NOTE FROM CLEMENT:
Below you will find a nice article posted by sil @ e-fensive dot net. As the author mentions, his goal is not to trash and attack the CEH certification but to express his fair opinion about the certification based on the factual information and his own experience of security certification.
Unfortunately I must admit that his opinion is somehow skewed and not as factual as it really is. It seems that Sil used public information at www.eccouncil.org as the basis of his opinion. I think that I have to add my own note to it simply because I am very familiar with the CEH program, I have delivered many CEH classes in the past, and I am also in touch with some of the most talented instructors delivering the CEH on a regular basis, and they do have very successful classes.
The public side of the EC-Council website is built by people who are into marketing; they will throw buzzwords and say things in a way that is very enticing to visitors, but it is not always an accurate representation of how the actual class will be delivered or the way the training company you choose will deliver it. The actual delivery is left to the discretion of the training center or the trainer delivering the class, with guidelines from the EC-Council on how to make it a success.
Yes, the EC-Council does provide instructions that have to be followed by their Authorized Training center and their Certified Instructors as well. The instructor guide to the CEH V6 does a great job framing how the class will be delivered, it tells the instructor how the class should be configured, how to deliver it, and what the class is and what the class is not.
If a training centre uses the canned material within the student books, uses an inexperienced tester/security instructor, or does not use any supplement, it can make for a dry class where someone is reading the slides to you.
However, I have seen companies out there who spent a large amount of time adding their own unique labs and corresponding target range to add more spice to the existing CEH content. This makes for a really exciting class where you get a lot more than with some of the other competitors not going the extra mile.
CHOOSE YOUR INSTRUCTOR CAREFULLY
The instructor you get in class is what makes the biggest differentiator between an average class and a fantastic class. You wish to get someone in class who is an experienced tester/security professional on both the defensive and the offensive side. You want someone who has delivered the class dozens of times already. You want someone who has proven his teaching skills over and over again. That will give you your money's worth.
I have included my comments in between the paragraphs written by Sil below. I will use a bold font below to ensure my comments are clearly visible and you can tell them apart from Sil's message.
Here is Sil posting:
I edited and reworded this from a post I made on a certification forum. This will seem like some form of rambling, attack on EC-Council's cert, but it's just an opinion. An opinion based on factual information and experience not only with EC-Council, but experience in the industry for well over 10 years professionally in security and too many to count in IT. As I wrote this, I thought long and hard about backlash involved in writing this, the naysayers who won't understand it, many thoughts ran through my mind, but I figured I'd take a hard look at the C|EH v6 since many have asked me about it. Without further ado, let's begin.
Take a common sense, logical view to the C|EH V6 exam. There are now 67 modules associated with the C|EH exam and according to EC-Council, you can take their 5 day course from the hours of 9am - 5pm and pass the exam. The mathematical break down to learn the C|EH if you follow EC-Council: 40 hours to cram 67 modules: 35 minutes per module. Is this realistic? Of course not, yet according to EC-Council's own wording: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Really? Considering there are no pre-requisites, e.g., 1-2 years systems administration, 1-2 years networking experience, an exam taker will have to cram understanding the OSI layer, TCP/IP and networking as a whole in 35 minutes. A miraculous feat in training if you ask me. (http://www.eccouncil.org/Course-Outline/Ethical%20Hacking%20and%20Countermeasures%20Course.htm)
When I first saw the announcement of the CEH V6 my reaction was exactly the same as yours. I thought it was completely retarded to even attempt to deliver that many modules within such a short time frame. Covering all of the modules added up to well over 300 PowerPoint slides per day, which cannot humanly be done.
However, just like you I was wrong in my ASSUMPTIONS because not ALL of the modules are required for the purpose of the certification exam. Some of the content is for exploration only, to make you think, play, challenge yourself, think outside the box like hacking was meant to be. These modules would never be used at a client site, for example: Hacking and Cheating Computer Games.
The instructor guide clearly guides the instructor on this subject. The instructor guide proposes three ways that the class could be delivered and the training centre decides which of the three ways they wish to use according to time availability.
The CEH description on the public site also clearly states that the class requires "Self Study".
GARBAGE IN = GARBAGE OUT
Your experience and what you get out of this class, or any class for that matter, greatly depends on how much of your time you are willing to invest into it prior to sitting in class and while taking the class.
Simply sitting 6 hours per day in class, running away from class as soon as you can at the end of the day, is not going to cut it. You must prepare ahead of time, you must familiarize yourself with Linux, VMware, and some of the most common tools before even showing up in class. This is how you will get the most, just like any other class you would take.
