Wanna get EC-Council CEH? Think again.


Comments

  • compton2k15 Member Posts: 24
    My undergraduate degrees are in marketing and criminal justice... Those degrees are like some certifications... if you don't have them, then HR won't talk to you. They do show that you have some baseline level of knowledge and it says something about your character that you followed thru to complete a degree, or certification. But they don't prove your capability.
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • gespenstern Member Posts: 1,243
    My undergraduate degrees are in marketing and criminal justice... Those degrees are like some certifications... if you don't have them, then HR won't talk to you. They do show that you have some baseline level of knowledge and it says something about your character that you followed thru to complete a degree, or certification. But they don't prove your capability.

    Well, for a more precise analogy, your degrees should be named like 'marketing gosu' or 'criminal justice genius' and awarded by a sh!tty 3rd world overpriced university from overseas with flawed procedure and irrelevant and poorly worded study materials and exam.
  • compton2k15 Member Posts: 24
    lol ^

    Basically
    • the CEH isn't totally worthless. It's good with helping you get an interview..
    • Once you get the interview, it's up to you to prove to them that you have the skills to do the job.
    • The CEH alone doesn't qualify you to be a pen tester/ethical hacker but it gives you some baseline to:
    • Get OSCP cert
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • gespenstern Member Posts: 1,243
    lol ^

    Basically
    • the CEH isn't totally worthless. It's good with helping you get an interview..
    • Once you get the interview, it's up to you to prove to them that you have the skills to do the job.
    • The CEH alone doesn't qualify you to be a pen tester/ethical hacker but it gives you some baseline to:
    • Get OSCP cert

    Yeah, sure, I admitted that in the thread main message. It works. But... it shouldn't, that's why I've written all of this
  • Danielm7 Member Posts: 2,310
    I think if they just named it something different people wouldn't be so pissy about the cert. No one expects to be a network engineer after taking network+, but somehow after taking the CEH people flip out that it doesn't make you a hacker.
  • compton2k15 Member Posts: 24
    Yeah, sure, I admitted that in the thread main message. It works. But... it shouldn't, that's why I've written all of this

    I know. I was summarizing and agreeing with most of what you said. With 1 exception. If the cert got me a better job, then I wouldn't regret having taken the test. The registration process is absolutely laughable.
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • gespenstern Member Posts: 1,243
    I know. I was summarizing and agreeing with most of what you said. With 1 exception. If the cert got me a better job, then I wouldn't regret having taken the test.

    That's totally understandable from a personal point of view cause everything that helps me to earn more money is good for me. But is it good for society? Not always.

    Why do we have so many 'passed CEH, excited!' threads in here and 'CEH is a BS' threads are so rare? Because if they pass it people tend to be satisfied because it serves well to them despite being a sh!tty cert. It works. Happy HR has a simple dumb criterion to filter out the crowd, CEH certified has a salary boost or a new job with a better pay, EC-Council gets their money. Everybody looks satisfied and the only side that suffers here is the industry as a whole and profession because in reality this cert is a BS and doesn't live up to the hype and smart people from outside who see that think to themselves like "who are all of these certified infosec people that tolerate this and seem to be happy with that happening? We probably shouldn't trust them too much."

    That's what I care about.
  • compton2k15 Member Posts: 24
    Agreed. It's like getting a general liberal arts degree. You have a 4 year degree, but aren't really qualified. I take the test in 2 weeks, but I've read the book and watched videos and it is entry level stuff. Just like Security+ doesn't make you an info sec expert. The CEH won't make you a pen test expert. But I am not bothered that people are excited when they accomplish something.
    That's totally understandable from a personal point of view cause everything that helps me to earn more money is good for me. But is it good for society? Not always.

    Why do we have so many 'passed CEH, excited!' threads in here and 'CEH is a BS' threads are so rare? Because if they pass it people tend to be satisfied because it serves well to them despite being a sh!tty cert. It works. Happy HR has a simple dumb criterion to filter out the crowd, CEH certified has a salary boost or a new job with a better pay, EC-Council gets their money. Everybody looks satisfied and the only side that suffers here is the industry as a whole and profession because in reality this cert is a BS and doesn't live up to the hype and smart people from outside who see that think to themselves like "who are all of these certified infosec people that tolerate this and seem to be happy with that happening? We probably shouldn't trust them too much."

    That's what I care about.
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • gespenstern Member Posts: 1,243
    Look closely at your questions on the exam and see if they are okay and then share your experience. I had several so-so and two that were straight-forward BS. I just knew what I'm supposed to choose there but in reality I wouldn't justify such questions cause they aren't based on best practices or some rationale and other questions were either typos or misunderstanding, like question talks about encryption/decryption and then asks you a question regarding integrity instead of confidentiality, etc.
  • ramrunner800 Member Posts: 238
    The industry isn't really worse off, because nobody is hiring a CEH thinking they're getting a hacker. Everyone knows they're getting an entry level person with basic security knowledge. It's nowhere near the federal case being made.
    Currently Studying For: GXPN
  • colemic Member Posts: 1,569
    sigsoldier wrote: »
    Colemic is the resident EC-Council apologist on these boards. Hopefully he'll chime in and remind us why every IT professional needs to be CEH certified.

