EH-Net
Author Topic: EC-Council validity  (Read 4476 times)
Krizzc
« on: March 04, 2009, 06:57:03 PM »

Rant & Moan Time!

Having been sold a C|EH boot camp on the basis that I would be learning the theory & skills to become a Penetration Tester, at considerable cost to myself (~$4,500), I am now somewhat bemused.

As it turns out I was taught 20-something modules of the v6 course's 67 modules because that is what is in the exam and was expected to learn the rest myself. When I do study the rest of the modules they are filled with as many obsolete tools as there is obsolete/irrelevant information.

I now basically have to shell out more money on something like an OSCP to get any validity. C|EH is cool to tell your friends about but of limited commercial value.

The general opinion, in our traditionally British way, which was backed up by my fellow Czech and American delegates:

a) That EC-Council jumped on the back of the 911 band-wagon and are only interested in making money.
b) The guys on the E|CSA course said you could pass it with C|EH knowledge. So why run the course? The LPT is a license to print money with $500 for no additional input other than another certificate.
c) The fact that there was potentially offensive pornographic material on the v6 DVD was totally unacceptable!

The relatively newly introduced and well hidden requirement to maintain your certification by, one way or the other, lining the EC-Council's pockets doesn't help. This is exacerbated by the fact that by the time I have actually learnt enough to become an 'Ethical Hacker' I would no longer be certified as one.

  If you want 'security professionals' how about providing real-world relevant information that will actually help you protect your companies/clients data and reputation?

  I am under no illusion that any certification will lead you into a job and, furthermore, understand that I need to go out and learn the techniques and information to be an Ethical Hacker and stay relevant. So other than a certificate and a car sticker what did I get for my money?

I still would not be able to get a job as a Pen Tester?
I still have little direction as to what I need to do to become a Pen. Tester other than become a genuine hacker, apply for some jobs and hope for the best?
Shouldn't training be about the dissemination of information and the demystifying of the Hacker myth?

  Is there another body who I should have spent my limited time and $$s on? If so, how do people like the EC-Council survive and shouldn't people within the industry take a stand to ensure that they either improve or disappear? If not, shouldn't places such as this or SANS be instrumental in instigating such a body/training?

  Rant & Moan over

p.s. I hope Don doesn't censor me as it is simply an honest opinion/observation.

Krizzc
MCSE:Security, CCNA, C|EH

Dark_Knight
« Reply #1 on: March 04, 2009, 07:06:00 PM »

I also hold the CEH and I did it through Infosec. In my experience the course depends a lot on who is teaching it. It also served as a good introduction to the world of IT security.

I then did the OSCP101 to shore up the CEH since the CEH is more recognized. There are varying schools of thought on the ec-council though so..........

Look into the OSCP, I guarantee you won't be disappointed.

BillV
« Reply #2 on: March 04, 2009, 07:17:34 PM »

Certainly some bold comments in there, considering the company of this website. Let me see what all I can answer...

Quote
Having been sold a C|EH boot camp on the basis that I would be learning the theory & skills to become a Penetration Tester

The CEH will certainly not make you a penetration tester and is not even advertised as such by EC-Council. If this is how the course was sold to you, then that's exactly what it was - a training center "selling" it to you.

Quote
As it turns out I was taught 20-something modules of the v6 course's 67 modules because that is what is in the exam

Correct me if I'm wrong, but you just stated you attended a "boot camp," which by definition is to prepare you for the exam. Most people will give you advice that you should be familiar with the material prior to attending a boot camp, for the exact reason just mentioned. It would be nearly impossible to make it through 67 modules in a week-long course.

Quote
the rest of the modules they are filled with as many obsolete tools

I've not seen the v6 courseware, but I'll take your word for it. The CEH is meant to be an overall introduction to ethical hacking. To properly understand how everything works, you need to study the history as well. You need to start somewhere, and sometimes that means understanding older tools and older vulnerabilities.

Quote
EC-Council jumped on the back of the 911 band-wagon and are only interested in making money.

EC-Council did form some new things around then, but so did many other organizations as security was brought to the spotlight of everything we do. They are certainly not only interested in making money, they are interested in advancing the information security community.

Quote
The guys on the E|CSA course said you could pass it with C|EH knowledge

I will agree to this to an extent. You need to have further, in-depth knowledge of the tools to pass the ECSA. Can this be done with CEH knowledge, certainly! If you've used the tools enough to know how to use them and how to understand the output. I've always said the ECSA is more of an extension to the CEH than a separate certification. It focuses more closely on specific tools rather than giving you the broad overview the CEH includes.

