British infosec accreditation body CREST has declared that it will not be publishing its full report into last year’s exam-cheating scandal after all, triggering anger from the cybersecurity community.
“The Report of the Independent Investigator contains information that was obtained in confidence and, therefore, in line with both the terms of the Process and CREST’s Complaints and Resolution Measures, the Report is confidential and cannot be made public,” said CREST in an update published on its website late on 10 May, right before the CyberUK conference began.
Multiple infosec people forwarded this statement to The Register and expressed concern that the scandal was being quietly buried by CREST.
One told us he was a strong believer in “what CREST qualifications should mean so I’m hoping that they don’t brush it away as I don’t honestly believe NCC are quite in the clear here!”
Last August The Register reported on a cache of files published on a publicly viewable Dropbox account. Many of those files bore the branding of pentesting firm NCC Group, as we reported, though rumours have reached El Reg that the Manchester-headquartered firm wasn’t the only one systematically building up cheatsheets for CREST certification exams. What was revealed in that Dropbox were “step-by-step instructions” on passing theory and practical exams for, among other things, CCT-INF (CREST Certified Tester – Infrastructure) and CCT-APP (applications).
A CREST spokeswoman told us today: “We commissioned a comprehensive investigation that involved a significant amount of work. This has included allowing time for the publicity of independent whistleblowing channels, detailed interviews by the appointed independent investigator, the follow-up and validation of all information obtained, and taking legal advice on the validity of the process.”
The whistleblowing channels consisted of a Gmail address published alongside urgings to email the former senior police manager running CREST’s investigation if you had “relevant information about the unauthorised publication of the confidential material.” Some suggested to El Reg that CREST was more interested in hunting down the whistleblowers than investigating NCC’s involvement with the cheatsheets.
Addressing these concerns, CREST said: “Commitments were made to maintain the confidentiality of all those who contributed to the investigation. This is to protect individuals, members and other relevant parties who have provided information to the independent investigator. Confidentiality provides the protection for contributors and ensures a fair investigation can be conducted. The publication of the full Independent Investigator Report would remove these protections.”
It seems implausible to us that a carefully drafted piece of investigative writing would reveal the identities of sources. After all, we know a thing or two about how that’s done.
Certification is the key to lucrative contracts
CREST is the gatekeeper for security-critical infosec work on UK government and critical national infrastructure. Individuals and companies alike are required to pass CREST certifications before being eligible to bid for certain contracts and subcontracts. Evidence suggesting one of the industry’s biggest players had been bending the rules on these tests would reduce public confidence in the certifications’ legitimacy, especially if employees had been guided to pass the exams by rehearsing the questions in advance rather than applying learnt skills and knowledge.
“It’s not something I can speak out about as it’s pretty much an old boys’ club, but the ‘training’ rigs and the cheatsheets are an open secret,” one ex-NCC infosec bod who spoke on condition of anonymity told The Register, summarising general feeling among those who have spoken to us about the scandal.
CREST has sought to paint a picture of a thorough investigative process, describing it to us as “independent, unbiased, fair and as thorough as possible.”
“To this end,” the spokeswoman continued, “an impartial Review Panel comprising members of the elected CREST GB Executive has been established as part of the process. On behalf of the CREST Members this Panel has been given access to the investigation information under strict non-disclosure agreements allowing them to contribute to the review process.
“We can confirm that there are currently no senior staffers from NCC Group that hold key positions at CREST.”
Last year an NCC Group spokeswoman told The Register that the files were “a combination of old NCC Group internal training materials and content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group.”
We understand the company maintains this position while the investigation is ongoing – though doubtless it will be breathing a sigh of relief now CREST has decided not to publish a report into the scandal after all. ®
If you have something to share about the cheatsheet scandal the author of this article can be contacted on Signal: +44 7714 750 783