Script, July 2014
The newsletter keeping you connected with CREST

CREST helps roll-out of Cyber Essentials

Also inside: Update from Ian Glover; CRESTCon & IISP Congress; New Members; CREST helps roll-out of Cyber Essentials; Exams; Member Focus; CREST helps BoE; Getting to know you.
AN UPDATE FROM IAN GLOVER

This has been one of the most important periods in the short life of CREST. We have in place a new and invigorated Executive, which I believe will allow us to continue to improve the services provided to member companies and those holding CREST qualifications.

CREST is now widely recognised in the technical information security industry as being thought leaders and the place to go to get things done quickly and to a very high professional standard. This is reflected by our involvement in the development of the CREST STAR (Simulated Target Attack and Response) and CBEST on behalf of the Bank of England. The CBEST scheme is run by CREST on behalf of the Bank. One of the prerequisites for CBEST is membership of the CREST STAR scheme. The separation of these two will provide the ability to introduce other sector or country specific schemes with specific requirements, with STAR acting as the focus point.

At the same time we were working with CESG and BIS on the Cyber Essentials scheme. Although the scheme has been designed to meet the requirements of the SME community, it is already generating a great deal of interest from large corporates as a pre-requisite for their supply chain or to prove the security of their smaller divisions and departments.

Both of these schemes have required a huge amount of work to design and implement and there are too many people to thank for all their hard work. These people are working on behalf of your industry and contributing significantly to the common good.

CRESTCon was also fantastic and we have a great team in place and a great community from which to draw some of the very best presentations in the industry.

We have not been able to concentrate enough effort in the promotion of the Cyber Security Incident Response scheme. We have been talking to BIS and CPNI to develop a marketing plan to promote the services and this will start at the end of this Summer.
Despite this, there has been significant interest in the scheme. The guidance available and the services provided under the scheme have been really well received and we are pleased to say that there is no additional membership fee for being part of the scheme. In fact, CREST has not put up its membership fees at all since its inception, which is all part of our overall aim to make CREST membership accessible to any company or individual that meets our stringent levels of entry and to raise the bar across the security testing industry without raising the price.

The number of candidates going through the examination process is very healthy, demonstrating that the CREST qualifications are viewed as being of great value in the market place. There are new mandates coming from CESG in relation to Green Light status under the CESG CIR scheme. We have developed new examinations to support the Bank of England CBEST scheme in the areas of both penetration testing and threat intelligence. We are also just about to launch a Practitioner level qualification which will provide an entry point to the vulnerability analysis and penetration testing industry. It will additionally support those responsible for intrusion analysis. This exam will be available to take at our Slough centre but we are also working with a number of academic partners to establish whether we can run the examinations from other locations, providing a much better geographic spread and easier opportunities to internationalise.

CREST has also received approval from BIS, along with funding, for the production of additional day-in-the-life videos. The existing films have been really well received, with more than 7,500 views registered on the YouTube channel. We are looking for a wide variety of people from different backgrounds and disciplines. Any member companies that would like to get involved please contact me (ian.glover@crest-approved.org) or Allie Andrews (allie@crest-approved.org).
If you don't already, please follow us on Twitter - @crestadvocate - and join the CREST Advocate LinkedIn group. Anyone involved in recruitment is also welcome to join our CREST for Recruiters LinkedIn group.

It is a challenging and exciting time for our industry and I am looking forward to seeing what the rest of 2014 brings for CREST.

Ian Glover
CREST President

CRESTCon goes from strength to strength

CRESTCon has come a long way since the early events and while this year's conference retained the same ethos and level of enthusiasm, it also reflected the growth in CREST as an organisation and its focus on professionalisation. CRESTCon and IISP Congress was the second event held in partnership with the IISP, the Institute of Information Security Professionals, which shares the same goals to raise the standards of professionalism in the industry and promote the growth of the talent pool.

The conference brought together over 300 business and technical information security professionals from the CREST and IISP communities to debate many of the most critical issues facing our industry today and into the future. The conference was once again hosted in the grand rooms and lecture theatres at the Royal College of Surgeons in London. These impressive surroundings were matched by the quality of our speakers and our sponsors, who we must of course thank for making the event possible.

