Will I get a job with CEH? no expierence?

I am interested pursuing CEH but no expierence. if I take a class and pass the test, what are the chances of getting a job?

Find more posts tagged with

Comments

laughing_man

I think everyone will agree with me in saying the no cert by itself will "get" you a job. A cert helps to validate skills, check a box for an HR person and nothing more really. Sure you learn stuff, but nothing beats experience.

That said, going out and working to get a cert on your own shows initiative, so thats good. Do you work in IT in any capacity now? Say at a help desk or as a support tech? Security is a tough nut to crack as many InfoSec folks move from being sysadmins to working in Security. It pays to know how systems work before you start securing them.

I will speak for myself that I had 5 years experience as a desktop support guy, and then only 18 months as a sysadmin until I moved to Security. I lucked out, but then again, I work as a junior analyst, which is the bottom of the totem pole for our security department. But hey, no complaints from me as it garners good experience. But I also knew folks and that is how I got in.

So I find the key to nailing a good job in IT (security or otherwise) is experience first, who you know is a very close second if not tied, then certs/education. But having CEH won't hurt you.

halaakajan

CEH is a ethical hacking certificate. If i am the employer I will expect that you have mastered Windows OS and/or UNIX OS. You can only secure or make a report of something which you have mastered.

Just an opinion

the_hutch

Most likely not. For starters, it is very unlikely that you will start your IT career in security. And that is all CEH is...a security certification. You'd be better off working on A+ or Network+...starting in a helpdesk and working your way up. I'm not suggesting that you shouldn't go for it, if that's what you are interested in. But its not the best way to start if your goal is to get your foot in the door.

jdubb45

In "my opinion" setup a hack lab, study, and then go for the exam. I don't know if you have a degree or not but i would suggest getting at least a B.S in something related. Realize this isn't the 1990s where large companies are going to spend time training you up or waiting for you to have experience. You will miss your mark waiting. If you can bypass the bull crap why not? You don't want to get a bad taste in your mouth concerning the IT industry trust me! Palletizing/unpalletizing newly imaged PC's over and over, or the best one doing all the PM's busy work is should not be a persons typical idea of working their way into the IT/IS field. I see too many techs with MCSE's, A+, Net+..etc at low end help desk positions while, ungrateful companies take full advantage of them and run them to the ground with low wages and stress. This really messes up their careers in the long run. Meanwhile Mr/Ms MBA degree straight out of the MBA factory with no management experience or enterprise level project management gets to bypasses all the bull of a working entry level and gets to tell you what and how to do it and get more money than you. Plus A+ at what was $18/hr is now $10/hr. Is it worth spending 125+ a cert to make $10? Why not follow IT trends like my lovely Indian folks do. They get what they need in order to get were they want. I love there ethics. How many SQL/CCNP/Programmers from India are starting at help desk? They come in with no expierence but with relevant certs and a degree and start at 50k+. OK enough whining really I would also like to suggest finding a sponsor with your interest so they can mentor you and also endorse you so you can get the SSCP or CISSP. Why start at A+ or Net+? Don't waste time chasing the wind thinking a mcse, ccna, a+,net+ etc is the ticket into infosec. I don't have a mcse, ccna..etc i have a degree and a sec+. Guess what? Im in infosec with no exp, working towards my CEH and CISSP. This is not the route I took but i see it alot. If an English/History/physiology/economist/MBA major can make the switch to a CISSP position with no security experience, so can you!

YFZblu

the_hutch wrote: »

Most likely not. For starters, it is very unlikely that you will start your IT career in security. And that is all CEH is...a security certification. You'd be better off working on A+ or Network+...starting in a helpdesk and working your way up. I'm not suggesting that you shouldn't go for it, if that's what you are interested in. But its not the best way to start if your goal is to get your foot in the door.

Right, but by the time he works his way up and gets an interview with the security team, they'll expect him to have the security credentials to be considered. In my experience anyway..

