What kind of grading scale will you use? A through F or maybe a 1 to 10 type scale? I am very interested in your services!
On Dec 20, 2007 10:09 AM, Kurt Dillard <[EMAIL PROTECTED]> wrote:
>
> Because it's absurd to write a review for a service without actually
> experiencing the service. The original poster's messages have only had
> entertainment value; they've had no value from an information security
> perspective. If you'd like to provide a link to your MSN profile and
> Facebook pages I'll write up a resume for you. Does that sound like a good
> idea?
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Epic
> Sent: Thursday, December 20, 2007 11:56 AM
> To: c0redump
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
>
> Isn't ANY review subjective to opinion? I do not understand the basis of
> this flame. It appears to me that a lot of the reviews on this site offer
> some great insight into the companies being presented. Granted, it is an
> opinion, but that is what a blog is, isn't it?
>
> On 12/20/07, c0redump <[EMAIL PROTECTED]> wrote:
> >
> > Exactly. Your 'grading' is based on your personal opinion.
> >
> > Do us all a favour and get a proper job.
> >
> > ----- Original Message -----
> > From: "guiness.stout" <[EMAIL PROTECTED]>
> > To: <full-disclosure@lists.grok.org.uk>
> > Sent: Thursday, December 20, 2007 2:05 PM
> > Subject: Re: [Full-disclosure] [Professional IT Security Providers -Exposed] Cybertrust ( C + )
> >
> > > I'm not really clear on how you are grading these companies. I've had
> > > no personal experience with them, but I don't decide a company's
> > > quality of work simply by their website and what information I get
> > > from some customer support person. These "grades" seem pointless and
> > > frankly unfounded. You should reword your grading system to specify
> > > the ease of use of their websites and not the service they provide,
> > > especially if you haven't ordered any services from them. I'm not
> > > defending anyone here, just pointing out some flaws in this "grading."
> > >
> > > On Dec 20, 2007 12:11 AM, secreview <[EMAIL PROTECTED]> wrote:
> > > >
> > > > One of our readers made a request that we review Cybertrust
> > > > ("http://www.cybertrust.com"). Cybertrust was recently acquired by
> > > > Verizon and as a result this review was a bit more complicated and
> > > > required a lot more digging to complete (in fact it's now Cybertrust
> > > > and Netsec). Nevertheless, we managed to dig information specific to
> > > > Cybertrust out of Verizon representatives. We would tell you that we
> > > > used the website for information collection, but in all reality the
> > > > website was useless. Not only was it horribly written and full of
> > > > marketing fluff, but the services were not clearly defined.
> > > >
> > > > As an example, when you view the Cybertrust services in their
> > > > drop-down menu you are presented with the following service
> > > > offerings: Application Security, Assessments, Certification,
> > > > Compliance/Governance, Consulting, Enterprise Security, Identity
> > > > Management, Investigative Response/Forensics, Managed Security
> > > > Services, Partner Security Program, Security Management Program, and
> > > > SSL Certificates. The first thing you think is "what the hell?"; the
> > > > second is "ok, so they offer 12 services".
> > > >
> > > > Well, as you dig into each service you quickly find out that they do
> > > > not offer 12 services, but instead they have 12 links to 12 different
> > > > pages full of marketing fluff. As you read each of the pages in an
> > > > attempt to wrap your mind around what they are offering as
> > > > individually packaged services, you're left with more questions than
> > > > answers. So again, what the hell?
> > > >
> > > > Here's an example. Their "Application Security" service page does not
> > > > contain a description about a Web Application Security service. In
> > > > fact, it doesn't even contain a description about a System
> > > > Software/Application security service. Instead it contains a super
> > > > high level, super vague and fluffy description that covers a really
> > > > general idea of "Application" security services. When you really read
> > > > into it you find out that their Application Security service should
> > > > be broken down into multiple different defined service offerings.
