Thoughts on Certified Ethical Hacker v10

I recently undertook this certification. Long overdue: I had an opportunity to pursue CEH over a decade ago, but opted to take the Red Hat Certified Engineer (RHCE) Standard Track at the time. How did it go?

CEH follows on from the Certified Network Defender (CND) certification, also offered by EC-Council. CND is worth a look, particularly if you are designing a corporate training programme.

The course plus exam bundle run by, in my case, the authorised provider IT Governance Limited was great, and the venue in the City was excellent. I can highly recommend IT Governance and their CEH package. The exam in their package is taken afterwards at a convenient time, using a voucher code submitted to Pearson VUE.

With the IT Governance package covered, what did I think about the CEH course design (syllabus) and exam?

Walking into this certification I had over six years as a university lecturer under my belt, designing courses and setting exams, working to nationally accredited standards. So my take on the certification syllabus would always be biased, but trying to keep an open mind, here is my take on CEH:

  • It covers some useful ground, and overall it’s a good grounding in a number of important topic areas
  • Some of the concepts are relatively advanced for those new to the field and others are entry level
  • Some of the concepts covered would be easily defeated in a good enterprise infrastructure, but I could appreciate CEH had to cover some of the historical ground to provide context
  • EC-Council’s v10 “use anywhere” virtual labs are a facility that many FE colleges and universities would dearly love to have, and a key strength, though the content in some parts can be repetitive. This is a vast improvement on previous versions of CEH, as I understand.
  • The electronic portals (ASPEN etc.) are complicated to use, but the volume of content means there are probably few other alternatives apart from also-complex VLEs like Blackboard

I sat the 125-question exam at a Pearson VUE centre. This was a straightforward and easy option and worked well, providing the result immediately. You can revisit any question at any time during the online exam to check your answers, which is a useful feature.

The upper limit on the exam is four hours and the pass mark is 70%. I had my initial set of answers entered in under 30 minutes, though the extra time is probably a good thing for those inexperienced with exam conditions. I can see a student new to the area needing at least two hours to complete the exam, and the further time provides reassurance.

What book did I use to prepare for this exam? I used the Sybex CEH Study Guide, which is probably the best book in this area and you can get ePub and PDF versions from the publisher. It’s a fairly well-written book, though there are some unusually brief sections in there (e.g. subnetting).

I used the CEH v9 Study Guide (Ref. 1), which was a good grounding for the exam, though the quiz sections in that particular book could do with improvement. I don't recommend the Certified Ethical Hacker Foundation Guide (Ref. 2).

If you're new to the area, I'd also recommend the following textbooks from the reading lists for my university courses: Forouzan provides probably the most accessible book on the TCP/IP Protocol Suite (Ref. 3) and Kurose and Ross is the classic academic textbook in introductory networking (Ref. 4), with Forouzan being the most appropriate match to CEH in my view.

How much time should you devote to this certification? Highly experienced information security folk should be able to take a suitable introductory course, then spend a week or so reviewing the study guide, and pass well. The key challenge will not so much be knowing the answer, but knowing the answer that the CEH exam design expects. In this situation I'd recommend doing what I did: treat the course as a one-week residential and dedicate the evenings to reviewing the virtual labs. It might be a 50-hour week but you'll pick up a few useful bits of information, even if much of the material is familiar.

If you’re new to information security and don’t have much in the way of technical background knowledge, I’d recommend taking a course and then following up with the virtual labs and further reading over at least a two month period. Again, I recommend you treat the course as a residential and use the whole week of time productively.

If you’re a manager, where does CEH fit into your cyber security staff development plans? Any pen test scoping and supervision should require CND or CEH. I’d say CEH should follow Certified Network Defender (CND) also from EC-Council.

In your training programme, I'd place CND somewhere between graduation and two years post-graduation, and CEH within five years post-graduation, but that is only my take. You will also need staff to have sufficient experience to be eligible for CEH if not opting for the accredited training course route (currently this experience requirement is two years in the field for CEH).

Overall, it’s a good course and one that should form part of any corporate training programme. There are many accredited training providers that offer useful introductions for a wide range of employees.

If you are keen to build up a high-end pen testing practice in-house, then the OSCP certification (from Offensive Security, not EC-Council) is highly regarded and something to work toward after the EC-Council certifications.

References

1 – CEH v9: Certified Ethical Hacker Version 9 Study Guide, Sean-Phillip Oriyano, May 2016. ISBN-13: 978-1-119-25224-5

2 – Certified Ethical Hacker (CEH) Foundation Guide, Sagar Rahalkar, Dec 2016. ISBN-13: 978-1-4842-2324-6

3 – TCP/IP Protocol Suite, 4th Edition, Behrouz Forouzan, 2010. ISBN-13: 978-0-07-070652-1

4 – Computer Networking: A Top-Down Approach, Jim Kurose and Keith Ross, 7th Edition or later, May 2012. ISBN-13: 978-0-273-76896-8