Internal training documents belonging to British cyber security giant NCC Group along with information about Crest pentest certification exams were recently posted on Github, but Crest has stressed that the integrity of Crest's CRT certification remains uncompromised.
According to The Register who discovered the leak, the leaked documents offered Github users the opportunity to prepare for Crest's CRT (Crest Registered Tester) certification examination that required candidates “to find known vulnerabilities across common network, application and database technologies”.
The Register revealed that the leaked documents "offered step-by-step guides and walkthroughs of information about the Crest exams" with those who posted the documents claiming that the documents contained a clone of the Crest CRT exam app that helped users to pass the CRT exam in the first attempt. Copies of Crest's multiple-choice test questions, that are part of the CRT certification exam, with highlighted answers were also posted to Github.
Crest, which provides internationally recognised accreditations for organisations and professional level certifications for individuals providing penetration testing, cyber incident response, threat intelligence and Security Operations Centre (SOC) services, said that the leaked online scam questions and tutorials did not impact the test's integrity.
"CREST is aware of the content that has been posted by an individual on Github. We have conducted our initial investigation and this does not affect the integrity of current CREST examinations. The content appears to mainly be internal training material produced by member company.
"There is also a small amount of old exam material that has been posted by the individual however this is out-of-date and is no longer used in CREST examinations. We can confirm that neither the “crestnda” or the “crestapproved” replies on Github were posted by CREST and that these accounts are not affiliated with us in any way. We are continuing to investigate this incident," Crest said.
“We take our membership of CREST, the integrity of the CREST Code of Conduct, and our related obligations very seriously and comply with our obligations as a CREST member. We are currently reviewing the materials that have been posted, and are working closely with CREST,” a spokesperson from NCC told The Register.
The spokeswoman added that the files were “a combination of old NCC Group internal training materials and content that has either been incorrectly attributed to NCC Group or which is unconnected to NCC Group.”
The news about Crest's CRT exam questions getting leaked coincides with Crest's examination schedule in the UK. The firm announced in July that it will be conducting CRT, CCT Inf, and CCT App exams at the examination centre in Slough between 11th and 13th August and CRT & CCT examinations in hotels in Cheltenham, Manchester and Milton Keynes between 15th and 24th August.