Here are the three delivery methods proposed:
Method 1
- 5 days of training from 0900 hrs until 1700 hrs
- 21 modules will be covered
- Students have a series of modules as self study
Method 2
- 6 days of training from 0900 hrs until 1800 hrs
- 25 modules will be covered
- Students have a series of modules as self study
Method 3 (BOOT CAMP)
- 6 days of training from 0900 hrs until 2100 hrs
- A larger number of modules will be covered
- Students have some modules to go through as self study
As you can see this is why you have to select your training company carefully. You wish to get a company that will be delivering the class BOOT CAMP STYLE, which is method 3 above. This will give you the best benefit. Some companies even offer all-in-one formulas where all your meals and accommodation will be included in your tuition fee. This means that lunch and supper will be short interruptions and not 1.5 hours or more. By the end of the week you have learned a lot, and you will be exhausted for sure. You must dedicate the week to doing your CEH in order to get the most out of it, just like any other certification class out there.
This premise of offering so called practical experience is highly disturbing considering that again, EC-Council makes no mention of candidates acquiring or having any kind of experience in any field be it networking, security, systems, nothing is mentioned. Continuing: Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking their own networks, no real network is harmed. Students then learn how intruders escalate privileges and what steps can be taken to secure a system.
Now I ask myself, how can a student understand the concepts of role based access controls, permissions, domains, LDAP and other technologies in this amount of time, I mean seriously think about this. How can a student learn to optimally "secure a system" when they're basing their experience on pre-configured lab machines? I've taken the C|EH v5 and I can tell you first hand it's filled with tools. All flash no cash. This testing methodology EC-Council is offering conveys a false sense of "security" expertise. A candidate should understand the systems they're "hacking" or "securing" for one, they should know the networking involved with that system down to understanding at an RFC level TCP/IP and the OSI layer to truly understand the technicalities of it all. Otherwise, what is the point of the exam, to point out how many different modules a certifying body can place into an exam? How many tools can the exam creators discover, capture screen shots and label someone an expert at 35 minutes worth of knowledge on the TOOL - not the fundamentals.
The biggest misconception about this entire course is that it will make someone a security expert. While EC-Council may have the best intentions in the creation of the exam, exposing candidates to the different areas of security, the expectations of a candidate truly knowing and understanding even the minimal concepts to pass an exam after again, 35 minutes of teaching on each subject is insane. Snake oil at best. Moving on: Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.
I agree with you that presenting this class as an expert level class is misleading. You should not take the word "experience" as a synonym for the word "expert". For example, if I wanted to "experience" the intensity of driving at 200 miles per hour on a Nascar track I would not buy a car and rent track time just for that one time event as I don't even know if I am going to like it or not. I would find an experienced driver who can let me ride alongside him and see what it feels like. Attempting to drive the car myself would be completely foolish, I would most likely hit the wall at the first turn and risk hurting myself badly.
The same applies when learning the basics of security testing. You need someone that will guide you and tell you about the basic skills and techniques that are needed to perform security testing. The class is not meant to be an expert level class, it is a foundation class presenting an overview and introduction to the world of hacking tools and techniques. (Note I did not say Methodologies, this is what the ECSA is about, not this class)
If you look at the text extracted below from the EC-Council documentation, I think they state very clearly what it is and what it is NOT:
----- Beginning of extract -----
What CEHv6 is and what it is not?
The CEHv6 program is 100% focused on hacking technologies and the hacker tools. The emphasis of the program is based on the weapons used by the hacker. Think of it like this: if you want to beat the terrorist in a war, you will need to understand and master the various weapons used by these terrorists. Without the knowledge of their machine guns, tanks and communication techniques you will not be able to effectively produce a counter strategy.
The CEHv6 is NOT a network defense program and security policy implementation program. This course does not cover system administration, firewall rules implementation and configuring security policies. If you are looking for a network defense program then you should look into EC-Council’s ENSA program. CEHv6 = Hacking Technologies
----- End of extract -----
I disagree. There is no way I can think of someone leaving this course becoming "experienced" enough to call themselves a C|EH at its concept. What this course will produce is someone with a wide array of useless knowledge, akin to someone saying "I know TCP/IP like the back of my hands, it consists of packets!" Using pre-defined, often outdated tools does not make someone an experienced security professional let alone a hacker, monkeys can be trained to use tools. Because of the nature of the C|EH's structure, one million tools, 3/4's of them obsolete, I can see more security professionals snickering at the exam and the holders of the C|EH (all versions). A devaluation of the security professional.
