C|EH v6 Security Experts or Monkeys with Tool Exposure

sexion8

I edited and reworded this from a previous post. This will seem like some form of rambling, attack on EC-Council's cert, but its just an opinion. An opinion based on factual information and experience not only with EC-Council, but experience in the industry for well over 10 years professionally in security and too many to count in IT. As I wrote this, I thought long and hard about backlash involved in writing this, the naysayers who won't understand it, many thoughts ran through my mind, but I figured I'd take a hard look at the C|EH v6 since many have asked me about it. Without further ado, let's begin.

Take a common sense, logical view to the C|EH V6 exam. There are now 67 modules associated with the C|EH exam and according to EC-Council, you can take their 5 day course from the hours of 9am - 5pm and pass the exam. The mathematical break down to learn the C|EH if you follow EC-Council: 40 hours to cram 67 modules: 35 minutes per module. Is this realistic? Of course not, yet according to EC-Council's own wording: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Really? Considering there are no pre-requisites, e.g., 1-2 years systems administration, 1-2 years networking experience, an exam taker will have to cram understanding the OSI layer, TCP/IP and networking as a whole in 35 minutes. A miraculous feat in training if you ask me. (http://www.eccouncil.org/Course-Outline/Ethical%20Hacking%20and%20Countermeasures%20Course.htm)

This premise of offering so called practical experience is highly disturbing considering that again, EC-Council makes no mention of candidates acquiring or having any kind of experience in any field be it networking, security, systems, nothing is mentioned. Continuing: Students will begin by understanding how perimeter defenses work and then be lead into scanning and attacking their own networks, no real network is harmed. Students then learn how intruders escalate privileges and what steps can be taken to secure a system.

Now I ask myself, how can a student understand the concepts of role based access controls, permissions, domains, LDAP and other technologies in this amount of time, I mean seriously think about this. How can a student learn to optimally "secure a system" when they're basing their experience on pre-configured lab machines. I've taken the C|EH v5 and I can tell you first hand its filled with tools. All flash no cash. This testing methodology EC-Council is offering conveys a false sense of "security" expertise. A candidate should understand the systems they're "hacking" or "securing" for one, they should know the networking involved with that system down to understanding at an RFC level TCP/IP and the OSI layer to truly understand the technicalities of it all. Otherwise, what is the point of the exam, to point out how many different modules a certifying body can place into an exam? How many tools can the exam creators discover, capture screen shots and label someone an expert at 35 minutes worth of knowledge on the TOOL - not the fundamentals.

The biggest misconception about this entire course is that it will make someone a security expert. While EC-Council may have the best intentions in the creation of the exam, exposing candidates to the different areas of security, the expectations of a candidate truly knowing and understanding even the minimal concepts to pass an exam after again, 35 minutes of teaching on each subject is insane. Snake oil at best. Moving on: Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

I disagree. There is no way I can think of someone leaving this course becoming "experienced" enough to call themselves a C|EH at its concept. What this course will produce is someone with a wide array of useless knowledge, akin to someone saying "I know TCP/IP like the back of my hands, it consists of packets!" Using pre-defined, often outdated tools does not make someone an experienced security professional let alone a hacker, monkeys can be trained to use tools. Because of the nature of the C|EH's structure, one million tools, 3/4's of them obsolete, I can see more security professionals snickering at the exam and the holders of the C|EH (all versions). A devaluation of the security professional.

Right now I'm currently in parallel studies on my own leisure for the NSA IAM, CISM and OPST with my seat for the CISM confirmed in December. From all I've read and learned, I value my OSCP more than the C|EH and look forward to the OPST exam. The OPST is more structured and realistic using real world experience coming from the most respected and trusted names in the industry. The creators of the OPST exam hold a lot more clout and credibility in my eyes than those of EC-Council. These are my two cents. Now, I've been in the security industry now for quite some time in fact, I've met some of my peers who would have been in diapers when I got involved in computing professionally. It doesn't take a rocket scientist to cobble together every security tool under the sun, give a base introduction to said tool, ask two questions on that tool, and label someone an expert.

