I recently met with an organisation keen to prove themselves in the accreditation space as an approver for ethical testers.
Speaking with chairman Ian Glover, he told me that in its five years the Council for Registered Ethical Testers (CREST) has placed 25 people in jobs in the last six months, with 190 having gone through the process already.
A not-for-profit organisation, CREST provides globally recognised certifications for organisations and individuals providing penetration testing and network forensics services.
For security testing companies, CREST provides a validation of security testing methodologies and practices; while for individuals CREST offers an industry leading qualification and career path.
Glover said that the purpose of the organisation was to ‘increase the professionalism of the industry' and to ‘raise the profile of the industry'. “We are trying to energise people into IT and information assurance and professionalise it. It is all about organisations asking questions that they do not ask and certifying organisations,” he said.
Backed by CESG, Glover told me that CREST has already audited 28 businesses and those audited include both public and private sector businesses. He said that for financial services companies, for example, it was ‘almost impossible' for them to exist without being CHECK certified or having been tested by a CHECK-certified tester.
Glover also said that of its first five years, the first two were spent ‘getting organisations to trust us enough.
So I asked him, what does it take to become an approved CREST member? Glover said that to be able to apply, a person has to demonstrate that they are competent to take an exam, and it will often look to someone who has an ethical hacker qualification and at least two years experience. They are then re-tested every three years.
Glover said: “Often people will get jobs with security companies and they keep up with the knowledge but not with the competence. It is not about whether they are acceptable in front of a client, it is whether they can do the job.
“All exams are certified by CESG so that a qualified member can do penetration testing inside government. I currently lecture at four universities on ethics and careers, the industry is maturing and it is becoming more professional.”
CREST approved tester Lawrence Munro talked to me about his experience with the body. He told me that he first heard about CREST though his job as a security consultant in a company that did some penetration testing.
He said: “I was one of two pen testers and we started looking into getting the company CHECK and CREST registered. I became familiar with through a colleague of mine who was a more experienced tester, but in the UK penetration testing market, everyone wants CHECK testers and CREST is one of the two routes to becoming certified.”
I asked him what encouraged him to become accredited by CREST, he said: “My desire was largely driven by the market and becoming more familiar with how the public sector market was driven. The market rates for CHECK testers is a lot higher as it opens up a lot more projects that you can work on, also as a web application focussed tester, CREST are the best choice as currently they are the only body that will certify you in a web application specific exam to CTL (check team leader) level. Tiger scheme only covers an infrastructure exam to CTL level.”
In terms of finding work, I asked Munro if he had found that this level of accreditation had increased his capability to find work. He said: “Yes and no. As pen testing is a very small and incestuous industry, so a lot goes by recommendation. However, having your CTL or CTM (whether by CREST or Tiger) is more or less a must.
“It means two things: you're security cleared; and you can jump through hoops and have at least the basics (or in some areas advanced skills) of pen testing. Almost every interview you do as a pen tester involves a practical assessment of skills (normally based on the environments you get in CREST/Tiger exams) and lots of techie questions, so it's not just about the piece of paper.
“That said, it really does revolve around CTL or CTM status in the industry and if you don't have the qualification (unless you're a well-known tester/researcher) you're not taken as seriously. Compared to most security certifications though, I would say it's certainly one of the tougher ones and does actually mean something.”
Looking to the future, CREST will open its Australian section next February with the backing of the Australian government and its current project with the UK Government is to improve standards in the network forensics industry by validating methodologies, practices and qualifications.
Glover said: “With the continued rise in cyber security threats and breaches, there is clearly an increasing need for the same level of assurance in network forensics to identify intrusions and gather forensically sound evidence after a breach. The bar will be set high and the backing of organisations such as CPNI and CESG will help in delivering the CREST scheme and getting wide acceptance from the buying community.”
With many instructions to penetrate your own network to ensure its security and revelations that companies regularly stress-test their networks, and even internet giants hiring varying level of hacker, it pays to know your status.
Glover told me that CREST was keen to improve the professionalism of security, ethical hacking and penetration testing, it may be in its infancy compared with other accreditation schemes, but if it succeeds in providing a critical service and turning the next generation to the white hat side, it will be worth the effort.