    I hope that was said in jest...

    cyberguypr is a real fanboi!
    Working on: staying alive and staying employed
  • gespenstern Member Posts: 1,243
    nobody is hiring a CEH thinking they're getting a hacker. Everyone knows they're getting an entry level person with basic security knowledge.

    That's not true.
  • NetworkNewb Member Posts: 3,298
    I dunno, definitely think a lot of IT managers don't know what any of these certs actually consist of. They probably see "Certified Hacker" and their eyes light up thinking they are getting someone who regularly hacks into the FBI.
  • colemic Member Posts: 1,569
    NOC-Ninja wrote: »
    The best hacker I know doesn't even have CEH, CISSP, CISM and all these sec certs.

    And that makes total sense, since the CISSP and CISM are security management certs, not 'hacking.'
    Working on: staying alive and staying employed
  • colemic Member Posts: 1,569
    Agreed. It's like getting a general liberal arts degree. You have a 4 year degree, but aren't really qualified. I take the test in 2 weeks, but I've read the book and watched videos and it is entry level stuff. Just like Security+ doesn't make you an info sec expert. The CEH won't make you a pen test expert. But I am not bothered that people are excited when they accomplish something.

    I can't think of a single college degree that automatically qualifies you for a position, in security or even IT. A CompSci major would have a hard time being dropped into a sysadmin role, without experience in supporting desktops, other systems, etc. Experience is king.
    Working on: staying alive and staying employed
  • kleecksj Member Posts: 11
    I find all the CEH hating quite humorous. How many times have I read "Nah, man. That cert is trash. You should get the OSCP instead!".

    "Oh, really? Is the entry level cert not as robust as the advanced one?"

    I have my CEH because my Lead IT Analyst told me to get it if I wanted to start my bridge into ITSec from Sys. Admin. It was a fine course (used CBTNuggets with Conrad). I describe it as "a mile wide and an inch deep". You aren't a hacker, but if you're doing it right you'll "know what you don't know" and where to focus your training to become an effective security professional. In the month to follow the completion of my certification I've used the knowledge gained many, many times to assist in troubleshooting my environment.

    Also, I don't know what planet some of you are living on. The CEH is listed on many job postings from very respectable organizations.

    It isn't trash and it isn't the OSCP.
  • NetworkNewb Member Posts: 3,298
    I don't think people think it is a bad cert. It is just way overpriced for an entry level cert. And people feel that others who don't know what it is put it up on a pedestal when it doesn't need to be.

    I wish my employer would pay for me to take it... Would do it in a heartbeat.
  • kleecksj Member Posts: 11
    I don't think people think it is a bad cert. It is just way overpriced for an entry level cert. And people feel that others who don't know what it is put it up on a pedestal when it doesn't need to be.

    I wish my employer would pay for me to take it... Would do it in a heartbeat.

    People are literally calling it trash. So, yeah, some people think it is a bad cert. My point is that it has its place in the security training paradigm. I think you're agreeing with that.

    I think you make a good point about the price. My employer paid for mine, however I'm not sure what the alternative, cheaper certifications are. If you think that Sec+ is equivalent to it then maybe? (For the record, I do not believe the Sec+ is an equivalent to the CEH). I'm genuinely curious what other equivalent cert is cheaper than the CEH?

    Edit: I just realized that when considering price people are talking about bootcamp courses plus exam fee... My total cost with course, application, and exam all came to $600 (a little more for the CBTnuggets subscription, I guess.) If you self study it doesn't have to cost anywhere near $2800.
  • cyberguypr Mod Posts: 6,928
    Wow, Colemic finally showed up to this discussion. Now it's official!!!
  • NetworkNewb Member Posts: 3,298
    I agree, I don't think there is a good entry level alternative to this cert unfortunately.

    As far as the cost, You need at least 2 years working strictly a security position if you don't do the bootcamp correct? I have an admin position atm, I might actually do the course if I could do it for $600. (which is still expensive)
  • kleecksj Member Posts: 11
    The requirement is that you have two years of "security related experience". I'm also a Sys. Admin. and I've handled building out and maintaining two different AV endpoint environments as well as implemented a global desktop and server patching policy and procedure. I handle incident response to events like CryptoLocker outbreaks, etc. It really isn't hard if you've got a broad scope Admin position (like many do).

    In the end, it's your boss that makes the call as they'll reach out to your employer to verify what you put on your application.

    Also, I agree, $600 out of pocket is a lot for an individual. I probably wouldn't have done it outside of my employer's generous education policy.
  • NetworkNewb Member Posts: 3,298
    hmmm interesting, I haven't had 2 years experience at my position, but might have to look into this next year. My company is actually going to pay for me to take the SANS GSEC course this summer (as long as I get into the work study program that is). Will probably keep the CEH on my radar.
  • SephStorm Member Posts: 1,731
    griffondg wrote: »
    I am not a CEH defender by any means. I personally don't think the cert is worth much other than checking a box on a job posting, BUT, I did learn quite a bit in the training and the online version put out by EC-Council was only $1,800 and it came with an exam voucher. I don't regret getting the cert and have just signed up for the OSCP.

