Vulnerability assessment exercises help organisations identify weaknesses in their systems before threat actors can exploit them, and the remediation that follows reduces the attack surface.
CREST is a non-profit certification and accreditation body in the technical information security industry that certifies companies that offer penetration testing, vulnerability assessments, threat intelligence, and cyber incident response services.
In this article, we’ll talk about what CREST accreditation means in the context of vulnerability assessment services, what they involve, and why they are essential to any organisation’s cyber security strategy.
What are vulnerability assessments?
A vulnerability assessment is a cyber security testing exercise carried out to detect weaknesses in an organisation’s systems, networks, and applications. Its main objective is to help organisations understand the security state of their systems and identify the vulnerabilities that cybercriminals could take advantage of.
By identifying potential known security vulnerabilities in an organisation’s IT infrastructure, vulnerability assessments aim to provide guidelines for their mitigation, which ultimately enhances cyber resilience and incident response. The assessment report can also include a risk assessment that assigns a risk score to each identified vulnerability based on its severity and potential impact on the organisation.
Vulnerability assessments (VA) and penetration testing seem similar to many businesses. However, they are separate services with separate objectives. A vulnerability assessment identifies and verifies vulnerabilities in systems and applications so that they can be fixed before they are exploited. In contrast, a penetration test goes on to exploit those vulnerabilities. Intelligence-led penetration testing goes further still, chaining multiple identified vulnerabilities to dig deeper into the systems or other IT infrastructure assets: to access sensitive data, establish an initial foothold or pivot internally across the organisational network, in the way a real attacker would.
What is CREST?
CREST stands for the Council of Registered Ethical Security Testers, a not-for-profit accreditation and certification body established in 2006 to represent the technical information security industry.
CREST’s main objective is to raise standards across the industry for intelligence-led penetration testing, vulnerability assessment, cyber incident response and threat intelligence services. It does this through a rigorous accreditation process for companies that offer such services (companies that pass are CREST members, commonly referred to as CREST accredited) and through examinations for the individuals who perform them, who obtain CREST certifications.
A company may hold multiple CREST accreditations around various disciplines, such as Penetration Testing, Incident Response, and Vulnerability assessments.
There are several related topics we have covered extensively you might want to explore:
- Your guide to CREST approved penetration testing
- CREST penetration testing guide and methodology
- Learn about the CREST Defensible Penetration Test (CDPT) and business benefits
- What is a CREST-approved provider, and why choosing a CREST-certified company is important?
- Understanding the CREST Penetration Testing Maturity Model
- CREST and CHECK Penetration Testing Explained – Which is Right for Your Business?
- CREST Certification benefits, cost, OSCP equivalent and other details
CREST has become one of the leading and most trusted names in the cyber security industry, and its accreditation is globally recognised as a mark of quality and professionalism. CREST works closely with the UK government, organisations such as the UK National Cyber Security Centre (NCSC) and the Bank of England to ensure that its standards remain pertinent and up-to-date.
CREST vulnerability assessment
CREST vulnerability assessment services are cybersecurity assessments designed to identify vulnerabilities in an organisation’s systems, networks, and applications. CREST vulnerability assessments are conducted by accredited companies certified by CREST to provide this type of cyber security service.
A CREST vulnerability assessment typically involves a comprehensive review of an organisation’s systems, networks, applications and other IT infrastructure to identify any vulnerabilities that threat actors could exploit.
After the assessment, the CREST-accredited provider issues a comprehensive report detailing the vulnerabilities found and the recommended mitigation measures. The report may also feature a risk assessment, which assigns a risk score to each vulnerability based on its severity and potential impact on the organisation.
Steps involved in a CREST vulnerability assessment
Like every other cyber security assessment, a vulnerability assessment follows a standardised approach and methodology. The following are the steps that a CREST-accredited pen testing company follows while performing a vulnerability assessment:
1. Scoping
The first step in a CREST vulnerability assessment is scoping, where the scope of the assessment is defined. This includes identifying the systems, networks, and applications that will be included in the assessment, as well as any specific testing requirements or constraints.
2. Information gathering
The next step involves gathering information about the systems and applications being assessed. This includes identifying the operating system, applications, services, and network topology.
3. Vulnerability scanning and testing
This step involves testing the assets defined in the scope for potential weaknesses, vulnerabilities or areas of non-compliance that may leave the organisation exposed. The in-scope assets are first scanned with automated tools; the results are then verified manually, which removes false positives and picks up issues that scanners miss, such as logic flaws and misconfigurations that only make sense in context.
4. Evaluation and risk assessment
After identifying the vulnerabilities in the previous step, they are assessed and sorted by the level of threat they pose and the risk they carry. The sorting uses the Common Vulnerability Scoring System (CVSS), which rates vulnerabilities on a scale of 0 to 10.
The severity bands defined by CVSS v3.x are: None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and Critical (9.0 to 10.0). A CVSS base score measures the intrinsic severity of a flaw, not the risk to a particular organisation, so the assessor also weighs exposure (internet-facing or internal), whether a public exploit exists and the business importance of the affected asset when producing the final risk rating in the report.
5. Documentation and reporting
Upon completing the assessment, a comprehensive report is created for the clients.
This report includes information on the assessment methods, the identified vulnerabilities, and the recommended remediation measures. The CREST vulnerability assessment report aims to give clients a clear understanding of the assessment process and equip them with the knowledge needed to improve their security posture, manage risk better and carry out remediation.
6. Remediation
In this step, the recommended fixes and mitigation measures provided in the formal vulnerability assessment report are to be implemented. This step is crucial as it strengthens the organisation’s security posture.
7. Revalidation
After the remediation steps are taken and the security patches are applied, the fixes are revalidated (retested) to confirm that each vulnerability has actually been closed rather than merely hidden. This closes the loop, so that the organisation maintains a strong security posture and protects itself against potential cyber threats.
Cyphere’s CREST-accredited vulnerability assessment and penetration testing services
CREST member companies employ highly skilled and experienced professionals. Cyphere’s CREST penetration testing and vulnerability assessment services are one of the most reliable ways to confirm that your organisation’s security posture is up to date and meets industry regulations and standards.
Regular vulnerability assessments help organisations stay on top of potential security risks and ensure that their systems and data remain protected, comply with regulatory bodies, and improve their overall cybersecurity posture.
By engaging Cyphere for regular vulnerability assessment services, organisations can significantly reduce their risk of falling victim to cyber attacks, protect their critical assets and improve their overall cyber resilience.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.