Australia. CREST in. The THE NEWSLETTER KEEPING YOU CONNECTED WITH CREST. September Also Inside

Transcription

1 Script The September 2013 THE NEWSLETTER KEEPING YOU CONNECTED WITH CREST CREST in Australia Also Inside Update from Ian Glover CESG and CPNI launch new schemes CRESTCon 2014 The CCP Report New Members CRESTx initiative Cyber Security Incident Response Getting to know you Member focus

2 The Script JUNE 2013 AN UPDATE FROM IAN GLOVER Some really significant things have happened since the last CREST newsletter. The Cyber Security Incident Response (CSIR) Scheme was formally endorsed by CESG and CPNI and the government Cyber Incident Response (CIR) scheme was launched; we have booked the Royal College of Surgeons on 19th March for CRESTCon 2014; the upgraded website went live; and the first ever CRESTx event was held at Lancaster University. The launch of the CSIR Scheme is a really significant step forward. I have been in the industry for more years than I now admit to and I have never seen government and industry jointly launching such an initiative and really demonstrate the close collaboration that is now in place. In relation to the launch of the schemes, CREST has been featured in a host of publications including the FT, Computer Weekly, Computer Business Review and Infosecurity. I have also been interviewed for the Password Radio show, IT Adviser and Contrarisk and taken part on panels for SC Magazine and Infosecurity, as well as providing comments for other features. So we are continuing to spread the word. We are seeing a significant number of companies apply for CREST CSIR membership. We have agreed an FAQ with CESG on the two schemes (CSIR and CIR) which we will shortly include on the website. In the meantime if you have any questions about the schemes please do not hesitate to contact me. Workshops have been held to define the syllabus for the assessment of cyber security incident managers. Once the examination behind this has been launched by CREST, CESG will give CIR companies a year to obtain this qualification. To further build on the provision of research information, the first draft of the new Cyber Security Incident Response Guide has been produced and is currently being reviewed in detail. I think it is a really useful document and provides more detail than I have seen anywhere else. This will be supported by a cyber security incident response buyers guide and a management overview. These guides will support the launch of the CIR and CSIR schemes. We are working with e-skills to define the National Occupational Standards for penetration testing roles. These are almost completed and will be supported by professional development and training pathways. We have also started the process of assessing training courses against these National Occupational Standards. The combination of these initiatives will provide individuals with a way of assessing their skill and knowledge and to develop a programme of activities to take them to the next level in their career. Elaine Luck has done a really good job of improving our policies, processes and standards. Although this does not sound very exciting it is essential as we move towards the professionalisation of the industry. The first CRESTx event was run in Lancaster University, one of the CREST Academic partners. They took 25% of the content recorded from CRESTCon and augmented it with their own content to run an internal conference for students. They recorded their presentations and these will be hosted on the CRESTx YouTube channel for others to access. The channel is already starting to become a really good source of research material available to all CREST members. And finally, take a look at the new CREST website: Sincerely, Ian Glover CREST President CESG and CPNI launch CREST led cyber incident response scheme In collaboration with CREST, CESG and CPNI launched two schemes in August that provide access to industry expertise to respond effectively to the consequences of cyber security attacks. The Cyber Incident Response schemes follow on from the successful National Cyber Security Programme pilot that started in November The pilot concluded that the objectives of the National Cyber Security Strategy to provide greater resilience to Critical National Infrastructure (CNI) companies as well as wider public and private sector organisations, is best met by adopting a complementary twin-track approach for certified Cyber Incident Response services: A broad based scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia. A focused Government run Cyber Incident Response scheme certified by GCHQ and CPNI responding to sophisticated, targeted attacks against networks of national significance. CREST has worked with industry and government to define standards that companies providing Cyber Security Incident Response (CSIR) services should have in place to protect client information. CREST will audit the service providers against these standards and ensure compliance through codes of conduct. This, combined with professional qualifications for individuals, will provide the buying community with confidence in the integrity and competence of the companies with whom they are contracting. The CREST standard for the industry-led segment will act as a foundation to establish a strong UK cyber incident response industry, able to tackle the vast majority of cyberattacks. This will enable service providers to establish a track record and, if they so choose, apply for certification under the CESG/CPNI-led scheme for the most sophisticated cyber-attacks. Any organisation providing cyber security incident response services is able to apply to join the scheme; but to become a member they must pass a stringent assessment process. Through this process they must demonstrate knowledge and application, the ability to protect client based information and willingness to sign up to a comprehensive code of conduct. CREST has already had a number of submissions and those companies are currently going through the audit process. There has also been an increase in the number of people who want to sit the intrusion analysis examinations. It is planned to formally announce the first wave of memberships at the end of September.

