Established in 2006, CREST, or Council of Registered Ethical Security Testers is a non-profit membership body.
It aims to vet both cybersecurity-providing organizations and security-testing individuals on their capacities, processes, and the standard of services provided.
One of the accreditations provided by CREST is vulnerability assessments provided by companies. They are then differentiated as CREST vulnerability assessments.
CREST vulnerability assessments are the method of assessing your cyber security features and measures by CREST-certified VAPT providers for vulnerabilities, risks, or threats before they are exploited.
This article will detail the various aspects of CREST and CREST vulnerability assessments in length for your benefit.
CREST History and Mission
The CREST membership body aims for the exponential growth of the cybersecurity industry internationally. Their multi-tiered organization does this through the creation of a secure digital world by providing quality assurance for its members. Another approach is through delivering professional certifications to individuals and organizations in the cybersecurity field.
Companies with membership initially undergo a rigorous accreditation process that vets them to ensure their services are of top quality. Initially, however, the membership was solely available to organizations in the UK and worked closely with the UK government.
It initially worked with civil aviation, finance, telecommunications, and national infrastructure to support cybersecurity frameworks and standards.
The availability of memberships and its chapters have expanded to Europe, the Middle East and Africa (EMEA), the Americas, Australasia, and the UK.
CREST was established with a mission to build capability, capacity, consistency, and collaboration in the cybersecurity industry internationally through services that nurture, measure, and enhance the performance of individuals and organizations.
With over 300 quality-assured members including world-famous cybersecurity companies, their combined assured services offer an industry-leading quality of service that is tested and assured against CREST audits and accreditation processes.
This enables thoroughly vetted cyber security organizations to work with governments, national security agencies, and regulatory bodies internationally to support and safeguard their confidential information from individuals with ill intent.
Such information includes personal details, information that concerns national security, and infrastructures.
With the number of cyber threats increasing exponentially by the day, the need for competent cybersecurity professionals is also on the rise.
CREST-qualified individuals undergo rigorous professional examinations that test their knowledge, skills, and competency thoroughly at an application level.
These hard-earned certificates are internationally recognized and respected thus bolstering an individual’s career professional standards.
Accreditation by CREST is an internationally recognized badge of quality and trust for member companies.
All member companies are required to submit policies, processes, and procedures relating to their services as a part of the accreditation process.
This is then critically analyzed by the accreditation committee before CREST membership is approved for the organization. Once this is carried out, companies are required to renew their accreditations in a lighter process annually.
Customers who choose CREST-accredited services are assured that they are dealing with a trustworthy company that offers high-quality services through professional technical staff.
CREST draws on its extensive international network to collaborate and bring about a wide range of unique content to inform and support other members globally.
This is done by conducting multiple events, webinars, and workshops that allow member interactions to bring about conversations around cyber security to mold it to higher efficiency.
CREST Vulnerability Assessment
CREST vulnerability assessments are services offered by organizations that have been assessed, vetted, and accredited by the CREST body.
The CREST vulnerability assessments provided by such companies are extremely trustworthy and are even employed for assessing governmental assets and for testing the security of other confidential information.
You can expect quality services with CREST vulnerability assessments as it does not compromise on any facet involved with testing your security. From carrying out a thorough scope to final rescans, these vulnerability assessments do not leave your assets unprotected.
Initial CREST-approved vulnerability scans were only available for the UK and the governmental organization within the UK, this even included critical infrastructure.
However, now CREST-accredited vulnerability assessments can be carried out by an organization that wishes to test, assess and bring up their security to standards to a truly global level.
Steps in CREST Vulnerability Assessment
Here are the steps taken in a pentest provided by a trusty CREST-accredited vulnerability assessment provider for a CREST vulnerability assessment.
During the initial phase, a scope is agreed upon by the vulnerability assessment providers and the customer. which details the number of assets to be audited, the rules of assessment, and the understanding of the needs of the client.
Proper scoping is required for a thorough CREST vulnerability assessment, to avoid scope creep and legal troubles in the future.
The second phase of the CREST assessment is where the assets are scanned and audited for any vulnerabilities or areas of non-compliance that endanger data safety by the CREST-accredited vulnerability assessment provider.
