Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )

[guiness.stout <guinness.stout () gmail com>]

What kind of grading scale will you use?  A through F or maybe a 1 to
10 type scale?  I am very interested in your services!

On Dec 20, 2007 10:09 AM, Kurt Dillard <kurtdillard () msn com> wrote:
> Because its absurd to write a review for a service without actually
> experiencing the service. The original poster's messages have only had
> entertainment value, they've had no value from an information security
> perspective. If you'd like to provide a link to your MSN profile and
> facebook pages I'll write up a resume for you. Does that sound like a good
> idea?
>
>
>
>
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Epic
>  Sent: Thursday, December 20, 2007 11:56 AM
>  To: c0redump
>  Cc: full-disclosure () lists grok org uk
>
>
>  Subject: Re: [Full-disclosure] [Professional IT Security Providers
> -Exposed] Cybertrust ( C + )
>
>
>
>
>
> Isn't ANY review subjective to opinion?    I do not understand the basis of
> this flame.  It appears to me that a lot of the reviews on this site offer
> some great insight into the companies being presented.   Granted it is an
> opinion, but that is what a blog is isn't it?
>
>
> On 12/20/07, c0redump <c0redump () ackers org uk> wrote:
>
> Exactly.  Your 'grading' is based on your personal opinion.
>
>  Do us all a favour and get a proper job.
>
>  ----- Original Message -----
>  From: "guiness.stout" <guinness.stout () gmail com>
>  To: <full-disclosure () lists grok org uk >
>  Sent: Thursday, December 20, 2007 2:05 PM
>  Subject: Re: [Full-disclosure] [Professional IT Security Providers
> -Exposed]
>  Cybertrust ( C + )
>
>
>  > I'm not really clear on how you are grading these companies.  I've had
>  > no personal experience with them but I don't decide a companies
>  > quality of work simply by their website and what information I get
>  > from some customer support person.  These "grades" seem pointless and
>  > frankly unfounded.  You should reword your grading system to specify
>  > the ease of use of their websites and not the service they provide.
>  > Especially if you haven't ordered any services from them.  I'm not
>  > defending anyone here just pointing out some flaws in this "grading."
>  >
>  > On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote:
>  >> One of our readers made a request that we review Cybertrust
>  >> ("http://www.cybertrust.com";). Cybertrust was recently acquired by
>  >> Verizon
>  >> and as a result this review was a bit more complicated and required a
> lot
>  >> more digging to complete (In fact its now Cybertrust and Netsec). Never
>  >> the
>  >> less, we managed to dig information specific to Cybertrust out of
> Verizon
>  >> representatives. We would tell you that we used the website for
>  >> information
>  >> collection, but in all reality the website was useless. Not only was it
>  >> horribly written and full of marketing fluff, but the services were not
>  >> clearly defined.
>  >>
>  >> As an example, when you view the Cybertrust services in their drop down
>  >> menu
>  >> you are presented with the following service offerings: Application
>  >> Security, Assessments, Certification, Compliance/Governance, Consulting,
>  >> Enterprise Security, Identity Management Investigative Response
>  >> /Forensics,
>  >> Managed Security Services, Partner Security Program Security Management
>  >> Program, and SSL Certificates. The first thing you think is "what the
>  >> hell?"
>  >> the second is "ok so they offer 12 services".
>  >>
>  >> Well as you dig into each service you quickly find out that they do not
>  >> offer 12 services, but instead they have 12 links to 12 different pages
>  >> full
>  >> of marketing fluff. As you read each of the pages in an attempt to wrap
>  >> your
>  >> mind around what they are offering as individually packaged services
>  >> you're
>  >> left with more questions than answers. So again, what the hell?
>  >>
>  >> Here's an example. Their "Application Security" service page does not
>  >> contain a description about a Web Application Security service. In fact,
>  >> it
>  >> doesn't even contain a description about a System Software/Application
>  >> security service. Instead it contains a super high level, super vague
> and
>  >> fluffy description that covers a really general idea of "Application"
>  >> security services. When you really read into it you find out that their
>  >> Application Security service should be broken down into multiple
>  >> different
>  >> defined service offerings.
>  >>
>  >> Even more frustrating is that their Application Security service is a
>  >> consulting service and that they have a separate service offering called
>  >> Consulting. When you read the description for Consulting, it is also
>  >> vague
>  >> and mostly useless, but does cover the "potential" for Application
>  >> Security.
>  >>
>  >> So, trying to learn anything about Cybertrust from their web page is
> like
