A guide to CREST penetration testing

When searching for a penetration test, you need to have complete confidence in the credentials of your chosen assessment provider. CREST accreditation is a good place to start – a ‘stamp of approval’ for a high-quality penetration test. But what does it mean to be CREST-approved, and what differentiates CREST penetration testing from other assessments? Read on to find out.

What is penetration testing?

Penetration testing (also referred to as pen testing) is a type of ethical hacking engagement designed to identify and address security vulnerabilities in networks, systems and applications. The scope and scale of a test will vary depending on the buyer’s requirements, but not all penetration testing companies work to the same standards, and there is an inherent risk in allowing a provider to access important assets and data.

A CREST penetration test is an assessment conducted by a CREST-registered penetration tester. CREST certification demonstrates that a pen testing company conducts and documents penetration testing in accordance with the highest legal, ethical and technical standards.

Who is CREST?

The Council for Registered Ethical Security Testers (CREST) is an international not-for-profit accreditation and certification body which represents and supports the technical information security market. CREST certification is an internationally recognised accreditation for organisations and a professional-level certification for individual penetration testers; it also covers providers of other services such as cyber incident response, threat intelligence and Security Operations Centre (SOC) services. To achieve CREST certification, companies must undergo a rigorous assessment of business processes, data security and security testing methodologies.

What is a CREST-certified company?

All CREST members are required to submit policies, processes and procedures relating to their service provision to CREST for assessment. Achieving and maintaining CREST certification is an ongoing process rather than a one-time step – member organisations are required to submit an application annually, with a full reassessment required every three years. Each CREST member company signs up to a binding and enforceable company code of conduct, a mandate that includes processes for resolving potential complaints.

Why choose a CREST-accredited pen testing provider?

“There are many benefits in procuring penetration testing services from a trusted, certified external company who employ professional, ethical and highly technically competent individuals. CREST member companies are certified penetration testing organisations who fully meet these requirements, having been awarded the gold standard in penetration testing, building trusted relationships with their clients.” – CREST

CREST-certified pen testing services provide assurance that the entire pen testing process will be conducted to the highest legal, ethical and technical standards. The CREST pen testing process follows established best practices in key areas such as scoping, reconnaissance, preparation, execution, technical delivery, reporting and data protection.

CREST penetration testing benefits

CREST-accredited pen testing offers several advantages, including:

1. Highly trained security experts
CREST penetration testing is carried out by, or at least supervised by, CREST-registered penetration testers. CREST-registered or certified penetration testers are required to pass a series of rigorous exams to prove their skill, knowledge and competence, and must re-sit them every three years. CREST pen testers also have to complete between 6,000 hours (CREST-registered) and 10,000 hours (CREST-certified) of professional pen testing experience.

2. Improved customer assurance
Organisations are often asked by their customers to demonstrate the security and safety of their confidential data. Using a CREST-accredited penetration testing provider enables them to prove that they are adhering to security best practices to protect that data. Commissioning a CREST member company may also provide a commercial advantage when bidding for contracts.

3. Supports regulatory compliance
A CREST pen test supports information security requirements such as the GDPR, DPA 2018, ISO 27001, NIS Regulations and PCI DSS. Some of these standards directly specify that a penetration test must be conducted, while others do so indirectly via the requirement to assess and evaluate the effectiveness of technical and organisational controls. Learn more about the requirements for penetration testing in our compliance guide.

4. Globally recognised accreditation
CREST is UK-based, but its accreditation is valid and recognised around the world. This provides valuable assurance for companies with a global presence or for those working with overseas customers. Using a pen testing provider which lacks accreditation, or whose certification is limited to the UK, may limit outcomes and credibility.

5. Up-to-date expertise
The threat landscape is in a state of flux, with new threats constantly appearing, so pen testing programmes need to keep pace. To ensure that adversarial knowledge is kept up to date, the organisational and individual CREST certification process is repeated periodically. Member organisations are regularly updated by CREST about the latest developments in technical information assurance and participate in member workshops and events.

Why choose Kroll for CREST penetration testing?

Kroll is an award-winning provider of cyber security penetration testing services, conducting over 100,000 hours of security assessments every year. With over 100 security qualifications, including CREST CRT, STAR, CC SAM and many more, we’re one of the most highly accredited security companies in the business. Our range of CREST penetration testing engagements helps organisations to effectively manage cyber security risk by identifying, safely exploiting and helping to remediate vulnerabilities. Our global team of pen testing experts has extensive experience of working with organisations of all sizes, across a wide range of industries. Our Chief Research Officer, Mark Nicholls, was awarded a prestigious lifetime CREST Fellowship Award in 2019 in recognition of his outstanding level of commitment to the profession and achieving the highest level of excellence in CREST examinations. In January 2020, Redscan became one of only a few organisations worldwide to achieve CREST SOC accreditation.

