Contents

CEH Review

About a year ago, I posted my thoughts on the CISSP certification. I recently took the CEH certification, and so I’m taking a few minutes to reflect on this certification as well.

Should you take it? Should you hire somebody because they have it?

Spoiler alert: no and hell no.

Obtaining The CEH

Unlike the CISSP – at least at the time last year when I took it - the CEH exam is at least computer-based and graded instantly. (Score one for IT, I guess?)

That’s the only positive I have to say about this exam. In every other aspect, the CEH is shockingly poor in quality in all three of the following areas: registering for, preparing for, and taking the exam.

Registering

Registering for this exam was a hassle. In order to register, most candidates are required to first take the CEH class, which runs in the $2500-3000 range. Alternatively, you can opt for “self-study”, for which you pay $100 and have a coworker or manager vouch for your knowledge of the domain. In addition, the exam itself costs $500. So most candidates will pay about $3500 for the privilege of taking the CEH exam, although if you opt for self- study you can sit for the exam for the low low price of $600. I elected for self-study.

Even at $600, I would not take the CEH exam if I didn’t work for an employer that would reimburse me. The quality of the exam is just too low to justify $600.

EC-Council doesn’t allow you to register or pay online. (Score zero for IT, I guess.) Instead, you need to e-mail or fax your registration (including credit card information) to EC Council… laughable, right? In 2013, for a computer security certification, you are expected to send your payment details in plain text over analog phone lines.

Instead, I wrote, “please call me,” on my form with my phone number. Sure enough, somebody called me the next day and I provided my payment information over the phone on Jan 3rd. I saw the charge appear on my statement within a few days, and I figured everything was hunky dory, so I waited for them to let me know when they had approved my application. A modern, high-tech organization like EC-Council can easily take 4-6 weeks to process a 1 page form, so I waited patiently.

About 7 weeks later, on Feb 25th, I send a second email to the EC-Council to inquire about the status of my application. I did not receive a reply. I waited about 4 weeks after that with no reply, so I sent a third email on March 29th. I actually received a response the same day letting me know that my application was still being verified. (They have to contact the people I listed on my application in order to verify that they will, indeed, vouch for me.) I would say 11 weeks is more than enough time to do this, so I was beyond impatient at this point.

I finally had a direct phone number for a customer service specialist at EC-Council, so I called to ask why the process was so slow. It turns out that she was still waiting to hear back from one of my contacts. I asked her to verify the contact information, and it turns out that she had transcribed this person’s email address incorrectly (it was sent to a domain that doesn’t exist), and was apparently unfazed by the bounced e-mail that resulted.

Loooooong sigh. Mumble some curse words. Deep Breath.

Within the next week, my application was finally verified and I was able to register to take the test at a local Insyte testing center. ($600 and 12 weeks, for those keeping score at home.)

Preparing

Preparing for the exam is a minor hassle, because EC Council won’t actually tell you what subjects are covered on the exam or give you any reasonable number of sample questions! The only information that they disclose is the 19 topic areas covered on the exam. You are expected to figure out what’s actually covered by taking the $3000 class. I found a decent book on Amazon that appears–in retrospect–to accurately describe the contents of the exam, but I really had no idea heading into the exam.

EC Council also isn’t very clear on the format of the exam. My book says 125 questions, as does the EC Council website. But when I got to the testing center, I discovered that there were actually 150 questions! It’s not really a big deal, but it’s a worrying sign when the exam is such a closely guarded secret.

To be fair to EC Council, the version of the test that I registered for many months ago was version 7, and they have since released version 8. Perhaps that accounts or the discrepancy on the test’s length. However, they should not have removed all version 7 information from their site, and they claim that versions 7 and 8 are almost identical and differ only in some obscure ISO compliance artifacts. Also, some pages on the EC Council website are ambiguous about which version they refer to: you’ll see version 7 in the title bar and version 8 in the body.

Obviously EC Council is a business trying to make money, so they’re not just going to give away their entire test bank, but for $600 you would imagine they could at least give me something to work with. Nope, you need to pony up $3000 if you want to have any idea how to prepare for the test. I did the best I could with the book I had and talking to people who had passed the CEH exam.

The Testing Facility

EC Council partners with testing centers around the world to proctor the exam. My exam was at an awful Insyte testing facility in Alexandria, VA. I arrived 30 minutes early and wasn’t greeted by anybody in the waiting area for about 15 minutes (due to the unmanned reception desk). There appeared to be some confusion about why I was there, even though I had a reservation to take the test at 10AM. The proctor asked for my wallet, phone, keys, book bag, etc. so that he can lock them up while I’m taking the test. He “locked them up” by putting them underneath a desk in an unoccupied room with an open door. (In case you have not been following the narrative closely: this is a security certification!)

