.

CREST Information

<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Feb 05, 2013 5:05 pm

Re: CREST Information

No problem, if you're already working in penetration testing, I suggest you aim for CRT (or CCT) as soon as possible, as it is as you say, no CREST, no contract a lot of places. When I had interviews over the phone for jobs in England, I was often asked for CHECK and/or CREST as if it would be normal for me to have them, despite never having been there before. (And since CREST only existed in the UK at that time afaik, why would anyone else have the cert when there's no need. Most people I've met that didn't come from England, had never heard of CREST.)

There are some pentest jobs in certain countries, that does require a high clearance. Well, they require it at least in Denmark and Australia for doing special type of government work naturally.

But it wouldn't surprise me if a NATO clearance will be required soon, meaning it will be even harder for newbies to get into ethical hacking. I can understand that for certain projects (when you are already having the job), e.g. here, that you're getting an extensive background check.
I'm an InterN0T'er
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Feb 05, 2013 9:13 pm

Re: CREST Information

Update:
After more and more friends have taken the exam, the picture is becoming quite clear about e.g. CRT.

For the first part, you have a lot of multiple choice questions about theory, you have 30 seconds for each question.

The next part, which most people fail, is the practical part, where you have 2 minutes for each test (total of 50 right now), in a block with 512 IP's, meaning you don't have time to scan the entire block if you want to scan all ports.

Some of these questions are e.g., there is a vulnerability on this IP, find and exploit it. You got 2 minutes.

The best part is, these questions both pratical and theoretical, are generally not that hard. They are around OSCP level, except the practical questions are a lot easier.

In fact, multiple persons have said all of the test is noob easy, but the problem is that it's almost impossible to do in the time allocated. Let me give you a hint, 3 hours in total, and there's over 170 questions in total, 120 theoretical (1 hour) and 50 questions (2 hours).

Assume you have everything open, even Metasploit.
- Read and understand the question: 15-30 seconds
- Figure out what tool to use: 0-15 seconds
- Can't remember the flags? Read the man page: 0-120. (It's easy to loose time here.)
- Run e.g. nmap with a script scan: 30 - 240+ seconds
- Run nmap again because it failed or you used the wrong switch(es): 30 - 240+ seconds
- Perform additional work which may be included in the question: 0-240+ seconds.

Does anyone else see the problem? Even an experienced pentester is not able to do all practical questions in time. It's simply almost impossible, unless you got some sort of automation and perhaps AI on your side.

If you can remember everything, you may be able to get everything right, but you have to be fast typing too, and know everything about everything including exactly how long tools and scripts takes to run.

When you do a real penetration test, does this matter? No, unless a tool is taking way too long to execute, or if you're doing an internal pentest and you only got 1 day, or an external vulnerability assessment and you have +1024 IPs, you have to plan, accordingly, what are the best ways to scan, and you may even use a distributed scanning network.

Can you use multiple laptops during CRT (CREST)? No.

I hope that they will make the questions harder, as a colleague of mine said anyone could do it, it's just time you need, and that if they make the questions harder, they either remove some of the questions, or increase the time-limit.


Another insane thing, is that if you fail CRT (1000$), or CCT (3000$), you have to, pay 1000$ or 3000$, again! A lot of pentesters have a yearly budget of 5000$. Yeah, a retest for the same price as the original certification is very reasonable, not lol.

And fyi, CREST is apparently, non-profit. Imagine a guy fails CCT x3? 9'000$, sure, non-profit. I can agree to the extremely unreasonable prices, which ONLY includes certification, there's no course-ware whatsoever. But a re-test, costing the exact same amount of money, now that's just grotesque. (i.e. super lame)


I haven't even done this exam yet, but many friends have attempted and most have failed, and I am disappointed in that CREST hasn't been shut out from the industry yet or forced to improve, as there's a lot of people complaining.

CREST, does not test a real penetration tester's skills. OSCE will test some of a penetration tester's skills, even though I must agree that I have yet to see any of the scenarios in real life, but it does force you to think outside the box and be creative, which is important as a pentester.
I'm an InterN0T'er
<<

Amidamaru

User avatar

Newbie
Newbie

Posts: 14

Joined: Wed Jan 05, 2011 10:55 am

Post Wed Feb 06, 2013 3:54 am

Re: CREST Information

Nice hints mate and again, very interesting details into the big picture. I really appreciated your help into this matter. THANKS!

I've spoken with my boss and I've let him knows that in this CREST job failure ain't an option so I need some preparation.

I've succeeded to obtain an slight delay into pursuing CRT with an intermediate goal thought, Penetration Testing with BackTrack (PWB) as a start.

Unfortunately, the company won't cover the exam expenses to I'll need to cover it with my earnings, maybe some OninePoker nights will help me out. But, as Bill Gates said, life is a bitch and military teach me very well this aspect :)

-j
"A genius is one percent inspiration and ninety nine percent perspiration." Thomas EDISON
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 06, 2013 6:58 am

Re: CREST Information

If you're a new in the infosec industry, don't even attempt CRT. You need to know theory by heart, and know the most common switches for several tools as well, and be able to solve a lot of problems fast.

Doing PWB first is a good idea, as you learn the tools, and also to use other tools than the default ones, including a bit of scripting, and to think outside the box.  ;D
I'm an InterN0T'er
<<

Amidamaru

User avatar

Newbie
Newbie

Posts: 14

Joined: Wed Jan 05, 2011 10:55 am

Post Wed Feb 06, 2013 7:23 am

Re: CREST Information

I won't say new into InfoSec after 9+ years but yes, a little more than new into Pentest field.

