Wednesday, December 19, 2007

Cybertrust (C)

One of our readers made a request that we review Cybertrust (http://www.cybertrust.com). Cybertrust was recently acquired by Verizon, and as a result this review was a bit more complicated and required a lot more digging to complete (in fact, it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.

As an example, when you view the Cybertrust services in their drop-down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?"; the second is "OK, so they offer 12 services."

Well, as you dig into each service you quickly find out that they do not offer 12 services; instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services, you're left with more questions than answers. So again, what the hell?

Here's an example. Their "Application Security" service page does not contain a description of a Web Application Security service. In fact, it doesn't even contain a description of a System Software/Application Security service. Instead it contains a super high-level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it, you find out that their Application Security service should be broken down into multiple separately defined service offerings.

Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.

So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too, as their website doesn't list any telephone numbers. We ended up calling Verizon and, after talking to 4 people, we finally found a Cybertrust representative.

At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2 MB of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.

Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs, which they own. Usually we'd say that this is great, because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories, and then refused to tell us what they did with the research.

When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of social engineering and sweet talking, we were able to get more information...

As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.

This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated scanning.

In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also said that if the customer wanted 100% manual testing, they would do it. If the customer wants 100% automated "rubber stamp of approval" testing, they would do that too. Saying it is a lot different from doing it, though, and we weren't impressed with their standard/default testing methodology, as previously mentioned.

It is important to note that Cybertrust is also a full-service security provider. They offer a wide range of services, from supporting secure product development, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average, apart from their horrible website and overwhelming marketing fluff.

It is our recommendation that you choose a different provider if you are looking for well-defined, high-quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C", but if you can convince us that they deserve a different grade, then we'll revise our opinion.

Score Card

Thanks for reading.

3 comments:

Anonymous said...

The only reason Verizon purchased Cybertrust was because they had a lucrative PCI-DSS contract with the Fortune 1 two years ago and they wanted it.

Speaking from personal experience, a 'C' for Cybertrust is extraordinarily generous. They have zero respect for physical security protocols; when faced with badge entry, they spent their time sneaking girlfriends in and tailgating full-timers. Not the assessment they were hired to do. They don't supply their own hardware and couldn't secure their own systems during their scans - it took pwning them three times before they begged us to stop so they could "get their work done".

Cybertrust's "custom application" is a joke. It's a stupid telnet/etc. script that they require to have root/admin on all boxes in the scope. When they deploy it, it performs a cursory "security scan", then it freaks out and doesn't know when to quit. It took the Windows admins 18+ months to finally clean it off of the 50k+ machines they left it on; finally had to add a custom PUP and virus signature to the enterprise AV to wipe their buggy, leak- and hole-ridden app out. The only reason the UNIX side didn't fare so poorly was that those admins had a clue and insisted on cleaning up after CT themselves.

What few, poor intelligent souls they have running the back-end are grossly overrun by the l33t k1dd13z Cybertrust sends to client sites. Maybe they've cleaned up since, but they were unprofessional and made more mess than they cleaned. D-

Kevin said...

http://www.cybertrust.com/solutions/vulnerability_threat_management/

Check the last page of this fluffy thing...
About Cybertrust
"Cybertrust is 100 percent focused on information security and 100 percent product and vendor neutral."

The very next paragraph is about nCircle. Doesn't seem very vendor neutral.

Maybe vendor neutral means "we leave our marketing language vague enough to dissuade you from looking deeply into our information."

Anonymous said...

I believe giving Cybertrust a "C" is generous; having them come onsite and conduct an internal VA was a joke. Basically, they ran nCircle and BackTrack 2. The report was a modified template from nCircle, with the modification being plugging in the BackTrack results. Took 8 days for that, for which they provided a "draft" prior to going offsite (no real difference in the reports). They were basically a rubber stamp for management - they did not address real issues and their results did not impact business processes as they should. The onsite person had not heard of OSSTMM as I tried to strike up a discussion on that. I did bring up application security methodology and he basically stated that they utilize SPI Dynamics tools depending on what's requested. I was not impressed either.