Then he walks me into another room where I am seated in front of a computer, along with 3 other test takers, and he disappears, with no further instructions. I’m distracted by the sound of some large machinery just on the other side of the paper thin wall that I’m seated in front of. It sounds like a commercial air conditioner that’s being murdered slowly, and it drones, wheezes, and sputters for the duration of the test.

EC Council has chosen to partner with this company, and this is what $600 buys you: slow, discourteous service by people who clearly hate being at their job and actually having to do their job, as well as an unproctored test environment that is as quiet and peaceful as a construction site.

The Questions

As I expected, most of the questions are written and edited incredibly – laughably – poorly. Many of the questions have the tell tale grammatical problems of being written by a non-native English speaker (missing articles and putting adjectives in the wrong places). I’m not a xenophobe, but for $600 I would like an exam with good grammar so that I can spend more time answering questions and less time parsing questions.

Many of the questions are intentionally confusing, and not in a good way. In some cases, there are multiple answers that are reasonably good; in other cases, there are no answers that are very good. This is par for the course on poorly edited technical exams (the CISSP is no different). You are encouraged to “select the best answer”, which is a euphemism for saying, “read the mind of the person who wrote this question.”

There was one question on the exam that was so bad that it stuck out in my mind above all others. It was such a simple, objective question, and none of the provided answers could possibly be construed as correct. I spent longer on this question than any other questoin in the exam, and I even came back to it one more time after finishing all of the other questions. I spent so much time looking at it that I can almost quote it verbatim:

What is the length of an MD5 hash?

(There was some picture attached to this question that, as far as I could tell, was completely irrelevant to the question.)

A) 32 bit

B) 64 byte

C) 48 char

D) 128 kb

Note that the first 3 options aren’t even grammatically correct. This is like saying you live 3 mile from your office, or the guards at Versailles rotate every 15 minute.

But this question really bugs me because the answer is unambiguously 128 bits. You can convert this into other units, such as 16 bytes or 0.015625 kilobytes, but there’s no subjectivity in this answer! The writer of this particular question apparently thought it would be more confusing–and thus better–to make each answer in a different unit. (Of course, I think it would still be a perfectly reasonable question if all units were the same, but that’s just me.)

Answers A-C are clearly not correct, because the only possible correct answers are 16 bytes or 128 bits.

Answer C is a deceptive, however, due to the use of the unit “char”, which it not a universally identified measure of information. It could be construed in this context to have the same meaning that it has in many programming languages, which is to say that it’s an unsigned byte that probably contains an ASCII character. MD5 hashes are typically rendered for humans as 32 (not 48) character strings of hexadecimal numbers. I object to this answer on principle, however, because the char representation of the hash is not the hash itself, it is merely a representation of the hash. I could also store the same hash in a UTF-16 string and then it would be 64 bytes instead of 32. The question is way too ambiguous to make any of these assumptions.

Answer D looks close, but the unit there is “kb” not bits or bytes, which means answer D is actually the farthest from being correct.

Does this test really reflect $600 worth of value? It certainly doesn’t reflect $600 worth of testing facilities or copy editing.

Hiring A CEH

Like the CISSP, the CEH is one of those certifications that sounds more impressive than it actually is. (A certified “hacker”! Oh my!) Yes, you’ll need to know quite a bit of random trivia in order to pass it, but you certainly don’t need to learn much theory, nor do you need to go very deep in any specific areas. The lack of depth is probably unavoidable for any certification on such a broad topic, but as with the CISSP, obtaining the CEH does not correlate with any useful job skills. Quite the paradox!

If the CEH doesn’t correlate with job skills, then should employers consider it during hiring? A good interviewer will be able to evaluate a candidate’s technical aptitude and knowledge with well-designed questions and exercises.

Maybe the CEH is good for screening potential candidates? Still no. If the CEH is one of your mandatory screening criteria, then you’re losing lots of qualified candidates who would rather spend time learning useful computer skills versus purchasing a piece of paper with the letters C.E.H. stamped on it.

As with the CISSP, I think the most valuable aspect of the CEH is simply what it says about the candidate’s attitude (for better or for worse). This person took the initiative to study for (and pay for) a certification because they thought it would either improve their knowledge and skillset or they thought it would improve their salary. As long as a candidate understands that a certification is not the ultimate test of knowledge within a domain, then posessing any of these certifications is a positive sign. However, if a candidate is taking certifications because they think they will have obtained mastery, or because they are purely interested in a higher salary, then the CEH is actually a bad sign.

The CEH should be just one small factor out of many evaluation criteria.

Conclusion

As with the CISSP, the people who benefit most from the CEH… are the people who sell you the certification.

For everybody else, the CEH is a waste of your time and money.