Right now I'm currently in parallel studies at my own leisure for the NSA IAM, CISM and OPST with my seat for the CISM confirmed in December. From all I've read and learned, I value my OSCP more than the C|EH and look forward to the OPST exam. The OPST is more structured and realistic using real world experience coming from the most respected and trusted names in the industry. The creators of the OPST exam hold a lot more clout and credibility in my eyes than those of EC-Council. These are my two cents. Now, I've been in the security industry for quite some time; in fact, I've met some of my peers who would have been in diapers when I got involved in computing professionally. It doesn't take a rocket scientist to cobble together every security tool under the sun, give a base introduction to said tool, ask two questions on that tool, and label someone an expert.
I am not sure where you got this misconception. YES, there are many tools out there, there are new ones that are great and there are new ones that are completely crappy. However, there are also older tools that have been used over the years that you can't replace, for example Netcat/Cryptcat. I always stress in class that the best tool ever is your brain followed closely by a good browser. Tools alone will not get you there. I have written a lot of courseware myself and I always stress that understanding the CONCEPT is always more important than having the latest version of a tool that came out this morning.
Myself I do not care much for tools or having a large collection of them. What I care about is that the student understands where the tool can be used best, how to use it, what the tool does on your behalf, and how it does it as well.
Even if you would give me 100 power tools that does not mean that I could build a nice piece of furniture. However, if you show me the CONCEPT, the TECHNIQUES one by one, then you demonstrate each power tool one by one, you tell me the tips and tricks of using them with the proper technique while not damaging myself (I wish to keep all my fingers), then I might come out with something that looks like a piece of furniture instead of a pile of wood.
I am glad you mentioned the OPST, Pete Herzog at ISECOM has been running a very tight program and I also like his cert very much. It is definitely worth taking a look at as an alternative. We need more accessibility to the OPST program here in the states. Recently I have seen that there is some push to bring this deeper into the US market which is good. Competition is always sane in this field and keeps all players in line.
Below you have an extract from the EC-Council web site, I love the clear "WARNING" on the last line very much:
----- Beginning of extract -----
Proof of concept tools
The goal of the class is to demonstrate various hacking techniques using the tools as an example to prove a point. For example, Netbus Trojan is showcased to show how a machine can be controlled by planting a server Trojan and control it by using client software. Practically speaking, the Netbus Trojan will be caught by anti-virus software and quarantined if files are infected. So do not dismiss this Trojan as being OUTDATED and does not work in real life. What you are showcasing is an example of a Trojan at work. This concept is VERY IMPORTANT. A skilled hacker can easily write his own Trojan in C++ with similar features as that of Netbus and call it Netbus 2008 version.
Many tools presented in the syllabus are proof of concept tools to demonstrate a hacking concept. If you blame the tools as being outdated and dismiss them in the class then you will do so for EVERY TOOL IN THE WORLD will be OUTDATED as time moves on.
Please explain this concept before the class starts and you will be safe. The focus of the class is Hacking Technologies using tools as an example. Encourage students to visit various hacker websites to update the tools’ version.
WARNING: YOUR CLASS WILL FAIL IF YOU FOCUS HEAVILY ON THE TOOLS AND NOT THE CONCEPT BEHIND IT
----- End of extract -----
If anyone ever criticized the CISSP for being a mile wide and an inch deep, I beg them to look at the concept that EC-Council is putting forward. A realistic expectation for someone to take this exam if it truly held its weight would be for the candidate to have at minimum six years experience with a mixture of industry experience, even then with the modules cobbled together, it's not asking for enough. From systems administration, to network administration and design, incident response roles, programming to truly understand buffer overflows, the pre-requisites could go on and on.
Sadly I see the C|EH imploding within a few years as did the MCSE when everyone began labeling it the "Must Consult Someone Experienced" certification with everyone under the sun with zero knowledge acquiring this certification. At the core, EC-Council's concept seems to offer an unparalleled level of expertise, but knowing the structure of the v5 exam, its content, after having taken the exam, I truly don't believe it's worth the paper it's printed on, nor will the v6 be. Perhaps test takers care solely about the gimmicky "Got Hacked" t-shirts or the telephone book thick like books, whatever the case is, someone would have to be extremely clueless to expect a C|EH v6 to be an expert. Either that, or C|EH v6'ers will be uber security geniuses worthy of PhD's in information security at the end of a bootcamp.
