The Script: THE NEWSLETTER KEEPING YOU CONNECTED WITH CREST. June 2013. Cyber Security Incident Response.


The Script
June 2013
THE NEWSLETTER KEEPING YOU CONNECTED WITH CREST

Cyber Security Incident Response

Also Inside
Update from Ian Glover
CRESTCon & IISP Congress
CRESTCon from another perspective
Updated Membership process
Cyber Security Incident Update
New Members
CCP Scheme update
LIAG is recruiting
Getting to know you
Member focus
Happy Birthday CREST CCIAS

AN UPDATE FROM IAN GLOVER

It has been a busy few months since the last newsletter, with new members on board (see page 8) and more on the horizon. CREST is certainly getting its name on the map and going from strength to strength in 2013.

Our first joint event with IISP, CRESTCon & IISP Congress, was a great success and it was wonderful to see so many of you there. We are already starting to look at next year's event, so thank you to everyone that provided us with feedback. You can rest assured we are taking it all on board in the plans for 2014. We were pleased that almost unanimously people could see the benefit in having a joint event and one of the things we are looking at for next year is ways to have more integration between the streams. My personal thanks to everyone involved in making sure the event ran smoothly.

Our work with Cyber Security Challenge continues. CREST helped with the Face-to-Face finals set up for Bristol in March, which involved helping with the prize pool and how it should be allocated. It was great that 40% of the 30 finalists requested CREST examinations or attendance at our conference as their prize.

It is good to see CREST's social media activities increasing: Twitter followers are growing every day and conversations are increasing.

The Penetration Testing Procurement Guides are now available; all member companies should have received a copy by now. They were also made available to all those who attended CRESTCon. Additional copies are available on request: email adriana@crest-approved.org. These guides are designed to help the buying community define a structured test programme and to assist them to construct invitations to tender that have meaningful and relevant selection criteria.

The project to create a Cyber Incident Response guide is underway; more on this on page 7.

CREST has continued its work with eskills on professional development pathways and training initiatives. The learning objectives, based on the CREST syllabus, have also been distributed for consultation and training course assessments will begin very soon.

We are already seeing a wide range of CVs from students looking for internship opportunities. If you would consider taking on a student please make sure that your details are registered with CREST. We have been asked by BIS and IAAC to participate in a wider initiative. The results of this will be used to form the basis of a programme that will provide a stronger link between students and employers.

Changes have been made to the academic partner programme to incorporate CRESTX. This will be an online resource that enables partner universities to use material from CRESTCon to run their own conferences. They will also film their own content at the event and make it available on the CREST YouTube channel to other academics. A number of universities are on board and the feedback has been that we are the only organisation that really understands educational needs and provides tangible benefits for the students.

Membership continues to grow as more companies recognise the benefit of membership and we have closer links to the buying community. Membership in Australia is also increasing. There is a great deal of interest in the Cyber Security Incident Response membership category, from both members and influencers, and there is significant pressure to provide this by the buying community. CREST is also leading discussions on the definition of the Senior Cyber Security Incident Response role.

All of the CREST examinations are increasing in popularity, as people continue to view them as important milestones in their careers. The Security Architect exam is very popular and is seen by many as being the most relevant technical qualification in this area.

Sincerely,
Ian Glover
CREST President

CRESTCon & IISP Congress

The first joint CRESTCon & IISP Congress was a great success and we are already looking at how we can build on this first event to make it even better value for you next year. Delegate numbers hit 300 and feedback has been extremely positive. If you haven't already filled out the online feedback form, which also gives you the opportunity to make suggestions for next year, there is still time to do so at https://www.surveymonkey.com/s/bmt5wfl.

Videos of most of the speakers talking about their presentations, along with interviews with Ian Glover and Alastair MacWillson, are available to view now on the CREST Advocate YouTube channel: http://www.youtube.com/crestadvocate

Pictures can be found at www.flickr.com/photos/crestadvocate/

"Excellent choice of speakers, very well delivered"

A big thank you to all of the speakers and, of course, to the event sponsors HP, PerspecSys, Nettitude, Activity, Security Alliance, PwC, LIAG, Gotham Digital Science, Cyber Security Challenge, Symantec, Semafone, IET, Royal Holloway, Liverpool University and White Hat Rally. Without you it wouldn't have been possible.

