The road to CREST

Hey, Dave here. I’ve recently sat the CREST Australia exams which in turn resulted in Asterisk becoming one of the first Australian CREST member organisations. This has been a long (and difficult) journey and I wanted to share a few of my experiences, thoughts and comments.

First, a bit of background. CREST is the Council of Registered Ethical Security Testers. The organisation was formed in the UK in 2007 / 2008 [1,2] with an aim to standardise ethical penetration testing and to provide professional qualifications for testers. By most accounts CREST has been a big success in the UK; the accreditation was adopted by the UK government, who now require that all penetration testing is performed by CREST certified testers from CREST approved organisations.

In 2011, the Australian Attorney General’s Department provided one-off seed funding to establish CREST in Australia, and in 2012 CREST Australia was created as a non-profit organisation [3]. Like the UK, the Australian government’s goal was to provide Australian businesses and government agencies with a means of assuring that security testing work is performed… “with integrity, accountability and to agreed standards.”

July this year I was invited to become part of the technical establishment team for CREST Australia. This was a real honour for me, but at the same time a bit daunting when I considered the calibre of the other individuals and organisations that were to be involved. When I’d first started hearing about CREST Australia, I suspected that it might end up being comprised of organisations at the big end of town. I like to think that Asterisk were invited as a representative presence for the many excellent niche information security providers in the market.

The next few months involved a lot of preparation and planning; licensing for the exam IP was obtained from the UK, and hardware for the testing rig was procured, configured and shipped to Australia. Also, July to September involved a lot of study and preparation for me personally. Although I have been doing pen-testing in one form or another since 1997, the CREST syllabus covers a lot of ground, and unless you’re testing regularly on a wide variety of platforms, these exams are no walk in the park.

At the end of September the technical establishment team descended on the bustling metropolis that is Canberra to sit the three exams that CREST Australia offer: CREST Registered Tester (CRT), CREST Certified Tester – Applications (CCT App) and CREST Certified Tester – Infrastructure (CCT Inf). We all sat these three exams over a period of three days; to be brutally honest, this was a horrendous experience – 15+ hours of the hardest exams that I’ve ever experienced in the space of 3 days. I can’t remember being so stressed in my entire life. Pro tip: don’t try to do all the exams back-to-back.

In the end somehow I pulled the rabbit from the hat and achieved the CCT certification necessary to go on to become an assessor. We spent the next few days learning the ins and outs of exam invigilation (yup, this is a real word), then closed out the week by running the very first CREST Australia exams for a packed house of candidates.

Who knows what the future holds for CREST Australia. Asterisk are hoping that the various arms of government, regulators and corporations will recognise the value of CREST certification and will incorporate it into their evaluation process for pen-testing providers. While there is absolutely no assertion that a pen-testing company needs to be CREST certified in order to deliver quality results, we believe that CREST certification provides clients with a degree of confidence that pen-testing will be performed to a high, repeatable standard.

Personally, I’d really like to see more niche providers in the game. There are a few of us and I think we do great work. I’d like to break down some of the ingrained corporate mentality that for security testing to be done well, it needs to be done by a Big 4 company / IBM. Maybe CREST is a way for us to start competing on more of a level footing.

TL;DR: CREST exams are really hard; don’t think that you can pass without extensive prep and/or experience. If you’re from a client organisation, CREST certified testers & organisations know what they are on about.

Published by

David Taylor

Twitter: @dave_au

4 thoughts on “The road to CREST”

  1. Thanks for the post Dave. I’m a CREST supporter and will be doing the exams soon. I’d love to create a study guide for others wanting to sit the exams too, to maximise their chance of passing as well as generally improve the quality of penetration testers. Any tips on preparing for the CREST exams?

  2. Thanks Robert.

    The CREST candidate declaration prevents me from discussing specific exam content. The declaration also has a provision that prevents candidates from attempting to advise, train or guide future candidates about specific exam content. (The penalties for breaching the declaration are severe).

    I think this pretty much rules out a study guide. If you hadn’t sat the exam, you wouldn’t know what to put in the guide. If you had sat the exam, you wouldn’t be allowed to create a guide…

    The only advice that I could provide on exam prep is:
    1. Be familiar with all of the content covered in the CREST technical syllabus (http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf)
    2. Have a comprehensive set of tools on your laptop, and know how to use the tools well and quickly.

  3. Thanks Dave. I guess a study guide is out. Although it seems weird to me that CREST hinders training people to get the skills and knowledge that CREST believes they should have.
