CREST exam cheat-sheet scandal: New temp chairman at UK infosec body as lawyers and ex-copper get involved

Plus: Sources showed us some of what was in that Dropbox leak


British infosec accreditation body CREST has appointed an ex-police officer to investigate the NCC Group exam cheat-sheet scandal as its chairman temporarily steps aside.

The accreditation body has been rocked by revelations from The Register that major industry player NCC Group's training material was leaked in a GitHub repo alongside cheat sheets to help candidates pass accreditation exams the first time.

Despite claims by NCC Group that some material in a cache of documents leaked on GitHub did not originate from the firm, CREST has opened a formal investigation.

In an update sent to member companies and The Register, the organisation said that "an independent investigator has been appointed. He is a former Detective Chief Inspector and has been selected for his independence, integrity and investigatory skills."

A CREST spokeswoman did not immediately respond to a request for comment or for the name of the investigator.

CREST's chairman, NCC director Mark Turner, has also stood aside for the duration of the investigation into exams. The Register understands he has not quit but has "recused" himself from the organisation. Temporarily taking his place at CREST is new interim chairman Rob Dartnall, chief exec of infosec biz Security Alliance.

The accreditation body has also appointed lawyers to "oversee any necessary dialogue with NCC Group, the investigator or any other third parties involved", the update to members stated. Sources had previously whispered to The Register that they had little confidence in the investigation because of NCC's close links to CREST; the appointment of lawyers and an independent investigator suggests CREST is taking the scandal seriously.

About that thing everyone saw

A second tranche of leaked material was published on Dropbox last week. It appeared to contain material carrying NCC Group branding and mentioning the names of several NCC Group personnel. The company declined to comment multiple times, citing its own internal investigation, which is running in parallel with CREST's.

A source sent us a screenshot of a slide from the folder bearing what appeared to be the internal address of NCC's CREST practice rigs, computers set up to reproduce practical assessments seen in the real CREST exams.

Other slides from that same presentation - also appearing to bear the logo of NCC - suggested very specific penetration-testing techniques for candidates to practise before the exam, as well as software to install on the laptops they would use in the exam.

As reported previously, CREST exam candidates are bound by a non-disclosure agreement preventing them from revealing anything about the exams themselves. The NDA must be signed before the exam begins.

Several sources told The Register the folder contained detailed, step-by-step walkthroughs of CREST exams. One screenshot was posted publicly.

One file said to be a detailed walkthrough of a CREST-accredited CCT INF exam scenario

"Jesus Christ, literally step by step instructions on how to go through the CCT-INF exam. I swear to god if something doesn't come from this then CREST will lose all validity," said one Redditor of the above screenshot.

Although sources have claimed that other companies in the UK infosec industry - besides NCC, which is being investigated over accusations of this - were engaging in practices similar to those seen in the leaks, so far little evidence has emerged to substantiate that. ®

Bootnote

If you have information to share about the cheat-sheet scandal, the author of this article can be contacted via Signal on +44 7714 750 783. All tipoffs are treated as confidential.

