January 2016 Issue No: 2.0
Application Guidance
CCP Penetration Tester Role,
Practitioner Level
Application Guidance CCP Penetration Tester Role,
Practitioner Level
Issue No: 2.0 January 2016
The copyright of this document is reserved and vested in the Crown.
Document History
Version Date Comment
1.0 August 2014 First issue
Page 1
Application Guidance CCP Penetration Tester Role, Practitioner Level
Purpose & Intended
Readership
This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Penetration Tester at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Professionals’ (reference [a]]) and the ‘Guidance to CESG Certification for IA Professionals’ publication (reference [b]).
Executive Summary
CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Adviser Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Penetration Tester at Practitioner level.
Feedback
CESG welcomes feedback and encourage readers to inform CESG of their experiences, good or bad, in respect to this document. Please email: [email protected]
Page 2
Application Guidance CCP Penetration Tester Role, Practitioner Level
Contents:
Overall Requirements for the Penetration Tester Role, Practitioner
Level ... 3
Penetration Testing ... 3
Practitioner Penetration Tester Role Headline Statement – SFIA Responsibility Level 3 ... 4
Applying for CCP Scheme Certification ... 4
Qualifications ... 4
Knowledge Requirements for the Penetration Tester Role ... 4
Knowledge ... 6
Engagement, Legislation and Risk .. 6
Core Technical Knowledge ... 8
Information Gathering ... 10
Networking ... 10
Microsoft Windows Security Assessment ... 12
UNIX Security Assessment ... 13
Databases ... 15
Web Technologies ... 15
Physical Access and Security ... 17
Web Application Security Assessment ... 18
Skills ... 19
Experience ... 25
The Certification Process – next steps ... 26
Practitioner Penetration Tester – APMG Certification Process ... 27
Practitioner Penetration Tester – BCS Certification Process ... 28
Practitioner Penetration Tester – IISP Certification Process ... 29
The CCP Scheme Certification Learning Cycle ... 30
References ... 31
Page 3
Application Guidance CCP Penetration Tester Role, Practitioner Level
Overall Requirements for the Penetration Tester Role,
Practitioner Level
Key Principles
This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Penetration Tester at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Professionals’ and the ‘Guidance to CESG Certification for IA Professionals’ documents (references [a] and [b])).
Learning comes through acquiring skills and knowledge (from training, experience and seeing how others work) and putting these into practice. Some Penetration Testers will have carried out other roles previously, eg, Systems Administration or working in a Security or Network Operations Centre. Most, but not all, Practitioner Penetration Tester candidates will need at least 6-12 months of penetration testing experience before applying. This document outlines the basic skills and experience you need. You are encouraged to follow the advice in each section when completing your written submission of evidence.
Penetration Testing
Penetration testing is an independent assessment of the different elements that comprise an information system or product, with the goal of finding and documenting the vulnerabilities present. The resulting report is considered with threat reports and other information sources in order to derive a risk assessment that can be used to drive security improvements.
The role of a penetration tester is to:
ensure that any testing activity is lawful, compliant with all relevant regulations and within the agreed scope
conduct technical security tests against the information system or product, with the aim of identifying vulnerabilities
communicate the results of the tests at a level tailored to the audience
provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated
Page 4
Application Guidance CCP Penetration Tester Role, Practitioner Level
Practitioner Penetration Tester Role Headline Statement – SFIA Responsibility Level 3
Applies knowledge and contributes to the successful delivery of penetration testing services
Applying for CCP Scheme Certification
Qualifications
The mandatory qualifications listed here
www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx are recognised by CESG as
demonstrating compliance with the knowledge requirements associated with this role and documented below. An applicant for this role must therefore hold at least one of the listed mandatory qualifications required for the role level, which must be valid when the assessment is made by the Certification Body (CB) (ie, the qualification must not have expired)
Knowledge Requirements for the Penetration Tester Role
The knowledge requirements for the Penetration Testing roles are detailed below. Although a single set of knowledge requirements applies to all four levels, the depth of understanding and experience an applicant will be required to demonstrate will differ with respect to the role claimed. The mandatory technical qualifications, where listed, will demonstrate full compliance with the knowledge requirements of each level. You should also check the website of the (CB) you wish to use, for any additional requirements it may have. If you consider that there are gaps in your skills, knowledge and experience, agree a plan with your manager to address these, eg, through placements, projects, training, coaching - before you apply for CCP certification
The following statement should be applied for assessment of candidates for certification as a Practitioner Penetration Tester.
