Introducing the CREST Defensible Penetration Test
Published: 16th November 2023 | In: Insights
The true cost of a data breach for a given organisation is difficult to forecast, but it is expensive. Loss of revenue from disruption to business continuity, legal fees, regulatory fines such as those imposed under the UK GDPR, and incident response can all contribute to the total cost of a breach.
Proactively addressing an organisation's security posture is a much cheaper option. Security testing services are an excellent tool for increasing resilience to a breach: they allow an organisation to identify weaknesses and then remediate them or apply compensating controls for any risks identified.
Penetration testing is an effective security testing method in which the implementation, configuration and maintenance of an application, service or infrastructure are evaluated. This gives the organisation visibility of its weaknesses, so that remediation or compensating controls can be applied.
That said, the budget available for investment in security is capped, and security testing is only one of many investments competing for it. It is therefore important to ensure that services are procured efficiently.
Quorum Cyber, as a CREST accredited provider, offers the CREST Defensible Penetration Test (CDPT) to organisations. This gives them the opportunity to select a penetration testing vendor that will perform a commercially recognised engagement that requires competent individuals to be involved with all aspects of the project, as an alternative to the cheapest or most available vendor.
Scoping
The CDPT does not dictate a scope. Instead, the scope is agreed in consultation with a suitably skilled, certified tester. After guidance has been given on the attack surface associated with the technology to be tested, the goals and objectives of the penetration test are agreed and tailored to the specific needs of the organisation.
An engagement can include testing typical technologies such as infrastructure, thick client, web and mobile applications, mobile devices, or cloud security architectures, or something slightly more bespoke.
Delivery
During the testing phase, our team of certified professionals uses a variety of tools and techniques to identify vulnerabilities in the organisation's systems and networks. We use a combination of automated and manual testing to ensure that the possible attack vectors are explored.
At Quorum Cyber, we are proud to be a CREST-accredited provider of penetration testing services. Our team of experienced professionals has undergone extensive training and certification to ensure that we deliver high-quality and defensible penetration tests that meet the needs of our customers.
Sign-off
Finally, during the reporting phase, we provide a detailed report that outlines the vulnerabilities that were identified, steps to reproduce, as well as recommendations for remediation. Our reports are designed to be easily understood and actionable, so that our customers can take immediate steps to improve their security posture.
The report must be validated against the original scope, ensuring that all elements have been tested, accompanied by a statement of totality. The sign-off phase must be undertaken by a tester of a certified level or equivalent, ensuring quality assurance.
CREST is a globally recognised organisation that provides accreditation to companies that deliver penetration testing services. CREST accreditation ensures that the provider has met rigorous standards for technical expertise, methodology, and quality assurance.
By choosing Quorum Cyber as your security partner, you can be confident that your organisation is receiving a defensible penetration test that meets industry best practices.
If you require consultation regarding a requirement, we are here to help. Please contact your account manager if you would like to discuss this service.
Author
Miguel Marques
Head of Offensive Security. With over 25 years’ experience in cyber security, computer and network security, he has multiple industry certifications from different organisations like CREST, SANS, Microsoft and Offensive Security. Prior to joining Quorum Cyber, Miguel held roles with Commissum (Eurofins Cyber Security UK), 7 Elements, SysValue, LASEF, Rede das Novas Licenciaturas, and TropicalNET. Miguel is also the organiser of Edinburgh's Defcon Group, DC44131.