Published: 01 Oct 2003
"I'm a Certified Ethical Hacker."
I feel a bit silly saying that, because the CEH isn't as esteemed as the CISSP or CCNA. Earning the "ethical hacker" moniker is kind of like wearing a t-shirt that says, "I'm a hacker." You either are or you aren't; neither the t-shirt nor the certification is going to make you a hacker.
Even worse, the training I received seemed hardly adequate even for this lowly credential, and the certification exam barely stressed my knowledge and understanding.
My expectations were high when I signed up for Intense School's Professional Hacking course. Based on the brochure, I anticipated six days of continuous exercises in which my classmates and I would scrutinize networks, devise attacks, circumvent security measures and penetrate targets. The challenge, I assumed, would be progressively harder exercises. This, I thought, would prepare me for the International Council of Electronic Commerce Consultants' "Ethical Hacking and Countermeasures" exam.
My instructor was Clint Dupuis, best known for his www.cccure.org site -- a preferred reference for CISSP candidates. We were holed up during some of the best days of summer in a hotel conference room. Fortunately, the course wasn't all PowerPoint, and was peppered with several hands-on exercises.
However, frustration quickly grew as the course devolved into one of those "20 countries in 10 days" tours. We covered a lot of ground, but the amount and the level of hacking fell far short of my expectations. Relearning the OSI structure of a packet isn't useless, but I thought we'd focus more on exploiting and smashing the stack. And I didn't find much utility in lectures that simply raised the idea that hackers use packets in unintended and malicious ways. Demonstrations and real-life exercises would have been a much more effective teaching tool.
I itched for a hands-on lab where we would use TCPDump and some packet-crafting tools to create a buffer overflow and inject code. Talking about hacker tools is well and good, but it doesn't take you to the next level of understanding. You can't adequately defend against what you don't thoroughly understand, but you better understand the things you're forced to do.
Where Professional Hacking's exercises were a letdown, its tools and instruction materials were simply disappointing. For some reason, Intense School provided us with tools that haven't been updated or supported in years. I would have liked to have seen exactly how to spoof e-mail from a server you don't own, to have had hands-on exercises creating buffer overflows and inserting code, and to have learned how to defeat a conventional IDS. At the very least, I wish they'd shown me how to spot malicious activity so I can write my own IDS signatures in Snort.
Did the course prepare me for the CEH exam? Perhaps, but I'll never really know. Since I took Intense School's CISSP Boot Camp, I was already familiar with most of the Professional Hacking course material--not exactly inspiring. We spent precious hours on information-gathering techniques, some of which involved casing target companies using Google. Useful, but not cutting edge.
Still, the course did force me to do some things that I rarely do, like a code review on a sample "banking" Web site, trying to find the 10 hidden flaws. And I usually don't get the chance to diagnose several SQL hacks, which covered some new ground for me.
The exam was equally disappointing. My experience and CISSP training were more than adequate to pass the CEH exam. It asked about 50 multiple-choice questions, which ranged from ridiculously easy to amazingly bizarre. Fortunately, Dupuis is lobbying to beef up the test.
If you're having trouble getting motivated to cover the fundamentals of information gathering and protection, then paying a few grand to review hacker methodologies is helpful. The bottom line, though, is you've got to break stuff (and fix it again and again) to be an infosecurity pro -- or an ethical hacker. This course and certification don't meet that expectation.
About the author:
Scott Sidel is a technical editor for Information Security and senior security manager at Computer Sciences Corp.