Practitioner Penetration Tester - A candidate will have a basic understanding of the concepts and technology detailed in the knowledge requirements. He/she You will be able to apply appropriate tools and techniques whilst working under general direction and supervision, and will require regular assistance with the interpretation of findings. Your depth of technical knowledge and level of experience will represent significant areas of further development
Your written submission must show that you:
meet the Role Headline Statement for the Penetration Tester role (‘Applies knowledge and contributes to the successful delivery of penetration testing services’ – see above)
Page 5
Application Guidance CCP Penetration Tester Role, Practitioner Level
work under general supervision and on discrete tasks when performing penetration tests
demonstrate an analytical and systematic approach to penetration testing, and are able to apply your own initiative and discretion
understand and are able to apply appropriate tools and techniques during a penetration test, and work in accordance with relevant legislation and standards
perform penetration tests in a variety of environments
work as part of a larger team and assist senior colleagues in delivering successful penetration tests
demonstrate effective communication skills with colleagues, and when providing input to written reports and presentations
have regular working level-contact with customers
actively develop your understanding of penetration testing, and understand how penetration testing is to be applied and delivered to a customer
demonstrate the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework1
demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA)2 at level 3. Alternatively you can show evidence of
least level 2 for the IISP J skills
Good penetration testing combines technical, business and people skills to provide easily understood information about system security vulnerabilities for the people who need to take action on the advice you give. You need to understand the business objectives, strategy and risk appetite, as well as the system and applications you work on. You need people skills to ensure that you explain your findings and secure all the information you need, for example when considering security incidents. You also need to ensure that all your testing operates within the appropriate legal frameworks.
1The IISP Skills Framework is copyright ® The Institute of Information Security Professionals. All
rights reserved. The Institute of Information Security Professionals ® IISP ® M.Inst.ISP ® and various IISP graphic logos are trademarks owned by the Institute of Information Security Professionals and may be used only with express permission of the Institute.
Page 6
Application Guidance CCP Penetration Tester Role, Practitioner Level
In no priority order, you need: Skills:
Negotiating
Influencing
Information-gathering
Communication – able to talk to specialists and non-specialists alike Vulnerability assessment and management
Business writing (all the information needed for a decision, on 1 side of A4)
Presentation
Stakeholder management
And familiarity with the following:
Penetration testing methodologies
Penetration testing standards and policies
The CESG Certification for IA Professionals and Guidance to CESG Certification for IA Professionals documents
Technical IA controls
Knowledge
Engagement, Legislation and Risk Engagement Life-Cycle - understands:
the penetration testing life-cycle, from the initial client contact, to the delivery of the final report and subsequent consultancy work
the structure of a penetration test, including all relevant processes and procedures
the different types of penetration test, such as infrastructure and application, white and black-box
penetration testing methodologies and follows these when required. These include methodologies defined by the tester’s employer, together with recognised standards, such as CHECK
and can articulate the benefits a penetration test will bring to a client
and can accurately convey the results of the penetration testing in a verbal de-brief and written report
Page 7
Application Guidance CCP Penetration Tester Role, Practitioner Level
Scoping - understands:
client requirements and can produce an accurate and adequately resourced penetration testing proposal
technical, logistical, financial and other constraints, and is able to take these into account without compromising the effectiveness of the penetration test
Legal Matters - understands the legislation pertaining to penetration testing and can give examples of compliance/non-compliance. This legislation includes:
Computer Misuse Act 1990
Data Protection Act 1998
Human Rights Act 1998
Police and Justice Act 2006
Police and Criminal Evidence Act 1984
Regulation of Investigatory Powers Act 2000: also understands
the impact this legislation has on the penetration testing process and the ethical issues associated with penetration testing
non-disclosure agreements and complies with their requirements
Understanding and Mitigating Risk - understands:
the risks associated with a penetration test and how these can be mitigated
the importance of availability and how the risk of a denial of service can be reduced
the importance of client confidentiality
Record Keeping and Reporting - understands:
the reporting requirements mandated by internal and external standards
the importance of keeping accurate and structured records during a penetration test, including the output of tools
the security requirements associated with record keeping, both during the penetration test and following the delivery of the final report
