"One file, called notes.txt and no longer available on Github"
Uh... false? Seems to still be there to me...
British infosec biz NCC Group has admitted to The Register that its internal training materials were leaked on GitHub – after folders purporting to help people pass the CREST pentest certification exams appeared in a couple of repositories. The documents, posted to the cloudy code shack by an account set up last month, were …
They put in a phone-home thingie on _files from an infosec course_? Really? Lesson 1, laddie: air gap. Or use Someone Else’s Computer (™). Or set the firewall, etc, on the home server (anyone taking infosec courses would have a home server or two, right? DHCP, DNS, RRAS, ADDS, Pi-hole, etc...). Or some combination of the three. Anyone who got caught by this should fail twice. Once for cheating, once for not taking elementary precautions.
One of those cheat sheet documents is an exact abbreviated walkthrough of an exam box I saw before the Covid-19 lockdowns. Some of this is definitely recent. I am appalled by their attitude and attempts to talk this down. Especially, when others have worked very hard for the qualification.
The title says it all really - unfortunately CREST and NCC will never be honest about this. It's a known fact that NCC have CREST documentation about how to pass the CRT/CCT exams. I don't doubt that there are a number of genuinely good testers at NCC who achieved their qualifications through hard work and experience - but on the flip side, I can imagine the arrogant n*bs there sitting a new starter down and saying
'Don't worry about passing CRT/CCT - I'm just going to leave this pile of documents here for a moment while I go for lunch, when we come back we can discuss you booking your exam in - nudge nudge wink wink'
This becomes even more interesting when CCT and CRT act as gatekeepers for CHECK team positions and big government or public sector contracts. Bidding for these is limited based on having the staff available to deliver them.
I can't speak for NCC as I have luckily never worked there, but it used to be that Crest exams were very hard to pass within the time given if you did not know what was on there, despite not being that hard technically. Most candidates from a company without a training programme wouldn't even know what to prepare for. I am out of the game and in management now, but I think they have given more time. The syllabus never reflected the actual content but was just about close enough not to be an outright scam.
Convenient if you can get your staff through an exam that allows you to control the market and rent seek while others or the self-employed have to fail the exams several times to work out what is on there at 2k a shot to get over the barrier. We could get a new STEM grad with little infosec knowledge through the exams and onto a CHECK team within a few months.
Also convenient if you can pick which staff to give access to the secret materials and run your pay and promotion structure based on passing them, then tell those who fail that they simply aren't good enough. It made the teams much easier to manage, saved some difficult conversations and helped justify keeping pay lower for those who weren't a flight risk.
I assume Crest will be treating NCC as per their CoC or alternatively apologising to the guy who was stripped of his qualifications and banned for being overheard discussing exam topics on the train back from Slough - unless NCC are above that and it doesn't count...
Yes yes and yes. Correct on all accounts. If your face fits, especially in Manchester, you get access to all of the goodies and work your way up the ranks. Is there a reason NCC push CREST so hard? Sure, Mark is on the board at CREST and it makes things great from a business perspective knowing you can push loads of people through the CRT/CCT route using cheat sheets and cloned labs as a PR dream saying 'look how many of our testers are CRT/CCT - that's why we charge so much'.
If I was a customer of NCC - I would be wanting to know that the tester who did my work, potentially on government jobs, did a thorough job and wasn't just someone who got their CRT through the 'rush' method. I'd also make ALL staff at NCC who are currently CRT/CCT re-sit their exams and see just how many of them passed. No doubt there would be some who would pass it no problems at all, but it would weed out those who had 'special' help. I wonder how many of the 'cheaters' would drop Mark or one of his fanbois in it if pressure was applied...
"Also convenient if you can pick which staff to give access to the secret materials and run your pay and promotion structure based on passing them" - I couldn't agree more with this statement in particular. Well, I agree with most of your comment, but this one stands out. Do people think this is the only material that is circulating within the team? Of course not!
Accept it, NCC is not the only company doing this "internal training with cheat sheets" and definitely not going to be the last one. What was wrong with CHECK certification before CREST came along and tried to make money out of this exam? What is wrong with the TIGER scheme?
The monopoly of CREST needs to end.
The sales tactics of "We have the largest number of CREST certified consultants so our day rate is high" need to end too. As a customer, if I'm getting rigged consultants, then I don't want to work with such a company.
NCSC should step in and hand over the entire certification process to an independent body (just the way they did with Cyber Essentials) who is not inclined to get pally with one company out there to be the biggest pentest providers.
Given the out-and-out lies from Crest in their response: one of the exam boxes was still valid pre-Covid, so by "old" they meant they just removed it.
Are NCSC going to respond at all? Should they strip the exam results from those who have taken Crest Exams from NCC during the time period?
As to different exam structures, having taken the Tigerscheme SST, Cyber Scheme CSTL and Crest CCT in my time so far, I can confidently say there is barely any difference in difficulty technically, only differences in what they test. The main difference however is that SST is 6 hours and CCT is 3 hours for the main scenario. I believe the viva in the SST and CSTL is a key part of testing, as you have to explain how and why you made the choices you did; this will catch out a lot of those who have just been trained on cloned rigs.
The way CREST works is bound to make people have cheatsheets and secret notes.
This is like enforcing 30 character passwords on employees with all the complexities for a 30 day time period. What is the result? People are going to write their passwords on sticky notes and put them on their desk. Did you achieve the goal of making passwords secure? Not at all.
