NCC Group’s internal training data – and CREST cheatsheets
NCC Group has admitted leak of its internal training data on GitHub
British information assurance firm NCC Group has admitted that its internal training documents - as well as information apparently written to help people pass their CREST pentest exams - were leaked on GitHub.
According to The Register, the leak was uncovered last week after documents appeared in several repositories, in a folder marked 'cheatsheets'. Documents containing CREST's multiple-choice questions, with answers, were also posted to GitHub by an account created in July.
The CREST CRT exam is designed to assess a candidate's ability to carry out basic vulnerability assessment and uncover known security bugs across common application, network and database technologies.
According to The Register, the leaked documents offered step-by-step guidance about the Crest exams. It notes, 'One file, called notes.txt, included the line, "clone of the app exam so u can pass 1st time," adding "speak to your line manager or AD first to book before your exam."'
The leak has triggered a debate in British infosec community about the nature of the relationship between CREST and NCC.
A CREST spokesperson told The Register that it has completed an initial investigation and that the incident does not affect the integrity of current CREST examinations.
"CREST is aware of the content that has been posted by an individual on GitHub," the spokesperson said.
"The content appears to mainly be internal training material produced by a member company. There is also a small amount of old exam material that has been posted by the individual, however this is out-of-date and is no longer used in CREST examinations."
A spokesperson from the NCC Group told The Register that the firm takes CREST membership very seriously and takes all steps to comply with obligations as a CREST member.
The spokeswoman also said that the documents posted on GitHub were "a combination of old NCC Group internal training materials and content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group."
Gloss