Certifying Australia's best pen testers

An alliance of top security professionals across Australia and New Zealand is planning to introduce certifications that will split the penetration testing industry in two. Darren Pauli investigates how this effort attempts to separate the sector’s wheat from the chaff.

This article first appeared in SC Magazine's March edition

Penetration testing is a mystery to many businesses. Organisations seek ethical hackers to identify vulnerabilities in their systems before criminals do, but they often can’t see the line that separates a green tester from a veteran.

Price isn’t a reliable indicator of quality, nor is the size of a pen testing business. And because inexperienced testers can impress clients by breaking into some systems, substandard tests may appear good – at least until the client is hacked.

Now a group of security professionals, industry personalities and customers from both sides of the Tasman want to identify skilled penetration testers with the CREST (Council of Registered Security Testers) certification, founded in Britain in early 2008.

To earn it, testers will have to pass a gruelling hacking test and may pay thousands for the privilege. In return, CREST Australia promises to promote certified professionals to the country’s largest and wealthiest corporations as the best in the business, able to seek out every nook and cranny that hackers might use to steal sensitive data and cause chaos.

CREST Australia has bold objectives, hopeful supporters and quiet critics. Its supporters are influential, and include some of the most experienced and successful penetration testers, wealthy corporations and the Australian Federal Government.

The non-profit group began taking shape some years ago through informal conversations within security industry circles but it only came to life late last year when its then-unofficial board was formed. That board pitched the certification to CERT Australia, an information security clearing house within the Federal Attorney-General’s Department, which offered to bankroll the initiative.

CREST Australia was registered with the Australian Securities and Investments Commission on 15 February.

When it launched in 2008, Britain’s CREST had 15 member organisations, including Ernst & Young and the British National Health Service (NHS). At the time, a CREST advisor from the NHS described it as a means to ensure organisations avoided “getting someone off the street who ends up crashing the system”.

By September last year, CREST had become the official certification body of the Communications-Electronics Security Group (CESG), the British Government’s information assurance authority. CESG is responsible for supplying penetration testers for the most sensitive jobs – those classified up to ‘Secret’ – for government agencies, the military, law enforcement and critical national infrastructure providers such as energy and water utilities. Britain now has some 28 CREST-certified organisations.

The Australian Attorney-General’s Department did not return repeat phone calls and emails to discuss its support of CREST Australia. The value of the Federal Government’s monetary contribution is unknown, and it was yet to be issued at the time of writing.

CREST testers are likely to appeal to the department’s CERT Australia, which is positioned as an information-sharing hub and data breach guardian of the same high-end and critical infrastructure organisations that the certification is designed to target.

“Where I see CREST positioned is to companies who may be targeted by pretty sophisticated criminals or nation states. Those companies have a position in our economy, so that if their security is poor, it is bad for the country,” CREST Australia chief executive officer Alastair MacGibbon says. “That is ultimately where the government will be most interested.”

CREST Australia will serve the top-end of town, MacGibbon says, describing big ASX-listed and private companies that are prepared to pay good money for the right test, and not to the numerous basement pen testers. “They want more assurance of the quality and skills of pen testers, and the ethics of the companies they work for,” MacGibbon says.

Paul McKitrick, chair of the New Zealand Internet Task Force that houses the working group to establish CREST New Zealand, agrees. “We are concerned that as the information assurance space grows, new players will enter and the high standard of the current market won’t be maintained. We are fortunate to have some quality boutique firms with talented people and we want that level to be maintained.”

Copyright © SC Magazine, Australia