CREST exams are more like CTFs with a timer assigned to each flag. Is this the right way to test how competent you are? If your approach is correct but you failed to achieve the flag, you fail the exam straightaway. And if, God forbid, you are in NCC, that means you fail your promotion and hike as well, because management is prepared with - we paid 2K for your CREST so no hike for you this year!
Other exams don't do that. The CHECK scheme (and I believe TIGER as well) watches your screen and grades you based on your approach and knowledge in attempting a challenge. My clients while on a project don't want me to take their network as a CTF, they want to get thorough testing. CREST needs to change their approach.
Why is CREST solely responsible to take the entire UK (and global) market to assess the consultants? No wonder they are abusing this privilege and their monopoly.
Rotate the certification bodies operating this assessment each year. There are other players in the market too. Give one year to TIGER, then to OSCP, IRM, back to CREST. This would be the true test of people actually passing without having to maintain cheat sheets and secret notes. Let's see how many actually pass from companies like NCC who are producing more CRT/CCTs.
What is NCSC doing about all this corruption that is happening already?
What is even worse about this is that Mark Turner in his day job of director of NCC is ultimately responsible for the team schedule. When jobs are allocated by the scheduling team, Mark has overall say and oversight of the schedule and approves jobs. And yet, he is also the chairman of CREST talking about ethics and professionalism...
I had posted this earlier but withdrew it in order to add the following:
When consultants are taking non-billable time for training and courses this is reviewed and noted in the schedule differently to a client project. As Mark Turner approves the schedule, he is fully aware of the training courses his company run, and he's fully aware of who is on these courses so he can't claim ignorance as he knows full well who is doing what and when. He would also approve the non-billable development time needed to build and deploy training machines...
He has wilfully ignored the CREST CoC and NDAs and should resign from CREST immediately.
If this is true, then it's really bad to be affiliated with CREST and manage a team who are breaking the NDA and CoC willy nilly.
I wonder what investigation CREST is doing, as they clearly denied wrongdoing according to their announcement and said that the "material was outdated". So is it fair for everyone who has appeared for CREST to release their cheat sheets and secret notes on the Internet? How is CREST going to stop that from happening? And what is stopping people from releasing their "outdated" notes?
As an ex-NCC employee I can confirm it is true that Mark is the person ultimately in charge of the Manchester team schedule. Everyone at NCC knows about cheat sheets and is always sharing exam material. Management know too. All the assessors who work at NCC know.
Considering these certificates are tied to promotions and payrises, no wonder everyone is at it.
I am personally very happy to see that someone finally decided to expose this corrupt relationship between CREST and NCC Group. This is indeed an open secret known in the UK infosec industry for a long time, and many other companies and individuals were suspicious of the disproportionate number of CREST certified consultants from NCC Group that passed the exam on their first attempt - now you all know why.
While I cannot confirm the materials leaked are real, I can say their internal CREST workshop is indeed a leaked version of the exam. This is not a new thing: I was certified nearly a decade ago while working there and it seems like this practice exists up to this day. To make matters worse, management is complicit and senior staff are aware of this, and many of them are holding this workshop.
When the workshop finished we were not allowed to take the mock exam or any other material: it was all shredded right in front of us. A few days later I sat the exam and lo and behold... those were the exact same questions of the mock test of a few days earlier.
The response from CREST to this leak was ludicrous, but not unexpected. The not-for-profit is nothing but an old boys' club, a money grabbing scheme envisioned by Ian Glover to make sure government and the private sector won't hire the companies that prefer to stay out of this bullshit and don't subjugate themselves to their extortionate membership fees.
Consultants from NCC Group and the company have been given an unfair advantage over all other consulting firms competing for CREST work for over a decade now. If CREST was a serious organization, all certificates issued to NCC would be voided by now - but we all know this will never happen.
Both NCC Group and CREST should be held accountable for their corrupt relationship. This episode should serve as a warning to the whole industry and infosec market about how worthless many certifications and schemes are and about their real purpose: to benefit the big players and screw over small boutique firms trying to make a name for themselves in this market.
As an ex-NCC pentester this isn't a surprise. The internal lab environment closely mirrored the CREST lab including having the same AD domain names and host names. I wasn't told this before the exam, however, during the exam it became clear.
I brought this up at my annual review and was told to look at it from a commercial perspective. They need to churn out qualified testers to do more CHECK work. It makes sense for them to make it easy to pass the exams.
Glassdoor review from 11th Feb 2019 (http://www.glassdoor.co.uk/Reviews/Employee-Review-NCC-Group-RVW31805003.htm)
"Good training program, especially the internal CREST workshops and virtual labs that train you to pass CRT and CCT first time. I took CCT App and passed 1st time because of the training labs."
Overall it's a negative review but NCC even responded to it with - "It's fantastic to hear you consider your bonus scheme and technical training programs to be some of the pros of your role."
The arrogance of thinking they wouldn't get caught beggars belief.
It's a well-known industry fact that if you have a CREST assessor in your company then you're much more likely to pass CREST. I worked at NCC when the CREST exam replica rigs were set up, and the exam has not changed much over the years. Before that, when GCHQ were doing the exams, there was a replica of that exam set up by Mark Turner.
For the Git dump to have the entire multi-choice question and answers, this has come directly from an assessor within NCC who had access to copy it and distribute it internally. Can't believe Ed and Dave Cash were so stupid to put their names on the documents.
Then for CREST to say the changes made to the rig between 2018 and JULY 2020 make the info invalid is absolutely absurd, as anyone who has sat the exam in the last few weeks will attest to.
That said, nothing will happen. The "independent" review they say they will do will be selected by CREST so won't result in anything.
Biting the hand that feeds IT © 1998–2021