Exclusive: British infosec accreditation body CREST has changed some of its exams after cheat sheets containing exam answers and practical walkthroughs were posted on GitHub in a repo that NCC Group confirmed included its own documents.
In an email to all CREST members sent on the afternoon of 12 August, the certification body assured members that leaked elements of its certification exams have now been "deprecated" as part of a process already in motion "between June 2018 and July 2020".
The move comes after El Reg revealed that NCC Group-branded sheets had been posted to GitHub, prompting group CISO Dominic Beecher to comment on the repo and ask for the "proprietary and confidential information" to be taken down.
Several public-spirited people forwarded the link to us.
With its latest update, CREST has confirmed that at least some of the exam material posted to GitHub was in current use, at least until CREST became aware of what was going on. Exam sittings had been postponed because of the COVID-19 pandemic and exam centres were only due to reopen over the last couple of days, as a CREST update dated 3 July explained.
NCC Group maintains that some of the material in the repo did not originate from the company.
Don't tell him, Pike!
Many people contacted The Register after we revealed the GitHub postings. All of them questioned how seriously CREST would take the breach and whether the body would enforce its customary non-disclosure agreement (NDA) against NCC, which prohibits the disclosure of exam content.
It is unclear whether NCC's apparent retention of notes about the exams falls within the CREST non-disclosure agreement. A copy of the NDA shown to El Reg says information from CREST exams must be "protected from disclosure to anyone outside of the CREST Assessors, the CREST Executive (defined as the governing body of CREST) or CREST permanent staff".
It also said people receiving exam info must "take the same degree of care to protect such information" as if it were a trade secret.
We understand CREST exam candidates are urged "not to act deceptively or dishonestly during an examination". They are also obliged to "report to CREST any instances of deceptive or dishonest behaviour during or related to CREST examinations".
In its statement, CREST said it "will be appointing an independent investigative panel to assess a number of different aspects of the case including the extent to which NCC were aware, or should have been aware, of the content of their training material".
Here's what happened behind closed doors
Six sources described the process within NCC for CREST exam preparation to The Register. Their recollections were all notably similar to each other even though they spanned a period of years.
Exam candidates working for NCC were urged to sign up for internal pre-exam preparation courses. During those courses they were shown testing rigs with vulnerabilities to tackle and given multiple choice questions to answer, just as in the real CREST Registered Penetration Tester (CRT) exam. Supporting materials given to exam candidates also included what appeared to be marked exam papers and detailed walkthroughs of pentesting scenarios. Documents leaked on GitHub claimed these courses could be booked through employees' line managers.
"The training session is basically a primer on everything that's needed to pass," said one source, Alice. "The trainer will say things like, 'This is included in the exam and the way it works is this.' When I took my exam the long form questions I got [in the training session] were the same as the ones in the exam."
Real CREST exams administered by NCC, alleged our sources, contained questions and scenarios they had practised beforehand in detail in the pre-exam "training" session. Another person, Bob, told us: "I recall there was some variation but very little. The majority of the questions were very similar."
Others said there were parts to their exams that they had not seen in full detail beforehand. A source we will name as Craig commented: "So the labs weren't exactly the same. It's more like a CREST question might have 4 to 6 main steps, and these would be separated out between several lab boxes."
Another source, Dan, said: "I think a lot of the motivation for the whole thing is to minimise study time and investment in training."
Multiple sources named senior people inside NCC who, they claimed, were instrumental in building the company's exam training documents and walkthrough rigs. All said they had seen internal exam documents in use, and some claimed they had also used step-by-step walkthroughs to solve practical exams.
"The content of the exams and syllabus is intentionally extremely vague and under heavy NDA," said a fifth source whom we will refer to as Eve. "NCC having access to this kind of information completely undermines the purpose of CREST, in my humble opinion."
CREST: We are investigating and top NCC bod has 'recused' himself
In a statement emailed to its members and to The Register, CREST said it was taking action to investigate the breach. We understand that a group of CREST assessors is running the investigation and that none of those people work for NCC.
"NCC are co-operating fully with CREST," CREST's statement continued. "CREST takes breaches of its non-disclosure agreements very seriously and expects high standards of ethical behaviour from both its member companies and those holding CREST qualifications. CREST will take appropriate action once its investigation has been completed."
CREST chairman Mark Turner, also of NCC Group, has "recused" himself from the investigation.
NCC Group told us: "We have commenced our own investigation and are fully co-operating with CREST and NCSC."
A spokesperson from the National Cyber Security Centre (NCSC), the cyber offshoot of UK signals intelligence agency GCHQ, told The Register: "We are aware of these allegations and are working with CREST and the NCC Group to understand their validity, as well as undertaking our own investigation into any potential implications.
"The NCSC takes anything that could undermine the CHECK scheme seriously, and we conduct audits of examination boards and the CHECK companies themselves."
All pseudonymous names in this article are drawn from the Wikipedia entry for Alice and Bob. They bear no resemblance to the sources' actual identities.