The large exhibition hall was a focal point for meetings and discussions between sessions and we were delighted with the support from HP as our headline sponsor and Ernst and Young as silver sponsor. The impressive list of other sponsors included Acuity Risk Management, Bolden James, BT, Checksec, Gotham Digital Sciences, Infosecure, IT Governance, Nettitude, OWASP, Royal Holloway, Security Alliance and Titania. If you did not get a chance to talk to them at the Congress or were not there, please give these companies your support throughout the year ahead.
We were also delighted that we could provide a free platform for the White Hat Rally charity, who were busy drumming up interest for their latest fund raising adventure in Holland this September. We wish them every success in beating last year's incredible 45,000 raised for Barnardo's. Other organisations represented in the main hall area included the Land Information Assurance Group (LIAG), the Specialist Territorial Army unit, along with CESG, e-skills and the Information Security Forum. We were also pleased to see so many members come along to our own CREST stand.

Parallel Tracks

The conference once again featured two tracks. Stream 1 was the more technical track, focused on analysing high profile breaches, compromise vectors and the impact of attacks; while Stream 2 was aimed at a wider cross-section of information security professionals.

Following a welcome address by our president Ian Glover and IISP chairman Alastair MacWilson, Stream 1 was kicked off by Mike Sloss from Thales with his look at the risks posed by the networked CCTV security systems that are becoming so ubiquitous. Mike demonstrated how a single misconfigured device could provide unauthorised access to the internal network from the Internet. His talk started with connecting to a vulnerable device and went through to having control of a camera botnet, secured and acting against the company that installed the cameras.

Second on was Paul Pratley from Verizon. Based on forensic evidence collected while investigating some of the largest data breaches in history, Paul gave a rare view into the world of cyber crime and espionage and delved into the people, methods and motives that drive it today. The research has already been used by law enforcement agencies around the world to prosecute criminals as well as by numerous organisations to assess and improve their security programmes.

After the coffee break and some networking, Andy Davis from NCC Group presented Zulu, an interactive, mutation-based proxy fuzzer that can be used to fuzz either ASCII or binary protocols; for more complex functionality the tool can be extended using ZuluScript. Andy described the motivations behind the development of Zulu, demonstrated why it is an easy way to start in the world of fuzzing and explained how Zulu has been successfully used to discover high profile bugs such as CVE-2012-0870.

Staying technical, Simon Clow from Context looked at exploiting hardware management subsystems or, as he called it, "iLO, iLO, it's off to work we go!" Simon reviewed common remote management interfaces; identified their effect on systems security; looked at how to establish a common framework of understanding; and presented typical testing actions. It went down well and many of the audience stayed on for more rather than head for lunch.

After sustenance and the chance to talk to the exhibitors, Penny Allen from Detica addressed the topic of targeted attack evolution.
Penny talked about the widespread movement from spear-phishing emails to watering hole attacks and how some groups perform these attacks - in and out - in hours or days, where it often used to be weeks. She also said that it is no longer the domain of just state-sponsored attackers; organised crime and hacktivists are also starting to use these advanced, targeted techniques.

Kyriakos Economou from Portcullis followed with a talk on MalWar Z, providing an insight into a variety of techniques used to make it harder to analyse hostile code in Windows based environments, and how to document things beyond the ordinary anti-reversing tricks.

After more coffee and chat, Robin Fewster from Selex ES kicked off the final session with a 360 degree view on penetration testing, with his own tips and techniques to achieve better ROI.

Last on was James Campbell from PwC, who related his own cyber war stories from the front line, recounting his personal experience in responding to a successful APT intrusion and how, in just 6 hours, an attacker can make their mark on a network. In an hour-by-hour breakdown of the incident, James presented the intrusion in detail, explaining the tools, tactics and procedures used by the adversary, and gave an insight into the actions of the hackers as the battle to contain the intrusion was being fought. A fascinating end to the formal part of the day.

One thing was the same as the first CRESTCon event - the conference ended with drinks, in this case kindly sponsored by PwC, and a final opportunity to network and discuss the issues of the day.

If you were not able to attend, we can offer you the next best thing. You can see short interviews with most of the speakers and videos of the full sessions at www.youtube.com/crestadvocate. And to make sure you are there for next year, put the 18th March in your diary now and we look forward to seeing you there.
New Members

CREST IN VIENNA

Cognosec GmbH, based in Vienna, has become the first indigenous CREST member from German-speaking Europe. Cognosec is one of the leading IT Security, GRC and PCI specialists in the DACH region.