And most of the presentations from Stream 1 are now online:

Jamie Riden, PTP, Honeynets
http://www.crestcon.co.uk/presentations/jamieriden.pdf

Melissa Augustine, McAfee, Memory Forensics
http://www.crestcon.co.uk/presentations/MelissaAugustine.pdf

Jermaine Ellis, GDS, P0wining click cycles
http://www.crestcon.co.uk/presentations/JermaineEllis.pdf

Kevin O'Reily, Context, A cloud of bugs
http://www.crestcon.co.uk/presentations/KevinOReily.pdf

Andy Davis, NCC Group, To dock or not to dock
http://www.crestcon.co.uk/presentations/AndyDavis.pdf

"A good idea to combine IISP and CREST - much greater variety of presentations, covering both technical and information assurance aspects"

By the next issue of The Script, we should have a date for your diary for CRESTCon & IISP Congress 2014 and it won't be long before the call for papers goes out. In the meantime, if you are interested in presenting or sponsoring next year you can contact crest@prpr.co.uk

"Very good considering it was the first joint session. Good synergy between both organisations"

CRESTCon from a student perspective

A couple of months ago, there was an email sent out looking for students to attend CRESTCon and film the event. As a student doing a degree in Cyber Security this looked like a great opportunity - free entry to a conference full of people in the industry I'm studying to go into, and an excuse to ask them what it is like to work in the sector day-to-day!

To my surprise, I found that on film everyone who we interviewed said they loved the job, but admittedly hated the reporting. Not a surprise there, I suppose. What stood out to me though was the enthusiasm for the job; everyone who I spoke to sounded just as enthusiastic about their job even after the camera stopped rolling. This was pretty inspiring, especially for me as I start out in the industry.

The interviewing and general filming made for a good day's work so whenever I got the chance to sit down and listen to a few seminars it was great to hear interesting talks, and especially to listen to some of the questions raised at the end of them.

Thanks to Ian and the rest of the CREST & IISP team for inviting us students, and to all the people we interviewed - I hope to meet you again in future!

Ben Harris, Staffordshire University

The CRESTCon & IISP Congress Seminar took place on 20 March in London and was my first information security seminar. The opportunity to attend was perfect because my area of interest is Web and Cloud Penetration Testing and CREST is the UK information security standard. I decided to volunteer because it would enable me to contribute in my own small way, as well as provide ample opportunity to network.

On the day of the event I was filled with a mixture of butterflies and nerves! Butterflies because I was going to actually be able to talk with professionals already working in these fields, which is priceless, and also provide an opportunity to see what I was studying in action. I was nervous because I was worried that I might end up finding the event too technical for my level of knowledge, or even worse, dull.

I am happy to say that the event turned out to be more fascinating than I imagined, and a number of the themes covered in the day-long seminars covered topics that interested me, which was an added bonus. What I gained most from attending the event was the opportunity to see that you don't have to be a total techie to be in this industry and the positive career guidance that I received. I left the event feeling more passionate about information security and focussed on completing my studies.

Tayo Oshinowa

Membership process gets an update

CREST mission statement: "To serve the needs of a global information security marketplace that increasingly requires the services of a regulated and professional technical security industry"

Historically, CREST has provided services to benefit the penetration testing sector, but as the industry evolves, driven by the changing threat landscape, CREST is rising to meet these new challenges by expanding its services. The first of these focuses on Cyber Security Incident Response (CSIR).

In order to ensure that the CREST membership criteria applied to potential CSIR members were sufficiently robust, we consulted the industry and devised a suite of relevant questions to provide a clear indication of what good looks like from the perspective of a company providing services in this area. This exercise also provided an ideal opportunity to review the entire content of the membership application form and to bring it in line with current requirements. The consultation is now complete and all potential new members will be sent the new version of the form.

We have also looked at the renewal process for company membership. It has always been the case that on renewal, CREST members are invited to re-submit their application, principally to ensure that our records are up to date. But this is a laborious process, so we have listened to your comments and devised a substantially reduced form to complete on renewal. This will ask you to submit only the information that is likely to have changed (points of contact, quality accreditations, etc.), together with validation that important aspects, such as the codes of conduct, are being complied with. We are confident that it will be a much quicker and simpler process.

