Certified Ethical Hacker, Huh?

There's still and will continue to be a shortage of ethical hackers. We need more such professionals! They are people who, using tactics, techniques and procedures also employed by malicious hackers, strive to improve organizations' security posture. People who, in ethical hacking, identify, analyze, evaluate, report and even recommend treatments for security vulnerabilities.

To work as an ethical hacker, a person usually has to pursue certification in some way. Then, they will do everything possible to be named a "certified ethical hacker." Oddly enough, or perhaps not, this is word-for-word the name given to a widely recognized, maybe the most, ethical hacking certification worldwide. However, after a couple of readings, the following question came to me: Should the person who has this certification be called a "certified ethical hacker"? Before giving a possible answer to this question, let's get down to business by understanding what this certification is all about.

The Certified Ethical Hacker (CEH or C|EH) certification was created by the International Council of E-Commerce Consultants (EC-Council) in 2003. The EC-Council says this "credential is recognized as the gold standard of ethical hacking" and "the CEH program is the world's first and longest-running sole ethical hacking certification." The CEH program actually has three certifications: CEH (ANSI), CEH (Practical), and CEH (Master). The first two are obtained by passing the corresponding exams. The last one is simply a certification received after obtaining the previous ones. Each is valid for three years and can be renewed after that time. Let's look at the ANSI and Practical credentials in more detail.

We could say that this is the dominant CEH certification. It has the addition "ANSI" in its name for the accreditation it received from the American National Standards Institute. The CEH (ANSI) has existed for about 20 years and is obtained by passing a closed-book theory exam. This exam consists of 125 multiple-choice questions and has a maximum duration of 4 hours. As a prerequisite to apply for it, the individual must take an EC-Council's official CEH training course (the CEH version 12 course was launched in September 2022) or demonstrate at least two years of work experience in IT security and pay a non-refundable fee. (It is worth noting that such official training is usually only a five-day boot camp.) In order to pass, the test taker must achieve at least a percentage of correct answers, which, some say, can vary from 60% to 85%.

The CEH (ANSI) exam is said to generally cover the following topics:

This certification, which appeared much later, in 2018, is instead achieved by passing an open-book, hands-on exam. In this exam, where the test taker can google, read and view online material, they must apply their skills in 20 challenging scenarios. What they cannot do is take handwritten notes or contact other people. There is a maximum of 6 hours and a 15-minute break. The exam is always proctored on a meeting platform, which will be in recording mode, so the individual must have an active webcam and microphone. There are no prerequisites to apply for the CEH (Practical) exam, although it is specially designed for those who have already obtained the CEH (ANSI) certification. To pass, the individual must complete at least 14 challenges correctly.

In the CEH (Practical) exam, a real corporate network is emulated with virtual machines (VMs) and applications within the browser-based environment of EC-Council called iLabs. Specifically, it is said that two VMs are provided to solve the challenges and answer the questions: one VM in Parrot OS and the other in Windows 7. In neither of them, there is Internet access; it is from the host of the test taker that this can be done. EC-Council says that the following aspects are evaluated:

Some people also suggest taking into account processes such as OS banner grabbing, service and user enumeration, cryptography attacks, steganography and packet sniffing. In several recent posts, it is often noted that what is needed to pass this exam is knowledge of the proper use of specific tools. These include Wireshark, Nmap, John the Ripper, Hydra, sqlmap, Metasploit, WPSscan, Veracrypt, and SNOW, among others (here is a list that may be useful in this regard). Concerning helpful applications or spaces to practice, some mention Damn Vulnerable Web Application (DVWA), TryHackMe, and Hack The Box.

DVWA is a vulnerable PHP/MySQL web application that helps to practice identifying "some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface." TryHackMe, on the other hand, is an online platform with free and subscription models to learn and improve cybersecurity skills with hands-on exercises or "hacktivities" in various labs or rooms. For example, there are some labs to practice using tools such as Nmap and Hydra and applying procedures such as cracking hashes, SQL injection, basic pentesting, or, in general, exploiting OWASP Top 10 vulnerabilities. Hack The Box is a similar space to the previous one. Apart from this, people with the monetary resources to access iLabs may have the advantage that, as some remark out there, CEH (Practical) is "usually 90% what they practice there."

The challenges in the CEH (Practical) exam are similar to capture-the-flag (CTF) exercises, which, as we will see below, leads to their criticism. Some people in their publications highlight sample questions similar to the following:

In this post's first paragraphs, we emphasized the high value the EC-Council places on its CEH certification ("the gold standard of ethical hacking"). They state this "is a required baseline certification for many different job roles" in an IT security team (e.g., security analysts, information security officers, and pentesters). And, precisely, that's how it seems to be viewed by human resources (HR) departments or non-technical leaders in plenty of organizations. Nevertheless, many cybersecurity professionals do not feel the same way. Even so, I think Robert Willis' opinion in the book Tribe of Hackers Red Team may be accurate:

But why is there a dissension, and why are CEH certifications a source of derision among some specialists? These, rightly, can be foundational certifications that open doors for many people to the world of IT security. They serve to validate basic knowledge, especially for beginners in the area of ethical hacking. But here's where part of the rub arises. CEH certifications confer the title of "Certified Ethical Hacker" or even "Certified Ethical Hacker Master," as if obtaining them were proof enough to declare that someone is an ethical hacker or even an expert in the field.