If anyone ever criticized the CISSP for being a mile wide and an inch deep, I beg them to look at the concept that EC-Council is putting forward. A realistic expectation for someone to take this exam if it truly held its weight would be for the candidate to have at minimum six years experience with a mixture of industry experience, even then with the modules cobbled together, it's not asking for enough. From systems administration, to network administration and design, incidence response roles, programming to truly understand buffer overflows, the pre-requisites could go on and on.

Sadly I see the C|EH imploding within a few years as did the MCSE when everyone began labeling it the "Must Consult Someone Experienced" certification with everyone under the sun with zero knowledge acquiring this certifcation. At the core, EC-Council's concept seems to offer an unparalled level of expertise, but knowing the structure of the v5 exam, its content, after having taken the exam, I truly don't believe it's worth the paper its printed on, nor will the v6 be. Perhaps test takers care solely about the gimmicky "Got Hacked" t-shirts or the telephone book thick like books, whatever the case is, someone would have to be extremely clueless to expect a C|EH v6 to be an expert. Either that, or C|EH v6'ers will be uber security geniuses worthy of PhD's in information security at the end of a bootcamp.

Before many get bent out of shape, be honest with yourself, look at a module:


Module 17: Web Application Vulnerabilities

Web Application Setup
Web application Hacking
Anatomy of an Attack
Web Application Threats
Cross-Site Scripting/XSS Flaws
An Example of XSS
Countermeasures
SQL Injection
Command Injection Flaws
Countermeasures
Cookie/Session Poisoning
Countermeasures
Parameter/Form Tampering
Hidden Field at
Buffer Overflow
Countermeasures
Directory Traversal/Forceful Browsing
Countermeasures
Cryptographic Interception
Cookie Snooping
Authentication Hijacking
Countermeasures
Log Tampering
Error Message Interception
Attack Obfuscation
Platform Exploits
DMZ Protocol Attacks
Countermeasures
Security Management Exploits
Web Services Attacks
Zero-Day Attacks
Network Access Attacks
TCP Fragmentation
Hacking Tools
Instant Source
Wget
WebSleuth
BlackWidow
SiteScope Tool
WSDigger Tool – Web Services Testing Tool
CookieDigger Tool
SSLDigger Tool
SiteDigger Tool
WindowBomb
Burp: Positioning Payloads
Burp: Configuring Payloads and Content Enumeration
Burp: Password Guessing
Burp Proxy
Burpsuite
Hacking Tool: cURL
dotDefender
Acunetix Web Scanner
AppScan – Web Application Scanner
AccessDiver
Tool: Falcove Web Vulnerability Scanner
Tool: NetBrute
Tool: Emsa Web Monitor
Tool: KeepNI
Tool: Parosproxy
Tool: WebScarab
Tool: Watchfire AppScan
Tool: WebWatchBot
Tool: Mapper

63 concepts, tools, methods and counter-methods in this module. 35 minutes per module as inferred from EC-Council's own wording to learn and understand it all. Seconds to learn every tool, concept, method to make you an "expert." When you finish this course please contact me concerning shares of the Brooklyn Bridge at a deep discount.

Don't fret though, before one takes the test, EC-Council will verify where they work. Whether or not they will verify someone's duties and experience in the industry, is an altogether different story. A story I seriously find hard to believe. Good luck in attempting to label yourself an expert at anything in the security field by passing this exam. You'd better have a vast amount of experience which surpasses ISC2's requirements for the CISSP to back it up otherwise a C|EH v6 alone will be worthless no matter how much marketing is put behind it.

C|EH v6 seems akin to someone in medical school studying neurology, coming across a picture of the heart and labeling himself a cardiologist. Not only a cardiologist, but also a neurologist without even finishing up his studies and passing the necessary exams, having the right experience to qualify. Wonder what v7 will be.

J. Oquendo
SGFA, SGFE, C|EH, CHFI, OSCP
joquendo at e-fensive dot net

darkerosxx

Nice post.

I don't see the course making anyone a security expert any more than a CCNA course makes someone a networking expert. It's all marketing jazz, imo. Having said that, I think there is a significant difference between teaching someone hacking technology/theory fundamentals in a week and teaching someone networking fundamentals in a week. Both are near impossible, but one will give you just enough knowledge to possibly go to jail and ruin your life.