If you provide cyber security incident response services, please request a copy of the new application form from Adriana. There is already a great deal of interest from the buying community and a number of key influencers, so early adoption will provide a significant differentiator in the market place. If you would like early sight of the renewal form to allow you to prepare in advance, please also ask for a copy from Adriana.

CSIR membership is only the start of further planned expansions, which you'll read about in future editions of The Script.

Cyber Security Incident Response project update

Work is progressing well on the Cyber Security Incident Response guide, with much of the initial research completed. This includes desktop research using a wide range of information resources, telephone interviews with key stakeholders (CREST Members, academia, CESG, CPNI and ENISA) and responses to the project questionnaire. The results of all this research have been analysed to create the initial high-level project findings. Key issues and requirements were also discussed further at the project workshop that took place recently.

Through the research, it is clear that consumer organisations in particular would like a Cyber Security Incident Response guide to help them to gain senior management support to establish a cyber security incident response capability and learn how to be better prepared for an incident.

To give you a flavour of the findings, project research has indicated that consumer organisations believe they will gain the most assurance from outsourcing incident response activities to CREST Members because they will:

- Use staff who act in a professional, ethical manner, according to a code of conduct
- Provide reliable, effective and proven cyber security incident response services
- Be up to date with the latest cyber threats, adversaries, techniques and countermeasures
- Respond to cyber security incidents in a fast, effective manner
- Provide advice on how to reduce the likelihood of a similar incident taking place
- Protect client information and systems both during and after the event
- Keep the investigation itself confidential
- Have achieved the highest possible standards in cyber security incident response
- Adhere to processes and procedures that have been subject to independent vetting.

New Members

Digital Assurance

Digital Assurance is an independent vendor-neutral security consultancy founded in 2006 by experienced security professionals to bring comprehensive, effective and flexible information security services to market. The company develops and delivers a range of security testing, information assurance and security training products and services to reduce the cost and complexity of mandatory and regulatory compliance for clients. These range from large blue-chip multi-nationals through to government agencies. Digital Assurance also takes an active role in the security community, conducting research on emerging technologies, exposing vulnerabilities and developing the security tools necessary to combat these threats.

"For us, and our clientele, CREST accreditation is one of the hallmarks that embodies security best practice in ethical hacking and penetration testing," said Mark Osborne, executive director, Digital Assurance. "Achieving CREST certification as a security consultancy testifies to our established technical expertise and validates the quality of our testing across the business. CREST is rapidly emerging as a key standard by which information security testing companies want to be measured and we're delighted to be part of the scheme and make contributions to help shape the CREST standards as they develop in the future."

Digital Assurance has delivered security assessments, products and services to many of the world's largest organisations spanning the financial, petrochemical, retail, government, communications and defence industries.

http://www.digitalassurance.com

Cyberis

Cyberis is an independent information security consultancy, providing a wide range of services. From simple vulnerability assessments to in-depth targeted attacks, Cyberis helps identify and manage technical risks in systems and applications before they become a threat to the organisation.

"Cyberis is committed to providing high quality services and we are proud to be members of the CREST community," said Geoff Jones, director at Cyberis. "Our membership of the CREST scheme underlines our commitment to providing professional and comprehensive services to our clients."

Cyberis is able to assist in all information security requirements, including standard penetration tests, bespoke system assessments, staff training, incident response, network analysis and the creation and implementation of tailored information security management frameworks. Cyberis is also a company of the CESG IT Health Check Service.

http://www.cyberis.co.uk

CCP Scheme Update

Since the introduction of the new CESG Certified Professional scheme (CCP) last year, the IISP and CREST partnership has issued over 550 CCP Certificates, covering a majority of the CCP defined roles and across all three levels. We particularly want to congratulate John Hughes of Infosec Skills, who has achieved 3 Lead levels, which includes the IA Architect Role where John successfully passed the CREST CESG Certified IA Specialist (CCIAS) examination.

A new version of the CESG Certification for IA Professionals is expected to be released around June 2013 and will include a Pen Testing role.

