Ex-Police Investigator
Is the ex-officer the one from Channel 4's Hunted? As we've seen them all work with NCC on TV.
British infosec accreditation body CREST has appointed an ex-police officer to investigate the NCC Group exam cheat-sheet scandal as its chairman temporarily steps aside. The accreditation body has been rocked by revelations from The Register that major industry player NCC Group's training material was leaked in a Github repo …
Let’s turn that around - who do you believe should be paying his fee/salary during this episode to ensure his independence remains (and is seen to remain)?
It doesn't matter who pays, what is more important is who selects the expert.
What follows is a general observation and nothing to do with this specific case. If an independent expert excoriates her client with brutal honesty, then would this affect her chances of future work from other, similar, clients? The way to guard against this potential moral hazard is for such experts to always be appointed by someone other than the client, and who themselves are not paid by the client to make that selection.
Individuals sharing cheat sheets will find they've got useless colleagues whose mess they end up sorting out.
Organisations using cheats sheets will find they've got highly qualified but underperforming employees.
This will be stamped out so fast... but will inevitably return. I'm surprised they didn't have a shedload of rotating, changing tests so that compiling cheat sheets is futile.
Won’t work. I do adjunct instruction at a local community college. I have a pool of 2095 questions, multiple choice, multiple responses, matching, short answers, and case from which the test system selects 50 at random for each test. At least three individuals have gone to the trouble of getting answers to all 2095 and attempted to sell cheat sheets. What they didn’t know was that I was listed as a student, so they tried to sell me a cheat sheet. Oops. There were a few others who weren’t quite as mercenary, but they could be detected in other ways. I’m sure that there are a few I haven’t spotted. Yet.
I don’t see why you think that’s a good thing or even relevant? For a start if you want to be CHECK qualified and therefore unlock career progression and more money in most firms in the UK you have to have some kind of qualification.
I just find it weird in infosec that everyone wears having no qualifications as a badge of pride. It’s like a surgeon going, I have nothing to show I can do this, but trust me I can do brain surgery with the best of them.
It should be a non-issue, some people do certs, some don't, but why it has to be a w**ly waving contest between the two is beyond me.
The willy waving comes from being *smug* about being self-taught, and a certain level of arrogance from not having to *pay* someone else to teach them.
If you can convince a company you know what you are doing, you don't *need* Industry certs/degree/ A-levels/GCSEs. The problem is that the hiring companies *themselves* often don't know what they are doing, so use certs as a proxy for measuring ability/performance.
So some companies rely on certs. They are trusting a cert company that the box ticking exercise is legit, so they can do *their own* box ticking exercise in HR/Legal.
--
Remember, the object of the game is to convince someone to pay *you* a lot of money.
Cert companies want you to pay *them* money, so they market the certs:
a) to *companies* to convince them that folk with these certs know what they are doing
b) to *you* stating that these companies will pay top dollar for people with those certs.
Your certificate buys you marketing budget with your prospective employers. If you don't need that, you don't need the cert.
I have certs but mostly from donkey's years ago. Most recent one was CySA+, which I did in December (and passed).
Folks without certs have usually worked at the same place for decades and struggle to move on. I've never met anyone that freelances that doesn't have at least a few relevant certs.
It's really annoying for me, because I am a holder of some CREST certs, and I did both when not attached to a larger company, the hard way, by studying independently and honing my craft (I'm not by day a Windows bod so I had to pull up my socks on that side of the OS divide).
Now after all that work, I'm going to be in an interview and someone will see CREST on the CV and think "oh he'll be one of those NCC cheats", or it happens everywhere.
I hope CREST properly and fully crucify NCC in the name of all the honest people who did their certification.
Meanwhile I'm pretty glad I also took OffSec certs, because a) they're fairly well known outside the UK in comparison to CREST, and b) their reputation isn't tarnished by this mess.
I'm in the same boat as you, have done several CREST certs while working at smaller companies not affiliated with NCC or the other large players. I managed to pass, yet the companies have also put forward other candidates who have failed. None of us were asked to divulge information from our tests either. Had we done so, the pass rate would probably have been higher.
I agree entirely that cheat sheets for individual sessions discredit qualifications, but equally any exam that can only be rendered cheat-free via an NDA is a lousy exam. If the questions are either so elementary or drawn from so small a pool as to require secrecy from session to session, the qualification will intrinsically be valueless.
Having taken CREST exams in the past, I can confirm that they don't check for your knowledge; instead it's an exam on how quickly you can solve the CTF for 50 marks each. Never ever has it happened in my history of CTL work that a client has asked me to "break out of a locked environment" in 20 mins or they won't pay my day rate. Never at all.
Cheating / keeping cheat sheets is the result of this CTF exercise. If only they had tested the knowledge and understanding of the concepts owned by the consultant, there would be no need to have these kinds of short cuts. But CREST wanted to control the infosec market in the UK. CTL work is not even worth the effort that goes into preparing for these exams.
CREST should first investigate themselves after all the bad publicity it has gained from this. Work on modifying the way they are testing the candidates. Will that happen? Of course not. They are already preparing new challenges, which means a new wave of cheat sheets in the next couple of years.
Exams are hard to design, I’m sure CREST and the wider industry will appreciate you putting your money where your mouth is and helping come up with a new model.
OffSec, which everyone seems to like, is based around a CTF model as well (albeit a longer exam). It's not CREST's fault that, as the infosec industry, we haven't come up with anything better to test people's skills.
Also not all CTL work is testing your local borough council for bargain basement rates, some CTL work is extremely high-end and specialist, but clearly the kind most don’t hear about. (a la central MOD)
There are many things to weigh up when offering a certification...
They want to make it repeatable and fair, if there is too much variation you will have people complaining that they got a harder set of questions than others.
The shortness of the exam is also a concern for some; none of it is especially difficult, but people who would have passed given a bit more time / less pressure often lose time and fail to gain enough marks. This teaches you to cut corners to get it done in the time, something you shouldn't really be doing in the real world.
The old CHECK model had the examiners mirroring your screen and watching what you did while discussing your progress as you went along, this was in some ways better as it gave them a good feel for the skill level of the candidate and someone who had been briefed how to complete the specific challenges but lacked in general skills had a chance of being caught out. On the other hand, people would complain it's too subjective and down to the whims of the examiners on the day.
These sorts of exam questions will be hard to come up with. So it would be a lot of work (and/or expensive) to generate new questions for every exam.
Nice to see CREST has opted for easy option of an NDA and to reuse the content as much as poss.
When we procure pen testing services, normally a CREST cert is an accepted qualification. I think I'm now seeing why we occasionally get guys who seem to know less than me. If CREST don't step up we'll likely remove CREST as an accepted qualification and we'll just need to pay up for CHECK testing.
Sucks for the good guys for CREST but what's a customer to do if we've lost faith in the qualification?
Why would you accept CHECK? (Respectfully it sounds like you don’t know the difference from that comment).
CHECK is just Tiger/CyberScheme or CREST + SC clearance.
So by accepting CHECK you’ll implicitly be accepting CREST people.
Also if you’re a commercial entity and not related to government you won’t be able to get a CHECK test, you might get a “CHECK-like” test but NCSC frown upon them greatly.
What should a customer do? What I always recommend customers do: ask for bios and, if they don't help make a decision, get on the phone and have a chat.