Certified Ethical Hacker?

Friday, April 30, 2010

Rod MacPherson


I know that this post is a little newbish for this audience, but it's simply a repost from my own blog http://rodstech.blogspot.com which is aimed at less technical users.


Yes, there is such a thing.

Although, I'd say that it certifies neither that you are a hacker, nor that you are ethical.... but it does show that you have been exposed to a wide variety of tools that malicious hackers might use to invade your network, so that you will recognize them if you ever come across them, and you will be able to use them to test your own defenses.

("Testing" someone else's defenses without written approval is illegal!)

I strongly recommend that, as a minimum, every network security professional should have this certificate.  It took me very little time, most of which was spent finding and playing with some of the programs, and very little money (less than $300 including the test and the review guide) to get this, and, while it is not the most prestigious certification on the planet (my CISSP is something I prize far more), preparing for it was a good review of all the "hacker tools" I'd read about in the past 10 years, and reminded me of some tools for network administration that I'd neglected that have made life much easier (like Microsoft's PSTools).


So what does an Ethical Hacker do?

An Ethical Hacker tests a corporation's network defenses under contract by that corporation to identify weaknesses in the company's information security, so that the company can fix the problems before a malicious hacker (or cracker) finds and takes advantage of that weakness.


Why would a company need to hire an Ethical Hacker?

They don't want to be the next TJX. Some government regulations require companies in certain industries to have Penetration Testing (simulated hacking) done on a regular basis. The Payment Card Industry Data Security Standard (PCI-DSS) requires larger companies to have at least regular vulnerability assessments done. Ethical Hackers can help with some of these goals.


Why did I get certified?

I want to take the EC-Council Certified Security Administrator (ECSA) course later this year, and probably then become a Licensed Penetration Tester (LPT). To do that I needed to first get the CEH certificate.


Bill Wildprett, CISSP, CISA
Rod, thanks for your perspective. I'm also a CISSP, studying for the CISA, and have thought about getting the CEH or working towards the GPEN. Then there are the ISECOM certs...

I've heard some folks disparage the CEH while others praise it. I like your perspective on the value of the tools study. I think about how I've used BackTrack and about how much more there is to it as a toolset than what I've done, same thing with Metasploit.

Keep On Keepin' On!
K S Abhiraj
Very true Rod!
One gets to know the number of resources/tools available in this field.

Fred Williams
Global Knowledge here in Raleigh and elsewhere has the certified ethical hacker training class. I won it through this site on a contest a few months back and I'm glad now that I signed up for this class. I'll post another comment about it when I take it in August: https://www.infosecisland.com/blogview/2982-Thanks-for-InfoSecIslandcom-for-an-exciting-training-class.html

Taz Wake
Rod, I want to say thanks for your perspective as well.

I wholeheartedly agree that my CEH will probably never be as important to me as CISSP. I am not, yet anyway, planning to progress to LPT as I don't feel able to dedicate the time towards improving my own skills and learning new ones.

For me the CEH was simply so I would have a better understanding (using the course as a revision session was very good) and would be able to discuss matters with more skilled pentesters on a slightly stronger footing.
Rakesh Goyal
You have assumed that (1) only corporations use networks; (2) only the network needs to be tested for weaknesses (vulnerabilities); (3) the hacker is ethical; (4) the "Ethical" Hacker has an edge over the "Malicious" Hacker; (5) ethics are codified and well accepted; (6) maybe some more... ;-))

Well, that is the definition. On paper it looks good. But, in reality ......?????

One can certify the understanding of basic hacking skills, as per today's technological environment (tomorrow these skills will be "totally" obsolete). But even GOD (if you believe in him/her/it/...) cannot certify the "Ethical" part of it. There are many cases where the so-called "Ethical" Hackers proved to be "Malicious" Hackers (I am using your terminology).

Following questions arise out of this -

What are these ethics? Who has codified these? Who has accepted and approved these? Are ethics not changing with time and place? Are these static or change as per the requirements of technology, time and place?

Further, how is anyone who certifies these "Ethical Hackers" qualified to certify either the hacker part of it, or the ethical (sic) part of it, or both parts? On what strength is this qualification to certify drawn? Is it based on marketing / publicity or some real stuff?