Quote
The LPT is a license to print money with $500 for no additional input other than another certificate.

The LPT also performs small background verification to make sure you have no criminal record and that you are a trustworthy person. In addition, you have to take the LPT course (or the ECSA/LPT course) to learn not only the business aspect of penetration testing but also the proprietary LPT testing methodology. Hopefully the LPT will require a practical exam soon as well.

Quote
The fact that there was potentially offensive pornographic material on the v6 DVD was totally unacceptable!

I absolutely agree. Please send me a pm with the specific information in regards to this and I will follow-up on it with EC-Council to make sure it gets taken care of.

Quote
The relatively newly introduced and well hidden requirement to maintain your certification by, one way or the other, lining the EC-Council's pockets doesn't help

Again, you're missing the point. This is not to make money for EC-Council. This is to gain accreditation for the EC-Council certifications, thus increasing their value. They are currently striving to earn the ANSI accreditation so that they can also conform to the US DoD/IA standards. Part of ANSI requirements is to have a continuing education program. If anything, you should be happy about this as it should increase the value of your certification.

Quote
If you want 'security professionals' how about providing real-world relevant information that will actually help you protect your companies/clients data and reputation?

I've said this many times, but it really depends on the instructor of your class. If you get a great instructor, they will go above and beyond the CEH material to bring more real-world experiences to the classroom. If you have a bogus instructor, they'll follow the slides/labs and not really add anything to it. Again, the goal of the CEH is to get you acquainted with the world of hacking, not make you a professional penetration tester.

Quote
I am under no illusion that any certification will lead you into a job

Absolutely correct.

Quote
So other than a certificate and a car sticker what did I get for my money?

Hard to say without knowing your background and what sort of experience you have. But there must have been something about the CEH that interested you. Surely within 67 modules there would have to be something there that you didn't know before.

I'm not trying to directly attack you or any of your comments, so please don't take my reply in that way.

Certainly reply with any further comments and I'll do my best to answer anything I can.

BillV

BillV
« Reply #3 on: March 04, 2009, 07:31:17 PM »

Also, on a more personal note, my CEH instructor sucked.

I had followed the advice given on this site by Don back when I was first enrolling in the CEH. He said "ask for the courseware ahead of time." So I did just that and received the books in plenty of time ahead of the class that I was able to read all the books and complete all the labs.

Come to find out, the instructor did nothing further. He walked through the instructor slides and took hour breaks (breaks!) to let everyone do the labs. I was super disappointed and felt similar to what you're feeling - that I just wasted a whole bunch of money on a class I would have been fine without (having just the courseware).

I didn't let it get me down though. I took the additional time to focus on what I somewhat already knew were going to be the important tools. I spent more time working in my virtual lab at home and looked down the road to the future. I look back at it now as an investment in myself. Take what you have learned from the course, and make use of it. Go further on your own and push yourself to learn the new stuff. After all, you are a certified hacker now - shouldn't you be resourceful ;)

You'll get what you put in, and sometimes you just need to put in a little more to get a lot back.

BillV

Ketchup
« Reply #4 on: March 04, 2009, 09:45:31 PM »

I think that the main point of CEH is to teach how to think like a hacker and a pen tester. The course is not designed to make you a pen tester, much less a hacker. What it should give you is an offensive mindset and the desire to further your knowledge on your own.

I define "hacker" as someone who thinks outside the box and solves a problem in a way that is creative and perhaps not common. The reason hackers penetrate a box is not because they were taught how to do it exactly, but because they were taught how to think differently from the programmer that created the software running on the box.

