Wednesday, December 19, 2007

Cybertrust ( C )

One of our readers made a request that we review Cybertrust ("http://www.cybertrust.com"). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and NetSec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives. We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined.

As an example, when you view the Cybertrust services in their drop down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?" and the second is "ok, so they offer 12 services".

Well as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services you're left with more questions than answers. So again, what the hell?

Here's an example. Their "Application Security" service page does not contain a description about a Web Application Security service. In fact, it doesn't even contain a description about a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of "Application" security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings.

Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the "potential" for Application Security.

So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too, as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative.

At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2 MB of materials from our contact at Cybertrust, but the materials were all marketing fluff, totally useless. That being said, our conversation with the representative gave us a very clear understanding of how Cybertrust delivers their services. In all honesty, we were not all that impressed.

Cybertrust does perform their own Vulnerability Research and Development (or so we were told) under the umbrella of ICSAlabs which they own. Usually we'd say that this is great because that research is often used to augment services and enhance overall service quality. With respect to Cybertrust, we couldn't find out what they were doing with their research. They just told us that they don't release advisories and then refused to tell us what they did with the research.

When we asked them about their services and testing methodologies, we were first told that they couldn't discuss that. We were told that their methodologies were confidential. But after a bit of Social Engineering and sweet talking we were able to get more information...

As it turns out, the majority of the Cybertrust services rely on what they say are proprietary automated scanners which were developed in-house. Their methodology is to run the automated scanners against a specific target or set of targets, and then to pass the results to a seasoned professional. That professional then verifies the results via manual testing and produces a report that contains the vetted results.

This methodology doesn't really offer any depth and doesn't do much to raise the proverbial security bar. In fact, it is only slightly better than running a Qualys scan, changing the wording of the report, and delivering that. Quality methodologies should contain no more than 20% automated testing and no less than 80% manual testing. Vulnerability discovery should be done via manual testing, not just via automated testing.

In defense of Cybertrust, they did say that they would test in accordance with the customer's requirements. They also did say that if the customer wanted 100% manual testing they would do it. If they want 100% automated "rubber stamp of approval" testing they would do that too. Saying it is a lot different than doing it though, and we weren't impressed with their standard/default testing methodology as previously mentioned.

It is important to note that Cybertrust is also a full service security provider. They offer a wide range of services from supporting secure product development services, to security testing, and even forensic services. With that said, their services do not seem to be anything special. In fact, they seem to be just about average short of their horrible website and overwhelming marketing fluff.

It is our recommendation that you choose a different provider if you are looking for well defined, high quality services. Cybertrust is cloaked in a thick layer of marketing fluff and frankly doesn't seem to be very easy to work with. That being said, they were also not easy to review. If you disagree with this post or have worked with Cybertrust in the past, then please leave us a comment. We're going to give Cybertrust a "C" but if you can convince us that they deserve a different grade then we'll revise our opinion.

Score Card ( Click to Enlarge)

Thanks for reading.

Monday, December 17, 2007

Audit Serve, Inc. ( F+ )

We found Audit Serve, Inc., run by Mitchell H. Levine, by searching for "Penetration Testing" on Google. Audit Serve, Inc. offers IS Auditing, Integrated Auditing, Sarbanes-Oxley Implementation Services, Sarbanes-Oxley Ongoing Compliance Services, PCI, Security and Internet Vulnerability Assessment & Penetration Testing Services.

Our first impression of Audit Serve, Inc. was that they were a "rubber stamp of approval" shop that offers services that will do nothing to truly raise your proverbial security bar but will let you fill in your security checklist. This impression was made so quickly because of the $495.00 price quote on their main page. It reads "Internet Vulnerability Assessment & Penetration Testing starting at $495". (Just as an FYI, it is impossible to perform any human driven professional security services for that price. The cost of talent is simply too high.)

When digging into their services we quickly realized that our initial impression of Audit Serve was accurate. They are in fact a "rubber stamp of approval" shop. Their security service deliverables appear to be the product of automated scanners (QualysGuard) and not the product of human talent. This also coincides with them being able to offer "Internet Vulnerability Assessment & Penetration Testing" services starting at $495, as no human element is incorporated into the deliverable based on what we saw.

If you do not care about the security of your IT Infrastructure, and only want to get the "rubber stamp of approval" then Audit Serve, Inc. is your one stop shop. If on the other hand you do care about the security of your IT infrastructure, then we'd suggest finding a different provider.

Grade Note:
We're giving Audit Serve an F- for two reasons. The first reason is that they appear to be in the Information Security business to make a buck by providing people with the "rubber stamp of approval". In doing so they are actually doing a disservice to the IT community, and the IT Security Community. The second reason why we are giving them an F- is because their security services appear to use no human element and rely strictly on automated scanning (QualysGuard). If you feel that this grade is too harsh, let us know.