I started with a large company on the business side, moved to the helpdesk and worked my way up. Eventually I applied for a position as a Security Analyst - The security team essentially asked me to get my GSEC and get back to them.

.02

YuckTheFankees

Everyone has given great advice so far. I'm going to continue on what the majority is saying, it would be nice to get the certification (educating yourself is always important) but with no experience it would be hard to get a security job..especially if you have no I.T. experience. Shoot, about a year ago exactly, I had the mentality "I'm going to become a hacker/ security engineer" without any I.T. experience. I started studying the CEH, but then you realize you need to know networking, Linux, Windows, SQL, BASH, maybe another programming language, etc..all at a moderate level at the very least. I'm not saying it can't be done, but I would focus on learning the "core" material, then moving onto security. I have heard this saying a lot on this forum and I feel like I should repeat it.. "how can you secure something you barely know anything about"..let alone hack into something you know little about.

afcyung

@HLRS

Short answer: no. Long Answer: it depends on what you want to do. Do you want to get into pen testing? If so there are much better and more relevant certs like the OSCP. If you are trying to get into security the best place to start is Sec + or GSEC (if you can afford it). The CEH won't teach you how to pen test either, it covers tools and their functions, nothing more.

If an English/History/physiology/economist/MBA major can make the switch to a CISSP position with no security experience, so can you!

Which I wouldn't expect to continue as a norm. As academia develops Cyber Security degrees and the NSA continues to push its certified MSIA programs the corporate world is going to want people who actually are specialized to fill security positions. Not to mention the potential Federal Laws looming that are going to require certified cyber security specialists. It also depends on what they are doing. They may have an excellent understanding of quantitative risk analysis something a business/economic degree probably covers making it relevant. Sometimes a degree is just proof you were able to complete something over 4 years.

My opinion on the CEH/EC-Council. Its largely a cert you can skip. I am not saying it won't add value to you but there just seems to be better certs in every topic the CEH tries to cover. For general Pen Testing you have the OSCP and the other certs they offer like CTP. You have the GPEN and other SANS Certs that cover other areas of security like the GCIH. When I was preping for the CEH, often I was asking myself, "Ok....why did I just read that exploit about Windows NT?". Even though, someone, somewhere, is still probably using it, it felt largely irrelevant. I didn't feel I was learning anything new, and the new stuff I did learn felt irrelevant. Also the company EC-Council has been getting bad rep for some time. You can search and find posts on this site alone taking about problems they have had with the company. Ethics is important, especially if you a security certifying body, EC-Council seems to have difficulties. Others probably have a different view of the cert, and I hope they didnt feel like they wasted their time like I did.

The problem with security personnel who don't have a Sys/Network Admin background is, they lack an intrinsic understanding of what the network is actually doing, how it functions, and how certain "security practices" can break or impede the functionality of the network to a point of uselessness. Understanding of a GPO and objects in a windows domain is one, of many, critical aspects someone tasked with securing a network needs to know. I work with a few people who are like this and it makes my life painful, they don't speak the language of the job and they don't understand what I am trying to accomplish. Is having a CCNA necessary for breaking into security? Nope, but it will make you a better security professional than the guy without any network knowledge.

I will point you to the sticky in the security cert forum. Pay attention to Keatron's Post. http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html

jdubb45

I agree with what afcyung has said.
Check this out:
https://www.cool.navy.mil/ia_documents/ia_iat_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iam_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iasae_flow.htm

The government is not playing around they want real IT pros not paperpeople

impelse

I used the certifications to get knowledge and work hard to get the experience, if there is a new project I volunteer at work to do it, sometimes is a mess but eventually pay off, you get the change to apply your knowledge.

I took the CEH training from ISSA and know I am taking the OSCP, I did not do any exam yet, I am learning what I can, a lot of companies call me for this training, and I am honest, I do not have real experience in pentest but they see the System/Networking experience, that's complement a lot.

jdubb45

Again keep in mind of your goal. A CISSP/MBA/CISM at my last job (lead migration technician) told me don't waste time going 100 million miles in 100 billion directions. Take a look at these two different jobs. One is a penetration tester. The other is clearly a network engineer.

