Once your approval is received, your managed environment is penetration tested from the outside of your network, from a black hat's perspective. The report you receive after the testing allows you to better prepare for success.
If existing exploits are found, the attacker's information will be submitted to the US FBI's InfraGard community.
Contracted Black Hat Pentesting
Phases of CyVectors penetration testing activities include:
Discovery and Scanning
Utilize the Testing Results
1. Information Gathering
CyVectors leverages hundreds of information sources and specialized search processes to uncover information about the organization, employees, internal processes, external-facing client resources, and much more. This information is provided as part of the standard pentesting report, allowing the client to contact Internet hosting resources and database owners and have information removed, or to begin the process of taking systems exposed to the outside and moving them into a more internal operational footprint.
CyVectors takes information gathered from phase 1 and monitors related entities for activity. The reconnaissance phase of gray hat or white hat internal pentesting engagements is typically more involved than the black hat (external entity) process provided by CyVectors. In the CyVectors pentest, your penetration tester will identify likely targets by the vertical the company or organization operates in. For example, retail companies would be more likely to have sensitive credit card information, while a healthcare client would be more likely to have sensitive medical records.
3. Discovery and Scanning
CyVectors takes information gathered in phases 1 and 2 and begins to leverage scanning techniques that reveal hosts, hostnames, operating systems, ports and services hosted by the discovered nodes, vulnerable web application folder strategies, paths for initial exploits to be used, and hundreds of other enumerations, scans, and items of scripted and manually collected data. Like any black hat hacker, CyVectors takes every possible measure to stay anonymous and invisible by avoiding firewall, IDS, and other detections during all phases of the penetration testing.
4. Vulnerability Assessment
Once phase 3 data collection concludes, your contracted black hat engineer takes that information and aligns it with vulnerability database entries. This phase is all about the attacker planning the attack, using the path of least resistance, and preparing attacks for delivery.
The attack begins. While continuing to be as discreet as possible, vulnerabilities from previous stages are exploited to the point of exploit pass or fail. CyVectors does not perform post-exploit procedures. Once the vector(s) have been breached, the CyVectors engagement typically ends. Post-exploit exercises should be conducted by a resource with extended contact with the client, using the information provided by CyVectors. The CyVectors value proposition is focused on closing paths of vulnerabilities that are facing outside of the client’s organization, as seen by cyber-criminals, without post-exploit activities interfering with ongoing business operations.
6. Utilize the Testing Results
In the realm of penetration testing, it is widely known that one of the biggest vulnerabilities in the pentesting process is the client’s implementation of the remediation techniques provided by CyVectors, or any other cyber security organization. Your CyVectors penetration test reporting takes this into account and provides remediation in terms that make sense to executives, IT staff, and security teams. Decades of experience in information technology, operations engineering, software coding, and security practices allow CyVectors to offer actual commands for remediation techniques, vendor-specific recommendations, and business process improvement with as little interruption as possible to existing business goals.
Please read this notice before contacting CyVectors
If you believe you are the victim of a cyber crime, please notify IC3 using this simple form to file a report before contacting CyVectors. If you need help determining if a cyber-related crime has been committed, please continue.
If you suspect that your computer and/or surrounding home or office network has been compromised, you should assume all email, text, browser activity, and even your keyboard's keystrokes are being monitored. To avoid notifying the cyber-criminal about your contact with CyVectors, do not contact CyVectors using any of these methods. It is also possible that your desktop screen, camera, and microphone are being monitored. The best way to initially contact CyVectors is using the encrypted chat box on the bottom-right of this web page. Provide a phone number or email address where CyVectors may reach you, and a general description of what has brought you to CyVectors for assistance.
Unless you "opt out" within your CyVectors agreement document, network breaches discovered by CyVectors will result in the attacker's information being reported to the US Federal Bureau of Investigation via InfraGard.