and can write a report from the information gathered during a penetration test
how to categorise vulnerabilities with respect to recognised methodologies, e.g. CVE, BID, CVSS
Page 8
Application Guidance CCP Penetration Tester Role, Practitioner Level
Platform Preparation:
is able to prepare for a penetration test with regard to the required hardware and software
ensures all necessary hardware is available, including laptops, switches, media-converters and wireless devices
ensures all operating system and testing tools are relevant and up-to-date
takes steps to avoid data cross-contamination, for example. by sanitising a hard disk prior to deployment or taking an image from a master build
Core Technical Knowledge
IP Protocols - understands:
IPv4 and IPv6 and their associated security attributes
common IP/Ethernet protocols and their associated security attributes, including: TCP; UDP; ICMP; ARP; DHCP; DNS; CDP; HSRP; VRRP; VTP; STP and TACACS+
the security implications of using clear-text protocols, such as Telnet and FTP
File System Permissions and System Processes - understands:
and can demonstrate the manipulation of file system permission on UNIX-like and Windows operating systems
how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host
and can find “interesting” files on an operating system, e.g. those with insecure or “unusual” permissions, or containing user account passwords
and can identify running processes on UNIX-like and Windows operating systems and exploit vulnerabilities to escalate privileges
Cryptography - understands:
cryptography and its use in a networked environment
common encrypted protocols and software applications, such as SSH, SSL, IPSEC and PGP
wireless protocols that support cryptographic functions, including: WEP; WPA; WPA2; TKIP; EAP; LEAP; PEAP
their associated security attributes and how they can be attacked
the differences between symmetric and asymmetric cryptography and can give examples of each
common cryptographic algorithms, such as DES, 3DES, RSA and AES, including their security attributes and how they can be attacked
Page 9
Application Guidance CCP Penetration Tester Role, Practitioner Level
common hash functions, such as MD5 and SHA1, including their security attributes and how they can be attacked
Message Authentication Codes (MACs) and Hashed MACs (HMACs)
Pivoting - understands:
the concept of pivoting through compromised devices
and can demonstrate pivoting through a number of devices in order to gain access to targets on a distant subnet
Using Tools and Interpreting Output - can:
use a variety of tools during a penetration test, selecting the most appropriate tool to meet a particular requirement
interpret and understand the output of tools, including those used for port scanning, vulnerability scanning, enumeration, exploitation and traffic capture
Packet Generation - understands:
the different types of packets that are likely to be encountered during a penetration test
and can generate arbitrary packets, including TCP, UDP, ICMP and ARP, modifying packet parameters as required, e.g. source and destination IP addresses, source and destination ports, and TTL
ARP spoofing and can demonstrate this technique in a safe and reliable way
Service Identification – can:
identify the network services offered by a host
state the purpose of an identified network service, and determine its type and version
Fingerprinting – understands active and passive operating system fingerprinting techniques and can demonstrate their use during a penetration test.
Traffic Filtering and Access Control - understands:
network traffic filtering and where this may occur in a network
the devices and technology that implement traffic filtering, such as firewalls, and can advise on their configuration
and can demonstrate methods by which traffic filters can be bypassed
network access control systems, such as 802.1x and MAC address filtering, and can demonstrate how these technologies can be bypassed
Page 10
Application Guidance CCP Penetration Tester Role, Practitioner Level
Patch Levels - can obtain operating system patch levels on UNIX-like and Windows operating systems.
Information Gathering
Domain Registration - understands the format of a WHOIS record and can obtain such a record to derive information about an IP address and/or domain.
DNS - understands:
the Domain Name Service (DNS) including queries and responses, zone transfers, and the structure and purpose of records, including: SOA, NS, MX, A, CNAME; PTR, TXT and HINFO
and can demonstrate how a DNS server can be queried to obtain the information detailed in these records
and can demonstrate how a DNS server can be queried to reveal other information that might reveal target systems or indicate the presence of security vulnerabilities
Web Site Analysis - can interrogate a website to obtain information about a target network, such as the name and contact details of the network administrator.
Search Engines, News Groups and Mailing Lists - can use search engines, news groups, mailing lists and other services to obtain information about a target network, such as the name and contact details of the network administrator.
Information Leakage - can obtain information about a target network from
information leaked in email headers, HTML meta tags and other locations, such as an internal network IP addresses.
Banner Grabbing - can enumerate services, their software types and versions, using banner grabbing techniques.
SNMP – can retrieve information from SNMP services and understands the MIB structure pertaining to the identification of security vulnerabilities.
