Step Back, I’m certified

I’m referring to one of my favorite Dilbert strips in the title of this entry.
I passed the Certified Ethical Hacker ECO-350 exam this morning.
There seem to be a few set reactions to the CEH.
1. “Not the H(acker) word”. These are the same people who get upset when colleges teach their students how to defend a network or system by teaching them how to break into it. They probably think they are safer in a gun free zone.
2. HR departments and recruiters seem to love the cert.
3. Some think it’s a poser cert. I don’t know about that. I think it’s a beginner cert, and I found it really easy. As with any certification, the quality of the person holding the cert is not guaranteed.
4. Some think EC-Council (the group administrating the CEH) is a scam. That is traced back to a blog post by securitymonkey in 2006. Personally I think he makes a poor case.
The CEH does not require the classroom training or purchasing study material from them. Most of my studying consisted of being an information security professional for many years. There are a couple of things that I’d point to as particularly helpful.
1. Sensepost – Hacking by the Numbers at Blackhat. That was at the first Blackhat Federal. I forget the year.
2. A Masters level course at James Madison University in which the semester was essentially a capture the flag / defend the flag exercise. That was in 2006 (man, time flies).
3. Read the Official CEH book.
I don’t necessarily like getting too many certs, but it’s one way to demonstrate continued learning and development to management types. Unfortunately, I think career-wise I’d be better off with a soft skills certification than any more technical ones. Anyone have any suggestions that wouldn’t cause me to submit comic strip ideas to Dilbert because it is so absurd?


  1. I’m thinking of CISSP, management/HR seem to love that one most of all.
    CEH is ok, try OPST if you want something with more teeth.
    Or if you want to go process perhaps try ISO27001 LI or LA.

  2. I picked up the CISSP in 2005, and recertified once since then. Agree that one is very desirable if you’re needing to be marketable.
    I had originally been thinking of an ISO27001 cert or an NSA cert. Now I’m thinking about the CISSP-ISSEP concentration.
    Hadn’t heard of OPST, I’ll look at it. If I were to do another pentest related cert I had been interested in SANS GPEN, particularly if work would send me to the conference – SEC 560: Network Penetration Testing and Ethical Hacking. While it looks like Ed Skoudis is not teaching this track most of the time, it would be pretty cool to hear it straight from him.

  3. I agree the CISSP is necessary if you want to be marketable these days. I can imagine the CEH would be as well if you’re a consultant or working on a contract basis.
    Personally, I wish my pay was tied to getting certifications (or being the guy you pay to take a cert exam!). The reality, at least where I work, is that in this economy a degree is worth a whole lot more than any cert.

  4. When I first started out, I read an article describing Certification, Education and Experience as the pillars of an information security career.

  5. Yeah – I can see that. As for “soft certs” that actually mean anything, the ITIL certs seem to mean something to a lot of organizations. The PMP is probably the best non-technical cert I’ve seen BUT you have to have project management experience to even attempt it (kinda funny since most places won’t let you DO any PM work unless you have the PMP cert).