Seeing a bunch of people saying the CEH is outdated

So is it worth it or should I look at GIAC instead?

I'm hardcore gathering certifications trying to advance my career. I'm extremely interested in security due to it's growing prevalence and opportunities for side money like bug bounties and the like. I got my A+ recently just to have it, just passed Security+ on Tuesday after a few weeks of studying. Was looking at CEH for the next one but the comments here have me feeling like it's a bit more of a badge than actual relevant information.

I want to take the CISSP as that's more highly regarded, but I'm seeing that they require you to prove that you have 5 years experience in cyber security before you're granted the certification? I'm looking around for some more clarity regarding that before I get going on that course ware.

What's your take?

Find more posts tagged with

Comments

Rewire

Sorry for double post but it seems there's no edit function?

I do NOT have a degree in IT unfortunately as I went to college for something else. All I have is a worthless Associates that's in a field I could never find a position in. I DO have IT experience of close to 20 practical years (working on computers since I was 9), but of course, it's not on paper so no one cares. I also have about 7 years of IT work experience, but 4 of them are self employed, and none of it is in cyber security so I'm not sure if that's credible.

So I'm looking for certifications that get me in the door without me having a degree. I'm trying to go for the most recognizable ones and the most desired, so that's why I got the CompTIA ones first. I feel like the CISSP is the next best thing, but I still need to figure out that experience thing.

VictorVictor5

Rewire,

As far as CISSP goes, if you don't have the 5 years experience, you can still sit for the exam, but you'll be a CISSP Associate until you hit the 5 year mark. If you have a CompTIA cert (I think Sec+, and/or Net+) that counts as one of your creditable years. Your education could count if you had a B.S. or higher, but again, only 1 year. So in essence, they'll give you 6 years to get the 5 year experience, but you'll have 1 year out of the way since you have CompTIA certs.

I looked into this as I'm going to be going for CISSP after CEH (employer paying for CEH).

VV5

atippett

VictorVictor5 wrote: »

Rewire,

As far as CISSP goes, if you don't have the 5 years experience, you can still sit for the exam, but you'll be a CISSP Associate until you hit the 5 year mark. If you have a CompTIA cert (I think Sec+, and/or Net+) that counts as one of your creditable years. Your education could count if you had a B.S. or higher, but again, only 1 year. So in essence, they'll give you 6 years to get the 5 year experience, but you'll have 1 year out of the way since you have CompTIA certs.

I looked into this as I'm going to be going for CISSP after CEH (employer paying for CEH).

VV5

This is wrong and can get you in a lot of trouble. You CANNOT claim "CISSP Associate." You can only claim "Associate of ISC2." You can't even tell anyone what test you took to get the Associate (CISSP, SSCP, CCSP, HCISPP, CAP, or CSSLP). If you get to an interview and the interviewer asks which test you took, you CANNOT say. If that person has their CISSP, they can report you.

LonerVamp

Just curious, why can't you say what test you took? Could you just answer the question, "What cert will you be pursuing later on?" And just say you want to get your CISSP?

atippett

Associates of (ISC)² are NOT certified and may not use any Logo or description other than “Associate of (ISC)²”. Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than “Associate of (ISC)²”, in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)²certification.

https://www.isc2.org/uploadedfiles/(isc)2_public_content/legal_and_policies/logoguidelines.pdf

TacoRocket

Also I wouldn't take it on our word alone when it comes to the CEH. Don't get me wrong, I'm not a big fan but you have to decide if it makes sense in your career at this time. It may have relevance and people might contact you over it. It may not

xxxkaliboyxxx

Coming from a IT Governance and compliance background I found my studies pursuing the C|EH extremely valuable. I had very little securtiy tools experience and studying generic tools, researching further and probably most importantly doing hands on lab with a more current toolkit, unreplaceable.

I could of just gone straight to Off-Sec or the likes, but I had zero pentesting experience. Using C|EH studies provides anew elementary to intermediate outline.

Now that I am schedule for SANS SEC504, I feel pretty confident going in.

just my 2 cents.

VictorVictor5

Whoa thanks for the heads up atippett - boy did I read that wrong!

So here's my question. Can we still take the CISSP exam if we don't have the 5 years of experience?

VV5

gespenstern

My take is it never been indated to start with.

But it's on DoD 8570 and often mentioned in JDs.

PC509

Outdated? The tools and such used are very old, but still very relevant. Some of the techniques are less used today than they were 10-20 years ago. But, the cert itself is still relevant and the knowledge is still relevant and very useful.

Going through the cert, a lot of it was familiar from the tools I used in the early 90's when I was first getting into computer security (as a curiosity more than a career). Those tools have been updated and are still in use today for some things.

It's still a useful cert. I wasn't impressed by the difficulty and it wasn't bleeding edge, but it is still useful.

IronmanX

Will you learn to use tools that only exploit older systems?
Yes
Does learning a tool that can only work against Windows XP systems make that tool outdated?
Absolutely not..........

IronmanX

gespenstern wrote: »

My take is it never been indated to start with.

But it's on DoD 8570 and often mentioned in JDs.

