  Show Posts
301  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: Should I go for GCIH after CEH? on: February 24, 2009, 08:29:51 AM
GCIH was my first choice, but I took CEH because my departmental budget was not finalized.  I am really enjoying the CEH material and look forward to GCIH.  I missed out on the Orlando SANS, but maybe my manager will shell out the cash for the at home training.  Especially since I would be using my own time, but the company's money.  When sending someone to training they weigh the costs of the actual course and how much the employee makes that week.

Once I am done with CEH, I'll take a low approach with Counter Hack Reloaded.
302  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: Should I go for GCIH after CEH? on: February 20, 2009, 08:47:32 AM
Thank you all for the information regarding GCIH.  My team is moving towards a security operations center (CIRT level 1) role and I think once I self study I can get my manager to pop for the cheapest SANS training option.

Thanks for the link to the CNDA application.  I may be able to swing it, as long as their interpretation of US Govt. Agency is loose.  I work for a big company who is good friends with the government and I have enough ties to an agency/program to be able to keep "secrets".

Does anyone have experience with converting a CEH to CNDA?
303  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Better Hacking tools = Good or Bad? on: February 20, 2009, 08:27:05 AM
Your opinions reflect my thoughts exactly.

When it comes to exploit development I can't even comprehend that one being illegal. That just blows my mind (silly Germany).

From what I read those whacky Germans took a broad brush stroke to paint the laws.  It's like trying to end war by outlawing anger.
304  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Better Hacking tools = Good or Bad? on: February 19, 2009, 12:48:05 PM
Let me paraphrase Michael Gregg from the Exam Prep CEH.  Script kiddies are like a series of furious shotgun blasts and true hackers are like a well placed shot in the night.  Basically, give a script kiddie a tool and they will make a lot of detectable noise while using it.  Letting these automated tools get in the hands of unskilled script kiddies should not be of much concern because, as security professionals, we should have protected ourselves and our companies from the herd of elephants.

In response to giving the tools to Admins, nothing will replace the skills of a security expert.  Admins may be able to use the tools to spot check their systems, but in order to properly plan and protect they still need us.

Just my quick two cents.
305  EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-February 2009 Free Giveaway Sponsor - Offensive Security on: February 19, 2009, 09:02:53 AM
The contest has definitely changed me from a casual lurker, to a member, and frequent poster.  Every day I discover a new sub board, ask new questions, make new answers, and discover an article I have never seen before.

I'm well impressed with the site.

Thank you!
306  Ethical Hacking Discussions and Related Certifications / General Certification / Re: A question on becoming CEH certified on: February 19, 2009, 08:31:13 AM
Welcome to the CEH track.  I am on the same track myself.  I think that would be a good option, but since you have a limited budget I will recommend the cheapest options first rather than spending a ton of money up front.  Check your local library (either county or college), for $1.50 in late fees you can get a good CEH education.  I would highly recommend the CEH Official by Kimberly Graves to give you a good understanding of what you need, then for a deeper dive you have the Exam Prep CEH by Michael Gregg.  Gregg gives a really good explanation of everything you read in the Graves book and then some.  Including exercises at the end of each chapter.  I haven't been through the exercises yet, but I would imagine if you just downloaded Backtrack you would be able to follow along.

If you are unable to locate the books at the library then you may be able to use Craigslist or Freecycle to get the books for free.  (Information Security is all about giving back!)

If you are employed in a technical role, you may be able to get the company to purchase the materials for you.  At the very least see if your company has access to Books24x7.  There are a few CEH books on there and they add new books each week!

I am lucky that where I work there are others who have taken the CEH, we have Books 24x7, I have a good college library, and my company also provides money for a training budget.

Good luck and don't give up your dream!
307  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Scheduled CEH for March 20th on: February 18, 2009, 10:38:01 AM
It may be good to consider a virtual machine as your attack box so you could switch between your attack box with XP and your Linux box with ease. Just wanted to say good luck in advance! Let us know how you do.

Thank you for the luck.  I'll post a full review after the test.

I've considered that.  I would just need some more RAM.  Speaking of virtual machines, does anyone have recommendations?  I used to use an open source software which had a bunch of preconfigured images.

Oh, I just remember Backtrack having a virtual machine configuration... hhmm...

Thanks!!!
308  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Anybody have experience in helping residential wireless customers get secured? on: February 18, 2009, 08:11:06 AM
<devil's advocate>
Personally, I think this business model based solely on residential pen testing is a horrible idea.  It's not just you.  I used to frequent the Netstumbler forum where every week a different newbie discovered Netstumbler and came up with the same plan.  Think about it from the user's perspective.  If they would have cared enough to set up encryption then they would have read the quick start guide that came with their hardware.  All routers I have set up come with it, you don't even need to read the bigger manual.  I don't know why someone would decide to pay $25 or $50 for it (Well, unless some helpless grandmother was cornered by the Nerd Herd).

Additionally, a business model based only upon securing wireless access points is not going to earn you much.  Maybe you should consider doing a basic computer service, which might include anti-virus update / installing patches / removing spyware / scandisk-defrag-del temp files.

I don't think starting your own business is a bad idea, just look at it differently.
</devil's advocate>
309  Ethical Hacking Discussions and Related Certifications / General Certification / Scheduled CEH for March 20th on: February 17, 2009, 01:24:38 PM
I'm all set for the CEH V5 on March 20th, a little over a month away.

