CREST Information

[don]

As many of you may know, CREST is a UK non-profit offering credentials in ethical security testing. They are making attempts to move out of just providing credentials in the UK and are moving into the US market and eventually go global.

I'd like to talk to any EH-Net reader about their thoughts and experiences with CREST. Please PM me with your thoughts on the org and their offerings.

For those who don't know, here is the about section:

CREST is a not for profit organisation and is governed by a formal Memorandum of Association (MOA) as a company limited by guarantee. Under this MOA, companies are invited to join a trade association as members, subject to certifying that they meet the minimum standards of ethics, methodologies, and technical capability.

In contracting a CREST member organisation to perform a security test, a client can feel secure in the knowledge that the work will be carried out to rigorous standards by qualified, knowledgeable individuals.

Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations operational and technology risk management programs. Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed standards and practices.

CREST (Council of Registered Ethical Security Testers) was created in response to the need for regulated and professional security testers to serve the global information security marketplace. CREST`s main aim is to represent the information security testing industry and offer a demonstrable level of assurance as to the competency of organisations and individuals within those approved companies.

CREST is a standards-based organisation for penetration test suppliers incorporating a best practice technical certification programme for individual consultants. Additionally CREST provides its members with a framework of guidance including standards, methodologies and recommendations aimed at ensuring the very highest standards of leading-edge security testing

For more info:
http://www.crest-approved.org/

Don

[charliemong]

Hi Don,

I would be interested it what you find about these guys as a company. The seven safe guys have mentioned that they do 2 courses that get you CREST qualified. Would just be out of interest now though.

[T_Bone]

Yes, I have also heard the same thing from Ian Glover at a conference here in the UK recently.  I am hoping we get some answers to this one as CREST CCT Infastructure exam also gives you CHECK Team Leader status which is pretty much the certification Pen Testers in UK want to have.  They have also released an intermediate level CRT which is next on my list!

[tturner]

NBISE is now accepting registration for beta CREST exams

http://nbise.org/certifications.php

[impelse]

I always see that certification. It looks interesting and pricy too.

[JrGong]

I am scheduled for the Oct. 18th to take the CRT in Orlando.  I currently hold a CCNA, CWNA, OSCP, Security+.  I have been looking around for study material for the CREST exams and it seems to be non-existent.  If anyone else is taking it and are interested in studying please feel free to drop me a pm.

Also for a little background, to be able to touch a .gov systems in the UK you have to be CHECK certified by CESG (guessing it's similiar to NSA here).  CREST certs are a requirement to become CHECK certified, so from what I understand CESG helped defined the objectives, etc.

http://www.gchq.gov.uk/about_us/cesg.html  <-- Info about CESG
http://www.cesg.gov.uk/products_services/iacs/check/index.shtml  <-- Info about CHECK

*Disclaimer*  This is just from what I have read and gather from talking to people in the UK

[tturner]

I'm also scheduled for the CRT in Orlando. I'm still debating this week whether I'm actually willing to pony up 600.00 for an exam I don't know much about or if I'd be better off paying for that GCIH challenge I keep meaning to take (Am a class alumni but never took exam and will need for GSE). If anyone has more info I'd appreciate it. The following link may help in preparation.

http://www.crest-approved.org/crest-notes-for-candidates-CRT-v1.1.pdf

Feel free to hit me up in you want to coordinate study. For pentesting certs I have GPEN and GAWN only (in addition to CISSP, CISA and some other GIAC and other industry certs)

[JrGong]

Thought I would just also add that the pilot exam is the EXACT same exam as the one in the UK.  So if you take it you will be 'officially' CREST certified, regardless of what becomes of NBISE.

[T_Bone]

@ JrGong - There is indeed no "official" reading or training for the CREST certification. I know a few people whom have performed the CCT level certifications and they have confirmed that as long as you know the information on the syllabus and have a few years experience pen testng you should be ok.  It certainly IS NOT an easy certification and is very far from CEH level.  I am intending to do the CRT (intermediate level) here in the UK at the end of the year 

http://www.crest-approved.org/crest-technical-syllabus-v1.3.pdf

[JrGong]

Thanks for the info T_Bone.  I think I have most of the knowledge that is on the syllabus but I do not have any experience doing pentesting so I m brushing up on methodologies etc.

[trighger]

Having researched a lot of options I decided to take the CAST course because I wanted to prep for the CREST application tester exam and it is a hands on course aligned with CREST.

Having gained the CSTA and CSTP certs with 7Safe previously (I am in the UK), I found the CAST exam to be a major step up in terms of the learning level.  It is designed to make you think, and our instructor was an experienced pen tester. The exam was a series of challenges - and in the end about 30% of us managed a pass.

I understand this is being offered in the US as well, what with CREST becoming an international standard. 

http://www.7safe.com/application_security_training_course.htm

[T_Bone]

@ trighger

Wow that course does sound pretty difficult if only 30% passed. Sounds like it would be good prep for the CREST CCT level if this is the case

[Amidamaru]

Hi guys,

Any thoughts about what kindda study requirements are need for CREST Registered Tester Certification Examination, CREST entry level certification?

