Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )

["Kurt Dillard" <kurtdillard () msn com>]

Because its absurd to write a review for a service without actually
experiencing the service. The original poster's messages have only had
entertainment value, they've had no value from an information security
perspective. If you'd like to provide a link to your MSN profile and
facebook pages I'll write up a resume for you. Does that sound like a good
idea?

 

From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Epic
Sent: Thursday, December 20, 2007 11:56 AM
To: c0redump
Cc: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
Cybertrust ( C + )

 

Isn't ANY review subjective to opinion?    I do not understand the basis of
this flame.  It appears to me that a lot of the reviews on this site offer
some great insight into the companies being presented.   Granted it is an
opinion, but that is what a blog is isn't it? 

On 12/20/07, c0redump <c0redump () ackers org uk> wrote: 

Exactly.  Your 'grading' is based on your personal opinion.

Do us all a favour and get a proper job. 

----- Original Message -----
From: "guiness.stout" <guinness.stout () gmail com>
To: <full-disclosure () lists grok org uk >
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed]
Cybertrust ( C + )


> I'm not really clear on how you are grading these companies.  I've had 
> no personal experience with them but I don't decide a companies
> quality of work simply by their website and what information I get
> from some customer support person.  These "grades" seem pointless and 
> frankly unfounded.  You should reword your grading system to specify
> the ease of use of their websites and not the service they provide.
> Especially if you haven't ordered any services from them.  I'm not 
> defending anyone here just pointing out some flaws in this "grading."
>
> On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> wrote: 
> > One of our readers made a request that we review Cybertrust
> > ("http://www.cybertrust.com";). Cybertrust was recently acquired by
> > Verizon 
> > and as a result this review was a bit more complicated and required a lot
> > more digging to complete (In fact its now Cybertrust and Netsec). Never
> > the
> > less, we managed to dig information specific to Cybertrust out of Verizon

> > representatives. We would tell you that we used the website for
> > information
> > collection, but in all reality the website was useless. Not only was it
> > horribly written and full of marketing fluff, but the services were not 
> > clearly defined.
> >
> > As an example, when you view the Cybertrust services in their drop down
> > menu
> > you are presented with the following service offerings: Application 
> > Security, Assessments, Certification, Compliance/Governance, Consulting,
> > Enterprise Security, Identity Management Investigative Response
> > /Forensics,
> > Managed Security Services, Partner Security Program Security Management 
> > Program, and SSL Certificates. The first thing you think is "what the
> > hell?"
> > the second is "ok so they offer 12 services".
> >
> > Well as you dig into each service you quickly find out that they do not 
> > offer 12 services, but instead they have 12 links to 12 different pages
> > full
> > of marketing fluff. As you read each of the pages in an attempt to wrap
> > your
> > mind around what they are offering as individually packaged services 
> > you're
> > left with more questions than answers. So again, what the hell?
> >
> > Here's an example. Their "Application Security" service page does not
> > contain a description about a Web Application Security service. In fact, 
> > it
> > doesn't even contain a description about a System Software/Application
> > security service. Instead it contains a super high level, super vague and
> > fluffy description that covers a really general idea of "Application" 
> > security services. When you really read into it you find out that their
> > Application Security service should be broken down into multiple
> > different
> > defined service offerings. 
> >
> > Even more frustrating is that their Application Security service is a
> > consulting service and that they have a separate service offering called
> > Consulting. When you read the description for Consulting, it is also 
> > vague
> > and mostly useless, but does cover the "potential" for Application
> > Security.
> >
> > So, trying to learn anything about Cybertrust from their web page is like

> > trying to pull teeth out of a possessed chicken. We decided that we would
> > move on and call Cybertrust to see what we could get out of them with a
> > conversation. That proved to be a real pain in the ass too as their 
> > website
> > doesn't list any telephone numbers. We ended up calling verizon and after
> > talking to 4 people we finally found a Cybertrust representative.
> >
> > At last, a human being that could provide us with useful information and 
> > answers to our questions about their services. We did receive about 2mb
> > of
> > materials from our contact at Cybertrust, but the materials were all
> > marketing fluff, totally useless. That being said, our conversation with 
> > the
> > representative gave us a very clear understanding of how Cybertrust
> > delivers
> > there services. In all honesty, we were not all that impressed.
> >
> > Cybertrust does perform their own Vulnerability Research and Development 
> > (or
> > so we were told) under the umbrella of ICSAlabs which they own. Usually
> > we'd
> > say that this is great because that research is often used to augment
> > services and enhance overall service quality. With respect to Cybertrust,

> > we
> > couldn't find out what they were doing with their research. They just
> > told
> > us that they don't release advisories and then refused to tell us what
> > they 
> > did with the research.
> >
> > When we asked them about their services and testing methodologies, we
> > were
> > first told that they couldn't discuss that. We were told that their 
> > methodologies were confidential. But after a bit of Social Engineering
> > and
> > sweet talking we were able to get more information...
> >
> > As it turns out, the majority of the Cybertrust services rely on what 
> > they
> > say are proprietary automated scanners which were developed in-house.
> > Their
> > methodology is to run the automated scanners against a specific target or
> > set of targets, and then to pass the results to a seasoned professional. 
> > That professional then verifies the results via manual testing and
> > produces
> > a report that contains the vetted results.
> >
> > This methodology doesn't really offer any depth and doesn't do much to 
> > raise
> > the proverbial security bar. In fact, it is only slightly better than
> > running a Qualys scan, changing the wording of the report, and delivering
> > that. Quality methodologies should contain no more than 20% automated 
> > testing and no less than 80% manual testing. Vulnerability discovery
> > should
> > be done via manual testing, not just via automated testing.
> >
> > In defense of Cybertrust, they did say that they would test in accordance

> > with the customers requirements. They also did say that if the customer
> > wanted 100% manual testing that they would do it. If they want 100%
> > automated "rubber stamp of approval" testing they would do that too. 
> > Saying
> > it is a lot different than doing it though and we weren't impressed with
> > their standard/default testing methodology as previously mentioned.
> >
> > It is important to note that Cybertrust is also a full service security 
> > provider. They offer a wide range of services from supporting secure
> > product
> > development services, to security testing, and even forensic services.
> > With
> > that said, their services do not seem to be anything special. In fact, 
> > they
> > seem to be just about average short of their horrible website and
> > overwhelming marketing fluff.
> >
> > It is our recommendation that you choose a different provider if you are 
> > looking for well defined, high quality services. Cybertrust is cloaked in
> > a
> > thick layer of marketing fluff and frankly doesn't seem to be very easy
> > to
> > work with. That being said, they were also not easy to review. If you 
> > disagree with this post or have worked with Cybertrust in the past, then
> > please leave us a comment. We're going to give Cybertrust a "C" but if
> > you
> > can convince us that they deserve a different grade then we'll revise our

> > opinion.
> >
> > Thanks for reading.
> >
> > --
> >  Posted By secreview to Professional IT Security Providers - Exposed at
> > 12/19/2007 07:32:00 PM
> > _______________________________________________ 
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________ 
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/