With a legacy spanning over a decade, CRESTCon Europe stands as the premier conference and exhibition within the technical cybersecurity industry. Hosted by CREST, the esteemed international accreditation and certification body, this event brings together experts who represent and support the dynamic landscape of technical information security.
On May 18th, our Zitec colleagues Adina Nichitean, Security & Data Protection Director, and Vlad Marinache, Senior Business Developer, had the privilege to attend CRESTCon 2023 held at the Royal College of Physicians.
As we unravel the insightful highlights from the conference, we turn our attention to one of the focal points that captured the industry's attention: penetration testing. In this article, we delve into the core takeaways from the first CRESTCon stream, highlighting the significance of pentesting as a first line of defense against the ever-evolving realm of cyber threats.
CRESTCon Europe 2023 - an event with a tradition in security
CRESTCon Europe 2023 provided its audience with a mix of conference streams, a CTF (Capture the Flag) room, an exhibition and demo area, and a student demo room. The agenda included 3 stream sessions and panel discussions, each with its own speakers:
- Penetration testing (techniques, tools and war stories)
- Threat intelligence & Incident response
- Industry & Regulators
In today’s digital world, the threat level has become significant. So, now more than ever is the time for the players in the cybersecurity industry to actively collaborate to secure digital assets. CRESTCon offered an unparalleled opportunity to meet high-level influencers and cybersecurity experts, as well as to share initiatives, measures and techniques to improve security postures and showcase products, solutions or services.
Penetration testing: the solution that discovers the security issues raised during CRESTCon
Council of Registered Ethical Security Testers (CREST) acknowledges and certifies professionals in the fields of threat intelligence, Security Operations Center (SOC) services, vulnerability assessment, cyber incident response, and penetration testing.
A company that has earned the CREST accreditation is recognized for offering top-notch cybersecurity services, hiring employees with the necessary skills, and adhering to the strictest regulatory and technological requirements.
In addition, the accreditation confirms that the experts have up-to-date skills and techniques to perform the best penetration tests that assess businesses' cybersecurity posture. According to Zitec’s comprehensive ebook, Exposing the weakness, testing and auditing a business’ infrastructure mitigates many of the risks before an attacker can exploit them.
For more insights regarding the benefits of a pentest and the exposed areas, download our ebook. Find out how a well-performed pentest can help.
Key cybersecurity takeaways from CRESTCon
During the first stream, 14 speakers addressed the main security issues and ways to better secure information and prevent unauthorized access to business systems or networks.
Open standards addressing the issue of data trust
- Several open standards have lately emerged to address the issue of trust in digital operations. The Coalition for Content Provenance and Authenticity (C2PA), the Content Authenticity Initiative (CAI), and the Internet Engineering Task Force (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) Working Group are just a few of the efforts focused on bringing more trustworthy data to the internet.
- As people rely more and more on automated decisions, being aware of open standards for authenticating data has become crucial for securing digital trust.
Physical security vs. cybersecurity
While cybersecurity is often addressed, there is a lack of demand for physical security testing, although physical attacks against organizations remain common.
If vulnerabilities to physical security are overlooked, adversaries can compromise and impact digital assets from within.
Remote exploitation of cars
- Mobile apps that enable remote management of vehicles are increasingly common. The issue is that sometimes these applications are not compliant with the latest security standards, and not being security compliant means vulnerabilities and security gaps that can be exploited.
- By exploiting gaps in the application API, cyber attackers can gain remote access to connected vehicles.
- Via its application, Honda allows Honda City 5th Gen car users to manage their cars remotely. The case study presented during the event depicted the risks Honda faced for not implementing appropriate security controls in its mobile application.
Attacks against educational institutions
- Educational institutions are considered a soft target; hence the rise in cyber attacks on schools and breaches in educational establishments.
- Although the security posture of the education sector needs to be improved, implementing security measures within schools is challenging, and failing to do so is a common mistake.
- During the event, the speakers called for redefining the security approach in the educational system. The solution for assessing the attack surface is penetration testing. A case study of a simulated attack was also presented by the panel of experts.
Increased attack surface in ICS and OT
- In 2022, technology associated with Industrial Control Systems (ICS) and Operational Technology (OT) faced more than 2000 common vulnerabilities and exposures (CVEs).
- To safeguard the industrial control systems, businesses must implement mitigation techniques against cyber attacks.
Weak computers and passwords in Active Directory
- Pentests are paramount for businesses because they can reveal weak computers and the risks arising from trust passwords stored in Active Directory. Passwords are prone to attacks, even if they are randomly generated.
- During the event, attendees were provided with recommendations to defend their systems in the face of these new attack avenues.
In addition to these presentations, CRESTCon offered the opportunity for networking, on-the-spot lessons and questions asked in two panel sessions:
Ask the assessor
- The audience, ranging from technical experts to business executives, had the chance to receive strategic consultancy services customized to their specific needs.
- Experienced security professionals shared their valuable insight regarding complex security concepts and how organizations can enhance their security posture.
Diversity & inclusion
- In this panel session, the speakers highlighted the reasons why diversity and inclusivity in cybersecurity are important.
- Individuals and organizations emphasized the work they had conducted to promote diversity for underrepresented groups in the industry.
The right CREST-certified partner can protect digital assets at risk
Zitec is a CREST-certified company, which ensures that our processes and controls cover the entire cycle of preparedness in preventing potential malicious attacks:
- effectiveness of the current controls, configuration and implementation
- control mechanisms that address weaknesses at the infrastructure, applications, processes or people level
- improved incident response time and procedures
- audits of security updates, new software installations, system configurations, vulnerabilities in the operating systems, and security training for employees
Leveraging penetration testing is a proactive approach that helps to strengthen businesses’ security posture. However, implementing this approach can be challenging. This is why a CREST-certified security partner can address complex infrastructures, expose vulnerabilities, and implement defense mechanisms. Contact us to discuss your security posture.