After a year-long investigation, Phil Muncaster asks what lessons can be learned from the CREST exam leak scandal
For professional certification bodies, few things are more important than sanctity of the accreditation and examination process. If people believe others are gaming the system, it devalues the process for all.
This nightmare scenario became reality for UK-based non-profit CREST last year, after it emerged that exam ‘cheat sheets’ had been posted online by employees of member organization NCC Group. After a year-long investigation, during which time GCHQ offshoot the National Cyber Security Centre (NCSC) was drafted in to undertake its own probe, CREST issued a final statement and report on the matter.
While some are unhappy that the perpetrators went largely unpunished, a bigger question remains. Has the incident highlighted a deeper malaise with the cybersecurity accreditations industry — one which could ultimately damage the integrity of the sector and those who work in it?
Vicariously Responsible
The problems began in August 2020 after NCC Group-branded documents were discovered on GitHub and Dropbox. NCC Group is a Manchester-based information assurance firm and a CREST accredited member company. The two troves related to the CREST Certified Infrastructure Tester (CCT Inf) and Certified Web Application Tester (CCT App) programs. Although the materials were deemed no longer current at the time of their discovery, the course was updated as a precaution and a full investigation was started immediately. Now-retired CREST GB chair Mark Turner, who is a director at NCC Group, recused himself from the investigation to avoid any potential conflict of interest. He has since retired by rotation.
Ultimately, the probe found that 25 of the hundreds of files uploaded online contained content related to CREST exams. These featured ‘brain dumps’ put together post-examination, as well as candidates’ revision notes and training materials.
“On two occasions between 2012 and 2014, the examination-related activities of some NCC Group employees and candidates breached the CREST code of conduct and non-disclosure agreements (NDAs),” the CREST report concluded. More specifically, this involved an NCC Group employee improperly discussing CREST exams, and another person creating notes based on the exams. As their employer, the NCC Group was “vicariously responsible for those individuals,” it added.
Fortunately, the investigation concluded that no students appeared to capitalize on the leaked data to gain an advantage in their exams. The focus therefore now turns to what lessons can be learned and whether there has been, or will be, any deeper fallout from the incident.
A Proportionate Response?
NCC Group did not meet the minimum threshold for expulsion from CREST as a result of the incident. Instead, a series of new security and process requirements was imposed on NCC Group. “We fully accept the requirements in the CREST statement, of which improvements to processes have already been made following our own internal investigation into the historical breaches,” NCC Group says in a brief statement sent to Infosecurity.
Some have argued that more robust action should have been taken, although given the lack of evidence suggesting NCC Group “knew about, condoned, or otherwise sanctioned such activity,” that would seem unfair. CREST president, Ian Glover, defends his organization’s handling of the incident and its “entirely proportionate” response.
“As a matter of urgency, we appointed an independent investigator to establish the facts. This included a detailed review of the material posted online which, out of around 400 files, identified 25 whose content was of concern,” he tells Infosecurity. “The investigator went to considerable lengths to encourage people with information to come forward and he interviewed 22 people in confidence. In addition, the investigator ordered a detailed review of NCC Group’s training material and he undertook a thorough examination of relevant documents and policies.”
Glover is also quick to head off any suggestions that, because NCC Group is a CREST member, the investigation may have been compromised.
“All members, regardless of size, pay the same for their membership of CREST. This was a decision we made when CREST was first established 15 years ago to help to avoid any potential conflict of interest,” he tells Infosecurity.
“To ensure total independence, we appointed an independent investigator who had no previous connection to CREST, NCC Group or indeed the security industry at all to gather all the facts. When it came to examining his report and making recommendations, this was done by a panel of NCC Group’s industry peers from the CREST executive who are elected from the CREST membership to represent them.”
The Bigger Picture
However, some commentators speculate that more needs to be done at an industry level to improve oversight of accreditations bodies. BH Consulting founder and Infosecurity Hall of Fame inductee Brian Honan argues that such measures are particularly important in an industry where certifications still play a key role in helping determine practitioner competence.
“What is missing from the industry is accountability for individuals who do not perform in a professional or unethical manner, organizations who behave in similar ways, or certification bodies who do not adhere to expected standards in administrating their certification schemes,” he tells Infosecurity.
“Given the criticality of cybersecurity to our businesses, our personal lives, our societies, our economies, and indeed national security, we need more robust ways to hold individuals and organizations accountable for any inappropriate behaviors. If, in other professions, individuals and companies can be censured or even forced to discontinue operating, then we should have something similar within the cybersecurity industry.”
Global certifications and training body SANS Institute will not be drawn on the specifics of the CREST case, but weighs in more generally.
“Something can be said about the need for certification bodies to be accredited by reputable boards and organizations, to ensure they undergo frequent audits from accreditation boards which routinely check for fairness and ethical standards, by default, holding policies to a higher standard,” it tells Infosecurity.
Glover, who will step down after 13 years at the helm of CREST, is confident the organization will improve as a result of this incident, with a focus on supporting sound training processes and investigating breaches of NDAs and codes of conduct whenever they’re brought to light.
“One of the benefits of this investigation has been the recognition that we need to give more and clearer guidance to members in terms of what is and what is not acceptable in terms of their training practices. We are also adding elements to the accreditation process in which members make declarations about their training material,” he concludes.
“The aim is to help member companies deliver training that supports the professional capabilities of their employees through ongoing professional development. No company wants an employee to cheat their way through an examination. They want people to pass exams because they have the required knowledge and skills that can be applied in the real world.”