
CREST Information


don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Sep 01, 2010 8:55 am

CREST Information

As many of you may know, CREST is a UK non-profit offering credentials in ethical security testing. They are making attempts to move out of just providing credentials in the UK and are moving into the US market and eventually go global.

I'd like to talk to any EH-Net reader about their thoughts and experiences with CREST. Please PM me with your thoughts on the org and their offerings.

For those who don't know, here is the about section:


CREST is a not for profit organisation and is governed by a formal Memorandum of Association (MOA) as a company limited by guarantee. Under this MOA, companies are invited to join a trade association as members, subject to certifying that they meet the minimum standards of ethics, methodologies, and technical capability.

In contracting a CREST member organisation to perform a security test, a client can feel secure in the knowledge that the work will be carried out to rigorous standards by qualified, knowledgeable individuals.

Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations' operational and technology risk management programs. Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed standards and practices.

CREST (Council of Registered Ethical Security Testers) was created in response to the need for regulated and professional security testers to serve the global information security marketplace. CREST's main aim is to represent the information security testing industry and offer a demonstrable level of assurance as to the competency of organisations and individuals within those approved companies.

CREST is a standards-based organisation for penetration test suppliers incorporating a best practice technical certification programme for individual consultants. Additionally, CREST provides its members with a framework of guidance including standards, methodologies and recommendations aimed at ensuring the very highest standards of leading-edge security testing.



For more info:
http://www.crest-approved.org/

Don
CISSP, MCSE, CSTA, Security+ SME

charliemong

Newbie

Posts: 27

Joined: Wed Aug 25, 2010 10:49 am

Location: UK

Post Thu Sep 02, 2010 9:00 am

Re: CREST Information

Hi Don,

I would be interested in what you find out about these guys as a company. The 7Safe guys have mentioned that they do 2 courses that get you CREST qualified. Would just be out of interest now though.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Sat Sep 04, 2010 1:47 pm

Re: CREST Information

Yes, I have also heard the same thing from Ian Glover at a conference here in the UK recently. I am hoping we get some answers to this one as the CREST CCT Infrastructure exam also gives you CHECK Team Leader status, which is pretty much the certification pen testers in the UK want to have. They have also released an intermediate level CRT which is next on my list!

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Sep 16, 2010 4:06 pm

Re: CREST Information

NBISE is now accepting registration for beta CREST exams

http://nbise.org/certifications.php
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Thu Sep 16, 2010 8:36 pm

Re: CREST Information

I always see that certification. It looks interesting and pricey too.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

JrGong

Newbie

Posts: 3

Joined: Wed Sep 22, 2010 9:15 pm

Post Wed Sep 22, 2010 9:28 pm

Re: CREST Information

I am scheduled for Oct. 18th to take the CRT in Orlando. I currently hold a CCNA, CWNA, OSCP, Security+. I have been looking around for study material for the CREST exams and it seems to be non-existent. If anyone else is taking it and is interested in studying, please feel free to drop me a PM.

Also for a little background, to be able to touch .gov systems in the UK you have to be CHECK certified by CESG (guessing it's similar to the NSA here). CREST certs are a requirement to become CHECK certified, so from what I understand CESG helped define the objectives, etc.

http://www.gchq.gov.uk/about_us/cesg.html  <-- Info about CESG
http://www.cesg.gov.uk/products_service ... ndex.shtml  <-- Info about CHECK

*Disclaimer*  This is just from what I have read and gather from talking to people in the UK
Last edited by JrGong on Wed Sep 22, 2010 9:56 pm, edited 1 time in total.

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Sep 24, 2010 12:31 pm

Re: CREST Information

I'm also scheduled for the CRT in Orlando. I'm still debating this week whether I'm actually willing to pony up 600.00 for an exam I don't know much about, or if I'd be better off paying for that GCIH challenge I keep meaning to take (am a class alumnus but never took the exam and will need it for GSE). If anyone has more info I'd appreciate it. The following link may help in preparation.

http://www.crest-approved.org/crest-notes-for-candidates-CRT-v1.1.pdf

Feel free to hit me up if you want to coordinate study. For pentesting certs I have GPEN and GAWN only (in addition to CISSP, CISA and some other GIAC and other industry certs).
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

JrGong

Newbie

Posts: 3

Joined: Wed Sep 22, 2010 9:15 pm

Post Fri Sep 24, 2010 1:21 pm

Re: CREST Information

Thought I would just also add that the pilot exam is the EXACT same exam as the one in the UK.  So if you take it you will be 'officially' CREST certified, regardless of what becomes of NBISE.

