Penetration testing is the cyber equivalent of letting someone break into your house and rummage through your drawers to see how easy it would be to steal everything. Your valuables are in that house, and your underwear is in those drawers.
The same rules apply to Penetration Testing. You’re permitting someone to try to find your deepest, darkest secrets. Data, money, intellectual property – if your security isn’t good enough, it’s all up for grabs. And it’s not just the fear that it could be misappropriated – what if it is damaged? What if it is accidentally erased? What if everything you ever worked for is lost at the hands of cowboy testers?
These fears are exactly why certification schemes exist for penetration testers: to reassure customers that the service they will receive meets certain standards.
Penetration Testing originates in the kind of war games that armies have ‘played’ for centuries to work out where their weaknesses lie. In more recent history, first the tech industry and then the US military began using a kind of penetration test to assess the security of their systems, giving rise to the Computer Fraud and Abuse Act of 1986. Ethical hacking has been gaining prominence ever since, with the first set of best practices established in 2003.
Since 2006, CREST has provided internationally recognised accreditations for organisations and individuals providing penetration testing and other cyber security services.
CREST certification applies to companies and individual testers, reassuring service users that their chosen test provider has demonstrated their ability to perform to CREST’s high standards. But we’re getting ahead of ourselves… Let’s go back a few steps.
The Council for Registered Ethical Security Testers (CREST) is an independent, not-for-profit organisation recognised worldwide as the cyber assurance body for the technical security industry.
CREST defines best practice methodologies for penetration testing, threat intelligence services and cyber security industry response. It was also instrumental in the development of the technical assessment and certification framework for the UK government’s Cyber Essentials Scheme.
Every company and individual awarded accreditation/certification must sign up to a strict and enforceable Code of Conduct that defines requirements around ethics, integrity, disclosure and confidentiality. It’s a shortcut to knowing which companies you should trust with your underwear drawer.
A stamp of approval from CREST guarantees that your chosen pen-test provider has the necessary skills and methodologies to give you an accurate and thorough assessment of your cyber security strategy. You can be confident that they’re not only a legitimate organisation, but they have had to pass stringent controls to achieve CREST accreditation, which means they are highly skilled. On top of that, they have access to industry-leading resources and events, so their knowledge is continually updated.
You bet your bottom dollar we are. It’s not only a question of reassuring our customers that we know our stuff; there’s a lot of value in being part of a community of people who are always learning, always developing.
It means we can give our customers the very best level of service – such as the most rigorous testing methodologies at the forefront of the latest and best practice hacking techniques.
Because Penetration Testing is not a one-size-fits-all exercise, we direct all this learning into a tailored programme to precisely fit your business needs. By adapting the CREST-approved methodologies to your infrastructure, industry and risks, we can discover just how susceptible your organisation is. With this approach and our highly skilled CREST-certified penetration testers, we can deliver a real-world test that puts you on the path to greater cyber security.
Penetration testing is a great way to identify risks and vulnerabilities within your organisation and objectively assess the current state of your cyber security controls. Simulating the behaviour of a real cyber criminal, a penetration test will uncover your systems' critical security issues, how these vulnerabilities were exploited, and the steps required to fix them (before they are exploited for real).