I think the class should have some kind of experience requirement, even if it's only 6 months, in an IT or Security related role. This kind of information is not for a person just starting out and I don't think anyone could argue that anyone just starting out would or even should be able to pass the exam to be called a Certified Ethical Hacker.

Daniel333

Wow, that was a long post.

I personally believe all boot camps are scams.

I must argue though the MCSE is still in demand. Monster.com can prove that to you. I can't say the same for the CEH. I don't know if any parallels should be drawn.

I completely agree that an inexperienced person should not even bother.

Like most things, you get what you put into it. If someone uses the certification outlines as a guidelines for their entry level career there is a lot to be gained.

It does seem Ec-Council is out of touch with the industry. What companies/colleges/governments are affiliated with them?

UnixGuy

very brilliant sexion


actually the same goes for most of the certificates. collecting certificates doesn't make you an expert, it just devalue the certificates you have unless you have both the knowledge and expertise.

certificate will never make an expert. I'll never call my self certified microsoft engineer unless and until im confident enough to carry out all the tasks that a systems engineer should do. Including troubleshooting.l

dynamik

Daniel333 wrote:

Wow, that was a long post.

You should check out his other post, which has since been made a sticky: http://techexams.net/forums/viewtopic.php?t=38485

(Sexion, you might want to consider re-posting this new one in that one, so we can have everything in one place. Or maybe ask Johan to merge the threads or something)

Daniel333 wrote:

I personally believe all boot camps are scams.

This isn't a boot camp, it's a REQUIRED course. Which, in my opinion, makes it even worse.

Daniel333 wrote:

I must argue though the MCSE is still in demand. Monster.com can prove that to you. I can't say the same for the CEH. I don't know if any parallels should be drawn.

He's not saying that it's not in demand, just that it isn't as prestigious as it used to be, due to the influx of paper MCSEs. MS has done a lot to restore the certs credibility, and is looking at doing even more in the future (i.e. lab-based exams. Astorrs recently did a beta one).

"Must Consult Someone Experienced" seriously made me laugh though...

darkerosxx

You mentioned it's required and I didn't know that, so I looked it up!

It's required unless you have two years of security experience:

Eligibility Requirements

To be eligible for appearing in the CEH certification examination, you must:

1. Have attended training for the CEH course at any of the accredited training centers. Should you choose to defer taking the examination after your training, and would like to opt for another location; you can apply for the same at a later date at any ATC of your choice by submitting your certificate of attendance to EC-Council.
2. If you have opted for self-study and not attended training, you must have at least two years of information security related experience.

dynamik

Yea, sorry. You can get it waived. I was just speaking from that perspective since I doubt many people would take it if they didn't have to.

sexion8

darkerosxx wrote:

It's required unless you have two years of security experience:

When I did my bootcamps, we had people who had zero - absolutely NO experience w/security even IT as a whole taking the bootcamps followed by the exam. Waiver? Bootcamp provider... In my entire class, there were about 10 of us... Solely ONE person had a little experience because he was a CCE and he didn't care about the C|EH he was there for the CHFI. After the class we spoke and he stated his disappointment for the CHFI.

I'm not knocking the cert believe it or not - neither the C|EH or CHFI, what I'm trying to convey is, take out of it what you will and can, but since one intends on taking it, take it for the right reasons. Take it to learn something. The bootcamps weren't my choice, I had the CISA, CISM, OSCP, CISSP all lined up. ISC2 threw me into hiatus momentarily, CISA conflicted with the OSCP so I swapped it over @ Vigilar for the CISM. NSA IAM is pending me getting off my rear and scheduling it. My purposes for getting the exam, currently I have a process being patented concerning penetration testing. My company is paying for the patents and the certs, so they're hoping to throw me into a kind of CISO role - of which I don't care for. They'd like to be able to state: "Uber certified and patent holding xxxxx presents!" When they release my product.