I agree with you that the exam could be made tougher. I could easily see an exam of 6 hours with 250 questions or more.
However, once you remove the marketing verbiage and you look at what the class is, I think it is adequate as is.
After all this is a foundation class and only a foundation class. It will NOT make you an expert within one week, in fact it is a lifelong learning experience if you really wish to stay updated and current within the security testing field.
The one thing I would really like to see is a practical test included as well. This would prove that the candidate has not only understood the theory but he can also apply his knowledge. That would make a whole world of difference in properly assessing the skills.
Before many get bent out of shape, be honest with yourself, look at a module:
Module 17: Web Application Vulnerabilities
- Web Application Setup
- Web application Hacking
- Anatomy of an Attack
- Web Application Threats
- Cross-Site Scripting/XSS Flaws
- An Example of XSS
- SQL Injection
- Command Injection Flaws
- Cookie/Session Poisoning
- Parameter/Form Tampering
- Hidden Field at
- Buffer Overflow
- Directory Traversal/Forceful Browsing
- Cryptographic Interception
- Cookie Snooping
- Authentication Hijacking
- Log Tampering
- Error Message Interception
- Attack Obfuscation
- Platform Exploits
- DMZ Protocol Attacks
- Security Management Exploits
- Web Services Attacks
- Zero-Day Attacks
- Network Access Attacks
- TCP Fragmentation
- Hacking Tools
- Instant Source
- SiteScope Tool
- WSDigger Tool – Web Services Testing Tool
- CookieDigger Tool
- SSLDigger Tool
- SiteDigger Tool
- Burp: Positioning Payloads
- Burp: Configuring Payloads and Content Enumeration
- Burp: Password Guessing
- Burp Proxy
- Hacking Tool: cURL
- Acunetix Web Scanner
- AppScan – Web Application Scanner
- Tool: Falcove Web Vulnerability Scanner
- Tool: NetBrute
- Tool: Emsa Web Monitor
- Tool: KeepNI
- Tool: Parosproxy
- Tool: WebScarab
- Tool: Watchfire AppScan
- Tool: WebWatchBot
- Tool: Mapper
63 concepts, tools, methods and countermethods. 35 minutes to learn and understand it all. Seconds to learn every tool, concept, method to make you an "expert." Don't fret though, before one takes the test, EC-Council will verify where they work. Whether or not they will verify someone's duties and experience in the industry, is an altogether different story. A story I seriously find hard to believe. Good luck in attempting to label yourself an expert at anything in the security field by passing this exam. It's akin to someone in medical school studying neurology, coming across a picture of the heart and labeling himself a cardiologist. Not only a cardiologist, but also a neurologist without even finishing up his studies and passing the necessary exams, having the right experience to qualify.
Once again you are wrong in your time estimates and assumptions. If you look at the classes being delivered by the top training companies out there, they spend more than half a day on this subject alone, which is today one of the most important ones.
The playground for hackers today is at layer 7. This is where many of the compromises will happen and you need to spend more time on this.
Always put your marketing filtering hat on before you start reading public information about any of the certifications out there. They all attempt to make them sound like it is better than sliced bread. However you have to look under the crust to see what you are really getting. The loaf of bread might be hollow. The training companies are the bakers in this case and they are the ones that ensure you get a full loaf of bread.
Myself, I prefer by far the BOOT CAMP delivery method where you always get copious amounts of practical lab time and it is also where you get to sit down, talk with other students in class, and learn by doing. I have seen students stay overnight and sleep in class they were so much into it. This is what training is all about.
It always looks easy on the PowerPoint slides. However, the life of a security tester is sometimes very boring and tedious, it is not always a sure kill and you do not always get to break in with ease, that happens only in movies.
Last but not least, regardless of the certification you pick, always ensure that you have the best instructor that can be. This is what will make the MOST difference in your training and the learning experience that you get.
The CEH, OPST, GPEN, and many others are ALL entry level security testing/penetration testing certifications. The world is upside down today. Ten years back people would work in the field for many years and then seek certification in their field of expertise to prove their level of skills and knowledge. Today, people are taking a foundation class to learn more about the subject of interest and then they attempt to get into a new field of expertise. There are many students who simply wish to learn more about the subject, it is a very different crowd than ten years ago.
Best regards and thanks a whole lot for this great posting highlighting some of the key issues we have with training today.
SGFA, SGFE, C|EH, CHFI, OSCP
sil at e-fensive dot net