3 SAVE THE DATE CON Announcing CRESTCon & IISP Congress bringing together professional expertise in information security Following on from last year s highly successful first joint event that attracted over 300 delegates from the information security industry, the date for next year s CRESTCon & IISP Congress has been set: Wednesday 19th March 2014, at the Royal College of Surgeons, London. CRESTCon & IISP Congress aims to bring together leading technical, business and academic experts to address some of the most critical information security threats and challenges and to harness industry knowledge and experience. Attendance is open to members of CREST and IISP as well as delegates from the wider information security community. We are in the process of putting together the programme and will give you more information and let you know when booking opens as soon as we can. Latest information will be made available on For videos from last years event please go to CRESTCon 2014 Call for papers Deadline: 30 November 2013 The 5th annual CRESTCon for the security testing and incident response industry - will be held at Royal College of Surgeons, London WC2 on the 19th March CRESTCon 2014 is being hosted once again in partnership with the IISP Congress. All CRESTCon presentations must be technical in nature to suit the audience, which is primarily security consultants, researchers and those on the front line, ethically attacking and defending information systems. Speakers get the opportunity to showcase on-going security research projects, highlight advances in security testing techniques and announce new tools or methodologies to a professional audience. We are particularly looking for submissions that focus on recent high profile breaches and vulnerabilities and include analysis of the compromise vectors and the impact of attacks, as well as the lessons learned for the formulation of offensive and defensive strategies. With permission, we also film presentations for the CREST YouTube channel or CRESTx events at our academic partner universities; so you have the potential to reach an even wider audience. For more information on the CRESTx cyber security information exchange initiative go to If you have a proposal for a presentation, please a synopsis and your biography to crest@prpr.co.uk for consideration by the CREST conference review committee before 30 November Preference will be given to presentations that relate to new or innovative techniques or tools relevant to professional security testing activities, particularly in the following areas: 1. Application testing 2. Infrastructure testing 3. Wireless testing 4. Code reviews 5. Network forensics 6. Intrusion analysis 7. Reverse engineering and malware analysis 8. New areas of research within the security field Speakers will be given a 45 minute or 30 minute session and talks should take no longer, including Q&A. TheCCP Report Spencer Lamb, CCP Scheme Manager at CESG provides a review and update Since the CESG Certified Professional Scheme was introduced, a total of 793 certificates had been awarded to 595 certified professionals as of the end of May. Reflecting the level and rigour of the certification process, there has been a 7% failure rate along with 43 applicants who have been certified at the level below the one applied for. The CESG is using CCP in place of core internal skills assessments to ensure that its IA experts work to a recognised CCP standard and keep their IA expertise up to date. That even includes Deputy Director for the National Technical Authority for IA, Chris Ensor, who has recently been certified as a Lead Practitioner in the Security & Information Risk Advisor role. EPSRC Research Council announced the second virtual academic research institute in late March. Six teams from six universities, hosted by Imperial College London, will collaborate to investigate new ways of automatically analysing computer software to reduce its vulnerability to cyber threats. A third research institute is in the pipeline, to be led by CPNI. Chris said: I felt it was really important for me to experience the scheme first hand and test myself through the certification process. If I d had any thoughts that my role in the scheme was going to afford me any special treatment I was quickly disabused! The interview was challenging and thorough, covering the full spectrum of skills needed for the job and requiring me to dig deep for those I hadn t used for a while. It certainly felt like a true test of competence and not a tick-box exercise. I encourage all my colleagues within the community to get themselves certified. GCHQ is funding 30 Doctoral Studentships at the ACECSRs over a period of three years. Four contracts have been let so far for this year and a calling notice has recently been issued for research topics for next year s doctoral students. The majority of certifications issued are for the Security and Information Risk Advisor role at Practitioner level and the growing number of CESG Certified Professionals provides access to a growing community of competent IA professionals to deliver the expertise needed to manage information risk. An updated version 3.0 of the CESG Certification for IA Professionals will be issued shortly and available through