Studying for and taking the CREST CPSA Exam

Summary

First things first though is I would like to highlight that the CPSA exam is under both the Code of Ethics , and has a NDA over it. This post is NOT about the actual content of the exam. It is merely my experience with the examination process, and the Technical syllabus. A copy of the notes for candidates covering the exam type, question examples and such is available from here and the technical syllabus is available here. Please check the CPSA Page on the crest website for the most up to date version of the notes for candidates and the Technical Syllabus. If anything on this page is deemed against the Code of Ethics or the Non-Disclosure agreement or section 1.2 of the notes for candidates then please contact me and so we can discuss what needs removing. As of the 03rd of April 2015 no content has been removed.

A quick TL;DR for this is that personally I found the exam syllabus interesting and a good intro into the CREST way of doing exams. The hard part of this exam for me was the time management for the 240 questions in the time allocated!. I found it less focused on Exploiting, more focused on Finding.

EDIT : 04/17 : This was made pre exam change. The two main differnces now are that you are no longer able to take reading lists into the exam, and that the exams are took inside a Pearson View training centre. This means the questions are just multipul choice from the exam sylabus! Apart from that, most of this applies, Good Luck!

What is the CPSA Exam?

So what is the CPSA And who should take it? The Crest Certified practitioner security analyst is the minimum required exam for being a crest team member. It sits beneath the CRT exam and looks at your core concepts of Information Security, Networking and System Administration. Focused less around further exploitation and more around being able to locate some pretty basic common security issues such as SQL injection. If you have any background in Info Sec (such as a degree, previous work experience, or just a working interest) you shouldn't find the exam too hard to get through. Its aimed at people starting in the infosec industry, so if you have already been working as a tester for a while you may want to skip straight to the CRT exam.

A Look at the Technical Syllabus

Crest exams give you the required information different from some of the other ones out there, rather than giving you a set resource list and reference material they give you a syllabus to follow and that's about it. The syllabus has 6 sections for the CPSA as quickly outlined below. There's quite a lot of cross over between this, CISSP, OSCP and CCNA so if you have done any of those before then you will find this quite easy.

Core Networking	This section covers your basic networking and network services, Do you know your IP address from your MAC address, how routing and networking works, Which IP address are non-routable? You should be familiar with this section if you have worked with networks before and you should be relatively OK here. RTFM has a nice network lookup table, and ipcalc is your friend for getting a broadcast and network address.
Security Architecture and Design	Covering some of the more common topics around security. Firewalls, Encryption and Architecture, should be second nature for any tester. You also need to be familiar with problems with BYOD and you also need to be aware of the Laws of England and how they impact your job as a tester.
Windows systems	The most common operating system you will encounter everyday, knowing which version of windows server shipped with what version of IIS and kernel can be useful from time to time when nmap or nessus cant make up its mind what OS your target is, and knowing what OS windows no longer supports is also good to know. Knowing how windows works, How and what the different functions of AD do and what the most common weaknesses you will encounter are. Also knowing how to harden and fix the problems you find is good to know. Knowing what SID's and RID's are, knowing how file permissions and ACL's work, and knowing about the SMB/CIFS protocol is also a must, and whats a Null session in this context?. Do you know what the difference between LM and NTLM is? And where does Kerberos fit into windows authentication?
Unix Systems	Although they usually number less in work environment, you can do much much more with a Linux server. Being familiar with both RPM based and DEB based systems is a must. Again knowing how UID's and GID's are used, how file permissions work and are controlled (do you know your chmod from chown). Knowing about NFS, X and GUID and SUID bits are, difference between SSH and Rlogin and Telnet, and all the problems among with all the problems with these services. If you have ever managed Linux servers you should be good to go with this section.
Penetration testing	The more fun topic for most people. This is at a basic level though and is more aimed at do you know the most common web-app problems, when you see id= what do you instantly think? Do you know the characters that commonly trigger XSS, Sql Injection and command injection? Do you know how to sweep systems with nmap or your vulnerability scanner of choice, query information from database servers, brute force both HTTP simple and HTTP form authentication, brute SNMP and get information from it. How can you find content on web servers, and how do you get valid users from NFS, DB's, SMTP ,Windows, and finger services?
Incident response and analysis	Don't let the title fool you, this is about reading logs, PCAPS and knowing how to use strings and hexdump. Can you read the reports from Linux and Windows and can you understand what the reports are telling you?

