Security Testing Comes of Age CREST Eyes Expansion into New Global Markets
Ian Glover, president of the UK's Council of Registered Ethical Security Testers, has a message for people who want to enter the security testing profession today: No hackers allowed, thank you.

"My advice to them is they've got to be very careful what they do," Glover says. "In the past there was the opportunity in this industry to be a hacker, to do inappropriate things and then people would employ you. I think in the future that's not going to be the case."

The industry has matured, he says, and because of that the bar of entry is much higher for prospective testers. Glover's advice to up-and-comers: Gain experience in a controlled environment.

"They should be knowledgeable about the tools and the operating systems," he says. "If they want to look at applications, they need to be very knowledgeable about how web applications are. But they need to do this in a very controlled way. It's not going to be the case in the future that they can hide away in terms of things that they done when they were young because of social networking and both active and passive information that is held and sticks out on the internet."

CREST Comes of Age

Four years ago, CREST began as an organization to bring standardization to the penetration testing industry. Today, the group's scope is expanding across industries and global regions, says Glover.

"Since we've been established, we've already got pressure from a number of areas to cover things like wireless applications and network forensics, so in other words malware analysis, reverse engineering and those types of disciplines," Glover says.

Not only does CREST test the security of an organizations systems and processes, but it also validates the skills and competencies of the information security staff. CREST also works with industry groups and government organizations to address broader issues related to information assurance.

Up to now, CREST has been UK-centric, but is strategizing to grow throughout Europe, Asia and North America. "In a very short period of time, we've grown from nothing to being a sort of de facto standard," Glover says.

In an exclusive interview about CREST and security testing, Glove discusses:

  • The evolution of security testing;
  • Today's top threats, and how CREST is evolving to tackle them;
  • Advice to anyone seeking a career in security testing.

Glover has 34 years experience in information technology and has specialised in professional services for the last 28 years.

CREST is a not for profit organization. It was established to help develop professionalism within the information technology security testing community and provide a development path for individual testers. The Register is used by private sector organizations to gain a level of assurance that the security testers are competent and that the organizations they work for have appropriate processes and controls in place. The CREST qualifications have been assessed and are recognised by the UK government. The qualifications are a mandatory requirement for individuals carry out penetration testing work on government system. Ian is currently running a project to develop a set of professional network forensics qualifications with the support of the UK Centre for the Protection of National Infrastructure Industry. All the CREST qualifications have been evaluated by NBISE (National Bureau of Information Security Examiners) in the USA and a strategy for their implementation is being planned.

TOM FIELD: Ian, what can you tell us about CREST for people that don't know the organization? Give us some background on how long the organization has been around and what its objectives are, please?

IAN GLOVER: CREST has been around now for round about four years. I'd say we have been in true operation for round about two-and-a-half years. So, it took us probably 18 months to get a number of the competing penetration testing companies in the UK.

The goal with the organization was initially to represent the information security penetration testing industry, but since we've been established we've already got pressure from a number of areas to cover other things like mobile applications and network forensics, so in other words, malware analysis reverse-engineering and those types of disciplines. Our goal, really, is to provide a demonstrative level of assurance of the processes and procedures in the company. So what we do is we carry out audits of the companies that are providing these types of services, which provide a much greater level of assurance of those people buying our services. We also validate the competencies and skills of the individual security testers through both multiple choice, a long full written examination, and a really difficult set of practical examinations.

We work in the industry as well, which is trying to influence the standards with the future direction of the industry itself. So, for example we work with software vendors at the moment looking at responsible reporting, and we are working with a number of governments looking at the future direction of information assurance from a professionalization perspective.

Growth of 'Ethical' Testing

FIELD: Ian, how would you say the organization's objectives have been met so far?

GLOVER: Being in the UK, we represent about 25 of the major penetration testing organizations. We've probably got at the moment around about 12 organizations that would like to join, of which two are going through the process. They're mature organizations with good security controls, good personnel controls, and they understand how to scope a line of appropriate penetration testers. We've probably got another set that need coaching, so in other words they need to mature their processes and procedures to become more mature in this marketplace to provide a better service. Then there is another set of organizations which are really inappropriate in terms of the level of professionalization they have within their organization.

We specifically decided to stay UK-centric for the first year or so in the organization. We now have a very clear view and a strategy of how we can implement CREST overseas, and certainly there have been a number and variety of countries that are requesting our services, and to try to work out how best to implement them within country is increasing quite significantly. So I think in a very short period of time, we've gone from sort of nothing to being a sort of de facto standard, and then moving towards being sort of choice area for both professional service organizations and the people you work for.

