CREST penetration testing – Explore guide and methodology

Updated: November 20, 2024

CREST penetration testing guide and methodology

CREST, a non-profit, multi-tiered membership body, enables professionals and organisations to build trust in the digital world by raising professional standards and providing measurable quality assurance for the worldwide cybersecurity industry, especially in the data and technical information security market.

Penetration testing is an essential component of any organisation’s security strategy. A well-conducted pen test can help IT teams ensure their defences are up to par and protect businesses and organisations against cyber security attacks.

What is CREST penetration testing?

A CREST penetration test is an attack simulation authorised by the customer organisation to test their cyber security resilience. Qualified ethical hackers carry out this assessment.

This assessment is carried out by a CREST penetration testing service provider against a computer system or network to identify vulnerabilities and weaknesses in security measures.


CREST-approved penetration testing is the gold standard for penetration testing companies. Every member has to undergo rigorous checks and accreditation processes that are independently audited and endorsed. Only cybersecurity companies with high technical ability, procedures, and controls are passed as CREST certified companies.

As a CREST member organisation, we adhere to a strict code of conduct, meaning you can trust us to deliver a world-class service. Our CREST certified penetration testers are highly skilled and experienced professionals well-equipped to conduct comprehensive and practical tests. This gives businesses peace of mind that their assets, including web applications and operating systems, are secure and their data is safe.

CREST member companies sign a professional code of conduct and demonstrate their skill set, quality control, processes, and delivery process. Every CREST member company goes through rigorous checks. These requirements are defined as must-have prerequisites to be a member of the CREST accreditation body.

Cyber attacks are not a matter of if, but when. Be prepared.

Box-ticking approach to penetration tests is long gone. We help you identify, analyse and remediate vulnerabilities so you don’t see the same pentest report next time.

Why is CREST accredited penetration testing important?

Having CREST certification for your business demonstrates your commitment to high technical standards and adherence to the CREST code of conduct.

CREST, the ‘Council of Registered Ethical Security Testers’, is the international accreditation and certification authority for technical information security professionals. It sets and maintains the high standards of capability and professional practice in information security that are essential for providing confidence to information system users.

There are several related topics we have covered extensively you might want to explore: 

  • Learn about the CREST Defensible Penetration Test (CDPT) and business benefits
  • What is a CREST-approved provider, and why is it important?
  • Understanding the CREST Penetration Testing Maturity Model
  • Your guide to CREST vulnerability assessments
  • CREST and CHECK Penetration Testing Explained – Which is Right for Your Business?
  • CREST Certification benefits, cost, OSCP equivalent and other details

CREST approved penetration testing for your business

Procuring third-party penetration testing is essential for your business because it provides an unbiased and independent assessment of your security posture.


A third-party pen tester from CREST-approved companies will have no affiliation with your organisation, nor with any product solution selling motives, and will be looking at your systems with fresh eyes, which can often lead to identifying security flaws and vulnerabilities you may not have been aware of.

Benefits of Cyphere’s CREST Penetration Testing 

  • Reduced Risk: Identify and eliminate vulnerabilities before they are exploited, significantly reducing the risk of costly data breaches.
  • Enhanced Security Posture: Validate the effectiveness of existing security controls, leading to a more robust overall security posture.
  • Improved Employee Security Awareness: Increase employee awareness of security risks and best practices, minimising the chance of human error.
  • Faster Time to Market: Test new technologies and software in a safe environment, streamlining deployment and reducing time to market.
  • Continuous Improvement: Establish a baseline for future testing, enabling ongoing monitoring and improvement in security posture.
  • Compliance Assurance: Meet regulatory requirements (PCI DSS, ISO 27001, Commission Audits, HIPAA, and GDPR) and demonstrate commitment to data security.
  • Increased Customer Confidence: Gain peace of mind and a competitive edge by showcasing a proactive approach to security, potentially attracting new business.

Secure code is an essential element for business growth

Show your customers and supply chain you can manage application risks with secure coding practices.

CREST approved penetration testers and sector-specific experience

The testers conducting assessments hold qualifications beyond CREST’s own certifications. These may include certifications from CREST, Offensive Security, ISC2, Microsoft, AWS and other organisations.

Our certified penetration testers have professional certifications around various security domains, including but not limited to:

  • OSCP (Offensive Security Certified Professional)
  • CREST registered penetration testers certifications such as CRT, CPSA, and CCT.
  • Certified Ethical Hacker (CEH) from EC Council
  • CISSP from ISC2
  • Burp-certified security practitioner
  • Kubernetes and cloud security associates
  • AWS-certified security speciality
  • Other internationally recognised accreditations related to penetration testing, cyber incident response and threat intelligence.

Our experience involves serving organisations globally at various business stages; these scenarios include contextual knowledge around sectors and verticals:

  • M&A due diligence
  • Business as usual assessments (annually or upon change)
  • Advanced digital transformation
  • Multi-cloud security strategy reviews
  • Supply chain due diligence
  • Sector-specific cyber health checks
  • SaaS solution onboarding security reviews

CREST Penetration testing guide to help you effectively conduct penetration tests

A pen testing guide is a detailed and explanatory resource based on our understanding of CREST’s official pen testing document. It provides security consultants, ethical hackers and penetration testers with a step-by-step process for conducting a successful and comprehensive pen test. It also enables organisations to prepare for a CREST penetration testing exercise and perform actual tests effectively and competently.

The CREST penetration testing service covers a broad spectrum of domains such as web applications, cloud, wireless, mobile applications, IoT networks and devices, external and internal network infrastructure pen testing, stealth campaigns, phishing and social engineering.

Penetration testing (CREST Certified) for various security disciplines

The following are the different CREST penetration testing services offered by Cyphere:


Network Pen Testing

Our comprehensive network penetration testing services are designed to assess your network’s internal and external security.

By identifying and exploiting vulnerabilities, we can help you identify and fix critical security issues before attackers can use them. This type of assessment includes external penetration testing and internal penetration testing.

Firewall Security Assessment

We take a comprehensive and holistic approach to firewall security assessment. We understand that to provide truly effective security, your firewall must be configured and deployed in the most optimum way possible.


Web Application Pen Testing

We use various techniques to pentest web applications and identify API security vulnerabilities, including manual testing, scanning, and fuzzing. Our experienced Web pen testers are well-versed in identifying cyber security issues.

Cloud Penetration Test

Our cloud pentest service is the best in the business because we have a team of experienced and certified professionals who identify emerging threats and known vulnerabilities and demonstrate how to exploit vulnerabilities in cloud-based systems safely. We extensively cover Azure pen testing, AWS penetration testing, GCP pen testing, SaaS penetration testing and Office 365 security reviews.

Mobile Penetration Test

Our mobile application pentest service is the most comprehensive coverage of device-level and mobile application vulnerabilities. We use various assessment methods and tools to identify all potential vulnerabilities in your mobile apps, including those that traditional security tests may not detect.

Red Team Operations

Red teaming is the process of assuming the role of an adversary to identify an organisation’s vulnerabilities and potential weaknesses. Our team of experienced CREST approved penetration testers provides red team assessments to help clients anticipate, prevent and mitigate risks.

Threat Intelligence Assessments

This offering includes carrying out checks without providing prior information to the customer’s Security Operations Centre staff. It aims to measure the current attack surface and validate the effectiveness of an organisation’s logging, monitoring and alerting mechanisms.

Why choose Cyphere for CREST approved penetration testing?

Cyphere, a CREST accredited company, offers an alternative to the industry’s standard ‘report and run’ penetration testing services. This is based on our experience across various sectors and our understanding of customer problems: scheduling collisions, detailed reports that must address varying audiences, reporting deadlines, challenges in remediating risks, and using the correct language for the right audience.


  • We’re an independent security provider, so you can be confident that our findings are objective and unbiased. As a CREST pen testing services provider, we ensure that our approach is independent and not influenced by third-party reselling or product push interests. We also have a proven track record of success. We have helped businesses across multiple sectors strengthen their cyber security posture and understand sector-specific threat landscapes through our pen testing and threat intelligence services.
  • No retest & cancellation fees: We pride ourselves on providing a no-retest-fee policy so you know your system is secure. In addition, we charge no cancellation fees, so you can be sure that you are getting the best possible value for your money. With our commitment to providing the best possible service, you can be sure that you are making the right choice when you choose Cyphere.
  • Free debrief calls: To give you peace of mind, we offer free debrief calls after each engagement so that you can ask your questions and get insights from our team of experts. With Cyphere on your side, you can rest assured that your network is as secure as possible.
  • Risk Remediation Plans: We provide comprehensive data protection and risk remediation plans to help you mitigate the risks associated with your digital assets. In addition, our team of experts is constantly updated on the latest vulnerabilities and exploits, so you can be confident that your systems are secure.
  • No-muss, no-fuss approach: Our no-muss, no-fuss approach will do the job without hassle. Our team is experienced and knowledgeable, and we’ll ensure your system is secure from any potential threats.

CREST penetration testing framework for running an effective security programme

A penetration testing process typically includes the following steps:

  • Defining the scope
  • Conducting research and gathering intelligence about the in-scope assets
  • Identifying vulnerabilities 
  • Exploiting vulnerabilities
  • Reporting findings
  • Remediating issues

CREST penetration testing programme

Pen testing should be placed in the context of security management. It provides a technical risk assessment that serves as a primary input into an organisation’s risk management regime.

Outline of the pentest programme

A good CREST penetration testing programme should cover all the critical activities required to prepare for a penetration test, conduct a suitable and relevant set of assessments in a logical, rational, well-defined and managed way, and ensure that the results of those tests are followed up effectively. The CREST pentesting guide revolves around three main phases, which together break down into 22 detailed steps, discussed later in this section.


Detailed penetration testing programme process 

Here’s the deal:

A pen test isn’t a replacement for firewall protection. Your company shouldn’t carry out pen tests before implementing basic security measures like:

  • Firewall protection
  • Installing anti-malware
  • Security controls around internal and external networks
  • Operating system hardening measures
  • Conducting vulnerability assessment and efficient patch management

Implementing such controls significantly improves an organisation’s security posture. However, it does not protect against every form of cyber security risk: more advanced and targeted attacks are not prevented by these defensive mechanisms alone. Organisations must therefore develop a more sophisticated approach to protect against such threats, and a penetration testing security assessment is that refined approach.

💡Suggested Read: wireless penetration testing

A. Preparing for a penetration test

The first step before carrying out a penetration test is to prepare for it. According to the CREST pentesting guide, the preparation phase ensures that the penetration testing programme includes all relevant aspects of preparing for penetration tests and carrying them out safely and effectively. It ensures that the follow-up activities, such as mitigating vulnerabilities and improving security, are defined and considered. The necessary steps needed as a part of the preparation phase are discussed below:

A1. Maintain a technical security assurance framework

The organisation should maintain an approved technical security assurance framework whose main objective is to protect your most critical systems, information, and IT infrastructure. A technical security assurance framework usually includes various testing environments, security architecture, and a security logging, detection, and monitoring team, such as SOC. It may also include testing preventative, detective, and reactive security controls, skilled and certified resources, adequate tools and technology, and a cyber security risk management framework or programme.

A2. Establish a penetration-testing governance structure

The organisation should establish an appropriate governance structure to supervise and coordinate a regular penetration testing programme. A good penetration testing governance structure would typically cover all central systems in the organisation while focusing on the most critical ones, penetration testing processes and methodologies, vendor or third-party security services selection criteria, and a cyber assurance management framework. It should be supported by a joint management and technical team to decide on a testing scope for penetration testing, an effective change management process and a set of key performance indicators for the results of the penetration tests.

A3. Evaluate drivers for conducting penetration tests

Organisations may have many reasons for conducting penetration tests of their critical business applications or IT infrastructure. Whatever the drivers for testing, deciding what the organisation wishes to accomplish through the activity is essential. Drivers for carrying out penetration tests usually are a compliance requirement, the impact of severe security attacks on other similar organisations, the introduction of new critical operational processes, business applications or IT infrastructure or a significant update in the existing ones, etc.


A4. Identify target environments

A good penetration testing programme should identify the target environments to be tested for security vulnerabilities. Target environments are usually identified from essential business processes, critical applications, sensitive IT infrastructure components, and specialised equipment such as mobile devices and industrial control systems.

A5. Define the purpose of the penetration tests

A penetration testing programme should clearly define why this penetration test is needed and what could be achieved by it. The purpose of penetration tests should include determining whether these tests can help the organisation identify weaknesses in the implemented security controls and reduce the frequency and impact of security incidents. It should also include complying with legal and regulatory requirements like PCI DSS, NERC, ISO 27001, HIPAA, etc., assuring third parties that business applications can be trusted and that customer data protection is a top priority.

A6. Produce requirements specifications

The penetration testing programme should include defining requirements for penetration testing carried out in an organisation. Requirements for penetration testing should consider essential business applications, critical IT infrastructure and confidential data, and the validation that tests are authorised and will not compromise personal data. Most of the time, there will be a solid reason that forms a foundation for carrying out a penetration test, which frequently includes a need for compliance or a result of an incident affecting the organisation.

A7. Select suitable suppliers

The pen testing programme should define the criteria for procuring penetration testing from suitable third-party penetration testing organisations. These criteria should first consider the requirements of the penetration test, identify potential service providers, and then apply a technical evaluation and selection process. The selection should be based on the reputation and history of the vendor, value for money, research and development capability, the number of highly technically competent individuals, and strong professional accreditation of both the technical team and the provider.

B. Conducting the penetration tests

The testing phase is responsible for executing the penetration test and determining and deciding the process, techniques, and procedures for a penetration testing assessment. This phase involves the following steps:

B1. Agree to a testing style and type

Before conducting a penetration test, it is essential to agree on the appropriate testing style and type. This involves considering factors such as the organisation’s cyber security goals, the nature and criticality of the systems and networks being tested, and the potential impact of a successful attack, and then deciding which testing methodology (black, grey or white box penetration testing) is to be employed.

B2. Identify testing constraints

It is essential to identify any obstructions or hindrances that may affect the execution of the penetration test, such as regulatory compliance, technical or resource limitations, or legal restrictions. Identifying these constraints will help ensure the pen test is appropriately scoped and focused on addressing the organisation’s security requirements.

B3. Produce scope statements

This phase ensures the penetration test is appropriately scoped and targeted to address the organisation’s security needs. It is essential to produce well-defined scope statements highlighting the systems, networks, or applications to be tested, testing goals and objectives. It should also include the follow-up exercises and should be signed off by all relevant parties before commencing the penetration test.

B4. Establish a management assurance framework

To ensure that organisations carry out penetration testing effectively and consistently, it is necessary to decide upon a management assurance framework. A reasonable assurance framework defines roles and responsibilities for the client and the consultancy and provides oversight and accountability for the entire pen testing process.

B5. Implement management control processes

These processes ensure the assessment is conducted under the previously agreed assurance framework. They should include procedures for quality assurance, risk management, change control and incident response.


B6. Use an effective testing methodology

A practical and solid penetration testing programme should be based on a robust testing methodology that ensures the test is conducted in a structured and systematic manner. This methodology should include all the essential penetration testing steps, such as reconnaissance, enumeration, vulnerability analysis, and exploitation. It should be based on proven approaches for conducting a comprehensive penetration test.

B7. Conduct sufficient research and planning

Before starting the activity, appropriate research and planning should ensure that the pentest is scoped correctly and focused on addressing the organisation’s cybersecurity needs and requirements. This phase should include gathering information on the in-scope systems, networks, or applications, identifying potential attack vectors, and determining the appropriate testing methodologies.


B8. Identify and exploit vulnerabilities

During the execution of the exercise, CREST pen testers should be able to identify and exploit vulnerabilities in a target system, network, or application in a safe and controlled manner. This involves using various testing techniques and tools to discover and exploit vulnerabilities, such as:

  • Injection flaws
  • Flawed business and application logic
  • Broken access controls 
  • Buffer overflow attacks
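Two of the vulnerability classes listed above, injection flaws and broken access controls, are easiest to understand as a weak code pattern beside its hardened form. The following Python example is added here for illustration and is not code from the original page or from Cyphere; it uses an in-memory SQLite database with constructed sample users and invoices, and the function names (`lookup_email_vulnerable`, `get_invoice_hardened`, etc.) are hypothetical.

```python
import sqlite3

# Constructed sample data (not from the page): two users and one invoice each.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
INVOICES = [(1, "alice", 120.0), (2, "bob", 80.0)]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER, owner TEXT, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


def lookup_email_vulnerable(conn, username):
    """Injection flaw: untrusted input is concatenated into the query text,
    so a quote character in the input changes the meaning of the query."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_hardened(conn, username):
    """Parameterised query: the driver passes the value separately from the
    query text, so the input is only ever compared as data."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def get_invoice_vulnerable(conn, requesting_user, invoice_id):
    """Broken access control: the query is parameterised (no injection), but
    nothing checks that the requesting user owns the invoice."""
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_hardened(conn, requesting_user, invoice_id):
    """Ownership is enforced in the query itself, so an id belonging to
    another user returns nothing rather than leaking their record."""
    return conn.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, requesting_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input containing a quote character
    print("vulnerable lookup:", lookup_email_vulnerable(db, probe))  # every email
    print("hardened lookup:  ", lookup_email_hardened(db, probe))    # []
    print("vulnerable invoice:", get_invoice_vulnerable(db, "alice", 2))  # bob's row
    print("hardened invoice:  ", get_invoice_hardened(db, "alice", 2))    # None
```

The two hardened functions show the remediation a report would recommend for each finding: bind untrusted values as parameters rather than building query strings, and enforce object ownership on every data access rather than trusting the identifier supplied by the caller.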

B9. Report key findings

Once the assessment is complete, the penetration testing team should produce a comprehensive report that describes the essential findings and highlights recommendations for mitigating and addressing any identified vulnerabilities. It is then presented to stakeholders and subject matter experts.

A good penetration testing report should include a high-level summary of the testing methodology and the key findings, an executive summary explaining the current security posture, a dashboard showing the number of vulnerabilities identified at each severity level, a detailed and comprehensive technical report that includes proper evidence of each successful penetration and, finally, the recommendations and remediation steps to mitigate the identified issues.

C. Follow up

Once a CREST pen test is complete and any identified vulnerabilities have been addressed, reducing risks in the long term and across the organisation is essential. Hence, follow-up activities are carried out to improve the organisation’s overall cyber security posture. These follow-up post-technical delivery activities include taking the following steps:

C1. Remediate weaknesses

The penetration testing programme should specify that weaknesses found during testing are remediated. Remediation should follow a comprehensive and approved remediation process so that the identified vulnerabilities cannot be exploited again, and it should be carried out by appropriately qualified and experienced technical security professionals.

C2. Address the root cause of weaknesses

This phase helps identify the root cause of the vulnerabilities rather than just addressing the findings themselves. This helps prevent the same vulnerabilities from reappearing in the future. Root cause analysis should include identifying the actual root causes of security issues, not just the symptoms of an attack, and determining the potential risks and threats to the business.

C3. Initiate improvement programme

Initiating the improvement programme is based on the lessons learned from the activity. The improvement programme should focus on improving the organisation’s security posture rather than just fixing the individual vulnerabilities. This relies heavily on the lessons learned, applying cyber security practices organisation-wide, creating solid cyber security policies, and deciding and agreeing on future testing.


C4. Evaluate penetration testing effectiveness

This phase evaluates the effectiveness of the penetration testing programme to identify areas for improvement. The evaluation should consider whether the requirements were met, the scope and objectives of the pentesting exercise, the methodologies used, the usefulness of the results, and whether value for money was obtained from the consultancies.

C5. Build on lessons learned

Building on the lessons learned from the penetration testing activity is essential to continuously improve the organisation’s security posture. This encompasses implementing changes to policies and procedures and implementing necessary security controls based on the identified vulnerabilities and root causes.

C6. Create and monitor action plans

Creating action plans to address the discovered vulnerabilities and root causes and monitoring progress helps ensure the necessary changes are being implemented.

Our series of articles around CREST cyber security topics you might want to explore: 

  • Learn about the CREST Defensible Penetration Test (CDPT) and business benefits
  • What is a CREST-approved provider, and why is choosing a CREST-certified company important?
  • Get to know the CREST penetration testing maturity model
  • CREST Certification benefits, cost, OSCP equivalent and other details
  • CREST penetration testing maturity model, tools and management guide

Conclusion

Penetration testing is a comprehensive and rigorous assessment that leaves no stone unturned and provides in-depth visibility of the current cyber security posture of an organisation.

With a CREST-accredited pentesting process, an organisation can significantly improve its current state of cyber security, protecting itself from potential cyber threats and attackers, eventually improving cyber resilience. CREST-certified penetration testing organisations such as Cyphere (also called CREST member companies or companies that achieve CREST accreditation) are among the best pen testing providers globally, especially in the UK.

The pen testing guide provided by CREST gives organisations a holistic view of how a comprehensive pentesting assessment should be carried out.

FAQ

What is CREST in cyber security?

CREST in Cyber Security, a global cybersecurity non-profit, fosters industry collaboration through services that improve individual and organisational cyber security performance.

Should we fix all of the vulnerabilities that are reported?

Cyphere offers free risk remediation guidance support after all our pen tests.

As tempting as it might be to try and fix every vulnerability as soon as it’s discovered, it’s not always possible – or practical. A business risk appetite must be considered before starting the never-ending ‘fix all’ cycle. Vulnerability triage and risk remediation processes require understanding asset criticality and the impact of findings from pen tests.
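The severity dashboard described under B9 and the triage by asset criticality described in this answer can be combined into a small script. The following Python example is added here as an illustration and is not code from the original page or from Cyphere; the findings, the asset register and the scoring weights are all constructed for the example, and the function names (`severity_dashboard`, `risk_score`, `triage`) are hypothetical.

```python
from collections import Counter

# Constructed severity ranks and asset-criticality weights (assumed, not from the page).
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
CRITICALITY_WEIGHT = {"crown-jewel": 3, "business": 2, "supporting": 1}

# Constructed sample findings, shaped like the rows of a pen test report (not real results).
FINDINGS = [
    {"id": "F-01", "title": "SQL injection in login form", "severity": "critical", "asset": "customer-portal"},
    {"id": "F-02", "title": "Outdated TLS configuration", "severity": "medium", "asset": "marketing-site"},
    {"id": "F-03", "title": "Missing rate limiting on password reset", "severity": "high", "asset": "customer-portal"},
    {"id": "F-04", "title": "Verbose server banner", "severity": "low", "asset": "marketing-site"},
    {"id": "F-05", "title": "Default credentials on management console", "severity": "high", "asset": "jump-host"},
    {"id": "F-06", "title": "Missing security headers", "severity": "low", "asset": "customer-portal"},
]

# Constructed asset register: business criticality of each in-scope asset.
ASSET_CRITICALITY = {
    "customer-portal": "crown-jewel",
    "jump-host": "business",
    "marketing-site": "supporting",
}


def severity_dashboard(findings):
    """Count findings per severity level, listing every level even when zero."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def risk_score(finding, asset_criticality):
    """Combine finding severity with the criticality of the affected asset.
    Assets missing from the register are treated as 'supporting'."""
    crit = asset_criticality.get(finding["asset"], "supporting")
    return SEVERITY_ORDER[finding["severity"]] * CRITICALITY_WEIGHT[crit]


def triage(findings, asset_criticality, risk_threshold):
    """Split findings into 'fix now' and 'accept or defer' by risk score,
    each list ordered from highest to lowest score (ties by finding id)."""
    scored = [(risk_score(f, asset_criticality), f) for f in findings]
    scored.sort(key=lambda pair: (-pair[0], pair[1]["id"]))
    fix_now = [f["id"] for score, f in scored if score >= risk_threshold]
    defer = [f["id"] for score, f in scored if score < risk_threshold]
    return fix_now, defer


if __name__ == "__main__":
    print("Dashboard:", severity_dashboard(FINDINGS))
    fix_now, defer = triage(FINDINGS, ASSET_CRITICALITY, risk_threshold=6)
    print("Fix now:", fix_now)
    print("Accept or defer:", defer)
```

The point of the scoring is the one the answer makes: two findings rated "low" are not equal when one sits on a crown-jewel asset and the other on a marketing site, so the remediation order is driven by business impact rather than by the raw severity label alone. The threshold is the risk-appetite knob an organisation sets before starting the remediation cycle.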

How do we prepare for penetration tests?

Preparation for a pentest includes the following key steps:

  1. Identify the assets that will be tested and ensure any fragile assets are noted.
  2. Understand and double-check the objectives, including test basis and testing types with customer contact.
  3. Exchange details around the point of contact, including escalation point of communications during the assessment.
  4. Develop and share a CREST pen test project plan with the customer. It includes details about our prerequisites, various phases in the project, resourcing and scheduling details and contacts.
  5. Schedule a kick-off meeting to ensure everything is in place before the pen test commences.
  6. Post technical delivery, we schedule debrief calls and retests to ensure the customer is aware of possible situations and outcomes.

Get in touch to schedule a strategy call, an annual pen test or discuss security concerns with our security consultants directly.

What does CREST accredited mean?

CREST-accredited penetration testing signifies that the testing service meets rigorous industry standards established by the CREST council. This means the testers are highly skilled and certified, and the test follows strict methodologies for reliable and trustworthy results.

Is pen testing disruptive to our environment?

Penetration testers take steps to minimise disruptions and environmental impact by working with clients to develop a plan and deploying safe test cases. It includes using reliable tools and manual approaches to identify security flaws. 

As a CREST-certified company, we know how simulated cyber attack scenarios may cause issues in production environments. Based on our experience, we ensure that every detail is checked to minimise the impact with excellent communication and project management skill sets. Denial of Service or low-level attacks are explicitly out of the scope of our assessments.

Penetration Testing With CREST Assurance

Experienced assessments, clear remediation plans, and unlimited free retests. No hidden fees, no report-and-run approach.
