Certifying Australia's best pen testers

Powered by SC Magazine

An alliance of top security professionals across Australia and New Zealand is planning to introduce certifications that will split the penetration testing industry in two. Darren Pauli investigates how this effort attempts to separate the sector’s wheat from its chaff.

This article first appeared in SC Magazine's March edition

Penetration testing is a mystery to many businesses. Organisations hire ethical hackers to identify vulnerabilities in their systems before criminals do, but they often can’t see the line that differentiates a green tester from a veteran.

Price isn’t a reliable indicator of quality, nor is the size of a pen testing business. And because inexperienced testers can impress clients by breaking into some systems, substandard tests may appear good – at least until the client is hacked.

Now a group of security professionals, industry personalities and customers from both sides of the Tasman want to identify skilled penetration testers with the CREST (Council of Registered Ethical Security Testers) certification, founded in Britain in early 2008.

To earn it, testers will have to pass a gruelling hacking test and may pay thousands for the privilege. In return, CREST Australia promises to promote certified professionals to the country’s largest and wealthiest corporations as the best in the business, able to seek out every nook and cranny that hackers might use to steal sensitive data and cause chaos.

CREST Australia has bold objectives, hopeful supporters and quiet critics. Its supporters are influential, and include some of the most experienced and successful penetration testers, wealthy corporations and the Australian Federal Government.

The non-profit group began taking shape some years ago through informal conversations within security industry circles but it only came to life late last year when its then-unofficial board was formed. That board pitched the certification to CERT Australia, an information security clearing house within the Federal Attorney-General’s Department, which offered to bankroll the initiative.

CREST Australia was registered with the Australian Securities and Investments Commission on 15 February.

When it launched in 2008, Britain’s CREST had 15 member organisations, including Ernst & Young and the British National Health Service (NHS). At the time, a CREST advisor from the NHS described it as a means to ensure organisations avoided “getting someone off the street who ends up crashing the system”.

By September last year, CREST had become the official certification body of the Communications-Electronics Security Group (CESG), the British Government’s information assurance authority. CESG is responsible for supplying penetration testers for the most sensitive jobs – classed up to ‘Secret’ – for government agencies, the military, law enforcement and critical national infrastructure providers such as energy and water utilities. Britain now has some 28 CREST-certified organisations.

The Australian Attorney-General’s Department did not return repeated phone calls and emails to discuss its support of CREST Australia. The value of the Federal Government’s monetary contribution is unknown, and it had yet to be issued at the time of writing.

CREST testers are likely to appeal to the department’s CERT Australia, which is positioned as an information-sharing hub and data breach guardian of the same high-end and critical infrastructure organisations that the certification is designed to target.

“Where I see CREST positioned is to companies who may be targeted by pretty sophisticated criminals or nation states. Those companies have a position in our economy, so that if their security is poor, it is bad for the country,” CREST Australia chief executive officer Alastair MacGibbon says. “That is ultimately where the government will be most interested.”

CREST Australia will serve the top end of town, MacGibbon says, describing big ASX-listed and private companies that are prepared to pay good money for the right test, rather than the numerous basement pen testers. “They want more assurance of the quality and skills of pen testers, and the ethics of the companies they work for,” MacGibbon says.

Paul McKitrick, chair of the New Zealand Internet Task Force that houses the working group to establish CREST New Zealand, agrees. “We are concerned that as the information assurance space grows, new players will enter and the high standard of the current market won’t be maintained. We are fortunate to have some quality boutique firms with talented people and we want that level to be maintained.”

Copyright © SC Magazine, Australia