CSTM Engagement, Lifestyle & Risk
Please click on the following tabs to reveal the knowledge depth required for a successful pass of the CSTM exam.
You will be given a random selection of questions. Please note exam content is subject to change due to circumstances beyond our control – use this as a guide and email us if you have any queries.
- Understand the penetration testing lifecycle, from initial client contact, to the delivery of the final report and subsequent consultancy work.
- Understand the structure of a penetration test, including all relevant processes and procedures.
- Understand penetration testing methodologies and follows these when required. These include methodologies defined by the testers' employer, together with recognised standards, such as CHECK.
- Can articulate the benefits a penetration test will bring to a client.
- Can accurately convey the results of the penetration testing in a verbal de-brief and written report.
- Understanding of the different types of testing (blackbox, whitebox, etc)and their relative advantages and disadvantages.
- Understand client requirements and can produce an accurate and adequately resourced penetration testing proposal.
- Understand scoping in Cloud environments, and the impact of IaaS vs PaaS vs SaaS.
- Understand the legislation pertaining to penetration testing and can give examples of compliance/non-compliance. This legislation includes: Computer Misuse Act 1990 and its amendments; Data Protection Act 2018; Human Rights Act 1998; Police and Justice Act 2006; Police and Criminal Evidence Act 1984; Investigatory Powers Act 2016.
- Awareness of sector-specific regulatory issues, including NIS B4.d (Vulnerability management).
- Understand the risks associated with a penetration test(e.g. account lockout, denial of service) and how these can be mitigated.
- Understand the importance of availability and how the risk of denial of service can be reduced.
- Understand the importance of client confidentiality.
- Understand the role/function of customer emergency contacts.
- Understand the impact legislation has on the penetration testing process.
- Understand the ethical issues associated with penetration testing.
- Understand non-disclosure agreements and complies with their requirements.
- Identify false positives and false negatives and operate within the constraints of the scope of testing whilst keeping risk of disruption to an acceptable level.
- Produce proof-of-concept scripts to demonstrate issues.
- Can chain together separate vulnerabilities to form more complex attack chains.
- Understand the reporting requirements mandated by internal and external standards.
- Understand the importance of keeping accurate and structured records during a penetration test, including the output of tools.
- Keep accurate records of changes made to the systems during an assessment.
- Understand the security requirements associated with record keeping, both during the penetration test and following the delivery of the final report.
- Can write a report from the information gathered during a penetration test.
- Understand how to categorise vulnerabilities with respect to recognised methodologies e.g. CVE, BID, CVSS.
- Ability to prepare the required hardware and software for a penetration test.
- Take steps to avoid data cross-contamination e.g. by sanitising a hard disk prior to deployment or taking an image from a master build.
- Ensure all operating system and testing tools are relevant and up-to-date.
- Ensure all commercial software is suitably licensed.
- Ensure sufficient Anti-Virus software is installed and is sufficiently up-to-date.
- Ensure all necessary hardware is available, including laptops, switches, media-converters, wireless devices and cabling.
- For any given issue or group of issues, ability to convey:
1. A detailed description of the problem
2. A list of affected components
3. Possible sources of further information
4. A description of the risk posed in terms of confidentiality, integrity and availability of the system and its data
5. The cause of the issue
6. Which type of attacker would most likely exploit the issue
7. The difficulty and likelihood of a successful exploit
8. The potential impact to the customer's information systems and data preferably in terms of CIA
9. Detailed recommendations for remediation, drawing upon extensive product specific knowledge where possible and providing suitable general recommendations where not (senior or principle responsibility).
- Ability to convey both verbal and written summary of a security test to technical and non-technical audiences.
- Ability to classify/rank findings using numerical and/or distinct risk levels (High, Medium, Low etc) in line with how the client interprets risk within its business.