Information Security

Defending the digital infrastructure



Opinion: Emerging ethical hacker certification may be off-course

Scott Sidel thinks the ethical hacker certification isn't all it's cracked up to be; breaking systems and fixing them is the best approach to learn the ways of the infosec pro.

"I'm a Certified Ethical Hacker."

I feel a bit silly saying that, because the CEH isn't as esteemed as the CISSP or CCNA. Earning the "ethical hacker" moniker is kind of like wearing a t-shirt that says, "I'm a hacker." You either are or you aren't; neither the t-shirt nor the certification is going to make you a hacker.

Even worse, the training I received seemed hardly adequate even for this lowly credential, and the certification exam barely stressed my knowledge and understanding.

My expectations were high when I signed up for Intense School's Professional Hacking course. Based on the brochure, I anticipated six days of continuous exercises in which my classmates and I would scrutinize networks, devise attacks, circumvent security measures and penetrate targets. The challenge, I assumed, would be progressively harder exercises. This, I thought, would prepare me for the International Council of Electronic Commerce Consultants' "Ethical Hacking and Countermeasures" exam.


My instructor was Clint Dupuis, best known for his site -- a preferred reference for CISSP candidates. We were holed up during some of the best days of summer in a hotel conference room. Fortunately, the course wasn't all PowerPoint, and was peppered with several hands-on exercises.

However, frustration quickly grew as the course devolved into one of those "20 countries in 10 days" tours. We covered a lot of ground, but the amount and the level of hacking fell far short of my expectations. Relearning the OSI structure of a packet isn't useless, but I thought we'd focus more on exploiting and smashing the stack. And I didn't find much utility in lectures that simply raised the idea that hackers use packets in unintended and malicious ways. Demonstrations and real-life exercises would have been a much more effective teaching tool.

I itched for a hands-on lab where we would use TCPDump and some packet-crafting tools to create a buffer overflow and inject code. Talking about hacker tools is well and good, but it doesn't take you to the next level of understanding. You can't adequately defend against what you don't thoroughly understand, but you better understand the things you're forced to do.

Where Professional Hacking's exercises were a letdown, its tools and instruction materials were simply disappointing. For some reason, Intense School provided us with tools that haven't been updated or supported in years. I would have liked to have seen exactly how to spoof e-mail from a server you don't own, to have hands-on exercises creating buffer overflows and inserting code, and learning how to defeat a conventional IDS. At the very least, I wish they'd shown me how to spot malicious activity so I can write my own IDS signatures in Snort.

Did the course prepare me for the CEH exam? Perhaps, but I'll never really know. Since I took Intense School's CISSP Boot Camp, I was already familiar with most of the Professional Hacking course material--not exactly inspiring. We spent precious hours on information-gathering techniques, some of which involved casing target companies using Google. Useful, but not cutting edge.

Still, the course did force me to do some things that I rarely do, like a code review on a sample "banking" Web site, trying to find the 10 hidden flaws. And I usually don't get the chance to diagnose several SQL hacks, which covered some new ground for me.

The exam was equally disappointing. My experience and CISSP training were more than adequate to pass the CEH exam. It asked about 50 multiple-choice questions, which ranged from ridiculously easy to amazingly bizarre. Fortunately, Dupuis is lobbying to beef up the test.

If you're having trouble getting motivated to cover the fundamentals of information gathering and protection, then paying a few grand to review hacker methodologies is helpful. The bottom line, though, is you've got to break stuff (and fix it again and again) to be an infosecurity pro -- or an ethical hacker. This course and certification don't meet that expectation.

About the author:
Scott Sidel is a technical editor for Information Security and senior security manager at Computer Sciences Corp.

This was last published in October 2003


1 comment


The EC-Council points out on its website that certification programs are meant to protect the public, not the profession. This opinion piece focused on the role of certification and related training in getting people started with the profession. Is the test out of touch with what’s essential to responsibly practice ethical hacking or do too many people have unrealistic expectations about what CEH will do for their knowledge and career?
