Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[Professional IT Security Providers - Exposed] Cybertrust ( C + )
From: secreview <secreview () hushmail com>
Date: Wed, 19 Dec 2007 21:11:09 -0800 (PST)

One of our readers made a request that we review Cybertrust
("http://www.cybertrust.com";). Cybertrust was recently acquired by
Verizon and as a result this review was a bit more complicated and
required a lot more digging to complete (In fact its now Cybertrust and
Netsec). Never the less, we managed to dig information specific to
Cybertrust out of Verizon representatives. We would tell you that we
used the website for information collection, but in all reality the
website was useless. Not only was it horribly written and full of
marketing fluff, but the services were not clearly defined.As an
example, when you view the Cybertrust services in their drop down menu
you are presented with the following service offerings: Application
Security, Assessments, Certification, Compliance/Governance,
Consulting, Enterprise Security, Identity Management Investigative
Response /Forensics, Managed Security Services, Partner Security
Program Security Management Program, and SSL Certificates. The first
thing you think is "what the hell?" the second is "ok so they offer 12
services".Well as you dig into each service you quickly find out that
they do not offer 12 services, but instead they have 12 links to 12
different pages full of marketing fluff. As you read each of the pages
in an attempt to wrap your mind around what they are offering as
individually packaged services you're left with more questions than
answers. So again, what the hell?Here's an example. Their "Application
Security" service page does not contain a description about a Web
Application Security service. In fact, it doesn't even contain a
description about a System Software/Application security service.
Instead it contains a super high level, super vague and fluffy
description that covers a really general idea of "Application" security
services. When you really read into it you find out that their
Application Security service should be broken down into multiple
different defined service offerings.Even more frustrating is that their
Application Security service is a consulting service and that they have
a separate service offering called Consulting. When you read the
description for Consulting, it is also vague and mostly useless, but
does cover the "potential" for Application Security.So, trying to learn
anything about Cybertrust from their web page is like trying to pull
teeth out of a possessed chicken. We decided that we would move on and
call Cybertrust to see what we could get out of them with a
conversation. That proved to be a real pain in the ass too as their
website doesn't list any telephone numbers. We ended up calling verizon
and after talking to 4 people we finally found a Cybertrust
representative.At last, a human being that could provide us with useful
information and answers to our questions about their services. We did
receive about 2mb of materials from our contact at Cybertrust, but the
materials were all marketing fluff, totally useless. That being said,
our conversation with the representative gave us a very clear
understanding of how Cybertrust delivers there services. In all
honesty, we were not all that impressed.Cybertrust does perform their
own Vulnerability Research and Development (or so we were told) under
the umbrella of ICSAlabs which they own. Usually we'd say that this is
great because that research is often used to augment services and
enhance overall service quality. With respect to Cybertrust, we
couldn't find out what they were doing with their research. They just
told us that they don't release advisories and then refused to tell us
what they did with the research.When we asked them about their services
and testing methodologies, we were first told that they couldn't
discuss that. We were told that their methodologies were confidential.
But after a bit of Social Engineering and sweet talking we were able to
get more information...As it turns out, the majority of the Cybertrust
services rely on what they say are proprietary automated scanners which
were developed in-house. Their methodology is to run the automated
scanners against a specific target or set of targets, and then to pass
the results to a seasoned professional. That professional then verifies
the results via manual testing and produces a report that contains the
vetted results.This methodology doesn't really offer any depth and
doesn't do much to raise the proverbial security bar. In fact, it is
only slightly better than running a Qualys scan, changing the wording
of the report, and delivering that. Quality methodologies should
contain no more than 20% automated testing and no less than 80% manual
testing. Vulnerability discovery should be done via manual testing, not
just via automated testing.In defense of Cybertrust, they did say that
they would test in accordance with the customers requirements. They
also did say that if the customer wanted 100% manual testing that they
would do it. If they want 100% automated "rubber stamp of approval"
testing they would do that too. Saying it is a lot different than doing
it though and we weren't impressed with their standard/default testing
methodology as previously mentioned.It is important to note that
Cybertrust is also a full service security provider. They offer a wide
range of services from supporting secure product development services,
to security testing, and even forensic services. With that said, their
services do not seem to be anything special. In fact, they seem to be
just about average short of their horrible website and overwhelming
marketing fluff.It is our recommendation that you choose a different
provider if you are looking for well defined, high quality services.
Cybertrust is cloaked in a thick layer of marketing fluff and frankly
doesn't seem to be very easy to work with. That being said, they were
also not easy to review. If you disagree with this post or have worked
with Cybertrust in the past, then please leave us a comment. We're
going to give Cybertrust a "C" but if you can convince us that they
deserve a different grade then we'll revise our opinion.Thanks for

Posted By secreview to Professional IT Security Providers - Exposed at
12/19/2007 07:32:00 PM
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]