I edited and reworded this from a previous post. This will seem like some form of rambling, attack on EC-Council's cert, but its just an opinion. An opinion based on factual information and experience not only with EC-Council, but experience in the industry for well over 10 years professionally in security and too many to count in IT. As I wrote this, I thought long and hard about backlash involved in writing this, the naysayers who won't understand it, many thoughts ran through my mind, but I figured I'd take a hard look at the C|EH v6 since many have asked me about it. Without further ado, let's begin.
Take a common sense, logical view to the C|EH V6 exam. There are now 67 modules associated with the C|EH exam and according to EC-Council, you can take their 5 day course from the hours of 9am - 5pm and pass the exam. The mathematical break down to learn the C|EH if you follow EC-Council: 40 hours to cram 67 modules: 35 minutes per module. Is this realistic? Of course not, yet according to EC-Council's own wording: This class will immerse the student into an interactive environment where they will be shown how to scan, test, hack and secure their own systems. The lab intensive environment gives each student in-depth knowledge and practical experience with the current essential security systems. Really? Considering there are no pre-requisites, e.g., 1-2 years systems administration, 1-2 years networking experience, an exam taker will have to cram understanding the OSI layer, TCP/IP and networking as a whole in 35 minutes. A miraculous feat in training if you ask me. (http://www.eccouncil.org/Course-Outl...s%20Course.htm)
This premise of offering so called practical experience is highly disturbing considering that again, EC-Council makes no mention of candidates acquiring or having any kind of experience in any field be it networking, security, systems, nothing is mentioned. Continuing: Students will begin by understanding how perimeter defenses work and then be lead into scanning and attacking their own networks, no real network is harmed. Students then learn how intruders escalate privileges and what steps can be taken to secure a system.
Now I ask myself, how can a student understand the concepts of role based access controls, permissions, domains, LDAP and other technologies in this amount of time, I mean seriously think about this. How can a student learn to optimally "secure a system" when they're basing their experience on pre-configured lab machines. I've taken the C|EH v5 and I can tell you first hand its filled with tools. All flash no cash. This testing methodology EC-Council is offering conveys a false sense of "security" expertise. A candidate should understand the systems they're "hacking" or "securing" for one, they should know the networking involved with that system down to understanding at an RFC level TCP/IP and the OSI layer to truly understand the technicalities of it all. Otherwise, what is the point of the exam, to point out how many different modules a certifying body can place into an exam? How many tools can the exam creators discover, capture screen shots and label someone an expert at 35 minutes worth of knowledge on the TOOL - not the fundamentals.
The biggest misconception about this entire course is that it will make someone a security expert. While EC-Council may have the best intentions in the creation of the exam, exposing candidates to the different areas of security, the expectations of a candidate truly knowing and understanding even the minimal concepts to pass an exam after again, 35 minutes of teaching on each subject is insane. Snake oil at best. Moving on: Students will also learn about Intrusion Detection, Policy Creation, Social Engineering, DDoS Attacks, Buffer Overflows and Virus Creation. When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.
I disagree. There is no way I can think of someone leaving this course becoming "experienced" enough to call themselves a C|EH at its concept. What this course will produce is someone with a wide array of useless knowledge, akin to someone saying "I know TCP/IP like the back of my hands, it consists of packets!" Using pre-defined, often outdated tools does not make someone an experienced security professional let alone a hacker, monkeys can be trained to use tools. Because of the nature of the C|EH's structure, one million tools, 3/4's of them obsolete, I can see more security professionals snickering at the exam and the holders of the C|EH (all versions). A devaluation of the security professional.
Right now I'm currently in parallel studies on my own leisure for the NSA IAM, CISM and OPST with my seat for the CISM confirmed in December. From all I've read and learned, I value my OSCP more than the C|EH and look forward to the OPST exam. The OPST is more structured and realistic using real world experience coming from the most respected and trusted names in the industry. The creators of the OPST exam hold a lot more clout and credibility in my eyes than those of EC-Council. These are my two cents. Now, I've been in the security industry now for quite some time in fact, I've met some of my peers who would have been in diapers when I got involved in computing professionally. It doesn't take a rocket scientist to cobble together every security tool under the sun, give a base introduction to said tool, ask two questions on that tool, and label someone an expert.
If anyone ever criticized the CISSP for being a mile wide and an inch deep, I beg them to look at the concept that EC-Council is putting forward. A realistic expectation for someone to take this exam if it truly held its weight would be for the candidate to have at minimum six years experience with a mixture of industry experience, even then with the modules cobbled together, it's not asking for enough. From systems administration, to network administration and design, incidence response roles, programming to truly understand buffer overflows, the pre-requisites could go on and on.
Sadly I see the C|EH imploding within a few years as did the MCSE when everyone began labeling it the "Must Consult Someone Experienced" certification with everyone under the sun with zero knowledge acquiring this certifcation. At the core, EC-Council's concept seems to offer an unparalled level of expertise, but knowing the structure of the v5 exam, its content, after having taken the exam, I truly don't believe it's worth the paper its printed on, nor will the v6 be. Perhaps test takers care solely about the gimmicky "Got Hacked" t-shirts or the telephone book thick like books, whatever the case is, someone would have to be extremely clueless to expect a C|EH v6 to be an expert. Either that, or C|EH v6'ers will be uber security geniuses worthy of PhD's in information security at the end of a bootcamp.
Before many get bent out of shape, be honest with yourself, look at a module:
Module 17: Web Application Vulnerabilities
Web Application Setup
Web application Hacking
Anatomy of an Attack
Web Application Threats
Cross-Site Scripting/XSS Flaws
An Example of XSS
Command Injection Flaws
Hidden Field at
Directory Traversal/Forceful Browsing
Error Message Interception
DMZ Protocol Attacks
Security Management Exploits
Web Services Attacks
Network Access Attacks
WSDigger Tool – Web Services Testing Tool
Burp: Positioning Payloads
Burp: Configuring Payloads and Content Enumeration
Burp: Password Guessing
Hacking Tool: cURL
Acunetix Web Scanner
AppScan – Web Application Scanner
Tool: Falcove Web Vulnerability Scanner
Tool: Emsa Web Monitor
Tool: Watchfire AppScan
63 concepts, tools, methods and counter-methods in this module. 35 minutes per module as inferred from EC-Council's own wording to learn and understand it all. Seconds to learn every tool, concept, method to make you an "expert." When you finish this course please contact me concerning shares of the Brooklyn Bridge at a deep discount.
Don't fret though, before one takes the test, EC-Council will verify where they work. Whether or not they will verify someone's duties and experience in the industry, is an altogether different story. A story I seriously find hard to believe. Good luck in attempting to label yourself an expert at anything in the security field by passing this exam. You'd better have a vast amount of experience which surpasses ISC2's requirements for the CISSP to back it up otherwise a C|EH v6 alone will be worthless no matter how much marketing is put behind it.
C|EH v6 seems akin to someone in medical school studying neurology, coming across a picture of the heart and labeling himself a cardiologist. Not only a cardiologist, but also a neurologist without even finishing up his studies and passing the necessary exams, having the right experience to qualify. Wonder what v7 will be.
SGFA, SGFE, C|EH, CHFI, OSCP
joquendo at e-fensive dot net