I seriously hope I don't discourage someone, security can be fun depending on what you enjoy doing. I personally enjoy penetration testing, networking and network forensics(analysis). I have no problem doing other tasks as I've done them anyway including CISO level audits, policy design and infrastructure management. I've also have to play the CISA role and audit our IT system - and no I don't mean a security assessment, I mean a full blown audit, financials, policy reviews, ACL reviews, etc., etc... Security can be fun, for these particular certs, especially the C|EH v6, take your time and learn things the right way. Learn as much as you can, DO NOT solely rely on a bootcamp.

On a brighter note, I discussed this same exact post with Clement Dupuis from Professional Security Testers, CCCure, etc., who's tremendously talented, teaches the course and he offered up some interesting counterpoints many will want to read.

http://www.professionalsecuritytesters.org/article-topic-10.html

My two cents remain... Learn as much as you can for your own sake - for the sake of being what you're projecting yourself to be by acquiring certain certs - a security expert.

More ramblings (I do this a lot)
1) Don't do these courses for the sake of whoring a cert. - Not only will you devalue the talents of others (guilty by certification association), in the long run you will look idiotic NOT knowing what you're supposedly certified in.
2) Don't rely solely on bootcamps - Learn as much as you can on your own, understand common core terms and protocols. In the long run it will help you big time.
3) Take everything with a grain of salt, my original post, my attitude towards this cert, someone else's response to my ramblings... Read between all lines period.
4) Don't believe everything you read - including "requirements"...
5) Make sure when ordering a Black Eye from Starbucks - they don't jerk you a shot of expresso. A lot of caffeine goes a long way when pulling all nighter study sessions under the influence of Front 242, KMFDM, Funker Vogt and Assemblage23[/b]

dynamik

sexion8 wrote:

On a brighter note, I discussed this same exact post with Clement Dupuis from Professional Security Testers, CCCure, etc., who's tremendously talented, teaches the course and he offered up some interesting counterpoints many will want to read.

http://www.professionalsecuritytesters.org/article-topic-10.html

Thanks for being level-headed about everything and sharing alternate viewpoints with us. That's an interesting read.

sexion8 wrote:

5) Make sure when ordering a Black Eye from Starbucks - they don't jerk you a shot of expresso. A lot of caffeine goes a long way when pulling all nighter study sessions under the influence of Front 242, KMFDM, Funker Vogt and Assemblage23

I think that's the most important piece of advice you've shared so far

I haven't heard anyone mentioned KMFDM for quite awhile. I'll have to check those others out.

sexion8

dynamik wrote:

sexion8 wrote:

I haven't heard anyone mentioned KMFDM for quite awhile. I'll have to check those others out.

When I took the OSCP exam, I made a 60 hour playlist of industrial music which started with KMF's "Professional Killer" track... The list contains (still have it saved): Assemblage23, KMFDM, God Module, Azoic, Imperative Reaction, Interface, Juno Reactor, Mind.In.A.Box, Negative Format, November Process, Parallel Project, Psyclon Nine, Run Level Zero, Seize, Suicide Commando, Tactical Sekt, System Syn, VNV Nation, Velvet Acid Christ, XP8, Bach, Mozart, DJ Tiesto, Kanye West How's that for variety... I have about 3-4 songs each but the majority of tracks are grinding 120+ BPM's industrial, noisy, grinding dark tracks.

I took the exam at my office, turned out the lights, with an Altec Lansing system playing at full volume on a Sunday 1PM, I was support to start at 10am but have my timing skewed. I spent about 13 hours straight on the exam, went home, turned on my stereo there, remote desktop'd in to work and finished it up from there. I slept for less than 2 hours as I was upset I had one more machine left. Having one machine untouched sort of ticked me off right until the last few minutes, of which 60 minutes before the exam expiry I had to write my LEO on what I did, why, how, etc. The OSCP was definitely a fun exam and I wish more certification bodies had realistic labs like it.

bashtie

can you give me/us some information or links for the oscp, i searched the forum for it, but there is not really much to any information.

seems to be interesting if there is a task you need so much time for

sexion8

bashtie wrote:

can you give me/us some information or links for the oscp, i searched the forum for it, but there is not really much to any information.

seems to be interesting if there is a task you need so much time for

http://www.offensive-security.com/documentation/offensive-security.pdf (Class Information on page 4 describes the cert challenge to obtain the OSCP)
http://www.offensive-security.com/faq.php#lnk8 (FAQ: C|EH vs OSCP (a))
http://tinyurl.com/xyberpix (review)
http://www.google.com/search?q=oscp+penetration+site%3Alinkedin.com (OSCP on LinkedIn)

(a) Take note: A cert is a cert is a cert. The C|EH is vastly different from the OSCP. C|EH is based on tools. What tool performs what. Knowing what a tool does it different from actually using it in the real world. The OSCP exam focuses on specific tools with real experiences using them. Again: Grain of salt... They both will give you what you get out of them.

