This morning I had the opportunity to listen to a webcast on the new CHFI Version 4 that will very soon be released.

The presenter was no other than Haja Mohideen.  Haja Mohideen is the technical director for EC-Council. He manages the certifications and training programs at EC-Council. He has multiple years of experience in IT. He has contributed to the development of EC-Council programs such as CEH, CHFI, LPT, ECSA, etc.

Haja started the webinar by describing what the CHFI Version 4 will be,  he used words such as bigger, better, Enormous, a Monster.   As you will see below he was not playing with words, it is a very accurate description of what the CHFI Version really is.

The CHFI Version 4 is not a complete rewrite of the course, it is based on the old version 3.  More data, content, products, and tools have been added to the 5 days of training.   A total of 27 new modules have been added to the content of the CHFI V4.  For a great total of approximatively 65 modules overall.

If this pattern is maintained we can expect to have 150 modules for version 7 of the courseware as Haja mentioned semi seriously in the Webinar.

WHAT IS NEW ?

One great addition will be thorough coverage of Encase.  The EC-Council has signed an agreement with Guidance Software to get an academic version of the software to be use in class.  Guidance has provided a full slide show to be use to teach it as well. 

The academic version cannot be used on real case but it allow you to make use of the images contained within the software itself to go through the normal step that would be followed to investigate a computer crime.

Below you have a high level overview and comparison of the old version versus the new version:

MODULES ADDED TO THE COURSE

Below you have a screenshot of some of the modules that were added to the course.  This is not the official list as there could be minor changes between now and the final release of the V4 courseware.  But it will give you a good idea of what to expect:

WHAT ABOUT THE CHFI V4 EXAM

Of course more content means that the exam must be expanded to cover it properly.  The exam will consist of:

150 Questions
4 hours in length
70% is required to pass
Availability as of the 1st of February 2010

Just like the curriculum the exam will not be completely new.  Some of the old V3 exam content will remain with the addition of a lot of new questions to cover the new material of the V4 version.  More study will be required to master this exam.

HOW COMPLEX DOES THE LAB SETUP HAS TO BE

The lab setup has not change much compare to the old CHFI V3, the following is recommended:

1.  Follow same steps as V3
2. Windows Server 2003 with 2 partitions,  C & D partitions.
3. CHFI Tools preloaded on each of the machines

Haja discussed why they decided not to move to the new Windows Server 2008 as the base platform.  Mostly the main reasons were that 2008 is very well locked down, it is hard to run all of the tools on that platform.   2003 is simple to install and run.

MY PERSONAL OPINION AND FEELING ABOUT THIS VERSION

BIGGER IS NOT ALWAYS BETTER (At least in the world of Penetration Testing and Security Assessment training)

It is very scary to think that this package has close to 5000 slides and more than 4000 pages.   At one point one has to wonder how can this be delivered over a period of 5 days.   The answer is very simple:  IT CANNOT BE

Then what else can be done.   The instructor guide usually always propose 3 delivery methods.  The usual one where you ONLY cover only the core modules and the class run from 9 AM to 5 PM.   The second method is to extend the training hours where you start at 0800 AM and you finish at 6 PM.  A few more modules can be covered this way.  The third method is simply PURE bootcamp method where you get in class earlier than 8 AM and you stay in class until 10 PM or more.  That will allow you to cover yet more modules but not all of them for sure.

From personal experience,  you cannot teach for 16 hours a day to students.  After 8 to 9 hours or even less in many cases their brain is no longer in receive mode.  You need to have some hands on labs or red team exercises to close the day.  You let them use their brain and further explore what they have learned under the supervision of a master.  This is the only way you will keep them awake and engage that long.

That brings another challenge,  it means that the class has to be adapted by the instructor according to his own desire or what the client stressed that he wanted as far as content.  It works well when it is an onsite class,  the client who pays the bill for all the students can tell you what focus he would like for his class.  However, this is not a viable solution for a public class with a mix and match of experience level.  It is hard to succeed and still carry along everyone under such a scenario.

A normal class day (8 hours of teaching) usually covers a maximum of 220 slides without any labs.  If you introduce labs you have to reduce this down to about 180 slides per day or maybe a bit less.  Those numbers have always work very well for us.  There is no way you can go through a lot of modules per day when there is an average of 75 slides per modules.  This means that on a good day you would cover about 3 modules if you do it correctly.  If you multiply this by 5 you get 15 modules done at the end of the week.   What about the other 50 you haven't done....

If you can do more than 3 full modules a day it means that you have very little content on your slide or you have slide with one or two bullet points that could have been condensed onto less slides as they add little value to the package.  Some of those slides are the dozen of tools listen within some of the modules.  The instructor must skip through those at warp speed.  They are only there for reference and to make you aware that they exist.  Such a list of tools should be listed in the student manual but not one by one on the slides.   

Let's say for the sake of argument that you are a top trainer and you can zip through slide at a rythm of 1 slide every two minutes (which is about the normal ratio for a fast instructor who does not add much value to the slides),  if you teach for ten hours without any pause or break, you would cover only 300 slides in a day.  You would still be short on time and would only complete 4 modules in your full day.  This means a total of 20 modules for a 5 day class without any pause, break, lunch break, or labs at all.   It does not add up.

THE INSTRUCTOR DECIDE HOW THE CLASS WILL BE

As you might have guessed there are many instructors who can deliver such a class.  They are the one in charge and they decide what is more important to cover within all of those modules.  The student has to and must do self learning of the modules not covered in class.  Certainly NOT what most students would expect.  They expect to learn from a master.

This means that you must pick your instructor very carefully as it could make a world of difference from one class to the next.

WHAT CAN BE DONE

Some very serious taught has to be given to the CHFI and the CEH class for that matter.  They both suffer from bloatware.  Adding, adding, and adding more content does not generate a cohesive CBK or map to clear objective.

150 Questions means 2.3 questions per modules.  If a module does not have enough material to generate more then 2.3 questions, it should not be called a module.  Seriously,  any modules that has content should have 5 or more questions.  If an exam with 300 questions is needed then be it.  Else your exam does not validate the full spectrum of what the class contains.

This MONSTER as Haja defined it should be cut in three portions where there could be a foundation class, an intermediate, and advanced.  Then it would make sense as far as content, progress, and delivery.  I think giving someone all of the tools that exists at Home Depot does not make that person a carpenter.   Only years of experience and leaning from other carpenters will allow you to become such an expert.  You have to learn to walk before you run.  It is better to learn one tool at the time than TONS of tools in 5 days.

Anyway, this is a quick overview of the CHFI V4 and some of the challenges and issues that I can foresee in the future.

Do take care

Clement