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Sat Sep 25, 2010 7:26 am

Re: CREST Information

@ JrGong - There is indeed no "official" reading or training for the CREST certification. I know a few people who have performed the CCT level certifications and they have confirmed that as long as you know the information on the syllabus and have a few years' experience pen testing you should be ok. It certainly IS NOT an easy certification and is very far from CEH level. I am intending to do the CRT (intermediate level) here in the UK at the end of the year :)

http://www.crest-approved.org/crest-tec ... s-v1.3.pdf

JrGong

Newbie

Posts: 3

Joined: Wed Sep 22, 2010 9:15 pm

Post Sat Sep 25, 2010 5:28 pm

Re: CREST Information

Thanks for the info T_Bone. I think I have most of the knowledge that is on the syllabus but I do not have any experience doing pentesting, so I'm brushing up on methodologies etc.

trighger

Newbie

Posts: 2

Joined: Sun Dec 10, 2006 4:46 pm

Post Sat Oct 30, 2010 9:37 am

Re: CREST Information

Having researched a lot of options I decided to take the CAST course because I wanted to prep for the CREST application tester exam and it is a hands on course aligned with CREST.

Having gained the CSTA and CSTP certs with 7Safe previously (I am in the UK), I found the CAST exam to be a major step up in terms of the learning level.  It is designed to make you think, and our instructor was an experienced pen tester. The exam was a series of challenges - and in the end about 30% of us managed a pass.

I understand this is being offered in the US as well, what with CREST becoming an international standard. 

http://www.7safe.com/application_security_training_course.htm

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Mon Nov 15, 2010 5:44 pm

Re: CREST Information

@ trighger

Wow that course does sound pretty difficult if only 30% passed. Sounds like it would be good prep for the CREST CCT level if this is the case :)

Amidamaru

Newbie

Posts: 14

Joined: Wed Jan 05, 2011 10:55 am

Post Mon Feb 04, 2013 10:27 am

Re: CREST Information

Hi guys,

Any thoughts about what kind of study requirements are needed for the CREST Registered Tester Certification Examination, CREST's entry level certification?

Today I was informed that I must aim for it if I want to make an extra buck for my family.

Also, if I don't ask for too much, which might be the study papers that should be used for "acquire the target"?

I mean I'm trying to get "intel" about how difficult it will be, based on the "know your enemy" before anything else concept :)

Thanks much,

-Johnny
"A genius is one percent inspiration and ninety nine percent perspiration." Thomas EDISON

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Feb 04, 2013 6:40 pm

Re: CREST Information

They have indeed and somewhat unfortunately come to Australia as well.

This is the reaction from most information security professionals down under:
http://securityreactions.tumblr.com/pos ... 7872/crest


What are the extremely fair examination fees? (GST means "tax".)
- CREST Registered Tester - $1,000 + GST (GST = ~100$)
- CREST Certified Tester (Certified Web Application Tester) - $3,000 + GST (GST = ~300$)
- CREST Certified Tester (Certified Infrastructure Tester) - $3,000 + GST (GST = ~300$)

These fees only include the certification (and examination process), for this non-profit company.

As they have a hand in the government, CREST may become mandatory in Australia.