Yes and you will then be certified as an “Associate of (ISC)²”

As mentioned before you can not use the CISSP logo, but I think you could say in a interview that you took and passed the CISSP exam (Any one see anything in the policy about that??).

xxxkaliboyxxx

IronmanX wrote: »

Will you learn to use tools that only exploit older systems?
Yes
Does learning a tool that can only work against Windows XP systems make that tool outdated?
Absolutely not..........

To expand on this, I am currently reading Counter Hack Reloaded by Ed Skoudis (SANS fellow). he published it in 2005! well I'm here to say that the theory and techniques are still the same. That's right, a book writing in 2005 is still relevant today. TBH I think EC-COUNCIL uses the book for their exams lol.

shoot, even most of the tools mention in a book from 2005 are still being used today lol

atippett

IronmanX wrote: »

Yes and you will then be certified as an “Associate of (ISC)²”

As mentioned before you can not use the CISSP logo, but I think you could say in a interview that you took and passed the CISSP exam (Any one see anything in the policy about that??).

The policy says: "Associates of (ISC)² are NOT certified and may not use any Logo or description other than “Associate of (ISC)²”. Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than “Associate of (ISC)²”, in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)²certification.

Please read bolded area

Moldygr33nb3an

Lol how do you even enforce that?

"I took an ISC exam but I can't tell you which one because doing so is a violation of their guidelines."

That's ridiculous. I don't think they enforce it because LinkedIn is littered with these claims.

Honestly if the interviewer was in the business of reporting those kind of violations, they would probably never bother asking the questions. Otherwise, I'd slap "associate of (ISC)²" under your certifications field on your resume.

atippett

Moldygr33nb3an wrote: »

Lol how do you even enforce that?

"I took an ISC exam but I can't tell you which one because doing so is a violation of their guidelines."

That's ridiculous. I don't think they enforce it because LinkedIn is littered with these claims.

Honestly if the interviewer was in the business of reporting those kind of violations, they would probably never bother asking the questions. Otherwise, I'd slap "associate of (ISC)²" under your certifications field on your resume.

http://www.techexams.net/forums/jobs-degrees/125063-poser-says-what.html

This is a good thread to read

PC509

Some certified people, including those that know the rules and are in charge of hiring others, think that a CISSP should adhere by the rules. It's a small thing, but if you're willing to bypass that rule, what other ones would you break? Would I trust you when it came to security?

I have found that honesty and integrity are vital in this industry.

Enforced? I'm sure there are some CISSP's that place some value with their cert. It doesn't take much to make a report.

I'm not a CISSP yet (2018 goal).

Whether or not it's enforced doesn't mean it's not a written rule that comes with the certification. Some people follow the rules, some people don't. Who do you want in charge of your IT security? Someone you can trust. Someone that can follow very simple and trivial rules.

Just my opinion, anyway.

atippett

PC509 wrote: »

Some certified people, including those that know the rules and are in charge of hiring others, think that a CISSP should adhere by the rules. It's a small thing, but if you're willing to bypass that rule, what other ones would you break? Would I trust you when it came to security?

I have found that honesty and integrity are vital in this industry.

Enforced? I'm sure there are some CISSP's that place some value with their cert. It doesn't take much to make a report.

I'm not a CISSP yet (2018 goal).

Whether or not it's enforced doesn't mean it's not a written rule that comes with the certification. Some people follow the rules, some people don't. Who do you want in charge of your IT security? Someone you can trust. Someone that can follow very simple and trivial rules.

Just my opinion, anyway.

Hit it right on the head.

globalenjoi

atippett wrote: »

The policy says: "Associates of (ISC)² are NOT certified and may not use any Logo or description other than “Associate of (ISC)²”. Under no circumstances may they identify which exam they have successfully passed or use any Logo, other than “Associate of (ISC)²”, in any manner. Failure to abide by this rule may result in the candidate being prohibited from ever attaining any (ISC)²certification.

Please read bolded area

This makes me curious to know why anyone would bother taking the CISSP exam if they didn't have the experience... Am I missing something? Is it just completely pointless to even attempt the exam without the years of experience?

NetworkNewb

globalenjoi wrote: »

This makes me curious to know why anyone would bother taking the CISSP exam if they didn't have the experience... Am I missing something? Is it just completely pointless to even attempt the exam without the years of experience?

The DoD accepts the Associate of IS2 for one of their requirements. And I've heard some employers want their employees to take it even if they don't have the experience to get the full CISSP. Other than those two reasons you are correct, there is almost zero point.

ethical-hacker-73

If all you have is a SEC+ plus, then take the CASP. It will qualify as a DoD 8750 credential and will be a mini-CISSP.

I have CEH, CISSP, CISA, SEC+

TechGuru80

ethical-hacker-73 wrote: »

If all you have is a SEC+ plus, then take the CASP. It will qualify as a DoD 8750 credential and will be a mini-CISSP.

I have CEH, CISSP, CISA, SEC+

Depends on what kind of job. The GSLC from GIAC is for IAM 1-3 and the CASP is not so you would have to look at the requirements for the job. CAP is another certification that covers IAM levels.