Home page logo

fulldisclosure logo Full Disclosure mailing list archives

[Professional IT Security Providers - Exposed] Pivot Point Security ( A )
From: secreview <secreview () hushmail com>
Date: Sat, 5 Apr 2008 17:49:48 -0700 (PDT)

Pivot Point Security, whose website can be found at
http://www.pvtpt.com, is a provider of Information Security Auditing,
Security Event Management, and Penetration Testing services. We found
them by doing yet another search for “Penetration Testing” on Google.
Unlike some other providers who are afraid to have us look under their
hood, Pivot Point let us right in.The first thing that we are going to
say is that we would recommend Pivot Point over most of the other
companies that we’ve reviewed to date. They are honest about their
capabilities, they do not hide behind a colorful storm of pretty
marketing fluff, and they will not lead you down the wrong path. They
also properly differentiate their services and use the appropriate
terminology in their reports, during telephone conversations, and on
their website. While they do not have most technically advanced
kung-fu, and are not comprised of a team of super hackers, they are
able to deliver services that will help to increase their customers
overall security posture.During the telephone interview that we had
with Pivot Point they told us that they do not have a Vulnerability
Research and Development team. We feel very strongly that providers
should perform Vulnerability Research and Development if they are going
to be offering services like Penetration Testing and Vulnerability
Assessments. This type of research can be used to enhance the quality
of the services being delivered.We can’t however say that Pivot Point
performs no research. According to what we were told during our
telephone call, Pivot Point performs very interesting and useful
research that is focused on security events (firewalls, IDS, VPN,
system logs, proxy logs). Their research is intended to improve the
ability to detect “significant or anomalous” security events out of the
large number of events that most enterprises generate While we know
that most hackers worth their salt can bypass IDS and avoid detection,
we appreciate anyone that is making an effort to further enhance it.Ok,
so we’ve been nice so far and we do like Pivot Point, but we’re going
to be taking a jab at them soon. During our telephone call Pivot Point
made it very clear to us that their primary line of business was not
Penetration Testing or Vulnerability Assessments, but that it was
auditing. Pivot Point views Penetration Testing as a substantiative
form of controls auditing. . Pivot Point acknowledged that they are not
“super hackers” and that there are a limited number of instances where
they will refer a customer to a provider that can provide those types
of services. They will not lie like some providers and offer an
advanced service while delivering a standard service just for the
buck.With that in mind, we did review a sanitized penetration testing
report that was given to us by Pivot Point. Don’t ask us for a copy of
the report because we were asked to keep it confidential and that is
what we plan on doing.Based on a detailed analysis of the report, it
appears that Pivot Point’s methodology for performing Penetration
Testing is as follows. First, Pivot Point will run the Nessus automated
vulnerability scanner against the network or computer being tested.
They will then digest the results from the automated scan and produce a
list of vetted vulnerabilities. Pivot Point makes use of a range of
other reconnaissance/attack tools (e.g., Nikto, Paros, App Detective,
Wire Shark, Cain & Abel, AirCrack) dependent on the project scope and
customer objectives. Once they have those results, they use open source
tools (e.g, Metasploit, pwdump, netcat, hydra) and/or custom scripting
to target the vulnerabilities and attempt to penetrate the devices. The
reports do contain screen shots, and some level of technical
description per discovery. But like Pivot Point told us initially, the
report certainly did not demonstrate an advanced capability with
respect to penetration testing.In addition to the reports we were given
a series of case studies. We don’t particularly care about most case
studies as we consider most of them to be marketing fluff. That is
after all what they are used for, isn’t it?So in closing, we would
recommend Pivot Point to anyone that doesn’t require the level of
assurance that can be provided by a vendor with super depth and
advanced services. Pivot Point will help you to identify “known
security issues”, and they will help you to make sure that you are
locked down with respect to those known issues. It is important to note
that they will not protect you from the unknown or 0-day type issues,
as their services are standard level (but high quality and honesty).
When it comes to performing research and locating 0-day type issues,
they say that they will redirect you to a quality vendor that can
deliver that level of service.As usual we're open to suggestions about
this review. If anything we've written is an untruth or does not
accurately reflect Pivot Point Security let us know (the good and the
bad).Score Card (Click to Enlarge)

Posted By secreview to Professional IT Security Providers - Exposed at
4/05/2008 03:07:00 PM
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • [Professional IT Security Providers - Exposed] Pivot Point Security ( A ) secreview (Apr 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]