Today I was informed that I must aim for if I want to make an extra buck for my family.

Also, if I don't ask for too much, which might be the study papers that should be used for "acquire the target"?

I mean I'm trying get "intel" about how difficult it will be based on "know your enemy" before anything else concept

Thanks much,

-Johnny

[MaXe]

They have indeed and somewhat unfortunately come to Australia as well.

This is the reaction from most information security professionals down under:
http://securityreactions.tumblr.com/post/32935107872/crest


What are the extremely fair examination fees? (GST means "tax".)
- CREST Registered Tester - $1,000 + GST (GST = ~100$)
- CREST Certified Tester (Certified Web Application Tester) - $3,000 + GST (GST = ~300$)
- CREST Certified Tester (Certified Infrastructure Tester) - $3,000 + GST (GST = ~300$)

These fees, only include the certification (and examination process), for this non-profit company.

As they have a hand in the government, CREST may become mandatory in Australia.


Syllabus
CRT - Registered Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-crt-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

CCT - Certified Web Application Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

CCT - Certified Infrastructure Tester:
http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf


Random facts and opinions:
- Does it expire? Yes, I think it's every 4 years or so. Wouldn't be much of a non-profit if all their uhm, zero profits isn't recurring.
- What's up with the price? It's not really a non-profit company when you have to pay that much for a certification.
- How's the exam, technology wise? You're tested in both current AND seriously outdated information, some of it which a penetration tester may never see or need to hear about.
- How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
- These practical questions, what are they? Some of them are related to e.g. Blind SQL Injection, where you have to pretty much dump an entire database, where tools such as sqlmap does not work, so you end up having to do it manually, which costs you too much, so you fail and will have to take a retest, which is around 1000$ more, plus GST.
- Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc, yet, these people fail too.
- What's the best way to prepare for this exam? Check out the syllabus (region wise), and study all topics in depth. You will definitely be tested in topics you most likely don't need in your job. (i.e. how certain protocols work, oh I forgot, this is more like a computer science exam at some points.)


What do I think? I think it's bs, it's certifications like these that make the infosec industry a joke, especially if it becomes mandatory. CRT and CCT, doesn't make you a penetration tester or a true hacker, it's hard yes, just like CHECK Team Leader, but it does not prove your true skill.

True skill is proven by what you have specialised in, and what you do with that skill. If you're able to think outside the box, and perform advanced hacks and understanding the entire process, then you've got the right skills.


Who's the leaders in courses and certifications?
- Offensive Security
- Corelan
- SANS & GIAC (SOME of their advanced courses, not all of them.)
- Immunity Inc
- SensePost (I have heard they're pretty good, not 100% sure about their courses but their name pops up all the time.)
- Some BlackHat courses (I know that these are different vendors offering courses here.)
- And probably a few others I forgot to mention.


Let's take a look at the syllabus.

First I wonder, why aren't these mentioned:
- Cross-Site Request Forgery (This doesn't seem to be mentioned, or is it under the XSS category? If so, major fail, it has nothing to do with XSS even though it can be used with XSS.)
- Local and Remote File Inclusion (Any web app pentester must know about these. And no they are NOT named code injection in case CREST named them that.)
- DNS Classes (INternet, CHaos, etc.)
- Advanced Cross-Site Scripting (As this certification is aimed at "experts" it seems, it should have at least a basic module about what's possible with XSS, e.g. http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ )

Now here comes my "WHY GOD WHY" section:
- Token ring (When was the last time you pentested this? I know how it works, but seriously, this isn't a computer science exam.)
- Generating ICMP packets (LOL? Yes, you can use Scapy, hping3, or for that sake "ping", all of them can generate ICMP packets for you, some of them can generate one (ping), while some can be used to generate virtually all (hping3, and Scapy). But why? Why do you need to be able to prove this?
- rusers (When was the last time you were able to execute this command? 10, 20 years ago?)
- rwho (When was the last time you were able to execute this command? 10, 20 years ago?)
- finger (When was the last time you were able to execute this command? 10, 20 years ago?)
- Berkeley r* services? (When was the last time, or how often have you seen these enabled? I have seen some once or twice over the last year or so, but were they listening on the Internet? No.)
- CRLF Attacks? (LOL, seriously? Call it header injection ffs.)


As I haven't taken the exam yet, but friends have and even right now, some colleagues are taking the certification, the picture I have had drawn out by them doesn't seem pretty.

[Amidamaru]

Woaaa....THANKS so much MaXe for such detailed overview picture.

Despite the fact that I'm totally agree with your sayings, especially with the security professionals reaction, CREST became on demand for each under the Queen influence areas.

NO CREST, no contract, almost no matter what do you eventually have beside. Soon they will ask for NATO clearance as well.

However, I like their CRT syllabus. It's well structured, awesome learning guide though.

I'll check the rest of certif providers that you pointed me and I'll go with to my boss for an additional further talk.

-Johnny