Interesting blog bashing the CEH cert

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Wed Dec 13, 2006 4:36 am

Interesting blog bashing the CEH cert

Wow, I was surfing the net searching for additional information on the CEH cert and I stumbled upon this blog.

http://blogs.ittoolbox.com/security/investigator/archives/run-away-from-the-ceh-certification-9639

What's your opinion about the CEH cert?

As for my opinion, it all depends on how you approach studying for this cert. I've used ethicalhacker.net and its members' recommendations and advice and learned a lot so far. I have taken the self-study approach and have read a couple of books related to ethical hacking besides the CEH courseware, and I've also set up a virtual lab at home, and I'm glad to say that I'm having a blast. Like Don has said before, it is important to study more than one resource for any given certification.

I know that the CEH is heavily focused on hacker tools, but it is essential to know what hackers are using as their arsenal for attacking their targets. Look at it this way: I'm a security analyst, and studying for the CEH has helped me detect and identify tools that hackers might be using against our clients. For example, one of our clients was being hit by a high amount of SYN-ACK packets coming from interesting ports without ever sending SYN packets to initiate the connection. After reading about different scanning options in Nmap, I could, as an initial analysis, speculate that the attacker is performing an "idle scan", spoofing the IP of our client's machine for reconnaissance purposes against the target host that is sending the SYN-ACK packets, thus making our client a victim of a third-party effect. Without prior knowledge of the tools that hackers use, I probably couldn't make such an assumption. Remember, to catch a hacker, you got to think like a hacker.
Security+, OSCP, CEH
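The detection logic behind the post above, written out as an added example (this is not code from the forum post or from any tool it mentions). It replays a constructed packet log and flags inbound SYN-ACKs that no outbound SYN from the monitored network explains, then groups them by the host sending them. A single host sending unsolicited SYN-ACKs from several ports, each answered by a RST from our side, is the pattern the post describes: our address is being used as the spoofed source in someone else's scan of that host. The `CLIENT_NET` range, the packet tuples and the threshold are all assumptions made for the example.

```python
"""Flag inbound SYN-ACKs that no outbound SYN of ours accounts for.

Constructed example: packet records are (time, src, sport, dst, dport, flags)
tuples, the fields a sniffer or flow log would give you. CLIENT_NET is an
assumed monitored /24 taken from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("192.0.2.0/24")  # assumed: the client network we monitor

# Constructed packet log (not real traffic): flags are "S" SYN, "SA" SYN-ACK,
# "A" ACK, "R" RST.
PACKETS = [
    # a legitimate three-way handshake started by our host
    (1.00, "192.0.2.10", 51000, "198.51.100.5", 80, "S"),
    (1.02, "198.51.100.5", 80, "192.0.2.10", 51000, "SA"),
    (1.03, "192.0.2.10", 51000, "198.51.100.5", 80, "A"),
    # SYN-ACKs from 203.0.113.7 on several ports that we never asked for;
    # our host has no such connection and answers each with a RST
    (2.00, "203.0.113.7", 22, "192.0.2.10", 40001, "SA"),
    (2.00, "192.0.2.10", 40001, "203.0.113.7", 22, "R"),
    (2.10, "203.0.113.7", 443, "192.0.2.10", 40002, "SA"),
    (2.10, "192.0.2.10", 40002, "203.0.113.7", 443, "R"),
    (2.20, "203.0.113.7", 3389, "192.0.2.10", 40003, "SA"),
    (2.20, "192.0.2.10", 40003, "203.0.113.7", 3389, "R"),
]


def find_unsolicited_synacks(packets, client_net=CLIENT_NET):
    """Return inbound SYN-ACKs with no earlier outbound SYN on the same 4-tuple.

    Each returned item is (time, remote_ip, remote_port, local_ip, local_port).
    """
    outbound_syns = set()
    unsolicited = []
    # process in time order so a SYN is always seen before its SYN-ACK
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if ip_address(src) in client_net and flags == "S":
            outbound_syns.add((src, sport, dst, dport))
        elif ip_address(dst) in client_net and flags == "SA":
            # a SYN-ACK to us must mirror a SYN we sent: swap the endpoints
            if (dst, dport, src, sport) not in outbound_syns:
                unsolicited.append((ts, src, sport, dst, dport))
    return unsolicited


def summarize_by_source(unsolicited, threshold=3):
    """Group unsolicited SYN-ACKs by the host sending them.

    Hosts that sent them from at least `threshold` distinct ports are reported;
    that is the signature of our address being spoofed against that host.
    """
    per_host = defaultdict(set)
    for _ts, src, sport, _dst, _dport in unsolicited:
        per_host[src].add(sport)
    return {host: sorted(ports) for host, ports in per_host.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    hits = find_unsolicited_synacks(PACKETS)
    for ts, src, sport, dst, dport in hits:
        print(f"{ts:6.2f}  unsolicited SYN-ACK {src}:{sport} -> {dst}:{dport}")
    for host, ports in summarize_by_source(hits).items():
        print(f"{host} answered us from ports {ports}; our address is likely "
              f"being spoofed in a scan of that host")
```

The legitimate handshake at the top produces no alert because its SYN-ACK matches a SYN we recorded; only the three replies from 203.0.113.7 are reported. On real captures you would also want to expire old SYN entries and tolerate retransmitted SYN-ACKs, which this example leaves out.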

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Dec 13, 2006 9:33 am

Re: Interesting blog bashing the CEH cert

Wow, that made the EC-Council look like a bunch of money-grubbing hacks. Discounting the fact that some of those posters might have been ex-instructors, I wasn't that impressed with Bavisi's post, or the person claiming to be him. The "Mile2" president had a much more professional and concise response. That aside, it confirmed my belief that the CEH cert is just learning a bunch of tools, but I will reserve final judgement until I take the course and exam. I think everyone on this forum should read that blog flame. Of course, apply the usual internet skepticism. But I can't help reading it and thinking that the EC-Council are scamming chumps who put out outdated courseware with lots of errors.

Kev

Post Wed Dec 13, 2006 10:58 am

Re: Interesting blog bashing the CEH cert

The idea of the CEH is to be a supplement for someone that already has good skills in networking and operating systems. I have never seen it as a "stand alone" kind of cert. If you have a high degree of knowledge in networking, etc., and then gain a lot of knowledge about the most common hacker tools, you will have grown a great deal. You should have increased your ability to secure your network immeasurably. Does having a CEH cert mean you are now some leet haxor? No way! But this industry needs some kind of structured approach to this dark art, and that's why I support the idea.

LSOChris

Post Wed Dec 13, 2006 4:08 pm

Re: Interesting blog bashing the CEH cert

Wow, heated discussion on that blog. I remember seeing that when it came out back in May/June.

I'll throw my opinion in here about it.

*I think there are very, very few certs out there that should bring the word "expert" to someone's mind when they see it in someone's signature block. Ones like CCIE and the RHCE come to mind. Ones like CEH, CPTS, CISSP, etc. do not come to mind. They should mean to someone that they have a broad general knowledge of those types of subjects and that they passed a test demonstrating that.

*All certifications are out to make money; no cert vendor does anything not to make money. It's stupid to sit there and say that company X is only doing this for the money, or company Y is greedy. They all want to make money with their cert.

*If I recall correctly, and I may be wrong, aside from some of the SANS training and certs, CEH was the first mainstream attempt at a hacking cert. If anyone has never tried to write any type of course, lesson plan, or documentation, I can say from experience that it's hard and takes a LONG time to do it right. Does that excuse EC-Council from plagiarizing and lack of grammar in its text? No, but as someone who has written course material I can see how it could come about. It's also very easy to come after someone has written courseware and say that it sucks and how they could do much better (Mile2--and they did), but it's much harder to actually CREATE that material in the first place.

*I have said it before and I'll say it again: a 5 day bootcamp is not going to make anyone an expert. And it seems like a lot of the comments in that blog are from people that thought they would be coding up exploits and hacking the planet on day 6; that's just silly.

*Also, from experience with bootcamps, I doubt that most people really have the background required to get the most out of a real hacking course. While this doesn't condone just teaching tools, again I can see how you can get led down that road. You could spend a whole week talking about networking before you ever get into using tcpdump or Ethereal, and really understanding how a packet crafting tool works and what it can really be used for--that could take another week.

*Teaching exploits on old OSes. This one comes up a bit all over the place. An exploit is an exploit is an exploit... a remote exploit on Windows 2k in the grand scheme of things is the same as an exploit on Windows 2003. If you aren't going to go into painful detail on the differences of exploiting things on the different OSes, then getting a remote shell on a Windows 2000 box is the same as Windows 2003. What you do with that shell is really what's important, and not really discussed in any of those courses in great detail. Another good reason is that there aren't that many reliable exploits for win2k3 out there in the wild.

I guess that's enough of that; I am interested in what other people think about the blog. Frankly, I think people expect too much out of a 5 day course and expect to be spoon-fed all that knowledge at the same time. Becoming a good security professional takes YEARS of work, studying, breaking things, getting stuck on a problem and working through it, and just having the interest to keep plugging on through it.

Hope that makes some sense and helps someone...

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Dec 13, 2006 5:11 pm

Re: Interesting blog bashing the CEH cert

I had no idea the blog was that old. I don't disagree with anything you've said. I do expect one thing however with certs, and that's credibility. I expect the group that creates the cert to be legitimate and not some "diploma mill" type shadow corporation. I'm not convinced either way on the EC-Council; however, I'm starting to doubt them. Establishing credibility is much easier for vendors, because people know the product; however, it takes more for vendor-neutral groups like CompTIA or ISC2 to appear on the up and up. And with SANS, you know the instructors, and they are fairly well respected in the security community. I don't see that with the EC-Council at all.

Also one thing I don't like about the curriculum is the glut of tools. Nobody uses that many tools. At least nobody I know. They should purge a lot of them and only focus on a few best in class ones for each particular scenario.

For me an ideal cert would display the following qualities:
- Industry wide respect
- Difficulty level should match a bell curve (i.e. 90% shouldn't pass with high scores)
- Be current and error free
- Align with skills that are in demand
- Include a lab or real world component
- Include an experience requirement

Also a big bonus would be if they made an effort to prosecute test sites that are selling their exam questions, which in effect devalues everyone's cert.

So how many certs out there meet these criteria? Probably only a small handful.
Last edited by oleDB on Wed Dec 13, 2006 5:12 pm, edited 1 time in total.

LSOChris

Post Wed Dec 13, 2006 5:24 pm

Re: Interesting blog bashing the CEH cert

oleDB,
excellent comments and I agree with you completely...

It is crucial for a cert vendor to not be a cert mill and to be on the up and up.

They should trim down the tools; you don't need to discuss 10 different port scanning tools when most people use nmap.

Now, one thing I forgot to mention is that while EC-Council "certifies" the instructors to a point (I think they have to take an official CEH class and pass the test), if people are getting crappy CEH training it's not necessarily EC-Council's fault; it's the company that is conducting the training. EC-Council should definitely respond to complaints and either take away that company's ATC status or decertify that instructor if they aren't on the up and up.

Kev

Post Wed Dec 13, 2006 8:20 pm

Re: Interesting blog bashing the CEH cert

I had one other thought on this subject. I don't think it really matters who the EC-Council is and where they are located. So what if they are incorporated in Nevada, which is wise from a tax perspective anyway. What matters is whether their test is a valid way of determining if someone has at least the basic skills of what it takes to be an ethical hacker.

I would agree that as far as a place for education, they have proven to be poor at best. The material they provided was not well laid out at all. This never bothered me because I never looked to them to teach me how to hack. Most of the boot camps being offered are from independent schools that, while they might be EC-Council approved, are not the EC-Council. Hacking is an art! It takes years to be good at. Would you think you could take a 5 day class at the Juilliard music conservatory and then be a concert pianist?

To me certs are just an indication of a basic skill level. Just like someone that just graduated from medical school. Does that mean that doctor knows everything and you would trust him to operate on you? No, he needs to do his internship and keep growing.

I have known a number of very experienced network admins that have taken this test and have felt it was very valid, including me. I have yet to meet someone that has taken this test and has passed it that has said it was a hoax or had no value. There are a number of CEH people on this board and some have been involved with computers for years, and I have yet to see a post where they felt the CEH was a joke. If you have taken the CEH test and passed it, but felt it had little value as a gauge of at least basic skills, please post on this thread!

So again, I don't care about the EC-Council and who they are so much as I care about the validity of their test and how it is a gauge of a candidate's basic skill level. Is it valid? I would say yes, it is valid and as valid as any other cert, and it seems to be even getting better.

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Dec 14, 2006 12:29 pm

Re: Interesting blog bashing the CEH cert

I couldn't disagree with you more. Does a Comp Science degree from MIT or South Hampton Institute of Technology hold more value or credibility? I think you know the answer to that. It's for that same reason I'm pursuing a graduate degree from a well known school over several years, while watching my coworkers get an MBA/Masters in 1 year by writing a life paper, attending classes that count as 3 credit hours but only meet once, and getting a diploma with a college name on it nobody has ever heard of. Credibility counts. By your logic, if I created a kick ass cert and named it Certified Elite Hacker by the ODB Council, it would hold the same value as a real CEH, just because I made the test interesting and valuable. So I would personally like a little more transparency on who the EC Council is and what their qualifications are exactly. The blog flame cast serious doubt on them as a bunch of name droppers and possible scammers. Also, just to make it clear, I'm not bashing the test itself, as I have never taken it. I will defer to your guys' knowledge; however, it appears early on errors have been a problem, which happens occasionally with other certs as well.
Last edited by oleDB on Thu Dec 14, 2006 1:19 pm, edited 1 time in total.

LSOChris

Post Thu Dec 14, 2006 1:37 pm

Re: Interesting blog bashing the CEH cert

Graduate schools and colleges have to be accredited to verify that what they are teaching is worth putting on a diploma.

Certifications, to my knowledge, do not have a governing body to regulate and ensure that their certs are worth a crap, except for the security community or industry. There might be boards and groups like CompTIA or ISC2, but they only govern their OWN certifications, not others or the whole body of certifications out there.

Personally I don't care if EC-Council is some dude in Micronesia just making bank; if the community/industry thinks that the concepts you are supposed to know are relevant and that the test actually tests those concepts, then that is what should be important. And right now it seems that at least part of the security certification community thinks they are.

I think if your credibility is uncertain you won't get the community behind you, though. I do agree with you that it would be nice to have a bit more information on who EC-Council actually is.

Kev

Post Thu Dec 14, 2006 6:51 pm

Re: Interesting blog bashing the CEH cert

Well, I once read a blog that claimed that all of us humans were being raised for alien food. Internet anonymous blogs really have little value to me no matter how well written they might be. Anyway, I think I need a little more credible independent research before I jump to any conclusions or develop grave doubts. I still maintain that I have heard only good things from people that actually have had dealings with the EC-Council. Their test is credible and it's not something you just send them money for. A diploma mill makes it easy to get a diploma by just paying them money. The EC-Council test is not a lay down. It's not easy. You have to have a reasonable amount of knowledge to pass it. I am reserving judgment until something a little more substantial is revealed about them rather than some internet anonymous blog. Perhaps Don can request a spokesperson from there to make a post?
Last edited by Kev on Thu Dec 14, 2006 6:53 pm, edited 1 time in total.

skel

Jr. Member

Posts: 60

Joined: Wed Aug 30, 2006 11:31 am

Post Fri Dec 15, 2006 3:53 am

Re: Interesting blog bashing the CEH cert

Agree with Kev about how dependable an anonymous blog is. But this thread has raised some interesting questions and proper answers have not been forthcoming. (I agree that the staff of the EC Council cannot be replying to every blog entry.)

Looks to me like EC Council has its own dark corners and has not come clean out of them.

Eg : While the reply by Jay Bavisi states that
"The team in the US is based out of Laramie, Wyoming (where ECU licensed was granted).NY is a mere call answering service."


See the following press release - last Para http://www.eccouncil.org/pressroom/ecc-gk-press-release.htm

About EC-Council :

The International Council of Electronic Commerce Consultants (EC-Council) is a professional organization established in USA, with headquarters in New York hosting members and affiliates worldwide.


This blog also talks about the quality of the official text and I commented on this copy-paste style text book on a previous post just after completing my exam. http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,702.0/
Even before seeing this blog I felt these textbooks were far below the standard expected of a professional body.

My two cents on the topic is: a professional body which promotes ethics has to practice ethical standards above all. It seems that EC Council has not done that.

Since there is worldwide recognition of EC Council now, they should clean up their act at least now.
Skel

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Dec 15, 2006 8:38 am

Re: Interesting blog bashing the CEH cert

I found that blog and posted a reply somewhere near the bottom. After doing so, I found that you can go to ECC's site and maneuver your way to 'Press Releases.' That has some information in there that counters a lot of arguments from that blog against ECC. Also, CEHv5 is written much better than v4.
