CEH Credibility Question

xiny · September 2014

Hello!

I'm working my way through the InfoSec field and i'm looking to get into Penetration Testing to help round off my skill set.
I know CEH is a good place to start but i'm worried that the certification will not hold any weight since their website was hi-jacked not too long ago.

Has anyone had any credibility issues with there EC Council Certs as of late?

JasminLandry · September 2014

I'm also curious about this question. I was going to start studying for this certification in a couple of months but I'm not sure if I should study for something else.

JDMurray · September 2014

Credibility with whom? The major job boards still have a lot of postings mentioning the CEH certification, and the US DoD isn't planning on dropping the CEH from its list of Information Assurance worker certifications (that I know of). Is there another area of credibility that the EC-Council had prior to their security incident?

aftereffector · September 2014

JDMurray wrote: »

Is there another area of credibility that the EC-Council had prior to their security incident?

Very nicely put... haha

Danielm7 · September 2014

From what I've seen on other forums/reddit/etc isn't so much that the material for the cert is garbage, but people seem to have more of an issue with the name itself. "Certified ethical hacker" but the cert doesn't really involve real hacking, more of an overview, use of some tools, etc. I'll bet if it was called something like Certified Novice Security Professional or something then you wouldn't hear people bash it.

xiny · September 2014

Ya I've heard people having issues with the actual name "Certified Ethical Hacker".
If you where interviewing 2 people for a Penetration Testing Job, candidate 1 had CEH and 2 years of experience and Candidate 2 has GPEN and 1 year of Experience, given only that information who would you immediately lean more towards?

Would you lean more towards the GPEN Candidate even though he has 1 year less of experience? If so, Why? Is it do to credibility issues with the EC Council? Or Would you lean more towards the CEH Candidate, and why?

colemic · September 2014

I think a lot of people's issues (including mine) stem from the way they conduct their business, especially since they have the name 'Ethical' in the name of one of their certs. Since they got picked up for 8570, they implemented a mandatory $100 'application fee' to determine if you are even eligible to take the exam. No other respected certifying body does that. Not to mention they doubled their test fees, which no appreciable return to the cert holder.

My biggest pet peeve with them was the awful, 3rd world Engrish the test had, but from others' comments, it looks like they have cleaned that up a lot. For what they charge for the test, is was inexcusable to look like the test was written by someone with little to no grammar skills. Just a pet peeve of mine.

That said, the way they handled their breach didn't do them any favors either. They were clearly compromised and denied that fact, and still do as far as I know.

bobloblaw · September 2014

The name is misleading. It's an entry/mid level cert. Still gets tons of hits on job boards.

More often than not you'll find the person that criticizes a certification doesn't have the certification they're criticizing.

JDMurray · September 2014

The CEH cert should be named "Hacking Essentials" and leave out the word "Ethical," as most of what the cert covers is ethics-neutral. The CEH exam is entry level, but the study material supplied by the EC-Council is definitely mid-level with some advanced topics. Its preponderance of objectives and topics makes the CEH look like the CISSP of hacking certs, but the CEH exam itself is more representative of a Hacking+ cert.

NotHackingYou · September 2014

colemic wrote: »

I think a lot of people's issues (including mine) stem from the way they conduct their business, especially since they have the name 'Ethical' in the name of one of their certs. Since they got picked up for 8570, they implemented a mandatory $100 'application fee' to determine if you are even eligible to take the exam. No other respected certifying body does that. Not to mention they doubled their test fees, which no appreciable return to the cert holder.

My biggest pet peeve with them was the awful, 3rd world Engrish the test had, but from others' comments, it looks like they have cleaned that up a lot. For what they charge for the test, is was inexcusable to look like the test was written by someone with little to no grammar skills. Just a pet peeve of mine.

That said, the way they handled their breach didn't do them any favors either. They were clearly compromised and denied that fact, and still do as far as I know.

This is how I feel about this cert as well. The $100 application fee feels underhanded at best.

Danielm7 · September 2014

bobloblaw wrote: »

More often than not you'll find the person that criticizes a certification doesn't have the certification they're criticizing.

I see that a lot too by the "The CISSP is stupid and pointless, I can take 15 minutes and get that!" sort of people.

JoJoCal19 · September 2014

JDMurray wrote: »

The CEH cert should be named "Hacking Essentials" and leave out the word "Ethical," as most of what the cert covers is ethics-neutral. The CEH exam is entry level, but the study material supplied by the EC-Council is definitely mid-level with some advanced topics. Its preponderance of objectives and topics makes the CEH look like the CISSP of hacking certs, but the CEH exam itself is more representative of a Hacking+ cert.