"The company has grown incredibly over the last few years and attaining CREST membership helps to solidify our position as an IT Security front-runner in Europe," said Oliver Eckel, Cognosec CEO and 20-year IT Security veteran. "This recognition verifies that our technical expertise, policies, methodologies and processes have been rigorously examined at the highest levels. CREST is, in my opinion, the most important certification body in IT security and we look forward to future cooperation with CREST to help establish the standards of tomorrow."

Other Cognosec achievements include QSA and ASV certification from the Payment Card Industry Security Standards, allowing them to audit international payment platforms. "IT Security is not a field in which the process of trial and error can be used. It requires a highly structured approach and great foresight," added Oliver.
CREST helps roll-out of Cyber Essentials

Following the success of the CREST managed pilot assessments, the UK Government has launched its Cyber Essentials Scheme. Details of the first companies accredited by CREST to deliver Cyber Essentials assessment services are available at: http://crest-approved.org/crest-member-companies/member-companies/index.html

The Cyber Essentials Scheme is part of the UK Government's National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate risks from internet-based threats. Going through Cyber Essentials assessment means organisations not only lower their risk of serious data and financial loss, but by displaying the Cyber Essentials badge they demonstrate to customers that they have taken steps to be cyber safe.

CREST worked closely with CESG to develop the assessment framework for the Scheme. CREST defined the policy, procedures and requirements for companies that will provide certification services under Cyber Essentials and produced the syllabus areas and examination structures that underpin the Scheme.

There are two levels of certification available under the new scheme:

Cyber Essentials: An organisation completes a questionnaire and an authorised person attests its accuracy. It is independently verified and a technical verification is performed (external vulnerability scan).

Cyber Essentials PLUS: In addition to the Cyber Essentials activities, a review of a representative set of desktop builds / BYOD builds is performed.

Ian Glover explains: "Not all organisations have the resources available to invest in the most rigorous levels of information security and compliance. Cyber Essentials addresses this by creating a baseline for UK cyber security. By assembling and working with a forum of industry and technical experts, CREST has built an assessment framework optimised for the Cyber Essentials Scheme that will ensure organisations of all sizes and from all sectors can be properly and independently assessed to have the key technical controls in place to manage cyber risks."

Launching the Scheme, Universities and Science Minister David Willetts said: "The recent GOZeuS and CryptoLocker attacks, as well as the eBay hack, show how far cybercriminals will go to steal people's financial details, and we absolutely cannot afford to be complacent. We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats."
Exams

To augment our work in both the financial services sector and in support of the Government's Cyber Essentials Scheme, a number of new examinations have been developed.

For the financial services sector, three new specialist examinations have been created:

CREST Certified Simulated Attack Manager (CC SAM)
CREST Certified Simulated Attack Specialist (CC SAS)
CREST Certified Threat Intelligence Manager (CC TIM)

The CCSAM examination tests candidates' knowledge and expertise in leading a team that specialises in Simulated Attacks. Candidates will be expected to have a good breadth of knowledge in all areas of simulated attack and proven experience in managing incidents, penetration tests and simulated attack exercises.

The CCSAS examination tests candidates' knowledge and expertise in delivering the technical components of a simulated attack. This examination is considered a specialism to the existing CREST CCT Infrastructure certification, which is a mandatory pre-requisite for all candidates taking it.

The syllabuses for these two examinations are available on the CREST website and the CC TIM examination will be available shortly.

To deliver the Cyber Essentials scheme, a further two examinations have been developed:

CREST Practitioner Security Analyst
CREST Practitioner Intrusion Analyst

These latter examinations will also provide an earlier entry point into the technical information security industry (around 2,500 hours) and CREST is working towards developing a mobile platform for their delivery via selected academic partners in order to make them more widely available to the IA community. The CREST Practitioner Security Analyst Exam is now live and available for bookings. A copy of the Syllabus and the Notes for Candidates are available at http://www.crest-approved.org/information-security-testers/practitioner-security-analyst/index.html.

Finally, the examination supporting the Cyber Security Incident Response sector is now available.
The CREST Certified Incident Manager (CCIM) examination tests a candidate's knowledge across a range of areas wider than traditional intrusion analysis. For more information go to: http://crest-approved.org/information-security-testers/certified-incident-manager-2/index.html.

From 2015, the UK Government will mandate that companies seeking to supply cyber security incident response services to industry, the public sector and academia will be required to have at least one CCIM qualified individual on their team. This is seen as a critical role in the makeup and leadership of any response team. Members will be advised as soon as the Syllabus for the CCIM examination is available.

Member focus: Nettitude

CREST member Nettitude was founded in 2003 by CEO Rowland Johnson and provides cyber security and risk management consultancy solutions for organisations across the world. Starting initially as a network security integrator, Nettitude has evolved into a services consultancy that is focused on delivering cyber assurance services to public and private sector organisations alike. The consultancy delivers services across the UK, Europe and the Middle East from its headquarters in Warwickshire, UK. Nettitude's North American offices provide a platform of services for its clients in the US, Canada, Asia Pacific and further afield. Providing worldwide coverage allows Nettitude to respond to the intricate regulatory nuances required in today's interconnected environment.

With every engagement, Nettitude aims to provide tailored and pragmatic consultancy services that are designed to meet the unique challenges of its customers. As well as having some of the strongest technical skills in the market, Nettitude has an absolute focus on its communication skills. "We strive to be the trusted advisors for all things cyber in the boardroom. To be credible in this space, our security consultants have to have some of the best communication skills in the industry. Our consultants need to understand bits and bytes, but be able to communicate fluently in terms of risk management," said Rowland Johnson, CEO of Nettitude.

Rowland goes on to state: "We are extremely proud to be a full and active member of CREST. We firmly believe that the UK has a strong cyber capability and are proud to support CREST in its mission to provide a regulated professional services industry in the ever evolving cyber threat landscape. We believe that UK Cyber is thriving and is a vibrant contributor to this arena. We also believe that the CREST brand has an ever strengthening reputation and provides its member companies with an opportunity to demonstrate their capabilities on a global stage."

In the past six months, Nettitude has introduced an MSSP service called Threat2Alert, combining log, event and deep packet analysis with 24/7 threat intelligence feeds. This has been launched as a complementary service to Nettitude's rapidly developing incident response capability. As an early member of the CREST cyber incident response scheme, Nettitude has a strong focus on supporting organisations that have experienced cyber incidents and require host and network based intrusion analysis services.

Supporting the next generation

Nettitude is proud to partner with a number of leading colleges and universities in the UK and North America, such as Warwick University. The consultancy recognises that improved information security awareness is an important part of modern education, and offers placement and gap year opportunities for high quality students with a flair for information security.

For more information about Nettitude, please visit: http://www.nettitude.co.uk/
CREST helps Bank of England to deliver cyber-security framework

CREST has been working with the UK Financial Authorities - Bank of England (BoE), Her Majesty's Treasury, and the Financial Conduct Authority - to develop the CBEST framework for sharing detailed threat intelligence and delivering cyber security tests and benchmarking for UK financial services providers.

CBEST was launched on 10 June and is designed to help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK. It will also focus on the extent to which the UK financial sector is vulnerable to attacks and how effective their detection and recovery processes are. CBEST also puts in place measures to ensure that controlled, targeted and intelligence-led tests can be conducted on critical assets without harm.

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services. The inclusion of specific cyber threat intelligence will ensure that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.

CREST has helped to develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve. CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.

CBEST has the full support of the UK Financial Authorities and will provide significant benefits to the UK's financial sector.

CBEST Implementation Guide
These include:

- access to advanced and detailed cyber threat intelligence;
- access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
- realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
- access to highly qualified penetration testers that understand how to conduct technically difficult testing activities whilst ensuring that no damage or risk is caused;
- confidence in the methodologies utilised by the companies within CBEST for conducting these sophisticated and sensitive tests;
- confidence that the results and the information accessed by the testers will be protected;
- standard key performance indicators that can be used to assess the maturity of the organisation's ability to detect and respond to cyber attacks;
- access to benchmark information, through the key performance indicators, that can be utilised to assess other parts of the financial services industry;
- a framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.

Details of the CREST approved cyber threat intelligence service suppliers and penetration testing companies can be found at: http://crest-approved.org/crest-member-companies/member-companies/index.html

These organisations will be described as being CREST STAR members to allow the scheme to be extended beyond financial services to other parts of the critical national infrastructure. Additional information and supporting documents are available on the CREST website www.crest-approved.org

Getting to know you

Name: Paul Midian
Company: PwC
Job Title: Director (Cyber Security); Chairman of the CREST Executive

Professional

What was your first role in information security and how did it come about?
My first role in infosec was at Admiral Management Services Ltd., working in their CLEF (Commercial Licensed Evaluation Facility). I was an ITSEC (IT Security Evaluation Criteria, a forerunner of the Common Criteria) evaluator. This was back in 1994; the role was my second after graduating. Prior to it I was working in the defence industry.