Avoiding the pitfalls

We would like to take this opportunity to point out a few of the common problems we are seeing when individuals are completing the IISP CCP Application form, which inevitably delays the process. The first thing we advise is that you read the Guidance documents:

- CESG Certification for IA Professionals, which is available from the CESG CLAS web pages or the IISP How to Apply or FAQs web pages.
- IISP CCP Guidance for completing your application form, available from the IISP members area of the IISP website.

Part 1 of the IISP CCP Application form will ask you to confirm you have read the documents. The key elements are the Role definitions, including the Role Headline Statement; the table listing the competency levels; and Annex A, which provides information in relation to the Skill Definitions.

The Role Headline Statement has to be inserted in a box at the start of Part 3, but often the wrong wording is inserted. The Role Headline Statement can be found under the Green Role Heading in bold. For example, the following is for the Practitioner: "Represents security requirements in the design and implementation of IS architectures"

The right skills

For every role applied for we require at least two pieces of evidence for every skill group. This should provide sufficient detail to show the what, how and why you did something. Alternatively we recommend use of the STAR Model (Situation, Task, Action, Result) as this provides the Assessor with the detail they are looking for to establish that you are competent to do the role at the level being applied for. We are also looking for you to insert your self-assessed competency level for each of the Skill Groups and these should match or exceed those listed in the CESG Certification for IA Professionals.

Assessors, interviewers and processing time

All of our IISP Interviewers give up their own time unpaid to conduct the assessments and interviews. Due to the requirement put on us by CESG that we have to use individuals who have achieved CCP Certification in the role they are assessing or interviewing, it does mean that processing time of an application can take 12-14 weeks to complete. However, as the process becomes more established and more interviewers meet the criteria this period will be reduced.

CLAS Scheme

Achieving CCP Certification is just one of the prerequisites for CLAS and you will still need to apply via CESG if you wish to become a CLAS member. If you are an existing CLAS member, ensure you get your application in in plenty of time to complete the process and meet CESG's deadline.

Further Information

For more detail on the CCP Scheme in general contact ccp@iisp.org or, for details of the CCIAS Examination for the IA Architect role which is required for Senior and Lead applications, contact Adriana at adriana@crest-approved.org

LIAG is recruiting

The Land Information Assurance Group (LIAG), Royal Corps of Signals, is a Specialist Territorial Army unit that provides Information Assurance and IT security skills to the Ministry of Defence in support of its armed forces. LIAG was established in 1999 to recruit experienced IT security professionals into the Royal Signals. The unit recruits nationally and each officer has an annual minimum commitment of 19 days. LIAG's Officers perform specific tasks throughout the UK, overseas and in support of current military operations in Afghanistan.

LIAG is currently recruiting technical specialists with 10 years' practical experience in a security discipline:

- Web Application Testing
- Database Security Testing
- Network Traffic Analysis
- Computer Forensics
- Penetration testing
- Incident Handling
- Firewall configuration
- Wireless Network Scanning
- Intrusion Detection Systems

Selection Process

Suitably qualified and experienced applicants are invited to attend a LIAG Initial Selection Board, held over a weekend, which comprises:

- Presentation on an IA subject;
- Fitness test;
- A group team building task;
- A Technical Test;
- An interview by the Selection Board

If successful, candidates then go on to the Army Officer Selection Board at Westbury, Wiltshire.

Application Process

If you are ready for the responsibility of becoming a Territorial Army Officer, and meet the following criteria:

- Hold British Citizenship; if a Commonwealth Citizen, 5 years' residence in the UK;
- Have in excess of 5 years' practical IT security experience;
- Hold a professional IT security qualification;
- Are prepared to undergo military training;
- Serve at least 19 days per year;
- Are willing to undergo Her Majesty's Government Security Clearance;
- Are medically and physically fit

Then send your CV with a covering letter by e-mail or post to:

LIAG SO2 Recruiting, CVHQ Royal Signals, MoD Corsham, Westwells Road, CORSHAM, Wiltshire, SN13 9NR
E-mail: CVHQRSIGNALS-GROUPMAILBOX@mod.uk
Tel: 01225 847377

Getting to know you

Name: Elaine Luck
Company: CREST
Job Title: Operations Manager

What has been your biggest professional achievement to date and why?
I spent 28 years with the then leading trade association in the defence and public security sector. I started off as a secretary and took on various promotions culminating in the last 17 years as a Director and Company Secretary. It is a very male oriented industry and I was chuffed to have got to the level I did!

