Re: [Professional IT Security Providers -Exposed] Cybertrust ( C + )

["SecReview" <secreview () hushmail com>]

That will come soon...

On Thu, 20 Dec 2007 10:32:51 -0500 "guiness.stout" 
<guinness.stout () gmail com> wrote:
> What kind of grading scale will you use?  A through F or maybe a 1 
> to
> 10 type scale?  I am very interested in your services!
>
> On Dec 20, 2007 10:09 AM, Kurt Dillard <kurtdillard () msn com> 
> wrote:
> > Because its absurd to write a review for a service without 
> actually
> > experiencing the service. The original poster's messages have 
> only had
> > entertainment value, they've had no value from an information 
> security
> > perspective. If you'd like to provide a link to your MSN profile 
> and
> > facebook pages I'll write up a resume for you. Does that sound 
> like a good
> > idea?
> >
> >
> >
> >
> > From: full-disclosure-bounces () lists grok org uk
> > [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
> Epic
> >  Sent: Thursday, December 20, 2007 11:56 AM
> >  To: c0redump
> >  Cc: full-disclosure () lists grok org uk
> >
> >
> >  Subject: Re: [Full-disclosure] [Professional IT Security 
> Providers
> > -Exposed] Cybertrust ( C + )
> >
> >
> >
> >
> >
> > Isn't ANY review subjective to opinion?    I do not understand 
> the basis of
> > this flame.  It appears to me that a lot of the reviews on this 
> site offer
> > some great insight into the companies being presented.   Granted 
> it is an
> > opinion, but that is what a blog is isn't it?
> >
> >
> > On 12/20/07, c0redump <c0redump () ackers org uk> wrote:
> >
> > Exactly.  Your 'grading' is based on your personal opinion.
> >
> >  Do us all a favour and get a proper job.
> >
> >  ----- Original Message -----
> >  From: "guiness.stout" <guinness.stout () gmail com>
> >  To: <full-disclosure () lists grok org uk >
> >  Sent: Thursday, December 20, 2007 2:05 PM
> >  Subject: Re: [Full-disclosure] [Professional IT Security 
> Providers
> > -Exposed]
> >  Cybertrust ( C + )
> >
> >
> >  > I'm not really clear on how you are grading these companies.  
> I've had
> >  > no personal experience with them but I don't decide a 
> companies
> >  > quality of work simply by their website and what information 
> I get
> >  > from some customer support person.  These "grades" seem 
> pointless and
> >  > frankly unfounded.  You should reword your grading system to 
> specify
> >  > the ease of use of their websites and not the service they 
> provide.
> >  > Especially if you haven't ordered any services from them.  
> I'm not
> >  > defending anyone here just pointing out some flaws in this 
> "grading."
> >  >
> >  > On Dec 20, 2007 12:11 AM, secreview <secreview () hushmail com> 
> wrote:
> >  >> One of our readers made a request that we review Cybertrust
> >  >> ("http://www.cybertrust.com";). Cybertrust was recently 
> acquired by
> >  >> Verizon
> >  >> and as a result this review was a bit more complicated and 
> required a
> > lot
> >  >> more digging to complete (In fact its now Cybertrust and 
> Netsec). Never
> >  >> the
> >  >> less, we managed to dig information specific to Cybertrust 
> out of
> > Verizon
> >  >> representatives. We would tell you that we used the website 
> for
> >  >> information
> >  >> collection, but in all reality the website was useless. Not 
> only was it
> >  >> horribly written and full of marketing fluff, but the 
> services were not
> >  >> clearly defined.
> >  >>
> >  >> As an example, when you view the Cybertrust services in 
> their drop down
> >  >> menu
> >  >> you are presented with the following service offerings: 
> Application
> >  >> Security, Assessments, Certification, Compliance/Governance, 
> Consulting,
> >  >> Enterprise Security, Identity Management Investigative 
> Response
> >  >> /Forensics,
> >  >> Managed Security Services, Partner Security Program Security 
> Management
> >  >> Program, and SSL Certificates. The first thing you think is 
> "what the
> >  >> hell?"
> >  >> the second is "ok so they offer 12 services".
> >  >>
> >  >> Well as you dig into each service you quickly find out that 
> they do not
> >  >> offer 12 services, but instead they have 12 links to 12 
> different pages
> >  >> full
> >  >> of marketing fluff. As you read each of the pages in an 
> attempt to wrap
> >  >> your
> >  >> mind around what they are offering as individually packaged 
> services
> >  >> you're
> >  >> left with more questions than answers. So again, what the 
> hell?
> >  >>
> >  >> Here's an example. Their "Application Security" service page 
> does not
> >  >> contain a description about a Web Application Security 
> service. In fact,
> >  >> it
> >  >> doesn't even contain a description about a System 
> Software/Application
> >  >> security service. Instead it contains a super high level, 
> super vague
> > and
> >  >> fluffy description that covers a really general idea of 
> "Application"
> >  >> security services. When you really read into it you find out 
> that their
> >  >> Application Security service should be broken down into 
> multiple
> >  >> different
> >  >> defined service offerings.
> >  >>
> >  >> Even more frustrating is that their Application Security 
> service is a
> >  >> consulting service and that they have a separate service 
> offering called
> >  >> Consulting. When you read the description for Consulting, it 
> is also
> >  >> vague
> >  >> and mostly useless, but does cover the "potential" for 
> Application
> >  >> Security.
> >  >>
> >  >> So, trying to learn anything about Cybertrust from their web 
> page is
> > like
> >  >> trying to pull teeth out of a possessed chicken. We decided 
> that we
> > would
