CEH Eligiblity

JSN

So I currently hold my Security+ and my next step was going to be CEH, however when I applied to take the exam my exam was rejected. I am slightly confused on what I have to do to take the exam. If this question has already been answered I apologize.

OctalDump

The easy way is to do their course. Otherwise it is going through their application process. Is that what you've tried?

If they are really making it hard for you, then there are other (arguably better) courses/certifications. There's mile2, eLearnSecurity, GIAC and OffensiveSecurity. The one with the best reviews at the moment for entry level is probably the eLearnSecurity Junior Penetration Tester certification which has PTSv3 course.

TechGuru80

Two ways:

1. Take either the official course online or in person and regardless of your experience you can sit for the exam.

2. Have two years of verifiable work experience in InfoSec (they verify with your supervisor). This option lets you self study or buy the official courseware (like $800) and sit for the exam when ready..the application does expire after a time period.

If you don't do one of the above, you cannot sit for the exam. It sounds like you applied to do the self study option and got declined...which means you have to take an official course or wait until you have the required two years of experience and then reapply. It does cost I believe $100 to apply each time though.

JSN

I am looking to take the course at a local community college, I just wonder if this is acceptable to earn the cert. To give a run down where I'm at, I'm entry level with no info sec experience. I'm now looking to get into the field at 26, and eventually go back for a degree. I'm looking to apply to an entry level blue team position and one of the preferred certs is CEH or GPEN. Even though I don't have the experience I'd like to at least learn the skills and try my luck at a security job.

TechGuru80

You would need to ask the school if they are an official trainer for ec council...or you could ask ec council. If they aren't an approved location, the training wouldn't qualify you to sit for the exam.

What is your background? Do you have any network or system background? Some of that information is useful to actual be a productive member of a blue team.

PJ_Sneakers

Your best bet without the experience is taking the official course. Or, you may want to look at an alternative like the eLearnSecurity certs.

JSN

Sorry I can't seem to quote on my phone. But my experience is in physical security, and my goal is to end up working in info sec. I am trying to pursue as many certs as I can in security to learn the skills. Whether it is pipe dreams to be able to start in sec without a degree or is experience I'm not sure. As far as knowledge in networking and systems, I've been a hobbyist most of my life. It's so much for me as getting some validation for what I know. I have had some job interviews with my sec+ and no it experience.

JSN

Sorry for double post, also those junior pen tester certs would actually be right up my alley. Are those recognized in the field?

Chinook

@JSN

I'm not trying to dissuade you from taking the course (as I have) but you may want to allocate your funds elsewhere to get a better bang for your buck. C|EH is not a bad certification, but it really is just "hacker basics" and it's expensive. Octaldump mentioned a few other links about that you should investigate. I particularly like Offensive Security. The SSCP is another good certification which is a good compliment to Security+. The GIAC stuff is really the "cream of the crop" but they're also expensive.

If you want to be a pen tester my advice is to take as many courses (including Udemy) on things like Kali Linux, SQL injection, social engineering, etc. Get familiar with nmap, metaspoilt, armitage, burpsuite, maltego, all things XSS and all things SQL injection. And learn the "theory" stuff like access control, CIA, incident response, cryptography & reading things like logs.

There is a site called HackThisSite which is a good place to mess around (legally) and learn things. Practice and play around. Don't worry so much about certification.

I see the C|EH like I saw the MCSE in 1999. The name sounds kick ass but there are lots people who could have that certification and not even know what XSS is.

Good luck.

JSN

Chinook wrote: »

@JSN

I'm not trying to dissuade you from taking the course (as I have) but you may want to allocate your funds elsewhere to get a better bang for your buck. C|EH is not a bad certification, but it really is just "hacker basics" and it's expensive. Octaldump mentioned a few other links about that you should investigate. I particularly like Offensive Security. The SSCP is another good certification which is a good compliment to Security+. The GIAC stuff is really the "cream of the crop" but they're also expensive.

If you want to be a pen tester my advice is to take as many courses (including Udemy) on things like Kali Linux, SQL injection, social engineering, etc. Get familiar with nmap, metaspoilt, armitage, burpsuite, maltego, all things XSS and all things SQL injection. And learn the "theory" stuff like access control, CIA, incident response, cryptography & reading things like logs.

There is a site called HackThisSite which is a good place to mess around (legally) and learn things. Practice and play around. Don't worry so much about certification.

