enterprisesecuritymag

Raxis: Ethical Hackers Redefining Vulnerability Management

Follow Raxis on :

Mark Puckett, CEO, RaxisMark Puckett, CEO In today's digital world, cybercrime is on an alarming “attack and damage” spree across all industries. Even mighty web fortresses once believed to be indomitable have fallen before today’s hackers with malicious intent who are advancing their tools and tactics to infiltrate the data stores of organizations all over the globe. What better way to defeat such an adversary than to “hack back” and beat them at their own game. As a proponent of ethical hacking, Raxis is at the forefront—harnessing the hacking expertise of their team of exceptional white hat hackers. The Raxis team empowers organizations to test their network security and remove vulnerabilities. From merely focusing on a "reactive protection" approach, Raxis is implementing a more "proactive and aggressive penetration" approach against cybercrime. Complying with the rules of the target organization and the law of the land, team Raxis breaches the security posture of a target organization to repair and reinforce their cybersecurity. With their exceptional hacking expertise, Raxis safeguards some of the largest corporations in the world and emphasizes frequent testing to combat new vulnerabilities, new exploits, and configuration changes.

Vulnerability Management Expertise

The 2018 McAfee and the Center for Strategic and International Studies report highlights the gravity and impact of cybercrime on today’s organizations. Nearly one percent of the global GDP is lost to cybercrime each year. In other words, cybercrime robs the global economy of around $600 billion a year. As a countermeasure, Raxis employs real-world security professionals who have performed actual penetration or pen testing at the highest capacities. "We have a collaborative and professional team comprised of individuals with broad areas of expertise," states Scott Sailors, VP of Security Consulting at Raxis. Laying a sturdy foundation for the company's success and growth, Raxis' team of seasoned and credentialed pen testers are comprised of offensive security certified professionals (OSCP), certified information systems security professionals (CISSP), certified information security managers (CISM), and more.

"We hack the client to see how far we can get, validate findings, and help them plan ahead"

Backed by such accredited expertise, Raxis considers it imperative to fully understand a problem in order to solve it, while remaining cognizant to the fact that each company interprets and conducts vulnerability management differently. Raxis initiates the process by listening to the client in order to understand what they want to accomplish as well as the reasons, such as regulatory requirements or a data breach, that have compelled a client to test their vulnerabilities. "We hack the client, see how far we can get, validate findings, and help them plan ahead. We also help with remediation and training," says Sailors. He adds, "We are able to breach 85 percent of our customers and provide a remediation recommendation for all of our findings. Each day means a new vulnerability and we are continuously working with our customers to combat the new and make it harder for us to attack the old in subsequent tests." Raxis customizes their services as per their clients' requirements, works closely with clients to meet compliance regulations, and provides a hardware device called the Raxis Transporter that offers unfiltered Layer 2 access to the target customer network.

Baseline Security Assessment is letting clients see vulnerabilities they didn't even realize existed


Unmasking and Mending Vulnerabilities

Raxis recognizes that penetration testing is much more than vulnerability scans. Beyond vulnerability scanning and deploying patches, optimal security hygiene also includes frequent testing to remove weaknesses such as a small security vulnerability that is likely an oversight, a newly published issue, or a configuration error, that can lead to a full and total system compromise. "Exploits can lead to more exploits. What may appear like a single vulnerability on a low value system may possibly be leveraged to pivot to other higher value targets or could be chained together with other vulnerabilities," points out Sailors. The penetration testing team at Raxis conducts a hack attempt against the client's systems using manual testing techniques, including vulnerability/ code exploitation and exfiltration of data. Raxis specializes in various types of penetration testing for the external network, internal network, wireless network, web and mobile applications, REST/SOAP API, and embedded systems, as well as Social Engineering such as phishing and onsite physical security testing. In addition, with the service of Transporter remote access, on-site engineers, and cloud-friendly pen testing, Raxis can securely perform any type of pen testing anywhere around the world.