Following the logic of the EC-Council prerequisites and people's comments on the Internet, these certifications are not strictly geared towards hackers or pentesters. Moreover, they are not directly intended to make a person a certified ethical hacker. "Passing this exam," says one ethical hacker on his blog, "will not make you a hacker at all; it will show that you're interested enough in hacking to learn some basic syntax and lingo." The EC-Council itself states that "CEH is meant to be the foundation for anyone seeking to be an ethical hacker." Therefore, the CEH certification is not a reliable guarantee that the individual who holds it is, in fact, an ethical hacker. But how the heck can it be so? Doesn't that go against the name of the certification?

In light of this, I am shocked to find statements like this: "Many employers are willing to pay a premium for candidates with CEH certification because they know that these individuals have the skills and knowledge needed to protect their networks and data." Not necessarily so! Such individuals may be just newbies, some of whom might honestly claim they are not hackers. A true certified ethical hacker or pentester should have experience as such in the "real world" or have achieved different and higher certifications than this one. The problem is that many of them are not as well known or are more challenging to obtain than the CEH. CEH certifications, following Willis' comment, are more of a "wild card" to add to the CV in order to increase the chances of being hired, not in itself a certification in ethical hacking. Someone may want to get one of these certifications not to be an ethical hacker but simply to become recognized for a position closer to cybersecurity, for which they could aim just for the CEH (ANSI).

Another striking issue is that the CEH (ANSI) certification, not the CEH (Practical), continues to enjoy the greatest demand and recognition, a certificate based simply on a multiple-choice exam. Exams of this type are among the passive testing strategies, which involve merely recognizing information after reading and memorizing material on specific topics. It is even absurd to come across observations like this one on the web: "If you understand the concepts, you should be able to identify the incorrect answers. The goal is to at least identify two incorrect answers out of the four answers, leaving two possible options, thus giving a 50/50 chance of selecting the correct answer." It's as if they were advising the potential test taker, "Read enough about the topics and keep a coin in your hand just in case."

On the CEH (Practical) side, as mentioned before, the challenges are similar to CTFs ("find 'x' or figure out 'y'"), and the methodology they require from the test taker ends up being quite far from that usually applied by hackers in the "real world." As noted on Medium by a woman named Tsitsi Flora, "They do not require a lot of thought, just knowing which tools to use will get you by." Others even go so far as to say that, for those with experience, at least in Hack The Box and TryHackMe, for instance, they turn out to be easy-mode exercises or even a joke. Regarding knowledge and skills, the CEH (Practical) usually comes in comparison to the OSCP (Offensive Security Certified Professional), a certification more preferred and respected by experienced pentesters.

The OSCP, compared to the CEH (Practical), is more rigorous, more difficult, more realistic (not such a guided process), and, of course, more time-consuming (the test taker has 23 hours and 45 minutes to complete the exam), so it requires more preparation. It is even said that "If you have been hacking for years and take the OSCP, there's a good chance you may still fail." Something that is supposed to be very unlikely to happen in the case of CEH. Thus, some genuinely interested in becoming hackers speak of attaining the CEH Practical or Master's merely "as the appetizer for OSCP." Meanwhile, "Prospective employers are asking for CEH-certified applicants far more often than OSCP holders" (sometimes without specifying which CEH certificate they require).

Now, on pricing issues, is it worthwhile for a beginner to aim to enter cybersecurity and build basic knowledge with the help of the CEH certification? Flora, for example, referring to the CEH (Practical) she had recently achieved, states that "For $550, no." "For just $99, maybe. Still not a straight yes." (We won't go into further pricing details here, which you can check on the official sites of the certifications mentioned). Certifications like CompTIA Security+, about the same level as CEH (ANSI), are said to be a hell of a lot cheaper. It's worth noting that several posts I read, such as Flora's, about CEH (Practical), were published by people who managed to get it at low prices (e.g., $99), thanks to scholarships. They also say that beyond the recognition, there seems to be no real value in obtaining the CEH Master if the person already has the OSCP, for example. Likewise, they suggest that people opt for a beginner certification, such as the eJPT (eLearnSecurity Junior Penetration Tester), instead of CEH (Practical), and then move on to OSCP.

Finally, in order to answer the fundamental question of this post (i.e., should the person who has this certification be called a "certified ethical hacker"?), based on all the above, we should say no, not necessarily. A person, even having the CEH Master, should not always be called a "certified ethical hacker." That should not be the appropriate name, at least in many cases. These CEH certifications per se would not allow us to properly label a person as a certified ethical hacker, but rather their experience or other credentials. We should keep in mind that an individual may not have any certificate and yet be sufficiently prepared and be considered a true ethical hacker or pentester. So, according to EC-Council's purposes and requirements to grant these CEH certifications, the latter's names should be different. Just to name an alternative, the CEH (ANSI) could be called instead "Certified in Offensive Security Basic Knowledge" and the CEH (Practical), "Certified Junior in Hacking Tools," or something like that.

It's that name! Gosh, "Certified Ethical Hacker" seems to say too much, and that's why it's pretty appealing. Part of the CEH's exaggerated fame may lie precisely in the "marketing behind [its] name." Add to that the fact that it has been around for a long time and, of course, that organizations like the U.S. Department of Defense and the U.S. National Security Agency, for example, approved it as premier security certification. In any case, if you have sufficient resources or a scholarship, you can opt to obtain the CEH certifications, which will be useful, at least in terms of recognition. By the way, if you are interested in entering the world of cybersecurity and even becoming an ethical hacker, Fluid Attacks has the doors open to you. Just contact us!