NCSC, CREST, IASME… just another list of meaningless acronyms on a website or brochure footer? Think again.
Penetration testing – otherwise known as pen testing or ethical hacking – has become a mainstay of cyber security measures for many organisations. If your infrastructure or data can be breached, you want to know about it before someone with malign intentions lets you know in a disruptive or even catastrophic way. The pen testing sector is booming – there are many different providers eager to help you test whether your security is up to the job of withstanding today’s cybercrime threats.
Penetration testing can carry more risk than other routine IT services
Pen testing is no different from any other service you need for your business, in that you’re looking for a trustworthy, reliable and high-quality provider who can deliver what you want within the budget available. Plenty of companies will likely seem to fit the bill. But the big difference is the level of risk in actively encouraging a third party to hack your systems and get inside your data, apps, hardware and business-critical technology tools.
There are myriad offshore testing firms who claim to deliver what looks like incredible value on paper. And it’s no surprise that they can be competitively priced, with lower wage costs and expenses in overseas markets. Wherever they’re based, you need to know who you’re trusting with access to your critical systems.
If your pen testing team is made up of crowdsourced freelancers, it’s inevitably harder to tell whether they are trustworthy and genuine. We’re aware of specialist pen testing firms who have recently had to scale back their activities because of their reliance on Russian testers. In the current political climate, that’s a no-no in terms of cyber security risk for many US and west European firms.
So how can you tell who you’re dealing with and clearly establish their authenticity and reputation, when most penetration testing vendors present a convincing and credible proposition?
One way to find out who’s talking the talk and who’s actually walking the walk too is to scrutinise your shortlisted pen testing providers’ credentials and certifications. Anyone can throw a list of acronyms and logos at you; it’s well worth making sure you understand exactly what they mean, who issues them and what kind of assurance they provide. Not all certifications and accreditations are equal, in penetration testing or in any other sector or specialism! The quality is far more important than the quantity in this instance.
For penetration testing in the UK market, there are five widely recognised marks of authority to look out for. Look for accreditation for the organisation as well as certification of individual testers.
1. NCSC CHECK accreditation (organisations)
The NCSC is the National Cyber Security Centre, a UK Government organisation that provides advice and support to the public and private sectors on how to avoid computer security threats. CHECK is the NCSC’s scheme that approves companies and their methodologies to conduct authorised penetration tests of public sector and CNI (critical national infrastructure) systems and networks. Accreditation is reviewed every year to make sure firms keep up their qualifications and practices. CHECK assures the quality and rigour of the pen testing work as well as a standard of reporting that will make sense to the client. It covers the scoping and oversight of the testing as well as its delivery. You can search for a CHECK accredited service provider on the NCSC’s website.
2. CREST certification (individuals)
To qualify for the NCSC CHECK scheme, firms need to employ individuals who hold at least one of two qualifications. One of these is the CREST Certified level in penetration testing, which sets a benchmark for senior professionals. CREST is an international not-for-profit membership body that represents the global cyber security industry. You can verify a practitioner’s digital CREST exam certificate on the CREST website.
3. Cyber Scheme certification (individuals)
The Cyber Scheme Team Leader (CSTL) certification is the other qualification accredited and recognised by the NCSC. At Six Degrees, we actively ensure that our team includes a mix of specialists who are certificated by Cyber Scheme and by CREST: the two qualifications differ slightly, so holding both gives us the broadest range of penetration testing skills and capabilities. We are active sponsors of Cyber Scheme – we contribute to their levels of testing and provide information to help keep the certification current and relevant to the real world and the industry.
4. CREST accreditation (organisations)
As well as being a certification body for individual practitioners, CREST accredits organisations that offer penetration testing services. Firms that are members of CREST must maintain a certain number of certifications in their team, representing a high level of cyber security qualification. They also have to meet compliance standards for their own internal business, including quality standards like the ISO 27000 family and Cyber Essentials. They must also hold a high level of liability insurance.
5. IASME Cyber Essentials
The IASME Consortium is the governing body for, and deliverer of, Cyber Essentials – a security standard in the UK that is generally required by government organisations. It sets out minimum measures for confidentiality, vetting, qualification, insurance and the processes for handling sensitive data and technology.
UK Government security clearance is also a valuable trust mark. Organisations need it to qualify for the NCSC CHECK and CREST accreditations. Security clearance includes background checks on individual testers to confirm that they are trustworthy and have a clean record.
There are many other niche and specialist qualifications and certifications in the complex field of penetration testing. Don’t take anything at face value, though. If a provider offers a list of credentials that you’re not familiar with, look them up and find out about the issuing body and its process for testing or certificating – satisfy yourself that you’re looking at rigorous and genuine standards in pen testing.
Six Degrees’ Penetration Testing services are NCSC and CREST accredited. We only use certificated, qualified and experienced in-house testers, who deliver expert manual pen testing alongside automated vulnerability scanning. We have an exceptional track record of helping clients to optimise their cyber security through effective penetration testing. Get in touch if you’d like to find out more about our reputation and how we can support you.
About the Author
Andy Swift is Technical Director of Offensive Security at Six Degrees. At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence are testament to our ability to stay ahead of emerging threats.