> > > >
> > > > Even more frustrating is that their Application Security service is a
> > > > consulting service and that they have a separate service offering
> > > > called Consulting. When you read the description for Consulting, it
> > > > is also vague and mostly useless, but does cover the "potential" for
> > > > Application Security.
> > > >
> > > > So, trying to learn anything about Cybertrust from their web page is
> > > > like trying to pull teeth out of a possessed chicken. We decided that
> > > > we would move on and call Cybertrust to see what we could get out of
> > > > them with a conversation. That proved to be a real pain in the ass
> > > > too, as their website doesn't list any telephone numbers. We ended up
> > > > calling Verizon and after talking to 4 people we finally found a
> > > > Cybertrust representative.
> > > >
> > > > At last, a human being that could provide us with useful information
> > > > and answers to our questions about their services. We did receive
> > > > about 2 MB of materials from our contact at Cybertrust, but the
> > > > materials were all marketing fluff, totally useless. That being said,
> > > > our conversation with the representative gave us a very clear
> > > > understanding of how Cybertrust delivers their services. In all
> > > > honesty, we were not all that impressed.
> > > >
> > > > Cybertrust does perform their own Vulnerability Research and
> > > > Development (or so we were told) under the umbrella of ICSAlabs,
> > > > which they own. Usually we'd say that this is great because that
> > > > research is often used to augment services and enhance overall
> > > > service quality. With respect to Cybertrust, we couldn't find out
> > > > what they were doing with their research. They just told us that they
> > > > don't release advisories and then refused to tell us what they did
> > > > with the research.
> > > >
> > > > When we asked them about their services and testing methodologies, we
> > > > were first told that they couldn't discuss that. We were told that
> > > > their methodologies were confidential. But after a bit of Social
> > > > Engineering and sweet talking we were able to get more information...
> > > >
> > > > As it turns out, the majority of the Cybertrust services rely on what
> > > > they say are proprietary automated scanners which were developed
> > > > in-house. Their methodology is to run the automated scanners against
> > > > a specific target or set of targets, and then to pass the results to
> > > > a seasoned professional. That professional then verifies the results
> > > > via manual testing and produces a report that contains the vetted
> > > > results.
> > > >
> > > > This methodology doesn't really offer any depth and doesn't do much
> > > > to raise the proverbial security bar. In fact, it is only slightly
> > > > better than running a Qualys scan, changing the wording of the
> > > > report, and delivering that. Quality methodologies should contain no
> > > > more than 20% automated testing and no less than 80% manual testing.
> > > > Vulnerability discovery should be done via manual testing, not just
> > > > via automated testing.
> > > >
> > > > In defense of Cybertrust, they did say that they would test in
> > > > accordance with the customer's requirements. They also did say that
> > > > if the customer wanted 100% manual testing that they would do it. If
> > > > they want 100% automated "rubber stamp of approval" testing they
> > > > would do that too. Saying it is a lot different than doing it though,
> > > > and we weren't impressed with their standard/default testing
> > > > methodology as previously mentioned.
> > > >
> > > > It is important to note that Cybertrust is also a full service
> > > > security provider. They offer a wide range of services, from
> > > > supporting secure product development services, to security testing,
> > > > and even forensic services. With that said, their services do not
> > > > seem to be anything special. In fact, they seem to be just about
> > > > average short of their horrible website and overwhelming marketing
> > > > fluff.
> > > >
> > > > It is our recommendation that you choose a different provider if you
> > > > are looking for well defined, high quality services. Cybertrust is
> > > > cloaked in a thick layer of marketing fluff and frankly doesn't seem
> > > > to be very easy to work with. That being said, they were also not
> > > > easy to review. If you disagree with this post or have worked with
> > > > Cybertrust in the past, then please leave us a comment. We're going
> > > > to give Cybertrust a "C", but if you can convince us that they
> > > > deserve a different grade then we'll revise our opinion.
> > > >
> > > > Thanks for reading.
> > > >
> > > > --
> > > > Posted By secreview to Professional IT Security Providers - Exposed at
> > > > 12/19/2007 07:32:00 PM
> > > > _______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/