
Ethical?
When are they rebranding to CRUST then?
British infosec accreditation body CREST has suspended all of its accreditation exams after The Register revealed a published cache of files including what appeared to be internal exam sheets as well as docs apparently tied to key industry player NCC Group. We understand from sources that the security body has suspended all of …
Not sure what the ultimate decision of CREST is going to be, wait and watch ig.
But if they penalise NCC by ensuring every consultant who has passed CCT/CRT at the first attempt has to re-sit the new rigs (hopefully not rigged), I bet more than 95% of the Manchester staff won't even pass. They are resident pentesters whose only job is to pass CREST (using all the leaked notes) and enjoy all the perks offered by the company at the expense of its customers.
Whenever I hear the term "gold standard" I can't help thinking of this: https://www.youtube.com/watch?v=LS37SNYjg8w
"...exam docs contained up-to-date material intended to help candidates pass tests rather than learn and understand the course content."
Isn't this the norm? In two decades of involvement in commercial technical training I've practically never encountered any other approach. Quite apart from crib sheets, what on earth can you really learn by attending a one week powerpoint presentation followed immediately by a multiple choice memory test?
The problem here is by gaining a CCT certificate, and getting SC you can become a CHECK Team Leader, and then lead projects testing central and local government, police, NHS, military and other computer systems as part of the CHECK scheme.
These projects need people with skills, experience and expertise. Not people who have memorised steps to pass an exam without the prerequisite knowledge.
> These projects need people with skills, experience and expertise. Not people who have memorised steps to pass an exam without the prerequisite knowledge.
Worse, they parrot shit they've wrongly picked up as "gospel" and people around them repeat it - then they get salty when you point out it's bullshit.
Nope. I was called in to assist with a ransomware cleanup at some company that got my details from another company, they had a whole team of juniors scurrying around that were sent in by the insurers...they got nowhere in 3 days. I had the infrastructure squeaky clean, restored and running smoothly within 6 hours...I left the juniors rebuilding workstations on an isolated network.
Are you hiring firms or freelancers? Most of the insanely talented pentesters I know are freelance...you just can't hire a full on wrecking ball through a firm.
Most people go and work for a firm to get a start in their career...those with experience move on to freelance. I think this is generally universal across IT.
There is nothing as soul destroying as being an IT guy nailed down at a single firm. It is boring, unchanging and extremely hard to escape if you've been there a while due to professional stagnation.
I know many poor souls that are trapped at large firms. They convince themselves that "one day, i'll get out" but never do because they start reading job descriptions and realise they've boxed themselves in.
To be fair, I've been on the other side of incident response to yourself, and it is a different kettle of fish to testing as insurance companies will often rush around and hire many companies to collaborate. Sounds to me like their strategy worked out as they had a skilled IR investigator onsite (yourself), assisted by juniors that you could direct.
Pen testing is a different ball game, where sending inexperienced and unaccompanied juniors to jobs is lame and leads to piss-poor assessments. NCC's approach to pentesting has led people to think pentesting means 'Nessus', compared with some of the smaller consultancies we use that actually seem to care about the work.
Knowledge testing is one of the key elements in proof of competence, as are skills, education, training and experience.
The greater concern for me is the sacrifice of integrity for expediency.
Doing the right things the right way is important.
Personally, I would not want such individuals testing my systems.
Biting the hand that feeds IT © 1998–2022