Score Card ( Click to Enlarge )

Friday, December 14, 2007

Denim Group ( A - )

The Denim Group, located at http://www.denimgroup.com, is a Security Services Provider that focuses strictly on Web Application Security Services. We asked them why they chose the name Denim Group and they said that it was a marketing idea that enables them to stand out from the rest of the providers. (The name was actually thought up by a founder's ex-wife.) As it turns out, it was a good idea and it works! When we think Denim Group the first thing that comes to mind is clothing, and what the hell does that have to do with Application Security? Can't forget the name and the total lack of correlation.

Aside from the name, we are actually pleased with what we found when we reviewed the Denim Group. When we spoke with John Dickson we learned a lot about their methodology. We learned that the Denim Group does use automated tools such as WebInspect to perform preliminary scans against target applications. They also use tools like Fortify to perform source code reviews. That being said, automation only covers about 20% of the workload for the services that they deliver.

The remaining 80% of the workload is done by high talent Web Application Security Specialists that truly understand how to harden a Web Application. They not only look for the common issues like Cross Site Scripting (no Sacure, it's not called Cross-Site Shipping), Cross Site Request Forgery, Remote File Inclusion, etc., but they also look for logic issues and other types of design flaws.

The Denim Group does use tools to help them perform their manual testing, as do most worthy security providers. The tools that they use are special interception proxies that enable them to view and manipulate conversations between client and server, amongst other similar manually intensive tools. This enables the Denim Group to truly impact the quality of their deliverables with strong manual testing.

All in all, if you are looking for a provider to perform Web Application Security type services, we think that the Denim Group is a great fit. If you are looking for a full service Professional Security Services shop, well you'll probably have to look somewhere else because they do not offer Network Penetration Testing Services, Vulnerability Assessments, etc. That being said we were so impressed with the Denim Group and the caliber of their service offerings, that we decided to give them an A-. The only reason why they didn't get an A or an A+ is because they are technically not a full service shop. So, we recommend using the Denim Group, they kick ass!

If you'd like to comment on this, please visit http://secreview.blogspot.com and post a comment. If you feel that this post is inaccurate, please let us know why and we'll consider your opinion for a review. Thanks for reading!

Score Card ( Click to Enlarge )

Wednesday, December 12, 2007

Cyberklix ( F - )

NOTICE
We will not publish any comments that contain confidential and/or sensitive information about Cyberklix. Recently we rejected multiple comments from ex-Cyberklix employees. These comments contained VPN configuration files that would enable anyone to access the Cyberklix corporate networks and customer information. Publishing such information would be irresponsible as it would allow an attacker to gain access to the Cyberklix customer data and would put those customers at risk. We love your comments, but please, refrain from posting sensitive and confidential data.
END NOTICE

We discovered Cyberklix by searching for "Penetration Testing" on Google, as usual. When we first saw their website we thought that it looked very professional. We were actually under the impression that they might end up being an A- or a B+ company. But we were wrong, and here's why...

Over the course of two days and a dozen calls we were unable to contact a human at sales. Every time we tried we were directed to a woman's voice mail. We decided to skip sales and call the Cyberklix Security Operations Center and were successful. We had a wonderful conversation with a very smart person in their Security Operations Center, and as a result, here is what we learned.

The Cyberklix Managed Security Services, with respect to IDS/IPS, are nothing special. They are using third party technology and tying it all together with the RSA enVision engine. Specifically, the technologies that they are using are Cisco technologies, McAfee IPS technology, and RSA's enVision engine for correlation. (We would have used ArcSight instead as we think it's much better.) Frankly, if we wanted to choose a provider of Managed IDS/IPS services, we'd want to see them using at least some proprietary technologies. How else are they supposed to have a competitive advantage?

We also weren't very impressed with their alerting capabilities. When we asked them how they alert people about Events of Interest we were told that they create a ticket in a system. Once the ticket is created the customer needs to log into the system to evaluate the ticket. We're sure that there's more to it than that, but that's what we were told. Yes, the system also has the ability to block or shun attacks, but that's only if it can detect them. We think that we could probably attack a Cyberklix customer and evade detection... wanna challenge us?

Anyway, enough on their Managed Security Services. As previously mentioned, we were unable to contact anyone in sales. So, our opinion of the Cyberklix Professional Service Capabilities is being forged strictly from their website and information that we can collect from Google and other sources. We'd be happy to update our opinion if someone would provide us with useful information about Cyberklix. So here it is...

Cyberklix offers Information Security Consulting, Security Policy Design & Review, Vulnerability Assessment & Remediation, Penetration Testing, Network Security Architecture & Design, Security Audit, Project Management Services, Implementation Services, and Computer Forensics. So, the first thing that struck us as odd was "Project Management Services". What the hell does that mean, right?

