Home > Blogs > On the EC-Council's Certified Ethical Hacker (CEH) Certification

On the EC-Council's Certified Ethical Hacker (CEH) Certification

You might notice that the International Council of Electronic Commerce Consultants' (EC-Council's) Certified Ethical Hacker (CEH) certification is conspicuously absent from the list of approved vendor-neutral certification programs that qualify an individual for DoD Directive 8570 compliance. In my humble or not-so-humble opinion, the U.S. Department of Defense was wise to overlook the CEH; let me explain why.

First of all, let's cut through the baloney: with small exception, most IT certification programs represent a business model and one or more revenue streams for a technology vendor or vendor consortium. The EC-Council, such as it is, is no different from most other programs in this regard

Who is the EC-Council? Are they a respected authority in information security? Are they a leading technology vendor? Are they a non-profit consortium of IT industry leaders? Who vouchsafes EC-Council's authority in the industry? The truth that might strike you as surprising is that the EC-Council started with two guys from Malaysia. And no industry body, at least in the USA, accredits EC-Council in any way, shape, or measure.

According to the ANSI Web site, EC-Council has applied for ISO/IEC 17024 accreditation, but is considered a "preliminary applicant" at this time.

Second, although I have yet to sit for the CEH exam myself, I have several friends who are CEH instructors and/or candidates and they tell me that the CEH exam (Exam #312-50; register with VUE or Prometric; $250 registration fee) contains a significant number of typographical and/or logical errors in the live exam. This lack of editorial support for an exam that is distributed nationally by recognized exam registrars is, to me, completely unacceptable and inexcusable.

In my opinion, the CEH represents a "boutique" certification that is not worth the time, money, and effort to attain, at least for most IT professionals.

I can hardly count how many students I have seen in my former EC-Council-accredited training center who were all hot and bothered about earning their CEH so they could become hip, slick, and cool "Ethical Hackers." Many of these folks hid black-hat hacking aspirations beneath their thinking caps, truth be told.

The naiveté of these certification candidates, in combination with EC-Council's marketing, lead these fine men and women to think that prospective employers will knock down their doors with job offers once they have their CEH in hand. Truth is, I would hazard a guess that not too many hiring managers in the U.S. (a) have ever heard of the CEH; and/or (b) place much value in this title when compared to, say, Security+ or CISSP.

In my view, there is much to be suspicious of when we consider EC-Council as a legitimate organization. For instance: is EC-Council headquartered in Malaysia, New York, Nevada, or New Mexico?

Finally, let's consider their official training materials. You will shell out over $2,000 for instructor-led training that uses the "official" EC-Council CEH curriculum. What does the student receive for his or her money?

At last check (CEH v5), each student receives a small crate containing three telephone directory-sized student manuals. Look, friends: I am an instructional designer with a master's degree from Cornell University in curriculum design. I know good curriculum when I see it. The CEH curriculum is not good curriculum.

Most of what you will find in the CEH student manuals is what we in the instructional design field call "fluff" or "filler." There are some nuggets of good information in those books; however, in my opinion the content can be compressed to one-third of its current size. For one thing, screen captures and PowerPoint slide images consume at least 3/4 of every page. For another thing, the books were obviously designed by someone with little to know instructional design experience. Their organization is terrible, to say the least.

Although CEH candidates are not required to attend an official CEH course in order to become certified, you must admit that the high-priced books yields a very tidy lil' revenue stream for EC-Council. High-priced curricula + high-priced exam + mediocre content + hype = business model that isn't taken very seriously by those in the information security industry.