Oz ethical hackers to be set professional standards

Alastair MacGibbon appointed CEO of CREST Australia

Penetration testing, also known as "pentesting" or "ethical hacking", took a step away from its sometimes unruly reputation today with the establishment of an Australian branch of the Council of Registered Ethical Security Testers (CREST).

"CREST Australia will have the important role of establishing clear and agreed standards for cyber security testing," said attorney-general Nicola Roxon in a media statement.

"These standards will help the business sector be confident that the work conducted by IT professionals is completed with integrity, accountability and to agreed standards."

CREST Australia is affiliated with CREST Great Britain.

Individual members of that organisation must pass exams to validate their competence.

Currently CREST rates individuals as a CREST Registered Tester, or as holding one or both of two CREST Certified Tester qualifications, one for network testing and one for application testing.

Member companies must meet CREST's standards of management, integrity and accountability.

"By having this function performed by an Australian arm of a recognised body such as CREST, qualifications can be recognised internationally, promoting a recognised international standard," Roxon said.

While CREST Australia is an independent not-for-profit organisation, it will "work closely with Government", a fact reinforced by the media statement being tagged with an explanation of CERT Australia, Australia's official national computer emergency response team (CERT).

Alastair MacGibbon has been appointed as CREST Australia's first chief executive officer.

MacGibbon is well-known in the information security community. He was founding director of the Australian Federal Police's Australian High Tech Crime Centre, and director of trust and safety for eBay Australia & New Zealand.

He is currently director of the Centre of Internet Safety at the University of Canberra, as well as a consultant in the private sector through the Surete Group.

CREST is not the only certification body for penetration testers. Certifications are also offered by the Tiger Scheme, the SANS Institute and Offensive Security, amongst others.


3 Comments

This is a sad joke, right?

1

Talk about empire-building.

There are two types of people in our industry; the "doers", and the "big-noters".

The doers are the quiet, hands-on people who go about their work without big-noting, but achieving.

The big-noters are those you see on the conference circuit, talking the talk, signing books, giving tv interviews as "experts", but rarely, if ever, "doing".

It's a sad reality that it's often the big-noters that are appointed to positions of importance.

It is highly debatable that there is any need for a "CREST" certification. Surely the market is by far the most preferable way of deciding someone's worth in this industry, not some quasi-government body?

It is highly alarming that Mr MacGibbon and his fellow conference-circuit, book-signing buddies are now empowered to decide who is an ethical hacker & who is not.

I call on everyone in the Infosec community to lobby their MP to stop this sad joke immediately.

Matt

2

What a great post.....clearly you have an issue with Mr MacGibbon?

CREST CCT is the hardest and most sought after certification in the UK bar none.

I am not sure what conferences you have been to (if any) as the Defcons, Black Hats, ShmooCons etc have some of the brightest talents in the field presenting & talking about their research. You don't seem to make any distinction - so assume these are the 'big noters' you are referring to. Very misguided.

If no one was talking about what the industry is doing - do you think you would have a job?

PS CREST is not a quasi-government body either. Do some research.

Ric

3

The market isn't always right. CEH - need I say more?
CREST isn't just another cert, for one thing it forces your company to invest in your training.
The hands-on people are important. I used to be one. Then I realised the hands-on people have been doing the same thing over and over again, with very little improvement. To effect real change, sometimes you need to think more strategically.
