Message-Id: <20071220172652.89AB922846@mailserver9.hushmail.com>
Date: Thu, 20 Dec 2007 12:26:52 -0500
From: "SecReview" <secreview@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>,<guinness.stout@...il.com>
Subject: Re: [Professional IT Security Providers - Exposed] Cybertrust ( C + )
Greetings list.

We've had an abundant amount of questions and challenges with
respect to the grades that we give to businesses. As a result we
will be posting a grade key on our site in the near future.

At the risk of being redundant, our opinions of companies are
formed by approaching the companies as prospective buyers. We have
deep technical conversations with managers and team leaders
whenever possible. In conjunction with that we collect a wide array
of information including but not limited to sample reports, testing
methodologies, team overviews, web page content, research
performed, and in some cases even proposals.

Even with that, our reviews are not perfect, which is why we are
willing to change our opinion provided that someone can help us
change it legitimately. It is also for this reason that we allow
people to post comments to the blog based on their experience with
particular companies.

It is good to say that so far, based on comments from readers,
we've been spot on with our reviews. We have yet to have anyone
prove to us that our reviews were wrong, bad, or unfair. Sure we've
had the teenage trolls bashing us, but they really don't count.

If you (the list) would like to see us change our grading from A to
F to something else, then please provide us with an example of what
you'd like. If enough people request it then we'll set up a vote
and choose a different standard.

Other than that, keep reading the blog and we'll post our key soon.
For now just remember A == Best and F == Worst... but then again,
isn't that obvious?

Once we collect those materials
On Thu, 20 Dec 2007 09:05:36 -0500 "guiness.stout"
<guinness.stout@...il.com> wrote:
>I'm not really clear on how you are grading these companies. I've had
>no personal experience with them but I don't decide a company's
>quality of work simply by their website and what information I get
>from some customer support person. These "grades" seem pointless and
>frankly unfounded. You should reword your grading system to specify
>the ease of use of their websites and not the service they provide.
>Especially if you haven't ordered any services from them. I'm not
>defending anyone here just pointing out some flaws in this
>"grading."
>
>On Dec 20, 2007 12:11 AM, secreview <secreview@...hmail.com> wrote:
>> One of our readers made a request that we review Cybertrust
>> ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon
>> and as a result this review was a bit more complicated and required a lot
>> more digging to complete (In fact it's now Cybertrust and Netsec).
>> Nevertheless, we managed to dig information specific to Cybertrust out of
>> Verizon representatives. We would tell you that we used the website for
>> information collection, but in all reality the website was useless. Not
>> only was it horribly written and full of marketing fluff, but the services
>> were not clearly defined.
>>
>> As an example, when you view the Cybertrust services in their drop down
>> menu you are presented with the following service offerings: Application
>> Security, Assessments, Certification, Compliance/Governance, Consulting,
>> Enterprise Security, Identity Management, Investigative
>> Response/Forensics, Managed Security Services, Partner Security Program,
>> Security Management Program, and SSL Certificates. The first thing you
>> think is "what the hell?" the second is "ok so they offer 12 services".
>>
>> Well as you dig into each service you quickly find out that they do not
>> offer 12 services, but instead they have 12 links to 12 different pages
>> full of marketing fluff. As you read each of the pages in an attempt to
>> wrap your mind around what they are offering as individually packaged
>> services you're left with more questions than answers. So again, what the
>> hell?
>>
>> Here's an example. Their "Application Security" service page does not
>> contain a description about a Web Application Security service. In fact,
>> it doesn't even contain a description about a System Software/Application
>> security service. Instead it contains a super high level, super vague and
>> fluffy description that covers a really general idea of "Application"
>> security services. When you really read into it you find out that their
>> Application Security service should be broken down into multiple
>> different defined service offerings.
>>
>> Even more frustrating is that their Application Security service is a
>> consulting service and that they have a separate service offering called
>> Consulting. When you read the description for Consulting, it is also
>> vague and mostly useless, but does cover the "potential" for Application
>> Security.
>>
>> So, trying to learn anything about Cybertrust from their web page is like
>> trying to pull teeth out of a possessed chicken. We decided that we would
>> move on and call Cybertrust to see what we could get out of them with a
>> conversation. That proved to be a real pain in the ass too as their
>> website doesn't list any telephone numbers. We ended up calling Verizon
>> and after talking to 4 people we finally found a Cybertrust
>> representative.
>>
>> At last, a human being that could provide us with useful information and
>> answers to our questions about their services. We did receive about 2mb
>> of materials from our contact at Cybertrust, but the materials were all
>> marketing fluff, totally useless. That being said, our conversation with
>> the representative gave us a very clear understanding of how Cybertrust
>> delivers their services. In all honesty, we were not all that impressed.
>>
>> Cybertrust does perform their own Vulnerability Research and Development
>> (or so we were told) under the umbrella of ICSAlabs which they own.
>> Usually we'd say that this is great because that research is often used
>> to augment services and enhance overall service quality. With respect to
>> Cybertrust, we couldn't find out what they were doing with their
>> research. They just told us that they don't release advisories and then
>> refused to tell us what they did with the research.
>>
>> When we asked them about their services and testing methodologies, we
>> were first told that they couldn't discuss that. We were told that their
>> methodologies were confidential. But after a bit of Social Engineering
>> and sweet talking we were able to get more information...
>>
>> As it turns out, the majority of the Cybertrust services rely on what
>> they say are proprietary automated scanners which were developed
>> in-house. Their methodology is to run the automated scanners against a
>> specific target or set of targets, and then to pass the results to a
>> seasoned professional. That professional then verifies the results via
>> manual testing and produces a report that contains the vetted results.
>>
>> This methodology doesn't really offer any depth and doesn't do much to
>> raise the proverbial security bar. In fact, it is only slightly better
>> than running a Qualys scan, changing the wording of the report, and
>> delivering that. Quality methodologies should contain no more than 20%
>> automated testing and no less than 80% manual testing. Vulnerability
>> discovery should be done via manual testing, not just via automated
>> testing.
>>
>> In defense of Cybertrust, they did say that they would test in accordance
>> with the customer's requirements. They also did say that if the customer
>> wanted 100% manual testing that they would do it. If they want 100%
>> automated "rubber stamp of approval" testing they would do that too.
>> Saying it is a lot different than doing it though and we weren't
>> impressed with their standard/default testing methodology as previously
>> mentioned.
>>
>> It is important to note that Cybertrust is also a full service security
>> provider. They offer a wide range of services from supporting secure
>> product development services, to security testing, and even forensic
>> services. With that said, their services do not seem to be anything
>> special. In fact, they seem to be just about average short of their
>> horrible website and overwhelming marketing fluff.
>>
>> It is our recommendation that you choose a different provider if you are
>> looking for well defined, high quality services. Cybertrust is cloaked in
>> a thick layer of marketing fluff and frankly doesn't seem to be very easy
>> to work with. That being said, they were also not easy to review. If you
>> disagree with this post or have worked with Cybertrust in the past, then
>> please leave us a comment. We're going to give Cybertrust a "C" but if
>> you can convince us that they deserve a different grade then we'll revise
>> our opinion.
>>
>> Thanks for reading.
>>
>> --
>> Posted By secreview to Professional IT Security Providers - Exposed at
>> 12/19/2007 07:32:00 PM
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
Regards,
The Secreview Team
http://secreview.blogspot.com
Professional IT Security Service Providers - Exposed