The vulnerabilities discovered during the vulnerability assessment are evaluated, and categorized based on the threat’s severity. This is done according to CVSS (Common Vulnerability Scoring System) scores in which 8-10 represents critical vulnerabilities, 5-7 medium-level vulnerabilities, and 1- 4 low-level vulnerabilities.
Once the assessment is complete, a detailed report is generated for the customers to help them understand the measures taken, vulnerabilities found, remediation measures that can be opted for, and help with good documentation of security.
The report will contain remediation measures for the vulnerabilities found on them. These vulnerabilities are to be remediated and patched based on criticality, the ones with high criticality should be patched immediately.
Once the patches are made the assets are scanned again to verify the airtightness of the fixes made and to make sure there are no further vulnerabilities.
Pros Of CREST Vulnerability Assessments Over Pentests
Regular CREST vulnerability assessments or pentests form the backbone of maintaining the security and protection of your sensitive data and assets.
However, when opting between the two, CREST vulnerability assessments do have a few pros over penetration tests as listed below.
- Vulnerability assessments are a quick and easy solution.
- It is also far more affordable when compared to the traditional methods of penetration testing which can weeks based on the size of scope and manpower.
- Vulnerability assessments can be automated which saves copious periods of time and energy.
- Automated CREST vulnerability assessments can also be carried out continuously like weekly, monthly, or quarterly unlike pentests which are carried out far more sporadically.
- Vulnerability assessment results are vetted by professionals to weed out the false positives, thus saving your time considerably.
Here are some of the cons of vulnerability assessments over pentests:
- Vulnerability assessments aren’t as comprehensive as pentests.
- Doesn’t confirm the exploitability of a vulnerability.
- False positives are a possibility that needs to be vetted.
Benefits of CREST Vulnerability Assessment
Here are some of the benefits of carrying out vulnerability assessments by CREST-vetted providers:
- Improvement in your technical environment would help reduce support calls.
- A reduction in incident expenses.
- Allows one to have greater confidence in the cyber security of your assets.
- Increases awareness of the need for regular automated vulnerability scans and periodic vulnerability assessments for the continuous upkeep of cybersecurity.
- Professionals who work to test your asset security will be a skilled, component, and knowledgeable in vulnerability assessments.
- Members of CREST have an insider track on keeping up with the evolving cyber threats and the constantly shifting needs of cybersecurity.
- CREST accreditation is a gold standard certification that provides a sense of security and trust in services provided by member companies.
Areas Reviewed For CREST Vulnerability Assessment And Pentesting Accreditation
The whole application made for the accreditation of your organization for CREST vulnerability assessments or pentests is divided into the following general categories:
- General company details
- Human Resource Management, including vetting
- Use of contractors
- Quality policies and procedures
- Information Security policies and procedures
- Contract management
- Complaint handling
Areas that are reviewed specifically for vulnerability assessments and penetration test providers look slightly different:
- Vulnerability Assessment Providers
- Preparation, planning & scoping
- Tools & resources
- Scan execution
Some of the CREST accreditations have additional steps like in the case of vulnerability assessment accreditation where a final technical assessment is carried out to test the capability of provider and their use of tools.
- Penetration Test Providers
- Preparation & scope
- Assignment execution
- Post technical delivery
- Asset/Information/Document Storage, Retention, and Destruction
It is evident that the criteria for both processes look quite different as they have different objectives to fulfill from their functioning.
Vulnerability assessment CREST accreditation requirements focus more on the tools and resources used, and the execution of the scan itself.
Whereas, accreditation for pentests focuses on scanning and exploitation, its post-technical delivery, and document storage and destruction to ensure that no sensitive vulnerability-related information is leaked.
CREST Requirements For Accreditation
CREST has 4 major requirements that need to be met by potential companies in order to achieve CREST certifications. These requirements are applicable to both penetration testing and vulnerability assessment providers.
- Companies operating processes, procedures, and standards.
- Personnel security and development
- Testing approaches and methodologies
- Security applied for data protection.
Interested organizations and individuals in cyber security can not only apply to CREST vulnerability assessments alone but rather to CREST penetration testing, cyber security incident responses, and SOC as well.
Information and data are constantly on the move or stored digitally by most public and government agencies.
This makes regular CREST vulnerability assessment a priority for such organizations to ensure the safety of their systems from any vulnerabilities, risks, or threats.
Thus, it is wise to conduct CREST- vulnerability assessments from CREST-member companies that make the job of security easier for you.