Cybercriminals develop new, sophisticated threats or keep upgrading existing ones, and that’s their full-time job. So it’s no surprise that we see advanced malware variants appear every other day and that the number of successful infections is growing exponentially.
While regular computer users can protect their desktop and mobile devices by installing antivirus software, companies are much more prone to attacks and a single security solution is often not enough. For effective protection, businesses must identify the weak spots on their systems that can be exploited by cyberattacks.
Today, we asked the Principal Security Engineer at Raxis, Brian Tant, to tell us more about penetration testing and how it can improve the company’s security posture.
What has the journey been like since your launch back in 2011?
Our CEO, Mark Puckett, created Raxis to fill a huge unmet need for high-quality, real-world penetration testing that could truly challenge Fortune 500 networks. Both of us came from the infosec world at a major corporation and we saw the threats evolving and becoming more sophisticated, but the pentest companies weren’t. The market was dominated by companies selling repackaged vulnerability scans or doing checkbox assessments.
What surprises me most is that we’re still seeing that today, despite the countless catastrophic breaches we’ve witnessed and the growing potential for a full-scale cyberwar. The good news is that our business has grown rapidly and steadily over the past decade, so more companies are taking cyber threats seriously.
Can you tell us more about what you do? What makes Raxis stand out from the market?
Raxis is a pure-play penetration testing company. We bring a team of experts to the job, with diverse backgrounds and skillsets, so we can often find a way in when other companies can’t. In fact, we’ve been hired to check the work of competitors on occasion. Beyond our technical expertise, we have a deep understanding of how admins, developers, engineers, and cybersecurity professionals approach their work. We’ve been in those roles, so we usually know where the soft spots are and how to exploit them quickly and efficiently.
You take great pride in your Pentest AI solution. Do you think penetration testing can be solely done with the help of AI, or does it need a human approach?
It’s our human team members that make our Pentest AI solution so valuable. Technology can automate, expedite, and expand human capabilities. The difference is in the humans whose skills are being leveraged. If it’s one developer creating a scanning tool one time, that’s as good as it will ever be. Our solution incorporates the best of automated technology with the skills of all our team members as needed, so it will get smarter and better over time – but always with human guidance.
Do you think the current global events influenced the way people perceive cybersecurity?
I’m always hopeful, but we’ve seen so many catastrophic breaches and ransomware attacks over the past few years that companies should know that the serious threats are real and imminent. Maybe Putin’s naked aggression in Ukraine will remind US companies that we still have powerful, sophisticated enemies, who benefit from disrupting our economy.
What types of cyberattacks do you find the most concerning nowadays, and how common are they?
I think all of us in this profession worry about attacks on critical infrastructure – water, electricity, pipelines, and those types of high-value targets. I’m concerned, however, that we’re putting too much emphasis on stopping massive, large-scale attacks against major systems. We need to remember that there are more than 3,000 utility companies in the US. That’s a lot of potential targets, many without strong safeguards in place.
In your opinion, which types of organizations should take penetration testing more seriously?
The short answer, of course, is all of them. But from our experience at Raxis, companies that employ SCADA industrial control systems should do much more testing. That’s also true for organizations that sell or manage connected (IoT) devices. IoT security is still in its infancy, and we’re probably in for some hard lessons at some point before serious consideration is given to securing that sector.
Besides regular penetration tests, what other security measures do you think are essential for every company in this day and age?
Remote work is here to stay for at least some time, so I think enforcing the use of secure VPNs and Multi-factor Authentication (MFA) should be a no-brainer. Battle-tested backup and restoration capability is essential to mitigate the impact of ransomware attacks. And I believe educating employees should be an ongoing process that reinforces the idea that no one can afford to take shortcuts on security.
Talking about individual users, what tools do you think everyone should look into to upgrade their cybersecurity posture?
Multi-factor authentication and a digital password keeper are two steps that individuals can take to dramatically reduce their chances of being hacked. Beyond that, simple awareness about phishing, smishing, and vishing is helpful as well.
Would you like to share what’s next for Raxis?
In many ways, we’re in a technological arms race against the blackhats out there. To stay ahead, we are continuing to innovate and adapt to the threats we see on the horizon and over it. We’re fortunate to have a team of ethical hackers who are enthusiastic about finding new exploits and exposing new threats.