Taking the CPSA (Crest Practitioner Security Analyst) Exam

I've recently taken (and passed) the CPSA exam and wanted to write up some thoughts and some guidance for others taking (or thinking about taking) the exam since there's not too much information out there about what it's like.

I want to make it abundantly clear that I'm not going to breach the NDA that I had to sign in order to take the exam and I'm not going to discuss the specific content of the exam, rather the approach I took in revising for it and some of the websites and materials I found helpful.

I started off my studying with a copy of the syllabus and I worked through it researching and making notes. It's a very broad syllabus and there's no way to study every topic in depth. Some of the more specific details that I revised did actually come up, but quite a few of the questions required only a basic understanding of an area to answer (or at least have a decent guess at).

Syllabus

First topic on the syllabus is Soft Skills & Asset management which encompasses the non-technical aspects of conducting penetration testing including legal ramifications, assessment of risk and communicating with customers. There's a lot of common-sense stuff in here, the main thing that I researched was relevant legislation.

Next comes Core Technical Skills which comprises mainly networking and network scanning. Fortunately, I deal with networking regularly and I'm happy doing subnet calculations and using the OSI model. I did spend quite a bit of time learning port numbers for less common applications and services;  I put together a Quizlet quiz to help me revise these, which I feel really helped them to stick in my head.  You'll also want to know common NMAP scan types and ping types, and be able to interpret the output from them. If you already use NMAP regularly this shouldn't be anything new but it's worth making sure you're comfortable with the packets involved in SYN/TCP-Connect/UDP scans and what these reveal about the target system and how this information can be exploited to fingerprint the OS/Software running.
Cryptography is also included in this, which is a massive topic that can clearly be examined only in a fairly brief manner in an exam of such breadth. A basic knowledge of the difference between symmetric and asymmetric encryption and which common block and stream ciphers fall into each category is essential as well as an understanding of encoding, hashing and HMACs. I spent more time on the practical applications of cryptography than the underlying theory so I had a good understanding of WEP/WPA/SSH/IPSEC. (Apologies for the glut of Wikipedia links here, I found them really helpful but if anyone has better alternatives then please let me know and I'm happy to add them.)

Background Information Gathering & Open Source is the third section and covers a lot less ground than the previous one! By far the most important area of this is DNS. It's something that most people working in IT will have at least a basic knowledge of already, but getting the details of each type of DNS record and how it might reveal information pertinent to a security assessment is useful to know. Other topics covered in this section include using HTML source code, Google and NNTP(?) to do reconnaissance, these aren't mentioned in great detail on the syllabus so I didn't devote too much time to revising them.

The next section is Networking Equipment. Firstly, management protocols are mentioned and the security implications of each, which should be fairly straight forward as long as you can explain why passing administrative credentials over HTTP or TELNET is a bad idea. I made fairly high-level notes on some of the protocols that are used to keep an enterprise network running such as VRRP,BGP, OSPF,HSRP etc. VOIP also comes under this section so I went over basic scanning techniques and SIP commands that might be encountered on a pen test. Wireless security is then mentioned, although I had already been fairly detailed in my notes on this in the encryption section so I more-or-less skipped over this.

Microsoft Windows is clearly a huge area, I spent some time looking through how AD works with it's varying hash types and how it can be attacked (ATT&CK and Mimikatz Documentation are both good for this material) as well as the workings of Kerberos. I touched on Windows server and MS Exchange versions and their respective security issues, as well as SMB file shares and permissions. Some basic techniques for enumerating users/groups/shares on a windows system are handy to know and what commands you would use to do this.

Next topic is Unix Systems; I started with file permissions and how these are set and read which should be fairly familiar to any Linux user, as should using bash, basic tools and commands such as ping, traceroute, nc, etc. Web and email software can come up again here, mainly Apache and Sendmail this time, so an awareness of how they work and any security issues with them that a tester should be aware of. NFS is also covered, so I studied how it handles access control as well as tools and techniques for scanning/enumerating/exploiting a system running NFS. X11 is also on the syllabus which isn't something I've had a great deal of experience with from a security perspective, I made some brief notes around the security implications of its use on the network. SSH comes up here and again I skipped this since I'd gone into detail earlier on. The next area is Berkeley 'r' services which seemed like a very outdated technology to include, (Wikipedia explains that these protocols were developed in the early 80's and were replaced in the mid-90's by more secure alternatives). I didn't want to spend too long learning something that I was unlikely to ever come across in the real world but I wrote a high-level overview of the commands and security issues.

Back in the 21st century: Web Technologies is the 7th section. This is based on a basic understanding of the HTTP protocol and the roles of servers/clients as well as how both server-side and client side scripting languages are used and could be exploited by a tester. I studied the OWASP Top 10 for a good understanding of modern vulnerabilities and examples of how they can be exploited.

This overlaps with the next topic of Web Testing which goes into greater detail of how common vulnerabilities in web applications and misconfigurations of web servers can be identified and defended against. These are mainly fairly simple attack methods such as SQLi, XSS and parameter manipulation and how a to identify if these are possible from an application's source code or a server's HTTP response.

Finally we meet everyone's favourite topic; Databases which is divided up into the 3 main technologies: MySQL, MSSQL and Oracle. I was most familiar with MySQL, I have some familiarity with MSSQL and absolutely no experience with Oracle, so I decided learning the basics of Oracle Databases was the main priority here. Basic terminology and what user accounts exist and their purpose formed the basis of this.

Taking the Exam

The exam is administered in Pearson Vue test centres and their website provides all of the official terms and instructions that you need. The points I'd highlight are that you need to arrive ~15-20 minutes before the exam time and that you can't take a water bottle or any food into the exam so make sure you're hydrated and not too hungry before you start.

The software will take you through a code-of-conduct and an NDA before the questions start, this doesn't come out of your exam time so there's no rush to get through it. Once you've started the test you have an option to flag a particular question for review/comment as you go through, the system will explain this in detail but I found it very useful to flag all of the questions I was uncertain about as I did my first pass through and then I was able to do a second pass of just these questions. There were a few occasions that I was able to go back and answer an earlier question using information provided in a later question. I made use of the dry-wipe note taking paper for these instances to jot down question numbers and details/syntax.

I took ~40 minutes for my first pass through the 120 questions, 20 minutes to review the questions I was uncertain of and then another 20 minutes to check through all of the questions again before I submitted.

Final Thoughts

My initial reaction was that the test was more difficult than I was expecting, however on further reflection this opinion was more a result of a few particularly challenging questions for which I had not adequately revised while the majority of the questions were actually similar to how I expected. The pass mark is 60% (72/120) so it's absolutely fine to not know the answers to some of the questions, don't get stressed or worried by this.

Please feel free to get in touch via Email/Twitter if you want to chat, but please bear in mind I won't give away any specific details or questions that were on the exam I took.