Upon review of their services we discovered that we could eliminate two of them. We eliminated their Information Security Consulting Service and their Project Management Services. The Consulting service offering isn't actually an offering, it's just a repeat of the services that they offer, and the Project Management service is not a security service, it is something that should be offered by staffing companies. So... what the hell?

When we reviewed the services as presented on the Cyberklix website we realized that they were nothing special, just like their Managed Security Services. In fact, we're willing to bet that their services are what we would call "rubber stamp" services and are based on automation as opposed to true Ethical Hacker talent. We saw no indication anywhere that Cyberklix was following any sort of strong testing methodology like the OSSTMM, etc. and as a result are not impressed at all.

All in all, our opinion is that Cyberklix services will do little to nothing to raise the proverbial security bar and protect you from real world malicious hackers. They might help you to identify common or known issues, but you could do that yourself by downloading Nessus. (Oh, and you could also create a better IDS/IPS solution by combining OSSEC with Prelude and Snort =] for free.) So, we'd recommend spending your hard earned money with someone else. Sorry Cyberklix...

Oh and one last thing. The Cyberklix website is SQL Injectable. So why would anyone hire a company to protect them if they can't even protect themselves?

Score Card (Click to Enlarge)
Monday, December 10, 2007

Immunitysec ( A- )

We received a request directly from Dave Aitel to review his company, Immunity. We thought that this request was a bit odd as Immunity appears to be a Software Provider and not a Consultancy. We normally only review Professional Security Service Providers. At any rate, we decided to make good on the request and as such reviewed the Immunity website and placed a call into Immunity and spoke with Dave's wife (very nice, polite woman). Here's how we feel about Immunity.

Immunity is for all intents and purposes a Security Software company. They sell a very powerful tool called CANVAS, which is an advanced framework for penetration testing. CANVAS is particularly useful for Professional Security Service Providers (consultants) who perform penetration testing services. Other companies like Core Security compete with CANVAS. Core Security has another very powerful tool called Core Impact.

Immunity does have a software research and development team, or at least that is what we were told. The team does not release any advisories for any of the issues that they discover, and they only add the issues to CANVAS if they are discovered by a third party first. If not, it is our understanding that the issues remain 0-day and held by Immunity (or potentially sold to legitimate exploit brokers, but we don't know that for a fact.) We do know that Immunity will purchase vulnerability information from brokers. This information is mostly incorporated into CANVAS from what we understand.

One thing that we are fairly certain of is that Dave Aitel is a high talent individual. As a result we automagically assume that he surrounds himself with other high talent people. We couldn't picture Dave surrounded by idiots, it would drive him nuts. Anyway, we feel that it's safe to say that Immunity has a very capable team with very advanced skills that could be very useful for performing Professional Security Services. Having said that, they really don't offer much in the way of Professional Security Services on their website... and we think we know why.

While talking to Dave's wife we secretly realized that it would be a conflict of interest for Immunity to offer Professional Security Services in conjunction with selling software used by Professional Security Service Providers. In short, if they offer Professional Security Services then most providers wouldn't buy their Professional Security Service testing software (CANVAS). On the other hand, if they sell the software and do not fully flaunt their services, then they'll probably make a good buck.

We think that is why the Immunity website is so focused on CANVAS and not on the offering of Consulting Services. There is a tab on their website that talks about their service offerings, but it is very, very, very, lame. The entire services page is literally one paragraph long. You can check it out here. With that said, we are certain that Dave has an A+ team that is very capable of offering seriously hardcore services... but we can't give them an A+.

One reason why we can't give them an A+ is because they are a software vendor and are not focused strictly on the offering of services. The other reason is because of the aforementioned conflict of interest, their technology is purchased by Service Providers. In conjunction with that they do not release advisories to the public, and their core focus is not protecting their customer networks, but instead is building CANVAS.

So, our opinion is that while we have a great amount of respect for Dave Aitel and the folks at Immunity, we need to be honest and give them a B. We think that their software is totally kick ass, we love reading Daily Dave, and we know that Dave could probably crack anything... but we just can't give Immunity an A.

Oh and hey... GO BUY CANVAS!!! We did and we love it!!

Score Card ( Click to Enlarge)

Wednesday, December 5, 2007

Netragard ( A + )

Netragard ("http://www.netragard.com") is a Professional IT Security Services Provider that offers a wide range of services including, but not limited to, Vulnerability Assessments, Penetration Tests, Web Application Assessments, Computer Forensics, etc. At first glance we were expecting to poke holes in Netragard because of their "Got Milk" like introductory page. Theirs reads "Got Hacked" and we thought it was a bit dorky.

As it turns out, their website is actually very well written. On the first page of their website in the lower right hand corner you see a "Security Advisories and Articles" section. Under that section we see security advisories that were released by, and authored by, Netragard. In fact, those advisories are the product of Netragard's own research performed by their SNOsoft Research Team. This is more than we can say for most Professional IT Security Service Providers, as most of them host third party advisories and news. Netragard seems to make their own news.