Networking
Network Architecture understands:
network architectures and logical network diagrams
the security benefits of tiered architectures, DMZs and air-gaps
the security implications of shared media and can exploit its vulnerabilities during a penetration test
Network Routing – understands:
network routing and its associated protocols, including: RIP, OSPF, IGRP, EIGRP, BGP, EGP, IGMP
Page 11
Application Guidance CCP Penetration Tester Role, Practitioner Level
Network Mapping - can:
demonstrate the mapping of a network using a range of tools, such as traceroute, tcptraceroute and ping, and by querying active services, such as DNS and SNMP servers
present the map as a logical network diagram, detailing all discovered subnets and interfaces, including routers, switches, hosts and other devices
accurately identify all hosts on a target network that meet a defined set of criteria, e.g. to identify all FTP servers or CISCO routers
Management Protocols - understands:
and can demonstrate the use of protocols often used for the remote management of devices, including: Telnet, SSH, HTTP/HTTPS, SNMP, TFTP, NTP
the security attributes of these protocols
and can demonstrate how these services can be exploited to gain access to a device or derive further information about the target network, e.g. SNMP service enumeration or the exploitation of a vulnerable Cisco HTTP server
Traffic Analysis:
can intercept and monitor network traffic, capturing it to disk in a format required by analysis tools
understands and can demonstrate how network traffic can be analysed to recover user account credentials and detect vulnerabilities that may lead to the compromise of a target device
Configuration Analysis:
understands configuration files of Cisco routers and switches, and can advise on how their security can be approved (most common features, such as access-lists and enabled services)
can interpret the configuration files of other network devices, including those produced by a variety of vendors (most common features, such as access-lists and enabled services)
Routers and Switches - understands and can demonstrate the exploitation of vulnerabilities in routers and switches, including the use of the following protocols: Telnet, HTTP/HTTPS, TFTP SNMP.
VoIP - understands VoIP services, such as SIP, and can identify and fingerprint devices offering these services.
Page 12
Application Guidance CCP Penetration Tester Role, Practitioner Level
Microsoft Windows Security Assessment
Reconnaissance – can:
identify Windows hosts on a target network
identify domains, domain controllers, domain members and workgroups
enumerate accessible Windows shares
Enumeration – can:
perform user and group enumeration on target systems and domains, using protocols including: NetBIOS, LDAP, and SNMP
obtain other information, such as password policies
Active Directory – understands: Active Directory
Group Policy
Local Security Policy
user accounts and can manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin
Passwords – understands:
password policies, including complexity requirements and lock-out
how to avoid causing a denial of service by locking-out accounts
Windows password hashing algorithms and their associated security attributes
how passwords are stored and protected, and can demonstrate how they can be recovered
and can demonstrate off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables
and can demonstrate the recovery of password hashes when given physical access to a Windows host
Remote Vulnerabilities - understands and can demonstrate the remote exploitation of Windows operating system and third-party software application vulnerabilities. Local Vulnerabilities - understands and can demonstrate:
the local exploitation of Windows operating system and third-party software application vulnerabilities
local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
Page 13
Application Guidance CCP Penetration Tester Role, Practitioner Level
Post Exploitation - understands and can demonstrate common post-exploitation activities, including: password recovery, including cached credentials; lateral
movement and domain compromise; the checking of operating system and third party software application patch levels.
Desktop Lockdown - understands the concept of desktop lockdown and can demonstrate how a user can break-out of a locked down environment.
Patch Management - understands common patch and software management techniques and applications, including WSUS and Alteris.
UNIX Security Assessment
Reconnaissance - can identify UNIX hosts on a target network. Enumeration:
can perform user enumeration on target system using a variety of techniques including remote login protocols, SMTP, finger and SNMP
can perform file system enumeration on a target system using a variety of techniques including remote login protocols, FTP, HTTP, NFS and TFTP
is aware of legacy user enumeration techniques such as rusers and rwho
can enumerate RPC services and identify those with known security vulnerabilities
Passwords - understands:
users, groups and password policies, including complexity requirements and lock-out
how to avoid causing a denial of service by locking-out accounts
the format of the passwd, shadow, group and gshadow files
UNIX password hashing algorithms and their associated security attributes
how passwords are stored and protected, and can demonstrate how they can be recovered
and can demonstrate off-line password cracking using dictionary and brute-force attacks
and can demonstrate the recovery of password hashes when given physical access to a UNIX host
Remote Vulnerabilities - understands and can demonstrate the remote exploitation of Solaris and Linux operating system vulnerabilities (several key remote
Page 14
Application Guidance CCP Penetration Tester Role, Practitioner Level
Local Vulnerabilities - understands and can demonstrate:
the local exploitation of Solaris and Linux operating system vulnerabilities
local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
Post Exploitation - understands and can demonstrate common post-exploitation activities, including: password recovery, lateral movement, the checking of operating system and third party software application patch levels.