Yes JD you've said exactly how I've been feeling studying for this test. The exam itself seemed simple from what it asked. But the material is so broad and covers so much and actually goes into a lot more depth. I'm not sure where exactly I have come up short, although I have an idea, but I am hoping to tackle it this go-round.

jvrlopez · September 2014

Like others said, EC Council's presentation leaves a lot to be desired. Their $100 application fee seemed like a cash grab and their customer service was non-existent. I had to call multiple times after receiving no reply or invoice after paying the $100. My application had been approved 2 weeks prior but I was never informed and didn't have any idea until I called.

The test was rather straightforward, however, the questions were worded poorly. It was as if someone had translated the questions from English to another language and then back to English with a half hearted attempt to clean them up.

Their continuing education portal seems like something out of circa 2000 and I've had doubts as to their reviewing of credits. I was surprised when my CCNA R:S was counted as 40 credits due to it falling under the "pass a security certification exam" category.

Finally, is any portion of their organization based overseas? For some reason, my certification package was mailed out from Germany.

If I didn't need it for my job, I wouldn't have bothered with it. Almost everyone at work looks down upon it as a joke.

xiny · September 2014

Ok Thanks Everyone, so from what i've gathered is that some Companies see them as valid but the A lot of IT Folk do not.
This makes me think they will eventually lose there spots in the job markets down the road.

So! I'm going to go for GPEN then, my only fear is that I've heard how expensive it can be to buy the training material.

JoJoCal19 · September 2014

xiny, I would look into SANS Work Study Program. If you apply and are accepted to work an event, you pay a much smaller amount than usual for the courseware. It's $900 instead of like $5k. Also if you stay at the hotel that the event is at, they give you the exam attempt for free. I'm looking into doing this.

cyberguypr · September 2014

Wait, I missed a CEH "value" thread? How did this happen? Man, I gotta stop paying so much attention to WGU.

I echo what others have said. To me CEH and EC-Council are a joke. They really need to revamp their whole operation, introduce some quality control, improve processes, rename the cert... etc. I am only taking this test soon because it's required for my degree. I will not be listing it in my resume unless I am seeking a position where it specifically requires it.

And +1 on SANS work study program. $900 for class, MP3s, OnDemand, and exam attempt (you also get it if you are local to the city hosting the event.) Can't beat that.

Chivalry1 · September 2014

In my personal opinion, I consider it a very valuable cert. I tackled the cert after my CISSP. Although many of the tools are outdated, it offered great hands on experience.

Some of my major issues are of course the "English" grammar utilized within the course material & exam. 2. The professionalism and reputation of EC-Council overall as a company. With multiple security events that have occurred over the years it hard to take EC-Council serious.

retrokind · September 2014

Chivalry1 wrote: »

In my personal opinion, I consider it a very valuable cert. I tackled the cert after my CISSP. Although many of the tools are outdated, it offered great hands on experience.

Some of my major issues are of course the "English" grammar utilized within the course material & exam. 2. The professionalism and reputation of EC-Council overall as a company. With multiple security events that have occurred over the years it hard to take EC-Council serious.

hi there without the 2 years exp i am facing a rather costly money exchange with the ec council which i just cant afford.

do you have any tips on other routes i can take in terms of what kind of job role i should look for to get into the security area and gain my years exp as they are hard to find without certs and also what certs to take as i cant afford the $2000+ the ec council are asking for even for there offline material, i still dont see how there material is any better than say a combination of cbt nuggets and books apart from they want my money

xiny · September 2014

retrokind wrote: »

hi there without the 2 years exp i am facing a rather costly money exchange with the ec council which i just cant afford.

do you have any tips on other routes i can take in terms of what kind of job role i should look for to get into the security area and gain my years exp as they are hard to find without certs and also what certs to take as i cant afford the $2000+ the ec council are asking for even for there offline material, i still dont see how there material is any better than say a combination of cbt nuggets and books apart from they want my money

This entirely depends upon what you want to do in InfoSec. Do you want to build and protect a companies InfoSec infrastructure (InfoSec Officer)? Do you want to Audit and find issues with a companies Security Controls (Auditor)? Do you want to find holes and vulnerabilities in a companies infrastructure (Penn Tester/Auditor)?

You might even be like me and want to dive into them all.

retrokind · September 2014

xiny wrote: »

This entirely depends upon what you want to do in InfoSec. Do you want to build and protect a companies InfoSec infrastructure (InfoSec Officer)? Do you want to Audit and find issues with a companies Security Controls (Auditor)? Do you want to find holes and vulnerabilities in a companies infrastructure (Penn Tester/Auditor)?

You might even be like me and want to dive into them all.

Penn Tester/Auditor but I have come across CREST UK bred and based they seem perfect no stealing your money by making up lame reasons why you must pay them lots of money. CREST's cert seems locked down unlike ceh cert where you can find **** everywhere and the cert means sh*t.

well i hope they are as good as they seem there may be a reason why i cant find many fourms online about there certs lol
and the exams are overlooked one on one and it practical and writen, hopefully a decent above board cert unlike some!

CEH Credibility Question

Comments