We also noticed that some of the articles that were referenced under the news section were directly linked to Forbes, eWeek and other similar high profile magazines. After reading some of the articles we realized that Netragard wasn't being written about in the same manner as other security companies. In fact, most of the articles were fairly bleeding edge. For example, this article from SC Magazine thanks Netragard's Kevin Finisterre for finding a bug in Apple's Xcode Tools, while this article talks about Adriel T. Desautels, Netragard's CTO, and exploit brokering as well as historical HP/SNOsoft/DMCA issues.

While digging into the Netragard services, both on the phone and via their website, we also noticed a significantly different edge than we've seen in most Professional IT Security Service Providers. For example, they advertise and clearly explain Penetration Testing techniques that are used by real world hackers such as Distributed Metastasis, Stealth Penetration, Blind Penetration, and Directed Penetration (the one most commonly offered by providers). They also use (and we verified this by looking at sample deliverables) very deep testing methodologies that are versions of the OSSTMM and OWASP which are augmented by their own Vulnerability Research and Development methodologies.

One last thing that we should mention is that Netragard's SNOsoft Research Team has been around for quite a while. They gained international recognition in 2001 when they performed research on HP's Tru64 Operating System. According to articles and emails, HP tried to quash their research by threatening them with the DMCA and other similar things. SNOsoft did not back down and in the end actually prevailed!

All in all we are very impressed with Netragard and would recommend Netragard to anyone that is serious about their security. So far, they are the most "hardcore" security company that we've reviewed. They have minimal marketing fluff, and they seem to live on the bleeding edge of information security. Based on what we've seen, Netragard can do a lot to help you raise your proverbial security bar.
Score Card ( Click to Enlarge)

Tuesday, December 4, 2007

Security Metrics ( C )

Security Metrics (http://www.securitymetrics.com) has a rather strange website. Their services are grouped under the products tab on their website, and don't appear to be all that advanced in nature. In fact, from looking at their website we get the feeling that they have "big hat and no cattle". Which means, they can talk the talk but it doesn't look like they can walk the walk.

We made an attempt to call Security Metrics and as a result sat bored listening to a horrible soft rock song for about 10 minutes. After which point we were asked by a soft male voice to "Please leave a message". That makes us question how big of a company Security Metrics is. Mind you, the size of a company does not always impact the caliber of their deliverables, only sometimes.

One thing for certain is that Security Metrics does make an effort to "look" bigger than they really are. When you click on their "Contact Us" link you are given options for numbers all over the world. How is it that a company that "appears" to be global doesn't even answer their phone, especially their sales line? Doesn't seem too global to us.

On the Security Metrics home page there's a tab of what look like services to the right. This tab shows Site Certification, Audits, MasterCard PTS, Appliance, and Acquirers. The only things that we understand off the bat from the tab are Audits, MasterCard PTS and Site Certifications. But what the hell are Acquirers? (the description for acquirers reads "Use our proven methodology and Merchant Compliance Console for PCI compliance").

When clicking on the products tab our suspicions are confirmed. We are presented with a list of products and services. The first section of the services is "Scanning", which gives us the impression that Security Metrics relies heavily on automation for service delivery. We don't like automated security tests because they are not effective in raising the proverbial security bar. In fact, we feel that automated tests are pretty much useless from a security perspective short of making sure that the right patches are in place. Unfortunately for Security Metrics, their apparent heavy use of automation negatively impacts our opinion of them.

With that being said, we did notice that some of the Security Metrics offerings appear to have manual components to them, but from what we can tell there's only a light manual touch being added. In fact, this is something common to watch out for. Many times a security company will claim that they use a combination of Automated and Manual tests to perform security services. Be careful, because often times those manual tests are as simple as "telnet host 25" to make sure that the service is actually running. If it is then they call the test a positive, if it is not, then it's a false positive. That is not manual testing!

Something that we thought was funny about Security Metrics was the text at the bottom of their consulting page. It reads:

Security Crisis Response

If you have a security emergency such as a website defacement, attacker intrusion, internal employee computer misuse, data theft, data destruction, etc. we can help you resolve these incidents. Contact us at 801.705.5665 for immediate assistance with your urgent security issues.

The reason why we think it's funny is because we tried to call them and nobody answered. So much for "Security Crisis Response".

Anyway, Security Metrics does not appear to be the hardcore security company with hardcore security offerings, but at the same time they are not a joke. We feel that Security Metrics falls right in the middle as far as capabilities and their service offerings. They are not going to be able to do much to significantly raise the proverbial security bar, but they will be able to provide you with a lightweight checkup on a regularly scheduled basis.

Score Card (Click to Enlarge)