Exam-Cheating Scandal: CREST Finds NCC Group Broke RulesPen-Testing Accreditation Body Says NCC Group Will Revamp Policies and Monitoring
Accreditation organization CREST has concluded an investigation into whether NCC Group employees cheated on its penetration-testing exams, finding that the cybersecurity business's training materials violated its rules. It says NCC Group has agreed to overhaul and monitor its processes and demonstrate its future compliance.
NCC Group is a Manchester, England-based cybersecurity business that has more than 15,000 clients and trades on the London Stock Exchange.
The Council for Registered Ethical Security Testers, aka CREST, launched its investigation in August 2020, after a still-unknown individual or group of individuals leaked internal NCC Group training documents that appeared to contain legitimate material from past tests. Such material could have helped future test takers to more easily pass their exams.
Operating internationally, CREST offers accreditations for organizations as well as professional-level certifications for individuals on a number of fronts, including penetration testing, cyber incident response, threat intelligence and security operations center services. The organization's pen-testing qualification is the CRT, which stands for "CREST Registered Tester."
One year after launching its probe, CREST has concluded that NCC Group employees, and thus by extension the business itself, broke CREST's rules in multiple ways. Rather than eject NCC Group from CREST, however, a panel set up by CREST to review the results of the independent investigation it commissioned have opted instead to require changes from NCC Group and also require that company cover some of the costs of the probe.
"The panel assessed the findings in the investigation report as being of a serious nature," CREST says in its public statement on the investigation, issued Thursday. "However, the panel concluded that the findings, based on the evidence in the investigation report, did not breach the threshold for NCC Group's expulsion from CREST. The panel also observed that some of the CREST policies and procedures had the potential to create ambiguity, leading to confusion and inconsistent application of our rules relating to examinations."
As the Register reported last August, leaked NCC Group training materials were posted to GitHub, in a folder named "cheatsheats."
All told, two batches of training materials were posted, on or around Aug. 11 and Aug. 15 of last year, seemingly to highlight what was happening inside NCC Group.
Independent Probe Launched
In response, CREST on Aug. 20, 2020, appointed Adrian Lennox-Lamb, a former detective chief inspector and senior investigating officer with the police who has extensive workplace investigation experience, who "had no previous connections with the cybersecurity community," to act as an independent investigator. It also appointed legal counsel to handle any necessary discussions between CREST and either the investigator or NCC Group, "to further ensure the independent and integrity of the investigation."
Lennox-Lamb appealed for individuals with information to come forward, and interviewed multiple people during his investigation, CREST says, noting that some of those interviews remain confidential and will not be publicly disclosed. He submitted his report to CREST on Dec. 22, 2020, after which it established a review panel comprised of three elected members of CREST's U.K. executive board, as well as then president Ian Glover, who assessed the report's findings and recommended next steps. CREST says the panel liaised with NCC Group from May through August.
According to the public report released by CREST, the review panel concluded that "one or more NCC Group employees and candidates breached the NCC Code of Conduct and NCC Group was, as their employer, vicariously responsible for those individuals at that time." The review panel found that the same held true for violations by individuals of the CREST non-disclosure agreement thy had signed.
But Lennox-Lamb reportedly found no evidence of widespread cheating at NCC Group, after comparing its candidates' results from 2010 to 2014, with 2015 to 2020. In both cases, he found that NCC Group remained the third best-performing business in both time periods, with its results declining from 2015 to 2020.
At the investigator's request, an independent CREST assessor reviewed NCC Group's training materials, and found that they included content that breached CREST's code of conduct and NDAs, some of which were still being used. "While the investigator was unable to say whether all the material of concern was widely available to NCC candidates, he concluded that the two mock exam papers were likely to be widely available. There was evidence, from some of those interviewed, that candidates did discuss exam content between themselves."
NCC Group Responds
The review panel notes that NCC Group "cooperated with the independent investigation and the review process," and had voluntarily withdraw its representatives from CREST activities, as well as not put forward any candidates for CREST exams, pending the conclusion of the investigation.
"We fully accept the requirements in the CREST statement, of which improvements to processes have already been made following our own internal investigation into the historical breaches," NCC Group says in a statement.
NCC Group emphasized that the investigation found that a "small number of people" it had employed had broken the rules. But it noted that the report found that "there is no evidence that NCC Group knew about, condoned, or otherwise sanctioned such activity," or that "any NCC Group candidate gained an unfair advantage when sitting a CREST exam."
5 Requirements for NCC Group
Based on the results of the investigation, CREST says NCC Group must comply with these five requirements:
- "Revise its processes" to help prevent and spot any future cheating, and prove that these measures are in effect whenever it reviews its CREST membership annually;
- Ensure processes are in place to remind NCC Group test takers of their obligations;
- Fund CREST to bring in an independent assessor to ensure that NCC Group's internal training materials do not violate CREST's rules, or contain any CREST of "implied content" in those training materials;
- Pay for half of the "reasonable costs" incurred by CREST's NCC Probe, which the accreditation organization says will fund "socially responsible activities";
- "NCC Group will issue a statement accepting the investigation, its findings and the requirements."
CREST says that until requirements 1, 2, 4 and 5 get fulfilled, NCC Group's assessors in the U.K. will remain suspended from CREST activities.
CREST says that "NCC Group has accepted all the above requirements and continues to work with CREST to implement them without delay."
CREST Previews Internal Changes
CREST says it's also making numerous internal changes, including "creating additional complaints and resolution processes" to better facilitate any complaints, making clearer "what constitutes acceptable training and preparation material," as well as revising its NDAs to make clearer that the sharing or discussing of exam questions remains prohibited.
Further improvements are being considered as well, it says, such as releasing mock or practice examinations "as a way of leveling the playing field for all members and to help support acceptable training and exam preparation."