ScriptMAY 2017

The

BulletinUPDATES:

CREST’s AGM 2017CREST’s 2017 AGM took place on 10th May at the Royal College of Surgeons in London.

Rowland Johnson (Nettitude Ltd) was re-elected and Greg Jones (Digital Assurance Consulting Ltd) was elected to the CREST Executive.

Pictured is CREST Chairman, Mark Turner, NCC Group

SOC Accreditation Scheme project – how you can help As you may be aware, CREST has been running a series of workshops as part of a wider project to look at the creation of an industry SOC Accreditation Scheme. This project has been broken down into a number of areas including the development of the scheme itself and a technical accreditation project.

As part of the latter, CREST is looking for your help with two areas.

1. Volunteers to join a SOC Technical Group that will help establish the required processes, means and methods by which SOCs could/will be technically assessed, and

2. Organisations to bid for a paid project to create a SOC Assessment Platform and associated processes.

If you are interested in either of these, please contact Elaine Luck on Elaine.Luck@crest-approved.org for the background documents and information on next steps.

Please note, this is not only open to existing CREST members but other organisations who operate and have experience with SOCs too. The deadline to reply is June 1st 2017.

This is a great opportunity to be involved in developing a key part of our industry and CREST is very keen to get the right group of people together. Please do seriously consider applying for either the initial technical working group, or to put forward a proposal to help create the assessment platform.

CREST WorkshopsCREST Events Industry Events

UPDATES:Infosecurity Europe - 6/7/8 June “Infosec has always proved a great success for CREST, enabling us to meet with potential new member companies and allowing us the opportunity to describe what we do and the benefits. It also helps us to generate brand awareness by providing us with the opportunity to speak to the buying community and influencers. CREST exists to support the industry and the range of people attending both domestic and international allows us to soundboard issues with industry peers ensuring that we are addressing the real issues. Exhibiting provides a focal point for people to come and find us and allows us to catch up with all those people we have wanted to see but have not found the time or the reason. Networking is an overworked term but Infosec really provides networking opportunities at scale. In addition to our attendance, it is encouraging to see so many CREST logos on other stands. Obviously, many of our CREST member companies are also seeing the benefits of attending and exhibiting at the event”

Ian Glover, President at CREST

You will find CREST on stand A60 so please come along and say hello.

CREST position paper highlights the need to improve cyber security in Industrial Control Systems There is a pressing need to improve cyber security in Industrial Control System (ICS) environments to avoid future breaches that could impact critical national infrastructure concludes CREST in its latest position paper, ‘Industrial Control Systems: Technical Security Assurance’. The report highlights a number of challenges and suggests that more technical security testing has a significant role to play in ensuring higher levels of security assurance are met.

The report draws on the diverse views of the Industrial Control Systems and technical security communities and proposes a model for gaining greater assurance in ICS environments. It was based on the findings of a research project, which looked to set out the main challenges and possible solutions for protecting Industrial Control Systems, many of which are based on legacy technologies.

To read the full paper: http://www.crest-approved.org/wp-content/uploads/CREST-Industrial-Control-Systems-Technical-Security-Assurance-Position-Paper.pdf

Cyber Security Careers Day – De Montfort University CREST took part in a Cyber Security Careers Day at De Montfort University on Monday 8 May. The event was attended by around 40 Masters and PhD students in Cyber Security and related disciplines.

Ian Glover gave a presentation on cyber security careers and ethics, Member companies NCC and PA Consulting/7Safe also attended. It was great to talk to those potential new recruits for the future.

IP Expo Manchester CREST had a very successful two days on 26th/27th April at IP EXPO Manchester at the Manchester Central Convention Centre Complex. It was great to bump into so many members as always, but also to meet so many new people interested in examinations and company accreditation. In particular there was significant interest in CREST entry level exams with the exam booklets flying off the stand. We look forward to next year’s event on 25th/26th April 2018.

UPDATES:CRESTCon 2017

With over 500 delegates and 34 exhibitors, CRESTCon & IISP Congress was the biggest ever this year. Feedback on the event has also been excellent so we are very sad to have to say goodbye to the Royal College of Surgeons while it closes for three years for refurbishment. We are looking for a new venue and are about to sign on the dotted line….so watch this space! Thank you very much to all of our sponsors this year, without you this event simply would not be possible.

We would also like to thank those who took part in the silent auction. We raised over £600 for Barnardo’s.

Some of the slides from the day are available here: http://www.crestandiisp.com/delegates/presentations-2017/

Filmed presentations and interviews are available from the CREST YouTube Channel: www.youtube.com/crestadvocate

Bitesized interviews filmed on the day by BrightTalk are available on the CREST Brighttalk Channel: https://www.brighttalk.com/channel/13519/crest

Thank you to our sponsors:

Partners

Even

t D

iary

CRESTCon 2018 Date for your diary3rd May at Royal College of Physicians, London

Email debbie@prpr.co.uk for early bird discount sponsorship packages. Very special offers available to the first 5 sponsors to sign up.

SOC project validation workshop 24th May 2017, NCC, Kings Court, Kingston Road, Leatherhead KT22 7SL

The aim of this workshop is to validate the key findings identified during the research and analysis phases to help shape the final set of project deliverables.

Project background: CREST is running a project that is looking at the development of an accreditation scheme for the certification of Security Operations Centre (SOC) functions and professional specialists. The main objective is to establish the processes, procedures and supporting

documentation required to operate an effective SOC accreditation scheme. Many of the accreditation scheme documents will be released for use in the public domain to help promote the understanding of SOCs and the need for an authoritative, independent scheme.

