[<prev] [next>] [day] [month] [year] [list]
Message-ID: <00d601c8431c$b2421680$05102dd9@gizmo>
Date: Thu, 20 Dec 2007 15:26:28 -0000
From: "c0redump" <c0redump@...ers.org.uk>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: [Professional IT Security
Providers-Exposed] Cybertrust ( C + )
Exactly. Your 'grading' is based on your personal opinion.
Do us all a favour and get a proper job.
----- Original Message -----
From: "guiness.stout" <guinness.stout@...il.com>
To: <full-disclosure@...ts.grok.org.uk>
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
Cybertrust ( C + )
> I'm not really clear on how you are grading these companies. I've had
> no personal experience with them but I don't decide a companies
> quality of work simply by their website and what information I get
> from some customer support person. These "grades" seem pointless and
> frankly unfounded. You should reword your grading system to specify
> the ease of use of their websites and not the service they provide.
> Especially if you haven't ordered any services from them. I'm not
> defending anyone here just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
>> One of our readers made a request that we review Cybertrust
>> ("http://www.cybertrust.com"). Cybertrust was recently acquired by
>> Verizon
>> and as a result this review was a bit more complicated and required a lot
>> more digging to complete (In fact its now Cybertrust and Netsec). Never
>> the
>> less, we managed to dig information specific to Cybertrust out of Verizon
>> representatives. We would tell you that we used the website for
>> information
>> collection, but in all reality the website was useless. Not only was it
>> horribly written and full of marketing fluff, but the services were not
>> clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down
>> menu
>> you are presented with the following service offerings: Application
>> Security, Assessments, Certification, Compliance/Governance, Consulting,
>> Enterprise Security, Identity Management Investigative Response
>> /Forensics,
>> Managed Security Services, Partner Security Program Security Management
>> Program, and SSL Certificates. The first thing you think is "what the
>> hell?"
>> the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not
>> offer 12 services, but instead they have 12 links to 12 different pages
>> full
>> of marketing fluff. As you read each of the pages in an attempt to wrap
>> your
>> mind around what they are offering as individually packaged services
>> you're
>> left with more questions than answers. So again, what the hell?
>>
>> Here's an example. Their "Application Security" service page does not
>> contain a description about a Web Application Security service. In fact,
>> it
>> doesn't even contain a description about a System Software/Application
>> security service. Instead it contains a super high level, super vague and
>> fluffy description that covers a really general idea of "Application"
>> security services. When you really read into it you find out that their
>> Application Security service should be broken down into multiple
>> different
>> defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a
>> consulting service and that they have a separate service offering called
>> Consulting. When you read the description for Consulting, it is also
>> vague
>> and mostly useless, but does cover the "potential" for Application
>> Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like
>> trying to pull teeth out of a possessed chicken. We decided that we would
>> move on and call Cybertrust to see what we could get out of them with a
>> conversation. That proved to be a real pain in the ass too as their
>> website
>> doesn't list any telephone numbers. We ended up calling verizon and after
>> talking to 4 people we finally found a Cybertrust representative.
>>
>> At last, a human being that could provide us with useful information and
>> answers to our questions about their services. We did receive about 2mb
>> of
>> materials from our contact at Cybertrust, but the materials were all
>> marketing fluff, totally useless. That being said, our conversation with
>> the
>> representative gave us a very clear understanding of how Cybertrust
>> delivers
>> there services. In all honesty, we were not all that impressed.
>>
>> Cybertrust does perform their own Vulnerability Research and Development
>> (or
>> so we were told) under the umbrella of ICSAlabs which they own. Usually
>> we'd
>> say that this is great because that research is often used to augment
>> services and enhance overall service quality. With respect to Cybertrust,
>> we
>> couldn't find out what they were doing with their research. They just
>> told
>> us that they don't release advisories and then refused to tell us what
>> they
>> did with the research.
>>
>> When we asked them about their services and testing methodologies, we
>> were
>> first told that they couldn't discuss that. We were told that their
>> methodologies were confidential. But after a bit of Social Engineering
>> and
>> sweet talking we were able to get more information...
>>
>> As it turns out, the majority of the Cybertrust services rely on what
>> they
>> say are proprietary automated scanners which were developed in-house.
>> Their
>> methodology is to run the automated scanners against a specific target or
>> set of targets, and then to pass the results to a seasoned professional.
>> That professional then verifies the results via manual testing and
>> produces
>> a report that contains the vetted results.
>>
>> This methodology doesn't really offer any depth and doesn't do much to
>> raise
>> the proverbial security bar. In fact, it is only slightly better than
>> running a Qualys scan, changing the wording of the report, and delivering
>> that. Quality methodologies should contain no more than 20% automated
>> testing and no less than 80% manual testing. Vulnerability discovery
>> should
>> be done via manual testing, not just via automated testing.
>>
>> In defense of Cybertrust, they did say that they would test in accordance
>> with the customers requirements. They also did say that if the customer
>> wanted 100% manual testing that they would do it. If they want 100%
>> automated "rubber stamp of approval" testing they would do that too.
>> Saying
>> it is a lot different than doing it though and we weren't impressed with
>> their standard/default testing methodology as previously mentioned.
>>
>> It is important to note that Cybertrust is also a full service security
>> provider. They offer a wide range of services from supporting secure
>> product
>> development services, to security testing, and even forensic services.
>> With
>> that said, their services do not seem to be anything special. In fact,
>> they
>> seem to be just about average short of their horrible website and
>> overwhelming marketing fluff.
>>
>> It is our recommendation that you choose a different provider if you are
>> looking for well defined, high quality services. Cybertrust is cloaked in
>> a
>> thick layer of marketing fluff and frankly doesn't seem to be very easy
>> to
>> work with. That being said, they were also not easy to review. If you
>> disagree with this post or have worked with Cybertrust in the past, then
>> please leave us a comment. We're going to give Cybertrust a "C" but if
>> you
>> can convince us that they deserve a different grade then we'll revise our
>> opinion.
>>
>> Thanks for reading.
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed at
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists