Cyber Security Incident Response coordinators. Script: the newsletter keeping you connected with CREST. January 2014.


Script, January 2014

Also inside:
- Update from Ian Glover
- CRESTCon & IISP Congress
- Careers
- New Members
- CSIR coordinators
- First CSIR certified companies have been announced
- Put into Context
- CSIR Procurement Guide

An update from Ian Glover

We have had a really good response to the request for nominations to the CREST Executive from member companies. Combined with the new Executive, the updated Memorandum of Agreement and Byelaws that will be announced at the AGM reflect the huge progress that CREST has made over a relatively short period of time. I would like to take this opportunity to thank all those that have supported CREST and look forward to continuing to work with you to make CREST the recognised authority in the area of technical security.

With four new members on board during November and December and our announcement of the first four certified CSIR companies, it was a great end to a very busy 2013.

The cyber security incident response coordinator examination will be beta trialled this month. As we have previously stated, this will become a mandatory requirement for the Government's CIR scheme to become green light within a year. Given the importance of this role, CREST is also looking at how this can be introduced as a requirement for CSIR membership. Those members providing cyber security incident response services should start to plan to put key members of staff through this examination.

There has already been some very positive feedback on the Incident Response Guides and I hope you have had your copy. Following the success of these reports and the Procurement Guides last year, further research projects are in the pipeline for 2014.

We have been working with some of the financial services regulators on the provision of intelligence-based penetration testing services. This could be a major initiative for 2014 and we may be making calls for help to define the service soon, so if you are interested please look out for the request.

The initial request for information for the CESG proposed training course assessment scheme has been completed and, in line with the CCP scheme, we have entered a consortium with the IISP. We hope to be able to provide you with more information on this in the next issue of Script. This will be an important step forward for CREST as it will align with the training course assessment work we have been doing with e-skills UK. It will also start to complete the picture of learning pathways for those entering the industry through a degree or higher apprenticeships, for those already in the profession, and for those who want to cross-train into it. This will also allow us access to additional funds to help member companies develop their staff. For example, the potential offer of a 50% refund on training courses from e-skills still applies; all we need is a submission from the member company describing and costing their training programme for this year, and then CREST will make the request for funding.

Plans for CRESTCon 2014 are progressing well. The call for papers is now closed and has brought in a good selection of interesting presentations. Registration has opened and it is already clear that the event will sell out, so make sure you book your place as soon as possible! We are still actively looking for sponsors for the event; more information is available at http://www.crestcon.co.uk/partnerbrochure.pdf

The CREST website continues to develop and improve in terms of content. It is now becoming exactly what it needs to be, a really useful source of information, and is already helping with enquiries.

Wishing you all a very happy and prosperous 2014.

Ian Glover, CREST President

CRESTCon & IISP Congress 2014
London, 19 March 2014, Royal College of Surgeons
Bringing together professional expertise in information security

Registration for CRESTCon & IISP Congress 2014 is open. Register now at www.crestandiisp2014.eventbrite.co.uk to secure your place. CRESTCon & IISP Congress is on 19th March 2014 at the Royal College of Surgeons in London.

Partner with CREST, the professional body for ethical security testing and incident response, and IISP, the industry association for professional information security practitioners. Attendance is open to members of CREST and the IISP, as well as the wider information security community. Spaces are limited and available only to those working in the industry. Tickets cost £120; however, CREST members are entitled to two free tickets and further tickets at a 50% discount. For more information on this please contact allie@crest-approved.org, or to register go to www.crestandiisp2014.eventbrite.co.uk

There are two speaker tracks and delegates are free to move between them:

Stream 1 - Technical presentations aimed at security consultants, researchers and those on the front line, ethically attacking and defending information systems or providing cyber security incident response services. Presentations will focus on new or innovative techniques or tools relevant to professional security testing activities, along with recent high-profile breaches, analysis of compromise vectors and the impact of the attacks, and lessons learned to formulate offensive and defensive strategies.

Stream 2 - Aimed at a cross-section of the information security profession, especially those involved in security management, risk and compliance from both the private and public sectors. Security professionals must adapt if they are to meet the ever-changing challenges over the next five to 10 years. Technical security skills will simply not be enough, and tomorrow's professionals will also need business acumen, legal awareness and the ability to quickly embrace new trends such as the cloud, big data and the increasingly mobile enterprise. But with demand already outstripping supply, what can be done to fill the talent pool with the right knowledge and skills?

Exhibiting and sponsorship at CRESTCon & IISP Congress 2014

We are delighted that HP is our headline sponsor again this year. Other sponsors include Acuity, BT and Gotham Digital Science. For information on the range of exhibiting and sponsorship opportunities at CRESTCon & IISP Congress, please contact Marc Callaway at marc@crestandiisp.com or download the partnership brochure at http://www.crestcon.co.uk/partnerbrochure.pdf

Careers

Internships
The Internship programme continues to develop and we are delighted to see an increasing number of CREST member companies taking up full internships and junior placements. One member has taken on an impressive 10 interns. If you would like to know any more about internships, or would be willing to offer an internship of between six weeks and a year, please contact Ian Glover.

Higher apprenticeships
CREST believes that Higher Apprenticeships will become increasingly important. The Pay as You Learn model is good for students, and many employers also believe that Apprenticeships can create a better work ethic than the University route. With this in mind, CREST has been working with e-skills, and in particular QinetiQ, to create a syllabus for Higher Apprentices. This has now been agreed and will provide an excellent platform for those entering the penetration testing and intrusion analysis industry. It is hoped that this will help to provide a career route for network operators into intrusion analysis and cyber security incident response. If you would like to know any more about the scheme, or would be willing to consider offering a young person the opportunity of a Higher Apprenticeship, please contact Ian Glover. E-skills will also now be engaging with training providers to provide access to training material.

CREST educational videos
The first CRESTx material, from CRESTx Lancaster, is live on the CREST YouTube channel http://www.youtube.com/user/crestadvocate. In addition to this material and the videos from CRESTCon, the day-in-the-life films are proving popular. We plan to develop this content further so that it becomes a rich source of careers information for those looking to enter the industry. If you would like to feature in one of our day-in-the-life-of videos please contact allie@crest-approved.org for more information.

New Members

Dell SecureWorks
Dell SecureWorks listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognised as an industry leader by top analysts, Dell SecureWorks provides world-class IT security services to help organisations of all sizes protect their IT assets, comply with regulations and reduce security costs.

Craig Lambert, Security Testing Practice Lead, EMEA, said: "Dell SecureWorks is delighted to become part of the CREST community. CREST has made a significant contribution in providing a benchmark for security testing excellence, which has reduced barriers to entry and improved the profile of security testers and the security testing industry. Dell SecureWorks looks forward to working with and supporting CREST for the continued benefit of customers and security professionals alike."
http://www.secureworks.co.uk

IT Governance Ltd
IT Governance Ltd is a fast-growing cyber security services business and an acknowledged leader within the IT governance, risk management and compliance (IT-GRC) field. We offer our corporate clients end-to-end solutions, from books and tools to training and consultancy services, to help them secure themselves against today's cyber threats. As a major IT-GRC provider, we also deliver a comprehensive range of penetration testing services, including network testing, web application testing, wireless network testing and PCI QSA services. Our in-house team of qualified pen testers is passionate about their job and about delivering the best possible results. The team has experience in working with organisations of different types and sizes and is able to draw on the company's wide range of related resources to deliver bespoke and cost-effective services. This adds real value to our penetration testing services.

Alan Calder, Founder and Executive Chairman of IT Governance, says: "Our company has long been delivering penetration testing services through qualified pen testers to clients internationally. By becoming a CREST member, we can better demonstrate our credentials to our clients. In the context of constantly emerging cyber threats it is ever more important for customers to be able to trust their pen testing providers. We appreciate that being part of the CREST community reinforces the quality of our services and we look forward to working with CREST to keep the high standards in the future."
www.itgovernance.co.uk

Cyber Security Incident Response coordinators

CREST's CSIR (Cyber Security Incident Response) scheme was one of two schemes launched following the successful National Programme funded pilot, which concluded that a complementary twin-track approach to certified cyber incident response services was needed:

- A broad-based CSIR scheme led by CREST and endorsed by GCHQ and CPNI, which focuses on appropriate standards for incident response aligned to demand from all sectors of industry, the wider public sector and academia.
- A smaller, focused Government-run Cyber Incident Response (CIR) scheme certified by GCHQ and CPNI, responding to sophisticated, targeted attacks against networks of national significance.

CREST worked with industry and Government to define standards that companies providing CSIR services should have in place to protect client information. The CREST standard for the industry-led segment is the foundation for establishing a strong UK cyber incident response industry that is able to tackle the vast majority of cyber-attacks.

In support of the schemes, CREST is in the process of developing an examination for Incident Response coordinators at the CREST Certified level. This examination will be beta tested early in 2014. Once the examination has been reviewed by CESG it will form a mandatory part of the CESG CIR scheme within one year, providing a green light status for companies in the same way as CHECK services.

CREST has written a comprehensive set on the two schemes. If you would like a copy, please contact Elaine.luck@crest-approved.org. For CSIR membership information contact Adriana.Costa-McFadden@crest-approved.org.

A number of CREST companies have obtained, or are working through the process of obtaining, membership of the CSIR scheme. Membership will provide a significant differentiator in the marketplace.

First CSIR certified companies have been announced

Congratulations to BAE Systems Detica, Deloitte LLP, MWR InfoSecurity, PwC and Verizon UK Ltd, who have met the stringent standards and have been accredited under the CREST CSIR (Cyber Security Incident Response) scheme. The scheme, which was launched earlier in the year in collaboration with CESG and CPNI, provides private and public sector organisations with access to the industry expertise they need to respond effectively to cyber security attacks.

The CSIR scheme aims to give the buying community confidence in the integrity and competence of CREST certified companies when they need help following an attack. Becoming accredited is not a trivial matter, and rightly so. The bar has to be set high to provide that level of confidence and ensure that cyber security incidents are dealt with properly and effectively.

The first companies to be accredited under the Government-run CIR have also been announced: BAE Systems Detica, Context, Dell SecureWorks, Mandiant and MWR.

Put into Context

Founder CREST member Context Information Security was founded in 1998 by a group of security managers and consultants whose experience of working in blue-chip companies led them to identify the need for a truly holistic and product-agnostic security services consultancy. Today, Context employs over 110 people with offices in London, Cheltenham, Düsseldorf and Melbourne, and has a client base that includes some of the world's most high-profile blue-chip companies and government organisations.

An exceptional level of technical expertise underpins Context services, while attention to detail helps clients to gain a deeper understanding of security vulnerabilities, threats or incidents and to implement tailored, preventative measures. In addition to providing technical assurance, incident response and investigation services, Context is at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing security threats and trends, Context consultants frequently present at open and closed industry events around the world, including Black Hat, 44Con and CRESTCon.

With a wide variety of technical and business backgrounds and qualifications, Context consultants understand the business perspectives as well as the technical challenges. As a Green Light CESG CHECK service provider, all Context consultants have achieved a minimum level of CESG CHECK team member status, and a number hold team leader status. As a CREST member, many also hold CREST Application Certification or CREST Infrastructure Certification professional qualifications, or are CREST Registered Testers (CRT).

"As a founder CREST member, we have always recognised the need for a regulated and professional security testing industry to serve the information security marketplace," said Mark Raeburn, CEO at Context. "CREST also provides its members with a framework of guidance including standards, methodologies and recommendations aimed at ensuring the very highest standards of leading-edge security testing."

In November, Context became one of the first companies to be certified by CESG and CPNI as an approved supplier of cyber incident response services to UK organisations that have suffered attacks from the most sophisticated criminal or state-sponsored threat actors. As one of only four companies involved in the Cyber Incident Response (CIR) pilot scheme launched last year, Context had to pass further rigorous examinations of its cyber incident response skills, experience and methodologies before being given approval by CESG and CPNI to carry out work on their recommendation as part of the full CIR scheme.

Context has also developed a range of powerful security testing and forensic tools, including Canape, a network testing tool for arbitrary protocols but specifically designed for binary ones. It contains built-in functionality to implement standard network proxies and provides the user with the ability to capture and modify traffic to and from a server. Its main strength is reducing the amount of development effort usually associated with effectively testing a new protocol.

For more information about Context, visit www.contextis.com

James Forshaw scoops $100,000 bounty

In November, James Forshaw, head of vulnerability research at Context, became the first recipient of a Microsoft $100,000 Bounty for New Mitigation Bypass Techniques. The bounty program was one of three introduced by Microsoft in June this year to pay for techniques that bypass built-in OS mitigations and protections, for defences that stop those bypasses, and for vulnerabilities in Internet Explorer 11 Preview.

CSIR Procurement Guide

The Cyber Security Incident Response Procurement Guide is now complete and has been sent out to all member companies, along with a separate brochure that acts as an introduction to the main guide. If you are not a CREST member company but would like a copy, please email elaine.luck@crest-approved.org or request one through the website and we will send you a copy free of charge. This offer is also available for the Penetration Testing procurement guides. These are an excellent resource for member companies to distribute to their clients, or for organisations establishing a cyber incident response capability, developing a penetration testing programme or preparing an invitation to tender. A PDF version is also available and we will shortly be publishing e-book versions.

Following the extensive research project, CREST's Procurement Guide for Incident Response services will help improve the purchasing process for current and potential buyers of CSIR services and help organisations to meet all the requirements for responding effectively to a cyber security incident. In summary, the guide helps to:
- Define what cyber security is
- Compare different types of attack
- Analyse the anatomy of a cyber security attack
- Summarise the main challenges in responding to incidents
- Show how organisations can take a structured approach to CSIR
- Outline how organisations can determine their own state of risk, capability and readiness
- Explain how employing expert professional suppliers of CSIR services enables a faster and more effective response
- Highlight what to look for when selecting a supplier and what questions to ask internally
- Demonstrate how to implement good practice

The guide has been written for IT or information security managers and cyber security specialists. It will, however, be of interest to a much wider audience, such as business continuity experts, business managers, risk managers, procurement specialists and auditors, which is why we also developed the separate introduction to the guide.

Getting to Know You

Name: Zia Rehman
Company: Perspective Risk
Job Title: Senior Security Consultant

What was your first role in information security and how did it come about?
After leaving university I was employed as a Penetration Tester for BT Syntegra. I knew I wanted to work in information security after developing a keen interest in cryptography, and penetration testing seemed a good place to start.

What degree or other qualification (if any) did you do and how did it help get you into info security (if at all)?
My degree was in Physics, which I think helped quite a lot, particularly with regards to penetration testing. It helps to develop a methodical and meticulous approach, which I believe has been invaluable throughout my career.

What has been your biggest professional achievement to date and why?
Setting up a CREST Approved penetration testing company has been both the most challenging and the biggest professional achievement to date. It has not only meant keeping up to date with the latest information security, but also becoming well versed in the day-to-day running of a business.

What is your best advice to anyone entering a career in info security?
I would have to say variety. Try and get as much experience in every facet of the field before becoming more specialised. Being well versed in a number of information security disciplines will not only help your career progression but will make you a more well-rounded security professional.

What surprised you the most when you started working in this field?
What surprised me was how much work goes into keeping up to date with the latest information security developments. There are a large number of very talented and committed professionals in this industry and it takes a great amount of time to keep at the cutting edge.

What is your claim to fame?
Once tried to drive to Australia - did not go as planned!

What is your biggest weakness?
Interview questions!

White Hat Rally: the Rise of the Dark Net

This year's White Hat Rally - Rise of the Dark Net - will take place from 19th to 21st September, moving through France, Belgium and the Netherlands. Teams of information security professionals will be getting together to decipher the route, participate in spooky activities and solve ghoul-themed challenges. The puzzles will also challenge the participants on their information security knowledge and skills. But as well as having fun, the purpose of the annual event is to raise money for Barnardo's to help their work with vulnerable children and teenagers. Last year's rally raised an amazing £43,341 and a cheque was presented to Barnardo's at the 2014 Rally launch event on 21 January. The White Hat Rally committee are looking for as many teams as possible to register for this year's rally at www.whitehatrally.org so they can continue to support Barnardo's work.

Tell us what you want to see...

We are always looking for new and interesting content for Script, so if you have something you want to shout about, a topical issue you want to discuss or just something you want to get off your chest, please get in touch. You can send your company news and article ideas to crest@prpr.co.uk or call Allie Andrews on 01442 245030 to discuss, and we will look at including it. Also, please let us know if you would like to be featured in the Getting to Know You section or would like your company to be profiled.

522 Uxbridge Road, Pinner, Middlesex, HA5 3PU. CREST is a not-for-profit company registered in the UK with company number 06024007.