Further, even the current generation of hacking is not a mechanical process. No tool can find all vulnerabilities. Tools always have false positives and false negatives. One needs not only an understanding of technology but a lot of common sense to think like (if not better than) a "Malicious" Hacker. Can these skills / traits be taught? If yes, is it possible to train in all of these in a few hours/days course and then give a certificate? If these skills / traits cannot be taught, are people screened for these skills / traits before joining these so-called x hours certification courses?

I can raise some more questions. But, first, I would love to have response to these questions.

Rakesh Goyal
Perpetual student of Information Security

Taz Wake
Rakesh,

I agree with you about the assumptions but I think that is going to be the case with anything.

The CEH is a professional certification issued by the EC-Council. When Rod made some descriptions of it, I read it that he was setting the scene, so the assumptions are valid.

It's very true that bodies other than corporations use the network, but it's corporations who are looking to hire CEHs, not home users. Same with the testing - the course and certification do look at more than the network, but by its nature any certification is going to be limited.

The ethical issue is a long winded one and can lead to debates that last for the lifetime of the universe.

Basically, as I understand it, the "ethical" part of the CEH is simply there to state you will operate under a code of behaviour as laid down by the governing body. This is the same as pretty much any other certification - CISSP or even a medical licence.

They are not ethics in the abstract sense which philosophers may agonise over. It leaves the practitioner with a fairly clear set of behavioural guidelines that they can adhere to or relinquish the certification. Yes there are CEH who will break the rules, just like there are doctors who will commit crimes. When discovered and found guilty one of the punishments is removal of the certification.

The fundamental ethical requirement of the CEH is that you only carry out testing on systems for which you have formal, documented approval from an appropriate person. This would (as I understand it) include any networks / systems you use to leapfrog your attack, making the testing slightly unreal. However, you don't need to worry about never being discovered, so there is less reason to mask the source of your attacks.

As for the tools issue - yes, it is an issue however it just underscores the limited nature of the certification. Being a CEH means you have an understanding of tools available to hackers, you have an understanding of what to do to combat them and an understanding of how to defend your network against vulnerabilities.

Nothing, no tool or person, can find all vulnerabilities. Everything, people or tools, will find false positives and false negatives.

This is where the skill and experience of the information security professional comes in.

(all of the above is IMHO of course)

Rakesh Goyal
Taz,

1. Thanks for addressing some queries. Some of the queries are still unanswered. But, some more questions crop up. See a few of these -

2. Why are only "Ethical" Hackers "certified?" as "Ethical Hackers" and others are not certified as "Ethical Doctors" or "Ethical Lawyers" or "Ethical IS Auditors or Ethical CISA/CISSP/CISM/..", etc.? Is this "Ethical" word a noun, pronoun, adjective or adverb?

3. Even if the code of ethics is there and approved, what is the monitoring mechanism?

4. Who will decide that the code of ethics is broken?

5. "You (government) have to be lucky all the time, We (terrorists) only have to be lucky once" – Irish Revolutionary Army (IRA). (This manifests the responsibility and capabilities of security professionals, whether in IT or land or air or anywhere).

6. Going personal - what is EC-Council? Is it a body of professionals and/or association like CPA, ISACA, ABA or a body corporate? A new chapter can be opened on this with endless debate.

(Allow me to copy your phrase - IMHO)

Taz Wake
Hi Rakesh,

The CEH is a first step qualification towards becoming a Licenced Penetration Tester (licenced by the EC-Council). Don't get too hung up on the choice of certification title - we could have the same debate about any other: Why are CISSPs called professionals but Doctors aren't called Doctor Professionals? Why are PRINCE2 Practitioners called practitioners but Lawyers aren't called "Legal Practitioners"? It could go on for eternity and simply reflects a decision by a certification body. Of note, they also offer the same qualification under a different name (Certified Network Defence Architect) to overcome issues the US Government apparently had with the "hacker" part of CEH. I think the idea is to highlight to the unthinking corporate HR departments that this is not a course which teaches people how to "blackhat" their way into networks (and it really isn't).

Monitoring is done in the same way ISC2 and ISACA monitor ethical behaviour. If someone complains they investigate; otherwise they assume it is ethical.

I presume it is the EC-Council who decide if someone's acts violate the code of ethics.

EC-Council : http://www.eccouncil.org/

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in various e-business and information security skills. It is the owner and creator of the world famous Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/License Penetration Tester (LPT) programs, as well as many other programs, that are offered in over 60 countries through a training network of more than 450 training partners globally.

