Friday, November 30, 2007

Sword and Shield ( A )

Sword and Shield Enterprise Security ("SSES") offers a wide range of quality Professional Security Services that include Enterprise Security, Compliance/Governance, Penetration Tests, Payment Card Data Security, Incident Handling/Forensics, and Managed Services. When we browsed through their website, we found it to be accurate, well written and truthful.

In fact, we were so impressed with the technical depth and content of their website that we decided to call them while posing as a prospective customer to see what kinds of services they could truly deliver and to see if we could stump them. This usually works because websites often advertise services that can't be delivered in full, but this was not the case with Sword and Shield. They were actually more impressive on the telephone than they were on the web!

Not only were we impressed by their service offerings, but we were also impressed because of the technical depth of the conversation that we were able to have with the Sword and Shield Account Manager. (It's not often that you get a technically capable Account Manager.) We called them asking to remain anonymous, claiming that we were trying to decide on three vendors of interest. This anonymity would turn most vendors off, but not Sword and Shield. They treated us in a respectful manner and answered all of our questions quickly and honestly, including pricing questions! In fact, they even sent us sample reports (which looked pretty good).

When we threw terms at them like evasive testing, distributed metastasis, etc., they didn't even blink. They knew what we were talking about immediately, which is far more than we can say for most Professional IT Security Service Providers. They also have their terminology right. When we asked them for a price quote for a Penetration Test they asked "Are you sure that you want a penetration test? Penetration tests will actually compromise computers." This amazed us because they are the first vendor that we've talked to that properly differentiates Penetration Testing and Vulnerability Assessments. Most vendors sadly don't know the difference.

When focusing on the Sword and Shield homepage we noticed that the writing was professional, clear, technical and accurate. Again, that is more than we can say for most of the Professional IT Security Service Providers. Many providers try to use complex and unclear sentences mixed with technical jargon so that they sound like they know what they are talking about when they really don't. Sword and Shield don't do that; they actually know what they are talking about and take the time to educate their customers and prospects.

The only gripe that we have with Sword and Shield is that they did not fully respect our request to remain anonymous. Shortly after we talked with them and received their sample reports, we received a second email from the Account Manager. He made an attempt at identifying us by searching for "vocovi" on Google, eBay and other places. While we appreciate the fact that he's technical enough to do that, he should have done more homework before jumping to conclusions about who he thought we were. That being said, he did give us another good company to review, which we'll do later.

All in all, we'd recommend Sword and Shield despite their almost impulsive attempt to figure out who we are. They are a capable security company that offers real services and they have the ability to deliver. So Sword and Shield, keep up the good work!

Score Card

Thursday, November 29, 2007

RA Security Systems ( F )

RA Security Systems (http://www.rasecurity.com) offers Managed Information Security Services for Business, Government and Law Enforcement. We found their website the same way that we found the others, with Google.

At first glance our initial opinion of the RA Security Systems website was that it was poorly organized, was written in a very unclear manner, and didn't describe much about the services being offered in any technical way. In fact, the descriptions that we did read either didn't make much sense to us or didn't appear to have much value with respect to IT Security.

For example, when we click on the "Products & Services" tab on the RA Security Systems website, the first thing that we see is a triangle, a list of strange product names on the right, and an opening sentence that reads "The extensive vulnerabilities inherent in today's networked economy require technical and operational infrastructures aligned to unique business environments." We want to ask, does anyone have any idea what that means?

When we decided to review the "Products" to the right of the RA Security Systems website, we didn't feel that much more impressed. For example, their "Log File Analysis" product called "RaBox" doesn't really perform an analysis of your log files. In fact, based on the website description, all that it seems to do is record your log files. Isn't that what syslogd will do if you set it to run without the -s flag, and syslogd is free? So why would anyone buy that? We'd rather use Splunk!

Here's another odd service offering from RA Security Systems. They offer a "Host Intrusion Detection" service with the following description: "RSS maintains the ability to detect files system changes on both Windows, UNIX and Apple hosts (> OSX). This service will not be performed regularly rather on an ad-hoc basis during times of attack mitigation or digital investigation." The service will not be performed regularly? If anyone from RA Security Systems reads this blog, would you be kind enough to explain this to all of us? What do you mean by "not be performed regularly"?

Lastly, when reading the front page of the RA Security website we noticed that they said that they were founded in 1994, back in the day when the movie "Hackers" was cool (well, not really). When we decided to do a "whois rasecurity.com" we saw that the domain was created on April 10th, 2003. How could an IT Security Services Provider that has been in business since 1994 only register its domain in 2003? It just doesn't add up.

Anyway, and as usual, we're not here to bash anyone. We're here to expose the truth about Professional IT Security Service Providers so that you don't find out the hard way. Our reviews will always be honest, direct, and at times harsh or even complimentary. If you end up getting reviewed by us and do not agree with our review, please leave us a comment and we'll listen to what you have to say. Thanks for reading!

Tuesday, November 27, 2007

Sacure Corporation ( F - )

The Sacure Corporation, run by Todd Michael Cohan, claims to be “a leading trusted provider of Managed Security and Professional Security Consulting Services.” Their corporate website can be found at http://www.sacure.com.

According to their web page their service offerings include Managed Security Services, Professional Services, and Consulting Services. Last time we checked Professional Services and Consulting Services were synonymous, so the layout of the Sacure Website seemed a bit strange to us.

That wasn’t the only strange thing. The more we researched Sacure, the more questions we had. For example, most Managed Security Service Providers have a customer portal, especially if they are industry leaders. But when we first started to look into Sacure we only found a fake customer portal. Their fake portal was a simple piece of JavaScript that would display “Access Denied” every time someone tried to log in. Here’s a copy of the actual code:

<input name="Submit" value="Login" onclick="alert('Access Denied!')" type="submit">

When we asked Sacure about their fake portal, they told us it was under construction. Shortly thereafter they changed the customer portal and replaced it with a fake PHP based customer portal! This time when anyone tried to log in they saw a MySQL error instead of a graceful JavaScript error.

Sacure had similar, higher exposure issues with their news page. In fact, Google has caches of the news page and the SQL errors that were displayed when a user tried to view it. Based on our research, the Sacure news page had been broken since at least early August 2007. When we asked Sacure about it they said that they were aware of it and that it had only been broken for about a week. They also said that it was down because it was under construction.
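As an added illustration (this is not Sacure's code and not code from the original post), the following PHP shows the pattern behind the failure mode just described: a login handler that writes the raw MySQL error into the page, beside a hardened handler that keeps the detail in the server log and shows the visitor only a generic message with a correlation id. The host, credentials, table and column names are placeholders.

```php
<?php
// Added example, not code from the original post or from Sacure: a PHP login
// handler that leaks raw database errors to the browser, beside a hardened
// handler that keeps the detail in the server log. Connection parameters,
// table and column names are placeholders.
declare(strict_types=1);

// Never let PHP itself print errors into the page in production.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Make mysqli throw exceptions instead of returning false, so failures cannot
// be silently ignored and every error goes through one catch block.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials; real values belong in a config file outside the web root.
    return new mysqli('db.example.internal', 'portal', 'PLACEHOLDER', 'portal');
}

// Shared lookup: parameterised query, returns the stored hash or null.
function lookupHash(mysqli $db, string $user): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

// Leaky version (the failure mode described above): the exception message,
// which can include the host name, table name and the SQL fragment that
// failed, is written straight into the HTML, where it gets cached and
// indexed like any other page content.
function loginLeaky(string $user, string $pass): string
{
    try {
        $hash = lookupHash(connect(), $user);
        return ($hash !== null && password_verify($pass, $hash))
            ? 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
            : 'Invalid username or password.';
    } catch (mysqli_sql_exception $e) {
        return 'Login failed: ' . $e->getMessage();   // internals leak here
    }
}

// Hardened version: identical logic, but a database failure is logged with a
// short correlation id and the visitor sees only a generic message carrying
// that id, so support can find the log line without exposing it.
function loginHardened(string $user, string $pass): string
{
    try {
        $hash = lookupHash(connect(), $user);
        return ($hash !== null && password_verify($pass, $hash))
            ? 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
            : 'Invalid username or password.';
    } catch (mysqli_sql_exception $e) {
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[portal %s] login db error: %s', $ref, $e->getMessage()));
        http_response_code(503);
        return 'Login is temporarily unavailable (ref ' . $ref . ').';
    }
}

// Minimal driver so the file can be served as-is (placeholder form field names).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo loginHardened((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
}
```

The two handlers differ only in the catch block. With the database unreachable, loginLeaky returns the driver's own message to the browser, which is exactly the kind of page that ends up in a search engine cache; loginHardened returns a fixed sentence and leaves the detail in the error log, where a monitoring process can alert on it.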

The problem is that we know Sacure was notified about the issue on Fri Oct 26 2007 because we have a chat transcript of them being notified. Why didn’t they fix the issue then? Why did they lie about their site only being broken for a week? This wasn’t a complicated issue to fix; you’d think that they could do it quickly.

So this makes us ask: how can “a leading trusted provider of Managed Security and Professional Security Consulting Services” have so many issues with their own website and not know it without being told? How can they possibly protect their clients if they can’t detect issues on their own systems? Why does it take them so long to fix such simple issues if they have so much talent? And why do they keep on telling lies?

According to the Sacure Corporation website, Sacure has a “Security Operations Center” that is state of the art. In conjunction with this, their SOC is located in a highly secure environment. Why is it then that they host their website at GO-DADDY and not from their secure SOC? We think it’s because Sacure lied about their SOC.

Name: sacure.com
Address: 64.202.163.180
CIDR: 64.202.160.0/19
NetName: GO-DADDY-SOFTWARE-INC

After our conversation with Sacure yesterday, Sacure removed the link to their fake customer portal, sort of. If you browse to here and you click on the black space between “Careers” and “Live Help” you’ll see that they didn’t entirely remove the link (but they tried). You’ll see that the link to http://www.sacure.com/customerPortal.php still exists, but that the page itself has been removed.

Anyway, enough of that, let’s dig into the content on their website. We won’t go through all of it because that would be overkill at this point. But we will go through enough to make our point (again).

On their first page: http://www.sacure.com, the introductory content reads:

“Sacure is dedicated to protecting its customers valued assets and resources through a combination of managed, monitored and professional security services. Our highly credentialed security experts apply security disciplines across networks, systems, applications and policies to continually improve our customers security postures. Our proprietary methodology employs a wide range of tools and third party products that can be delivered from our Security Operations Center (SOC) or anywhere in the world.”

We’re not too sure about what they are trying to say here. How does one “apply security disciplines across networks”? And when we asked Sacure who their “highly credentialed security experts” were, they only had one name to give us, which was “Tibi Tajts”. When we Googled Mr. Tajts we couldn’t find anything that showed us that he was an expert; in fact we found the contrary.

According to the following post from Mr. Tajts, he was unable to solve basic file location issues with snort. Mr. Tajts is supposed to be Sacure’s lead talent (according to what we were told by Sacure).

The last point that we will focus on with Sacure is their “Pen Test Whitepaper” which is hosted on their website. This white paper has become a source of many jokes for the hacking community. Here’s just one example of a user finding a serious, but funny issue in the Sacure Whitepaper:

From: alexandre jodoin
Date: Fri, 26 Oct 2007 10:01:15 -0400
>> How can security companies protect us if they can't even configure their shit right?

More on that:
From their "Pen Test Whitepaper" on http://www.sacure.com/index.php
"The Web-based authentication is exploited by using XSS (cross-site shipping) or SLQ injection or MITM (Man-in-the-Middle) attacks."

WTF is cross-site shipping ???
:)



Anyway, that’s enough about Sacure. Our job isn’t to bash companies and ruin reputations. Our job is to strip away the bullshit and expose security companies for what they really are. If they have talent and integrity, we’ll write about that. If they are chock full of lies, we’ll write about that too.

Monday, November 26, 2007

Plynt ( B+ )

Plynt (http://www.plynt.com) is an information security company whose single service offering is Web Application Penetration Tests. Plynt's services are driven by automated tools or scanners which produce high level results that are then handed off to professional Web Application testers. This type of testing is something that we'd like to see more often, as nothing is more accurate and capable than the human element.

With that said, we do have a few negative things to say about Plynt's website. The first issue that we have is with their terminology. Plynt uses the term "Penetration Test" to describe its services when its services would be best described as "Web Application Security Assessment" services. Penetration Testing services usually refer to network penetration testing services and are usually different from Web Application services. Plynt is not wrong, but they could do a better job at clearly defining their offering with a better name.

The one point where we feel that Plynt is wrong is where they guarantee absolute security. Plynt might be good at doing what they do, but anyone who guarantees absolute security is making empty promises. It is technically impossible to find all security vulnerabilities in a particular web application, especially since new methods of attack are constantly being developed.

It is important to note that Plynt is a specialized company in that they do not offer network security services. While they appear to be good at helping people harden their web applications, we're certain that they would not be the right choice for a business that wants to harden its entire IT infrastructure. If you're looking for a company with deep talent in all aspects of information security then Plynt is not your choice. If you're looking for a company that specializes in Web Application Security, then we're confident that Plynt will do a good job.

All in all, we're going to give Plynt a moderate review. We don't like the fact that they are making empty promises and we don't like the fact that they are using unclear terminology. With that said, they are focused and are offering human driven services. We give Plynt a Moderate Recommendation.

Score Card

Saturday, November 24, 2007

Webfargo ( D )

Webfargo should be called an IT Company and not a Security Company. This becomes evident as you read through their website and study the services that they offer. At no point in their website do they demonstrate any clear security expertise, but they do demonstrate an ability to perform IT augmentation services such as firewall management and router management services.

When it comes to their Managed IDS Technologies, you'd probably be better off downloading prelude-ids from http://www.prelude-ids.org and binding it to snort with prelude-lml than using their service. The Webfargo managed IDS solution is based strictly on snort, which is a free Network Intrusion Detection Engine (download it from http://www.snort.org). Their solution does not provide any event correlation whatsoever. Even more, it does not contain any log management, centralization or correlation capabilities. Frankly, it just doesn't seem to be worth the money as there are better free solutions that are readily available.

When it comes to their Professional Security Services, such as performing Assessments and other security tests, we weren't impressed at all. They confuse terminology when they say that they target the "LAN" with an "External Vulnerability Assessment". The LAN is after all the internal network and is not accessible during the performance of an External assessment. Also and oddly, they do not offer any penetration testing services. If they do, then they are not advertised on their website in any clear way.

Webfargo is also not an active participant in the security research community. We have never seen a published Webfargo security advisory (and we've looked). When choosing a Professional Security Services Provider it is important that they perform their own security research. Security research keeps a team's skill set honed and can be applied to services like Penetration Tests, Web Application Assessments, and Vulnerability Assessments. Webfargo doesn't appear to do any of that.

All in all, Webfargo is not a company that we'd recommend using for the performance of professional security services, at least not if you are serious about protecting your network from real world hackers. We'd recommend finding a company with real security capabilities. With that said, Webfargo most probably does offer useful managed IT Services.

Our opinions are based on our own research and our own professional experience. If any of the comments in this post are wrong, please feel free to comment with a correction. If the correction is legitimate then we'll post a change.

Score Card