Portcullis Computer Security, information security specialist, has assisted CREST, the not-for-profit organisation that represents and certifies the technical information security industry, Bank of England, and Her Majesty’s Treasury and Financial Conduct Authority in developing the new CBEST penetration testing standard.

The standard was created to address the security testing requirements of firms demanding more than could be delivered through traditional assurance services, and to improve and test resilience to the increasingly sophisticated threats and attackers. As such, CBEST currently represents the top tier of services within the penetration testing industry, sitting above the normal CHECK and CREST services.

Security specialists and testing organisations must achieve the new CREST Simulated Target Attack & Response (STAR) certification in order to deliver services to the CBEST standard. As an organisation certified under the new CREST STAR, Portcullis is amongst the first that can undertake CBEST tests for its clients.

“One of the key features of the framework is an agreed approach to testing high value systems,” says Tim Anderson, commercial director, Portcullis. “Historically, the fear of downtime made it challenging to test key systems, which is counter productive because these systems are considered key for a reason and therefore likely to be targeted. There has also been a move to break the constraints of typical assurance projects, which were often focused around particular systems rather than particular threats.

“By taking a more threat-centric approach and reviewing the same systems that would be involved in a real-world attack, including high value systems, it is possible for organisations to get a better understanding of their current security posture in relation to sophisticated, persistent attacks.”

To help shape the test scopes, there is access to an intelligence feed which provides a commentary on the nature of the latest attacks, such that the testing can closely mimic the live situation.

While the scheme has been primarily created for the benefit of financial services companies, as they have traditionally been one of the most targeted sectors, these principles can be applied to tests for any sector.

“Standardisation of this type of testing is excellent for the industry and underlines the approach that Portcullis has been using over the last few years. We have been working with clients to overcome the limitations of a traditional approach to information assurance by using threat intelligence in order to focus on risk and subsequently prioritising those systems most likely to be targeted. In terms of the testing itself, taking a more scenario based approach has allowed Portcullis to evaluate real-world exposures across a range of interconnected systems rather than just reviewing systems in isolation,” concludes Anderson.