back to article We'd love to report on the outcome of the CREST exam cheatsheet probe, but UK infosec body won't publish it

British infosec accreditation body CREST has declared that it will not be publishing its full report into last year's exam-cheating scandal after all, triggering anger from the cybersecurity community. "The Report of the Independent Investigator contains information that was obtained in confidence and, therefore, in line with …

  1. Chris G Silver badge

    "It's not something I can speak out about"

    That sentence pretty much sums up what I was thinking as I read the article.

    The statements from Crest seemed to be a lot of words that didn't really say much.

    I suspect an easy route to certification to enable access to bidding may be quite beneficial to some....

    1. Zippy´s Sausage Factory
      Joke

      Re: "It's not something I can speak out about"

      "How can we bury this, Sir Humphrey?"

      "Data Protection legislation, Minister"

      "Excellent idea."

      1. Anonymous Coward
        Anonymous Coward

        Re: "It's not something I can speak out about"

        1) I do internal investigations for a living and have done for a long time. We never promise confidentiality to witnesses or anyone else, precisely because we might want to distribute the report outside my organisation - to affected people, to cops, to the courts when we file claims, whatever. We will consider anonymity for some people.

        2) this is not to do with data protection legislation, and is not (only?) to do with protecting the identity of witnesses. Much of the criticism in the article and the comments here is misaimed.

        If information has been given under an assurance of confidentiality, then CREST cannot release it without being in breach of a legal obligation, regardless of the impact. This goes back to why they shouldn't have promised confidentiality in the first place...

        1. nichomach

          Re: "It's not something I can speak out about"

          A cynic might surmise, therefore, that promising that confidentiality at the start gives a tailor-made excuse for never having to publish the findings.

          1. Anonymous Coward
            Anonymous Coward

            Re: "It's not something I can speak out about"

            I think it's just poor execution rather than a cunning conspiracy - I see plenty of it. Private investigations are still not a regulated activity in this country.

  2. Shadow Systems

    Reduced confidence?

    If it gets any lower it'll require negative imaginary irrational numbers to express. Time to find a more professional certification provider.

  3. Pascal Monett Silver badge
    FAIL

    We can confirm

    "We can confirm that there are currently no senior staffers from NCC Group that hold key positions at CREST. "

    And I can confirm that there is no need for someone from one company to hold "key positions" in another company for there to be, shall I say, parallel communication channels.

    It is entirely illogical to withhold the report on an investigation to "protect whistleblowers". You just need to redact the parts that give identifying information about them.

    What this is demonstrating is that CREST is intent on not revealing any information on its internal functioning, which already says damning things about what goes on.

    1. GrumpenKraut Silver badge

      Re: We can confirm

      > You just need to redact the parts that give identifying information about them.

      Drop that "just": making sure that individuals cannot be pinpointed can be *significantly* more work that just erasing some names. In extreme cases so much material needs to be removed that next to nothing useful is left.

  4. Anonymous Coward
    Anonymous Coward

    Security by Obscurity?

    Covering their arses.

  5. heyrick Silver badge

    Yet another whitewash

    Colour me surprised.

  6. Mike 137 Silver badge

    " "step-by-step instructions" on passing theory and practical exams"

    Any exam that can be passed by following "step by step instructions" can't be worth a fetid dingo's kidneys.

    However having researched the training and syllabi for literally dozens of security and data protection exams over a period of several years, I can confidently state that pretty much all of them can be passed that way. Not a single one I've investigated actually tests the skills needed in real world practice. They merely validate the ability to remember some factoid or repeat some standard procedure when prompted, whereas what's actually needed is the ability to work out reliably and fast what the hell is going on in the face of the unexpected and come up equally swiftly with an appropriate course of action.

    1. keithpeter Silver badge
      Windows

      Re: " "step-by-step instructions" on passing theory and practical exams"

      "[...]what's actually needed is the ability to work out reliably and fast what the hell is going on in the face of the unexpected and come up equally swiftly with an appropriate course of action"

      What assessment process would test those skills?

      I'm guessing something like they use in medical schools ('circus' where candidates move around stations and read real diagnostic reports from things like scans and x-rays with made up medical histories. Candidates have to recommend treatments/procedures based on the evidence).

      Would this kind of thing be too expensive?

      1. Mike 137 Silver badge

        Re: " "step-by-step instructions" on passing theory and practical exams"

        "What assessment process would test those skills?"

        Ideally, being thrown into practical scenarios where both the situation and the preferred outcome are not prior knowns (just like in the real world). The CCIE seems to be about the only qualification that passes muster against this criterion at present.

        When I consult on incident response, I always recommend that exercises rather than discussion are the basis for performance testing, that the exercises are triggered unexpectedly, and that some arbitrary confusion is intentionally injected into the scenario. However everyone prefers to sit round a table in perfect peace and discuss what they might do if a rather elementary and simplistic kind of shit were hypothetically to hit the fan. It's both cheaper and avoids anyone getting egg on their face. But unfortunately it leaves organisations utterly unprepared for real incidents without alerting them to their lack of preparedness, so it's damned dangerous.

    2. amanfromMars 1 Silver badge

      Re: " "step-by-step instructions" on passing theory and practical exams" relating to complex systems

      Not a single one I've investigated actually tests the skills needed in real world practice. They merely validate the ability to remember some factoid or repeat some standard procedure when prompted, whereas what's actually needed is the ability to work out reliably and fast what the hell is going on in the face of the unexpected and come up equally swiftly with an appropriate course of action. ...... Mike 137

      And that is what most probably has resulted in the current dire straits predicament and present horrendous reputation for serial global failures in foreign international interventions and mercenary expeditions of Uncle Sam and his Five Eyes cohorts/the conspiring camp followers and aspiring poison pen writers of the West, despite the land of the free and the brave and media pimping and pumping and dumping the likes of a secret Pentagon army of 60,000 undercover operatives into the open as any sort of measure of success whenever it would so clearly be signalling fundamental failure on a heart breaking scale.

