The security industry seems to be broadly polarised by the Attorney-General's recent announcement of the formation of CREST Australia (Council of Registered Ethical Security Testers). For those who have not kept pace with this piece of news, CREST Australia has been chartered by the AG's office to certify the competency of penetration testers within Australia. Now, I've spoken with quite a few people and I am quite surprised at the variety of responses—particularly from people I would have expected to endorse it.
Looking at it from both sides, many penetration testers have a range of concerns with the idea of any kind of certification. There is potential for a certification to test only a minimum level that may be inadequate, or a lack of rigor in the testing to ensure that it remains of a high standard. Additionally, many feel—particularly long term practitioners in this field—that it is not for non-practitioners (or individuals of lesser skill) to evaluate their competency. There are also accusations that CREST Australia will become another cash cow, monopolising penetration testers and forcing them to cough up if they want to continue operating. This leads to the question of costs associated with such certification, and who should pay for it, not to overlook perhaps the greatest concern—what is the impact on my livelihood if I refuse? Quite rightly, each of these concerns has a degree of validity, and they raise many questions that CREST Australia, in conjunction with the AG's office, will need to address.
However, it’s important to remind ourselves of the reasons we've even reached this point, I think many people forget. For a long time, there have been many hucksters and spruikers selling port scans and vulnerability assessment tools as "penetration testing".
To date there's been no common benchmark agreed to by the industry about what is the definition of a penetration test, what tools and methods will be used, and the proposed impacts and outcomes of the testing. This lack of commonality means it is very much a case of "caveat emptor". Some buyers are highly educated (banks typically lead the way) while others are not. There's also been fierce debate about the competency of individual testers, and so different organisations have constructed a variety of different tests to evaluate their competency. So, it comes as no surprise that the people most keenly aware of these issues, those facing the greatest challenge in hiring reputable penetration testers, are those most fiercely advocating this accreditation.
A good friend of mine—a management consultant, trainer and performance expert—once explained that the purpose of certification is not to ensure that those who pass are perfect, but rather, to a establish a median to which people who pass fall within a relatively narrow standard of deviation. In other words, the goal of the certification should be making sure the accreditation scheme establishes a reasonable minimum expectation of competency. However, anecdotal reports (of which there are few, owing to non-disclosure agreements surrounding the UK scheme) suggest that the test aims to put the individual against the clock, while restricting Internet access to see how they perform. But is this a suitable gauge of competency?
It's all too premature at this stage. But if CREST accreditation, as it is performed in the UK, is anything to go by, it will mean a major shakeup of the industry. Applying a tax (which is effectively what this will become via a de-facto industry standard) means that individuals and companies will need to pay it. While some have argued that they can still sell penetration testing and not be accredited, the industry will gravitate towards the standard. And while banks and government will be the first clients to demand CREST accreditation of testers, eventually so will other clients. The trend has revealed itself to be true time and time again, with multiple certification schemes both within IT and outside of it mimicking this characteristic.
Ultimately, costs will be passed on to clients. Firms which are unable to raise the money to win certification, or pass the cost on to customers will close their doors, resulting in a reduced supply of penetration testing services. Similarly, penetration testers who are selling nmaps or Nessus scans as pentests will ultimately realise they have no chance of passing and choose not to undertake the accreditation. This is especially true for small shops consisting of a one or two man operations playing across everything within IT. Truth be told, the local market for penetration testing within Australia is actually quite small already. And when you consider the impact of reducing that subset further, and the relatively small list of individuals capable of passing it, it means that increased costs and reduced supply will create a new price equilibrium. My prediction is that in the long term, this means a higher pay grade for penetration testers that pass the accreditation.
On the other hand, we all expect that our doctors, surgeons, mechanics, electricians and other tradesmen are appropriately qualified. After all, we wouldn't want someone who has never even stood in an operating theatre performing open heart surgery on a family member. Do you really trust that penetration tester to evaluate the security of your main e-commerce portal? Why? Is it wrong to expect a minimum level of skill from our own profession like we do from every other? To suggest otherwise smacks of hypocrisy.
These are all just signs of an industry that is still very much in its infancy,. It highlights just how far we all have to go. This certification can be a good thing, but the burden will ultimately rest on the participants if the certification is to e shaped into something of value.
Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint
Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.
Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation
CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)
Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana