Cutting short my ECC journey?

At the start of my ECC journey, I'm disappointed to see so many complaints about ECC and exam version. Until yesterday, I thought ECC was right, but all those folks complaining can't be all wrong.
Also, for ECC to expect us to be up-to-date with industry for CEH exam is at best unrealistic and at worst foolish.
I really hope I won't have to give up on ECC. I will wait on the sideline until the dust settles. Or should I cut my journey and go after another cert?
Comments
A lot of people are concerned because the v9 just came out. The same thing happened when Microsoft pushed the R2 update to server. It catches people off guard. That happens. I won't say that it's absolutely terrible, but you have to be prepared for those sorts of things.
Website gave me error for signature, check out what I've done here: https://pwningroot.com/
If one is certified to be a programmer, then it makes sense to expect him/her to keep up to date with all languages, syntax, for one exam.
Right now, the VP of ECC is getting involved since I spoke with him last night. This should not have happened. There is always a grace period for those using material that is scheduled to expire and the transition (hand shake) of the new material coming online. What has occurred in the last 2 weeks is a total "change management" failure on the testing center for ECC.
Even CompTIA uses a "grace" period for its students and issues out those Objectives clearly - with "official" study guides that the IT Industry can get their heads wrapped around. ECC's position is that if it does not say ECC on the book - then it is grey material - that may or may not aid a test taker.
The point I'm trying to make is that this change was so immediate and drastic that no one was prepared for it. A test taker cannot stay in a perpetual state of study fearing that they might miss the crucial 38 questions that cause a 68% score on the exam - 140 New labs and 2200 commonly used tools can garner a massive amount of specific questions.
There needs to be order and balance. That is why CompTIA uses the CE so that once a test taker achieves the exam and certification (foundation) - they continue to learn new and developing trends within the IT realm (building the infrastructures of knowledge).
So - no binarysoul you don't need to change right at this moment - hang tough to see what is going to happen. It will be quick, I hope. In the end, Offensive Security is what all high end hackers are using to crack worldwide networks. It's the most "in your face" one can get. So - perhaps this is the way it was meant to be. I tend not to question why things occur in a bad light, but jump at the opportunity to learn from it and excel towards another journey...and that will be Offensive Security (Metasploit and their first certification they offer OSCP).
Your concerns are well placed....
You could short cut the whole CEH path by going straight to OSCP. The thing is, you can just learn whatever you like without getting a cert, and if you do get a cert, then a higher level one sort of negates the lower level one. I mean, why go on about your CCNA if you have CCNP, or why mention your A+ if you have MCSE?
Even if you don't get the CEH, what you've learnt won't go to waste. It will still add to what you know, and gives a reasonable base to scale greater heights.
I'm hoping that ECC will clarify the situation with the exam, though.
"The CISSP draws from a comprehensive, up-to-date, global common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices. "
To be an accredited certification you have to have up to date questions.
"A lot of people are concerned because the v9 just came out."
The v9 course just came out, not the v9 exam. There is no version on the exam.
As per the EC Council Web Site "What is new in the CEH Version 9 Course"
I understand the confusion they should just version the COURSE by year. CEH 2013/14 Course (v
The complaints you have read are due to individuals training for one exam and either taking the newer exam or seeing newer questions mixed in. Don't be frustrated but appreciate the certification is respected and you have that brand name backing you up now once you passed your exam. ECC is a very good company and like all humans are not prone to mistakes. Be calm and sort them out with them. Study and enjoy the material. I am looking forward to v9.
2023 Cert Goals: SC-100, eCPTX
That only plays to my biggest issue with CEH - that it's too easy and people not qualified still manage to pass it.
Then those not qualified enter the field but don't really know what they are doing. Which in turn makes the CEH look bad. This hurts both sides of that engagement (the tester and client), as well as other certification holders.
I've always treated it as an entry level cert. In the same way I wouldn't trust an A+, no experience, tech to manage 2008 Server, I would expect a CEH to run a pen test (or write a report). A CEH might be useful for hiring a Pen Tester or writing up a pen test RFQ/RFI. It's also a useful cert to orient to the field, and useful for people in other fields (Network or System Admins) who need some security training. There's a bunch of better certs at higher levels, along with numerous capture the flag events, for people who really want to prove themselves.
The weird thing about CEH is that EC Council say that it is the preeminent hacking certification (pinnacle, most advanced, master etc) and then go and offer the ECSA and LPT above and beyond CEH.
From what I've read from those in the industry, and in conversations, is that CEH isn't respected and that most only get it to satisfy some "need" from clients who probably get fixated on the "Certified" and "Ethical" part of the name rather than the substance of what it is - 125 multiple choice questions.
CISSP is the only other cert that gets you more bang for your buck as far as DoD 8570.01-M.
CISSP - Information Assurance Manager level 2 and 3.
CISSP - Information Assurance Technical level 3.
CISSP - Information Assurance System Architect and Engineer level 1, 2 and 3
CEH - Computer Network Defense Analyst
CEH - Computer Network Defense Infrastructure Support
CEH - Computer Network Defense Incident Responder
CEH - Computer Network Defense Auditor
CISSP - Computer Network Defense Service Provider Manager
CISSP - Information Assurance System Architect and Engineer level 1 and 2.
If you want to work in Computer Network Defense for the DOD you should get CEH.
If you want to work in Computer Network Defense for a non-DOD organization you should get CEH. The thing is, most companies are not going to go and do the work the DOD did in order to make sure certain certs meet the criteria of someone working in a certain field. What is happening is other companies are looking and saying, hey, if it is required by the DOD it should be good enough for us.
I'm certain there are many certs and non-cert courses that teach you more than CEH does. However, can you consider them to be better if they are not required for the job?
I agree on the disconnect with how it has been marketed, and how it's perceived by the industry as such. You want to expect more from someone holding the certification. Hopefully this will be addressed in the future with new updates to all of the courses.