CompTIA Security+ Exam Notes

Let Us Help You Pass

Monday, September 8, 2025

CREST Explained: Certifications, Accreditation, and Industry Impact

CREST (Council of Registered Ethical Security Testers)

CREST (Council of Registered Ethical Security Testers) is a globally recognized not-for-profit accreditation and certification body that plays a vital role in the cybersecurity industry. Here's a detailed breakdown of what CREST is, what it does, and why it matters:

What Is CREST?
CREST is an international membership organization that sets rigorous standards for cybersecurity service providers and professionals. Founded in 2006, it aims to build trust in the digital world by improving the quality and consistency of cybersecurity services worldwide.

Mission and Goals
CREST focuses on four key pillars:
  • Capability: Developing and measuring the skills of cybersecurity professionals.
  • Capacity: Expanding the global pool of cybersecurity talent.
  • Consistency: Ensuring high-quality service delivery across the industry.
  • Collaboration: Engaging with governments, academia, and industry to share knowledge and improve standards.
CREST Certification

CREST offers certifications for both individuals and organizations:

For Individuals:
  • Certifications like CPSA, CRT, and CCSAS validate technical skills in areas such as penetration testing, incident response, and threat intelligence.
For Organizations:
  • CREST accreditation is a quality assurance benchmark. It confirms that a company meets strict standards in areas like:
    • Operating procedures
    • Personnel development
    • Testing methodologies
    • Data security
Accreditation Process

To become CREST-accredited, companies must:
1. Submit a detailed application.
2. Provide documentation (e.g., insurance, compliance certificates).
3. Undergo audits and possibly on-site assessments.
4. Demonstrate that staff hold relevant CREST certifications.

CREST also provides feedback during the process to help applicants meet standards.

Global Reach
CREST operates internationally, with regional councils in the UK, Americas, Asia, Australasia, and EMEA. It supports cybersecurity ecosystems across borders, recognizing that cyber threats are a global concern.

Benefits of CREST Accreditation
  • Trust and credibility in the cybersecurity market
  • Competitive edge for bidding on contracts
  • Compliance support for regulated industries
  • Proof of technical competence and ethical standards

Sunday, September 7, 2025

ASLR: A Critical Defense Against Buffer Overflow and ROP Exploits

ASLR (Address Space Layout Randomization)

Address Space Layout Randomization (ASLR) is a security technique used in modern operating systems to randomize the memory addresses used by system and application components. Its primary goal is to make the exploitation of memory corruption vulnerabilities (such as buffer overflows) significantly harder for attackers.

Why ASLR Matters
Many attacks rely on knowing the exact location of code or data in memory. For example, if an attacker wants to execute malicious code via a buffer overflow, they need to know where to jump in memory. ASLR disrupts this by randomizing memory layout, making it unpredictable.

How ASLR Works
When a program is loaded into memory, ASLR randomizes the locations of:
  • Stack
  • Heap
  • Shared libraries
  • Executable code
  • Memory-mapped files
This means that each time a program runs, its memory layout is different.

Example:
Without ASLR:
  • Stack always starts at address 0x7fff0000
  • libc always loads at 0x40000000
With ASLR:
  • Stack might start at 0x7fffa123
  • libc might load at 0x41b2f000
Security Benefits
  • Mitigates buffer overflow and return-oriented programming (ROP) attacks
  • Increases the difficulty of successful exploitation
  • Forces attackers to guess memory addresses, which often leads to crashes
Limitations
  • Not foolproof: If an attacker can leak memory addresses (e.g., via an info leak), ASLR can be bypassed.
  • Partial ASLR: Some systems or applications may only randomize certain regions.
  • Performance impact: Minimal, but present in some cases.
ASLR in Practice
  • Enabled by default in most modern OSes:
    • Windows (since Vista)
    • Linux (via execstack, PaX, or kernel settings)
    • macOS
  • Can be disabled for debugging or legacy compatibility
  • Enhanced with other techniques like DEP (Data Execution Prevention) and stack canaries
Testing ASLR
You can check if ASLR is active by:

On Linux:

cat /proc/sys/kernel/randomize_va_space

  • 0: Disabled
  • 1: Conservative randomization
  • 2: Full randomization
ASLR Memory Layout Diagram Description
Imagine a horizontal block representing a process's memory space. Here's how it typically looks without ASLR vs with ASLR:

Without ASLR (Fixed Layout)
+----------------------+ 0x00000000
| Executable Code      | (fixed address)
+----------------------+
| Shared Libraries     | (fixed address)
+----------------------+
| Heap                 | (fixed address)
+----------------------+
| Stack                | (fixed address)
+----------------------+ 0xFFFFFFFF

With ASLR (Randomized Layout)
+----------------------+ 0x00000000
| Executable Code      | (randomized address)
+----------------------+
| Shared Libraries     | (randomized address)
+----------------------+
| Heap                 | (randomized address)
+----------------------+
| Stack                | (randomized address)
+----------------------+ 0xFFFFFFFF

Each component is loaded at a different address every time the program runs, making it harder for attackers to predict where to inject or redirect malicious code.
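The "each run lands somewhere else" claim above can be checked directly from /proc, which is what the added example below does; it is not code from the original post. It parses two constructed /proc/<pid>/maps excerpts (shortened, with made-up addresses) and reports which of the post's regions moved, and on Linux it repeats the comparison on two real processes.

```python
import os
import re
import subprocess

# Constructed /proc/<pid>/maps excerpts (shortened) from two runs of one binary.
RUN_A = """\
5581a2c00000-5581a2c01000 r--p 00000000 08:01 1234 /usr/bin/cat
5581a3f10000-5581a3f31000 rw-p 00000000 00:00 0    [heap]
7f3c1e200000-7f3c1e228000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4c5e0000-7ffd4c601000 rw-p 00000000 00:00 0    [stack]
"""
RUN_B = """\
55e07d400000-55e07d401000 r--p 00000000 08:01 1234 /usr/bin/cat
55e07e6a0000-55e07e6c1000 rw-p 00000000 00:00 0    [heap]
7f9a51a00000-7f9a51a28000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffe9b3c0000-7ffe9b3e1000 rw-p 00000000 00:00 0    [stack]
"""
# maps columns: address range, perms, offset, device, inode, optional path
MAPS_RE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")

def region_of(path):
    """Name the region a maps entry belongs to, using the post's categories."""
    if path in ("[stack]", "[heap]"):
        return path.strip("[]")
    if "/libc" in path:
        return "libc"
    return "executable" if path.startswith("/") else None  # first file = binary

def parse_maps(text):
    """Return {region: start address}, keeping the lowest mapping of each region."""
    found = {}
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        region = region_of(m.group(2).strip()) if m else None
        if region and region not in found:
            found[region] = int(m.group(1), 16)
    return found

def regions_moved(first, second):
    """Regions whose start differs between runs. With full ASLR and a PIE
    binary all four move; a non-PIE binary keeps 'executable' fixed."""
    return sorted(r for r in first if r in second and first[r] != second[r])

if __name__ == "__main__":
    print("constructed runs, moved:", regions_moved(parse_maps(RUN_A), parse_maps(RUN_B)))
    if os.path.exists("/proc/self/maps"):   # live check, Linux only
        snaps = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                                text=True, check=True).stdout for _ in range(2)]
        print("live runs, moved:", regions_moved(*map(parse_maps, snaps)))
```

If the live run reports that only some regions moved, compare the result with the randomize_va_space value from the previous section and with whether the binary was built as a PIE.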


DNS Filtering Explained: How It Protects Your Network

 DNS Filtering

DNS filtering is a cybersecurity technique that blocks access to malicious, inappropriate, or unwanted websites by controlling Domain Name System (DNS) queries. It acts as a first line of defense by preventing devices from resolving domain names associated with harmful content.

How DNS Works
  • DNS translates human-readable domain names (like example.com) into IP addresses that computers use to communicate.
  • When you type a URL into your browser, your device sends a DNS query to a DNS server to get the IP address.
What Is DNS Filtering?
DNS filtering intercepts these DNS queries and checks them against a filtering policy or threat database. If the domain is flagged (e.g., for malware, phishing, adult content), the query is blocked or redirected.

Example:
  • You try to visit malicious-site.com.
  • DNS filter checks the domain.
  • If it's blacklisted, the request is blocked or redirected to a warning page.
Purposes of DNS Filtering
1. Security
  • Blocks access to malware, phishing, botnets, and command-and-control servers.
2. Content Control
  • Restricts access to adult content, gambling, social media, etc.
3. Compliance
  • Helps organizations meet regulatory requirements (e.g., HIPAA, CIPA).
4. Bandwidth Management
  • Prevents access to high-bandwidth sites like streaming platforms.
How DNS Filtering Is Implemented
  • Cloud-based DNS services (e.g., Cisco Umbrella, Cloudflare Gateway, Quad9)
  • On-premises DNS servers with filtering rules
  • Network appliances or firewalls with DNS inspection
  • Endpoint protection software with DNS filtering modules
Benefits
  • Lightweight and fast (no need to inspect full traffic)
  • Works across devices and platforms
  • Easy to deploy and manage
  • Can block threats before they reach the network
Limitations
  • Doesn’t inspect encrypted traffic (e.g., HTTPS content)
  • Can be bypassed using alternate DNS servers or VPNs
  • May block legitimate sites if filtering is too aggressive
Best Practices
  • Use a reputable DNS filtering provider with real-time threat intelligence.
  • Combine DNS filtering with firewalls, endpoint protection, and web filtering.
  • Regularly review and update filtering policies.
  • Educate users about safe browsing habits.
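To make the block-or-redirect decision concrete, here is a minimal policy evaluator as an added example (not code from the original post or from any named vendor). The category table, the policy, the allowlist and the warning-page address (a TEST-NET IP) are all constructed; a real deployment would feed categories from a threat-intelligence source.

```python
from dataclasses import dataclass

# Constructed "threat database": domain -> category.  A parent entry
# also covers its subdomains (cdn.malicious-site.com matches below).
CATEGORIES = {
    "malicious-site.com": "malware",
    "login-verify.example": "phishing",
    "casino.example": "gambling",
    "video.example": "streaming",
}
# Constructed policy: blocked category -> the purpose it is blocked for.
POLICY = {"malware": "security", "phishing": "security",
          "botnet-c2": "security", "gambling": "content",
          "streaming": "bandwidth"}
ALLOWLIST = {"video.example"}       # approved exception, avoids over-blocking
WARNING_PAGE_IP = "192.0.2.10"      # TEST-NET address of the block page

@dataclass
class Verdict:
    name: str
    action: str          # "allow", "block" (no answer) or "redirect"
    category: str
    detail: str

def lookup_category(name):
    """Walk from the queried name up through its parents; first match wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return candidate, CATEGORIES[candidate]
    return None, ""

def filter_query(name):
    """Decide how the filtering resolver answers one queried name."""
    matched, category = lookup_category(name)
    if matched is None or matched in ALLOWLIST:
        return Verdict(name, "allow", category, "no policy match or allowlisted")
    purpose = POLICY.get(category)
    if purpose is None:
        return Verdict(name, "allow", category, "category not in policy")
    if purpose == "security":
        # Security blocks resolve to the warning page so the user sees why
        return Verdict(name, "redirect", category, "A " + WARNING_PAGE_IP)
    return Verdict(name, "block", category, purpose)

if __name__ == "__main__":
    for q in ["cdn.malicious-site.com", "casino.example", "video.example", "example.org"]:
        print(filter_query(q))
```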

Saturday, September 6, 2025

Hacksplaining Explained: Interactive Cybersecurity for Developers

 Hacksplaining.com

Hacksplaining.com is a free, interactive web-based platform designed to teach web security through hands-on hacking simulations. It’s aimed primarily at developers and IT professionals who want to understand and defend against common security vulnerabilities.

Core Concept
Hacksplaining uses the philosophy:

“To defend against hackers, you must think like one.”

It allows users to hack simulated vulnerable applications directly in the browser, helping them understand how attacks work and how to prevent them.

Key Features
  • Interactive Lessons: Users engage with real-world scenarios like SQL Injection, Cross-Site Scripting (XSS), CSRF, and more.
  • Visual Demonstrations: Vulnerabilities are explained using animations and interactive examples.
  • Code Samples: Secure and insecure coding practices are shown in languages like Python, Java, PHP, Ruby, C#, and more.
  • Quizzes: Each lesson includes a quiz to reinforce learning.
  • OWASP Top Ten Coverage: Lessons align with the most critical web security risks.
For Teams and Enterprises
  • Enterprise Licensing: Companies can track employee progress and meet compliance goals.
  • Team Training: Developers can be trained to identify and fix vulnerabilities in their own codebases.
Why It Stands Out
  • No Cost for Individuals: All core lessons are free to access.
  • Practical Learning: Instead of passive reading, users actively exploit and then fix vulnerabilities.
  • Security Awareness: Helps developers build a security-first mindset from the ground up.

Friday, September 5, 2025

MAC Flooding Attacks: How They Work and How to Prevent Them

 MAC Flooding

MAC flooding is a type of network attack that targets switches in a local area network (LAN). It aims to overwhelm the switch’s MAC address table, causing it to behave like a hub and broadcast traffic to all ports, which can lead to data interception and network degradation.

Understanding How Switches Work
  • Switches maintain a MAC address table (also called a CAM table) that maps MAC addresses to specific ports.
  • When a frame arrives, the switch checks the destination MAC address and forwards it only to the correct port.
  • This makes switches more secure and efficient than hubs.
What Is MAC Flooding?

MAC flooding involves sending a large number of frames with fake or random source MAC addresses to a switch. The goal is to populate the MAC address table so that the switch can no longer learn new addresses.

When the table is full:
  • The switch enters a fail-open mode.
  • It starts broadcasting all incoming traffic to every port.
  • This allows an attacker connected to any port to capture traffic not meant for them using tools like Wireshark.
Goals of MAC Flooding
1. Data Interception
  • Gain access to sensitive data by forcing the switch to broadcast.
2. Network Disruption
  • Overload the switch, causing performance issues.
3. Preparation for Further Attacks
  • Set the stage for Man-in-the-Middle (MitM) or session hijacking.
How It’s Done
Attackers use tools like:
  • macof (part of the dsniff suite)
  • Yersinia
  • Scapy (Python-based packet crafting)
These tools generate thousands of frames with spoofed MAC addresses rapidly.

Detection and Prevention

Detection
  • Unusual traffic patterns or high volume of MAC address changes.
  • Switch logs show frequent MAC table updates.
  • IDS/IPS systems detect abnormal behavior.
Prevention
1. Port Security
  • Limit the number of MAC addresses per port.
  • Configure sticky MAC addresses.
2. MAC Address Table Aging
  • Adjust aging time to reduce vulnerability window.
3. 802.1X Authentication
  • Authenticate devices before allowing network access.
4. VLAN Segmentation
  • Isolate sensitive devices from general access.
5. Monitoring Tools
  • Use SNMP, NetFlow, or security appliances to monitor switch behavior.
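The port-security control from item 1 is easiest to understand as code. The following added example (not from the original post, and not any vendor's implementation) models a switch that learns at most a fixed number of source MACs per port and err-disables the port on the first violation; the limit, the hosts and the flood of frames are all constructed.

```python
from collections import defaultdict

MAX_MACS_PER_PORT = 3   # constructed limit, like "port-security maximum 3"

class PortSecurity:
    """Tracks source MACs per port and err-disables a port that exceeds the limit."""
    def __init__(self, max_per_port=MAX_MACS_PER_PORT):
        self.max_per_port = max_per_port
        self.learned = defaultdict(set)   # port -> source MACs seen
        self.violations = []              # (port, offending MAC)
        self.shutdown = set()             # ports in err-disabled state

    def ingress(self, port, src_mac):
        """Learn a new source MAC, or record a violation once the limit is hit."""
        if port in self.shutdown:
            return "dropped"
        macs = self.learned[port]
        if src_mac in macs:
            return "known"
        if len(macs) >= self.max_per_port:
            self.violations.append((port, src_mac))
            self.shutdown.add(port)        # violation action: shutdown
            return "violation"
        macs.add(src_mac)
        return "learned"

    def table_size(self):
        """Entries the CAM table holds; bounded by ports * max_per_port."""
        return sum(len(m) for m in self.learned.values())

def spoofed_mac(i):
    """Constructed stand-in for the random source MACs a flood carries."""
    return "02:00:%02x:%02x:%02x:%02x" % ((i >> 24) & 0xff, (i >> 16) & 0xff,
                                          (i >> 8) & 0xff, i & 0xff)

def simulate(n_flood_frames=10000):
    """Two normal hosts on ports 1 and 2, then a flood arriving on port 5."""
    sw = PortSecurity()
    sw.ingress(1, "aa:bb:cc:00:00:01")
    sw.ingress(2, "aa:bb:cc:00:00:02")
    results = [sw.ingress(5, spoofed_mac(i)) for i in range(n_flood_frames)]
    return sw, results

if __name__ == "__main__":
    sw, results = simulate()
    print("port 5 shut down:", 5 in sw.shutdown, "table entries:", sw.table_size())
    print("frames:", {r: results.count(r) for r in set(results)})
```

Without the limit, the same flood would add ten thousand entries to the table; with it, the table never grows past three entries for the offending port and the switch keeps forwarding by MAC instead of falling back to broadcasting.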

ARP Spoofing Explained: How Attackers Hijack Network Traffic

 ARP Poisoning

ARP poisoning (also known as ARP spoofing) is a type of cyberattack that exploits the Address Resolution Protocol (ARP), which is used to map IP addresses to MAC (Media Access Control) addresses in a local network. Here's a detailed breakdown of how it works, why it's dangerous, and how it's mitigated:

How ARP Works

In a local network:
  • Devices communicate using IP addresses.
  • To send data to another device, the sender needs the recipient's MAC address.
  • ARP resolves this by sending a broadcast message like:
    • "Who has IP 192.168.1.1? Tell 192.168.1.100"
  • The device with that IP replies with its MAC address.
  • The sender stores this mapping in its ARP cache.
What Is ARP Poisoning?
ARP poisoning is when an attacker sends fake ARP messages to a network. These messages falsely associate the attacker's MAC address with the IP address of another device (like the gateway or another host).

Example:
  • Attacker sends a spoofed ARP reply:
    • "192.168.1.1 is at AA:AA:AA:AA:AA:AA" (attacker’s MAC)
  • Victim updates its ARP cache with this incorrect mapping.
  • Now, traffic meant for 192.168.1.1 goes to the attacker.
Goals of ARP Poisoning
1. Man-in-the-Middle (MitM) Attack
  • Attacker intercepts and possibly alters communication between two devices.
2. Data Theft
  • Sensitive information like login credentials can be captured.
3. Session Hijacking
  • An attacker can take over active sessions.
4. Denial of Service (DoS)
  • Redirecting traffic to a non-existent MAC address can disrupt communication.
How It’s Done

Attackers use tools like:
  • Ettercap
  • Cain & Abel
  • BetterCAP
  • arpspoof
These tools automate the sending of spoofed ARP packets to poison caches across the network.

Detection and Prevention

Detection
  • Unusual ARP traffic or frequent ARP replies.
  • Duplicate IP addresses with different MACs.
  • Tools like:
    • Wireshark (packet analysis)
    • ARPwatch (monitoring ARP activity)
Prevention
1. Static ARP Entries
  • Manually configure IP-MAC mappings (not scalable).
2. Packet Filtering
  • Use firewalls to block spoofed packets.
3. Encryption
  • Use HTTPS and VPNs to protect data even if intercepted.
4. Network Segmentation
  • Limit broadcast domains.
5. Dynamic ARP Inspection (DAI)
  • Available on managed switches; validates ARP packets against the DHCP snooping database.
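The two detection signs listed above (frequent ARP replies, and one IP appearing with different MACs) can be checked with a small ARPwatch-style monitor. The example below is added here and is not code from the original post or from ARPwatch; the sequence of ARP replies it processes is constructed, not captured, and reuses the post's 192.168.1.1 / AA:AA:AA:AA:AA:AA scenario.

```python
from collections import Counter, defaultdict

# Constructed ARP replies (sender IP, sender MAC) in the order a sniffer would see them.
REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # gateway answers with its real MAC
    ("192.168.1.50", "00:11:22:33:44:50"),
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.1",  "aa:aa:aa:aa:aa:aa"),   # gateway IP now claimed by another MAC
    ("192.168.1.50", "aa:aa:aa:aa:aa:aa"),   # the same MAC claims the host as well
    ("192.168.1.1",  "aa:aa:aa:aa:aa:aa"),
]

class ArpMonitor:
    """ARPwatch-style tracker: remembers the first (or static) MAC for each IP
    and alerts on every reply that contradicts it."""
    def __init__(self, static=None):
        self.table = dict(static or {})   # ip -> trusted MAC
        self.ips_by_mac = defaultdict(set)
        self.reply_counts = Counter()     # replies per MAC (flood hint)
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply; returns an alert string or None."""
        self.reply_counts[mac] += 1
        self.ips_by_mac[mac].add(ip)
        known = self.table.setdefault(ip, mac)   # first sighting is trusted
        if known == mac:
            return None
        alert = f"changed: {ip} was {known}, now {mac}"
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self):
        """One MAC answering for several IPs is the classic MitM footprint."""
        return sorted(m for m, ips in self.ips_by_mac.items() if len(ips) > 1)

def run(replies=REPLIES, static=None):
    mon = ArpMonitor(static)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon

if __name__ == "__main__":
    mon = run(static={"192.168.1.1": "00:11:22:33:44:01"})  # pin the gateway
    for a in mon.alerts:
        print(a)
    print("MACs claiming several IPs:", mon.macs_claiming_multiple_ips())
    print("replies per MAC:", dict(mon.reply_counts))
```

Passing the gateway's real mapping as `static` mirrors the static-ARP-entry prevention from item 1: the first spoofed reply then contradicts a pinned value rather than a learned one.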

Thursday, September 4, 2025

Subnetting Question 1 for Sept. 4th

 Subnetting Question 1 for Sept. 4th, 2025

Video Explanation in the next post