Penetration Tester jobs - Dice.com (PEN TESTER)

Network Engineer - CCNP/CCNA jobs - Dice.com (NETWORK ENGINEER)

A newly network tech has their work cut out for them they have to start by getting 5-7yrs experience at that current level not one under it. At the end of the day will it lead to security? Why would a pen tester waste his or her time going in the opposite direction when they could have focused their attention on the prize and be on their way to what they really want to be. Does not the material such as SSCP, Security+...etc not cover what is needed to be a basic/intermediate IT security pro? Don't let academia and peoples obsession with following a certain standardization track steer you away from what you want to be. That you have to be an expert or know that system before you can secure it may be true for a MCITP-security focus or CCSP! But what about the person just breaking into it and reporting they broke into it? Do not kids do this with their script kiddy abilities and lack of "standardized" skills? If I want to set up firewalls, VPNs, IPS/IDS systems for a living then I can see learning a specific technology like checkpoint, McAfee appliance, cisco firewalls, etc. You here the claim that a pen tester has to have to have "knowledge" of a lot of different technologies. I agree mainly but mainly core major fundamentals ie.. TCP/IP, Scripting, authentication/encryption methodologies ..etc, not a specific technology unless you want to go that way. So it would make sense to train as a security pro instead of an systems administrator or a net engineer. I'm an assessment engineer at the place i work currently and I use tools such as Nessus, Nmap, wireshark, metasploit, cain/able, xhydra...etc. This is my primary focus, not configuring a firewall, or ips/ids, or setting up a million servers. It's a specialization just like CCDA, or MCITP is. When I'm done with my findings for a client its up to "them" to pass it on to their network, sever, and other various IT personnel. I keep moving on. I keep getting to do what I love to do with my curiosity, and get paid for it.

docrice

I don't mean to hurt any feelings, but I'm going to be blunt - technical information security roles generally require a culmination of experiences in order to be effective at the job. "Doing security work" is not a button-pushing exercise. It's not simply banging commands on a keyboard watching the green-text-on-black terminal window and gaining shell while loud music plays in the background. I think many people find the potential sexy allure of infosec without understanding the overall mission.

For example, if you make a vulnerability assessment you will be considered extremely naive if you take the scanner results at face value without understanding context of the particular business unit / organization and tangible risks. If you can't back up your findings with a thorough explanation of the intricacies of the technology that's affected, you're adding no value. Someone, somewhere will eventually disagree with a vuln assessment finding and you better be able to justify it, otherwise credibility goes down. Reputational damage is a considerable issue in the industry since brand trust has serious marketing implications.

While times are changing and perhaps entry-level security positions are becoming more attainable for those with less-than-ideal experience levels, there is no trust for someone who does not have practical knowledge of how a business works, how messy IT can be, why so many bad-practices are common (with business justification), required processes and procedures, the need to scramble for compliance and taking shortcuts, and generally having been in the trenches.

Far too often these days I see people wanting to get into security without going through the basics of learning to troubleshoot systems and networks. Everyone wants to be a pentester or white-hat hacker. Certifications and / or self-studying will only help, but in no way do they by themselves make someone qualified. There's a lot more to security work than pressing the Go! button on a tool and watching the results flow back.

Networks, systems, applications, and data are a complex weave of interconnected pixels, all constantly changing color and in simultaneous motion. To be effective, you must not only see the larger picture but also dive down to the micro-level and figure out the nuances. This isn't something you learn from a textbook, class, or exams. The real test comes from putting yourself through a living ecosystem that has consequences when one link in the chain breaks. Those consequences include anything from minor annoyance to complete service outages to formal non-compliance issues and legal action. No Cisco class or hacking course is going to teach you to be fully ready for the real-world since you need more than just raw technical skills - the ability to communicate, work in a group, and understand and align with business drivers are just as important. Putting all that together requires experience that just can't be conjured up and experienced in imagination.

