“Thank you for taking your assessment with the Cyber Scheme. Unfortunately, you haven’t been successful on this occasion”
I have an amazing, very rewarding and somewhat unusual profession. I get to watch people who treat hacking as an art form painting their masterpieces. I assess exams for The Cyber Scheme. I also get to see some dumb, out of this world crazy stuff too, but that’s for another post. Despite many people passing Cyber Scheme assessments, I want to explore when a good, solid, penetration tester who clearly has experience, knowledge and skills manages to pull defeat from the jaws of victory.
The words that put fear into every CHECK team member and leader alike? “Unfortunately, you haven’t been successful on this occasion”.
Without giving anything away that isn’t already publicly available, here is my top ten list of being successful in a Cyber Scheme exam (unless you enjoy a day out at Eagle Tower with nothing to show for it, in which case, “as you were, nothing to see here”).
1 – You need time to prepare – you wouldn’t run a marathon without some training, you wouldn’t take a driving test without lessons, and you wouldn’t dream of taking an exam that your career depends upon without a few days to prepare, right? Failing to prepare is preparing to fail – apparently, it’s a famous military saying. Take time to study, take a training course, practice the commands and flags, revise the knowledge, and seek out a mentor. This is your trade craft, own it.
2 – If you can’t get on the network, the exam’s going to be very, very, very challenging. You might as well have stayed in bed. Every penetration tester needs to be able to connect to a network, either via Wi-Fi, Ethernet or both. Our CSTM joining instructions say – “You will need to set a fixed IP using the command line interface”. Three seconds into the exam – “erm I’m just jumping onto Google” followed by a sheepish look from the candidate as they search for “how to connect to a network”. (That’s right, you can even look things up on the internet during the assessment, just like an actual penetration test.)
3 – Keep it simple. If you are taking the CSTM (Cyber Scheme Team Member) exam or the CSTL (Cyber Scheme Team Leader) exam, read your notes on the basics before the exam: penetration testing 101. Start off with the easy stuff and work your way up to the advanced techniques. The Cyber Scheme exams are very fair and mimic an actual penetration test engagement. (I am biased, of course, but I had no hand in the CSTM or CSTL exams so credit to all those who created them). I see really good testers missing the easiest of challenges because they expected it to be harder. All the knowledge domains (syllabus) are on the Cyber Scheme website. It’s no secret what the knowledge and skills are to be a CHECK penetration tester at CTM (CHECK team member) or CTL (CHECK team leader) level.
4 – Forget the rumour mill – I see good people failing exams because they heard from a friend of a friend’s dog’s uncle second removed on their mum’s side, that the way to exploit a box was to do x, y and z. So instead of doing their day job, which they are very skilled at and spent many hours perfecting, they throw all that out of the window and waste a good part of the exam trying techniques that just don’t and won’t work. The exams are dynamically generated, and everyone gets a unique experience.
5 – If you want to be an infrastructure CTL your pivoting game needs to be on point. I learned the existence of pivoting as a new CTM, when the elders (the CTLs) were discussing the mystical secret dark arts of tunnelling and pivoting, so why would anyone come to a CTL level assessment without a good pivoting game? See point 1.
6 – If you want to be an application CTL you need to be good. It’s not CTM. I know this is a bit “Try Harder” but you need to be all over the current OWASP top 10 and, very importantly, don’t listen to the rumour mill. See point 4.
7 – If you want to be a CTM, you need to have many hours of penetration testing under your belt. Whether on real customer systems or on test / training networks. This is not an entry level exam; you are qualifying to be an ethical hacker to keep systems safe. The CSTM exam is not for beginners.
8 – For the love of <insert name of deity>, do some preparation (see point 1). Don’t turn up with half the internet downloaded and learn to penetration test as you go. You don’t have the time. Copying and pasting line after line of random commands with no idea what they do, how they work, or what the flags do is just not going to get you a pass. Yes, you can bring notes (for open book exams), and yes you can look things up on the internet but that should be a backup, a last resort, not your “A” game.
9 – Make sure you bring the correct hardware; make sure you have installed all your software and tested that everything works. You need to be able to mirror your screen via HDMI. It’s not a great start to the day if you are flustered and stressed because the simple task of mirroring your screen turns into a big deal. You need to connect to a network, so bring your USB network card, etc. Oh, and don’t forget to bring your power supply, mouse, keyboard, and even bring that Python library you use often. The exam isn’t the correct time to try a new Linux distro or to see if the old broken laptop from the office bottom drawer will last longer than a few hours.
10 – Have faith in yourself, you are good at this. Follow your methodology. Everyone gets exam nerves but remember, “you are good at this”, you did the prep (see point 1) and you are ready. Many people tell me the only reason they failed was a lack of faith in their own ability, second guessing, and not trusting they can smash it. Have no regrets on the long drive home.
Thanks to this guest blog from Paul Richards – Lead Assessor for The Cyber Scheme.
If you’re interested in becoming a pen tester, you can find out more about how The Cyber Scheme can help here. You can also read more on how The Cyber Scheme is working to address the vital skills gap here.