Understanding CREST

December 23, 2016 by Daniel Brecht

Pentesting is becoming an increasingly important part of the IT security plans of businesses in all industries. Pentesters can help companies identify, quantify and mitigate risks targeting their infrastructure, applications, and users. Whether using an internal team of pen testers or outsourcing to a reputable company, choosing the right pen-test (PT) provider is paramount, as these professionals are often entrusted with complete access to the systems and most sensitive data in place at the target company. With plenty of suppliers that offer penetration testing services, how does one find the right PT provider? What's more, not all penetration testing services are created equal: they differ in everything from proprietary methodologies and toolsets to risk management and compliance. With so many vendors available, it can be difficult for companies to choose the one most appropriate for their IT environment to assess its resilience to threats that could leave infrastructure and network operations at risk of data breaches. It is therefore important to engage security providers who are qualified and compliance-certified, so that standards are followed and the systems and the client's data are kept safe.

One way to ensure that the professionals hired for pentesting follow standard methodologies that minimize risks to the organization is to verify that a recognized body has certified them. CREST (Council of Registered Ethical Security Testers) gives organizations wishing to buy penetration testing services from reliable sources the assurance that the company or professional has passed a demanding assessment. As a standards-based organization, CREST can provide its members with a framework of guidance, including standards, methodologies, and recommendations, aimed at ensuring the very highest standards of cutting-edge security testing.


Why acquire penetration testing services?

Any business susceptible to cyber-related system attacks could benefit from a PT provider to ensure its information security measures are working. Through a cyber-threat analysis, a pen-tester is capable of discovering if a workplace is susceptible to cyber-hacks and can advise clients on how to protect themselves and their workplace. Pen-testers can identify an organization's weaknesses the same way an attacker would: by hacking it and replicating real attacks. They will apply exploitation techniques in ways that resemble an attacker at work and identify ways to detect, respond to, and defeat advanced persistent threats (APTs). The penetration is done with the system owner's permission to verify the resilience and efficacy of the security controls in place. Pen testing is "the most effective way of demonstrating that exploitable vulnerabilities within the company's Internet-facing resources have been identified, allowing suitable patches to be applied," says IT Governance Ltd., a CREST member company.

This method of security testing, of course, requires that the internal security expert or outsourced vendor offering the services be able to take full control of computers on the network, so they can fully understand the threat impact of the hacking attempts against the client's organization and provide realistic ethical hacking and penetration testing results. A pen test and vulnerability risk assessment incorporates a wide range of attack methodologies, tools, techniques and sources to evaluate the security measures in place that, if not effective, could compromise the confidentiality, integrity or availability (CIA) of information held on that IT system and put the business assets at risk. This security practice can provide a greater level of assurance if performed according to a defined code of conduct to deliver a consistent quality service. Those acquiring penetration testing (PT) services from companies with accreditations at both a corporate and an individual level (like those offered by CREST) have the assurance of having entrusted their resources to someone who is certified to be technically and ethically competent in the field.

About CREST

According to the official website, "CREST is the not-for-profit certification body representing the technical information security industry. CREST provides internationally recognized accreditation for organizations and individuals providing penetration testing, cyber-incident response and threat intelligence services."

CREST's value is in offering a number of exams that can validate the technical abilities and knowledge level of member organizations and professionals as well as recognizable career and development paths. The association has been making available, since 2006, internationally recognized accreditation for organizations and individuals that offer pentesting services, cyber-incident response and threat intelligence services. In short, CREST provides a competency baseline for practicing professionals and service providers for penetration testing as well as cyber-security incident response services.

As noted on the organization's website, "CREST provides organizations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up to date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers... They will also know that the penetration testers are supported by a company with appropriate policies processes and procedures for conducting this type of work and for the protection of client information." Their uniqueness is also in the fact that they not only certify individuals but also entire organizations.

CREST is important for clients to verify the competence of the professionals they hire, but it is also a point of reference for professionals to progress in their field. In fact, it provides them with a clear pathway that can guide them in their career progression as well as with opportunities to maintain and develop their knowledge and competence. The penetration testing path, for example, includes three steps from vulnerability assessor (practitioner 1,800 hours) to penetration tester (6,000 hours and two years of experience) to certified (10,000 hours and five years of proven experience). CREST, then, has specific testing for professionals in all stages of their career.

The organization has also been named, more than once, as one of the finalists in the prestigious annual SC Magazine Awards, in the 'Best Professional Training or Certification Programme' category. Although CREST does not provide training itself, it works with training partners who do "encourage aspiration and career development for individuals" and are "working with academic institutions in building their undergraduate and postgraduate programs [with syllabus development] to align better with the needs of industry." The effort is geared towards forming new professionals who are better equipped, through theoretical and practical knowledge, to face real-life challenges in the IT world.

