CREST exam cheat-sheet scandal: New temp chairman at UK infosec body as lawyers and ex-copper get involved

British infosec accreditation body CREST has appointed an ex-police officer to investigate the NCC Group exam cheat-sheet scandal as its chairman temporarily steps aside. The accreditation body has been rocked by revelations from The Register that major industry player NCC Group's training material was leaked in a GitHub repo …

  1. jsmith9999

    Ex Police Investigator

    Is the ex-officer the one from Channel 4's Hunted? As we've seen them all work with NCC on TV.

  2. Anonymous Coward

    Independence?

    He is a former Detective Chief Inspector and has been selected for his independence, integrity and investigatory skills.

    How independent? Who is paying his salary?

    1. Anonymous Coward

      Re: Independence?

      Let’s turn that around - who do you believe should be paying his fee/salary during this episode to ensure his independence remains (and is seen to remain)?

      1. Anonymous Coward
        Happy

        Re: Independence?

        Let’s turn that around - who do you believe should be paying his fee/salary during this episode to ensure his independence remains (and is seen to remain)?

        It doesn't matter who pays, what is more important is who selects the expert.

        What follows is a general observation and nothing to do with this specific case. If an independent expert excoriates her client with brutal honesty, then would this affect her chances of future work from other, similar, clients? The way to guard against this potential moral hazard is for such experts to always be appointed by someone other than the client, and who themselves are not paid by the client to make that selection.

      2. Anonymous Coward

        Re: Independence?

        The British Cheese Board.

  3. Mark192

    Individuals sharing cheat sheets will find they've got useless colleagues whose mess they end up sorting out.

    Organisations using cheats sheets will find they've got highly qualified but underperforming employees.

    This will be stamped out so fast... but will inevitably return. I'm surprised they didn't have a shedload of rotating, changing tests so that compiling cheat sheets is futile.

    1. WolfFan Silver badge
      FAIL

      Won’t work. I do adjunct instruction at a local community college. I have a pool of 2095 questions, multiple choice, multiple responses, matching, short answers, and case from which the test system selects 50 at random for each test. At least three individuals have gone to the trouble of getting answers to all 2095 and attempted to sell cheat sheets. What they didn’t know was that I was listed as a student, so they tried to sell me a cheat sheet. Oops. There were a few others who weren’t quite as mercenary, but they could be detected in other ways. I’m sure that there are a few I haven’t spotted. Yet.

      1. johnfbw

        2095 questions

        With that many questions doesn't memorising the answers really become studying?

        1. WolfFan Silver badge

          Re: 2095 questions

          Yep. It’s easier to study the relevant chapters than to try to cheat. It’s just that some people just have to cheat, it’s in their DNA, and they think that they’re putting one over on me.

  4. ortunk
    Devil

    25 years in the industry

    zero (0) certifications

    1. Anonymous Coward

      Why is that good?

      I don’t see why you think that’s a good thing or even relevant? For a start if you want to be CHECK qualified and therefore unlock career progression and more money in most firms in the UK you have to have some kind of qualification.

      I just find it weird in infosec that everyone wears having no qualifications as a badge of pride. It’s like a surgeon going, I have nothing to show I can do this, but trust me I can do brain surgery with the best of them.

      It should be a non issue, some people do certs, some don’t, but why it has to be a w**ly waving contest between the two is beyond me.

      1. Glen 1

        Re: Why is that good?

        The willy waving comes from being *smug* about being self-taught, and a certain level of arrogance from not having to *pay* someone else to teach them.

        If you can convince a company you know what you are doing, you don't *need* Industry certs/degree/ A-levels/GCSEs. The problem is that the hiring companies *themselves* often don't know what they are doing, so use certs as a proxy for measuring ability/performance.

        So some companies rely on certs. They are trusting a cert company that the box ticking exercise is legit, so they can do *their own* box ticking exercise in HR/Legal.

        --

        Remember, the object of the game is to convince someone to pay *you* a lot of money.

        Cert companies want you to pay *them* money, so they market the certs:

        a) to *companies* to convince them that folk with these certs know what they are doing

        b) to *you* stating that these companies will pay top dollar for people with those certs.

        Your certificate buys you marketing budget with your prospective employers. If you don't need that, you don't need the cert.

      2. Anonymous Coward

        Re: Why is that good?

        I have certs but mostly from donkey's years ago. Most recent one was CySA+ I did in December (and passed).

        Folks without certs have usually worked at the same place for decades and struggle to move on. I've never met anyone that freelances that doesn't have at least a few relevant certs.

  5. Outer mongolian custard monster from outer space (honest)

    Very very annoying...

    It's really annoying for me, because I am a holder of some CREST certs, and I did both when not attached to a larger company, the hard way, by studying independently and honing my craft (I'm not by day a Windows bod so I had to pull up my socks on that side of the OS divide).

    Now after all that work, I'm going to be in an interview and someone will see CREST on the CV and think "oh he'll be one of those NCC cheats" or it happens everywhere.

    I hope CREST properly and fully crucify NCC in the name of all the honest people who did their certification.