the CESG web site - awarenesstraining/ia-certification/pages/index.aspx and the new Penetration Tester role will be introduced at the end of We are proactively promoting the scheme to government departments and most recently have had discussions with CPNI and the CNI and have aspirations to take the scheme into industry. As part of its on-going commitment to the Cyber Security Challenge, GCHQ hosted 25 finalists from the 2012 Cyber Security Challenge on 5 and 12 July Finalists may apply to work at GCHQ for a guaranteed placement as summer students in GCHQ is also keen to contribute to the Challenge games and our second Cyber Security Challenge game is currently open for registration. In tandem with the CCP scheme roles, we are developing a learning pathway guide book. The intention is that the guide will highlight the building blocks needed to acquire a specified role. It s work in progress and the aim is that it should be suitable for any person wishing to join the cyber security profession - be it as a school leaver, a change of profession, or attainment of another IA role. The first learning pathway role to be developed will be the Accreditor, planned for the Autumn. In connection with the CCP scheme, the Strategic IA Training Assurance initiative aims to create a flexible and scalable assurance service for IA training courses to support professional development. A reminder that all CESG Listed Advisor Scheme (CLAS) consultants will have to have certification from October 2013 if they wish to continue working as members of the CLAS community. GCHQ is in the early stages of investigating the feasibility of a scheme to recognise Academic Centres of Excellence in Cyber Security Education. A first step towards this is identifying how Master s degree courses in Cyber Security could be certified. Education, education, education Spencer Lamb, CESG 11 universities have now been recognised as Academic Centres of Excellence for Cyber Security Research (ACECSRs) and GCHQ academic liaison officers have recently been appointed to ensure that the partnership is a close and productive one. Furthermore, BIS, GCHQ and the For more information on CCP Scheme certification offered by the CREST, IISP and Royal Holloway ISG consortium go to

4 An update on Australia T he inaugural CREST (Aust) Ltd annual general meeting was held in June, an important milestone as it was the first time that member companies could influence the makeup of the Australian board of directors, with two of the seven Board positions declared vacant. CREST Australia now has 14 member companies with a number more in the process of completing applications. We have reached critical mass in terms of penetration testing service providers and our focus will now be to grow the number of certified individuals within those companies to ensure an effective capacity service to the market. We have been running penetration certification examinations in Australia every couple of months for almost a year. We have also seen several people with CREST UK certifications here in Australia and welcome their involvement and contribution to filling market demand. The CREST brand is growing in Australia and we are starting to hear of companies seeking penetration testing services asking for CREST membership as a condition of winning work. We expect this trend to continue. The Australian Signals Directorate (formerly the Defence Signals Directorate) is revamping the IRAP scheme and we hope CREST certification will be a requirement for IRAPers offering services in the penetration testing space. More on this soon. Now that we are confident we have the penetration testing certifications bedded down we are actively working towards introducing CREST UK s Intrusion Analysis certifications and we believe this will be an exciting next step in CREST Australia s development. We continue to look to our UK colleagues for support but hope that we are now in a position to offer reciprocal help in some areas. Again, we welcome CREST UK certified individuals (and accredited companies) here in the Australian market...don t forget as it starts getting cold there, it s warming up here :) Alastair MacGibbon

5 Member JUMPSEC JUMPSEC is a young New company dedicated to helping to raise the bar for penetration testing and other cyber security services. Although still in its first year of business, JUMPSEC has already completed a number of highly complex and bespoke projects for some very interesting, high profile clients. JUMPSEC s success is thanks, in part, to the dedication and loyalty of its staff and their passion for continual improvement and innovation. Another key factor in JUMPSEC s success has been joining the CREST scheme. When we sat down at the beginning of this process to set about building a penetration testing business, there was never any doubt that CREST was a need to have rather than a nice to have, explains Sam Temple, director at JUMPSEC. We have been extremely pleased with the level of support we have received from CREST in the early stages of our business, and the level of self-regulation that CREST brings to the industry as a whole. We are looking forward to working with CREST and its member companies to continue raising the standards in our industry for many years to