Message-ID: <1197577382986.23636cb3-4110-4b4f-b5a3-29ebb4517393@google.com>
Date: Thu, 13 Dec 2007 12:23:02 -0800 (PST)
From: secreview <secreview@...hmail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [Professional IT Security Providers - Exposed] Cyberklix ( F+ )

We discovered Cyberklix by searching for "Penetration Testing" on
Google, as usual. When we first saw their website we thought that it
looked very professional. We were actually under the impression that
they might end up being an A- or a B+ company. But we were wrong, and
here's why...

Over the course of two days and a dozen calls we were unable to
contact a human at sales. Every time we tried we were directed to a
woman's voice mail. We decided to skip sales and call the Cyberklix
Security Operations Center and were successful. We had a wonderful
conversation with a very smart person in their Security Operations
Center, and as a result, here is what we learned.

The Cyberklix Managed Security Services, with respect to IDS/IPS, are
nothing special. They are using third party technology and tying it
all together with the RSA Envision Engine. Specifically, the
technologies that they are using are Cisco technologies, McAfee IPS
technology, and RSA's Envision engine for correlation. (We would have
used ArcSight instead, as we think it's much better.) Frankly, if we
wanted to choose a provider of Managed IDS/IPS services, we'd want to
see them using at least some proprietary technologies. How else are
they supposed to have a competitive advantage?

We also weren't very impressed with their alerting capabilities. When
we asked them how they alert people about Events of Interest we were
told that they create a ticket in a system. Once the ticket is created
the customer needs to log into the system to evaluate the ticket.
We're sure that there's more to it than that, but that's what we were
told. Yes, the system also has the ability to block or shun attacks,
but that's only if it can detect them. We think that we could probably
attack a Cyberklix customer and evade detection... wanna challenge us?

Anyway, enough on their Managed Security Services. As previously
mentioned, we were unable to contact anyone in sales. So, our opinion
of the Cyberklix Professional Service Capabilities is being forged
strictly from their website and information that we can collect from
Google and other sources. We'd be happy to update our opinion if
someone would provide us with useful information about Cyberklix. So
here it is...

Cyberklix offers Information Security Consulting, Security Policy
Design & Review, Vulnerability Assessment & Remediation, Penetration
Testing, Network Security Architecture & Design, Security Audit,
Project Management Services, Implementation Services, and Computer
Forensics. So, the first thing that struck us as odd was "Project
Management Services". What the hell does that mean, right?

Upon review of their services we discovered that we could eliminate
two of them. We eliminated their Information Security Consulting
Service and their Project Management Services. The Consulting service
offering isn't actually an offering; it's just a repeat of the services
that they offer, and the Project Management service is not a security
service, it is something that should be offered by staffing companies.
So... what the hell?

When we reviewed the services as presented on the Cyberklix website we
realized that they were nothing special, just like their Managed
Security Services. In fact, we're willing to bet that their services
are what we would call "rubber stamp" services and are based on
automation as opposed to true Ethical Hacker talent. We saw no
indication anywhere that Cyberklix was following any sort of strong
testing methodology like the OSSTMM, etc., and as a result we are not
impressed at all.

All in all, our opinion is that Cyberklix services will do little to
nothing to raise the proverbial security bar and protect you from real
world malicious hackers. They might help you to identify common or
known issues, but you could do that yourself by downloading Nessus.
(Oh, and you could also create a better IDS/IPS solution by combining
OSSEC with Prelude and Snort =] for free.) So, we'd recommend spending
your hard earned money with someone else. Sorry Cyberklix...

Oh, and one last thing. The Cyberklix website is SQL Injectable. So
why would anyone hire a company to protect them if they can't even
protect themselves?

--
Posted By secreview to Professional IT Security Providers - Exposed at
12/12/2007 02:39:00 PM