What are the biggest challenges in your new role at CREST?
At the moment it's knowledge, volume and priorities! There's just so much to do and I really love it, but it's hard sometimes to know which priority is higher than another!

Where do you see yourself in 5 years?
I'd love to still be working for CREST and to have become the go-to person. There's a lot for me to learn before I get to that position but hopefully I'll get there.

How do you see the industry developing in the future?
I believe that the information security industry will expand, commensurate with the world's passion and hunger for evermore smart and interactive information technology. In parallel, I can only see CREST expanding to match the increase in threats and I look forward to being a part of it and helping to expand CREST's sphere of influence.

And finally. Do you have any pets?
I have an absolutely stunning bearded collie (beardie) called Ollie. He's our fourth and has the most beautiful character. Quite a chore to groom as he's full-coated, but I'm qualified so it's easier and so worth it. Just gorgeous!

Member focus: IRM

Founded in 1998 by CEO Charles White and Managing Partner David Cazalet, IRM is a founding member of CREST and has witnessed the severity and societal impact of cyber threats increase dramatically over the years. The company provides a range of consultancy services in Technical Assurance, Incident Response and Governance, Risk and Compliance, as well as GRC and audit solutions through its software company, Onformonics, and an innovative network forensics tool called NetFACTS.

IRM also delivers an extensive portfolio of training courses to both business teams and individuals. Training future Infosec professionals and furthering the knowledge and skill set of the current information security community is extremely high on the company's agenda. IRM's training courses are aimed at introducing talent into the industry and facilitating career progression and knowledge sharing.

Charles says, "All of our courses are taught by practicing consultants. This was a conscious decision, as we wanted to ensure that anyone attending an IRM training course is taught by the experts and has the opportunity to ask a wealth of questions, gather as much information as possible and network. 'Those who can't, teach' is a phrase that doesn't translate well into our industry."

IRM's Consultancy Director, Paul Midian, sits on the CREST Board and most recently appeared at CRESTCon as a compere. Paul says, "CREST pulls together a variety of organisations and has enabled the wide range of security testing and technical companies in the Infosec industry to act and be viewed as a professional entity. The benefits of being a member company are huge: clients have confidence in the accreditation, the industry remains cohesive, we maintain high standards of professionalism, educate and advise students; I could go on and on! I can recall almost 10 years ago when representatives from pretty much all of the companies providing technical security services got together to discuss the need for professionalism and checks and balances within the industry. With a membership now exceeding 35 companies, and CRESTCon a regular fixture, it is incredible to think how far CREST has come since that first meeting."

IRM wins an SC Award

IRM has won the Information Security Consultancy Award at the SC Awards Europe 2013. Charles White said, "In a challenging economic climate, matched only by the challenges of defending our customers against the daily torrent of new cyber threats, this award is testament to the skill and loyalty of IRM's staff. After 15 years of providing innovative advice to our customers, winning this hotly contested award is a clear endorsement of our leading position in the cyber security marketplace. I'm genuinely touched to have won this."

Happy first birthday to the CREST CCIAS exam

As the CREST CCIAS (CESG Certified IA Specialist) exam reached the end of its first year, we conducted a review. The purpose of this was to check that it has proved appropriate for the audience and that the candidate preparation provided enough detail. We also wanted to establish how the exam had been received by candidates and whether the pass mark and pass ratio provide us with confidence in the results, alongside a general look at all the candidate feedback.

The results of the review were positive. The exam has been well received by candidates and considered to be at the right technical level. At present, the pass ratio is 73%, which is a reasonable reflection of the high quality candidates who have been through the exam to date. The exam passes also match up well with the results of the IISP supplementary interview process.

Negative comments about the exam were very much in the minority, but have been taken into account. For example, some weaknesses in the information provided to candidates for exam preparation have been identified and the documents are being updated as part of this process.

522 Uxbridge Road, Pinner, Middlesex, HA5 3PU. CREST is a not for profit company registered in the UK with company number 06024007.