come. CRESTx Cyber Security Knowledge Exchange initiative launches Last month CREST launched CRESTx ( an initiative that provides our academic partner universities with high quality information and video material to run their own version of the annual CRESTCon event. The CRESTx information exchange gives students the unrivalled opportunity to get the most up-to-date information and ideas in cyber security by providing them with access to the latest professional presentations. At the same time it gives them a platform to showcase their research to a wider academic community, the cyber security industry and in particular potential employers. As well as video material provided by CREST from its annual conference, universities running a CRESTx event will also feature live presentations from invited speakers. These will be filmed and added to the repository of content hosted and shared by CREST, for other academic partners to use. CRESTx is the latest initiative in CREST s ongoing knowledge transfer and professional development activities. Current availability of up to date information for students on trends within the industry and details on exploits and threats is not great, said Ian Glover, President of CREST. There is very little published material and it s often woefully out of date. The aim of the CRESTx information exchange is to provide students with access to topical content and help to share resources and information between universities. In addition to this, it provides exposure for universities, allowing potential employers to see the quality of students, teaching and research. Students, businesses, researchers and academics share cyber security knowledge at first CRESTx at Lancaster University Lancaster University hosted the first CRESTx at the beginning of July. This successful event featured live presentations from local businesses, students and academics, along with recorded presentations from this year s CRESTCon and provided the opportunity to share and discuss the most up-to-date issues, challenges and ideas in cyber security. Our first CRESTx was certainly a huge success with a great mix of attendees from Lancaster University and local businesses, said Ian Glover, President of CREST. The important difference with CRESTx is that it kick-starts communication and encourages closer relationships between the academic community and industry. We are also creating a library of video content for future CRESTx events and students have the opportunity to present their research to prospective employers. This sort of free exchange of knowledge is essential to fill the gap in quality research material and helps the universities deliver the caliber of students needed to help fill the skills gap. It also helps to raise awareness of a wide range of information assurance and IT security subjects. CRESTx Lancaster took place on 3rd July hosted by Security Lancaster, an EPSRC-GCHQ Academic Centre of Excellence in Cyber Security. CRESTx Lancaster featured 20 speakers and highlighted the multi-disciplinary research of Security Lancaster and its key partners in industry. Conference talks were split over 4 sessions: (1) Privacy and Personal Security; (2) Critical Infrastructure Protection; (3) Governance, Risk Management and Compliance; (4) The Human Element of Cyber Security. For more information:

6 Cyber Security Incident Response A survey of the main challenges faced by the cyber security incident response buying community Collaboration with UK Government departments including CESG, CPNI, GovCertUK and the Cabinet office; the Bank of England; international bodies such as NIST and ENISA; and academia and members of the buying community An exclusive workshop for CREST members and selected guests, helping to identify best practice in the provision of cyber security incident response services Presentation to highlight the key findings from the project Presentation of findings to international information security membership organisations, including ISF and ISACA The final deliverables from the project will be the following set of reports, due late Autumn: Cyber Security Incident Response Guide This guide provides organisations with practical advice on how to prepare for, respond to and follow up a cyber security incident. Presented in an easy-to-use format, it gives a useful overview of key concepts organisations need to understand to handle cyber security incidents effectively, including a definition of cyber security incidents; a comparison of different types of cyber security attack; the anatomy of a cyber security attack; a summary of the main challenges in responding to cyber security incidents; project nears completion The CREST cyber security incident response project has been a great success and so far the project has delivered: and how they can respond and the need to employ third party experts to help respond in a faster, more effective manner. It then provides more details about how to establish an appropriate cyber security capability, considering key requirements for people, processes, technology and information. Cyber Security Incident Response Supplier Selection Guide This helps organisations to select an appropriate provider of specialist cyber security incident response services. The guide explains