This project will build on CREST’s extensive experience in developing accreditation schemes. Input will also be used from the recently completed Cyber Security Monitoring and Logging project; the existing CREST Intrusion Analyst qualification; guidance recently issued by the National Cyber Security Centre in the UK; other international initiatives identified as part of the research and CREST regional interest in the project. The scheme will produce new and updated material that can be used to support regulators, government bodies, procurement specialists and buyers of SOC services. In particular it will help the buying community to differentiate the services provided.

CREST Events:The Script MAY 2017

Bulletin

Even

t D

iary

CREST Events:The Script MAY 2017

Bulletin

Training Provider meetingSeptember - Date to be advised BSI Group, Kitemark Court, Davy Avenue, Knowlhill, Milton Keynes, MK5 8PP

CREST would like to see extension in the training portfolio offerings. This would provide structured training pathways through the different career options. CREST would like to provide a much wider access to training at different levels- for example – to allow the larger training providers to have multiple courses on the list. Currently they do not go on existing lists because of the cost of assessment.

The meeting will discuss ways that CREST can accredit training courses without

charging training providers a significant audit fee but also without dropping standards.

One of the things the meeting will examine is the feasibility of self-evaluation against CREST syllabus areas and the ability for the candidates to provide feedback on their experience. This would create more of a modern trust model and CREST would charge a small registration fee for keeping the information up to date and creating the trust model. Other potential models may be equally interesting.

This and other options will be discussed and reviewed.

If you would like to attend please email allie@crest-approved.org

The Script MAY 2017

Even

t D

iary

CREST Workshops:Bulletin

Bug Bounty Workshop28 June, 191 Fazeley Street, Digbeth, Birmingham, B5 5SECREST is running a workshop to examine and report on bug bounties in relation to the technical security industry. The workshop is to establish a view from industry on bug bounty and how the industry deals with the wider issues. To register your place email allie@crest-approved.org

Research update event5 July, venue to be advised

We are holding an event to officially launch the new penetration testing guide, the penetration testing maturity model and the Industrial Control Systems report. The event will also report on current and future CREST research and invite input. More details will be sent out in the next couple of weeks. We are looking for a member company that would be interested in offering us a venue to hold the event. We anticipate 30-50 participants with the event timings from (9.30-1.00 with facilities for lunch or 1.30-5.00 with drinks and nibbles). Please contact allie@crest-approved.org Webinars:CREST has a BrightTalk channel for hosting webinars and other videos and we will be stepping up our program of webinars in 2017 after a successful 2016. See https://www.brighttalk.com/channel/13519/crest. BrightTalk’s summit calendar for 2017 is listed below and we are looking for CREST members to take part.

June 14–16 SECURING THE INTERNET OF EVERYTHING (IOT MONTH)

Jun 14IoT & DDoS: threats, detection & response

Jun 15Hacking the smart city Jun 16Hacking the connected car

October 17–19 THE FUTURE OF CLOUD SECURITY (CLOUD MONTH)

Oct 17Protecting against the evolving threatscape Oct 18Next generation cloud security Oct 19Cloud backup & BCDR

November 14–16 THE 2018 THREATSCAPE Nov 142017’s biggest breaches and why

Nov 15Emerging threats & technologies Nov 16: 2018Threats on the horizon

If you are interested in presenting a technical webinar or would like us to host your content, then please submit your ideas for consideration to allie@crest-approved.org. We will promote, run and record on the CREST channel.

The Script MAY 2017

Even

t D

iary

Industry Events:Bulletin

Infosecurity Europe 2017Infosecurity Europe, Olympia, London 6-8 June 2017 is the region’s number one information security event featuring Europe’s largest and most comprehensive conference programme and over 360 exhibitors showcasing the most relevant information security solutions and products to 13,500 visitors. For more information and to register here. CREST is supporting and exhibiting at the event on stand A60. If you are interested in helping at this event please contact debbie@crest-approved.org IP EXPOIP EXPO is one of Europe’s leading IT events for those looking to find out how the latest IT innovations can drive their business forward. The IP EXPO event series showcases brand new exclusive content and senior level insights from across the industry, as well as unveiling the latest developments in IT. IP EXPO events are aimed at CIOs, heads of IT, security specialists, heads of insight and tech experts. For more information and to register here.

IP Expo Europe 4/5 October 2017, ExCel, London

CREST is supporting, exhibiting and presenting at the London event. If you are interested in helping on the stand please contact debbie@crest-approved.org Cyber Security Chicago Cyber Security Chicago, 18-19 October 2017, will take place at the award-winning McCormick Place. Combining world class solutions on the exhibition floor with a strategic C-Suite level keynote conference, brought to you by the same organisers as IP EXPO. For more information and to register here.

CREST is supporting, exhibiting and presenting at the event. If you are interested in helping at this event please contact debbie@crest-approved.org

The Script MAY 2017

Even

t D

iary

Industry Events:Bulletin

Cyber Security Summit & Expo – 16th November 2017After 7 successful years as the Cyber Security Summit, this year the event is re-launching as the Cyber Security Summit & Expo and moving to the Business Design Centre. Across 6 content stages, this event offers the essential toolkit for senior leaders responsible for national cyber protection and the fight against cybercrime. Cyber Security Summit is the senior leadership event focused on taking a joined-up national response to secure technology, data and networks.

For more information and to register here.

CREST will have a stand at the event and Ian Glover will be speaking.

Black Hat Europe Black Hat Europe, 4-7 December 2017, will take place at the Excel London. One of the leading information security events in the US over the last 20 years and after the success of Black Hat in the UK last year they have moved the venue to allow more delegates to attend. CREST is supporting the event and more information is to follow.

Abbey House | 18-24 Stoke Road | Slough | Berkshire | SL2 5AG

CREST is a not for profit company registered in the UK with company number 06024007.