EC-Council has trained over 80,000 individuals and certified more than 30,000 security professionals. Many of these certifications are recognized worldwide and have received endorsements from various government agencies including the US Federal Government via the Montgomery GI Bill, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). And the United States Department of Defense has included the CEH program into its Directive 8570, making it one of the mandatory standards to be achieved by Computer Network Defenders Service Providers (CND-SP).

Theresa Payton
Great article and thanks for shining a light on this.

Rod MacPherson
Rakesh,

I agree that not only corporations use networks; I've had a personal network for several years longer than I've had a job. The thing is, home users can't afford the type of professional services that Information Security Pros offer.

I did start off the article with "I'd say that it certifies neither that you are a hacker, nor that you are ethical..." I think that covers what you said in points 3 and 5.

And I certainly never said that a hired hacker has any edge over a malicious one, only that if you find the problem first by paying someone or hunting down the problems yourself, you can eliminate those same problem from being used by malicious folks. They may still find other ways to mess up your day, but you can eliminate some of the risk.

I never ever said that only the network needs testing. CEH doesn't teach you to test the people though. (websites, applications, etc. I'd include in "the network")
Rakesh Goyal
Taz,

As I understand, EC-Council is a private company. It is neither a professional association nor a statutory body. It gives a Certificate and not a license (There is a big difference between the two).

The requirements for CEH as per their website are simple -
"To achieve the Certified Ethical Hacker Certification, you must pass the CEH exam 312-50" (cut and paste from http://www.eccouncil.org/certification/certified_ethical_hacker.aspx).

http://www.eccouncil.org/about_us.aspx says "The International Council of E-Commerce Consultants (EC-Council) is a member-based organization" but does not define membership details anywhere, at all. How can a person become a member? What are his/her rights/duties/obligations? SILENT.

http://www.eccouncil.org/about_us/ec-council_management.aspx will give you the details of owners / managers.

You said you presume. Let us not presume anything. Let us work on hard facts, which are available.

I have nothing against EC-Council but most of the time, the name EC gives a false impression to users.

EC-Council many times gives an impression of relationship with European Commission.

Nowhere is the code of ethics stated on the website. I would like to get updated on it, if it exists.

I do not discredit CEH. Who am I to do it? The only thing is, I do not recognize CEH (which you get with a few hours of classroom training) as a certificate to employ any person for "Ethical" Hacking. The US government may do so, but they have to devise some quality control criteria at some point in time.
Today, it is a "Something is better than nothing" scenario.

My purpose was not to be critical of you. But I place some observations. Some of these align with your thoughts.

Well, regarding corporate usage of networks - apart from corporate and home users, there are government, defense, research labs, education, health care and other industries, which are also big users and normally not counted as corporates. Similarly, apart from the network, there are websites, applications, data-centers, which you have defined in your response. Can all of these even be touched in a few hours CEH programme?

The reason to react from my side was that though your article was well intended, it was not sending the complete message to the novice user / reader.

Rakesh Goyal
What to do? Being an auditor and student of Infosec,

K S Abhiraj
Rakesh Sir,

Things you have specified in here are all truly said, yet the last statement makes me think {viz. I do not discredit CEH. Who am I to do it? Only thing, I do not recognize CEH (which you get with few hours class room training) as a certificate to employ any person for "Ethical" Hacking. US government may do so, but they have to devise some quality control criteria, at some point of time.}
Sir, how can one call anyone 'ethical'? Till now, from what I have seen, NO one is ethical in nature. At some time or other one has to perform some kind of unethical task to get to know the 'thing'.. yet the only thing a firm could do is *trust* its employees, moreover some monitoring which is usual, by their higher officials or any other trusted party (to be sure about their *affection*)...
And now the US gov. thing, has anyone said they recruit CEH's directly..?? The quality you are speaking of here for US officials is the experience they have to judge a person's capability by foreseeing his experience in the industry, which makes them eligible... yet the *trust* thing exists here too..
So, it's almost impossible to check for one's trustiness, as one being a HUMAN, not a machine whose scope is limited, could get affected by many outlived things...

Cary Hendricks
I attended the CEH training believing it would be a good bit of experience and addition to my existing set of skills.

My observations are as follows:
* The course is a good starting point for the not very serious hacker.
* The course is about passing the exam and getting the certification.

