Tuesday, April 27, 2010

Certified Ethical Hacker?

Yes, there is such a thing.

Although I'd say that it certifies neither that you are a hacker nor that you are ethical, it does show that you have been exposed to a wide variety of tools that hackers might use to invade your network, so that you will recognize them if you ever come across them, and you will be able to use them to test your own defenses.
("Testing" someone else's defenses without written approval is illegal!)

I strongly recommend that, as a minimum, every network security professional should have this certificate. It took me very little time, most of which was spent finding and playing with some of the programs, and very little money (less than $300 including the test and the review guide) to get it. While it is not the most prestigious certification on the planet (my CISSP is something I prize far more), preparing for it was a good review of all the "hacker tools" I'd read about in the past 10 years, and it reminded me of some tools for network administration that I'd neglected and that have made life much easier (like Microsoft's PsTools).

Update: April 29, 2010

So what does an Ethical Hacker do?
An Ethical Hacker tests a corporation's network defenses, under contract with that corporation, to identify weaknesses in the company's information security, so that the company can fix the problems before a malicious hacker (or cracker) finds and takes advantage of them.

Why would a company need to hire an Ethical Hacker?
They don't want to be the next TJX. Some government regulations require companies in certain industries to have Penetration Testing (simulated hacking) done on a regular basis. The Payment Card Industry Data Security Standard (PCI DSS) requires companies that handle cardholder data to have vulnerability scans run at least quarterly and penetration tests at least annually (Requirement 11). Ethical Hackers can help with some of these goals.

Why did I get certified?
I want to take the EC-Council Certified Security Analyst (ECSA) course later this year, and probably then become a Licensed Penetration Tester (LPT). To do that I needed to get the CEH certificate first.


5 comments:

Unknown said...

In addition to the C|EH, and CISSP, what certifications will help my company most with the following focus areas:

#Threat, Vulnerability and Risk Assessment
#Penetration Testing
#Governance, Risk, and Compliance Auditing

Cheers

Rod MacPherson said...

I'd say that the GIAC certs (GSEC etc.) and CISSP are good for Threat, Vulnerability and Risk Assessment
For Pen Testing, Look for an LPT or GPEN, or OSCP.
Governance, Risk, and Compliance Auditing is probably best covered by the ISACA certs (CISA, CISM,...)

Unknown said...

Thanks, Rod. I'm going for the OSCP later this month. As for the other certifications, I'll see what the training budget is like for my company. If you would put the CISA/M, CISSP, and GIAC certs toe to toe... would you say the CISSP comes out ahead?

Rod MacPherson said...

It depends on what you do. If you are an auditor take the CISA. If you are looking for general security management take the CISM.
GSEC and CISSP cover about the same sorts of materials from my understanding. CISSP holds a little more brand recognition, and I'm told GSEC goes a little more in-depth on the technical stuff.
The problem with the CISSP is that it's "a mile wide and an inch deep", but that's also its strength. You learn a little about everything to do with security, which is good if you are going from a job that concentrates on 1 or 2 domains to a management job overseeing several of them, but it's not going to train you to do anything technical.

Jhon said...

Hackers are not doing any ethical work, so how can they be ethical hackers? And how can they be certified? Very interesting post. The OSCP certification is a very important course.