Introduction

In the ever-evolving landscape of cybersecurity, the Certified Ethical Hacker (CEH) certification has long been a topic of discussion and debate. It is actually one of the oldest certifications out there, introduced in 2003 by EC-Council. The exam has drawn a lot of criticism, primarily because of its reliance on the multiple-choice format. This blog post aims to give my honest perspective on the CEH certification, addressing the skepticism surrounding its examination method while shedding light on what it actually offers in the realm of ethical hacking.

Figure: CEH job postings on LinkedIn (8,941 jobs listing CEH at the time of writing).

The Controversy: Multiple Choice and its Critics

I am sure you have seen it online (YouTube, Reddit, etc.): statements like "The CEH won't teach you anything", "CEH is useless!" and so on. Critics argue that because hacking is a dynamic field requiring hands-on knowledge, traditional exam methods are ineffective. While I agree with the sentiment, I also think we should scrutinize this stance. First, I agree that the CEH does not replicate the hands-on nature of hacking, but it does serve its purpose, which is to be a standardized measure of foundational theoretical knowledge, ensuring a common baseline for ethical hacking professionals.

So let me be honest here: the CEH did teach me a lot of things, especially as a beginner. Most people "memorize" the material just to pass the exam and then act surprised that they didn't retain anything afterwards. During my preparation I actually studied the material and came out with some solid knowledge, and I supplemented the theoretical knowledge with labs to deepen my understanding of the concepts.

My second point might be biased, but hear me out. Apparently HR departments love the CEH; it is listed on most security job postings. I am convinced that finding a job in cybersecurity today is a numbers game, so you have to work on two fronts: how you appear to potential employers and your actual technical skills. Especially if you are a self-taught cybersecurity individual, you need to put as many chances on your side as possible. Nothing is preventing you from getting the CEH as an HR checkbox certification while actually developing deep technical skills.

My final point on this whole CEH thing is simple: get it if you are not paying for it (the exam costs $950-$1,199). You will learn if you actually apply yourself, and it will serve its HR bypass function.

Overview of the CEH exam

The exam tests you on 20 areas of ethical hacking, ranging from Footprinting and Reconnaissance to Cryptography. You can get the full list of modules here, starting at page 6. The exam has 125 multiple-choice questions and you have four hours to complete it.

The official training you get when you purchase your voucher covers exactly what you will be tested on, nothing more. A few things I noticed during my exam:

  • It is very tool-focused - You will need to know the different tools used for various tasks (scanning, session hijacking, enumeration, etc.).

  • You will get a lot of questions about commands - Beyond knowing which tool to use, you need to know its syntax and options well enough to recognize how it is used to achieve a given result.

  • The cryptography and malware concepts can be hard to grasp at first, especially if you are a beginner; put more focus on these modules.

Conclusion

While I acknowledge that the criticism of the CEH is valid, I think it does provide some value by helping you get past HR and by teaching you about a lot of topics related to ethical hacking. You should go for it if you are getting sponsored. I encourage you to have a balanced view of certifications and make informed decisions based on your career goals and personal situation. At the end of the day, you know what is best for you. I also recommend complementing the CEH with hands-on experience by doing labs.