CREST cancels two UK infosec accreditation exams after fresh round of 'cheat sheets' are leaked online

British infosec accreditation body CREST has suspended all of its accreditation exams after The Register revealed a published cache of files including what appeared to be internal exam sheets as well as docs apparently tied to key industry player NCC Group. We understand from sources that the security body has suspended all of …

  1. Booh
    Trollface

    Ethical?

    When are they rebranding to CRUST then?

    1. Booh
      Trollface

      Re: Ethical?

      Thanks for the down-votes, CRUST members... At least I don't have to worry about you pwning me, not because you're ethical, but because you're probably not that good if you need to use cheatware.

  2. Anonymous Coward
    Anonymous Coward

    So the other companies now have to wait to get staff qualified while NCC are allowed to carry on like normal?

    Thanks CREST for supporting a monopoly in the UK!

  3. Anonymous Coward
    Anonymous Coward

    Weed out the 'script oldies' residents

    Not sure what the ultimate decision of CREST is going to be, wait and watch ig.

    But if they penalise NCC by ensuring every consultant who has passed CCT/CRT at the first attempt has to re-sit the new rigs (hopefully not rigged), I bet more than 95% of the Manchester staff won't even pass. They are resident pentesters whose only job is to pass CREST (using all the leaked notes) and enjoy all the perks offered by the company at the expense of their customers.

  4. chivo243 Silver badge
    Coat

    Oh Crap!

    I just found these docs, and I was in the process of osmosis data transfer... another paper cert down the drain I guess.

  5. VicMortimer

    Oh wow. You guys get certified by a toothpaste company? Seriously?

    Look, I know stannous fluoride protects against cavities, acid erosion, gingivitis, plaque, bad breath, and tooth sensitivity. But it's not going to do anything for infosec.

    1. DJV Silver badge

      Oh wow. You guys get certified by a toothpaste company? Seriously?

      Yes, how else would you brush up on your knowledge?

  6. RM Myers Silver badge
    Coat

    "...CCT is regarded as a gold standard accreditation..."

    I believe most countries moved off the gold standard decades ago. The gold standard just doesn't mean as much any more, so the CCT may just be keeping up with the times.

    1. Mike 16 Silver badge

      Re: "...CCT is regarded as a gold standard accreditation..."

      Iron Pyrite Standard?

    2. DJV Silver badge

      Re: "...CCT is regarded as a gold standard accreditation..."

      Whenever I hear the term "gold standard" I can't help thinking of this: https://www.youtube.com/watch?v=LS37SNYjg8w

  7. Mike 137 Silver badge

    Move along please - nothing to see here

    "...exam docs contained up-to-date material intended to help candidates pass tests rather than learn and understand the course content."

    Isn't this the norm? In two decades of involvement in commercial technical training I've practically never encountered any other approach. Quite apart from crib sheets, what on earth can you really learn by attending a one week powerpoint presentation followed immediately by a multiple choice memory test?

    1. Anonymous Coward
      Anonymous Coward

      Re: Move along please - nothing to see here

      The problem here is by gaining a CCT certificate, and getting SC you can become a CHECK Team Leader, and then lead projects testing central and local government, police, NHS, military and other computer systems as part of the CHECK scheme.

      These projects need people with skills, experience and expertise. Not people who have memorised steps to pass an exam without the prerequisite knowledge.

      1. Alan Brown Silver badge

        Re: Move along please - nothing to see here

        > These projects need people with skills, experience and expertise. Not people who have memorised steps to pass an exam without the prerequisite knowledge.

        Worse, they parrot shit they've wrongly picked up as "gospel" and people around them repeat it - then they get salty when you point out it's bullshit.

  8. Valeyard

    pentesters

    We've had 3rd party pentesters in quite a few times. Has anyone ever NOT had a junior sent out? I only have an OSCP and I still outrank them in qualifications and experience, which is insane for the fees these people charge.

    1. Anonymous Coward
      Anonymous Coward

      Re: pentesters

      Nope. I was called in to assist with a ransomware cleanup at some company that got my details from another company, they had a whole team of juniors scurrying around that were sent in by the insurers...they got nowhere in 3 days. I had the infrastructure squeaky clean, restored and running smoothly within 6 hours...I left the juniors rebuilding workstations on an isolated network.

      Are you hiring firms or freelancers? Most of the insanely talented pentesters I know are freelance...you just can't hire a full on wrecking ball through a firm.

      Most people go and work for a firm to get a start in their career...those with experience move on to freelance. I think this is generally universal across IT.

      There is nothing as soul destroying as being an IT guy nailed down at a single firm. It is boring, unchanging and extremely hard to escape if you've been there a while due to professional stagnation.

      I know many poor souls that are trapped at large firms. They convince themselves that "one day, I'll get out" but never do because they start reading job descriptions and realise they've boxed themselves in.

      1. Anonymous Coward
        Anonymous Coward

        Re: pentesters

        To be fair, I've been on the other side of incident response to yourself, and it is a different kettle of fish to testing as insurance companies will often rush around and hire many companies to collaborate. Sounds to me like their strategy worked out as they had a skilled IR investigator onsite (yourself), assisted by juniors that you could direct.

        Pen testing is a different ball game, where sending inexperienced and unaccompanied juniors to jobs is lame and leads to piss-poor assessments. NCC's approach to pentesting has led people to think pentesting means 'Nessus', compared with some of the smaller consultancies we use that actually seem to care about the work.

  9. lansalot

    so...

    I wonder how the ratio of pass:fail will fluctuate in light of this...

    1. Anonymous Coward
      Anonymous Coward

      Re: so...

      I thought the pass rates were very low anyway?

      It will depend on how hard they make the new tests.

  10. zlyk

    Integrity

    Knowledge testing is one of the key elements in proof of competence, as are skills, education, training and experience.

    The greater concern for me is the sacrifice of integrity for expediency.

    Doing the right things the right way is important.

    Personally, I would not want such individuals testing my systems.


Biting the hand that feeds IT © 1998–2020