People who interview candidates for general IT positions can be discriminating. Infosec folks who interview candidates for IT security positions can be even more discriminating. We've learned that while training and certifications can be a positive thing, they're only indicators. Real on-the-job effectiveness and operational fluency is highly dependent on past work experience in the relevant subject area. You can't fake your way through this, because if we suspect something is amiss, we squeeze the question train even harder. Our job is to vet out the suspicious and validate the remaining. That's our mindset. You're not going to be ready with just a piece of paper representing you.

Pursue the CEH for knowledge and help your curiosity grow, but understand that certifications are not job-qualifiers. It may help mark an HR checkbox in some cases, but your ability to produce results and provide value to the hiring organization is what really counts. Otherwise you'll just end up being another expense on the budget sheet.

Don't mean to burst bubbles, but we all have to pay our dues. I think I might write this up in a more comprehensive rant somewhere else...

(I just noticed that this is post 666 for me - maybe that's why I'm cranky)

SephStorm

jdubb45 wrote: »

I agree with what afcyung has said.
Check this out:
https://www.cool.navy.mil/ia_documents/ia_iat_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iam_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iasae_flow.htm

The government is not playing around they want real IT pros not paperpeople

Very interesting, the way the Navy is doing it. Very unlike the Army. In any case, I have to disagree on the paper-people vs. the IT pro. The dod is full of compliance certs. 8570 in my view will hurt a lot of it pros coming out of the military.

jdubb45

en·try-lev·el (

-l

l)adj.Appropriate for or accessible to one who is "inexperienced" in a field or new to a market:

quinnyfly

Short answer.....no. It seems that experience weighs in higher on a hiring managers list than certs. To increase your employment chances, try and obtain both.

Best of luck, never stop trying, if you have passion, it will eventually happen.

jdubb45

I wish JDMurray would comment on this post.

"BA in Anthropology and MSIT in Information Security. Many years as a music major too."
"IT Certifications: CISSP, SSCP, EnCE, CWSP, CWNA, CWTS, Security+, Network+, Server+, A+, DHTI+, PDI+"

YuckTheFankees

I'm pretty sure he would agree with the majority. Yes it's nice to have a certification but we all know the chance of getting a security job with the CEH + no I.T. experience = < 1%. It's like getting the Comptia Network+ and expecting to get a network engineer job, not happening.

doobies

afcyung wrote: »

@HLRS

Short answer: no. Long Answer: it depends on what you want to do. Do you want to get into pen testing? If so there are much better and more relevant certs like the OSCP. If you are trying to get into security the best place to start is Sec + or GSEC (if you can afford it). The CEH won't teach you how to pen test either, it covers tools and their functions, nothing more.

Which I wouldn't expect to continue as a norm. As academia develops Cyber Security degrees and the NSA continues to push its certified MSIA programs the corporate world is going to want people who actually are specialized to fill security positions. Not to mention the potential Federal Laws looming that are going to require certified cyber security specialists. It also depends on what they are doing. They may have an excellent understanding of quantitative risk analysis something a business/economic degree probably covers making it relevant. Sometimes a degree is just proof you were able to complete something over 4 years.

My opinion on the CEH/EC-Council. Its largely a cert you can skip. I am not saying it won't add value to you but there just seems to be better certs in every topic the CEH tries to cover. For general Pen Testing you have the OSCP and the other certs they offer like CTP. You have the GPEN and other SANS Certs that cover other areas of security like the GCIH. When I was preping for the CEH, often I was asking myself, "Ok....why did I just read that exploit about Windows NT?". Even though, someone, somewhere, is still probably using it, it felt largely irrelevant. I didn't feel I was learning anything new, and the new stuff I did learn felt irrelevant. Also the company EC-Council has been getting bad rep for some time. You can search and find posts on this site alone taking about problems they have had with the company. Ethics is important, especially if you a security certifying body, EC-Council seems to have difficulties. Others probably have a different view of the cert, and I hope they didnt feel like they wasted their time like I did.

