A year or so ago I attended the coolest and most fun Bootcamp I’ve ever been to. It was the Certified Ethical Hacker course.
For someone who is not familiar with security, hacking, or pentesting tools, this class is an incredible introduction. For real hackers and pentesters, this class is either a refresher course or total garbage. I’d say the course material is beginner to intermediate.
Fresh from Defcon, I must admit that even the hackers that might be considered mediocre (by Defcon standards) probably see this cert as more of a “script kiddie” industry scam, since it barely scratches the surface of their “elite black world”. Some of those good Defcon hackers wrote the tools talked about in the CEH course material.
My opinion is that the CEH is a great start for wannabe hackers and pentesters. Everyone has to start somewhere. Whether you start with SANS Track 4, Hacker Techniques, Exploits and Incident Handling or the EC Council’s Certified Ethical Hacker course, you have to start somewhere.
Whether the EC Council is some sort of shadow organization created to deceive the world, I cannot say. It seems as legit as the ISC2, creators and maintainers of the CISSP. All I know is that the industry has fully accepted the EC Council and its many certifications.
Here is what one of my readers wrote me after all my cheerleading for the CEH:
I don’t know if you’ve been reading newsgroups lately, but it seems that the CEH, sold by the “EC-Council”, is somewhat of an elaborate hoax which many are seeing for what it is. A summary: EC-Council is a company started in Malaysia by a marketing guy called Sanjay Bavisi.
Trying to get on the security bandwagon, he invented the CEH and made them appear to be “A New York based” council of members. The fact is that they are a Kuala Lumpur based company that people have been taken in by and most of the “council members” don’t even know that they are on it. The people writing the courses are NOT pen testers or ethical hackers and the course content is written in terrible English and a lot of stuff seems copied and pasted straight from the web.
Look at this review of their book on Amazon:
********
“Ethical Hacking” is really just a hotch-potch of descriptions of tools that can be found anywhere on the Net. The English is so anguished as to be scarcely recognizable in places – almost as if it’s been translated into Lithuanian by Google, and then back into English again. The peculiar typesetting makes it even more difficult to read. I just gave up trying to read this book. My advice is not to waste your money in the first place.
*********
Do a search for “scam” and “ceh” and you will see that this bunch are slowly but surely being exposed for what they are. There are legitimate penetration testing qualifications out there, but this one is looking dubious to say the least. Wouldn’t touch it with a barge pole.
I think they were reading this forum. Like I said, all I know is that the EC-Council’s certifications are well respected. One pentester/hacker/forensics bad ass I met at the FISC has a bunch of EC-Council certs and he is doing very well with the government.
I always hear people crying about how certs are scams or how people who get certs don’t have real technical skills. Some say the same about a college degree. It floors me. Regardless of what anyone says or believes, these pieces of paper can help you focus your skill set and make you MORE MONEY.
When you enter the job market, you are competing with hundreds of others who may have the exact same skills; certs, degrees, and licenses will give you the edge you need to destroy those competitors.
I don’t think the CEH is a scam, but even if it was, the majority of organizations recognize and respect it, so that is irrelevant.