An assessor’s guide to exam success…
Paul Richards is Lead Assessor and Head of Education for The Cyber Scheme, and a subject matter expert in ethical hacking and security testing. During the last few months, he has seen over a thousand candidates sit our exams, both successfully and unsuccessfully. To help future candidates learn from these experiences, Paul has set out his top tips for being a successful candidate.
“When candidates are unsuccessful it isn’t always due to a lack of skill, but to mistakes that are easily avoidable. There is specific essential knowledge required across all of our exams, but the following tips will help you on your road to success whichever assessment you are working towards, from CSFL to CSTL.
- Prepare, prepare, and prepare again: You need to allow yourself the time required to prepare for your exam adequately. As Benjamin Franklin’s old adage goes, “failing to prepare is preparing to fail”, and this is as true of your exams as it is of anything else in your career. You need to take the time to study the material, talk to mentors and revise the knowledge. To help yourself get to the level of skill required and fill knowledge gaps, practise the commands and flags, do independent study, and take a training course. There is no such thing as over-preparing.
- Build your knowledge on stable foundations: Whatever exam you are taking, start your revision off with security testing 101, and ensure you have a real grasp of the very basics before moving on to the more advanced elements. We have seen experienced testers missing the easiest challenges on the exams because they expect the whole endeavour to be very difficult. All of the knowledge domains are available in the syllabus on our website; we do not gatekeep what knowledge and skills are expected at the different levels of security tester.
- If you can’t get on the network, you will struggle: Every security tester needs to be able to connect to a network, either via Wi-Fi, Ethernet or both. An example of this that we have seen repeatedly is on the CSTM exam. Our CSTM joining instructions say: “You will need to set a fixed IP using the command line interface”. We often get frantic googling 3 seconds into the exam, with a sheepish look from the candidate as they search for “how to connect to a network”. You look things up on the internet during the practical part of the assessment, just like an actual penetration test.
- Don’t listen to rumours: What worked for your friend in the next office over won’t necessarily work for you. The exams are dynamically generated, and everyone gets a unique experience. Paul has seen good people failing exams because they heard from a friend of a friend that the way to exploit a box was to do x, y and z. So instead of doing their day job, which they are very skilled at and spent many hours perfecting, they throw all that out of the window and waste a good part of the exam trying techniques that just don’t and won’t work.
- If you want to be an infrastructure CTL, your pivoting game needs to be on point: Paul learned of the existence of pivoting as a new CTM, when the elders (the CTLs) were discussing the mystical secret dark arts of tunnelling and pivoting, so coming to a CTL level assessment without a good pivoting game is a lack of preparation. See point 1.
- If you want to be an application CTL, you need to be good: It’s not CTM. This may come across as a bit “Try Harder”, but you need to be all over the current OWASP Top 10, and, very importantly, don’t listen to the rumour mill. See point 4.
- If you want to be a CTM, you need to have many hours of security testing under your belt: Whether on real customer systems or on test / training networks. This is not an entry level exam; you are qualifying to be an ethical hacker to keep systems safe. The CSTM exam is not suitable for beginners.
- Make sure your equipment is ready for the task: You need to be able to mirror your screen via HDMI. It’s not a great start to the day if you are flustered and stressed because the simple task of mirroring your screen turns into a big deal. You need to connect to a network, so bring your USB network card etc. It is essential that you bring your power supply, mouse, keyboard! Even bring that python library you use often. The exam isn’t the correct time to try a new Linux distro or to see if the old broken laptop from the office bottom drawer will last longer than a few hours.
- Have faith in yourself, you are good at this. Follow your methodology: Everyone gets exam nerves but remember, “you are good at this”, you did the prep (see point 1), and you are ready. Many people tell Paul the only reason they failed was due to a lack of faith in their own ability, second guessing, and not trusting they can smash it. Have no regrets on the long drive home”.
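The one concrete technical task the tips name is setting a fixed IP from the command line. The script below is an added example, not part of the original post or The Cyber Scheme’s joining instructions; it assumes a Linux test laptop with iproute2, and the interface name, address and gateway are constructed placeholders to replace with the values you are given on the day.

```shell
#!/bin/sh
# Added example: configure a fixed IPv4 address with iproute2 (Linux).
# IFACE, ADDR and GATEWAY below are constructed placeholders, not real exam values.
# Set DRY_RUN=1 to print the commands instead of running them; real use needs root.

IFACE="${IFACE:-eth0}"
ADDR="${ADDR:-192.168.1.50/24}"
GATEWAY="${GATEWAY:-192.168.1.1}"

# run CMD...: execute the command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# set_static_ip IFACE ADDR/PREFIX GATEWAY
# Flushes any DHCP-assigned address first so only the fixed address is on the link,
# then adds the address, brings the link up and installs the default route.
set_static_ip() {
    iface="$1"; addr="$2"; gw="$3"
    run ip addr flush dev "$iface" &&
    run ip addr add "$addr" dev "$iface" &&
    run ip link set "$iface" up &&
    run ip route replace default via "$gw" dev "$iface"
}

# verify_static_ip IFACE GATEWAY
# Returns 0 when the interface holds an IPv4 address and the gateway answers a ping.
verify_static_ip() {
    iface="$1"; gw="$2"
    ip -4 addr show dev "$iface" | grep -q 'inet ' || return 1
    ping -c 1 -W 2 "$gw" >/dev/null 2>&1
}

# Usage (as root): . ./fixed_ip.sh; set_static_ip "$IFACE" "$ADDR" "$GATEWAY" && verify_static_ip "$IFACE" "$GATEWAY"
```

Rehearse it with DRY_RUN=1 first so you know the exact commands before you are sitting in the exam room.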