CREST has chosen Pearson VUE as its global partner for delivering written examinations across many locations throughout the world, including the UK, mainland Europe, Asia, Africa, Australasia and the Americas. Anyone interested in booking a CREST exam can do so by filling out the booking form (found online) and sending it to exambookings@crest-approved.org. Exams are held every month throughout the year. For questions regarding examinations, email admin@crest-approved.org.

Penetration testing related examinations

  • CREST Practitioner Security Analyst (CPSA) examination tests a candidate's knowledge in assessing operating systems and common network services at a basic level below that of the main CRT and CCT qualifications.
  • CREST Registered Penetration Tester (Infrastructure elements) examination tests a candidate's technical knowledge of penetration testing methodology and skills against reference networks, hosts, and applications.
  • CREST Certified Web Applications Tester examination tests candidates' knowledge on a variety of web application platforms.
  • CREST Certified Infrastructure Tester (CCT INF) examination tests candidates' ability to assess a network for flaws and vulnerabilities at the infrastructure's network and operating system layer.
  • CREST Certified Wireless Specialist / CREST Registered Penetration Tester (wireless elements) examination tests a candidate's technical knowledge of performing traditional wireless security reviews.
  • CREST Certified Simulated Attack Manager (CC-SAM) examination tests the candidates' ability to conduct Simulated Attacks in a realistic, legal and safe manner.
  • CREST Simulated Attack Specialist (Red Teaming) (CC SAS) examination is much like that of CC-SAM with "specifically exploitation of client vulnerabilities through Trojanised files, phishing campaigns, implant development, evasion skills and lateral movement within a compromised network."
  • CREST Registered Intrusion Analysis (CRIA) examination tests a candidate's knowledge and skills needed for intrusion detection.
  • CREST Certified Malware Reverse Engineer (CCMRE) examination tests candidates' knowledge to find security weaknesses and vulnerabilities for indications of malware.

CREST Examination Details

CREST exams are designed for assessing the competence of penetration test consultants, who are regularly re-examined to ensure that they have retained and maintained this capability. The tests comprise multiple-choice questions and may include written response questions. CREST examinations are highly valued, globally known in the industry, and recognized as challenging. (See new examination changes here.)

The Examinations Overview gives information on each examination. A number of training courses that align with elements of the syllabuses for CREST examinations can be easily found online and provide current skills relevant to the profession. CREST professional qualifications cover a number of topics and a mixture of application theory and practical knowledge needed by any professional in penetration testing and other IT security sectors.

Why become a CREST registered tester and a CREST member company?

The CREST (Council of Registered Ethical Security Testers) Registered Tester (CRT) qualification and examination has been developed to provide a professional development pathway for those wishing to progress. The CREST CRT is an entry-level examination and is suitable for learners beginning a career in vulnerability assessment and penetration testing. Being a CRT can show potential employers as well as clients the ability to provide a consistent service, with competency and sufficient legal and regulatory knowledge. Registered Penetration Testers have proven themselves able to provide solutions in all areas of security, with professional and managed services tailored to meet the needs of each organization, by doing one or more of the following:

  • Applying the perspective of an outsider to guarantee the assurance in the security of an infrastructure
  • Testing and validating the readiness of a company's technical security staff
  • Investigating the current operational risks
  • Assuring confidentiality and data security while still thoroughly testing the infrastructure in a way that is tailored to the needs of the client

To date, CREST has helped to achieve a competency baseline across the penetration testing practice and today acts as guarantor for other cyber-assurance services in the UK, Australia, Hong Kong, Malaysia, and the USA. This summer, it opened its first chapter in Singapore, its first in Asia, in collaboration with Singapore's Cyber-Security Agency and the Association of Information Security Professionals. The CREST website provides a listing of accredited companies with professionally qualified consultants, based on the technical assessment and certification framework, that are bound by the code of ethical conduct it both adopts and enforces.

Conclusion

Penetration testing is something an organization should undertake on an ongoing basis as part of security plans and vulnerability assessment programs to test the security of their information systems environment. Pen testers are security testing specialists with varying degrees of knowledge and professional development who can perform a range of assessments that simulate real-life attack scenarios and eventually convey strategic recommendations to ensure that an organization's systems are secure against possible malicious attacks. The key is to find a reliable security testing company that can keep up with industry best practices and can identify and employ skilled members with the expertise to do what is asked of them while not putting the client at risk.

CREST has built a meaningful framework that spans countries and regions for governments, regulators, and buyers to identify capable suppliers that can deliver technical security services in a competent and safe manner. CREST member companies have the appropriate standards (relating to ethics, methodologies, and technical capability), proven through an accreditation and certification process, to meet security testing requirements within the industry. The organization "helps buyers to distinguish organizations from one another based on skills and competencies" as well as to identify those that "employ professional, ethical and highly technically competent individuals [and that are then able to build] a trusted relationship with their clients." CREST also offers guidance to professionals entering this in-demand field and to those wishing to progress, with professional development and learning pathways.


Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.