crest practitioner security analyst crest registered … · 2017-11-23 · crest practitioner...
CREST PRACTITIONER SECURITY ANALYST
CREST REGISTERED TESTER
v1.0
The candidate will learn how to perform basic to intermediate level infrastructure and web application security testing and methods to identify common web application security vulnerabilities. This course prepares the student for a career in Penetration Testing and provides all of the tools and teaches the techniques needed by a practicing professional.
Following this course, a student may challenge the CREST core skills exam, resulting in the CREST Practitioner Security Analyst (CPSA) professional qualification. The CPSA examination covers a common set of core skills and knowledge that assess the candidate's technical knowledge; the candidate must demonstrate that they are able to perform basic infrastructure and web application testing and interpret the results to locate security vulnerabilities. The CPSA qualification is a pre-requisite for the CREST Registered Tester (CRT) professional qualification. The CRT exam can be challenged later, once more experience has been gained through real-life scenarios.
www.infosecskills.com
CREST Penetration Testing - Career Pathway
The InfoSec Skills CPSA-CRT course leads to the CREST Practitioner Security Analyst (CPSA) examination and beyond onto the CREST Registered Tester (CRT) examination, once the candidate has gained sufficient practical experience.
WHO SHOULD ATTEND?
• Aspiring information security personnel who wish to be part of a PenTest team
• System administrators who are responding to attacks
• Incident handlers who wish to expand their knowledge into Penetration Testing and Digital Forensics
• Government departments who wish to raise and baseline skills across all security teams
• Law enforcement officers or detectives who want to expand their investigative skills
• Information security managers who would like to brush up on the latest techniques and processes in order to understand information security implications
• Anyone meeting the pre-requisites who is considering a career in Penetration Testing
COURSE AGENDA
DURATION: 80 hours
MODULE 1: Soft Skills and Assessment Management
▶ Engagement Lifecycle
▶ Law & Compliance
▶ Scoping
▶ Understanding Explaining and Managing Risk
▶ Record Keeping, Interim Reporting & Final Results
MODULE 2: Core Technical Skills
▶ IP Protocols
▶ Network Architectures
▶ Network Routing
▶ Network Mapping & Target Identification
▶ Interpreting Tool Output
▶ Filtering Avoidance Techniques
▶ Packet Crafting
▶ OS Fingerprinting
▶ Application Fingerprinting and Evaluating Unknown Services
▶ Network Access Control Analysis
▶ Cryptography
▶ Applications of Cryptography
▶ File System Permissions
▶ Audit Techniques
MODULE 3: Information Gathering & Open Source
▶ Registration Records
▶ Domain Name Server (DNS)
▶ Customer Web Site Analysis
▶ Google Hacking and Web Enumeration
▶ NNTP Newsgroups and Mailing Lists
▶ Information Leakage from Mail & News Headers
MODULE 4: Networking Equipment
▶ Management Protocols
▶ Network Traffic Analysis
▶ Networking Protocols
▶ IPSec
▶ VoIP
▶ Wireless
▶ Configuration Analysis
MODULE 5: Microsoft Windows Security Assessment
▶ Domain Reconnaissance
▶ User Enumeration
▶ Active Directory
▶ Windows Passwords
▶ Windows Vulnerabilities
▶ Windows Patch Management Strategies
▶ Desktop Lockdown
▶ Exchange
▶ Common Windows Applications
MODULE 6: Unix Security Assessment
▶ User Enumeration
▶ Unix Vulnerabilities
▶ FTP
▶ Sendmail / SMTP
▶ Network File System (NFS)
▶ R* services
▶ X11
▶ RPC services
▶ SSH
MODULE 7: Web Technologies
▶ Web Server Operation
▶ Web Servers & their Flaws
▶ Web Enterprise Architectures
▶ Web Protocols
▶ Web Mark-up Languages
▶ Web Programming Languages
▶ Web Application Servers
▶ Web APIs
▶ Web Sub-Components
MODULE 8: Web Testing Methodologies
▶ Web Application Reconnaissance
▶ Threat Modelling and Attack Vectors
▶ Information Gathering from Web Mark-up
▶ Authentication Mechanisms
▶ Authorisation Mechanisms
▶ Input Validation
▶ Application Fuzzing
▶ Information Disclosure in Error Messages
▶ Use of Cross Site Scripting Attacks
▶ Use of Injection Attacks
▶ Session Handling
▶ Encryption
▶ Source Code Review
MODULE 9: Web Testing Techniques
▶ Session ID Attacks
▶ Fuzzing
▶ Data Confidentiality and Integrity
▶ CRLF Attacks
▶ Application Logic Flaws
MODULE 10: Databases
▶ Microsoft SQL Server
▶ Oracle RDBMS
▶ Web / App / Database Connectivity
MODULE 11: Preparation for the CPSA and CRT exams
▶ CPSA & CRT Examination guidance
▶ CPSA Mock exam