Cybersecurity accreditation provider CREST has branded NCC Group “vicariously responsible” participants in a cheating scandal first reported last summer.
In August 2020, CREST was made aware of potentially sensitive files posted to Dropbox and GitHub. The two caches contained content relating to the CREST Certified Infrastructure Tester (CCT Inf) and Certified Web Application Tester (CCT App) courses.
Hundreds of files were uploaded, but some were duplicates. Only 25 of these files were considered problematic, but the leaked material included exam and revision notes, as well as NCC Group training materials.
The identity of those who posted the material has never been established.
In the months following, CREST refreshed the infosec courses in question and appointed an independent board to investigate, together with the assistance of the UK’s National Cyber Security Centre (NCSC).
The probe has taken 12 months to complete.
CREST has issued a final statement on the situation, accompanied by a report (PDF), concluding that the scandal centered around two occasions, taking place between 2012 and 2014, in which “the examination-related activities of some NCC Group employees and candidates breached the CREST code of conduct and non-disclosure agreements [NDAs]”.
“As their employer, NNC Group was, at the time, vicariously responsible for those individuals,” the report says.
Lengthy investigation
The NDAs, likely broken in CREST’s eyes, involved an NCC Group employee talking about CREST exams and candidates creating notes based on the tests.
However, CREST acknowledged that there does not appear to be any “anomalies” suggesting NCC Group students capitalized on the leaked data to their advantage.
“We acknowledge that the whole investigation and review process has taken significantly longer than people would have liked,” CREST said. “It has been complex, and we have done everything we can to ensure that it has been based on high-quality evidence, thorough and fair throughout.”
NCC Group has agreed to put no more candidates forward for CREST examinations until the review is concluded and improvements are made, and CREST’s panel has outlined required changes to lift the suspension of NCC Group assessors in the UK.
These include process changes to reduce the risk of material being leaked online again; providing evidence that candidates are made aware of CREST’s code of conduct, and a financial “contribution” needs to be made, considering the costs of CREST’s investigation.
In addition, NCC Group will need to secure an assessor to review its CREST-related training material.
In a statement on August 26, NCC Group said the organization “fully accepts” the results of the investigation, highlighting that there was “no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity [and] there was no evidence that any NCC Group candidate gained an unfair advantage when sitting a CREST exam”.
NCC Group added that improvements have been made to internal processes following an in-house investigation.
“We further support and welcome CREST’s own improvements, which we believe will benefit all members and strengthen the value the examination process has in protecting society from the ever-increasing threat landscape,” NCC Group says.
The Daily Swig has reached out to CREST for further comment and we will update when we hear back.
NCC Group declined to comment further.