      The difficulty such operations have, and it be much the same in any similar case everywhere else too, is that even whenever it is clearly pointed out to them what the problem is, they appear to be disenabled to address, with a meaningful effective radical change of policy and direction, that which would be the least that they would need to heed and provide, or be provided with, in order to head off rapidly approaching catastrophes.

      One does what one can in such instances, but if the dead duck horse doesn't want to drink from the trough of ancient wisdom and novel intelligence, best leave it alone in its misery to sink into the stink of its own fetid demise. Beyond help is certainly indicative of certifiable madness, and verging as it does on the crazy edge which provides ledges and hedges for evil insanity, it is gravely to be regarded and avoided like the plague.

  7. TimMaher Silver badge
    Pirate

    Ransomeware Required

    Perhaps someone would like to hack into CREST, nick the report, encrypt everything else and then publish the report somewhere with a lot of exposure.

    Then ask for some money.

    1. Chris G Silver badge

      Re: Ransomeware Required

      But, but, that's not very ethical.

      1. Anonymous Coward
        Anonymous Coward

        Re: Ransomeware Required

        Because test rigs that have the same names and IP addresses as those used on the real test so that a company has certified staff and can bid for Government work, that's tax payers money, is far more ethical...

  8. Anonymous Coward
    Anonymous Coward

    100% corruption to the core.

    I'd imagine most pentest companies will be making the move to Tiger now.

    CREST should be stripped of their abilities to offer any government approved contracts. This has been the worst kept secret in the industry. NCC staff were then caught out. The only people that were then penalised were NON NCC organisations as certification was put on hold meaning that ONLY NCC had the certified staff.

    if you are a CREST company or a consumer of services write to your stakeholders, including the bank of England and ask them to work with an alternative.

  9. amanfromMars 1 Silver badge

    What is obvious is ....... in a whitewash.

    The withholding of any report surely always is proof positive that an unpluggable exploitable 0day vulnerability persists to exist? Such then is more of a feature than a problem although whenever both, something of an abiding dilemma to plague systems administrations and render that particular program unfit for further future sanitised progress/SMARTR Utilisation.

    It seems to me that the present rapid pace of Sublime and Surreal Secrets Systems Research and Virtually Remote AIdDevelopment is causing a monumental information server block and advanced intelligence log jam for Aspirant Operands trailing and trialing with Special Forces Sources. Such creates a fertile vacant field in which to seed and nurture SMARTR Stock Produce without the hindrance of second and third party interference which realises increasingly rapid paces of revolutionary evolutionary change.

    And that, be in no doubt, is an almighty good thing, although of course the world is full of doubting Thomases and covetous Judases who would likely choose to vainly disagree.

  10. Anonymous Coward
    Anonymous Coward

    Cyber Security Money Machine.......

    .......no one cares.....except the "experts" who help out. They can tell you that the stable door has been open for umpty-ump years. They can tell you that the horse has long gone. They can bill you at some inflated hourly rate.....to tell you absolutely nothing useful....that you didn't know already. Nice work if you can get it!

    *

    Cynical, moi? Experian, Deloitte, NHS ransomware, Irish medical ransomware, gasoline pipeline hacks, SolarWinds.....the beat goes on......

    *

    Now, if the "experts" were actually able to stop this hacking..........then they would be out of business! So......it's all after the fact stuff....because fixing the problems isn't in the interests of the "experts".............

    1. Anonymous Coward
      Anonymous Coward

      Re: Cyber Security Money Machine.......

      Somewhat disagree. Fixing and preventing problems means re-designing if not replacing large quantities of infrastructure that aren't up to current standards; and also inventing proper working practises & staffing up to adequate levels.

      Cost cutting exercises mean the magic money tree doesn't print money for this particular threat, despite the consequences of a pipeline hack or similar being in absolutely plain sight.

      I have said it before and I will say it again, the investment will only be forthcoming once something financially painful is hit. If the NHS is anything to go by, who were indeed hit, money thrown at consultants creaming off the top while not actually fixing problems because of the incompetence of the bureaucracy wrapped around the organisations that make up the NHS (particularly procurement) is just being burned up for the sake of no real change on the ground.

  11. Flywheel Silver badge
    FAIL

    Redaction is the answer

    C'mon, it's the 21st century - couldn't they redact the names of the naughty?

  12. Kane Silver badge
    WTF?

    Welp, that's alright then...

    Last year an NCC Group spokeswoman told The Register that the files were "a combination of old NCC Group internal training materials and content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group."

    This doesn't scan properly.

    It either is NCC Group materials or it isn't. It can't be a "combination of old NCC Group internal training materials and content" and be "incorrectly attributed to NCC Group or which is unconnected to NCC Group".

    If it's incorrectly attributed to NCC Group (someone else's documents), or unconnected to NCC Group (another someone else's documents) how can it be old NCC Group training materials and content?

    Something stinks here.

    1. John Riddoch

      Re: Welp, that's alright then...

      I think you're reading it wrong, I think - It's a combination of:

      1. Old NCC Group internal training materials and content and

      2. content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group

      What's probably more important is how much of (1) there is and how "old" it is (e.g. "we stopped using it when we got caught, so it's now counted as non-current"). The second part is likely a diversion - if they could find one page which wasn't theirs, they could accurately say the above statement, even if the vast majority of the documentation was theirs.

      1. Kane Silver badge
        Thumb Up

        Re: Welp, that's alright then...

        Fair point, combination AND/OR failure on my part.

        Still stinks though.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021