    Meanwhile I'm pretty glad I also took OffSec certs, because a) they're fairly well known outside the UK in comparison to CREST, and b) their reputation isn't tarnished by this mess.

    1. Joe Montana

      Re: Very very annoying...

      I'm in the same boat as you, have done several CREST certs while working at smaller companies not affiliated with NCC or the other large players. I managed to pass, yet the companies have also put forward other candidates who have failed. None of us were asked to divulge information from our tests either. Had we done so, the pass rate would probably have been higher.

  6. Mike 137 Silver badge

    Having to sign an NDA

    I agree entirely that cheat sheets for individual sessions discredit qualifications, but equally any exam that can only be rendered cheat-free via an NDA is a lousy exam. If the questions are either so elementary or drawn from so small a pool as to require secrecy from session to session, the qualification will intrinsically be valueless.

    1. Anonymous Coward

      Re: Having to sign an NDA

      Having taken CREST exams in the past, I can confirm that they don't check for your knowledge; instead it's an exam on how quickly you can solve the CTF for 50 marks each. Never ever has it happened in my history of CTL work that a client has asked me to "break out of a locked environment" in 20 mins or they won't pay my day rate. Never at all.

      Cheating / keeping cheat sheets is the result of this CTF exercise. If only they had tested the knowledge and understanding of the concepts owned by the consultant, there was no need to have these kind of short cuts. But CREST wanted to control the Infosec market in the UK. CTL work is not even worth the efforts that go into preparing for these exams.

      CREST should first investigate themselves after all the bad publicity it has gained from this. Work on modifying the way they are testing the candidates. Will that happen? Of course not. They are already preparing new challenges, which means a new wave of cheat sheets in the next couple of years.

      1. Anonymous Coward

        Re: Having to sign an NDA

        Exams are hard to design, I’m sure CREST and the wider industry will appreciate you putting your money where your mouth is and helping come up with a new model.

        OffSec, which everyone seems to like, is based around a CTF model as well (albeit a longer exam). It's not CREST's fault that as the infosec industry we haven't come up with anything better to test people's skills.

        Also not all CTL work is testing your local borough council for bargain basement rates, some CTL work is extremely high-end and specialist, but clearly the kind most don’t hear about. (a la central MOD)

        1. Anonymous Coward

          Re: Having to sign an NDA

          The CTF model is bollocks though. I'm in infosec and in no way has the real world ever reflected a CTF simulation.

          The only thing missing from CTF style exams to make them entirely absurd is the blowjob Hugh Jackman gets in Swordfish.

      2. Joe Montana

        Re: Having to sign an NDA

        There are many things to weigh up when offering a certification...

        They want to make it repeatable and fair, if there is too much variation you will have people complaining that they got a harder set of questions than others.

        The shortness of the exam is also a concern for some, none of it is especially difficult but people often lose time and fail to gain enough marks who would have passed if given a bit more time / less pressure. This teaches you to cut corners to get it done in the time, something you shouldn't really be doing in the real world.

        The old CHECK model had the examiners mirroring your screen and watching what you did while discussing your progress as you went along, this was in some ways better as it gave them a good feel for the skill level of the candidate and someone who had been briefed how to complete the specific challenges but lacked in general skills had a chance of being caught out. On the other hand, people would complain it's too subjective and down to the whims of the examiners on the day.

    2. Anonymous Coward

      Re: Having to sign an NDA

      These sorts of exam questions will be hard to come up with. So it would be a lot of work (and/or expensive) to generate new questions for every exam.

      Nice to see CREST has opted for easy option of an NDA and to reuse the content as much as poss.

      When we procure pen testing services normally CREST cert is an accepted qualification. I think I'm now seeing why we occasionally get guys who seem to know less than me. If CREST don't step up we'll likely remove CREST as an accepted qualification and we'll just need to pay up for CHECK testing.

      Sucks for the good guys for CREST but what's a customer to do if we've lost faith in the qualification?

      1. ThrowAWay022020

        Re: Having to sign an NDA

        Why would you accept CHECK? (Respectfully it sounds like you don’t know the difference from that comment).

        CHECK is just Tiger/CyberScheme or CREST + SC clearance.

        So by accepting CHECK you’ll implicitly be accepting CREST people.

        Also if you’re a commercial entity and not related to government you won’t be able to get a CHECK test, you might get a “CHECK-like” test but NCSC frown upon them greatly.

        What should a customer do? What I always recommend customers do: ask for bios and if they don't help make a decision, get on the phone and have a chat.

  7. Anonymous Coward

    CREST exam

    Q1: discover the location of the cheat sheets

    Q2: exploiting this information.....

    1. General Purpose

      CREST 2021

      1. Locate the honeypot of cheat sheets.

      2. In exam, try password from cheat sheet.

      3. Fall down increasingly frustrating rabbit-hole for remainder of exam.

      4. Fail without explanation or opportunity to resit for 5 years.

  8. Korev Silver badge
    Joke

    Crest? I prefer Colgate myself...

  9. Anonymous Coward

    Total bollocks

    NCC should be struck off the CREST list. This is a complete breach of the NDA and makes them a highly questionable supplier from an ethical stand point.