The problem with security personnel who don't have a Sys/Network Admin background is, they lack an intrinsic understanding of what the network is actually doing, how it functions, and how certain "security practices" can break or impede the functionality of the network to a point of uselessness. Understanding of a GPO and objects in a windows domain is one, of many, critical aspects someone tasked with securing a network needs to know. I work with a few people who are like this and it makes my life painful, they don't speak the language of the job and they don't understand what I am trying to accomplish. Is having a CCNA necessary for breaking into security? Nope, but it will make you a better security professional than the guy without any network knowledge.

I will point you to the sticky in the security cert forum. Pay attention to Keatron's Post. http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html

I just wanted to log in and give my two cents.. but others clearly have beat me to it... re read this post... he speaks the truth.. and his dod avatar says he's had experience with the craziez..

laughing_man wrote: »

I think everyone will agree with me in saying the no cert by itself will "get" you a job. A cert helps to validate skills, check a box for an HR person and nothing more really. Sure you learn stuff, but nothing beats experience.

That said, going out and working to get a cert on your own shows initiative, so thats good. Do you work in IT in any capacity now? Say at a help desk or as a support tech? Security is a tough nut to crack as many InfoSec folks move from being sysadmins to working in Security. It pays to know how systems work before you start securing them.

I will speak for myself that I had 5 years experience as a desktop support guy, and then only 18 months as a sysadmin until I moved to Security. I lucked out, but then again, I work as a junior analyst, which is the bottom of the totem pole for our security department. But hey, no complaints from me as it garners good experience. But I also knew folks and that is how I got in.

So I find the key to nailing a good job in IT (security or otherwise) is experience first, who you know is a very close second if not tied, then certs/education. But having CEH won't hurt you.

Also good info...

THe answer is NO. For example... im on a mission that has immediate needs. CEH and a few other certs are a good entry to get on the mission.. however experience is the other foot that keeps the door from closing.

no exp.. no play.. and the we have these people that come in with certs... and resumes.. indicating experience.. with no references. We drill them in interviews.. and they get exposed. Cissps... and CEH... (which is more of an entry level cert imo.. we call it the certified skript kiddie... sec+ pt2). Sometimes the certs hurt you b/c people try you in interviews. I say that from experience...

I personally don't respect a cert once a braindump has been confirmed for it... hence you get drilled in interviews.

CEH... for security job.. no..

for helpdesk job yes.... a lot of posters on here seem to want to skip the work experience thing and hop in the cockpit. And that leaves our systems just as vulnerable.. putting noobs in places they don't belong.

I went from sysad to helpdesk/sysad to network/sysad to sysanalyst/security/sysad/networkad/ to vulnerbility analyst to IHnandler.

My sysad time helps me understand the whole ... cve, vulnerability , targeted exploit, fishing/spam mail, hacking, pwned relationship.

you have to have a good foundation to completly understand and respect the security as a whole. Everyone plays their parts down to the helpdesk that first note and handle triage when a system gets poped/pwned.

Good sysad = less surface for attack... bad sysad = vulnerable networks...

As for pentesting... no one wants a newb... its weird but it comes down to you bringing down the network... and i've seen it happen.. and policy's change b/c some pentester took down a network by accident. And no one wants to be caught pentesting... so you gotta be invisible and that takes time.

You wanna pentest.. and get on the red team..

HELP DESK --> sysad (who should perform vuln scans) ---> vuln analyst(50% of the job of pentesting) --> pentester

You wanna b incident handler (you know pcap? if not.. forget about it)

helpdesk --> sysad/network ad (who handles incidents reported to him) ---> IH

you wanna be intrusion analyst (you know pcap? if not... realy forget about it... )

helpdesk/network support desk --> network admin/telecom analyst (who monitors netflow, IDS, analoloies etc) --> full time IDS analyst with no life... HA!!

you wanna be IA? well... thats not hard .. on one likes policy writing... i kid i kid

IA.. can come from COOP positions, sysadmin positions (patch managment wth communication, GROUP POLICY CONTROLS, etc) honestly IA jobs aren't hard to come by .. but require experience in some facet of IT and a cissp.

