British infosec firm NCC Group has been rapped over the knuckles after infosec accreditation body CREST found it was "vicariously responsible" for employees who helped staff cheat certification exams.
In a lengthy statement published yesterday, CREST said last summer's exam-cheating scandal boiled down to just two incidents carried out between the years 2012 and 2014.
"On two occasions between 2012 and 2014, the examination-related activities of one or more NCC Group employees and candidates breached the CREST Code of Conduct and NCC Group was, as their employer, vicariously responsible for those individuals at the time," said CREST [PDF, 19 pages].
The certification body added that NCC Group's actions also breached its non-disclosure agreements, signed by exam candidates to confirm they won't reveal the exams' contents to anyone.
Last summer someone dumped a cache of files onto GitHub and Dropbox. Those files were exam walkthroughs, cheatsheets and reams of material that would be helpful to anyone sitting CREST's CCT-INF (CREST certified tester – infrastructure), CCT-APP (applications) and CRT (pentesting) exams.
The investigation concluded in December 2020 and while CREST said it would not publish its full report into the scandal, this week's statement is as near as the public is likely to get to the full facts.
Many people contacted The Register to say they thought this organised cheating was one of the worst-kept secrets in the British infosec industry. So why didn't CREST tear into the NCC Group?
A retired copper, former detective superintendent Adrian Lennox-Lamb, was appointed to run the investigation into the scandal. CREST's executive chairman, Mark Turner of NCC Group, recused himself "for the duration of the investigation" (which concluded in December 2020) while other company reps "also withdrew from other CREST activities."
CREST rapidly identified a key problem:
The CREST GB Executive took responsibility for initiating a full investigation on behalf of members which meant that we became the de facto complainant. As such we could not investigate our own complaint which is why the Executive appointed an independent investigator to carry out this work.
The organisation's internal complaint processes were set up so CREST would investigate complaints from third parties against third parties, not situations where the org itself would be involved. Meanwhile, the investigation ran into a bigger problem: although Lennox-Lamb set up a Gmail inbox for people to contact him, only five did.
"Of these, one was interviewed and gave a statement," said CREST. "The other four either gave information that was assessed as not being directly relevant to the investigation or they failed to respond to the investigator's follow-up emails."
What did NCC fall foul of?
CREST had some of its exam assessors look at the NCC Group material leaked online. Of the hundreds of files in the cache (a list of filenames can be found on Pastebin), they identified 25 which they said were "considered problematic and deemed to contain content relating to CREST examinations."
We asked CREST about those 25 files and were told they were "a mix of notes, some characterised as 'brain dumps' put together post-examination; candidates' revision notes; training material based around content, including syllabuses, that was publicly available from CREST; and generic information relating to penetration testing."
An NCC-branded item from the cheat sheet repo, shown to us by a source who examined the cache
Multiple sources from across the British infosec world (and beyond) told The Register they recognised the full cache as being information that would be very handy for anyone about to sit CREST exams.
Six of the files were on NCC headed paper while another one was an email between NCC Group staff. The authors of those files were interviewed by Lennox-Lamb, and views were mixed; some said they "contained no actual exam content" while others gave the game away.
And the outcome
NCC Group got away lightly with a finding that it was "vicariously liable" for the actions of just two employees, who were unnamed in CREST's statement. CREST said there was no evidence that NCC exam candidates' pass rates were higher than those of its competitors, also pointing out that NCC has never been the top firm for passes as a percentage of candidates entered, although the company is many times bigger than most of the UK infosec sector and enters many more candidates as a result.
The pentesting firm issued a public statement yesterday describing the exam-cheating as "historical", adding: "There is no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity."
Just for good measure, the company added that it "fully accepts the requirements in the CREST statement." It refused to answer questions from The Register beyond its prepared statement.
Those requirements mentioned by CREST are for NCC to prevent something like this from happening again by creating "a means of monitoring the application of such processes" together with evidence to be submitted to CREST. In addition, the company will cover half of CREST's investigation costs and pay for an assessor to go through its current training material "to ensure that no CREST-related and implied content is included."
NCC exam assessors will "remain suspended from CREST activities" until those things are done.
Part of the delay in publishing the CREST report was to allow feedback from NCC Group. That seems to have been successful from NCC's point of view; CREST accepted that its NDAs created "a level of confusion" over "what is unacceptable" for companies and exam candidates alike to do when preparing for CREST exams, and the documents will be rewritten accordingly.
CREST's member declaration will also be rewritten to explicitly state that members will abide by CREST NDAs, its code of ethics, code of conduct, and the complaints handling process.
A UK infosec bod who asked for anonymity in case of reprisals told El Reg that he was happy the CREST statement was published, saying that no matter what CREST found he couldn't imagine it would ever eject NCC, one of its biggest backers, from membership.
Many others have expressed anger to El Reg over the scandal, believing it devalued their qualifications and was likely to call into question the integrity of the entire industry. All also expressed fears about going public.
An NCSC spokesperson told us: "NCSC has conducted an investigation into these allegations, led by an independent person. This has identified some areas for improvement in CREST’s processes and we will work with them to ensure the recommendations are implemented.
"CREST and NCC co-operated fully with the NCSC investigation, and CREST's own investigation drew similar conclusions to the NCSC one.
"We do not believe that the sharing of this information would have conferred advantage on anyone who was significantly below the standard expected and nor do we believe that this incident is likely to lead directly to vulnerable systems."