Impact on Industry

FIELD: You talked about wanting to have an impact on the profession. What impact would you say CREST has had so far in information security?

GLOVER: If you look at penetration testing ... it was difficult to regulate. It was quite a difficult area to manage. It was extremely a difficult area to recruit good people in. So it was in a very immature marketplace at that time.

I think in the time that we've been established, we've really moved ahead in terms of the overall professionalization, and we've got ahead of the number of the other areas in the information security domain. So the qualifications we have are really professional qualifications, and the combination of having a validated skill and competence of the individual, and then knowing that the individual works within an organization that supports and structures the work, I think has moved it ahead significantly.

Challenges to Growth

FIELD: Ian, what would you say are the biggest challenges, which may be threats, to CREST today, and how is the organization responding to these challenges?

GLOVER: In terms of threats, and it is a very interesting question, because we have a number of threats, we can almost suffer from our success. And I'm very glad we made the decision to make sure that all of our processes, procedures, and the way we operate in that business was done to a controlled way within the UK first. In other words, we looked at this in a very careful way and a very specific way to make sure that we had everything in place. We believe that we've got an extremely good model now that we can roll it out to some other countries, which includes the company membership in audit and the also the ability to move on to a remote access for our examinations. And then once the trust is there to move our technical leads over to different countries, so that they can run them in the right. I think there is always a risk with growth, and if you don't get those procedures right, then anything could jeopardize the quality of the services that we provide. So we could almost suffer with a success of trying to drive these things too fast too quickly, but I believe that we try to manage that by taking a very considered and conservative approach and then trying to roll it out in a very considered manner.

From the other sides, I don't see too many other qualifications coming around in this area. So from a competitive stretch, because we're a not-for-profit organization, we are not directly associated with any organization, and really we make the decision about whether or not somebody passes or fails purely on their ability.

Growth Markets

FIELD: A couple of times now you've spoken about growth. Where do you see the organization's greatest growth potential as you look to expand from the UK?

GLOVER: We have an original strategy, which was to go to South Africa. Inside Africa there is a mature penetration testing market. There are service providers out there.

We'll probably to go into Germany because there is an awful lot of interest in Germany in terms of what we do. Then probably drop into Holland to cover NATO and up into the northern regions because of the number of penetration testers, and probably drop back down in Luxemburg because of the financial regulator marketplace.

I think the United States is a long way off. I've worked with NIST in the past. and I think that those types of organizations they provide an excellent service and really are at the forefront of driving some of these things forward.

What we found is that while some people are looking at some standards in their area, they really haven't got the type of professional qualification that we are running at the moment. So I really think that if there is enough drive from the US government, in concerns of professionalization, and there is enough emphasis put behind the international companies that we provide our services too, then the United States will take off extremely quickly. That is really a messy market in terms of the professional service.

I think that some of the people in the US that have taken our exam have been extremely surprise about how difficult it is. If you compare it to the other qualifications that are available in this space, they are interrupted qualification where we are looking at true professionals. People who have been doing this, seasoned professionals that have got a track record. So still I think that there is going to be a significant growth in the States.

Starting a Career

FIELD: A final question for you Ian. For somebody that wants to enter this profession today, what advice would you give to them?

GLOVER: We've started to put together a program for universities, and I'm trying to put a bit more technology around that to make it easier to roll out. So we are currently talking to right about four different universities who offer network security or have specific models in their first degree course or their master's degree courses on penetration testing.

My advice to them is they've got to be very careful what they do. In the past there was the opportunity in this industry to be a hacker, to do inappropriate things and the people would employ you. I think in the future that's not going to be the case.

So I'm really telling them that they should be working in a controlled environment. They should be knowledgeable about the tools and the operating systems. If they want to look at applications, they need to be very knowledgeable about how web applications are. But they need to do this in a very controlled way. It's not going to be the case in the future that they can hide away in terms of things that they done when they were young because of social networking and both active and passive information that is held and sticks out on the internet. So if they do things wrong early, then I think that is going to cause them some quite big problems.

If you are trying to get into the industry, then things like the Cybersecurity challenge, which I know runs in the US and we've got an excellent version of it in the UK, provides people with the opportunity to see what sorts of careers and things are available. In addition to that, I think that if somebody wants to get into this domain, it is a really exciting place to be. and if they wanted to find out anything about this industry as a particularly area of interest for their careers, then they contact request through our website, or they can call me in the UK and certainly we will provide them with advice and guidance. We will try to put them in touch with what I call mentors, where people are at different points of their careers in penetration testing. I think that will give them a really good insight to know just what an exciting place this is to work and how it exhilarating it is to work in this type of research environment, which is really what it is.




Around the Network