Friends Don’t Let Friends CEH

I was recently asked this question and it’s one I’ve been asked before, so I figured I would jot down some notes here for the next time I’m asked. Hopefully, this is helpful to you. Remember, these are just the opinions of one person (but they are corroborated against peers who mainly share the sentiment).

Just say “no”

Now, to cut to the chase: Friends don’t let friends pursue the CEH (“Certified Ethical Hacker”). Just say no.

Before you throw rotten tomatoes, my CEH holding friend, hear me out …

The reality is, there is no value quotient in it. It’s a paper cert based on a multiple choice test. A decent test taker who crams and memorizes some tool/technique names can likely pass. And that means a newly minted CEH holder will show up for their first day of their new pentest gig and not know *how* to actually be successful. They’ll either miss vulnerabilities and lure their customer into a false sense of security (the most dangerous outcome, in my opinion), or they simply won’t know how or where to begin. All a CEH really means is that you share some vocabulary with penetration testers — that’s it.

Anyone taking an honest look at how the CEH came into prevalence will note a few things:

  1. It was one of the first pentest certs on the scene.
  2. It was offered up by a US company making it eligible for US .mil and .gov contracts.
  3. As a result of #1 and #2, it found its way into the “thou shalt have some sort of certification for this federal government job, so go down to Pearson Vue and take a point-and-click multiple choice test” list.

That’s really it.

Now, you can be a CEH and be an exceptional penetration tester — sure, but it’s not because of the CEH cert. It’s because of you, and more specifically, everything you learned (probably self-taught) outside of that CEH program.

And please note all of those reasons come before another very important reason: the title of CEH itself is pompous, presumptuous, and reeks of poseurdom. Certified. Ethical. Hacker. This could be a diatribe for another day, but do you go to the “ethical lawyer” or “ethical mechanic?” Maybe hire an “ethical contractor” to work on your house? That modifier has always bothered me simply because one’s character should stand on its own, not because some certifying entity says “I am this tall to ride” the ethical rollercoaster. “Ethics” are not that simple, nor should they be overstated.

Also, “certified hacker” is just as bad. The term “hacker” is so loaded that I avoided any self-affiliation with it for over a decade before I gave in. A hacker is what a hacker does, and likely, in true hacker fashion, a hacker does not espouse any certification program, but that’s a whole other topic for another day.

Suffice it to say, if the CEH was called by any other name, it still would not get my recommendation, but it’s not doing itself any favors with that name.

“Okay, so what programs do you recommend?”

Well, it’s January 2018, and the gold standard still is the OSCP (Offensive Security Certified Professional). It’s Offensive Security’s flagship, and for good reason. You have to actually DO penetration testing, not just read about it and spit out answers. It takes tenacity above all else — an OSCP holder shows the world that s/he “tried harder” and literally “suffered” through some abominably-yet-intentionally vulnerable systems, exploited them, and escalated privileges. The hard work aspect may actually overshadow the technical learning, but both are top notch. I always admire the engineering behind their labs — it takes a ton of planning to keep so many vulnerable systems running while keeping their exploit chains a secret so students actually learn for themselves.

But the OSCP is not for the faint of heart, or for the “I don’t want to work hard” crowd, and probably not a good fit for the beginner at all (although I know some beginners who did amazingly well at it and now hold the OSCP).

Second up in my book — and I have no direct experience with it, just basing this opinion on the feedback of my team and peers I’ve met over the years — is the GXPN from SANS. Those close to me who have done both have positive things to say about both, but rank it firmly in second place behind the OSCP. But the point is: you’ll learn good stuff in that program that’s usable in an actual penetration testing career.

The GPEN is the GXPN’s little brother, also from SANS. That’s where I’d probably send a beginner (who can afford it, so maybe not a starving college student), but sadly, not all GPEN holders are capable penetration testers. It is entirely possible to sit through that class, take the test, and still not be successful in a penetration testing career. It’s a good starting point, so if you take it, don’t stop there — keep learning.

There are also some upstarts for the economically challenged student. I’ve actually been surprised by some of the content in eLearnSecurity’s and SecurityTube’s classes — not all are the same, and it is a full-time job maintaining relevant content as technology changes, but if your goal is to learn on your own nickel — and NOT to care about having alphabet soup that a recruiter will recognize — then these are great options to consider, especially for the beginner.

So that brings us back to the real question…

What is your purpose in pursuing a penetration testing certification?

Is it to break into the field of penetration testing for the first time? If so, I think you’ll find good pentest teams and managers look for evidence of your capability and talent — how you answer technical scenario questions is much, much more valuable than the alphabet soup you used to pad your size-16-font resume to take up a whole page. If you’re in this boat and on your own dime, take one of the well-vetted upstart training programs, and focus on learning, not passing the exam. Go above and beyond. Do every lab. Research on the web and take your knowledge beyond what the curriculum covers.

Is your purpose to bling up your resume to show some prowess and sift to the top of the resume stack on the recruiter’s desk? If so, don’t take the CEH, because you’ll end up on the wrong recruiter’s desk — it will likely be at an organization where you will be stagnant and not grow. In 2018, the OSCP and GXPN are the most likely to be recognized by a recruiter — and the OSCP more so. The recruiters who have been trained to look for these are the ones whose desk you want your resume to land on.

[Side note: I know several technical managers who hire pentesters that have all told me they inquire about the date when the CEH was completed during the candidate interview/selection process. If the CEH was recently acquired, and the candidate doesn’t have a reason like “I worked on a government contract and it was required,” then they generally put that candidate through extra scrutiny before making a hiring decision. In short, the CEH may actually hurt your chances.]

Is your purpose simply to cross-train in another discipline in Information Security? Maybe “learn the language,” as they say? Maybe you want to be a project manager for a penetration testing practice or team. In those situations — and probably ONLY those situations — the CEH may be acceptable. But I still wouldn’t recommend it to a friend. You are probably better off learning on your own time.

Okay, now you may start with the rotten tomatoes.

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter