Penetration testing is an important component of the security strategy of any organisation. A well-conducted pen test can help IT teams ensure that their defences are up to par and are capable of protecting businesses and organisations against cyber security attacks.
CREST Penetration testing guide to help you effectively conduct penetration tests
This pen testing guide is a detailed, explanatory resource based on our reading of CREST’s official penetration testing guide. It gives security consultants, ethical hackers and penetration testers a step-by-step process for carrying out a successful and comprehensive pen test, and it helps organisations prepare for a CREST penetration testing exercise and run the actual tests effectively and competently.
What are CREST pen testing services?
CREST is an internationally recognised, not-for-profit accreditation and certification body that sets professional and technical standards for information security services such as cyber incident response, penetration testing and threat intelligence.
A pen test (also known as ethical hacking) is a technical cybersecurity exercise aimed at finding security weaknesses in a company’s internal and external networks, web applications or systems. It provides point-in-time assurance about how exposed an organisation’s assets are to known vulnerabilities and realistic attack paths. It cannot prove the absence of weaknesses, so the results should be treated as evidence of the current posture rather than a guarantee against future attacks.
The CREST-approved penetration testing service covers a broad spectrum of domains such as web applications, cloud, wireless, mobile applications, IoT networks and devices, external and internal network infrastructure pen testing, stealth campaigns, phishing and social engineering.
CREST penetration testing framework for running an effective security programme
A penetration testing process typically includes the following steps:
- Defining the scope
- Conducting research and gathering intelligence about the in-scope assets
- Identifying vulnerabilities
- Exploiting vulnerabilities
- Reporting findings
- Remediating issues
Pen testing should be placed in the context of security management as a whole. It covers the technical risk assessment aspect that acts as a primary input into an organisation’s risk management regime.
Outline of the pentest programme
A good CREST penetration testing programme should cover all the key activities required to prepare for, run and follow up on a penetration test. It includes a suitable and relevant set of assessments, carried out in a logical, well-defined and managed way, and ensures that the findings are followed through. The CREST pentesting guide revolves around three main phases (preparation, testing and follow-up), which together break down into 22 detailed steps discussed later in this section.
Positioning the penetration testing programme
Here’s the deal:
A pen test isn’t a replacement for firewall protection. In fact, your company shouldn’t carry out pen tests before implementing basic security measures like:
- Firewall protection
- Installing anti-malware
- Security controls around internal and external networks
- Operating system hardening measures
- Conducting vulnerability assessment and efficient patch management
Implementing such controls significantly improves an organisation’s security posture. However, they do not protect against every form of cyber security risk: more advanced and targeted attacks are not reliably prevented by these baseline defences alone. Organisations therefore need a more sophisticated way of finding out how those defences hold up against a determined attacker, and that is what a penetration testing assessment provides.
A. Preparing for a penetration test
The first step before carrying out a penetration test is to prepare for it. According to the CREST pentesting guide, the preparation phase is responsible for ensuring that the penetration testing programme includes all relevant aspects of preparing for penetration tests and carrying them out safely and effectively. It ensures that the follow-up activities, such as mitigation of vulnerabilities and improving security, are defined and considered. The necessary steps needed as a part of the preparation phase are discussed below:
A1. Maintain a technical security assurance framework
The organisation should maintain an approved technical security assurance framework whose main objective is to protect your most critical systems, information, and IT infrastructure. A technical security assurance framework usually includes various testing environments, security architecture, and a security logging, detection, and monitoring team, such as SOC. It may also include testing preventative, detective, and reactive security controls, skilled and certified resources, adequate tools and technology, and a cyber security risk management framework or programme.
A2. Establish a penetration-testing governance structure
The organisation should establish an appropriate governance structure to supervise and coordinate a regular penetration testing programme. A good penetration testing governance structure would typically cover all main systems in the organisation while focusing on the most critical ones, penetration testing processes and methodologies, vendor or third-party security services provider selection criteria, and a cyber assurance management framework. It should be supported by a joint management and technical team to decide on a testing scope for penetration testing, an effective change management process and a set of key performance indicators for the results of the penetration tests.
A3. Evaluate drivers for conducting penetration tests
Organisations may have many reasons for conducting penetration tests of their critical business applications or IT infrastructure. Whatever the drivers for testing, it is important to decide what the organisation wishes to accomplish through the activity. Drivers for carrying out penetration tests usually are a compliance requirement, the impact of serious security attacks on other similar organisations, the introduction of new important operational processes, business applications or IT infrastructure or a major update in the existing ones etc.
A4. Identify target environments
A good penetration testing programme should identify the target environments that need to be tested for security vulnerabilities. These are usually identified from important business processes, critical applications, sensitive IT infrastructure components and specialised equipment such as mobile devices and industrial control systems.
A5. Define the purpose of the penetration tests
A penetration testing programme should clearly define why this penetration test is needed and what it is expected to achieve. Identifying the purpose should include determining whether the tests can help the organisation find weaknesses in the implemented security controls and reduce the frequency and impact of security incidents. It may also include complying with legal and regulatory requirements such as PCI DSS, NERC, ISO 27001 and HIPAA, and assuring third parties that business applications can be trusted and that customer data protection is a top priority.
A6. Produce requirements specifications
The penetration testing programme should include defining requirements for penetration testing carried out in an organisation. Requirements for penetration testing should include consideration of important business applications, key IT infrastructure and confidential data, and the validation that tests are authorised and will not compromise confidential data. Most of the time, there will be a solid reason that forms a foundation for carrying out a penetration test which frequently includes a need for compliance or a result of an incident affecting the organisation.
A7. Select suitable suppliers
The pen testing programme should define the criteria for procuring penetration testing services from suitable third-party penetration testing organisations. The selection process should first consider the requirements of the penetration test, then identify potential service providers, and finally apply technical evaluation and selection criteria to choose one of them. The decision should be based on the reputation and track record of the vendor, value for money, research and development capability, the number of highly technically competent individuals, and strong professional accreditation of both the technical team and the service provider.
B. Conducting the penetration tests
The testing phase is responsible for the execution of the penetration test and determines and decides the process, techniques, and procedures to be used in a penetration testing assessment. This phase involves the following steps:
B1. Agree to a testing style and type
Before conducting a penetration test, it is important to agree on the appropriate testing style and type. This involves considering factors such as the organisation’s cyber security goals, the nature and criticality of the systems and networks being tested, and the potential impact of a successful attack. It also includes deciding which testing methodology will be employed: black-box, grey-box or white-box penetration testing.
B2. Identify testing constraints
It is important to identify any obstructions or hindrances that may affect the execution of the penetration test, such as regulatory compliance, technical or resource limitations, or legal restrictions. Identifying these constraints will help ensure the pen test is appropriately scoped and focused on addressing the organisation’s security requirements.
B3. Produce scope statements
This phase ensures the penetration test is appropriately scoped and targeted to address the organisation’s specific security needs. It is important to produce well-defined scope statements highlighting the systems, networks, or applications to be tested, testing goals and objectives. It should also include the follow-up exercises and should be signed off by all relevant parties before commencing the penetration test.
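A scope statement is only useful if it is enforced while testing. The following is an added example (not from the CREST guide or from Cyphere) of a small pre-flight check that a tester can run over recon output before pointing any tool at a host: it accepts a target only if it is explicitly in scope, not excluded, and the agreed testing window is open. The scope data, hostnames and IP ranges (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Scope-statement enforcement helper (added example; constructed scope data)."""
import ipaddress
from datetime import datetime, time

# Hypothetical, constructed scope statement signed off with the client.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.0/25"],  # TEST-NET ranges
    "in_scope_hosts": ["app.example.test", "api.example.test"],
    "excluded_networks": ["203.0.113.250/31"],  # e.g. production database pair
    "excluded_hosts": ["sso.example.test"],
    "testing_window": (time(22, 0), time(6, 0)),  # 22:00 to 06:00 local time
}


def _host_in_networks(host, networks):
    """True if host is an IP address inside any of the given CIDR ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return False
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def in_scope(target, scope=SCOPE):
    """Exclusions win over inclusions; anything not listed is out of scope."""
    if target in scope["excluded_hosts"] or _host_in_networks(target, scope["excluded_networks"]):
        return False
    return target in scope["in_scope_hosts"] or _host_in_networks(target, scope["in_scope_networks"])


def in_window(now, window):
    """True if the clock time of `now` falls inside the agreed window."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window crosses midnight


def authorised_targets(candidates, now, scope=SCOPE):
    """Filter recon output down to what may be tested right now."""
    if not in_window(now, scope["testing_window"]):
        return []
    return [c for c in candidates if in_scope(c, scope)]


if __name__ == "__main__":
    recon = ["203.0.113.10", "203.0.113.250", "192.0.2.1", "sso.example.test", "api.example.test"]
    print(authorised_targets(recon, datetime(2024, 1, 1, 23, 0)))
```

The default-deny rule (a target must be positively listed, and any exclusion overrides an inclusion) is the point: a tester who widens scope by accident because a subnet "looked in range" has no authorisation for that traffic.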
B4. Establish a management assurance framework
To ensure that organisations carry out penetration testing effectively and consistently across the organisation, it is necessary to decide upon a management assurance framework. A good assurance framework defines roles and responsibilities for both the client and the service provider and provides oversight and accountability for the entire pen testing process.
B5. Implement management control processes
These processes ensure that the assessment is actually carried out in line with the agreed assurance framework. They should include procedures for quality assurance, risk management, change control and incident response (for example, what happens if a test causes an outage or uncovers evidence of an existing compromise).
B6. Use an effective testing methodology
An effective and solid penetration testing programme should be based on a strong testing methodology that ensures that the test is conducted in a structured and systematic manner. This methodology should include all the essential penetration testing steps, such as reconnaissance, enumeration, vulnerability analysis, and exploitation, and should be based on proven approaches for carrying out a comprehensive penetration test.
B7. Conduct sufficient research and planning
Before starting the activity, appropriate research and planning should be done to ensure that the pentest is properly scoped and focused on addressing the organisation’s specific cybersecurity needs and requirements. This phase should include gathering information on the in-scope systems, networks, or applications, identifying potential attack vectors, and determining the appropriate testing methodologies.
B8. Identify and exploit vulnerabilities
During the execution of the exercise, CREST pen testers should be able to identify and exploit vulnerabilities in a target system, network, or application in a safe and controlled manner. This involves using various testing techniques and tools to discover and exploit vulnerabilities, such as:
- Injection flaws
- Flawed business and application logic
- Broken access controls
- Buffer overflows and other memory-safety flaws
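Two of the weakness classes in the list above, injection and broken access control, as an added example that is not from the CREST guide or any real system: each is shown as the vulnerable pattern next to its hardened form, and a tester-style payload is run against both so the difference is observable. The schema, accounts and invoice data are constructed for illustration.

```python
"""Vulnerable vs hardened snippets for injection and broken access control (added example)."""
import sqlite3


def _db():
    """Constructed in-memory database with two users and two invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.execute("CREATE TABLE invoices (id INTEGER, owner_id INTEGER, amount INTEGER)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(100, 1, 250), (101, 2, 999)])
    return conn


# --- Injection flaw: string-built query vs parameterised query ---
def login_vulnerable(conn, username, password):
    # User input is concatenated into the SQL text, so quotes in the input change the query.
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    # Placeholders keep the input as data; the query structure cannot be altered.
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


# --- Broken access control (IDOR): missing ownership check vs enforced check ---
def get_invoice_vulnerable(conn, caller_id, invoice_id):
    # caller_id is never used: any authenticated user can read any invoice by id.
    return conn.execute("SELECT amount FROM invoices WHERE id = ?", (invoice_id,)).fetchone()


def get_invoice_fixed(conn, caller_id, invoice_id):
    # Ownership is part of the lookup, so the object is only returned to its owner.
    return conn.execute("SELECT amount FROM invoices WHERE id = ? AND owner_id = ?",
                        (invoice_id, caller_id)).fetchone()


def demo():
    """Run one classic payload against each pair and return what the tester observes."""
    conn = _db()
    bypass = "' OR '1'='1"  # classic authentication-bypass payload
    results = {
        "sqli_vulnerable": login_vulnerable(conn, "alice", bypass),   # logs in as user 1
        "sqli_fixed": login_fixed(conn, "alice", bypass),             # None
        "idor_vulnerable": get_invoice_vulnerable(conn, caller_id=1, invoice_id=101),  # bob's invoice
        "idor_fixed": get_invoice_fixed(conn, caller_id=1, invoice_id=101),            # None
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Both fixes are structural rather than input-filtering: the parameterised query removes the interpretation of input as SQL entirely, and the ownership predicate makes the authorisation decision part of the data access instead of something a caller is trusted to have done earlier.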
B9. Report key findings
Once the assessment is complete, the penetration testing team should produce a comprehensive report that describes the key findings and highlights recommendations for mitigating and addressing any identified vulnerabilities. It is then presented to stakeholders and subject matter experts.
A good penetration testing report should include a high-level summary of the testing methodology and key findings, an executive summary explaining the current security posture, and a dashboard showing the number of vulnerabilities identified at each severity level. It should be followed by a detailed technical section that gives reproducible evidence for each successful exploitation and, finally, the recommendations and remediation steps needed to mitigate the identified issues.
C. Follow up
Once a CREST pen test is complete and any identified vulnerabilities have been addressed, it is important to reduce risks in the long term and across the organisation. Hence a series of follow-up activities are carried out, which finally improves the overall cyber security posture of the organisation. These follow-up post-technical delivery activities include taking the following steps:
C1. Remediate weaknesses
The penetration testing programme should specify that weaknesses found during testing are to be remediated, following an agreed and approved remediation process so that the identified vulnerabilities cannot simply be exploited again. Appropriately qualified and experienced technical security professionals should carry out this work, and fixes should be retested before they are closed.
C2. Address the root cause of weaknesses
This phase helps identify the root cause of the vulnerabilities rather than just addressing the findings themselves. This helps prevent the same vulnerabilities from reappearing in the future. Root cause analysis should include identifying the actual root causes of security issues, not just the symptoms of an attack, and determining the potential risks and threats to the business.
C3. Initiate improvement programme
The improvement programme is based on the lessons learned from the activity. It should focus on improving the organisation’s overall security posture rather than only fixing the individual vulnerabilities. This relies on applying the lessons learned and good cyber security practices organisation-wide, creating strong cyber security policies, and deciding and agreeing on future testing.
C4. Evaluate penetration testing effectiveness
This phase evaluates the effectiveness of the penetration testing programme to identify areas for improvement. The evaluation should consider whether the requirements were met, whether the scope and objectives of the exercise were appropriate, the methodologies used, the usefulness of the results, and whether value for money was obtained from the service provider.
C5. Build on lessons learned
Building on the lessons learned from the penetration testing activity is important to improve the organisation’s security posture continuously. This encompasses implementing changes to policies and procedures and implementing necessary security controls based on the identified vulnerabilities and root causes.
C6. Create and monitor action plans
Creating action plans to address the discovered vulnerabilities and root causes and monitoring progress helps ensure the necessary changes are being implemented.
There are several CREST related topics we have covered extensively you might want to explore:
- Learn about the CREST Defensible Penetration Test (CDPT) and business benefits
- What is a CREST-approved provider, and why choosing a CREST-certified company is important?
- Understanding the CREST accredited penetration testing
- Your guide to CREST vulnerability assessments
- Get to know the CREST penetration testing maturity model
- CREST Certification benefits, cost, OSCP equivalent and other details
- CREST penetration testing maturity model, tools and management guide
How to acquire registered ethical security testers?
CREST offers a wide variety of cyber security certifications that are designed to assess the technical skills and knowledge of individuals working in the cyber security industry. These certifications offered by CREST are a great way for cyber security professionals to showcase and prove their skillset and expertise in the community. Each certification offered by CREST is valid for three years, after which the registered ethical security tester has to take the exam again to renew their credential.
CREST covers cyber security certifications in three domains, i.e. penetration testing, threat intelligence and incident response. Each of these domains has its own sets of certifications according to the skillset, expertise and relevant, professional field experience.
Penetration testing is a comprehensive and rigorous assessment that leaves no stone unturned and provides in-depth visibility of the current cyber security posture of an organisation.
With CREST-accredited pentesting services, an organisation can greatly improve its current state of cyber security, protecting itself from potential cyber threats and cyber attackers, eventually improving cyber resilience.
CREST-certified penetration testing organisations (also called CREST member companies or companies that achieve CREST accreditation) are among the best pen testing services providers globally, especially in the UK.
The pen testing guide provided by CREST gives organisations a holistic view of how a comprehensive pentesting assessment should be carried out.
Cyphere is a CREST-certified company that offers CREST penetration testing and vulnerability assessment services. Get in touch with us at Cyphere and schedule a free call to discuss more about the CREST pen testing guide, penetration testing maturity model, the cyber security certifications that CREST offers, and which CREST certification you should choose.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.