Top 5 penetration testing methodologies

Hidden vulnerabilities in an organisation’s computer networks, systems and applications can lead to significant security risks, but how do pen testers go about uncovering them? Penetration testing plays a key role in identifying and addressing vulnerabilities by simulating the behaviour of a potential attacker. A range of penetration testing methodologies have been developed to enable security professionals to achieve this safely and effectively. In this blog post, we discuss the leading pen testing methodologies, including OSSTMM, OWASP, NIST, PTES and ISSAF, what they involve and the aspects they cover.

Why are pen testing methodologies important?

As an ethical cyber security assessment that helps organisations strengthen their cyber security posture, penetration testing is a complex process with the potential, if poorly executed, to miss important vulnerabilities and leave an organisation exposed. Completing pen testing in alignment with structured frameworks and methodologies ensures that it meets specific goals and covers all the required areas. However, a one-size-fits-all approach to pen testing is not appropriate, as every organisation and environment is different.

Pen testing methodologies – the top 5

It’s important to carefully consider whether a pen testing methodology provides the appropriate level of assessment for your organisation. This is achieved by gaining an understanding of the main types of methodologies, which include:

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) aims to provide a scientific process for defining operational security, with the focus on verified facts. The OSSTMM covers the majority of the ten security domains identified by the International Information System Security Certification Consortium (ISC)². The domains are divided into five channels or security areas to enable organisations to assess how well their security processes function. Continuously updated, the OSSTMM methodology is peer-reviewed and maintained by the Institute for Security and Open Methodologies (ISECOM).

A key point to note about the OSSTMM is that it was developed as a security auditing methodology to assess against regulatory and industry requirements, rather than being intended as a standalone penetration testing methodology. It is intended as a basis for a pen testing methodology geared towards the required regulations and frameworks. This means it is not as comprehensive as, for example, the Information System Security Assessment Framework (ISSAF), and it doesn’t provide tools or approaches for completing modules. However, it is a valuable resource that can help organisations meet regulatory requirements when used by specialists with the right level of technical knowledge.

OWASP

Recognised by developers and security professionals around the world, the OWASP Top Ten outlines key vulnerabilities that affect web application security. It was created by the Open Web Application Security Project (OWASP), a not-for-profit foundation that supports organisations in improving the security of their web applications. First published in 2003, the OWASP Top 10 is updated every three years. It provides a hierarchy of the most common web application security issues to help organisations identify and address them according to prevalence, impact, method of exploitation by attackers, and ease or difficulty of detection.

OWASP pen testing covers the assessment of web applications to identify vulnerabilities outlined in the OWASP Top Ten. An OWASP pen test is designed to identify, safely exploit and help address these vulnerabilities so that any weaknesses discovered can be quickly remediated. The OWASP Testing Guide (OTG) is divided into three key sections: the OWASP testing framework for web application development, the web application testing methodology, and reporting. The web application methodology can be used on its own or with the testing framework, while the framework can be used to build a web application with security in mind, followed by a pen test (web application methodology) to test the design.

A key difference between OWASP and other penetration testing methodologies is that the OTG is solely focused on web application security throughout the whole software development lifecycle, unlike the ISSAF and the OSSTMM, for example, which are aimed at security testing and implementation. Another difference is that OWASP addresses controls while the OSSTMM does not.

PTES

The Penetration Testing Execution Standard (PTES) was created to offer a structured framework outlining what organisations should expect from a penetration test. As well as being one of the most recently developed pen testing methodologies, the PTES is argued to be one of the most comprehensive. Made up of seven main sections covering all aspects of a pen test, it aims to create a baseline for penetration tests that gives security practitioners and organisations a reference point for what to expect in relation to penetration testing requirements. It also seeks to give organisations and security service providers a common language and scope for performing tests.

A second version of the PTES is currently in development, with the aim of taking a more granular approach to the level of intensity at which each element of a penetration test can be performed. This will help organisations to define the level of sophistication they anticipate from their adversary, and it will allow the tester to increase the intensity accordingly in the related areas. While the PTES standard itself does not provide technical guidelines on how to execute an actual pen test, there is an additional technical guide to accompany the standard. This makes the most of other available resources by referencing methodologies such as OWASP.

