If you are looking to book your next penetration test and your prime consideration is getting the cheapest and quickest one available, simply because you need to tick a box, then this blog piece isn’t for you.
If, on the other hand, your main concern is gaining a comprehensive picture of the security of your networks, web instances, mobile applications, systems or IoT connected devices then please, read on.
In this blog post, I’m going to explain what CREST accreditation is, the requirements a company needs to achieve to gain it and the benefits of using a pen-testing service that has gained the accreditation.
What is CREST Accreditation?
So firstly, some background on the accreditation itself. Not all pen-testing services are created equal – pretty much anyone with an internet connection and open source scanning and testing tools can market themselves as offering penetration testing services. Genuine accreditations, issued by recognised certification bodies, are an excellent first step in sorting the wheat from the chaff. And when it comes to pen-testing accreditations, CREST is pretty much universally seen as the gold standard.
CREST is an acronym for The Council of Registered Ethical Security Testers, a not-for-profit accreditation and certification body in the field of cyber security. CREST is incredibly well seasoned: it has been in this space since 2006, has access to some of the brightest minds on the planet and to many varied peer-reviewed resources, and runs a proven learning and examination track that encapsulates this combined knowledge and confirms that practitioners have been through a rigorous process to achieve accreditation.
How does a company gain CREST Accreditation?
Becoming a member company is not a task that is undertaken lightly, and rightly so – if it were easy to achieve, it would somewhat defeat the objective!
Firstly, the accrediting body needs to verify that the company in question has all the essentials covered. This includes general company information, insurance, policies and procedures, standards certifications, terms and conditions and, most importantly, testers who have undertaken and passed the relevant CREST training and examinations. You can find more information on these on the CREST website.
Once all this has been ascertained, there follows a detailed examination of the backbone behind the delivery of the company’s pen-testing services, to ensure that it meets the strict criteria demanded by the accreditation. This includes:
- Language capability
- Assignment preparation & scope
- Assignment execution
- Technical methodology
- Tools & resources
- Event analysis & response
- Data storage and transmission controls
- Information sharing
- Post technical delivery
- Asset/Information/Document Storage, Retention and Destruction
You can find more detail on the specifics of each discipline on the CREST website.
Why should organisations use a CREST Accredited penetration testing service?
You may recall that right at the start of this post I said that anyone who requires a pen-test purely because they have to, and not because they understand the value of a high-quality penetration test, need not bother reading the rest of the piece.
Unfortunately, it remains the case that many organisations simply don’t understand the importance of properly testing their cyber security precautions (or lack thereof). These are generally the type of organisations that pen-test just because they have to (for example, as part of a service-level agreement). It’s no coincidence that these are also the type of companies most likely to suffer a cyber attack.
It’s also no twist of fate that, having suffered an attack, these same companies suddenly start taking penetration testing much more seriously!
Once a company has concluded that it needs a professional and comprehensive testing service then, as already mentioned, using a CREST accredited service means:
- A proven framework of penetration testing principles
- A guarantee of testers’ veracity
- The knowledge that the service provider has been through a rigorous application process
Having said all this, and at the risk of contradicting myself, just holding a CREST accreditation isn’t the full picture. The testing service you choose should also be able to demonstrate a long history of successful and well-received testing engagements, backed up with client references. They should also be able to state clearly whether they rely purely on in-house testers or whether they use the services of contractors.
One final thought
This one is possibly the hardest to fully articulate. Penetration testers are often described as being able to think like a hacker. I disagree with this: great penetration testers are hackers. Right to their core, they have an innate ability, and indeed a need, to open something up, work out how it works and see whether it can be circumvented and exploited.
Throughout history, it’s the hackers who have advanced technology, challenged the status quo and implemented change. It’s only in relatively recent times that parts of society have falsely demonised hackers. Just as in any walk of life some people are criminals, so it is with hackers.