the main reasons why organisations typically employ specialist suppliers to provide resourcing and response expertise; conduct technical investigations (including remediation and forensics); and perform cyber security analysis (including threat analysis, advanced data analytics and cyber intelligence). The main part of the guide then presents a systematic, structured process to select a supplier that can most effectively meet requirements quickly and effectively but at a reasonable cost. Cyber Security Incident Response Summary Report This short report provides a management summary of the main findings of the project. It will help organisations to understand at a high level what they need to do to prepare for, respond to and follow up an incident in a fast and effective manner and to select an appropriate provider of specialist cyber security incident services. Getting know to you What degree did you do and how did it help get you into infosecurity? I did my BSc in Computer Science and graduated in I wouldn t have said that anything I learned on the course was particularly applicable to infosecurity, other than the fact that my first employer didn t hire people without a 2:2 or above! A few years later I did an MSc in IT Security as a part time student, while still working. I was interested to see how relevant it was to Penetration Testing; and to be honest I still don t think that it s a must have. What we look for when we re hiring now is less about what degree people studied and a lot more about their extra-circular interests in security and whether they can bring any unique perspectives to the role. What is your best advice to anyone entering a career in infosecurity? You should start a career in infosecurity because it s an area that you re interested in and because you like breaking things. I think too many people try to get in because of the potential money and don t actually enjoy their work. What surprised you the most when you started working in this field? Back when I started as a Penetration Tester, I was surprised by how easy it was! There was no such thing as a personal firewall; nobody patched anything (it wasn t until 2003 with the MS exploit that security started being taken seriously); and the main way to break into networks was through password guessing. How do you see the industry developing in the future? Security innovations are constantly being created and for years I ve thought that the future of security consultation was drawing to a close. I think that as time goes on people will get better at ensuring they have the basics in place and the work will shift towards Cyber Incident Response, where businesses investigate how potential attackers could circumvent security and seek to stop similar things happening in the future. Name: Steven Bates Company: Information Risk Management Job Title: Head of Cyber Incident Response What has been your biggest personal achievement to date and why? I have two black belts - one in karate and one in kenjutsu - which I was very pleased to get! I spent a month hiking around the Canadian Rockies, which was amazing. Ultimately though, my biggest personal achievement, and the person I am most proud of is my beautiful daughter, Isabelle. Cliché I know, but there you are! What is your biggest weakness? According to my wife, without a shadow of a doubt it is my tendency to give victory speeches in whatever game I m playing. Then sure enough, there will be something that I overlooked, which my opponent will then use to beat my post victory speech. I don t know if there s a medical name for it, but I m pretty sure it should be known as, Batman baddy syndrome.

7 The Script JUNE SEPTEMBER Member focus Pen Test Partners LLP provides security testing, assurance and training to many familiar, and many not so familiar organisations. The company was born as of the desire to innovate in penetration testing and incentivise testers through genuine ownership, which is why it is an employee owned business. We commit to using senior and seasoned testers, never juniors or recent graduates. From military intelligence through to SCADA, our people have a wealth of experience. By being an employee owned company Pen Test Partners LLP effortlessly manages to be truly client-centric where the testers level of care and attention comes from ownership. It also makes for an interesting environment where research and learning are part of the fabric, adding further value for clients. The Cass Business School report Model Growth: Do employee-owned businesses deliver sustainable performance? pretty much encapsulates the ethos. Ken Munro is one of the founding partners and is a keen supporter of CREST: In many ways CREST matches and supports our goals, so it makes perfect sense to be involved. There is always going to be a requirement for a high level of quality. While many testing firms go above and beyond this, it is essential that there is a benchmark for the level of assurance that the market provides. It is critically important that we, and our industry peers, support high grade accreditations and working practices, and that is where CREST serves us all so well. 522 Uxbridge Road, Pinner, Middlesex, HA5 3PU. CREST is a not for profit company registered in the UK with company number