ISSAF

The Information System Security Assessment Framework (ISSAF) is supported by the Open Information Systems Security Group (OISSG). It links individual pen testing steps with specific tools, and aims to provide a complete guide to conducting a penetration test and to enable organisations to develop their own pen testing methodology. The ISSAF divides the pen testing process into three key phases: planning and preparation; assessment and reporting; and cleanup and destroying artefacts. The key defining characteristic of the ISSAF is that it provides comprehensive technical guidance on testing, unlike other methodologies such as the OSSTMM, which is mainly an auditing methodology. However, while it is a valuable reference source that provides foundational and comprehensive guidance for individuals in the industry, it is no longer maintained and is likely to become increasingly out of date.

NIST

The National Institute of Standards

Types of Penetration Testing: Black Box, White Box & Grey Box

With so many types of penetration testing on offer, it can be difficult to ascertain which assessment meets the needs of your business. Cyber security pen testing can vary widely, covering applications, wireless, network services and physical assets. These could include internal and external infrastructure testing, web or mobile application testing, API testing, cloud and network configuration reviews, social engineering and even physical security testing. This blog attempts to cut through the industry jargon to provide all the information you need to identify the right pen test/VAPT for your organisation, including the important question of whether you require a black box, white box or grey box testing style.

What is pentesting?

A pen test is a form of ethical cyber security assessment aimed at finding, investigating and remediating vulnerabilities in a company’s network or applications. Pen testing harnesses the same tactics, techniques and procedures (TTPs) as cyber criminals to simulate a genuine attack against an organisation, enabling the organisation to understand whether its security controls are robust enough to withstand different kinds of threats. Pen testing can simulate a range of attack vectors, depending on whether it is performed externally or internally. The goals and results of each pen test are defined by the needs of the organisation being tested.

The level of information given to the penetration tester about the environment or systems they are due to test is determined by the type of assessment. In brief, in white box penetration testing the tester has all of the network and system information; in grey box penetration testing the tester is given only a limited amount of information; and in a black box penetration test the tester receives no information at all, to simulate the approach of a real-life attacker.

Types of penetration testing

Before selecting a suitable provider, it’s important to be familiar with the types of cyber security pen tests available, as engagements vary in focus, depth and duration. Common ethical hacking engagements include:

1. Internal & External Network Penetration Testing
An assessment of on-premise and cloud network infrastructure, including firewalls, system hosts and devices such as routers and switches. Can be framed as either an internal penetration test, focusing on assets inside the corporate network, or an external penetration test, targeting internet-facing infrastructure. To scope a test, you will need to know the number of internal and external IPs to be tested, the network subnet size and the number of sites.

2. Wireless Penetration Testing
A test that specifically targets an organisation’s WLAN (wireless local area network), as well as wireless protocols including Bluetooth, ZigBee and Z-Wave. Helps to identify rogue access points, weaknesses in encryption and WPA vulnerabilities. To scope an engagement, testers will need to know the number of wireless and guest networks, locations and unique SSIDs to be assessed.

3. Web Application Testing
An assessment of websites and custom applications delivered over the web, looking to uncover coding, design and development flaws that could be maliciously exploited. Before approaching a testing provider, it’s important to ascertain the number of apps that need testing, as well as the number of static pages, dynamic pages and input fields to be assessed.

4. Mobile Application Testing
The testing of mobile applications on operating systems including Android and iOS to identify authentication, authorisation, data leakage and session handling issues. To scope a test, providers will need to know the operating system types and versions the app should be tested on, the number of API calls, and requirements for jailbreak and root detection.

5. Build and Configuration Review
Review of network builds and configurations to identify misconfigurations across web and app servers, routers and firewalls. The number of builds, operating systems and application servers to be reviewed during testing is crucial information to help scope this type of engagement.

6. Social Engineering
An assessment of the ability of your systems and personnel to detect and respond to email phishing attacks. Gain precise insight into the potential risks through customised phishing, spear phishing and Business Email Compromise (BEC) attacks.

7. Cloud Penetration Testing
Custom cloud security assessments to help your organisation overcome shared responsibility challenges by uncovering and addressing vulnerabilities across cloud and hybrid environments that could leave critical assets exposed.

8. Agile Penetration Testing
Continuous, developer-centric security assessments designed to identify and remediate security vulnerabilities throughout the entire development cycle. This agile approach helps to ensure that every product release, whether it is a minor bug fix or a major feature, has been vetted from a security perspective.

White box vs black box vs grey box pen testing

The amount of information shared prior to an engagement can have a huge influence on its outcomes. Testing style is usually defined as either white box, black box or grey box penetration testing.

White box penetration testing

White box penetration testing, sometimes referred to as crystal or oblique box pen testing, involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.

Black box penetration testing

In a black box penetration test, no information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organisation. However, this typically makes it the costliest option too.

Grey box penetration testing

In a grey box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials. Grey box testing is useful for understanding the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used