However.. some bits will bite you if you have some experience of systems and hacking. Simply because the questions are somewhat textbook and do not take account of what you may have experienced. In some cases it was just *wrong*.

Sometimes I wish I had gone for something more intensive like the OWASP cert, but then in the context of what *you* want to do and if you are really hardcore (why do the course apart from getting the cert..?) you have to weigh up how much time and money you are going to spend in doing what you want to do..

Lee Mangold
I'm in the process of taking the CEH now. I'll say this: If someone came to me with only a CEH, I wouldn't be too impressed. I think the value here is the CEH perspective in addition to another certification (CISSP, GSLC, CISA, etc).

I'll say this, though... A CEH certification will not make anyone a "leet" hacker or even a decent pentester. But it is certainly a good starting point..
Rod MacPherson
I have to agree. CEH alone is not impressive. It's a beginner cert. Security+ would impress me more. You only need to take the actual classes if you have less than 2 years security experience. That alone should put it into perspective. But for what it actually is, it was worth the $300 I spent. I only hope that ECSA is worth the $3500 I'll be spending from my employer's budget (class included) later in the year.

Adam Nguyen
Rakesh,

Do we expect our politicians to be ethical? Are they ethical? Maybe some of them, or none of them? Certainly, as a body they hold much more power than any computer geek could ever dream of, and perhaps some more. Should we have Certified Politician certification? Does it help?

People who are ethical will probably remain so, and those who haven't been, won't. I think you're taking issue with the nontrivial name here; it doesn't matter what you call it, expressed or implied. What really matters in the long run is how the people who hold positions, degrees, and certifications decide to uphold their values as a body. You'll always get a few rotten tomatoes in a batch, literally and figuratively. A few bad ones don't necessarily mean you have to throw out everyone else; you remove them and move on.

BTW, I have the CISSP but not the CEH yet. I'd be proud to tell people I hold the CEH, but I also make it very clear that it doesn't mean I'm an expert nor ethical in what I do --- you would have to look at my track records for that. It's too much to assume that a piece of paper can certify anything; but it's a small step in that direction. That's why in a resume the focus is always on actual work experience. If I ever find my cv in the same pile with 10 finalists, here's to hoping that the manager realizes I've invested time, effort, and money into bettering myself in many ways, one of which is the CEH.

Instead of nit-picking the name of this or that certification, look at the feedback of those who've achieved it and moved on to other certs. They've clearly stated that it's an entry level cert aimed at promoting knowledge and commitment to bettering the trade (hence the 'ethical' part). People move on to bigger and better things, but you can't run until you've walked. CEH is really a walking certification.

Rakesh Goyal
No one questions that the CEH certificate certifies knowledge of technology or profession or business (level is immaterial for this discussion).

I have seen no politician or businessman or any other professional claim that they have been certified as Ethical so-and-so. Though all of these are supposed to be ethical (whatever it means). So, if they do any unethical act, they cannot claim that somebody certified them as ethical and even this act is ethical. But, in the case of CEH, the question is - (a) you can certify technical / professional skills (whatever the level, rookie to super-specialist) but how can one certify that a person is ethical? Further, what is the baseline for ethics?

On the certification body - Most people confuse EC Council with a part of EC (European Commission). The name itself is confusing. I have checked with EC and they categorically stated that EC Council has nothing to do with them. On my query - will they take any legal action over this confusion or copyright violation - there is silence from EC. Is using EC credentials to promote a private business ethical? If the certificate provider is not ethical (this is as per my own baseline. You may have your own. There is no standard baseline for ethics) in confusing people, what they certify as "ethical" in CEH opens a big question mark.

On a philosophical note, even GOD cannot certify anyone as ethical. Does this mean EC Council's certifiers become super GODS?

You have the right to have your own views.
Just ponder yourself.

Taz Wake
Rakesh, I still think you are getting too fixated on the word "ethical" in the title of a certification. If we used its alternative name ("Certified Network Defense Architect") would that solve all your issues here?

Given that other certifications (CISSP, CISM for example) require the holder to adhere to a code of ethical standards, do you feel they have become super gods as well? ISC2 and ISACA even have tests of ethical behaviour in their certification exams.

I haven't encountered anyone (employer, recruiter or colleague) who has confused EC-Council with the European Community. It may be possible, but I think that if the EC itself objected they would have said something in the last 9 or so years.