I've read the official CEH book by Graves, viewed the Career Academy video series, and I started reading the Exam Prep CEH by Michael Gregg.  I plan on working the lab exercises from Exam Prep on my lab (w2k3 DC, w2k3 ISS and MSSQL, my attack laptop with WinXP), while considering if I want to install Linux or just use a live CD on another PC.

I do vulnerability scanning, so I am familiar with NMAP and various vulnerabilities and exploits.  I've used Ethereal (Wireshark) and I am comfortable with them.  I plan on focusing on Snort, Nessus, and Metasploit.

I am feeling really good about this.
310  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Certification MCSO Brazil on: February 16, 2009, 12:50:21 PM
Hello, I am studying for this certification.

It is for managers of information security, has strong recognition in Brazil.

The test has 140 questions, $250 or R$548 reais

Topics

Information security concepts
risk management
policy of information security
classification of information
business continuity management
physical security and operational
management of people in information security
laws and regulations and ethical standards
organization of information security
cryptography and public key infrastructure
access control
security in networks and telecommunications
security in hosts
architecture and security models


see you

Sounds a lot like CISSP.  Brazil has a count of 238 current CISSPs.
311  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Should I go for GCIH after CEH? on: February 12, 2009, 11:45:31 AM
I am burning my way through CEH self study and I am going to test in a few weeks.  I wanted to know if it would be worth my while to also go back for GCIH.  GCIH was my first pick for my next certification, but due to department budget issues not being resolved, I went with my second choice.  Is there a lot of overlap in CEH and GCIH?  I've been told that GCIH focuses more on defense and incident response, where CEH is more of attack (which is what I am finding).

Your opinions are appreciated!
312  Ethical Hacking Discussions and Related Certifications / Incident Response / What are your recommendations for Incident Response books? on: February 11, 2009, 11:35:15 AM
I was planning on going for GCIH, but our company's budget hadn't gone through, so I moved to my backup plan for CEH.  I still want to get a grasp on IR doing self-study with hopes of getting my company to send me to GCIH training.  I wanted to start reading Counter Hack Reloaded, but wanted to know what other recommendations everyone has for IR.

Thank you!
313  Ethical Hacking Discussions and Related Certifications / General Certification / Re: certification free? on: February 11, 2009, 08:34:07 AM
The best way I found to get free certifications is to find a company that is willing to pay for them!  A lot of companies are willing to refund you for certifications that you pass; just ask your boss or HR department.

That is always a good option.  Even with the lowest paying help desk jobs they paid for certifications.  Other than that, most companies would require you to stay a year, or pay them back, and the cert should be related to your duties.
314  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: What video series and books do you recommend for CEH? on: February 10, 2009, 08:28:34 PM
For practice questions use:

Pass 4 Sure v2.73-4 test questions

Careful that you don't lean on those too much...

Thanks for the advice.  I do not like to use practice tests a lot.  I use them as just a quick check to see if I need to improve in any areas.  I do not like to rely on them as the gospel of how the test will be.
315  Ethical Hacking Discussions and Related Certifications / General Certification / Re: certification free? on: February 10, 2009, 12:26:46 PM
The only free certifications I have seen that are actually worth something tend to be the beta certifications where they give you the certification if you pass the test.  I think Microsoft does this and one other group....

Free training on the other hand is around if you look for it.  There are videos on YouTube, of course like http://www.youtube.com/user/fslabs.  These combined with Real Player plus and you can download the videos (or use some other free tools from www.sf.net).  For a variety of infosec how to's I would recommend Iron Geek's Hacking Illustrated guide (http://www.irongeek.com/i.php?page=security/hackingillustrated).  Yes, his speech is unique, but do not underestimate the information.  Another one of my favorite video sites is the CERT Virtual Training Environment https://www.vte.cert.org/vteweb/.

Listening to podcasts like:

* Security Now! - http://grc.com/securitynow.htm
* PaulDotCom Security Weekly - http://www.pauldotcom.com/
* Crypto-Gram Security Podcast - http://crypto-gram.libsyn.com/
* Network Security Podcast - http://netsecpodcast.com/
* CyberSpeak Podcast - http://cyberspeak.libsyn.com/
* Hak5 Video Podcast - http://www.hak5.org/
* Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com/
* SearchSecurity Podcasts (including Security Wire Weekly) - http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1146071,00.html
* The Silver Bullet Security Podcast - http://www.cigital.com/silverbullet/

Reading, your local library may be surprisingly up to date on books.  You could get a lot of security training for $1.50 in late fees.

Also read blogs, learn from others.  One of my favorite blogs is the Security Monkey over at Toolbox.  Look up all his old case files and watch him catch the bad guys with his faithful sidekick Scraps, http://it.toolbox.com/blogs/securitymonkey.  Also Security Bloggers Network is an RSS feed for security blogs, http://networks.feedburner.com/Security-Bloggers-Network.

EDIT:  I forgot there are plenty of user groups out there where you can join for free, Linux User Groups (LUG) or even the shadier side of hacker groups like Binrev (www.binrev.com/forums) or 2600 (www.2600.com).

Oh, also, you can use/abuse book stores which carry information security magazines.  They won't kick you out for reading a magazine, like Hakin9.

Whew, that was a lot of information.  Maybe I should make an article about this.