I see the C|EH like I saw the MCSE in 1999. The name sounds kick ass but there are lots people who could have that certification and not even know what XSS is.

Good luck.

I've looked into SSCP, sadly you need at least a year of security experience. I'm wondering about a lot of GIAC certs because I've noticed a lot of high level security pros hold them. I'm going to look into the Junior Penetration Tester certification, even if it isn't common to see I'm still getting the knowledge.

PJ_Sneakers

The eJPT doesn't have much notoriety, but has a good rep on this forum. The training is online and hands on. Their eCPPT cert looks like it's gaining some traction in the market.

I did pass the CEH, and I think the eLearnSecurity and Offensive Security are far better for actually learning how to pen test. I'm really interested in the ELS courses, myself. They seem really affordable and get rave reviews on TE.

Since you seem like you're new to IT, have you looked into something like an entry level support role? Something to get you into IT, but also so you can build up your skills and gain experience in the field.

JSN

PJ_Sneakers wrote: »

The eJPT doesn't have much notoriety, but has a good rep on this forum. The training is online and hands on. Their eCPPT cert looks like it's gaining some traction in the market.

I did pass the CEH, and I think the eLearnSecurity and Offensive Security are far better for actually learning how to pen test. I'm really interested in the ELS courses, myself. They seem really affordable and get rave reviews on TE.

Since you seem like you're new to IT, have you looked into something like an entry level support role? Something to get you into IT, but also so you can build up your skills and gain experience in the field.

I've tried for a couple, I almost had an IT support job for a government contractor. I've been applying for a lot of jobs in DC, MD and VA as well. Seems like that info sec jobs are bountiful there, so I figured I'd give it a shot. My long term goal is to get into Lockheed Martin or Booz Allen Hamilton.

Chinook

@JSN

If you don't have a year of security work, you'll get an "Associate" degree with the SSCP. Don't let that dissuade you. It's a recognized entry level certification and employers likely won't be concerned you're an associate. SSCP is a course which discusses fundamentals & theories. This is important because security is just more than knowing how to use a tool. It's understanding what that tool is doing. That's what separates you from the "script kiddie" label.

Also, in the world of security it's important to understand how things work. To start, learn & breath all things Linux. Pretty much every good security tool is released on Linux. Secondly, learn to understand as much as you can about everything else. You don't need to be a MCSE or a CCNA, but know the talk/walk of technology. You'll have to attack it someday.

[Deleted User]

Just do the training course. It will guarantee you can sit for the exam and you get the courseware, manuals and virtual labs to mess around with if you go to a new horizons center. Also, you get a good quality backpack to keep your hacking arsenal in as well

JSN

Chinook wrote: »

@JSN

If you don't have a year of security work, you'll get an "Associate" degree with the SSCP. Don't let that dissuade you. It's a recognized entry level certification and employers likely won't be concerned you're an associate. SSCP is a course which discusses fundamentals & theories. This is important because security is just more than knowing how to use a tool. It's understanding what that tool is doing. That's what separates you from the "script kiddie" label.

Also, in the world of security it's important to understand how things work. To start, learn & breath all things Linux. Pretty much every good security tool is released on Linux. Secondly, learn to understand as much as you can about everything else. You don't need to be a MCSE or a CCNA, but know the talk/walk of technology. You'll have to attack it someday.

You can do that with CISSP as well right?

TechGuru80

The Associate of ISC2 status specifically states you cannot identify the exam you passed in resumes and what not. You can get the Associate title for any ISC2 exam, however you are very unlikely to pass without at least a couple years under your belt.

Now for this script kiddie stuff...unless you are actually a pentester, you are more likely to be a script kiddie anyways because you will be responsible for knowing other stuff and not developing exploitation tools and or exploits. I wouldn't worry about being called that term for a while because the people who are not...have several years in the industry. Also, the SSCP is a defensive based certification just like the CISSP, so if you do go that route don't be surprised you aren't learning how to develop 0-days for Adobe.

JSN

TechGuru80 wrote: »

The Associate of ISC2 status specifically states you cannot identify the exam you passed in resumes and what not. You can get the Associate title for any ISC2 exam, however you are very unlikely to pass without at least a couple years under your belt.

Now for this script kiddie stuff...unless you are actually a pentester, you are more likely to be a script kiddie anyways because you will be responsible for knowing other stuff and not developing exploitation tools and or exploits. I wouldn't worry about being called that term for a while because the people who are not...have several years in the industry. Also, the SSCP is a defensive based certification just like the CISSP, so if you do go that route don't be surprised you aren't learning how to develop 0-days for Adobe.

