Feb 3, 2018

What, me hacker?
I spent week 4/2018 on EC-Council Certified Ethical Hacker (CEH) training. After over 13 years in a CSO position, looking at corporate security mostly from a governance and risk management perspective, this may not be the most obvious choice. Let me explain.

Last spring the Finnish Information Security Association awarded me as the CISO of the year 2017. As if the honor hadn't been enough, I also got a free place on a CEH course (sponsored by Arrow ECS). I postponed the opportunity nine months, but decided to attend the training now before the offer expires. The course's normal price is 3,500€, after all.

I haven't been on a full week's training in ages. I think the previous time was in 2011 when I attended SABSA security architecture training. By the way, I got my first security certification, CISSP, 20 years ago. I attended the first ever CISSP training held in Finland in 1998.

It certainly was an interesting (and tiresome) week. A huge amount of information and loads of hacking/auditing/pentesting tools, not to mention hands-on labs. The courseware had about 1800 slides and 20 hours' worth of labs. The instructor presented maybe one third of the slides at a quick pace, pointing out the most important stuff. The material was from 2015 and therefore a bit outdated, but the instructor filled in the gaps. The expectation was that after a nine-to-five day in the classroom, students would continue studying and doing labs at home in the evening. I spent an hour or two every evening browsing through the day's material and did some labs.

The following topics were covered:

  • Introduction to Ethical Hacking
  • Footprinting and Reconnaissance
  • Scanning Networks
  • Enumeration
  • System Hacking
  • Malware Threats
  • Sniffing
  • Social Engineering
  • Session Hijacking
  • Hacking Webservers
  • Hacking Web Applications
  • SQL Injection
  • Hacking Wireless Networks
  • Hacking Mobile Platforms
  • Evading IDS, Firewalls, and Honeypots
  • Cryptography

I was surprised how well I still remembered network protocols, attack methods and basic auditing tools. It's after all over 15 years since my consultancy days and more than 20 since I knew Unix security inside out. Of course, I follow information security threats, trends and technology closely all the time. Security expertise requires lifelong learning.


I expected that the course would have emphasized ethical questions more. It's CEH, not CH, right? The ethics of hacking was discussed briefly a few times, but not as thoroughly as one would have expected. The CEH code of ethics can be found here.

At the end of the week we had an opportunity to take the certification test. There are 4 hours to answer 125 multiple-choice questions, and you have to get 75% correct in order to pass. Here's a site where you can test your skills, if you will. Whatever certification test you are taking, I've found that practice tests are a very useful way to prepare yourself. You need to set your brain into the right mode and understand how you are expected to answer.

I finished the certification test in 1.5 hours and passed with a score of 93.6%. So, I'm a Certified Ethical Hacker now :-)

Don't worry. I'm not going after bug bounties. I'm leaving that to those with real hands-on skills. I had a fun week, though, and have even more respect for whitehat hackers who help organizations via bug bounty programs or responsible vulnerability disclosure.

However, next time I'm hiring a security auditor, a CEH certificate is not enough to impress me :-)