If you don't like the certification title, don't get it (there are other variations from SANS and 7Safe as well as many other organisations). If you don't like the certification body title, go elsewhere. One side note, most will use the phrase "ethical hacking" as part of their certification process (SANS Security 560, 7Safe CSTA etc).

Rakesh Goyal
Taz Wake,

I live in a vibrant democracy. In a democracy, you have the right to have your own view, and so do I.

But your tone indicates that either you are working for EC Council or you are on their payroll or you are their advocate and have a big bias for them. I have no comment on your biased views. You are entitled for your views and mixing of your confusion.

Having to adhere to a code of conduct for ethics is vastly different from claiming that I AM ETHICAL. I wish you would understand the difference.

EC Council is not my problem. I am least bothered about any certification (though I have many). But they are all marketing tools. The biggest certificate comes from an unhacked site and the customer.

But, I do bother, when people with some worthless certificates come to me for job interview and expose not only them but the certifier behind them. You can have your "intelligent" guesses here, if you don't bring your bias and mix issues.

If you have not encountered anyone who confuses EC Council with EC, it may also mean "frog in the well" syndrome, apart from your bias (due to any reason)?

You have a right to abuse me. That's your choice and why should I mind?
Taz Wake
Rakesh, I never meant to say you didn't have a right to your own views and I fail to see how anything I wrote could be interpreted that way. If I did give that impression, I am sorry and it was never my intention.

We could argue for years on the philosophical issues that surround everyone having an equal right to express their opinion on a third party platform but I suspect that would get us nowhere on this topic.

I will *try* to keep things ordered and hopefully reduce some of the confusion here.

1 - I am not now, nor have I ever been, an employee of the EC-Council. I passed the CEH exam but I am unlikely to maintain it as I don't feel it offers *me* any continued value. I have no bias for them and hold no other certifications with them. Any tone you perceive is non-existent.

2 - I have no idea what confusion, or bias, you are accusing me of having, but I note with a sense of irony you say this while also saying *I* am abusing *you*.

3 - It is not, in my understanding at least, a claim that the person is ethical in all aspects of their life. The title is "Certified Ethical Hacker" which meets a fairly well understood use of the term across the security and IT sectors. It does not mean the person won't cheat on their spouse and I would be amazed at an employer who felt it did.

4 - As an employer it is entirely down to you what value you place on the certifications held by prospective employees. Some will rate a CISSP over a CISM and others the opposite. There is no truly objective standard - some people find training for the CEH very educational, others don't. It doesn't mean the cert is worthless, except in the specific instance of the role you are recruiting for - if I want a network engineer, holding a CPA will be worthless for candidates but the certificate is still of value for other roles.

5 - Personally I think you are mistaken if you dismiss candidates because they have certificates you find worthless, but that is your business choice to take. If you are happy to risk losing a very good potential employee then fine. I have no issue with that at all.

6 - Overall, and this is just based on my experience, having a CEH will help in the majority of security related job applications. Not as much as holding a CISSP or CISM but more than having no certificate. If there are two otherwise equal candidates and one has the CEH and the other doesn't, it may tip the balance. There are, again in my experience, jobs that specifically ask for CEH (or other EC-Council certs, mostly LPT or CHFI though). I have yet to see one that says holders of such certs need not apply.

7 - I totally agree that the fact I haven't met anyone who has made the confusion simply means that no one I have met has, not everyone. I had thought I'd made it clear by stating the limited sample nature of the group. As I said, it may be possible that people confuse the two groups but within the security industry I strongly feel it is unlikely. Apart from anything else, why would the European Commission suddenly form a council to hand out certificates? There is a Council of the European Union but it has never been called the EC Council and is a very different thing. I very much doubt the European Commission or the European Union will object, but they may, and it will be interesting to see the outcome.

8 - Lastly, I haven't intended to abuse you and I am sorry if it appears I have. I think you are wrong and you are fixated on the middle word of the title of a low level certification, but that is all. I haven't accused you of bias or selective confusion.

Some questions I would like to repeat:

Would you drop all your objections if the CEH was renamed? (eg CNDA)

Do you have similar objections against the courses / certifications issued by SANS / 7Safe (etc)?

Every certification makes claims using words that, if taken out of the context of the cert, are open to argument. The CEH means you are certified as an "ethical hacker" by the certification body. It does not mean you are either ethical or a hacker in any other circumstances. Being a Doctor of Physics doesn't mean you can perform open heart surgery.