VA+ (Vulnerability Assessment Plus)
Remote exam with live assessment
Being able to understand the vulnerabilities in an environment is not as simple as clicking ‘run’ on the vulnerability scanner and hoping for the best.
This comprehensive exam has been developed in conjunction with NCSC and IASME and is a requirement for all Cyber Essentials Plus (CE+) assessors that do not have a Lead Assessor qualification. Find out more here.
What you need to know:
- Provide an overview of the vulnerability assessment process.
- Learn about the tools used during the vulnerability assessment process.
- Understand the underlying concepts of TCP/IP, ports and protocols.
- Apply critical thinking to solve problems encountered during an assessment.
- Apply tools and techniques to assess:
  - external-facing interfaces;
  - internal interfaces;
  - the threat of malware (anti-malware solutions, application whitelisting).
- Assess the threat of common external attacks (email, SMS, etc.).
- Assess the threat of common internal attacks (web applications, downloads).
- Report and explain vulnerabilities found.
- Understand information security in the corporate world.
- Understand the laws and regulations involved with vulnerability assessment.
- Understand how to quantify and measure the risks associated with vulnerabilities.
- Understand how to find internal and external vulnerabilities.
- Understand how to test hardening measures against malware.
- Report and explain vulnerabilities found throughout a project.
The VA+ exam is in four parts:
1. Practical Element
During the practical element of the VA+ exam your assessor will act as your client contact and is open to questions about the scope of the engagement. You will conduct parts of a VA+ assessment and demonstrate good practice and a sound understanding of cybersecurity with regard to dealing with end users, VA+ automated tool* use, solving problems and analysing the results of a VA+ assessment. You should attend the practical exam (online) ready to perform a VA+ assessment.
* Familiarity with Nessus is required for the remote version of this assessment. We make allowances for lack of familiarity with Nessus specifically but expect the principles, protocols and methodologies to be well understood for remote testing.
If you have any questions regarding the scenarios, please ask your assessor for guidance.
2. Longform Written Essay Element
You will be asked to answer scenario-style questions (the scenario may or may not be linked to the practical phase, depending on the assessment paper on the day) in essay-style paragraphs to a high standard, targeted at a specific audience (to be chosen by the assessor or exam paper).
If you are asked to produce an executive summary the language should be aimed at non-technical executives and should include organisation specific outcomes and consequences.
If you are asked to produce a technical summary this should be a “summary” not the finding details.
If you are asked for remediation advice you are expected to go beyond the tool output provided.
If you have any assumptions or questions regarding the scenarios either state your assumption in your answer or ask your assessor for guidance.
3. Multiple-choice Exam element
The multiple-choice element allows the candidate to demonstrate their wider understanding of cybersecurity in terms of knowledge, experience, and skills.
The topics and domains are wide in scope and examine topics from an historic stance as well as looking at current practices.
Shown below is a list of topics and domains often seen in the multiple-choice element, along with a brief explanation and example to aid the candidate's ongoing research and self-study.
The examination and scrutiny of devices, software and services available on a network that may give information or indications that further disclose the inner workings, structure and secrets of an unknown system.
An example might be to question what tools are currently available to gather information from a device offering domain name system (DNS) services.
Encryption / Cryptography
The practice and study of securing communications in the presence of adversaries. An example question might be to describe vulnerabilities in different versions of secure shell (SSH).
The laws, rules, regulations, best practice, and ethics associated with working in cybersecurity. Clients and customers put a lot of good faith in the operatives involved in cybersecurity engagements including the disclosure of information and the trust that is implied by allowing their systems to be scrutinised. An example might be to question what methods and techniques could be used by a cybersecurity consultant to stay within a scope and which laws, rules, regulations, best practices, and ethics would be called into question if not adhered to.
Linux operating system
The use of the Linux operating system has many benefits for the cybersecurity consultant and being aware of these benefits is important. Furthermore, the Linux operating system is used in many industries and is highly likely to be present in some form at most if not all customer sites. Most of the network devices as well as many servers use a Linux operating system.
Knowledge and understanding of the protocols used for data in transit is invaluable to the cybersecurity consultant. Even though some of the work can be simplified by automated tools, the consultant requires a solid background in low-level computer networking in order to validate results, mitigate issues and troubleshoot problems. Networks come in many flavours, such as wired Ethernet, wireless, local and wide area. An example might be to explain how network mapping tools can distinguish between open, closed and filtered TCP ports on a local area network.
Testing
The testing domain is better described as general cybersecurity knowledge and the soft skills required by a penetration tester. Many cybersecurity qualifications require an understanding of security models, frameworks, concepts and definitions of cybersecurity terms. An example might be to describe the technical controls involved in the DDPRR security model.
Vulnerabilities
The vulnerability topic or domain is knowledge of vulnerabilities, both current and historic. Although an emphasis is placed on vulnerabilities which result in exploitation where remote code execution is possible, knowledge of vulnerabilities which result in information disclosure, denial of service and other outcomes is also part of this domain. An example might be to describe how a particular SSL/TLS vulnerability works.
Microsoft Windows operating system
The Microsoft Windows operating system is extremely popular with users and administrators alike. Over the years, vulnerabilities and misconfiguration of the Windows operating system have resulted in companies being compromised. This domain is specifically for Microsoft Windows operating system knowledge relating to cybersecurity. An example might be to question where passwords are typically stored on a specific Microsoft Windows server version.
Methodology
The methodology domain is related to the many methodologies and standards used in cybersecurity, such as infrastructure penetration testing methodologies, open-source intelligence gathering methodologies and vulnerability scanning methodologies. Some are widely accepted, such as the OSSTMM framework and OWASP, whereas others are simply best practice. An example question might be to ask about the steps required to scrutinise the configuration of a network security device.
There are other operating systems in use, for example Apple, Android and Unix, which, although similar, might not be covered by the Windows and Linux domains. An example question might be to ask about ubiquitous vulnerabilities found on Unix systems.
Web applications
The web application domain covers the testing, auditing and scrutiny of web applications, mobile applications and application programming interfaces (APIs). An example question might ask about a vulnerability specifically associated with web application testing, such as session fixation.
Metasploit
The Metasploit domain covers the topic of vulnerability exploitation using any technique or any framework associated with exploitation. This domain involves the exploitation of vulnerabilities identified as a result of the enumeration of a device or network. An example might ask about the difference in crafting exploits with bind or reverse payloads.
Reporting
The reporting domain is associated with the skills and abilities of the cybersecurity consultant to convey findings in a way that is relevant and suitable for the audience of any report. An example might be to explain how attack surfaces are best described and how findings relate to risk ratings or scoring metrics.
4. VIVA Exam element
A short verbal interview to allow the assessor and candidate to clarify any issues or to assess understanding. (Some assessors may split the VIVA element and cover the practical, longform and multiple-choice as distinct sections, others may combine all elements into a single VIVA – you will be asked to remove all exam materials from your device before the exam is complete).
The following has been provided as further information – you will be emailed a detailed set of joining instructions when you book your exam.
The VA+ certificate is valid for three years, and the exam will need to be retaken at this point in order to renew.
If you would like to book a re-sit, please contact us. Please note that the following re-sit criteria apply:
- You will need to wait 4 weeks before re-sitting the exam.
- The re-sit needs to be taken within 3 months of the original date.