Tiger Scheme CHECK Team Member exam

Sat 15th Jan 11

Yesterday a colleague and myself went to Kiderminster to take our Tiger Scheme CHECK Team Member (CTM) exam. Up until recently anyone in a CHECK approved company could be a CTM but that has been changed so you now have to pass an exam.

Having heard about how hard the CHECK Team Leader exam is I went into this with a mix of real nerves and a feeling that I was way under-prepared, but also an opposite feeling that the exam was only for team members and as recently anyone could become a CTM then the exam couldn't be too hard.

When we got there the examiner, Campbell, did a really good job of putting us at ease, saying that anyone who had been a real jobbing pen-tester for a year or so should sail through the exam. There are no tricks or gotchas, just follow the instructions and you should do fine - That really helped. He explained that the idea is to separate the people who are really doing tests and those who just spend their time running Nessus scans and just printing the reports.

The exam is in four parts:

  • Multi-choice exam
  • Essay
  • Lab
  • Viva

The multi-choice exam is a selection of 80 questions from a bank of around 1000. We had an hour to attempt all questions which is under one minute per question. Luckily most of the questions were of the kind that if you knew the answer you could just tick the box and move on. There were a few however that you did have to stop and think about. The questions covered all areas from web apps through to low level networking protocols, such as RIP.

The scheme hasn't been going for to long, I think it started around November, and because of this there were a few questions which we flagged for having poor English or having multiple possible correct answers and some that had been corrupted in some way when the question database had been created. Any questions where there was a problem with the answer were recorded and taken into consideration in the marking. Being used to the SANS style of exam where you are limited to what questions you can flag and dispute this is a nice touch and I think helps both the student and the exam.

The next part was the essay, this is the bit I was least looking forward to. Two questions from four in an hour. The four questions we had to choose from covered management, legal and two technical. Campbell told us that most people choose the management and the legal however two of the three of us chose the management and the same technical. I knew the area the legal question was on but couldn't think how I could write for half an hour on the subject whereas the technical one I chose had lots of scope for discussion. The final technical question I admit was on a subject I've never heard of, something to do with Windows SIDs and annoyingly I can't remember it so I can now look up what it actually meant.

The lab was the fun bit of the day. Obviously I can't give too much away but it as was said at the start, all that they wanted you to do was set out in the questions and as long as you can run a few basic tools you should be ok to get reasonable marks. The test covers basic network, server and web app testing but none of it in too much depth and having tested networks with tens and hundreds of servers in them it was a shock to get such a small test environment but it didn't need to be any bigger, it covered everything it needed to. There was a two hour limit to the test and I wasn't clock watching but I know I finished in under an hour, I spent the rest of the time worrying what I'd missed and looking for the hidden questions that weren't there. Campbell told us that one of their team had done the whole test in around 20 minutes. I believe that and think that without the stress of exam conditions and knowing what to expect you could easily run through it in that time.

Something that impressed me about the lab was that we all connected to the same server and each got a complete virtual network of our own to work in. There was no allocating different IP addresses to people and no worrying about other people knocking over the server you were in the middle of scanning. This may be an easy system to setup but I've not seen it done before. There were a couple of glitches where machines died, we think under too high load while being scanned, but all-in-all it performed well.

Importantly, while doing the test we all had to have our monitors mirrored to the examiners machine, this meant that he could click through and watch what each of us was doing in real time. I initially thought this would be intrusive and I'd feel odd knowing that he could be watching me but as soon as I started the test it stopped mattering. It actually turned out to be useful at times when I could ask questions about scope or similar things and he could just look at my screen rather than having to walk over and look over my shoulder. The only problem I had was having to drop my screen resolution so his monitor could cope which resulted in the button to start the Nessus scan disappearing off the bottom of the screen, the only way I could start scans was to go to the lowest input box I could see then blindly tab through to where I thought the OK button was.

The last part of the test is the viva. I think this is the bit that lets the examiner differentiate the button clickers from the actual testers. In it you have to present the answers to the lab questions and discuss what you did and why you did it. It is an informal chat, so no whiteboard or projector, just sit around your machine and look at screenshots and notes. If you can explain things such as why from seeing TCP/53 on an Nmap scan you'd probably want to try DNS zone transfer and why that is important, you'd probably be fine with this bit.

The multi-choice, lab and viva were all marked as we went along but the essay has to be sent off to Glamorgan University to be marked. I know I passed all the in-house stages so now it is just waiting for the essay results to come back. I feel pretty confident as the pass mark is 60% and I'm sure I put down enough to cover that.

For anyone thinking of doing this test, when revising you need to remember who it is aimed at and why it is there. The minimum target audience is a working pen-tester who has around a year of real experience, i.e. not a button pusher. A Team Member is someone who can do scans and identify issues but then reports them to the Team Leader to make the big decisions and liaise with the client on where to take the test. Obviously Team Members can do, and do do, a lot more than this but this is the level the exam is set at. It aims to weed out the button pushers and have a good baseline of competence. My revision tips, make sure you know your vulnerability and port scanners of choice and make sure you know how to interpret their output. Doing an Nmap scan is good but not knowing what it comes back with makes it pointless. Also read around the management and legal areas associated with the job. I don't think you need huge knowledge but you do need to know the basics.

My weak points identified by the test were around low level networking which I already knew as I've come into testing from a development background rather than a sys-admin as a lot of testers. I also want to learn a lot more about Windows administration, group policy, that kind of thing. The other area is the complete other end of the scale, I need to improve my legal and management knowledge. I'm planning to do the CISSP at some point this year so figure that should help, even if the legal side to that is US centric.

The next level on the scheme is CHECK Team Leader. From what I've heard about it, is a serious exam. Two days, essay and multi-choice on the first day then a six hour lab on the second which gets tuned to your individual needs based on the results from day one. With a pass rate of 20% you really have to revise hard for that. I'll be looking to do this either this year or next but there is a lot of revision and a lot of practice needed before I take that.