While the term “ethical hacker” may, at first blush, seem to be an oxymoron, the idea on which the expression is based is that “to beat a hacker you need to think like one.” In fact, that is the tagline used by The International Council of E-Commerce Consultants (EC-Council) to introduce their ethical hacker certification.
The term Certified Ethical Hacker was initially used to describe someone who possessed the skills of a hacker but whose moral code constrained them to stay within the bounds of legal activity. Over the years, "ethical hacker" has come to include all security professionals who provide offensive services, whether as red teamers, penetration testers, or freelance offensive consultants.
The EC-Council organization certifies professionals in various e-business and security skills and knowledge. Their stated mission is “to validate information security professionals who are equipped with the necessary skills and knowledge required in a specialized information security domain that will help them avert a cyber conflict, should the need ever arise.”
The EC-Council has certified over 237,000 security professionals from private and public enterprises. They boast members working at IBM, Microsoft, the US Army, the FBI, and the United Nations.
What is the Certified Ethical Hacker certification?
CEH stands for Certified Ethical Hacker, and it is arguably the best known of all the available EC-Council certifications. It was designed to indicate that the holder understands how to look for weaknesses and vulnerabilities in computer systems and is proficient with the tools used by a malicious hacker.
Employing cybersecurity professionals who know how to deploy the tools and methods of adversarial hackers is extremely valuable to any security team. Intimate knowledge of the offensive strategies likely to be used against their systems is critical to building an adequate defense. Through its overwhelming support and acceptance of the CEH certification, the security industry has signaled its need for a reliable way to recognize individuals with these skills.
Holding a CEH certification indicates the holder has acquired essential skills required to work in the following roles, among others:
- Security Analyst
- Computer Forensics Analyst
- Security Specialist
- Penetration Tester
- Security Engineer
- Security Code Auditor
- Malware Analyst
- Security Consultant
Industry acceptance of the CEH has reinforced the idea that ethical hacking is not just a useful ability but a respectable profession. Acceptance has provided legitimacy to the subset of computer and network skills once pursued only by malicious actors.
What are the CEH exam requirements?
CEH certification applications are evaluated against three eligibility categories. A candidate must meet one of the following criteria to be eligible to take the examination:
Candidates under the age of 18 are not eligible to attend an official training course or attempt the certification exam unless they provide written consent from a parent or legal guardian and a supporting letter from their nationally accredited institution of higher learning.
CEH certification requirements are less stringent than those of many other popular cybersecurity certifications. For this reason, the CEH is often considered an entry-level certification, but it is widely regarded as a must-have for anyone seeking work with an offensive component.
How much does obtaining a CEH certification cost?
The overall cost of any professional certification varies with the experience and prior training a candidate brings to the process. Beyond the application fee, exam fee, and training course costs, candidates should budget for independent study materials and for the ongoing cost of maintaining the certification.
There is a $100 non-refundable application fee for all exam applicants. The application approval process typically takes five to ten working days after the EC-Council receives all required information. Once the application is approved, a candidate must purchase an exam voucher from the EC-Council Online Store or an authorized training partner. EC-Council does not set a minimum exam voucher price for its authorized partners; however, a voucher costs $1,199.00 from the EC-Council Store.
Lastly, training from the EC-Council or a training partner should be arranged; the cost of the exam voucher is often included in the price of the CEH course. A candidate who qualified for the exam on the basis of work experience and who chooses not to take an official EC-Council training course can schedule the exam immediately after approval.
The EC-Council CEH training course covers both defensive and offensive methodologies and strategies. While candidates learn about controls and countermeasures, they are also taught how to bypass and defeat these defenses. The base CEH online instructor-led training course package is $1,899.00. It includes one year of access to training modules, courseware, iLabs, and an exam voucher.
The EC-Council Certified Ethical Hacker Live Course is $2,999. Check with EC-Council for the availability of the Live Course during the Coronavirus pandemic.
CEH certification is maintained by earning 120 Continuing Professional Education (CPE) credits within three years. The credits can be achieved in many ways, including attending conferences, writing research papers, teaching training classes in a related domain, reading materials on related subject matters, and attending webinars. In most cases, the acquisition of CPE credits will cost several hundred dollars each year.
The question that candidates must ask themselves when considering any professional certification is, “will it be worth it in the end?” For the CEH, the answer is most commonly a resounding “yes.” This favorable ROI is particularly true for candidates who desire to work in roles that require an understanding of offensive methodologies to help bolster their organization’s defensive posture.
Deep dive into the CEH exam
The CEH exam is a 125-question multiple-choice exam. Candidates have four hours to complete the CEH exam. Since all questions are multiple-choice, test-takers rarely run out of time during the exam. Many candidates report needing only two to three hours to complete this test.
EC-Council uses several different exam forms. An exam form is a bank of questions administered as a version of the test. EC-Council uses a process of rating each question to ensure that each of their multiple exam forms reflects an equal assessment of the test taker’s knowledge.
Post-exam reports indicate that topics covered include hacking methodologies, scanning methodologies, port scan types, and the responses each type of scan is expected to return. Familiarity with tools such as Nmap, Wireshark, Snort, OpenSSL, Netstat, and Hping is reported as useful to test-takers.
People who have taken the exam consistently report that it is challenging and that adequate study before sitting for it is necessary; many people study for months in preparation for the CEH exam.
Successful candidates often report that a measured study program that consists of a few hours each day over a long period of time is helpful. There are many practice tests available online.
When taking the exam at a physical testing center, the exam will be proctored by authorized personnel at the testing center. Exams can be taken at Pearson VUE testing centers. EC-Council has Pearson VUE test centers located within many of their Accredited Training Centers.
A CEH exam passing score can range from 60 percent to 85 percent depending on which exam form, or bank of questions, is administered for that specific exam. Because the difficulty of any bank of questions will vary, so will the corresponding passing score.
CEH salary information
Because the CEH certification applies to a wide variety of security roles across many organizational types, average salaries also vary. Obtaining the certification can qualify a candidate for advancement to higher-paying positions or for additional pay in their current role.
With the high demand for experienced cybersecurity professionals in today's market, obtaining a CEH opens doors to entry- and mid-level positions. As a security professional's career develops, additional professional certifications should be considered.
According to the job site Indeed, the average salaries for cybersecurity roles that often require or compensate for CEH certification are as follows:
The US Bureau of Labor Statistics projects that employment of Information Security Analysts will grow 31 percent from 2019 to 2029, much faster than the average rate of job growth.
For security professionals desiring to indicate to their current or future employer that they possess the knowledge and skills required to think like an adversary, the CEH is likely the best choice for professional certification. For many, it is only one stepping stone toward their “top of the industry” goal, but a crucial step, not to be missed.
Holding a CEH sets a cybersecurity professional apart from the crowd as someone with abilities beyond following established processes: someone who can think creatively about how to stay one step ahead of an adversary.