Syllabus
CRT - Registered Tester:
http://www.crestaustralia.org/docs/cres ... t-v1.0.pdf
http://www.crestaustralia.org/docs/cres ... s-v1.0.pdf

CCT - Certified Web Application Tester:
http://www.crestaustralia.org/docs/cres ... t-v1.0.pdf
http://www.crestaustralia.org/docs/cres ... s-v1.0.pdf

CCT - Certified Infrastructure Tester:
http://www.crestaustralia.org/docs/cres ... t-v1.0.pdf
http://www.crestaustralia.org/docs/cres ... s-v1.0.pdf


Random facts and opinions:
- Does it expire? Yes, I think it's every 4 years or so. Wouldn't be much of a non-profit if all their uhm, zero profits isn't recurring.
- What's up with the price? It's not really a non-profit company when you have to pay that much for a certification.
- How's the exam, technology wise? You're tested in both current AND seriously outdated information, some of it which a penetration tester may never see or need to hear about.
- How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
- These practical questions, what are they? Some of them are related to e.g. Blind SQL Injection, where you have to pretty much dump an entire database, where tools such as sqlmap do not work, so you end up having to do it manually, which costs you too much time, so you fail and will have to take a retest, which is around 1000$ more, plus GST.
- Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc, yet, these people fail too.
- What's the best way to prepare for this exam? Check out the syllabus (region wise), and study all topics in depth. You will definitely be tested in topics you most likely don't need in your job. (i.e. how certain protocols work, oh I forgot, this is more like a computer science exam at some points.)


What do I think? I think it's bs; it's certifications like these that make the infosec industry a joke, especially if it becomes mandatory. CRT and CCT don't make you a penetration tester or a true hacker. It's hard, yes, just like CHECK Team Leader, but it does not prove your true skill.

True skill is proven by what you have specialised in, and what you do with that skill. If you're able to think outside the box, perform advanced hacks and understand the entire process, then you've got the right skills.


Who are the leaders in courses and certifications?
- Offensive Security
- Corelan
- SANS & GIAC (SOME of their advanced courses, not all of them.)
- Immunity Inc
- SensePost (I have heard they're pretty good, not 100% sure about their courses but their name pops up all the time.)
- Some BlackHat courses (I know that these are different vendors offering courses here.)
- And probably a few others I forgot to mention.


Let's take a look at the syllabus.

First I wonder, why aren't these mentioned:
- Cross-Site Request Forgery (This doesn't seem to be mentioned, or is it under the XSS category? If so, major fail, it has nothing to do with XSS even though it can be used with XSS.)
- Local and Remote File Inclusion (Any web app pentester must know about these. And no they are NOT named code injection in case CREST named them that.)
- DNS Classes (INternet, CHaos, etc.)
- Advanced Cross-Site Scripting (As this certification is aimed at "experts" it seems, it should have at least a basic module about what's possible with XSS, e.g. http://www.exploit-db.com/vbseo-from-xs ... php-shell/ )

Now here comes my "WHY GOD WHY" section:
- Token ring (When was the last time you pentested this? I know how it works, but seriously, this isn't a computer science exam.)
- Generating ICMP packets (LOL? Yes, you can use Scapy, hping3, or for that sake "ping"; all of them can generate ICMP packets for you. Some of them can generate one type (ping), while some can be used to generate virtually all (hping3 and Scapy). But why? Why do you need to be able to prove this?)
- rusers (When was the last time you were able to execute this command? 10, 20 years ago?)
- rwho (When was the last time you were able to execute this command? 10, 20 years ago?)
- finger (When was the last time you were able to execute this command? 10, 20 years ago?)
- Berkeley r* services? (When was the last time, or how often have you seen these enabled? I have seen some once or twice over the last year or so, but were they listening on the Internet? No.)
- CRLF Attacks? (LOL, seriously? Call it header injection ffs.)


As I haven't taken the exam yet, but friends have and even right now, some colleagues are taking the certification, the picture I have had drawn out by them doesn't seem pretty.
I'm an InterN0T'er

Amidamaru

Newbie

Posts: 14

Joined: Wed Jan 05, 2011 10:55 am

Post Tue Feb 05, 2013 5:08 am

Re: CREST Information

Woaaa....THANKS so much MaXe for such detailed overview picture.

Despite the fact that I totally agree with your sayings, especially with the security professionals' reaction, CREST has become in demand in every area under the Queen's influence.

NO CREST, no contract, almost no matter what else you eventually have. Soon they will ask for NATO clearance as well.

However, I like their CRT syllabus. It's a well structured, awesome learning guide though.

I'll check the rest of the certification providers that you pointed me to and I'll go to my boss for a further talk.

-Johnny
"A genius is one percent inspiration and ninety nine percent perspiration." Thomas EDISON