If you learned how to think offensively and differently as a result of the CEH course, it's well worth the money.

~~~~~~~~~~~~~~
Ketchup
don
Editor-In-Chief
Administrator
« Reply #5 on: March 05, 2009, 01:03:40 AM »

This is not spam but a valid opinion... like it or not. So no censorship or deletion required. ;)

Hindsight is 20-20, but did you happen to see my interview with EC-Council regarding v6? I had the same question about the ability to cover all this material in one week. Just in case: http://www.ethicalhacker.net/content/view/190/24/

The CEH is positioned in the certification arena just like the Cisco and MS credentials. It is licensed and available to authorized training centers. That being said, many sell the course in a way that is improper, and the instructor makes all the difference in the world. So one person can have incorrect expectations that are even more blown out of proportion by a bad instructor. On the other hand, another person can have proper expectations on what the course entails and those are surpassed by a great instructor. Such is the game. GIAC certs are less well known but when you take a SANS course, you're pretty certain you'll have a top notch instructor.

As BillV mentioned, I recommend not only requesting the courseware before you arrive but also find out who the instructor is. Google the instructor's name. If you are not satisfied, reschedule. That is in your power as the customer.

Also in your power is to ask for a refund, be rescheduled and/or report them to the BBB (Better Business Bureau). It might also be helpful and might even be rewarded if you report the training facility to EC-Council. It helps every organization to know what their channel is doing or not doing to help the name of their products.

Just my quick thoughts. Hope they help,
Don

CISSP, MCSE, CEH, Security+ SME
Jhaddix
« Reply #6 on: March 05, 2009, 02:18:04 AM »

Hey Krizzc,

I can relate on this. I took my first CEH course in college, and it was BAD. Like really horrible. Outdated tools, bad instructors, and horrible course content. Then I took CBT Nuggets' course which was better, but not great, and VTC's training which was BAD too. (I capitalize bad for a reason)

When I looked further into it I realized there were two kinds of CEH courses. The first being to certify you, prepare you for a test that is shallow, outdated, and boring. The second was to actually teach you something.

Good examples are Sam Bowne's CEH classes and InfoSec Institute's CEH courses.

They add tons of hands on labs, with current tools, hell Sam just added an SSLStrip lab!!

Now I get to teach CEH for my company, and I try and cover everything the test is looking for, but with updated methodology. I'm not a certified instructor mind you, but I make the class fun as hell.

It's all in the instructor, sorry you got a bunk course :/


Krizzc
« Reply #7 on: March 05, 2009, 04:53:39 AM »

Thanks for the responses guys!

Be thankful that most of you appear to live in the US!

Courses for this stuff are very limited in Europe and hence you don't always have the choice of re-scheduling if you don't like the look of the trainer let alone have the option of looking at a Sam Bowne/Infosec course. This isn't especially great even if you want to attend a SANS event as they are much fewer and very expensive.

  The reason I chose a boot camp style training course is due to lack of available time rather than just to get a few more letters after my name. I have a real-world job in Formula 1 and hence spend vast amounts of time travelling and when I am in the UK I am developing/fixing stuff before I go away again. Trying to find a week to do some training is hard enough....

However, my trainer was interesting and tried to inform us about stuff outside the course but all it made me do was question the course material's relevance. We were also informed that EC-Council was formed just after 9/11 and in reaction to it.

Also here is an extract from the v6 'Brochure' on the EC-Council website

Course Description:
This class will immerse the student into an interactive environment where they will be shown how to scan, test,
hack and secure their own systems. The lab intensive environment gives
each student in-depth knowledge and practical experience with the current essential security systems.
Students will begin by understanding how perimeter defenses work and then be led into scanning and attacking
their own networks, no real network is harmed. Students then learn how intruders escalate privileges and what
steps can be taken to secure a system. Students will also learn about Intrusion Detection, Policy Creation, Social
Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5 day
class they will have hands on understanding and experience in Ethical Hacking.

Was it really the training company that set my expectations from the course?

Krizzc

CMonkeyDO
« Reply #8 on: March 05, 2009, 10:13:06 PM »

Just my thoughts take them for what they are worth. . .

To level-set, my goal is knowledge and not a cert.

My introduction to "Ethical Hacking" was through CEH v5 and thought it was a great class.  The instructor added his own "real world" content and the last 1/2 day he put together a capture the flag.  He focused on the best tools for the goal and skipped the others.  It was great. 

On the other hand, I decided to take the v6 version of the class.  The proctor (he didn't instruct) read the slides and, since it was his first attempt at v6 failed at the timing, didn't cover the necessary material.  There was no capture the flag so I'm not sure how I could say that I could do more than download and install the 50 + tools covered.