> >  >> move on and call Cybertrust to see what we could get out of 
> them with a
> >  >> conversation. That proved to be a real pain in the ass too 
> as their
> >  >> website
> >  >> doesn't list any telephone numbers. We ended up calling 
> verizon and
> > after
> >  >> talking to 4 people we finally found a Cybertrust 
> representative.
> >  >>
> >  >> At last, a human being that could provide us with useful 
> information and
> >  >> answers to our questions about their services. We did 
> receive about 2mb
> >  >> of
> >  >> materials from our contact at Cybertrust, but the materials 
> were all
> >  >> marketing fluff, totally useless. That being said, our 
> conversation with
> >  >> the
> >  >> representative gave us a very clear understanding of how 
> Cybertrust
> >  >> delivers
> >  >> there services. In all honesty, we were not all that 
> impressed.
> >  >>
> >  >> Cybertrust does perform their own Vulnerability Research and 
> Development
> >  >> (or
> >  >> so we were told) under the umbrella of ICSAlabs which they 
> own. Usually
> >  >> we'd
> >  >> say that this is great because that research is often used 
> to augment
> >  >> services and enhance overall service quality. With respect 
> to
> > Cybertrust,
> >  >> we
> >  >> couldn't find out what they were doing with their research. 
> They just
> >  >> told
> >  >> us that they don't release advisories and then refused to 
> tell us what
> >  >> they
> >  >> did with the research.
> >  >>
> >  >> When we asked them about their services and testing 
> methodologies, we
> >  >> were
> >  >> first told that they couldn't discuss that. We were told 
> that their
> >  >> methodologies were confidential. But after a bit of Social 
> Engineering
> >  >> and
> >  >> sweet talking we were able to get more information...
> >  >>
> >  >> As it turns out, the majority of the Cybertrust services 
> rely on what
> >  >> they
> >  >> say are proprietary automated scanners which were developed 
> in-house.
> >  >> Their
> >  >> methodology is to run the automated scanners against a 
> specific target
> > or
> >  >> set of targets, and then to pass the results to a seasoned 
> professional.
> >  >> That professional then verifies the results via manual 
> testing and
> >  >> produces
> >  >> a report that contains the vetted results.
> >  >>
> >  >> This methodology doesn't really offer any depth and doesn't 
> do much to
> >  >> raise
> >  >> the proverbial security bar. In fact, it is only slightly 
> better than
> >  >> running a Qualys scan, changing the wording of the report, 
> and
> > delivering
> >  >> that. Quality methodologies should contain no more than 20% 
> automated
> >  >> testing and no less than 80% manual testing. Vulnerability 
> discovery
> >  >> should
> >  >> be done via manual testing, not just via automated testing.
> >  >>
> >  >> In defense of Cybertrust, they did say that they would test 
> in
> > accordance
> >  >> with the customers requirements. They also did say that if 
> the customer
> >  >> wanted 100% manual testing that they would do it. If they 
> want 100%
> >  >> automated "rubber stamp of approval" testing they would do 
> that too.
> >  >> Saying
> >  >> it is a lot different than doing it though and we weren't 
> impressed with
> >  >> their standard/default testing methodology as previously 
> mentioned.
> >  >>
> >  >> It is important to note that Cybertrust is also a full 
> service security
> >  >> provider. They offer a wide range of services from 
> supporting secure
> >  >> product
> >  >> development services, to security testing, and even forensic 
> services.
> >  >> With
> >  >> that said, their services do not seem to be anything 
> special. In fact,
> >  >> they
> >  >> seem to be just about average short of their horrible 
> website and
> >  >> overwhelming marketing fluff.
> >  >>
> >  >> It is our recommendation that you choose a different 
> provider if you are
> >  >> looking for well defined, high quality services. Cybertrust 
> is cloaked
> > in
> >  >> a
> >  >> thick layer of marketing fluff and frankly doesn't seem to 
> be very easy
> >  >> to
> >  >> work with. That being said, they were also not easy to 
> review. If you
> >  >> disagree with this post or have worked with Cybertrust in 
> the past, then
> >  >> please leave us a comment. We're going to give Cybertrust a 
> "C" but if
> >  >> you
> >  >> can convince us that they deserve a different grade then 
> we'll revise
> > our
> >  >> opinion.
> >  >>
> >  >> Thanks for reading.
> >  >>
> >  >> --
> >  >>  Posted By secreview to Professional IT Security Providers - 
> Exposed at
> >  >> 12/19/2007 07:32:00 PM
> >  >> _______________________________________________
> >  >> Full-Disclosure - We believe in it.
> >  >> Charter: http://lists.grok.org.uk/full-disclosure-
> charter.html
> >  >> Hosted and sponsored by Secunia - http://secunia.com/
> >  >>
> >  >
> >  > _______________________________________________
> >  > Full-Disclosure - We believe in it.
> >  > Charter: http://lists.grok.org.uk/full-disclosure-
> charter.html
> >  > Hosted and sponsored by Secunia - http://secunia.com/
> >  >
> >  >
> >
> >  _______________________________________________
> >  Full-Disclosure - We believe in it.
> >  Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >  Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Regards, 
      The Secreview Team
      http://secreview.blogspot.com
      Professional IT Security Service Providers - Exposed

--
Linux Training - Click here.
http://tagline.hushmail.com/fc/Ioyw6h4dF6kmUQwjvkBnduLDmZdXT6KNdqY1JdKtqcR8b3Froa1dNG/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/