Open Source and information security mailing list archives
Message-ID: <7796947a0712200732v617390e9l49d0b8e227e9d18a@mail.gmail.com>
Date: Thu, 20 Dec 2007 10:32:51 -0500
From: guiness.stout <guinness.stout@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Professional IT Security Providers -Exposed]
	Cybertrust ( C + )

What kind of grading scale will you use?  A through F or maybe a 1 to
10 type scale?  I am very interested in your services!

On Dec 20, 2007 10:09 AM, Kurt Dillard <kurtdillard@....com> wrote:
>
> Because it's absurd to write a review for a service without actually
> experiencing the service. The original poster's messages have only had
> entertainment value, they've had no value from an information security
> perspective. If you'd like to provide a link to your MSN profile and
> Facebook pages I'll write up a resume for you. Does that sound like a good
> idea?
>
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Epic
>  Sent: Thursday, December 20, 2007 11:56 AM
>  To: c0redump
>  Cc: full-disclosure@...ts.grok.org.uk
>
>  Subject: Re: [Full-disclosure] [Professional IT Security Providers
> -Exposed] Cybertrust ( C + )
>
> Isn't ANY review subjective to opinion? I do not understand the basis of
> this flame. It appears to me that a lot of the reviews on this site offer
> some great insight into the companies being presented. Granted it is an
> opinion, but that is what a blog is, isn't it?
>
> On 12/20/07, c0redump <c0redump@...ers.org.uk> wrote:
>
> Exactly.  Your 'grading' is based on your personal opinion.
>
>  Do us all a favour and get a proper job.
>
>  ----- Original Message -----
>  From: "guiness.stout" <guinness.stout@...il.com>
>  To: <full-disclosure@...ts.grok.org.uk>
>  Sent: Thursday, December 20, 2007 2:05 PM
>  Subject: Re: [Full-disclosure] [Professional IT Security Providers
> -Exposed]
>  Cybertrust ( C + )
>
>
>  > I'm not really clear on how you are grading these companies.  I've had
>  > no personal experience with them but I don't decide a company's
>  > quality of work simply by their website and what information I get
>  > from some customer support person.  These "grades" seem pointless and
>  > frankly unfounded.  You should reword your grading system to specify
>  > the ease of use of their websites and not the service they provide.
>  > Especially if you haven't ordered any services from them.  I'm not
>  > defending anyone here, just pointing out some flaws in this "grading."
>  >
>  > On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
>  >> One of our readers made a request that we review Cybertrust
>  >> ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon
>  >> and as a result this review was a bit more complicated and required a lot
>  >> more digging to complete (in fact it's now Cybertrust and Netsec).
>  >> Nevertheless, we managed to dig information specific to Cybertrust out of
>  >> Verizon representatives. We would tell you that we used the website for
>  >> information collection, but in all reality the website was useless. Not
>  >> only was it horribly written and full of marketing fluff, but the services
>  >> were not clearly defined.
>  >>
>  >> As an example, when you view the Cybertrust services in their drop-down
>  >> menu you are presented with the following service offerings: Application
>  >> Security, Assessments, Certification, Compliance/Governance, Consulting,
>  >> Enterprise Security, Identity Management, Investigative Response/Forensics,
>  >> Managed Security Services, Partner Security Program, Security Management
>  >> Program, and SSL Certificates. The first thing you think is "what the
>  >> hell?"; the second is "ok, so they offer 12 services".
>  >>
>  >> Well, as you dig into each service you quickly find out that they do not
>  >> offer 12 services, but instead they have 12 links to 12 different pages
>  >> full of marketing fluff. As you read each of the pages in an attempt to
>  >> wrap your mind around what they are offering as individually packaged
>  >> services you're left with more questions than answers. So again, what the
>  >> hell?
>  >>
>  >> Here's an example. Their "Application Security" service page does not
>  >> contain a description about a Web Application Security service. In fact,
>  >> it doesn't even contain a description about a System Software/Application
>  >> security service. Instead it contains a super high level, super vague and
>  >> fluffy description that covers a really general idea of "Application"
>  >> security services. When you really read into it you find out that their
>  >> Application Security service should be broken down into multiple
>  >> different defined service offerings.