It can look a bit daunting if you don't recognise everything on there, but it doesn't take that long to read up on everything. Around a month would be plenty of time to get comfortable with it, depending on how long you spend reading and how much you already know of course. Don't get bogged down in knowing everything around every topic either, remember this is a higher level exam then the CRT. For example you need to know how to find an SQL injection, how to (ab)use it, and what tool you could use to exploit it further. On the windows side you may need to know what the different versions of IIS Microsoft launched along with what platforms along with the major security changes, but not all the nitty gritty details about how IIS works.

Generic Exam Tips and Tricks

CPSA is an open book exam, don't be afraid to take in your condensed revision notes or a book or two. Although its open book time is very tight so you won't want to be having to look through pages and pages of notes and a few books so only take in things that you will need! Going into the exam make sure that your laptop is set up how you use it every day. The laptop gets wiped at the end of the exam, (make sure you can take the drive out!) so it may be tempting to just stick something like Kali or the Fedora security spin on there and be done with it, but keep in mind, that this may not have all the tools on or set up and ready to use (why did they take finger and r login out by default!).

The CPSA page suggests some of the books to read before the exam, and there is one on their list I like to keep around for quick reference and that is the Red Team Field Manual Rtfm: Red Team Field Manual), over time working as a tester you will probably write your own version of this anyway, but its a great starting point covering some common tools, networking, generic Windows / Linux "stuff", and a couple of common old CVE's that you may still see on engagements.

Keep an eye on your time in the exam, Crest recommend up to a hour on the questions then the rest of the time on the practical exercise, how you use your time is up to you but keep in mind the practical is over double the size of the questions as it's not just recall of which answer is correct. Don't spend too long on questions, if you don't know an answer mark it with a star, colour, flag or whatever and come back to it on your second pass of the paper, if you still don't know, take an educated guess, there is no negative marking so apply your brain and pick what looks right.

With the practical make you have all the information gathering done at the beginning as you don't want to get halfway through and realise you have not got a clue where the web servers are! Also, don't be afraid to ask your examiner questions if something seems "wrong", for example if a service you are meant to be querying is being super super slow or not replying at all, ask, your heavy-handed scanning at the beginning may have made the service slow or unresponsive.

And lastly Keep Calm don't panic, its easy really! And once you've finished start revising for the CRT ;)

Resource	Whats it good for?
Wikipedia pages	Wiki'ing the topic in question is the quickest way to learn about it. Wikipedia has loads of well written tech pages to read through and digest
Cambridge AD Information	Cambridge University publishes information about setting up and managing windows domains. Although this is aimed at the university systems the information is generic and helped me wrap my brain around Windows Domains
Other peoples Blogs	Other people that have taken the Crest exams usualy blog about it, some people make useful snippet guides so have a Google and see what you can find.
Technet	If you ever need more information around windows systems technet will have have the answers for you
OWASP	The Open Web Application Security Project covers as the name says common web app problems. Knowing the top ten is always good to know, and the testing guide has a wealth of information to absorb
MIT Open Courseware	MIT recently open sourced their CS undergrad course. I highly recommend at least watching the youtube series, its great for the unix security part of cpsa
Other course materials	MIT isnt alone in opening up learning materials many other universities do the same!

Studying for and taking the CREST CPSA Exam

Summary

What is the CPSA Exam?

A Look at the Technical Syllabus

Generic Exam Tips and Tricks

Further Reading | Other Resources | Revision Notes