With the rise in cybercrime, Ian Glover, president of CREST, explains why more firms are turning to penetration testing to check out their defences.
In the last few years, we have experienced cybercrime on a scale never seen before. WannaCry, an extremely virulent outbreak of ransomware, began to infect organisations across the world, and within several hours over 75,000 victims were reported in 90 countries, from telecommunications companies in Spain to a Russian ministry. In total, some 200,000 organisations were affected in over 150 countries. In the UK, the NHS felt the full force of the attack across 48 health trusts in England.
Ransomware, as the name suggests, is a malicious program that locks a computer's files until a ransom is paid, usually in the form of the online currency Bitcoin. But the WannaCry ransomware attacks were different from any outbreak previously seen. WannaCry used a vulnerability in Microsoft Windows operating systems to spread to neighbouring computer systems over the network once it had infected its original host.
While WannaCry and Petya delivered a serious wake-up call for many companies and organisations, they also reflect a general increase in more sophisticated cyberattacks from sources ranging from lone hackers and hacktivist groups to organised criminal gangs and state-sponsored cyber terrorists. And the rise of ransomware-as-a-service has lowered the barrier to entry and made cybercrime accessible to anyone.
The result is that no sector is immune from these targeted or indiscriminate attacks. Most large firms have a specialist security team and achieve the security basics very well. Some conduct more proactive threat detection to identify threats that anti-virus and other traditional security products may not find. But an IT department needs to understand what data is attractive to an attacker and protect it effectively.
It is more important than ever that all businesses discover where their security weaknesses are and how to fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate a malicious attack, from inside or outside the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets. This is called penetration testing, and demand for this very skilled, technical and clearly very sensitive investigation and analysis has risen rapidly. While penetration testing has traditionally been associated with government organisations and large financial institutions and corporations, it is now commonplace among medium-sized companies, NGOs and the wider public sector.
But this is sensitive work, and companies need to be very clear who they are dealing with and have confidence in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity. There needs to be confidence and trust in these specialist companies regarding how information is handled and processed. It is a common misconception that the security industry is simply made up of ex-hackers, who, let’s face it, most organisations would be reluctant to trust.
This is why CREST was established in 2006 by the technical security industry with the support of the UK Government. CREST is a not-for-profit body representing the technical information security industry that provides internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo a stringent accreditation process every year and sign up to a strict and enforceable code of conduct; while CREST qualified individuals must pass the most challenging and rigorous examinations in the industry worldwide, to demonstrate the highest levels of knowledge, skill and competence.
For example, CREST Practitioner entry-level examinations are aimed at individuals with typically 2,500 hours of relevant and frequent experience, while candidates for CREST Registered Tester examinations should have at least 6,000 hours (three years or more), and at the certified level 10,000 hours or more. All these individuals have to re-sit the examinations every three years, reflecting the fast-moving nature of the industry.
This means that organisations wishing to buy penetration testing services can have confidence that the work will be carried out by trusted companies with the appropriate policies, processes and procedures for the protection of client information, using qualified individuals with up-to-date experience and understanding of the latest vulnerabilities and techniques used by real attackers.
CREST Members work particularly closely with the UK’s critical national infrastructure providers where cyberattacks could do the most damage - from energy and utility companies to major financial institutions. Working alongside the Bank of England, Government and industry, CREST developed a new framework to deliver controlled, bespoke, intelligence-led cybersecurity tests for the UK’s most important financial institutions.
Getting the basics right
With recent reports and experiences demonstrating that companies of all sizes are under threat from cyber attacks, CREST has also helped to develop the technical assessment and certification framework for the UK Government’s cybersecurity standards, Cyber Essentials and Cyber Essentials Plus. These set down baseline requirements for cyber hygiene and are now mandated for some government contracts dealing with sensitive data.
The scheme provides organisations with clear guidance on implementation, as well as offering independent certification for those companies that want to demonstrate to their customers that their data is adequately protected and that they take cybersecurity seriously. CREST accredits companies to deliver Cyber Essentials certifications, and following the recent WannaCry and Petya ransomware attacks it was shown that organisations that had achieved this basic level of cyber hygiene had not been affected. For more information on Cyber Essentials, go to www.cyberessentials.org
Incidents will happen
Despite best endeavours, it is impossible to be 100% secure, and if your business does fall victim to a malicious cybersecurity incident, your immediate task is to act as quickly as possible to limit the impact and damage. You are effectively working in a crime scene, and the requirement for evidential integrity can conflict with the need to resume business as usual, to say nothing of budgetary and time constraints.
The CREST Cyber Security Incident Response scheme focuses on appropriate standards for incident response to help companies have in place effective policies, processes and procedures to plan for, manage and recover from significant cybersecurity-related incidents. Law firms face a major risk of reputational damage in the aftermath of an attack and clients will want assurances that their data is not compromised.
The Data Protection Act has now been updated and its replacement – the General Data Protection Regulation – has been designed to protect more effectively the privacy of consumers entrusting their data to businesses. Businesses in all sectors are required to demonstrate transparency in their processing of personal data and to have in place technical and organisational processes appropriate to the level of risk their data collection presents.
Businesses experiencing a data breach are required to report it to the national authorities within 72 hours of discovery. If affected individuals are considered to be at significant risk, the company will be required to notify them of the breach within the same timeframe. Legal firms that are unable to demonstrate that adequate measures have been put in place to safeguard the personal information they hold in digital form will be subject to penalties of up to 4% of their global turnover or 20 million euros, whichever is the greater.
As client organisations significantly improve the security of their networks, businesses must ensure they do not become the weak link in the protection of data. As we have seen, the results of a successful cyber attack can be devastating for business and individuals, so companies need a professional cybersecurity industry they can trust and rely on.
For more information, please visit www.crest-approved.org
By Ian Glover, President, CREST