IT security qualifications are not limited to the CISSP from (ISC)². The EC-Council also has a range of specific security-related qualifications, starting with the CeH (Certified Ethical Hacker) & Countermeasures. The countermeasures subtext hopefully serves to allay fears (often those of the organisation’s management), making it clear that the syllabus isn’t designed to teach you how to hack. You simply cannot hope to understand the vulnerabilities in your IT operation without developing an understanding of the techniques that are used by hackers.
I have recently sat and passed the CeH v7 exam without undertaking a specific training course. This means my experience (validated by my employer) and qualifications (such as my existing CISSP) have to be validated by the EC-Council to give me an authorisation code to be able to book the exam with a Prometric test centre.
One of the helpful features of Prometric is the ability to reschedule the exam as you need to within their rescheduling criteria. I booked the exam and moved it half a dozen times until I was ready. If you’re about to change employers and don’t hold a CISSP (which I think means you don’t need the experience validated), you might want to consider getting the authorisation code ahead of time.
Version v8 of the CeH is now also out, so it will only be a matter of time before CeH v7 is retired.
How does CeH compare to CISSP?
CeH to me fits well with the Certified Information Systems Security Professional examination. As you’d expect, it is quite specific on hacking, techniques, tooling and countermeasures. I left it a couple of years between taking CISSP and CeH intentionally and didn’t find I’d forgotten anything. Holding off on the CeH gave me a qualification to aim at, which I find brings focus to studying and will of course help with my ongoing career development requirements to maintain the CISSP qualification in good order. I found the prospect of the exam a lot less daunting, particularly as you know you can retake it without too much trouble, unlike the CISSP, which requires your attendance at a specific test centre.
Do I need to take the CeH course to pass the exam?
I didn’t. And personally I don’t think it’s necessary for everyone, especially if you have taken a qualification previously and are able to dedicate yourself to the self-study. If you are planning on taking the CISSP and have a limited training budget or time, I’d go with the CISSP training as it’s so broad (just check out the manual!).
CeH isn’t easy, but as it is a more focused certification with a simpler retake option, you could choose to undertake your own development. If this is your first security qualification, or training is a possibility, of course you should go for it. A good instructor and interaction with your fellow students can be a valuable experience while you’re also able to focus your attention on study.
CISSP v CeH?
I wholly recommend the CeH, but if I had to do just one it would be the CISSP. CeH is well worth doing and I strongly recommend it, but CISSP covers more bases and has more market credibility. It’s an unfortunate product of popularity and online testing across many test centres that test questions and answers seem to find their way onto the internet. This unfortunately does devalue the qualification in some people’s eyes. CISSP has its foundation in paper-based testing with a very small number of test centres; it has now moved into online testing through Pearson Vue. If you do take the exam, please respect the NDA.
Is CeH worth it?
Yes, undoubtedly. It gives you an insight into an important area of IT security within a framework that has built up over several years. Not only does the EC-Council offer the CeH, but it offers further certifications in forensics and security administration, for example. They have produced a nice career path graphic to help illustrate the point.
Do I need to be a hacker or developer to do CeH?
Definitely not. You do need to understand principles and syntax; a high-level knowledge of SQL may be an advantage in some areas, but it’s not essential. You will need to understand TCP/IP, ports, control and networking, but only to a level that I at least would think any IT professional would need a working knowledge of.