Ian Glover, CREST
Ian Glover, president of CREST — the UK-based Council of Registered Ethical Testers — expects his organisation to certify a growing number of penetration and threat intelligence testing companies in 2016 as demand for their services grows.
CREST, a not-for-profit organisation whose objective is to represent the information security industry by demonstrating the competence of security testers. It is working with the Bank of England, among other regulators, and certified 13 new security test providers in 2015. Glover said a further 15 are likely to be approved just in the South East Asia region in 2016, and he highlighted pressure for certification from local governments and market regulators as a key driver of demand.
However the number could be higher, Glover added, given the level of interest from Hong Kong, Singapore and Malaysia.
Last October CREST signed a memorandum of intent with the Cyber Security Agency of Singapore (CSA), with the aim of providing improved quality assurance for penetration testing services at Singapore banks.
Glover also told QA Financial that he expected higher demand for CREST certification for threat intelligence providers. Threat intelligence services has been a less mature marketplace than penetration testing and: “The number of companies providing true threat intelligence services, rather than those who say they do in brochure ware, is limited but growing,” said Glover.
Only six companies are currently approved by CREST for the supply of threat intelligence services under the CBEST programme: BAE Systems Applied Intelligence, Control Risks Group Ltd, Dell SecureWorks, Digital Shadows Ltd and PwC, and since the beginning of March, Nettitude.
Chris Oakley, managing principal security consultant at Nettitude, expects to see growth in demand for threat intelligence in the financial sector on the back of more frequent DDoS attacks and phishing scams. “With the stakes so high, the focus should be on educating users around the evolving threats and ensuring that appropriate technical controls are in place to defend against those threats. Implementing a Response-in-Depth plan will also enable financial services organisations to respond immediately and effectively, significantly reducing the impact of a data breach.”
CREST has been working with the Bank of England on two major projects in 2015: the CBEST shared framework for testing the vulnerability of major financial firms to cyber attacks, and STAR – Simulated Targeted Attack and Response – a broader penetration testing simulation for banks.
CBEST was launched in June 2013 as a testing project for firms considered to be core to the stability of the financial system following the advice of the Bank’s independent Financial Policy Committee (FPC), which is charged with identifying and acting on systemic risks to protect the resilience of the UK financial system.
Andrew Gracie, the Bank of England Executive Director for Resolution, whose responsibilities include operational resilience and cyber-security in the UK banking system, said last year that: “It’s clear we need to place cyber on a more permanent footing. This is why the FPC has replaced its existing cyber recommendation with a recommendation targeted at completing the current set of CBEST tests and making them a regular part of supervision.”
Up to now, the CBEST testing framework has only been applied to firms that the Bank of England considers to be core to the financial system. The framework was designed by the Bank along with CREST and Digital Shadows, a London and San Francisco-based consultancy that specialises, it says, in analysing risks from “an attacker’s eye view”. The British security services have also been advising on the CBEST project.
The CREST STAR — Simulated Targeted Attack and Response — scheme was also developed in cooperation with the Bank of England. According to CREST it is, unlike traditional penetration testing, intelligence-led and aims to provide a more comprehensive assessment of a company’s cyber-security defences.
Unlike the CBEST test, STAR reports are not circulated among financial regulators, and STAR testing does not have access to government cyber threat intelligence.
STAR certification is a prerequisite for CBEST accreditation, but CREST’s Glover notes that it is increasingly being sought on its own merits. “The number of penetration testing companies that have met the requirement to become a member of the CREST STAR scheme has been steadily increasing,” he said. “Interestingly not all of these companies have requested to be considered for the BoE CBEST scheme and therefore there are penetration testing companies that believe that there is a much wider applicability to the processes.”
Although there been some concern among customers in the security marketplace that the number of CREST-certified providers would not keep pace with demand, Glover said that these fears continue to prove unfounded. “The very best people in the industry are stepping up to take the examinations and the numbers are meeting the current demand,” he said.
For a video interview with Ian Glover, please visit here.