UnixGuy

Sexion

Thank you for all your posts and replies, I read all of them and I'm going to follow your advice(s) because they ALL made sense to me. I hope forum moderators will make them sticky posts because they're invaluable. Thanks.

w4nn4b1337

I've also earned the C|EH v.5 certification and can almost come to the same conclusions. However, if you check their website they do claim that the C|EH falls somewhere between the CCNA and the CISSP. They provide a chart of where they believe the C|EH skill sets fall here: http://www.eccouncil.org/certification.htm

In all fairness they do not assume any Joe off the street can take this class and pass this certification. They're assuming you are at the level of knowledge of a CCNA/MCSE.

The C|EH is considered after somebody may be Network+/Security+/A+ certified and then earning the ECcounsils ENSA.

http://www.eccouncil.org/documents/EC-Council%20Certification%20Path%20v2.pdf

It assumes one already has a working knolwedge of the OSI layers and so on. The original post may be accurate with many points but on the idea that EC-Council intends on grabbing any Joe off the street to make them a security pro is false.

sexion8

in·tend
1. To have in mind; plan:

al·low
1. To let do or happen; permit:

Nowhere did I state EC Council plans on non skilled people taking the exam. Do they allow it. Yes. Two distinct differences

zen master

Most of the guys I did the course with were disappointed. I don't know if our instructor or the course is the blame, but I don't feel like I got much out of it.

iowatech

The course I took from Spindustry Training was pretty much bullshit. And that training center is very good and has always had great quality courses. I almost walked (wish I would have) on the second day after realizing that it was just tool after tool after tool after tool with zero depth in anything. And none of the demos worked at all. I couldn't believe how useless the course was.

-end of rant-

rossonieri#1

sexion,

you brought up some valid points here to be consider - although i prefer your point to be in general not specifically CEH exam, but also other cert as well. and, i think a respectable cert like CEH (and perhaps the other cert as well) has been specifically designed so not everyone can join the band. The other certification nowadays is also getting harder & harder even though its only written exam = for example the MS windows MCSA 2000 to 2003 upgrade exam 292 (i've failed this twice myself) - its a beast that no one can pass it easyly. they pretty much require more & more both the theory & hands-on experience.

here are some points that i like :
time - study - experience

Now I ask myself, how can a student understand the concepts of role based access controls, permissions, domains, LDAP and other technologies in this amount of time, I mean seriously think about this

well like i said previously, certification itself is both theory & experiences. by learning certification curriculum in the good way (read the book & doing labs) will also benefits who learned it - eventhough they might not take the exam.

for example : i like MS and cisco curriculum because they thought me from the bottom up - from zero. like you said learn the basic acl, to more advanced context etc. those things are not 1 night reading.

and, the way you break down the time needed for any study : 63 modules and so forth - it convinces me that you are really a pro. so i do like to add you as my friend

cheers!!!

ULWiz

In my opinion the CEH is not suppose to make you a expert. Not sure what person would believe this either. I started looking into the CEH purely for some knowledge on penetration testing and have enjoyed the things i have learned so far.

Enjoyed the post though

rossonieri#1

hi ulwiz,

In my opinion the CEH is not suppose to make you a expert.

yup - agreed. any cert alone hardly makes a person an expert,
but - an expert or master (on their subject) will 65% obtain the cert far easier (the rest is about knowing the exam material).
an expert or a master is what people saying about a knowledgable/know-how person on certain task (not that person alone).

cheers

ps : would you be my friend, ulwiz?

ULWiz

Of course i need friends myself

the_Grinch

I'd say that most places consider the CEH to be entry-level.