    Eric

    And this makes no sense to me. It's worth nothing, but you learned from it and don't regret it. These don't mesh. I hear the same thing all around here and elsewhere. The material is useful, but the cert is worthless, unless you get a job because of it... or if it is a base for pursuing other advanced EH certs...

    Just say what you are really thinking. It's overpriced, perhaps overinflated, useful in the job search, useful in gaining foundational knowledge, useful for gaining practical knowledge if you do the practicals.
  • colemic Member Posts: 1,569
    My beef is really more with EC-Council than the cert itself. (Although when I took it, the grammatical errors were godawful and unacceptable IMO, but I think they have cleaned it up a little.)

    I believe jdmurray teaches a CEH class, and I respect his opinion and knowledge enough to recognize that he sees value in it, so I'm not trashing the cert, per se, but EC-Council... that's a different story. Entirely unprofessional, moneygrubbing idjits. For example, equating their week-long 'training' with 2 years work experience.

    It just doesn't have value for me. And I don't encourage people to pursue it because in my experience, most people who have it use it as an HR filter, it doesn't actually provide real security value to them. JMO.

    that is all. The #1 fan has spoken.
    Working on: staying alive and staying employed
  • gespenstern Member Posts: 1,243
    colemic wrote: »
    the grammatical errors were godawful and unacceptable IMO, but I think they have cleaned it up a little.

    Well... a little. And add to this straight up stupid questions that I can't share...
    colemic wrote: »
    that is all. The #1 fan has spoken.

    LOL
  • cowill Member Posts: 93
    Interesting post....I actually had the mentality that the CEH is a "joke" at first....But honestly, I think it SHOULD serve its purpose of getting you in the door and/or noticed....What you do after is up to you....

    Personally, I think ALL of them are a "joke" in terms of being security in the real world.....I wouldn't advertise my security certs....and I'm pretty sure "real" hackers are trembling because you have Security+ or CISSP....In fact...IMO You are asking for trouble.......and the minute you get "hacked", you begin to lose respect.


    Personally, if I get the CEH, I wouldn't tell anybody other than up and coming IT folks, family and HR recruiters.....
  • Tyb Member Posts: 207
    I just passed the CEH for WGU. I thought it was easy, I don't think it would have been though if I hadn't had a strong foundation that I have been building on. If someone went in with no knowledge of networking, basic coding and system admin, etc., I don't believe they would pass. It is nowhere near worth the $500 test fee and no, it will not turn someone into a hacker/pentester.

    I haven't made the jump into infosec yet (that is my goal) so I don't really know how the people in the field view this cert. The more I read here though, not much.
    WGU BS:IT Security (March 2015)
    WGU MS:ISA (February 2016 )
  • NetworkNewb Member Posts: 3,298
    cowill wrote: »
    Interesting post....I actually had the mentality that the CEH is a "joke" at first....But honestly, I think it SHOULD serve its purpose of getting you in the door and/or noticed....What you do after is up to you....

    Personally, I think ALL of them are a "joke" in terms of being security in the real world.....I wouldn't advertise my security certs....and I'm pretty sure "real" hackers are trembling because you have Security+ or CISSP....In fact...IMO You are asking for trouble.......and the minute you get "hacked", you begin to lose respect.


    Personally, if I get the CEH, I wouldn't tell anybody other than up and coming IT folks, family and HR recruiters.....

    I think you're just looking in the wrong spots. If you want certs that deal with Penetration Testing you should look at OSCP and OSCE. Sec+ and CISSP aren't going to teach you those things. Not sure who thinks they do... and I definitely wouldn't categorize those (OSCP and OSCE) as "joke" certs in terms of the real world either.

    This CEH is pretty much an entry level Pen Testing cert. I'm going to tell people when I get it... I think you're a little paranoid to think people are going to start coming after you if you do.
  • griffondg Member Posts: 39
    SephStorm wrote: »
    And this makes no sense to me. It's worth nothing, but you learned from it and don't regret it. These don't mesh. I hear the same thing all around here and elsewhere. The material is useful, but the cert is worthless, unless you get a job because of it... or if it is a base for pursuing other advanced EH certs...

    Just say what you are really thinking. It's overpriced, perhaps overinflated, useful in the job search, useful in gaining foundational knowledge, useful for gaining practical knowledge if you do the practicals.

    I hear what you're saying...I should have said it's way overinflated in perceived value outside the security community but is useful to have and the course has good content.
  • Chinook Member Posts: 206
    Few things to add to this debate

    CISSP: This is a conceptual certification designed for management. It's an overview exam (and quite difficult too so take your breaks).

    CEH: This is really an entry level offensive hacking/vulnerability assessment exam. Once you complete it you won't be Kevin Mitnick, but it will give you the knowledge to understand "hacking".

    To be a good security guy you need to be a solid well rounded generalist in IT & then move into security. It's not a case of taking an exam or using a tool. Anyone can hack a Cisco router but once inside then what?