I've already played and won with ECSA and CEH but these are just as appetizer starters into the field. I wanna move up step by step to the "Premier league".

Scripting, yes, so far I love Python.

However, I've still have a drawback about PWB training due of their new announced release of BT, KALI. Then some course changes will take place and so.

'till then I've decided to practice on the free platforms as hack.me and hackademia.us

Thanks,

-J
"A genius is one percent inspiration and ninety nine percent perspiration." Thomas EDISON
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Feb 06, 2013 2:13 pm

Re: CREST Information

MaXe wrote:- How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
[...]
- Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc, yet, these people fail too.


I haven't taken the exam myself yet, but from what I was told by people who sat for the exam, not a single one described it nearly as extreme as you did. It will certainly take quite a time before I attempt it, if at all, but I'm curious how difficult it will be.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 06, 2013 9:29 pm

Re: CREST Information

The thing is, it isn't hard questions from what I heard. It's simply the time being allocated that's extreme and these are facts just a couple of days old. The time being allocated, may variate between Australia and the UK. Also, despite that a friend thought he failed recently, he actually passed. (He didn't complete everything.)
I'm an InterN0T'er
<<

Strawp

Newbie
Newbie

Posts: 5

Joined: Wed Mar 27, 2013 10:17 am

Post Wed Mar 27, 2013 10:32 am

Re: CREST Information

This is a very interesting thread - I've been looking at getting into InfoSec and I was recommended by an experienced professional I met at an event to get a CRT cert and the job offers would come knocking on my LinkedIn profile.

My current work (I'm a developer currently) have provisionally signed off on paying for the CRT exam but now I'm thinking one of Offensive Security's courses might be a more sensible bet?

Background: I've competed in the UK Cyber Security Challenge the last couple of years and last year my prize for getting to the final was a place on 7safe's Certified Application Security Tester (CAST) course, which was great fun and I completed it with full marks. I really can't afford to resit CRT with my own money at the moment and this thread is about the most information I've found out about what kind of level the syllabus is set at. The whole thing just seems very opaque and not very helpful for someone in my position.

Can anyone recommend an alternative to CREST that would increase my employability and maybe have some actual course materials available?
<<

UKSecurityGuy

User avatar

Jr. Member
Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Wed Mar 27, 2013 11:13 am

Re: CREST Information

Background - I'm a security engineer working in the UK, who works on government systems performing Pen tests.

It depends on what you're looking for Strawp. There are only two examinations that I know of that will allow you to work on government systems in the UK (and obtain CHECK status). One is CREST, and the other is Tiger.

If you want to do Pen testing in the UK you effectivally have to do government work, which means obtaining one of the above certifications (either junior lever or senior level).

If you're looking at jumping right in at decent money, you need to have CREST/Tiger already. The reason being is that you can't touch govenment systems without one of those certs, so the Pen testing companies can't really get you doing much for them, apart from the odd PCI check and some bank stuff.

If you don't mind being on a lower wage for a small amount of time (assuming you can pass the junior exams fairly quickly), any decent Pen testing cert (SEC560, OSCP, etc) will get your foot in the door with a Pen testing company here. From there they'll push you through the junior CREST/Tiger certs, and then the senior certs, so you can obtain CHECK Team Leader status, and perform government testing on your own (juniors are not allowed to test government systems without a team leader being present).

Hope that makes sense.
<<

Strawp

Newbie
Newbie

Posts: 5

Joined: Wed Mar 27, 2013 10:17 am

Post Wed Mar 27, 2013 11:22 am

Re: CREST Information

Is Tiger less opaque?
<<

UKSecurityGuy

User avatar

Jr. Member
Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Wed Mar 27, 2013 11:26 am

Re: CREST Information

From what I hear from the guys that have taken it - the Tiger exams are slightly easier than CREST, but the CREST certifications are more respected.

Both of which have to be reviewed by CESG (GCHQ) to award the same status (CHECK tester) so I imagine that they're going to be fairly similar.
<<

Strawp

Newbie
Newbie

Posts: 5

Joined: Wed Mar 27, 2013 10:17 am

Post Wed Mar 27, 2013 11:29 am

Re: CREST Information

I guess this goes back to the question in the original post then: How do you prepare for the CRT exam?
<<

UKSecurityGuy

User avatar

Jr. Member
Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Wed Mar 27, 2013 11:34 am

Re: CREST Information

Join a Pen Testing company ;)

I hear that the 7safe course is pretty good http://www.7safe.com/ethical_hacking_course-technical_hands-on.htm for prep work.

I wanted to jump directly into CHECK Team Lead (Infrastructure) status, but there wasn't much information around for that, so I went the other route and decided to go down the GPEN path, to be followed up by OSCP at a later date.
<<

Strawp

Newbie
Newbie

Posts: 5

Joined: Wed Mar 27, 2013 10:17 am

Post Wed Mar 27, 2013 11:39 am

Re: CREST Information

UKSecurityGuy wrote:Join a Pen Testing company ;)


Winky smiley noted - I wanted the cert so that I COULD join a pentest company!

Maybe I'm over thinking it and it's not that hard to get into pentesting.
<<

UKSecurityGuy

User avatar

Jr. Member
Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Wed Mar 27, 2013 11:55 am

Re: CREST Information

Yeah - there is a lot of "join our company and we'll teach you how to pass an exam" in this industry.

Like I said previously, if you just want to get into Pen Testing, and you're not bothered at the level you first join at, then get any decent Pen Testing certification and then apply to one of the ever growing number of Pen Testing companies in the UK.
PreviousNext

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software