>  >> trying to pull teeth out of a possessed chicken. We decided that we
> would
>  >> move on and call Cybertrust to see what we could get out of them with a
>  >> conversation. That proved to be a real pain in the ass too as their
>  >> website
>  >> doesn't list any telephone numbers. We ended up calling verizon and
> after
>  >> talking to 4 people we finally found a Cybertrust representative.
>  >>
>  >> At last, a human being that could provide us with useful information and
>  >> answers to our questions about their services. We did receive about 2mb
>  >> of
>  >> materials from our contact at Cybertrust, but the materials were all
>  >> marketing fluff, totally useless. That being said, our conversation with
>  >> the
>  >> representative gave us a very clear understanding of how Cybertrust
>  >> delivers
>  >> there services. In all honesty, we were not all that impressed.
>  >>
>  >> Cybertrust does perform their own Vulnerability Research and Development
>  >> (or
>  >> so we were told) under the umbrella of ICSAlabs which they own. Usually
>  >> we'd
>  >> say that this is great because that research is often used to augment
>  >> services and enhance overall service quality. With respect to
> Cybertrust,
>  >> we
>  >> couldn't find out what they were doing with their research. They just
>  >> told
>  >> us that they don't release advisories and then refused to tell us what
>  >> they
>  >> did with the research.
>  >>
>  >> When we asked them about their services and testing methodologies, we
>  >> were
>  >> first told that they couldn't discuss that. We were told that their
>  >> methodologies were confidential. But after a bit of Social Engineering
>  >> and
>  >> sweet talking we were able to get more information...
>  >>
>  >> As it turns out, the majority of the Cybertrust services rely on what
>  >> they
>  >> say are proprietary automated scanners which were developed in-house.
>  >> Their
>  >> methodology is to run the automated scanners against a specific target
> or
>  >> set of targets, and then to pass the results to a seasoned professional.
>  >> That professional then verifies the results via manual testing and
>  >> produces
>  >> a report that contains the vetted results.
>  >>
>  >> This methodology doesn't really offer any depth and doesn't do much to
>  >> raise
>  >> the proverbial security bar. In fact, it is only slightly better than
>  >> running a Qualys scan, changing the wording of the report, and
> delivering
>  >> that. Quality methodologies should contain no more than 20% automated
>  >> testing and no less than 80% manual testing. Vulnerability discovery
>  >> should
>  >> be done via manual testing, not just via automated testing.
>  >>
>  >> In defense of Cybertrust, they did say that they would test in
> accordance
>  >> with the customers requirements. They also did say that if the customer
>  >> wanted 100% manual testing that they would do it. If they want 100%
>  >> automated "rubber stamp of approval" testing they would do that too.
>  >> Saying
>  >> it is a lot different than doing it though and we weren't impressed with
>  >> their standard/default testing methodology as previously mentioned.
>  >>
>  >> It is important to note that Cybertrust is also a full service security
>  >> provider. They offer a wide range of services from supporting secure
>  >> product
>  >> development services, to security testing, and even forensic services.
>  >> With
>  >> that said, their services do not seem to be anything special. In fact,
>  >> they
>  >> seem to be just about average short of their horrible website and
>  >> overwhelming marketing fluff.
>  >>
>  >> It is our recommendation that you choose a different provider if you are
>  >> looking for well defined, high quality services. Cybertrust is cloaked
> in
>  >> a
>  >> thick layer of marketing fluff and frankly doesn't seem to be very easy
>  >> to
>  >> work with. That being said, they were also not easy to review. If you
>  >> disagree with this post or have worked with Cybertrust in the past, then
>  >> please leave us a comment. We're going to give Cybertrust a "C" but if
>  >> you
>  >> can convince us that they deserve a different grade then we'll revise
> our
>  >> opinion.
>  >>
>  >> Thanks for reading.
>  >>
>  >> --
>  >>  Posted By secreview to Professional IT Security Providers - Exposed at
>  >> 12/19/2007 07:32:00 PM
>  >> _______________________________________________
>  >> Full-Disclosure - We believe in it.
>  >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  >> Hosted and sponsored by Secunia - http://secunia.com/
>  >>
>  >
>  > _______________________________________________
>  > Full-Disclosure - We believe in it.
>  > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  > Hosted and sponsored by Secunia - http://secunia.com/
>  >
>  >
>
>  _______________________________________________
>  Full-Disclosure - We believe in it.
>  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>  Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/