Based on the discrepancies with my two experiences, I'm not sure whether the first instructor saw the shortfalls of the class and decided to make it something more than it was intended to be or the v6 instructor was just bad (or a combination of both).

With that being said, I then got introduced to the SANS courses through this site. I was never a big fan of SANS for multiple reasons but based on what I was reading I thought I would give it a try. I first took 504 and am currently in 560. Not even considering the difference in the quality of instructors (don mentioned this earlier) the quality of the classes definitely outweighs the ~x2 the price. The courseware is actually usable; not only throughout the class but as a resource when you go home. In these classes there is also a capture the flag, at the end, that isn't trivial. Though these are team events, you will be able to gauge your abilities when you walk away. Based on my experience, these classes are definitely newer but, hands down, more mature compared to ec-Council.

Though I haven't experienced it, SANS at home is said to be pretty good for those that don't have direct access to a SANS event. 

Again, just my 2 cents. . .   


Crosby

georgekenny
« Reply #9 on: March 18, 2009, 04:41:50 AM »

Folks :

I found this blog interesting. As a GIAC and a CEH, let me try to provide my personal opinion.

The tools present in the CEH DVDs are not authored/owned by EC-Council. They are doing a wonderful job of searching latest tools/exploits in the wild and sharing with the community for research purpose. To call them money crazy is appalling. The US Army has mandated the CEH for a very long time and my unit has 6 CEH's!

I have personally seen a lot of hacking tools on the Internet that have obscene images in their GUI. The hacking tool referred here cannot be termed as a pornographic material. Images of Girls in bikini swimsuit on the GUI of the tool hardly make it as porn... if it did South Beach Miami must be the biggest porn infested location stateside :)
 
I hope you read the disclaimer on the CEH DVD's.

"The tools/exploits are distributed as it is found in the wild. These are purely for research/educational purpose.  One should not get offended viewing such images"
 
I wonder if anyone actually wrote to EC-Council? They seem to have an excellent customer service and respond to email within 24 hrs.

Now, as far as the training goes: I was part of many in a hotel location to get my GIAC. Good trainer but they could hardly focus on everyone as there were too many in the location. 2 huge screens and a fast moving instructor. I had to bring my own laptop and there were no tools whatsoever like in CEH. Nothing bad but it was not for everyone. They will not spoon feed you. It was expansive!

CEH was in a location in NYC. 8 students in a class with an excellent Instructor. He was an EC-Council Master Trainer. He had a tremendous amount of knowledge and we got very personal attention.
where. It may not be a bad idea to look out for classes by EC-Council Master Trainers.


Cheers

George

hayabusa
« Reply #10 on: March 18, 2009, 07:55:20 AM »

I'd have to agree with don and the others, in support of EC-Council.  When I took my CEH, I had already done self-study through their materials (both EC-Council text and third party CBT's, etc.)  I went ahead and went to a boot camp, more or less to supplement my learning, and to give myself just a little more time with everything.

While my instructor told us very honestly, on day one, that his main purpose was to get folks to pass the exam (the goal of ALL 'boot camps' in IT,) he also went out of his way to set aside time, both before, after and during down time in each day's class, to cover real-world knowledge, usage and tools. He gave very relevant information, and has stayed in touch with many of us, since the class ended. You have to realize, much of a boot camp lies in the quality and education / training of its instructors. Additionally, you gain contacts in other parts of the industry, with which to spread and share knowledge afterwards, having a common base point to work from. I can't count how many times those contacts have paid off for me, as you'll always have folks to go to, who specialize in different areas of pentesting, code review, etc, and whose knowledge comes in really handy, on short notice. Here, on EH-net, we can benefit from the wealth of knowledge and experience of other members.

But even poorly run boot camps can still result in good opportunities.  This IS my opinion, and is shared by many I work with.  Boot camps offer more than simply training, and although their primary focus is 'certification' and test passing, much can be still be garnered from them, if taken with an understanding that they are, in fact, boot camps.

All of this aside, I'd urge you to contact the provider of the boot camp.  Express your honest feelings to them, regarding what you feel you gained or didn't gain, from their training, and try to help them make their offerings better.  Even if you don't feel technically able to 'better' the training (if you don't feel like you've attained knowledge of a 'master hacker / pentester,) you can certainly offer advice to help them grow their offerings.  While there's no guarantee of change, all we can do is work to better the community, and our opportunities, as a whole.

Thank you, however, for your opinions, and I hope you move forward with your pentesting / security opportunities!

~~ hayabusa ~~ 

"If you know the enemy and know yourself, you need not fear the result of a hundred battles.  If you know yourself but not the enemy, for every victory gained you will also suffer a defeat." - Sun Tzu, 'The Art of War'