FTP/TFTP - understands:
FTP and can demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions
TFTP and can demonstrate how a poorly configured TFTP server can be exploited, e.g. the downloading of arbitrary files, the uploading over-writing of files
NFS – understands:
NFS and its associated security attributes, and can demonstrate how exports can be identified
and can demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions, and UID/GID manipulation
Berkeley r-Services – understands:
the Berkeley r-services and their associated security attributes, and can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files
SSH – understands:
SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services
and can demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files
X – understands:
its associated security attributes, and can demonstrate how insecure sessions can be exploited, e.g. by obtaining screen shots, capturing keystrokes and injecting commands into open terminals.
Page 15
Application Guidance CCP Penetration Tester Role, Practitioner Level
Databases
Microsoft SQL Server - understands and can demonstrate: the remote exploitation of Microsoft SQL Server
how access can be gained to a Microsoft SQL server through the use of default accounts credentials and insecure passwords
how to identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
following the compromise of Microsoft SQL server how to use stored procedures to execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host
Oracle:
understands and can demonstrate the remote exploitation of an Oracle database
understands the security attributes of the Oracle TNS Listner service
understands and can demonstrate how access can be gained to an Oracle database server through the use of default accounts credentials and insecure passwords
can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
can demonstrate how the software version and patch status can be obtained from an Oracle database
following the compromise of an Oracle database server, can use stored procedures to execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host
Other Database Servers:
understands and can demonstrate the remote exploitation of other common database servers, such as MySQL and PostgreSQL
understands and can demonstrate how access can be gained to such a database server through the use of default accounts credentials and insecure passwords
can identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
Web Technologies
Web servers:
can identify web servers on a target network and can remotely determine their type and version
Page 16
Application Guidance CCP Penetration Tester Role, Practitioner Level
understands and can demonstrate the remote exploitation of web servers
understands the purpose, operation, limitation and security attributes of web proxy servers
Protocols and Methods - understands:
and can demonstrate the use of web protocols, including: HTTP, HTTPS, SOAP
and can demonstrate how the insecure implementation of software developed using these languages can be exploited
all HTTP methods and response codes
Reconnaissance - understands:
the purpose of web site and application reconnaissance
and can discover the structure of a web site and application
Languages - understands:
common web mark-up and programming languages, including: .NET, ASP, Perl, PHP, JSP, JavaScript
and can demonstrate how the insecure implementation of software developed using these languages can be exploited (candidate may select two languages)
APIs – understands and can demonstrate:
the use of web-based APIs to remotely access remote services
how the insecure implementation of web-based APIs can be exploited
Information Gathering – can gather information:
from a web site and application mark-up or programming language, including: hidden form fields; database connection strings; user account credentials; developer comments; external and/or authenticated-only URLs
about a web site and application from the error messages it generates
Authentication - understands common authentication and access-control
mechanism vulnerabilities, and can give examples of common vulnerabilities and implementation best practice.
Input Validation - understands the importance of input validation and how it can be implemented, eg, white-lists, black-lists and regular expressions.
Fuzzing - understands:
fuzzing and its use in web application testing
the generation of fuzzing strings and their potential effects, including the dangers they may introduce
Page 17
Application Guidance CCP Penetration Tester Role, Practitioner Level
XSS - understands cross-site-scripting (XSS) and can demonstrate the launching of a successful XSS attack.
Injection - understands injection vulnerabilities, including: code injection, SQL injection, XML injection.
Blind SQL Injection - understands blind SQL injection vulnerabilities.
Sessions - understands how sessions are managed and can give examples of common vulnerabilities and implementation best practice.
Cryptography - understands:
how cryptography can be used to protect data in transit and data at rest, both on the server and client side
the concepts of SSL and can determine whether a SSL-enabled web server has been configured in compliance with best practice (ie, it supports recommended ciphers and key lengths)
Code Review - understands the techniques for identifying vulnerabilities in source code.
Physical Access and Security
Locks - understands how locks can be used to restrict access to computer hardware. Tamper Seals - understands how tamper seals can be used to deter access to
computer hardware.
Platform Integrity - understands platform integrity technologies, e.g. TPM.
Boot Sequence - understands the BIOS boot sequence and can obtain privileged access to an operating system by exploiting vulnerabilities in a boot sequence configuration, eg, booting from removable media or enabling PXE boot.
Disk Encryption:
understands the security implications of unencrypted storage devices, such as hard disks
can demonstrate how data can be recovered from unencrypted storage devices, and how such data can be manipulated to introduce vulnerabilities into an operating system.
Recovery Functionality - understands the security attributes of operating system recovery functionality, eg, Windows Recovery Console and Safe Mode.
Multi-Factor Authentication - understands multi-factor authentication systems, such as tokens and SMS.