Alongside maintaining a balance between the client's information security and business goals, Raxis' penetration methodology complies with NIST 800-115. With the advanced firewall/IPS validation service, Raxis offers an efficient evaluation of the effectiveness of the client's system controls and vulnerabilities that need rectification. The company also provides network scans, monthly point-in-time assessments, latest threat scans, full vulnerability scans, and more.

The team at Raxis offers a variety of valuable services to guard both their clients' infrastructure and information. These comprise vulnerability management, email and phone phishing, incident response and threat hunting, secure code review, security consulting, and more. Raxis leverages social engineering campaigns to find exactly where clients' human element vulnerabilities are and encourages better training and additional technical controls to remediate the findings.

"Our managed vulnerability scanning service is a combination of automation and manual process which greatly reduces the number of false-positives and irrelevant findings," states Sailors. Custom authored penetration testing reports with screenshots provided from actual evidence enable Raxis' clients to recreate the hack on their own systems and to learn how they can protect them. The executive summary, created by expert security engineers, lists remediation steps to help the client resolve the issues and maintain security across a number of industries including banking and financial, energy and utilities, medical and healthcare, PCI and retail, as well as software development.

Raxis also caters to small businesses that are unable to afford large expensive assessments. With their Baseline Security Assessment (BSA), an automated scan, Raxis scans the clients’ internal and external networks. "BSA helps organizations that are unable to afford a full-time IT person and much less a full-time security person; it's letting them see vulnerabilities they didn't even realize existed," explains Sailors.
Scott Sailors, VP of Security Consulting, RaxisScott Sailors, VP of Security ConsultingThrough their security consulting services, Raxis guides companies irrespective of size, to overcome vulnerabilities and mitigate risks. Consultants with PCI-DSS expertise and NERC CIP certification enable clients to comply with the changing PCI standards for the development of an optimal cardholder data environment, mitigation planning, and more. Raxis competently provides consulting services that help clients develop or modify security programs and customizes their services as per the clients' security requirements.

Raxis insightfully acknowledges the importance for a customer to determine risks vs. costs. For instance, in the healthcare domain, highly expensive healthcare scanning machines may be running on an older version of the operating system that is vulnerable due to the lack of regular updates by manufacturers. In such cases, Raxis explores the client's operating systems and network and helps determine if there is some way they can segment the vulnerable device off the network to mitigate the risk it poses to the rest of the network. Raxis conducts its work in healthcare to help ensure regulatory compliance to PHI and HIPAA.
Exhibiting its competence in the financial industry, Raxis recently showcased its vulnerability management expertise to a client that handles very large financial transactions between their customers and vendors. In order to see where they might have vulnerabilities on their network, the client deployed the services of Raxis to undertake penetration testing. In the process, Raxis utilized a technique called malice tracking wherein the client's network is scanned with a device for vulnerable units that can be injected with commands. Raxis leveraged the technique, commanded the client's computer to connect back to them, captured the password hash for a low-level user, and cracked it to reveal the clear text password. Within two to three hours, Raxis had access to all of the client's data, comprising their customer information, HR information, payroll, and more. Through their smart and skillful services, Raxis forewarned the client about risks to their system, which resulted in the sealing of their vulnerabilities.

Vulnerability Management in Vogue

In the wake of escalating damage inflicted by the rising volume of cybercrime, awareness and education about vulnerability management are a prerequisite to detect and tackle an organization’s vulnerabilities to ensure its security. Sailors notes the marked increase in the level of attention that end users are paying to security— using stronger passwords and being more cautious of cybercrime such as phishing among others—indicating the gradual shift toward enhanced end-user education. Steering ahead, Raxis intends to increase customer awareness of network vulnerabilities to augment cybersecurity vigilance.

Unlike its compeers who merely sell a "pen test", Raxis aspires to do their clients justice with vulnerability management services that are user-friendly, reliable, and completely fortify an organization's cyber defenses.
- Tenzin Chogkyi
    March 26, 2019
Share this Article:
Raxis

Company
Raxis

Headquarters
Atlanta, GA

Management
Mark Puckett, CEO and Scott Sailors, VP of Security Consulting

Description
Provides penetration testing, risk assessments, incident response, and social engineering services to enable vulnerability management for Fortune 500 to SMB companies