>  >>
>  >> Even more frustrating is that their Application Security service is a
>  >> consulting service and that they have a separate service offering called
>  >> Consulting. When you read the description for Consulting, it is also
>  >> vague and mostly useless, but does cover the "potential" for Application
>  >> Security.
>  >>
>  >> So, trying to learn anything about Cybertrust from their web page is like
>  >> trying to pull teeth out of a possessed chicken. We decided that we would
>  >> move on and call Cybertrust to see what we could get out of them with a
>  >> conversation. That proved to be a real pain in the ass too as their
>  >> website doesn't list any telephone numbers. We ended up calling Verizon
>  >> and after talking to 4 people we finally found a Cybertrust
>  >> representative.
>  >>
>  >> At last, a human being that could provide us with useful information and
>  >> answers to our questions about their services. We did receive about 2 MB
>  >> of materials from our contact at Cybertrust, but the materials were all
>  >> marketing fluff, totally useless. That being said, our conversation with
>  >> the representative gave us a very clear understanding of how Cybertrust
>  >> delivers their services. In all honesty, we were not all that impressed.
>  >>
>  >> Cybertrust does perform their own Vulnerability Research and Development
>  >> (or so we were told) under the umbrella of ICSAlabs, which they own.
>  >> Usually we'd say that this is great because that research is often used
>  >> to augment services and enhance overall service quality. With respect to
>  >> Cybertrust, we couldn't find out what they were doing with their
>  >> research. They just told us that they don't release advisories and then
>  >> refused to tell us what they did with the research.
>  >>
>  >> When we asked them about their services and testing methodologies, we
>  >> were first told that they couldn't discuss that. We were told that their
>  >> methodologies were confidential. But after a bit of Social Engineering
>  >> and sweet talking we were able to get more information...
>  >>
>  >> As it turns out, the majority of the Cybertrust services rely on what
>  >> they say are proprietary automated scanners which were developed
>  >> in-house. Their methodology is to run the automated scanners against a
>  >> specific target or set of targets, and then to pass the results to a
>  >> seasoned professional. That professional then verifies the results via
>  >> manual testing and produces a report that contains the vetted results.
>  >>
>  >> This methodology doesn't really offer any depth and doesn't do much to
>  >> raise the proverbial security bar. In fact, it is only slightly better
>  >> than running a Qualys scan, changing the wording of the report, and
>  >> delivering that. Quality methodologies should contain no more than 20%
>  >> automated testing and no less than 80% manual testing. Vulnerability
>  >> discovery should be done via manual testing, not just via automated
>  >> testing.
>  >>
>  >> In defense of Cybertrust, they did say that they would test in
>  >> accordance with the customer's requirements. They also did say that if
>  >> the customer wanted 100% manual testing that they would do it. If they
>  >> want 100% automated "rubber stamp of approval" testing they would do that
>  >> too. Saying it is a lot different than doing it though, and we weren't
>  >> impressed with their standard/default testing methodology as previously
>  >> mentioned.
>  >>
>  >> It is important to note that Cybertrust is also a full service security
>  >> provider. They offer a wide range of services from supporting secure
>  >> product development services, to security testing, and even forensic
>  >> services. With that said, their services do not seem to be anything
>  >> special. In fact, they seem to be just about average short of their
>  >> horrible website and overwhelming marketing fluff.
>  >>
>  >> It is our recommendation that you choose a different provider if you are
>  >> looking for well defined, high quality services. Cybertrust is cloaked
>  >> in a thick layer of marketing fluff and frankly doesn't seem to be very
>  >> easy to work with. That being said, they were also not easy to review.
>  >> If you disagree with this post or have worked with Cybertrust in the
>  >> past, then please leave us a comment. We're going to give Cybertrust a
>  >> "C" but if you can convince us that they deserve a different grade then
>  >> we'll revise our opinion.
>  >>
>  >> Thanks for reading.
>  >>
>  >> --
>  >>  Posted By secreview to Professional IT Security Providers - Exposed at
>  >> 12/19/2007 07:32:00 PM
>  >> _______________________________________________
>  >> Full-Disclosure - We believe in it.
>  >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  >> Hosted and sponsored by Secunia - http://secunia.com/
>  >>
>  >
>
>