Page 18
Application Guidance CCP Penetration Tester Role, Practitioner Level
Web Application Security Assessment
The knowledge requirements for Web Application Security Assessment apply to those who demonstrate this particular technical specialism within the wider Penetration Tester role. It is acknowledged that such a specialism may result in a Penetration Tester having a lesser understanding of the knowledge requirements detailed in the sections on Networking, Microsoft Windows Security Assessment and Unix Security Assessment. This is captured by the providers of the mandatory qualifications detailed within the role definition and need not be further explored by the Certification Body.
The knowledge requirements for Web Application Security Assessment are defined in the OWASP Testing Guide v4. See http://www.owasp.org/ for further information and to obtain a copy of this guide.
To avoid duplication, these requirements have not been repeated in this document; however, the mandatory sections to be included and the associated knowledge requirements are detailed below:
Information Gathering
Configuration & Deploy Management Testing Identity Management Testing
Authentication Testing Authorisation Testing
Session Management Testing Data Validation Testing Error Handling
Cryptography Logging
Business Logic Testing Denial of Service Web Service Testing Client Site Testing
Page 19
Application Guidance CCP Penetration Tester Role, Practitioner Level
Skills
When presenting your skills evidence, use the ‘STAR’ format: ‘Situation, Task, Action, Result’
Use a narrative form, eg, ‘... I produced ...My decision was...’
You must meet the required levels at all 4 core skills - (A2 Policy and Standards, D2 Security Testing, E3 Vulnerability Assessment,
I3 Applied Research)
You must meet 75% of the remaining skills
A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation
The following table provides suggestions for starting points in evidence.
Technical Skills
SKILL EVIDENCE OF SKILL
A2 – Policy & Standards, Level 1 - Core Skill
Understands the need for policy and standards to achieve Information Security (IS)
Give examples of:
- your experience of IS policies and standards. How does penetration testing fit within your company’s information security policy?
A6 – Legal & Regulatory Environment, Level 1
Is aware of major pieces of legislation relevant to Information Security and of regulatory bodies relevant to the sector in which they work
Give examples from different work environments of how you:
- ensured that your work didn’t contravene relevant statue/regulations and how you explained this to your customer(s).
For example, the Computer Misuse Act prohibits breaking into a system but the contract you were employed on might require or permit this.
Page 20
Application Guidance CCP Penetration Tester Role, Practitioner Level
SKILL EVIDENCE OF SKILL
A7 – Third Party Management3 Level 1
Is aware of the need for organisations to manage the information security of third parties
Give examples of how you:
- advised a customer’s supplier about the vulnerabilities in their information systems. B1 – Risk Assessment, Level 1
Demonstrates awareness of the causes of information risk and their implications
Give examples of how you:
- Identified vulnerabilities and risks in a number of different systems. B2 – Risk Management, Level 1
Demonstrates awareness of techniques to manage information risk
Give examples of how:
- IT systems’ risk and vulnerabilities are managed and advice you have given to mitigate these. C1 – Security Architecture, Level 1
Is aware of the concept of architecture to reduce information risk
Describe how you have advised on modifications to IA architecture to mitigate potential information risk. What was the outcome?
C2 – Secure Development, Level 1
Is aware of the benefits of addressing security during system development
Explain how security and secure development of products and systems are improved by penetration testing.
Page 21
Application Guidance CCP Penetration Tester Role, Practitioner Level
SKILL EVIDENCE OF SKILL
D1 – IA Methodologies Level 1
Is aware of the existence of methodologies,
processes and standards for providing
Information Assurance
How is appropriate and proportionate penetration testing carried out in your organisation?
D2 – Security Testing, Level 1 - Core Skill
Is aware of the role of testing to support IA
Give examples over a range of environments of:
different ways in which you have tested the security of systems. Which frameworks did you use? Explain what level of security was achieved and what system vulnerabilities remained. What was the outcome of your work?
E1 – Secure Operations Management, Level 1
Is aware of the need for secure management of information systems
Give examples of tests you have carried out to detect vulnerabilities – how did you do this? What changes to corporate security processes or systems could you recommend to mitigate vulnerabilities?
E2 – Secure Ops & Service Delivery, Level 1
Is aware of the need for information systems and services to be operated securely
Give examples of how you have influenced a customer to mitigate security risks.
E3 – Vulnerability Assessment, Level 2 - Core Skill
Obtains and acts on vulnerability information in accordance with Security Operating Procedures
Give examples from different work environments of occasions when you identified vulnerabilities in a system or application. What tools and methodologies did you use and how did you make colleagues and/or customers aware of the vulnerabilities? What did you do to mitigate the vulnerabilities and what was the outcome?
