This article first appeared in SC Magazine's March edition
Penetration testing is a mystery to many businesses. Organisations seek ethical hackers to identify vulnerabilities in their systems before criminals do, but they often can’t see the line that differentiates a green tester from a veteran.
Price isn’t a reliable indicator of quality, nor is the size of a pen testing business. And because inexperienced testers can impress clients by breaking into some systems, substandard tests may appear good – at least until the client is hacked.
Now a group of security professionals, industry personalities and customers from both sides of the Tasman want to identify skilled penetration testers with the CREST (Council of Registered Security Testers) certification, founded in Britain in early 2008.
To earn it, testers will have to pass a gruelling hacking test and may pay thousands for the privilege. In return, CREST Australia promises to promote certified professionals to the country’s largest and wealthiest corporations as the best in the business, able to seek out every nook and cranny that hackers might use to steal sensitive data and cause chaos.
CREST Australia has bold objectives, hopeful supporters and quiet critics. Its supporters are influential, and include some of the most experienced and successful penetration testers, wealthy corporations and the Australian Federal Government.
The non-profit group began taking shape some years ago through informal conversations within security industry circles but it only came to life late last year when its then-unofficial board was formed. That board pitched the certification to CERT Australia, an information security clearing house within the Federal Attorney-General’s Department, which offered to bankroll the initiative.
CREST Australia was registered with the Australian Securities and Investments Commission on 15 February.
When it launched in 2008, Britain’s CREST had 15 member organisations, including Ernst & Young and the British National Health Service (NHS). At the time, a CREST advisor from the NHS described it as a means to ensure organisations avoided “getting someone off the street who ends up crashing the system”.
In September last year, CREST became the official certification body of the Communications-Electronics Security Group (CESG), the British Government’s information assurance authority. CESG is responsible for supplying penetration testers for the most sensitive jobs – classed up to the ‘Secret’ classification – for government agencies, the military, law enforcement and critical national infrastructure providers like energy and water utilities. Britain now has some 28 CREST-certified organisations.
The Australian Attorney-General’s Department did not return repeat phone calls and emails to discuss its support of CREST Australia. The value of the Federal Government’s monetary contribution is unknown, and it was yet to be issued at the time of writing.
CREST testers are likely to appeal to the department’s CERT Australia, which is positioned as an information-sharing hub and data breach guardian of the same high-end and critical infrastructure organisations that the certification is designed to target.
“Where I see CREST positioned is to companies who may be targeted by pretty sophisticated criminals or nation states. Those companies have a position in our economy, so that if their security is poor, it is bad for the country,” CREST Australia chief executive officer Alastair MacGibbon says. “That is ultimately where the government will be most interested.”
CREST Australia will serve the top end of town, MacGibbon says, meaning big ASX-listed and private companies that are prepared to pay good money for the right test, not the numerous basement pen testers. “They want more assurance of the quality and skills of pen testers, and the ethics of the companies they work for,” MacGibbon says.
Paul McKitrick, chair of the New Zealand Internet Task Force that houses the working group to establish CREST New Zealand, agrees. “We are concerned that as the information assurance space grows, new players will enter and the high standard of the current market won’t be maintained. We are fortunate to have some quality boutique firms with talented people and we want that level to be maintained.”