At what point did you realise you wanted a career in infosecurity?
When I realised it was fun. It's a great career for those with an inquisitive nature. I consider myself very lucky to have such an interesting job. It's a career where your opinions really do count.

What has been your biggest professional achievement to date and why?
With apologies to my current employer, my proudest moment so far was IRM winning the SC Award for Information Security Consultancy of the Year in 2013 whilst I was Consultancy Director. It was recognition of the effort put in by the whole company.

What is your best advice to anyone entering a career in infosecurity?
Have a sense of curiosity; understand that this is a relatively new industry and we are still figuring it out. There is always something new to learn; it really is a battle of wits between the good guys and the bad guys. Be adaptable, and don't give up.

How do you see the industry developing in the future?
I think we are at a point now where most organisations know they need to manage their cyber risks. Cyber risk management will become embedded into operational risk management strategy - ultimately it's just risk management for the digital age. We will learn a lot more about the real cost of suffering a data breach because unfortunately more organisations will be breached. This knowledge will be applied to enable better risk management decisions. Unfortunately, after 20 years in this industry, experience tells me that the bad guys will continue to be a nose ahead, but on the other hand we will get a lot better at catching them.

Personal

What is your biggest weakness?
French wine. Preferably from Pomerol.

Sweet or savoury?
Savoury. Perhaps cheese to go with the wine.

If you could have dinner with anyone, past or present, who would it be and why?
Alan Turing, naturally.

What is your favourite film?
Brief Encounter.

What is your ideal holiday destination?
Bordeaux. I've never been.
A Day-in-the-Life

After the success of our original day-in-the-life of a pentester videos, CREST has been working with BIS to develop these careers videos to encompass a much wider range of information assurance roles and types of organisations. This work is part of our commitment to provide better careers advice and more up to date information to people entering the information assurance industry. These videos aim to provide an insight into the typical working day of a range of people working in information security and can be viewed on the CREST YouTube channel: www.youtube.com/crestadvocate. A big thank you to all of the people who have taken part so far. We are still looking for volunteers to be interviewed - if you are interested please contact allie@crest-approved.org

BIS Guide

CREST has contributed to a guide produced by BIS (The Department for Business, Innovation & Skills) that looks at the opportunities available for businesses to engage with cyber security skills and capability initiatives. In some cases these initiatives are designed to directly benefit businesses and cyber security professionals, while others have the principal aim of helping to grow the pipeline of new talent into the industry that is so essential for our future.

The guide groups the current initiatives that businesses can both assist with and benefit from into three categories:

Initiatives supporting schools
Initiatives supporting vocational and higher education
Initiatives supporting new or existing cyber security professionals

A copy of the guide, "Cyber Security Skills: a guide for business - Getting involved with skills, knowledge and capability initiatives" (March 2014), is available from the CREST website at: http://www.crest-approved.org/wp-content/uploads/cybersecurity-skills-a-guide-for-business.pdf

Internships

CREST is receiving a number of enquiries from students on summer internships.
It would be great for CREST and its member companies to be seen to support people on their first steps in our industry. Member companies interested in taking on an intern, please contact adriana@crest-approved.org for information. We would also like to start promoting internship successes, so please let us have your stories - for a piece in Script and, where appropriate, a video interview for the YouTube channel.

New ebooks

The CREST Penetration Testing Procurement Guides are now available in ebook format for a number of different platforms. They are delivered as a package, so when the Buyer's guide is downloaded, the guide for suppliers is included at no additional cost. They can be purchased via the CREST website at http://crest-approved.org/guidance-and-standards/index.html

CREST has a number of ebook vouchers available for members to give to their current and potential clients and for CREST to circulate at events. Please contact Elaine.luck@crest-approved.org for further details. We expect the Cyber Security Incident Response Guides to be the next ebook project and will let you know when they are available.

522 Uxbridge Road, Pinner, Middlesex, HA5 3PU. CREST is a not for profit company registered in the UK with company number 06024007.