Page 22
Application Guidance CCP Penetration Tester Role, Practitioner Level
SKILL EVIDENCE OF SKILL
F1 – Incident Management, Level 1
Is aware of the benefits of managing security incidents
Provide examples of how security incidents are managed in the organisation(s) you work in. How does this improve cyber security?
F2 – Investigation, Level 1
Is aware of basic principles of investigations
Give examples of how information is collected in order to investigate a security incident. What sources can be used and why?
F3 – Forensics, Level 1
Is aware of the capability of forensics to support investigations
What information can be recovered through the use of forensic tools?
G1 – Audit and Review, Level 1
Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements)
Give examples of auditing a system to test for vulnerabilities. How did this improve the scope of the vulnerability testing? How did you communicate the results to information risk owners and what was the outcome of this?
H1 – Business Continuity Planning and H2 – Business Continuity Management,
Level 1
Understands how Business Continuity Planning & Management contributes to information security
Describe how you incorporated business continuity management into your vulnerability testing and your advice on vulnerability mitigations.
I3 – Applied Research, Level 1 – Core Skill
Understands the fundamental concepts of
Give examples from different work environments of:
- how you have used your research as part of penetration testing. How did that research support the overall security assessment process?
Page 23
Application Guidance CCP Penetration Tester Role, Practitioner Level
applied research but does not yet have the knowledge needed to apply this skill in an operational context
- areas you have found where further research is needed. How could that research be used to enhance levels of security?
- research you have used when considering how vulnerability testing tools or techniques could be improved
PEOPLE SKILLS ‘J skills’ (instead of SFIA level 3 – see p4)
SKILL EVIDENCE OF SKILL
J1 - Teamwork and Leadership - Level 2 Is encouraging and supportive and provides a lead within the local area. Task-based team working
Give examples of sharing information and knowledge with others to promote team objectives.
J2- Delivering – Level 2
Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
Give examples of tasks which you delivered to deadlines.
J3 – Managing Customer Relationships – Level 2
Negotiates with customers to improve the service to them and to manage their expectations
Describe ways in which you have worked with customers to agree solutions.
J4 - Corporate Behaviour – Level 2
Understands the aims of own and related areas across an organisation
Give examples of proposals you have made to mitigate security vulnerabilities.
J5 – Change and Innovation – Level 2 Generates creative ideas and demonstrates sensitivity in implementing local change
What changes have you introduced – what did you do, what techniques did you use and why? How did you consider the impact on other people and processes?
Page 24
Application Guidance CCP Penetration Tester Role, Practitioner Level
SKILL EVIDENCE OF SKILL
J6 - Analysis and Decision Making – Level 2
Makes effective decisions in
consultation with others and/or solves complex problems in immediate area
Give examples of recommendations and solutions you have suggested. What was the outcome in these cases?
J7 – Communication and Knowledge Sharing – Level 2
Encourages and contributes to
discussion. Is proactive in sharing information in own work area
Give examples of how you have adapted your communication to suit different media, including face to face, over the phone, emails, presentations and meetings: eg,
- contributing to reports - stand up briefings
Page 25
Application Guidance CCP Penetration Tester Role, Practitioner Level
Experience
Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below. Your evidence should show that you have:
assisted in, or carried out penetration testing under supervision or in a team, in a variety of environments and ensured that the testing was consistent with risk appetite and tolerance, as well as conforming to all legal requirements and regulations
Or
have experience in a technical/information security role (such as a System Administrator) or SOC/NOC analyst You must show that you
do penetration testing and that your testing follows a systematic and appropriately analytic process have some experience of using penetration testing tools and techniques
effectively communicate the outcomes and implications of penetration tests to colleagues and/or customers and ensure that they understand them
can recognise when a decision must be escalated because of implications beyond your level of responsibility or experience are developing your understanding of penetration testing and associated research
Page 26
Application Guidance CCP Penetration Tester Role, Practitioner Level
The Certification Process – next steps
For completeness the certification processes for the different CBs follow.
1. If you are considering applying for the Senior or Principal level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels and the appropriate technical qualification (s). Supervisory experience to show evidence of coaching and developing other Penetration Testers would also be helpful for the Senior level and consultancy experience would be appropriate for the Principal level.
2. If you are applying for the Lead level, you will need to show that you influence and direct the penetration testing function at an organisational or inter-organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise a Directors’ Board in this regard.
There are 3 CBs: the APM Group (www.apmg-ia.com ), BCS, the Chartered Institute for IT (www.bcs.org ) and the IISP, RHUL and CREST Consortium (www.iisp.org ). Certification lasts for 3 years and requires evidence of continuing professional development throughout the period of certification.
Page 27
Application Guidance CCP Penetration Tester Role, Practitioner Level
APMG CREST Practitioner Security Analys t O R G CH Q Practitioner Penetration Tes ter Apply online W ritten s ubmis s ion Pers onal evaluation Technical evaluation Interview Certification decis ion End of certification proces s
AMPG Certification Process
Practitioner
Penetration
Tester –
APMG
Certification
Process
Page 28
Application Guidance CCP Penetration Tester Role, Practitioner Level
BCS CREST Practitioner Security Analyst OR GCHQ Practitioner Penetration Tester PLUS CISMP apply online written submission assessment interview certification decision End of Certification Process BCS Certification Process
Practitioner
Penetration
Tester – BCS
Certification
Process
Page 29
Application Guidance CCP Penetration Tester Role, Practitioner Level
IISP CREST Practitioner Security Analyst OR GCHQ Practitioner Penetration Tester apply online written submission assessment interview Recommendation & certification decision End of Certification Process
IISP Certification Process
Practitioner
Penetration
Tester – IISP
Certification
Process
Page 30
Application Guidance CCP Penetration Tester Role, Practitioner Level
The CCP Scheme Certification Learning Cycle
If more learning is needed, make a time-bounded plan to achieve it
Page 31
Application Guidance CCP Penetration Tester Role, Practitioner Level
References
[a] CESG Certification for IA Professionals. Available from
http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx
[b] Guidance to CESG Certification for IA Professionals. Available from
Page 32
Application Guidance CCP Penetration Tester Role, Practitioner Level
Glossary
AES Advanced Encryption Standard API Application Programming Interface ARP Address Resolution Protocol BGP Border Gateway Protocol BIOS Basic Input Output System CDP Cisco Discovery Protocol CHECK IT Health Check Service CNAME Canonical Name Record
CVSS Common Vulnerability Scoring System DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol DMZ Demilitarized Zone (firewall configuration) DNS Domain Name System
EAP Extensible Authentication Protocol EGP Exterior Gateway Protocol
EIGRP Enhanced Interior Gateway Routing Protocol FTP File Transfer Protocol
GID Group Identifier HINFO Host Information HMACs Hashed MACs
HSRP Hot Standby Router Protocol HTML Hyper Text Mark Up Language HTTP Hypertext Transfer Protocol
HTTPS communications protocol for secure communication over a computer network
ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol IGRP Interior Gateway Routing Protocol IPSEC Internet Protocol Security
LEAP Programming language
LDAP Lightweight Directory Access Protocol MACs Message Authentication Codes
Page 33
Application Guidance CCP Penetration Tester Role, Practitioner Level
MD5 Message Digest algorithm – cryptographic hash function MIB Management Information Base
MX Mail Exchanges
NetBIOS Network Basic Input/Output System NFS Network File System
NS Name Server (implements a name service protocol) NTP Network Time Protocol
OSPF Open Shortest Path First
OWASP Open Web Application Security Project PEAP Protected Extensible Authentication Protocol PGP Pretty Good Privacy
PTR Pointer record
PXE Preboot execution environment RIP Routing Information Protocol RPC Remote Procedure Call
RSA public key cryptosystem (named after its authors) SHA1 Secure Hash Algorithm – cryptographic hash function SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol SOA Service Oriented Architecture
SOAP Simple Object Access Protocol SQL Structured Query Language SSH Secure Shell
SSL Secure Sockets Layer STP Straight through Processing SUID Set Owner User ID up
TACACS Terminal Access Controller Access-Control System Plus TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol TKIP Temporal Key Integrity Protocol TPM Trusted Platform Module
TTL Transistor-Transistor Logic TXT Text file
Page 34
Application Guidance CCP Penetration Tester Role, Practitioner Level
UDP User Datagram Protocol UID User Identifier
URL Uniform Resource Locator VOIP Voice Over Internet Protocol
VRRP Virtual Router Redundancy Protocol
VTP VLAN (Virtual Local Area Networks) Trunking Protocol WEP Wired Equivalent Privacy
WPA Wifi-protected access
WSUS Windows Server Update Services XML Extensible Mark Up Language
CESG Provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.
CESG Enquiries Hubble Road Cheltenham Gloucestershire GL51 0EX Tel: +44 (0)1242 709141 Email: [email protected] © Crown Copyright 2015.