A new report released by Cybersixgill highlights how some individuals are finding illegal shortcuts to certifications on the dark web. These shortcuts include everything from fake diplomas to cheating services with a “guarantee” of bypassing the proctor and receiving the certification.
Making matters worse, with a global cyber workforce gap already at 3.4 million, employers are desperately searching for qualified candidates to help secure their organizations, and threat actors know this. Cybercriminals are doing what they do best – tracking the industry’s trends and exploiting its weak spots. If these highly regarded cyber certifications are going to maintain legitimacy, it’s time for certification organizations to bolster their own cyber posture and handle any suspicious activity extremely carefully.
Casey Marks, Chief Qualifications Officer at (ISC)² shared his thoughts on the risks associated with these phony certifications and what certifying bodies should be doing to ensure the credibility of their exams in the wake of these scams. "Fraudulent certifications and certificates erode confidence and diminish the credibility and reputation of the certified professional and profession at large. In addition to certification bodies and educational providers' loss of intellectual property, misrepresentation of certification status leads to severe financial costs and damage to both employers and technology providers. Certifications are not measures of competency assurance without adherence to strict compliance to requirements, as established by accreditation, that fairly, reliably and validly measure necessary knowledge, skills and ability to create a standard for competence.
To ensure a high level of integrity, certification providers must enforce stringent security posture – especially when evaluating candidates' testing environments, whether it be center-based or online. At (ISC)², we have conducted two extensive piloting tests for online-proctored exams. What have we found? Currently, the online environment is not conducive to security standards as it can allow for cheating services and unethical behaviors. Unfortunately, individuals are taking advantage of the environment – but it is another validating point that certification providers need to level up regarding the security posture of their exams and testing centers.
Employers need to exercise due diligence when it comes to hiring candidates. For example, employers should always validate the current certification status and verify the candidate's skills and knowledge ahead of employment. Employers should go directly to a certification body's website to verify the current certification status. Alternately, some certification bodies issue "badges" which contain evergreen information regarding certification information for the individual. The cautionary note is that employers should never rely on a candidate provided "certification/certificate" as a valid statement of current status.
At (ISC)², we are constantly monitoring and testing the environment, as well as providing an ethical evaluation of suspicious and fraudulent activity; when we do see something, action is taken. Suppose a candidate joins an organization with a bogus certification. In that case, it can be a critical concern as it can allow the imposter access to sensitive information, endangers contracts and provides risks to security clearances. Additionally, it tarnishes the reputation of those in the field who have taken ample time to obtain their accredited certifications."