<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
</HEAD>
<BODY bgColor=#ffffff>Exactly. Your 'grading' is based on your personal
opinion.<BR><BR>Do us all a favour and get a proper job.<BR><BR>----- Original
Message ----- <BR>From: "guiness.stout" <<A
href="">guinness.stout@gmail.com</A>><BR>To: <<A
href="">full-disclosure@lists.grok.org.uk</A>><BR>Sent: Thursday, December
20, 2007 2:05 PM<BR>Subject: Re: [Full-disclosure] [Professional IT Security
Providers - Exposed] Cybertrust ( C + )<BR><BR><BR>
> I'm not really clear on how you are grading these companies. I've had no personal experience with them but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These "grades" seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this "grading."<BR>
><BR>
> On Dec 20, 2007 12:11 AM, secreview <<A href="">secreview@hushmail.com</A>> wrote:<BR>
>> One of our readers made a request that we review Cybertrust ("<A href="">http://www.cybertrust.com</A>"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.<BR>
>><BR>
>> As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" the second is "ok so they offer 12 services".<BR>
>><BR>
>> Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?<BR>
>><BR>
>> Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.<BR>
>><BR>
>> Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.<BR>
>><BR>
>> So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.<BR>
>><BR>
>> At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.<BR>
>><BR>
>> Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.<BR>
>><BR>
>> When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...<BR>
>><BR>
>> As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.<BR>
>><BR>
>> This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.<BR>
>><BR>
>> In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing that they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though and we weren't impressed with their standard/default testing methodology as previously mentioned.<BR>
>><BR>
>> It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.<BR>
>><BR>
>> It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.<BR>
>><BR>
>> Thanks for reading.<BR>
>><BR>
>> --<BR>
>> Posted By secreview to Professional IT Security Providers - Exposed at<BR>
</BODY></HTML>