We made an attempt to call Security Metrics and, as a result, sat bored listening to a horrible soft rock song for about 10 minutes, after which point a soft male voice asked us to "Please leave a message". That makes us question how big a company Security Metrics really is. Mind you, the size of a company does not always affect the caliber of its deliverables, only sometimes.
One thing for certain is that Security Metrics does make an effort to "look" bigger than they really are. When you click on their "Contact Us" link you are given phone numbers from all over the world. How is it that a company that "appears" to be global doesn't even answer their phone, especially their sales line? Doesn't seem too global to us.
On the Security Metrics home page there's a tab of what look like services on the right. This tab lists Site Certification, Audits, MasterCard PTS, Appliance, and Acquirers. The only things we understand off the bat from that tab are Audits, MasterCard PTS and Site Certification. But what the hell are Acquirers? (The description for Acquirers reads "Use our proven methodology and Merchant Compliance Console for PCI compliance".)
Clicking on the products tab confirms our suspicions. We are presented with a list of products and services, and the first section under services is "Scanning", which gives us the impression that Security Metrics relies heavily on automation for service delivery. We don't like automated security tests because they are not effective at raising the proverbial security bar. In fact, we feel that automated tests are pretty much useless from a security perspective beyond confirming that the right patches are in place; they do not find the logic flaws, authorization problems and chained weaknesses that a human tester finds. Unfortunately for Security Metrics, their apparent heavy use of automation negatively impacts our opinion of them.
With that being said, we did notice that some of the Security Metrics offerings appear to have manual components, but from what we can tell only a light manual touch is being added. In fact, this is something common to watch out for. Many times a security company will claim that it uses a combination of automated and manual tests to perform security services. Be careful, because often those "manual tests" are as simple as running "telnet host 25" to confirm that the service the scanner flagged is actually listening. If it is, they call the finding a positive; if it is not, they call it a false positive. That is verifying scanner output, not manual testing!
Something that we thought was funny about Security Metrics was the text at the bottom of their consulting page. It reads:
Security Crisis Response
If you have a security emergency such as a website defacement, attacker intrusion, internal employee computer misuse, data theft, data destruction, etc. we can help you resolve these incidents. Contact us at 801.705.5665 for immediate assistance with your urgent security issues.
The reason we think it's funny is that we tried to call them and nobody answered. So much for "Security Crisis Response".
Anyway, Security Metrics does not appear to be a hardcore security company with hardcore security offerings, but at the same time they are not a joke. We feel that Security Metrics falls right in the middle as far as capabilities and service offerings go. They are not going to be able to do much to significantly raise the proverbial security bar, but they will be able to provide you with a lightweight checkup on a regularly scheduled basis.
Score Card

5 comments:
So you're "reviewing" security consultancies by looking at their web sites?
Aside from the obvious explanation - that you're not serious, you're broke, or both - why wouldn't you at least evaluate their actual work and deliverable?
Hell, if you can get any of these companies' sales guys out to lunch, you can usually see staff resumes and sample deliverables for free (plus free lunch!). If you're going to call out security companies for being half-assed, the least you could do is not be half-assed in calling them out.
Incorrect, the website is only a small aspect of what we review. Our standard practice is to read the website, research any names that might exist on the website, call the business and speak with sales or account managers, examine network addresses, search for posts from the companies domains, etc, etc. If we only read the website then we wouldn't be doing much justice.
On the other hand, if you actually read this blog you wouldn't have asked us this question. The answers are in previous posts.
Acquirers is Payment Card Industry (PCI) talk for acquiring banks.
Anonymous, thank you for the clarification. We'll make sure to modify the blog post with your comments. Very much appreciated!
As the comment above noted, acquirers are Visa / MasterCard acquiring institutions. These are the financial underwriters of Visa / MasterCard merchant accounts. Acquirers are responsible for the compliance of their merchants with the Payment Card Industry Data Security Standard.
Security Metrics offers a compliance management solution and other services to acquirers. An acquirer will give Security Metrics a list of the merchants on their program. Security Metrics loads these merchants into a database that tracks PCI compliance. Either the employees of the acquirer or Security Metrics will contact merchants in order to inform them of their obligations under the PCI Data Security Standard. The merchants are then persuaded to use Security Metrics to perform vulnerability assessments (aka scans) and complete an online version of the PCI Self Assessment Questionnaire (as required by Visa and MasterCard). The Security Metrics "Merchant Compliance Console" allows the acquirer to document the compliance of merchants using alternate Visa / MasterCard approved security services.
This service offering is focused on acquirers with merchants who fall in levels 2 through 4 (especially lots of level 4 merchants). The system will send automated emails to merchants who need to service their compliance. This could be merchants that fail scans or need to complete their questionnaires. The system allows acquirers to generate reports showing compliance statistics of their merchant base.
Security Metrics are providing a service that has been mandated by the credit card associations. Writing a scathing article about how the PCI Data Security Standard is worthless because of a reliance on automated scanning would seem more appropriate.
Security Metrics does offer on site audits as well as software application audits. I have no experience with these service offerings. I can say that John Bartholomew, vice president of Security Metrics, is an intelligent and honest business man. I found their service offering superior to similar companies in the PCI standard space, such as ScanAlert.
I used to work for an acquirer that used Security Metrics' "Merchant Compliance Console." It met our requirements as a Visa / MasterCard member institution. One could find faults with it but they could generally be traced back to the PCI Data Security Standard. The console was a good tool for centralizing compliance data and their scanning engine met Visa / MasterCard requirements.
You can basically copy this review and reuse it for the following companies:
- Ambiron Trustwave
- ScanAlert
- ControlCase
I'm sure there are more companies that offer this service to acquirers but I have been out of the electronic payment industry for a while now.