Cert and accrediation and other jobs that are policy/approval network grading... not hard to come by.. but also require some kinda experience in IT... general and a CEH to understand how people can get in.

tldr: NO.... but it can get you a help desk position that can open doors to sys admin that can open doors to whatever you want to focus in.

doobies

jdubb45 wrote: »

I agree with what afcyung has said.
Check this out:
https://www.cool.navy.mil/ia_documents/ia_iat_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iam_flow.htm
https://www.cool.navy.mil/ia_documents/ia_iasae_flow.htm

The government is not playing around they want real IT pros not paperpeople

this.... this... and this... there is a need to for bodies.. but the way activity has been lately... .gov / .mil is strict as shyt. Rightfully so... ish is not a game.. and recently cyber warfare was used on IRAN... you can see where this is going...

noobs at the wheel?... nawwww.. get your helpdesk job and work your way up. or hit up some dod sponsored CTF events and network.

... oh yeah.. and you might get every cert in the world.. but what about that clearance??..

beads

Security is what you do AFTER you master one of the three pillars of IT (Infrastructure, Development or DBA). Most veteran security practitioners agree!

- beads

HatemTommy

the_hutch wrote: »

Most likely not. For starters, it is very unlikely that you will start your IT career in security. And that is all CEH is...a security certification. You'd be better off working on A+ or Network+...starting in a helpdesk and working your way up. I'm not suggesting that you shouldn't go for it, if that's what you are interested in. But its not the best way to start if your goal is to get your foot in the door.

you took the cream out of the crops
you really said what i felt inside me ..I'm just new here and new in IT life in general but was planning to get certified in A+, CCNA and Linux+ then will kick it in with the CEH

the_hutch

HatemTommy wrote: »

you took the cream out of the crops
you really said what i felt inside me ..I'm just new here and new in IT life in general but was planning to get certified in A+, CCNA and Linux+ then will kick it in with the CEH

Sounds like a decent plan to me. Good luck...

nandan.phirangi

I am CCNA Certified and have 2 years of experience in Network Monitoring and troubleshooting field.

I have interest in Information security. I am planning to pursue CEH.

But I don't have any experience in Info. Security.

Please advise any experienced security professional if I should go for CEH .

impelse

Everything is depend, if you read all the post and you know your IT experience you can have your answer.

Master Of Puppets

Read the whole thread carefully, the answer is in there. Also, notice what docrice wrote.

mantesh

i am desktop support engineer since 2008 will it possible to learn ethical hacker

chopsticks

halaakajan wrote: »

CEH is a ethical hacking certificate. If i am the employer I will expect that you have mastered Windows OS and/or UNIX OS. You can only secure or make a report of something which you have mastered. Just an opinion

Totally agree. You can't hack something you don't know which in turn you can't do protection when you aren't mastering them.

malikbassal

YFZblu wrote: »

Right, but by the time he works his way up and gets an interview with the security team, they'll expect him to have the security credentials to be considered. In my experience anyway..

I started with a large company on the business side, moved to the helpdesk and worked my way up. Eventually I applied for a position as a Security Analyst - The security team essentially asked me to get my GSEC and get back to them.

.02

Hello,
i am from pakistan and my question is, i am interested in ccna and ceh. now i have started training in both, if i get to have lab sessions etc would it help me get a better job in usa? like what sort of job should i hope for? i have also done bba hons in marketing.

E Double U

docrice wrote: »

"Doing security work" is not a button-pushing exercise. It's not simply banging commands on a keyboard

Then it would appear that I've been going about this all wrong.