I've gotten mixed answers with Associate of ISC2, an infosec manager I worked with at my last job told me employers treat you the same way as a CISSP. So honestly that is on the back-burner for now. As far as being a pen tester that is a long term goal. My current goal is working towards a job in the defense contracting industry, however I will look into the eLearning certs you posted. I've looked at pen testers linkedin profiles, most of them have 10+ years experience. My next certification will likely be CEH or something from GIAC, because both seem highly recognized in the government sector/defense contracting sector.

PJ_Sneakers

You should look into DoD directive 8570.

Malita215

I have a Master's degree from Capitol Technology University if their Cyber Security program. Will this waive the 2 year work experience? Also, what work duties qualifies as direct security experience?

PJ_Sneakers

There's not an education waiver that I'm aware of. You have to prove IT security-related work experience by filling out a form and getting it verified by your supervisor. You get your boss to sign a form, and then they contact your boss. It's pretty straightforward.

binarysoul

The official CEH is the way to go; yes it's expensive. Investments are always expensive, but they will yield returns at the end.

Seab

Hi guys,

I am asking for a friend, because we were discussing that minutes ago...

He has SSCP and CCNA, 1 year exp in Info Sec, and many years of exp in network/telcomm.

How are the chances to apply and succeed for self-study for CEH?

thanks

EnderWiggin

Seab wrote: »

Hi guys,

I am asking for a friend, because we were discussing that minutes ago...

He has SSCP and CCNA, 1 year exp in Info Sec, and many years of exp in network/telcomm.

How are the chances to apply and succeed for self-study for CEH?

thanks

Due to only having one year of Infosec experience, he will not be able to pursue the self-study route. He will have to do the official CEH training in order to take the test. Otherwise, he'll have to get another year of Infosec experience.

In terms of knowledge, he sounds like he would be fine to learn the material and pass the test, though.

Remedymp

EnderWiggin wrote: »

Due to only having one year of Infosec experience, he will not be able to pursue the self-study route. He will have to do the official CEH training in order to take the test. Otherwise, he'll have to get another year of Infosec experience.

In terms of knowledge, he sounds like he would be fine to learn the material and pass the test, though.

This is a sad policy as it does nothing for the industry other than slow down the development of resources. SMH...

EnderWiggin

Remedymp wrote: »

This is a sad policy as it does nothing for the industry other than slow down the development of resources. SMH...

Yeah, it kinda sucks. Bypassing this was one of the big perks for me of WGU, as their course counted as official training.

PJ_Sneakers

Remedymp wrote: »

This is a sad policy as it does nothing for the industry other than slow down the development of resources. SMH...

I'm not trying to be argumentative, but how do you feel about other organizations have similar rules? Such as ISC2, ISACA, etc.

On one hand I feel that it helps keep the credentials valid, but on the other it is also a frustrating catch-22 for gaining employment.

EnderWiggin

PJ_Sneakers wrote: »

I'm not trying to be argumentative, but how do you feel about other organizations have similar rules? Such as ISC2, ISACA, etc.

On one hand I feel that it helps keep the credentials valid, but on the other it is also a frustrating catch-22 for gaining employment.

I don't necessarily have anything against requiring the work experience, when it's just a few years. Knock out a few lower-level certs first while working the entry-level jobs, then go for the higher level certs. The thing I can't stand though, is that ISC2 lets you take the tests, but if you pass, you're not allowed to say what test you passed. They need to either not let people take test before having the experience, or let them state what test they passed. Being in between those two options irks me.....

I'm sure I'll change my tune once I have the years of experience, and get a full-fledged CISSP though haha.

Remedymp

PJ_Sneakers wrote: »

I'm not trying to be argumentative, but how do you feel about other organizations have similar rules? Such as ISC2, ISACA, etc.

On one hand I feel that it helps keep the credentials valid, but on the other it is also a frustrating catch-22 for gaining employment.

I am not in disagreement with the policy. It is just a sad one. For example: We just filled several roles for L1 Security Analyst for IR. None of these people worked directly in Cyber Security at all, they all came from compliance or desktop support. These people can't sit for the exam even though they've worked on security issues in the previous roles. According to EC-Council, they're not eligible for sitting the exam, but are eligible for sitting for exams like Security+.

It just makes me SMH...