Failure is an option…

“Thank you for taking your assessment with the Cyber Scheme. Unfortunately, you haven’t been successful on this occasion”

Paul Richards, Lead Assessor for the Cyber Scheme, gives some valuable insights into how to pass an exam with us.

I have an amazing, very rewarding and somewhat unusual profession. I get to watch people who treat hacking as an artform painting their masterpieces. I assess exams for the Cyber Scheme. I also get to see some dumb, out of this world crazy stuff too, but that’s for another post. Despite many people passing Cyber Scheme assessments, I want to explore when a good, solid, penetration tester who clearly has experience, knowledge and skills manages to pull defeat from the jaws of victory. 

The words that put fear into every CHECK team member and leader alike? “Unfortunately, you haven’t been successful on this occasion”.

Without giving anything away that isn’t already publicly available, here is my top ten list of being successful in a Cyber Scheme exam (unless you enjoy a day out at Eagle Tower with nothing to show for it, in which case, “as you were, nothing to see here”).

  1. You need time to prepare – you wouldn’t run a marathon without some training, you wouldn’t take a driving test without lessons, you wouldn’t dream of taking an exam that your career depends upon without a few days to prepare, right? Failing to prepare is preparing to fail – apparently, it’s a famous military saying. Take time to study, take a training course, practice the commands and flags, revise the knowledge, seek out a mentor. This is your trade craft, own it.
  2. If you can’t get on the network, the exam’s going to be very, very, very challenging. You might as well have stayed in bed. Every penetration tester needs to be able to connect to a network, either via Wi-Fi, Ethernet or both. Our CSTM joining instructions say – “You will need to set a fixed IP using the command line interface”. Three seconds into the exam – “erm I’m just jumping onto Google” followed by a sheepish look from the candidate as they search for “how to connect to a network”. (That’s right, you can even look things up on the internet during the assessment, just like an actual penetration test.)
  3. Keep it simple. If you are taking the CSTM (Cyber Scheme Team Member) exam or the CSTL (Cyber Scheme Team Leader) exam, read your notes on the basics before the exam, 101 penetration testing. Start off with the easy stuff and work your way up to the advanced techniques. The Cyber Scheme exams are very fair and mimic an actual penetration test engagement. (I am biased, of course, but I had no hand in the CSTM or CSTL exams so credit to all those who created them). I see really good testers missing the easiest of challenges because they expected it to be harder. All the knowledge domains (syllabus) are on the Cyber Scheme website. It’s no secret what the knowledge and skills are to be a CHECK penetration tester at CTM (CHECK team member) or CTL (CHECK team leader) level.
  4. Forget the rumour mill – I see good people failing exams because they heard from a friend of a friend’s dog’s uncle second removed on their mum’s side, that the way to exploit a box was to do x, y and z. So instead of doing their day job, which they are very skilled at and spent many hours perfecting, they throw all that out of the window and waste a good part of the exam trying techniques that just don’t and won’t work. The exams are dynamically generated, and everyone gets a unique experience.
  5. If you want to be an infrastructure CTL your pivoting game needs to be on point. I learned the existence of pivoting as a new CTM, when the elders (the CTLs) were discussing the mystical secret dark arts of tunnelling and pivoting, so why would anyone come to a CTL level assessment without a good pivoting game? See point 1…
  6. If you want to be an application CTL you need to be good. It’s not CTM. I know this is a bit “Try Harder” but you need to be all over the current OWASP Top 10 and, very importantly, don’t listen to the rumour mill. See point 4…
  7. If you want to be a CTM, you need to have many hours of penetration testing under your belt. Whether on real customer systems or on test / training networks. This is not an entry level exam; you are qualifying to be an ethical hacker to keep systems safe. The CSTM exam is not for beginners.
  8. For the love of <insert name of deity>, do some preparation (see point 1). Don’t turn up with half the internet downloaded and learn to penetration test as you go. You don’t have the time. Copying and pasting line after line of random commands with no idea what they do, how they work, what the flags do, it’s just not going to get you a pass. Yes, you can bring notes (for open book exams), yes you can look things up on the internet but that should be a back-up, a last resort, not your “A” game.
  9. Make sure you bring the correct hardware; make sure you have installed all your software and tested that everything works. You need to be able to mirror your screen via HDMI. It’s not a great start to the day if you are flustered and stressed because the simple task of mirroring your screen turns into a big deal. You need to connect to a network, so bring your USB network card etc. Oh, and don’t forget to bring your power supply, mouse and keyboard; even bring that Python library you use often. The exam isn’t the correct time to try a new Linux distro or to see if the old broken laptop from the office bottom drawer will last longer than a few hours.
  10. Have faith in yourself, you are good at this. Follow your methodology. Everyone gets exam nerves but remember, “you are good at this”, you did the prep (see point 1) and you are ready. Many people tell me the only reason they failed was lack of faith in their own ability, second guessing, not trusting they can smash it. Have no regrets on the long drive home.

Paul Richards – Lead Assessor for the Cyber Scheme.

Good luck to everyone taking an exam with us – and if you’d like to benefit from our practitioner training before taking the plunge, please email us for details.