beforehand. If you are new to the pentesting/cybersecurity field, I would start with some capture-the-flag (CTF) exercises like those found here. After getting comfortable with CTFs, you might find it helpful to move on to sites like Hack the Box or TryHackMe. Doing these first will help you hit the ground running a little faster in the lab environment.

    How to Make the Most of Your Coursework

    Take lots of notes. While going through the lab, you’ll do many different things – and you’ll do the same things multiple times. Keeping notes on how you got access to each machine during the lab work (yes, with copy/paste commands and explanations) will help during the test. Your notes can give you ideas and help you remember difficult syntax. Also, notes that act as cheat sheets with common commands are especially helpful. (I use Obsidian to take notes in Markdown.)

    Further, I recommend spending as much time in the lab as possible. While there is a forum for users, it may sound like the people there are speaking in code. If you struggle, just keep working the problem and learning. If you do get stuck, ask questions in the forum. From my experience everyone is helpful, but they know it’s more important to guide you to an answer than give it to you. Those who answer usually do it in a way that makes you learn the solution on your own, and you’ll thank them for that when you are taking the OSCP exam.

    About the Lab

    The lab houses more than 70 different computers. Most of these computers contain vulnerable software that can be exploited – and some don’t. The idea is to exploit a vulnerable machine, grab any information it’s storing, and then use it to access a machine that does not have a vulnerability.

    Among the vulnerabilities you’ll see in the lab are ones that are well-known and that have been around for years. EternalBlue is one example. Then, there are smaller applications that still have known vulnerabilities, but require a little searching to find the right exploit.

    The real challenges are the custom applications that either can be used to gain access or have their own vulnerabilities that require custom exploitation, using anything from XSS to SQLi to LFI/RFI. There are also remote and local exploits to gain access and then escalate privileges.

    See a term you don’t recognize? Visit our glossary.

To me, the most interesting part of the lab is the subnet structure. There are different subnets that require access to an initial computer, at which point you can pivot and pass traffic through that computer. Proxying traffic this way can be the only way to reach and exploit the other machines on the subnet.

    Andrew Trexler, Lead Penetration Tester
    How the Test Works

    There are five different machines on the test. On each are text files that can be submitted to prove your access. Depending on the difficulty of the machine, these files are worth varying numbers of points. Of 100 available points, you’ll need 70 to pass the exam.

    However, to get credit for those points, you have 24 hours to write a report that includes the steps you took to exploit the machine. These must be replicable by a technically competent reader and must contain either the link to the exploit code used or the exploit code if changes were made to it.

    During the exam, you are not allowed to use automated exploit tools. Metasploit can only be used once during the test, whether it works or not. Other exploits must be created manually by inputting the correct data or scripts, which may require some trial and error.

    What to do Before the Exam

    It sounds counterintuitive, but I don’t recommend studying or practicing right up until test time. Instead, try to take the day before the exam to prepare for how you’re going to take it. The exam must be completed in 24 hours, but you can pick an early or late start time. If you’re an early riser, start early. If you like to sleep in, start later. The point is to make sure that you play to your own strengths.

    Use your prep to do other helpful things as well. Maybe make sandwiches for the next day or set up the computer you are going to use to take the test. Figuring out things that you can do the day before can and will make things easier come test day.

    What to do on Exam Day

    The hardest part of the exam is the time management. The attacks to gain access are straightforward once you find them. However, you might have to change things up to get the exploit to work.

    Be sure to watch out for rabbit holes. There aren’t many, but being able to recognize them and get out of them quickly is a critical skill. Part of what they are testing is how quickly you figure out when you’re on the wrong path . . . or if you just haven’t gone far enough down the right one.

Also, keeping things fresh and not getting frustrated is key. That’s why it’s important to take your time, despite the deadline. I felt pressured by the 24-hour time limit, but it helped a lot to take a five-minute break about once each hour. Walking away from the computer and resetting a little bit can bring the burst of inspiration that helps you get to the next step.

    Incidentally, time management is a skill that’s even more essential in your career as a pentester. There’s only a certain amount of time allotted for testing, so you can’t get sidetracked chasing dead ends.

    Final Thoughts

    Remember that this is a professional certification, and many people don’t pass it on their first try. Let that take some of the pressure off. If you don’t pass this time, you always have next time.

    And, yes, it’s very hard. But that’s a good thing. If it were easy, everyone could do it and that would rob you of the satisfaction and respect that comes with earning your OSCP.

  • How Artificial Intelligence Will Power Raxis Continuous Penetration Testing

    How Artificial Intelligence Will Power Raxis Continuous Penetration Testing

    A few years ago, Mark Zuckerberg of Facebook and Tesla’s Elon Musk feuded very publicly over whether artificial intelligence (AI) would be the key to unlocking our true potential as humans (Zuck) or spell doom for our species and perhaps the Earth itself (Musk). Apparently, neither of them accepts the notion that AI, like all technology, will expose us to new concerns even as it improves our lives.

    Meanwhile, here in reality, business owners are still facing the less dramatic, but more urgent threat posed by all-too-human hackers. Most seek money, some are in it for fame, others cause havoc, and many want all of the above. It’s against this mob that Raxis is using AI, more accurately called machine learning, to give honest companies an upper hand in the fight.

    Here’s how it works:

    Human Talent Sets Us Apart

    Raxis has built an incredible team of elite, ethical hackers, who are all the more effective because of their diverse backgrounds and skillsets. Our process starts with a traditional penetration test. Based on our customers’ parameters, we set our team to work testing your defenses.

    Think of this like your annual physical at the doctor’s office (without the embarrassing paper gown). Our goal at this stage is to find ways into your network and determine where we can go from there. Once you know where you’re vulnerable, you can remediate and feel more comfortable that your defenses are solid.

    AI Extends Human Capabilities

    One major challenge of staying cybersecure is that new threats are emerging and new vulnerabilities are being discovered even as I write this sentence. The point of continuous penetration testing is that we leverage technology to account for the pace of this change. Our smart systems will continually probe your defenses looking for new weaknesses – with software that is updated in real time.

    In keeping with my earlier example, this part of the process is analogous to wearing a heart monitor and having routine blood work. As long as everything remains normal, we let the system do its job.

    Humans Enhance AI Effectiveness

    When our AI discovers an anomaly, it alerts our team members, who quickly determine if it’s a false positive or a genuine threat. If it’s the former, we’ll simply note it in your Raxis One customer portal, so you don’t waste time chasing it down. The latter, however, will trigger an effort by our team to exploit the vulnerability, pivot, and see how far we can go.

    Consider this exploratory surgery. We know there’s a problem, and we want to understand the extent so that you can fix it as quickly as possible. That’s why we give you a complete report of the vulnerability, any redacted data that we were able to exfiltrate, and storyboards to show you how we did it.

    More than a Vulnerability Scan

    If you’re familiar with vulnerability scanning, you’ll immediately recognize why the Raxis Continuous Penetration Testing is different . . . and better. Ours is not a one-and-done test, nor is it a set-it-and-forget-it process. Instead, you have the advantage of skilled penetration testers, aided by technology, diligently monitoring your network.

    AI isn’t ready to change the trajectory of the human race just yet, but it is improving our ability to protect the critical computer networks we rely on.

    If you’d like to learn more, just get in touch, and we’ll be happy to discuss putting this new service to work for your company.


  • Meet the Team: Mark Fabian, Senior Penetration Tester

    Meet the Team: Mark Fabian, Senior Penetration Tester

    My name is Mark Fabian – but to my friends and colleagues, it’s just Fabian. Today, I’m in the spotlight, discussing what really is my dream job — lead penetration tester here at Raxis. After just a few short months, I can highly recommend that you check our careers page and our YouTube channel to see if this is the career path and company for you.

    Jim: Mark, I think it’s important to let folks know that you represent “Raxis West” as the only Californian on the team.

    Fabian: That’s right. I’ve spent all but four years of my life in Northern California, here in the Sacramento area. Even the time away was just down south in San Diego.

    Jim: You must like it out there.

    Fabian: This is a perfect spot for folks who like to spend more time outdoors than indoors. Personally, I enjoy all kinds of activities like hiking, wakeboarding, dirt biking, riding jet skis, going out on houseboats, and just hanging out at the lake with my friends.

    Jim: Sounds like you’re definitely in the right place.

    Fabian: Yeah, the weather out here is great, though the water levels at the lakes have been down this year. There’s also an amazing number of activities within just a short drive, such as snowboarding or surfing.

Jim: Speaking of activities, I understand you’re a musician.

    Fabian: I play guitar and some other instruments . . .

    Jim: You should get together with Tim Semchenko. He can sing while you play.

    Fabian: I was actually in a band for a few years that played metal and punk. I love all things music. I even used to run the soundboard for my church.

    Jim: You have that in common with (VP of Business Development) Brad Herring.

    Fabian: That’s interesting because church is also how I got started building websites. I made a remark about how outdated the church’s site was and they invited me to do better. The short version of the story is that I did and that became my duty.

    Jim: Is that how you first got into tech?

    Fabian: My interest in technology started a lot earlier. When I first started using the internet, we had an old, slow dial-up connection. But my neighbor had a much faster connection and Wi-Fi. As a joke, he said if I cracked the password, then I could use his Wi-Fi. I don’t think he ever expected me to crack it, but I did. Faster internet, here I come!

    Jim: Are you really telling me that hacking was one of your first tech achievements?

    Fabian: Ha! I guess so.

    Jim: Geez. Where do you go from there?

    Fabian: For me, it transformed into an interest in the mechanical side. I started repairing smart phones and tablets, adding memory to computers . . . that kind of stuff, mostly for friends and relatives.

    Jim: That mechanical interest went beyond computers, though, right?

    Fabian: Right. I grew up rebuilding cars and taking them to the track.

    Fabian changing fluids in his 2010 Mazda Miata

    Jim: (Raxis CEO) Mark Puckett must have enjoyed your interview.

    Fabian: Apparently, since I got the job. When I talked about my interest in cars, (COO) Bonnie Smyre joked, “Well, that’s it. We probably don’t need to know any more.” But I should add that I work on older, slower cars. No Porsches or Lamborghinis. And our track is more for drifting than racing.

    Jim: Did you find you had a knack for mechanic work, a greasy thumb or something?

Fabian: Yes, as a kid, I used to rebuild gas-powered scooters. I also thought it would be a blast to take a weed-whacker motor and attach it to my bike. It did not disappoint. As I grew, the projects just got bigger. So, I started rebuilding car engines, changing out the suspension, doing custom fab work, and so forth.

    Jim: Did you consider making that a career?

    Fabian: In a way, yes. When I really focused on what I wanted to do for a living, three possibilities were at the top of the list: helicopter pilot, master mechanic, or a job in the tech field. But helicopter instruction is very expensive, and it would have taken as long to be a master mechanic as it did to develop the same level of skills in the tech field. Plus, technology seemed more versatile.

    Jim: Once you decided on technology, how did you decide that penetration testing was going to be your area of focus?

    Fabian: That was always my biggest interest. I just didn’t know how to get there at the time. So, I started with building websites, affiliate marketing, landing pages, that kind of stuff.

    Jim: College?

    Fabian: I did get my A.A. degree in computer science, but then I decided to start working on certifications instead of continuing in college. I got a helpdesk job because I thought that would be a good first step.

    Jim: Seems like it was.

    Fabian: It was, but there were a lot more steps in between. I went from doing helpdesk work to becoming an IT admin. I moved from there into a security operations center (SOC) analyst role to doing blue and purple team assignments. Finally, I landed at Raxis.

    Jim: Is it as good as you thought it would be?

Fabian: Absolutely. This was the dream job, and working with the Raxis team has been an incredible experience. I love offensive security, finding and exploiting new vulnerabilities, and learning more every day. I also appreciate that we get to work independently, but we can reach out when we need help and offer help when it’s needed.

    “As others have said, the people are terrific and have a wealth of knowledge. They have high expectations for performance, but they give the team members a lot of flexibility and they encourage creativity.”

    Mark Fabian


  • Chained Attacks and How a Scan Can Leave You Vulnerable

    Chained Attacks and How a Scan Can Leave You Vulnerable

    The results from your vulnerability scan showed only a couple of low or moderate level findings, but there is no denying that two experienced hackers now have domain admin rights; the freshly printed summary document on your desk spells out in excruciating detail how they traversed the darkest corners of your network and gained access to critical data.

    Fortunately for you, they’re Raxis team members, and you’ve paid them to do just that.

    The Chained Attack

    This scenario plays out frequently for Raxis customers who previously relied on companies that pass off vulnerability scans as faux penetration tests. It highlights why a scan, by itself, can give businesses a false sense of security about their cyber defenses. At their best, scans only point out individual links in what skilled and experienced hackers can turn into a chained attack – using one vulnerability to discover others, increasing or escalating network access with each move. In the case of parameter or business logic exposures, scans often remain blissfully unaware, failing to identify the exposures at all.

Unfamiliar word or term? Visit our glossary.

    We’ll use a real-life example from a recent Red Team engagement to illustrate just how this works. Keep in mind that the following recap is just one way to employ a chained attack. There are many others. In fact, it’s such a common technique that it’s part of the test ethical hackers take to earn the Offensive Security Certified Professional (OSCP) certification. (Read about Senior Penetration Tester Andrew Trexler’s experience with the OSCP exam.)

    The First Link

    Using a response poisoning attack, our testers achieved Man in the Middle (MitM) and relayed Server Message Block (SMB) handshakes to hosts with SMB signing disabled, which allowed them to execute local commands and extract local password hashes stored by the security account manager (SAM). One of those hashes was associated with a local administrator account, and they used it to connect to a system on the internal network.

    Once inside, they exploited a known design flaw in Windows authentication and used this local administrator hash in a Pass-the-Hash (PtH) attack using CrackMapExec (CME). They didn’t even have to crack the hash and get a cleartext password. Just sending the hash was sufficient to allow access.

    Creating the Chain

    Using PtH, our ethical hackers enumerated users logged on to a system, determined valid usernames, and extracted their Kerberos ticket hashes. This time, they did have to crack the hashed ticket for an administrative service account they found. A weak password and robust cracking hardware made this possible within seconds.

Having identified the cleartext password for that administrator account, they found that it was shared amongst numerous systems. They connected to other systems across the network and found a domain administrator logged into one of them. An attempt to dump the memory of the Local Security Authority Subsystem Service (lsass.exe) process failed at first because the company’s security blocked “procdump.exe,” the tool our team was using to gather the memory dump. However, a second attempt with Process Explorer was successful and allowed our team to download a memory dump of the “lsass.exe” process, giving them access to the runtime state of the service that performs Active Directory database lookups, authentication, and replication.

Another tool, Mimikatz, enabled our testers to extract the contents of that memory dump, including the reusable NTLM password hash of a Domain Administrator (DA). Again using CME, they used the NTLM DA password hash to extract the contents of the entire Active Directory database. This is the database housing all Active Directory objects, including users and their password hashes for the entire domain (that often means every employee at a small company or every employee in a division of a large company).

    “Vulnerability scans are excellent point-in-time snapshots of potential problems. But it takes comprehensive penetration testing to demonstrate how easily a malicious hacker can link them together to create a chained attack.”

    Tim Semchenko
    Owning the Network

    Using this DA access, our team created a new backdoor domain administrator account in the Domain Admins group – ample proof for the customer that Raxis had in fact pwned their network.

    What else could they have done? Anything they wanted, including staying on the system indefinitely or just logging in periodically to steal data or disrupt operations. Once a hacker has this type of access, it’s very difficult for a company to know if their access has been truly and completely removed.

    How is this possible? Because a serious security flaw – one that would not be revealed in full by a vulnerability scan – offered our skilled team members an entry way to take down an entire network had they been bad guys.

    The point is that vulnerability scans are excellent at providing a point-in-time snapshot of potential problems on your network. But it takes comprehensive penetration testing to find out just how serious those issues are and to demonstrate how easily a malicious hacker can link them together to create a chained attack.
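The chain above leaves a trail in Windows telemetry at every stage. The following detection logic is an added example, not part of the original post and not Raxis tooling. It assumes events are exported as one JSON object per line using Sysmon (Event ID 10, ProcessAccess) and Security log field names (4662 for directory replication rights, 4728/4732/4756 for group membership changes); the sample events, the host names and the allowlist of processes permitted to read LSASS are constructed for the example.

```python
"""Detect the LSASS-dump / DCSync / backdoor-admin chain from JSON-lines
telemetry. Added example (not Raxis code); the sample events at the bottom are
constructed, and the LSASS-reader allowlist is an assumed baseline."""
import json

# Sysmon Event ID 10 logs GrantedAccess as a bitmask. Any tool that dumps
# another process's memory needs PROCESS_VM_READ, so match on that bit rather
# than on the tool's file name: blocking procdump by name did not stop
# Process Explorer from taking the same dump.
PROCESS_VM_READ = 0x0010

# Processes expected to read lsass.exe; everything else is reported.
LSASS_READERS_ALLOWED = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Extended rights exercised by DCSync (what a secretsdump-style NTDS pull
# uses), as they appear in the Properties field of Security Event ID 4662:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}


def lsass_access(ev):
    """Stage 1: a process outside the allowlist opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_READERS_ALLOWED:
        return None
    if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ == 0:
        return None
    return {"stage": "lsass_read", "host": ev["Computer"],
            "actor": ev.get("User", "?"), "detail": source}


def dcsync(ev):
    """Stage 2: replication rights used by an account that is not a DC."""
    if ev.get("EventID") != 4662:
        return None
    actor = ev.get("SubjectUserName", "")
    if actor.endswith("$"):  # domain controllers replicate legitimately
        return None
    props = {p.strip("{}").lower() for p in ev.get("Properties", "").split()}
    used = props & REPLICATION_RIGHTS
    if not used:
        return None
    return {"stage": "dcsync", "host": ev["Computer"], "actor": actor,
            "detail": ",".join(sorted(used))}


def privileged_group_add(ev):
    """Stage 3: a member was added to a privileged group (4728/4732/4756)."""
    if ev.get("EventID") not in (4728, 4732, 4756):
        return None
    if ev.get("TargetUserName", "").lower() not in PRIVILEGED_GROUPS:
        return None
    return {"stage": "priv_group_add", "host": ev["Computer"],
            "actor": ev.get("SubjectUserName", "?"),
            "detail": ev.get("MemberName", "?")}


RULES = (lsass_access, dcsync, privileged_group_add)


def analyze(lines):
    """Run every rule over JSON-lines telemetry and return findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def stages_by_actor(findings):
    """Group stages per account so a chain stands out from isolated noise."""
    chain = {}
    for f in findings:
        chain.setdefault(f["actor"], set()).add(f["stage"])
    return chain


# Constructed sample telemetry: Process Explorer reading lsass (flagged),
# Defender reading lsass (allowlisted), a query-only handle (no VM_READ),
# a DC replicating (machine account), DCSync by a user, and a new DA member.
SAMPLE_EVENTS = [
    r'{"EventID":10,"Computer":"WS01","User":"CORP\\localadmin","SourceImage":"C:\\Tools\\procexp64.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1FFFFF"}',
    r'{"EventID":10,"Computer":"WS01","User":"NT AUTHORITY\\SYSTEM","SourceImage":"C:\\Program Files\\Windows Defender\\MsMpEng.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1FFFFF"}',
    r'{"EventID":10,"Computer":"WS01","User":"CORP\\helpdesk","SourceImage":"C:\\Windows\\System32\\taskmgr.exe","TargetImage":"C:\\Windows\\System32\\lsass.exe","GrantedAccess":"0x1000"}',
    r'{"EventID":4662,"Computer":"DC01","SubjectUserName":"DC02$","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    r'{"EventID":4662,"Computer":"DC01","SubjectUserName":"da.admin","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    r'{"EventID":4728,"Computer":"DC01","SubjectUserName":"da.admin","TargetUserName":"Domain Admins","MemberName":"CN=svc-backup2,CN=Users,DC=corp,DC=example"}',
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['stage']:15} host={f['host']:5} actor={f['actor']:18} {f['detail']}")
    print(stages_by_actor(found))
```

Run as-is, the script reports the three malicious events and nothing else, and the per-actor summary shows the DA account performing both the replication and the group change. Detection is the second line of defense here; the cheaper fixes are preventive: unique local administrator passwords (LAPS) remove the lateral movement that started the chain, and running LSASS as a protected process (RunAsPPL) or with Credential Guard makes the dump itself fail regardless of which tool requests it.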

  • Meet the Team: Andrew Trexler, Senior Penetration Tester

    Meet the Team: Andrew Trexler, Senior Penetration Tester

    I’m Andrew Trexler, senior penetration tester and one of the newest members of the Raxis team. Recently, I spoke with our marketing specialist about how I got interested in penetration testing and what led me to Raxis. Take a look at our careers page — Raxis is always interested in speaking with qualified pentesters who may fit well with our team. So, visit the page and subscribe to our YouTube channel.

    Jim: Andrew, you started at Raxis recently, but you’ve been involved in information security for a while now, right?

    Andrew: Yes, I graduated from Pitt in three-and-a-half years. After I finished, I really wanted to focus my attention on cybersecurity, and I became obsessed with pen testing.

    Jim: From what I’ve heard, you earned a couple of high-end certifications as well.

    Andrew: I had my bachelor’s degree in Information Science, but, in the penetration testing field, certifications are just as important, if not more so. While I was looking for a job, I earned the Offensive Security Certified Professional (OSCP) and the eLearnSecurity Junior Penetration Tester (eJPT) certifications.

    Jim: Other Raxis team members have told me the OSCP is a very difficult cert to get. Was that your experience?

    Andrew: It took a lot of work over a long period of time. I only had a month of lab time, but I began studying for it five months before that. For the final exam, I had 24 hours to hack into five computers.

    Jim: That sounds painful.

    Andrew: The test was hard, but I really enjoyed the labs. My favorite was hacking into one computer, finding nothing on it, then figuring out how to use that computer to hack into others that did house the data I was after.

    Jim: What spurred your interest in technology initially?

    Andrew: I’ve always enjoyed computers. They’ve always just made sense to me, and so, in high school, I took all the computer classes that were available. Majoring in information science at Pitt was a natural next step. That’s where I got interested in network security and figured out that hacking and breaking into things is just plain fun.

    Jim: How did you find out about Raxis?

    Andrew: I was just looking around on the internet and came across the website. I interviewed with several companies, but Raxis really stood out.

    Andrew preparing to electronically detonate fireworks.

    Jim: How so?

    Andrew: For one thing, (chief operating officer) Bonnie Smyre really went out of her way on multiple occasions to make sure my questions were answered and to encourage me to take the job. The people I spoke with all seemed to enjoy what they do. It really felt like a happy family and it still does.

    Jim: You’ve said that hacking and breaking into things is fun, but I understand you’re also an expert at blowing things up.

    Andrew: I guess you could say that. On occasion, I get to be a pyrotechnics artist, putting on fireworks shows.

    Jim: I’m tempted to say, “That must be a blast,” but I’m sure you’ve heard that one before.

    Andrew: Ah, yeah, a few times.

    Jim: In all seriousness, it seems like that would be very exciting or terrifying, depending on your perspective. How did you get into that?

    Andrew: It started out as a one-time thing, helping my cousin put on a show. Next thing I know, I’m a trained technician.

    Jim: Where do you put on your shows?

    Another successful show.

    Andrew: My hometown is here in Monroeville, Pennsylvania, just outside Pittsburgh. We do shows here and as far away as Altoona. Mostly for the minor league baseball games.

    Jim: Isn’t that a dangerous occupation?

    Andrew: We take a lot of precautions, so we keep our operations very safe. It takes us anywhere from an hour to three hours to set up for what, sometimes, is a 15-minute show. Also, our mistakes tend to be blown up or burned up.

    Jim: You don’t make many, I’m guessing.

    Andrew: Ha! None that you know about.

    Jim: It seems like fireworks would be computer-controlled nowadays. Is there a high-tech component to that work?

    Andrew: Some of the bigger shows use electronic controls, but, for the most part, ours are just old-fashioned fuse-lit fireworks.

    “Even the most senior people at Raxis will stop what they’re doing and help you out when you need it. On top of that, these are fun people to work with who are really, really smart.”

    Andrew Trexler

    Jim: It’s hard to compare with the excitement of a fireworks show, but you obviously enjoy your work with Raxis. What’s your favorite part so far?

    Andrew: What I’ve enjoyed most so far is being able to ask questions of my teammates and answer theirs when I can. The culture is one in which everyone is here for everyone else. Even the most senior people at Raxis will stop what they’re doing and help you out when you need it. On top of that, these are fun people to work with who are really, really smart.

  • Meet the Team: Mark Puckett, CEO

    Meet the Team: Mark Puckett, CEO

    I’m Mark Puckett, CEO of Raxis. By now, you’ve met all but the newest members of our team, so it’s time I step up and tell you more about how this company came to be. Before I do, however, you should know that the secret to Raxis’ success is the incredible individuals you’ve met up to this point. I’ve never worked directly or indirectly with a finer group of people anywhere. I’m fortunate to call them colleagues and friends. If you’d like to be a part of our team – and you have what it takes – keep an eye on our careers page. Maybe you can be part of our exciting future.

    Jim: Mark, it’s a small percentage of people who have the courage to start a business – and then only a relative handful that enjoy the success Raxis has had over the past decade. How did you decide that launching a business was the right move?

    Mark: Initially, I chose a different path by working for large corporations like GE and Home Depot, as school always taught us that was the best path for success. Yet, I always had an interest in starting a business. My mother is an entrepreneur at heart. My parents owned a jewelry store when I was growing up. Later, my mom started a translating and interpreting agency that provided language services for the legal industry. It took some time for me to realize that I had that same inclination toward entrepreneurship.

    Jim: Was Raxis your first attempt at starting a business?

    Mark: Yes and no. I’ve owned the raxis.com domain name since 1999, and it started out as a website hosting business. Then it morphed into a rental property management company, an SEO business, back to web hosting, and then to secure software development. But after 18 years in corporate America and toying with side-businesses, I decided it was time to take a shot at making Raxis my full-time endeavor, only this time as a penetration testing company.

    Jim: With apologies to Tolkien, one doesn’t simply walk into pentesting. You must have had a strong background in security to even consider the field.

    Mark: That’s true. Penetration testing became an interest of mine years ago when my career pushed me in that direction. I moved from a network and application security defense role to managing Home Depot’s internal Red Team. After a couple of years in that role, I found I really enjoyed penetration testing and realized it had a lot of business potential as a relatively young concept at the time.

    Jim: Seems like a scary prospect to jump in with both feet.

    Mark: Knowing that you can’t really tell two stories well, I knew I had to leave Home Depot and take a chance at running Raxis full time. For a true entrepreneur, the scariest proposition is not pursuing an idea. So, I left Home Depot in 2011 to chase my dream. That dream, known to many as Raxis, has been profitable since inception and growing steadily to date.

    Mark with the Raxis leadership team on a job in Anchorage, Alaska

    Jim: A very common theme among most of the Raxis team is this intense curiosity that seems to be present from an early age. Was that true of you as well?

    Mark: As a matter of fact, yes. And I think that deep curiosity is a character trait you’ll find among all the best ethical hackers. We know there’s a way in, and we will find it. And I can remember that same feeling of determination from early in life.

    Jim: How did that emerge?

    Mark: First, it was an interest in electronics that started when I was about 6 or 7 years old. I really enjoyed taking apart electronic toys and appliances to see how they worked. I’d salvage all sorts of parts like motors, lights, LEDs (only in red at the time), and switches. I came up with all sorts of little projects just for fun, like fastening parts to a cardboard box to make a “switchboard.” Mine was only able to turn on and off lights and run a DC-powered fan that used a popsicle stick for a prop, but I really thought it was fun to build. My parents correctly realized they were on to something. So, they got me a 50-in-1 electronics kit from Radio Shack that I absolutely loved.

    Young Mark with his 50-in-1 electronics set

    Jim: Was that your ‘gateway’ tech?

    Mark: Yes, apparently so. Because, as soon as computer technology became affordable to consumers, I had to have one. My first computer at age 8 was a Tandy Color Computer 2, also from Radio Shack. I taught myself how to write BASIC programs by typing in code I got from a computer magazine subscription. That began a life-long relationship with technology. After the Tandy CoCo 2, I became an avid IBM PC clone fan, then moved on to Linux, Windows, and now MacOS X.

    Jim: Another theme that recurs in these interviews is the close-knit relationship among the team members. Raxis’ COO Bonnie Smyre talked about your friendship that began in high school and continued through the years. And (VP of business development) Brad Herring is a longtime friend as well, right?

    Mark: That’s right. I’ve been friends with Bonnie since high school, and we stayed in touch until I convinced her to join Raxis several years ago. I’ve known Brad even longer. My family moved from Carrollton, Georgia to Marietta when I was 10 years old. I met Brad in middle school, and he was my first new friend in a new town. He also had a computer and really enjoyed technology, so we had a lot in common. There were times our lives led us in different directions, but we always were able to keep in touch. We were catching up at a lunch, just as we did every now and then, when I mentioned to Brad that I needed some help with generating more business for Raxis. Brad jumped in with both feet and was able to build a first-rate sales program that has exceeded expectations since inception.

    Jim: Speaking of Brad, he told me that, in addition to your love of technology and electronics, you also have a longtime passion for cars. Is that what keeps you busy when you’re not focused on Raxis?

    Mark: Aside from spending as much time as I can with my lovely wife and three beautiful daughters, I seem to be a jack of all trades and master of none when it comes to hobbies. My favorite hobby is pretending to be a race driver at Road Atlanta. I also enjoy boating (but not so much fishing), cycling, photography, videography, astronomy, and home theater.

    Mark indulging his need for speed in his Porsche GT3 at Road Atlanta

    Jim: One of the Raxis YouTube videos discusses teamwork as the company’s “secret sauce.” What’s your take on that statement?

    Mark: Truer words were never spoken. Raxis hires people, not positions. We look for folks who care about making a difference more than just making a paycheck. It takes longer to find the right team members, but it’s so worth it when you see how well all our various skillsets complement each other. And, even though we’ve got absurdly talented people here, we don’t have giant egos to deal with. As a result, we’re continuously learning from each other and our customers get the best service possible.

    I don’t take credit for their great work, but I’m certainly proud to be a catalyst for bringing them all onto one team.

  • Meet the Team: Brian Tant, VP of Engineering

    Meet the Team: Brian Tant, VP of Engineering

    I’m Brian Tant, and I serve as Raxis’ VP of Engineering. This week, I’m the subject of our in-house infosec inquisition where I’ll be asked all manner of probing questions intended to give you, the reader, some insight into the machinations of a troubled mind. Normally, I avoid this type of thing, but, after a series of increasingly dire threats from our COO, Bonnie Smyre, I relented.

    Jim: When did you first get into security?

    Brian: Do you want the professional answer or the seedy underground one?

    The professional version is that I started in IT at the ripe age of 17. I lied about my age to get on with a tech staffing company. They made me do a series of placement tests, although back in the day we used paper.

    Jim: [shudders]

    Brian: I know, right? Anyways, I had been doing computer stuff for a while and the tests were pretty basic. I did well enough that I bubbled up to the top of the roster for a big brand company looking for a tech. They brought me in and made me a field technician day one. It was the typical firehose-sippy-cup experience that comes with jumping up a level.

    Fast forward several cubes later. At some point, I found I had a knack for Terminal Server and Citrix and did that for several years. My last deployment was one of the largest Citrix farms in the world at the time: 1000+ servers and 30k concurrent users across the globe.

    Jim: And then?

    Brian: I got bored. How many times a day can you hear the phrase, “I can’t print,” before you start questioning some fundamental life choices? I loved the tech, but the users. Oi.

    Jim: So where does security come into the picture?

    Brian: Ah. For that we have to revisit the dark, seedy part I mentioned earlier. Back in the 90s, the hacker scene was mostly to do with phones and usenet groups. Networks were mostly flat, and email was a cool idea that would never take off. My taste for mischief found a home in that community. Twenty-some-odd years later I decided to rekindle that and found that there was a whole sector of talented folks that shared a passion for devious tinkering.

    Jim: And the rest of the story?

    Brian: As a Raxis Paul Harvey would say…

    Jim: Wow.

    Brian: Yep. I am that dork. Mark (our esteemed CEO) took a chance and brought me onboard Raxis early on. We were tiny, but eventually found our voice. Since then, we’ve grown, and I’ve been privileged to be a part of building something special. What we have here is a real sense of family. I can’t imagine being anywhere else.

    Brian doing literally what he’s often suspected of doing figuratively.

    Jim: Switching gears. If there is one thing I’ve learned working with Raxis it’s that you guys roll hammer down all day. The pace is frenzied, and things are always changing. How do you unplug?

    Brian: As my wife will tell you, I have a problem with hobbies.

    Jim: Oh?

    Brian: Most of them tend to connect with farming or agriculture in some way. We have a small homestead where we keep bees, goats, worms, chickens and an indeterminate number of dogs and cats at any given time. I sit on the board of directors for the local farm bureau and chair the beekeeping club.

    Jim: No shortage of fur-babies then.

    Brian: I also make wine, mead, soaps, preserves, and have been known to run a still now and again. For a while I even made a podcast that gained a modest following. I do a lot of backpacking and am a master diver.

    Brian spending quality time with his six-legged livestock.

    Jim: Back up; a still as in moon-

    Brian: As in alternative fuel for small engines.

    Jim: [cough] Moving on, if you had to pick a favorite thing about working at Raxis, what would it be?

    Brian: Easy. It’s the people. The people are the heart of this company. Raxis is an ego-free zone. We’re all passionate about what we do, but, unlike most shops, Raxis is built on empowerment. We’re only the best if our people are at their best, and that means we take care of each other. The same holds true with our customers. Our success comes from helping them succeed.

  • Meet the Team: Bonnie Smyre, Chief Operating Officer

    Meet the Team: Bonnie Smyre, Chief Operating Officer

    As Raxis’ chief operating officer, I’ve been busy prodding coworkers to do these meet-the-team interviews. (Looking at you, Brad, Brian, and Mark). Now, it’s my turn for a conversation with our marketing specialist, and the result is the interview below. I’m more accustomed to conducting interviews than giving them, so, if you’re a qualified penetration tester, check out our YouTube channel and our careers page. If Raxis is the type of company you’d like to work with, who knows – maybe I’ll get a chance to interview you.

    Jim: First of all, condolences for your Tar Heels’ recent loss to my Seminoles in football.

    Bonnie: That’s all right. I’m a baseball fan, so North Carolina will get its redemption in the spring – if not before.

    Jim: Really? I wouldn’t picture you as a baseball person. How did you become a fan?

    Bonnie: That started while I was at UNC. I was working as a web and database developer for many years. Baseball just seemed to be an athletic extension of that same mindset. As a game, it fit in with the details, patience, and long-game required to code a complex application from start to finish… and end up with a result that faculty, staff, and students were all happy with.

    Bonnie cheering on her alma mater.

    Jim: I don’t think I’ve ever heard anyone make that connection before. Is that what attracted you to a career in IT in the first place?

    Bonnie: I was a shy bookworm when I was younger. IT was a field I thought would allow me to work independently and not require me to interact as much with other people. However, as I grew in my profession, I realized that I needed to get past that shyness if I wanted to really make a difference.

    Jim: Did that happen naturally, or did you have to work at it?

    Bonnie: Oh, I worked on it. I moved on to a development job at PBS North Carolina (UNCTV while I was there). During our pledge drives, I was usually backstage working on a computer, but occasionally I would be on the phones and on live television. There are people who still tell me they remember seeing me on air.

    Jim: Did that make you more comfortable being in front of people?

    Bonnie: That started me on the path, I think. But the real breakthrough was when I went completely outside my comfort zone and took improv classes for a few years. I was petrified at first, but I met some great people who gave me the courage to get over my fear.

    Jim: I think most people would find that terrifying – to be on stage, all eyes on you, and the pressure to be funny.

    Bonnie: Improv isn’t like stand-up comedy. The whole point is that you are not alone. The team has your back, and you have theirs. It gives you a confidence to just run with what pops into your head and see if it’s funny.

    Jim: Okay, so you’re a veteran IT pro and you’ve got all this improv experience. How did you find your way to Raxis and bring those skills together?

    Bonnie: Our CEO, Mark Puckett, and I were good friends in high school, and I met his wife when her mom and dad were “band parents” for the marching band. (I played the flute.) In 2014, I moved back to the Atlanta area to be closer to my family and began working as a penetration tester at Raxis. When my first PSE (physical security evaluation) job came up, I found that my improv experience helped me think on my feet.

    Jim: So, improv helped you convince people you were someone else and your IT background allowed you to capitalize on that?

    Bonnie pretending to be an elderly woman on stage (l) and for a real-life PSE (r)

    Bonnie: Yep. It’s a bit scary how often people believed me, but the good news is, it was all for educational purposes. Once they see how easy it is for someone to slip past their security, it helps them better understand what they need to do to protect themselves and their companies.

    Jim: Unlike other companies, most of Raxis’ best work has to stay confidential for obvious reasons. In the absence of outside validation, what makes the work fulfilling to you?

    Bonnie: As I’ve grown in this job from pen tester, to project manager, to leading operations, I’ve found that I’m no longer in a shy IT position. Just like my improv team made me feel safe to try new things, the team here at Raxis makes things fun every day. It honestly doesn’t feel like a job. I get to work with great people and do what I love each day.

  • Meet the Team: Scottie Cole, Lead Penetration Tester

    Meet the Team: Scottie Cole, Lead Penetration Tester

    I’m Scottie Cole, and this week, it’s my turn to be interviewed by our marketing specialist. Unlike my Raxis colleagues, I’ve been friends and worked with Jim for well over a decade (that is, if you consider what he does actual ‘work’). What follows is our best attempt at an interview, but it highlights one of the things I like best about this team: For as hard as we work, we also have a lot of fun. If that sounds like an environment that would bring out your best, check out our careers page and learn more about our opportunities.

    Jim: I seem to remember you having much darker hair when we first met.

    Scottie: That’s right! And I seem to remember you actually having hair when we first met.

    Jim: True enough. You were responsible for our internal security at the cybersecurity company where we both worked for many years. Some of our readers might think that would be an easy job or maybe even redundant.

    Scottie: Thanks to you and your marketing people, I always had plenty of new risks to mitigate.

    Jim: You’re welcome.

    Scottie: Seriously, security companies are frequent targets of hackers, so we have to pay extra attention to keeping our own house in order. We have customers counting on us, of course, but we also have our reputation to protect. That raises the stakes and adds a lot of pressure.

    Jim: Given your previous jobs, you were accustomed to working under pressure, right?

    Scottie: I spent several years as a dispatcher, a firefighter, and a law enforcement officer. Those jobs gave me plenty of experience working in high-stress situations. In cybersecurity, the ‘bad guys’ are different, and the fire drills aren’t literal, but the consequences can still be very severe. That’s especially true when you consider how many devices are being connected to the internet now.

    Jim: You’d know that better than most. Your house is like Area 51, except with more electronics.

    Scottie: Well, maybe more radios.

    Jim: That’s right. You’re a ham radio operator. How’d you get into that? More importantly, why?

    Some of Scottie’s ham radio gear

    Scottie: As a dispatcher, I became fascinated with radios. When cell service and other forms of communication go down, the ham operators can continue to broadcast, and that’s an important civil defense benefit. During the terrible hurricane in Puerto Rico, for example, it was the ham operators providing updates to people in the US. Think about how relieved people were to hear that their loved ones were okay. Or how important it was to know what relief supplies were needed where.

    Jim: Is that how you found your way into the IT security world?

    Scottie: That was actually more by chance than by design. As you remember, our former company was growing fast, especially in the early days. They needed help, so a friend of mine offered me an opportunity to join the team and learn about infosec. Being a first responder was a great job, but cybersecurity offered better pay and more predictable hours… in theory.

    Jim: I’ve asked other team members how they found Raxis, but as I understand it, Raxis found you.

    Scottie: That’s right. In my previous job, I didn’t like to take phone calls for security reasons.

    Jim: I thought it was only my calls you didn’t take.

    Scottie: There were a lot of reasons I didn’t take your calls. But I was always wary, and the folks at the front desk knew to screen everyone. But (Raxis’ COO) Bonnie Smyre actually got me on the phone to talk about doing a penetration test for us. My first thought was, “She must be really good if she got through that easily.”

    Scottie Cole, drone operator and wannabe surfer

    Jim: Did you hire Raxis for the pentest?

    Scottie: Yep. But I also got to know Bonnie, (VP of business development) Brad Herring, and (CEO) Mark Puckett and realized this is the type of work I want to do, and they are the people I want to work with. As I met other team members, I knew it was a great culture and a great team, so I jumped at the opportunity to join them.

    Jim: What’s your favorite part of the job?

    Scottie: What’s not to like? I get paid to hack into other people’s networks. I get to learn from the best in the business and share what I know with them. It’s an outstanding company in a space that’s becoming a lot more important. When business owners say that a network breach would be more damaging than a fire, you understand just how critical cybersecurity is in our daily lives.

  • What You Need to Know (But Were Afraid to Ask) about Raxis Web App Testing

    What You Need to Know (But Were Afraid to Ask) about Raxis Web App Testing

    What’s special about a Raxis web app test?

    One thing that sets Raxis apart is that our pentesting team is made up of engineers who performed varying roles creating and supporting IT systems before they became pentesters. This includes several engineers who have strong backgrounds in software and web development.

    Even better, Raxis is proud to have a close-knit team of pentesters who collaborate and share their ever-growing knowledge with each other and with our customers. You may have a former web developer performing your test, and that person can easily reach out to a former network admin. Together they can advise on the most secure web app features as well as on how the supporting network should be configured securely.

    Our customers repeatedly tell us how much they appreciate this because it directly translates to relevant, actionable findings. It also encourages natural conversation between their development teams and the security engineers here at Raxis.

    How does this collaboration help customers?

    A recent test we conducted provides a great example: We identified several findings, and the customer was very pleased with the process. Upon follow-up, our sales team found out that the customer saw a small performance reduction after implementing our recommendations. From the customer’s perspective, enhanced security was worth the small drop in performance.

    Because of our development background, however, Raxis’ team members knew that didn’t have to be the case. Our project manager proactively set up a call with the customer to discuss. Result: The customer remediated using Raxis’ advice and regained all of the original performance. They told us they appreciated how Raxis “went the extra mile.”

    To us, that’s just business as usual.

    How many application tests do we do?

    Customers often ask about our application testing process. Application testing accounts for over 50% of our penetration tests. Last year, we performed over 600 application tests. Like all of our assessments, each test is custom tailored to the customer’s application and overall objectives. This could mean testing the entire app, a portion of the app, or following the app throughout the entire development cycle.

    What is your methodology?

    Like all of our assessments, our application tests are primarily manual attack simulations against a customer’s application. Where you see an email field, we see an opportunity for cross-site scripting. Aside from our own experience and expertise, Raxis applies the OWASP framework to our penetration testing, including (though, of course not limited to) the following assessment categories:

    • Access Control
    • Authorization and Authentication
    • Session Management
    • Configuration Management
    • Error Handling
    • Sensitive Data Exposure
    • Input Validation, Injection and Cross-Site Scripting
    • Root Cause Analysis / Reporting

    So, what do I get out of this?

    At the end of a Raxis application assessment you get peace of mind and a solid deliverable. Our reports align with the NIST standard, so they meet regulatory compliance requirements. The reports feature an executive summary, an engagement storyboard (where applicable), and detailed vulnerability findings that include screenshots, risk explanations, remediation recommendations, and risk scoring.

    Is your web app security keeping you awake at night?

    We understand. Just as we are known for excellence in pen testing, we’re also known for our no-pressure sales and scoping process. We get it. We don’t like to be harassed, and we know you don’t either. If you’d like to start a conversation with one of our experts to help understand the possibilities for your project, feel free to reach out. We’d love to help.