2024-01-08

Taking about my experience with the Certified Ethical Hacking certification from EC-Council

• CEH
• cybersecurity
• hacking
• certification

Background

When ChatGPT started gaining traction last year, I experienced a mini-crisis and decided to partially transition into cybersecurity to protect myself against potential AI coding overlords. While I possessed coding competency, I believed that the security field would offer greater resistance against the proliferation of Large Language Models (LLMs) in software. Given my enjoyable experience with a computer security class in college, it felt like a good decision at the time.

And indeed, it was! As I delved into learning concepts in my Certified Ethical Hacker (CEH) course via EC-Council, I found immense enjoyment in expanding my knowledge and perspectives. However, I should have conducted more thorough research when choosing which certification to pursue.

Course Overview

The initial test for the CEH exam involves a 120-question multiple-choice examination. To prepare for this, EC-Council provides a hefty 3000-page textbook along with densely informative labs. All the information covered is potentially fair game for the exam, so it is in your best interest to absorb as much as possible.

I completed the readings and labs within approximately 2 months. Subsequently, I engaged with the exam preparation module to prepare for the test. I soon realized that my notes were inadequate, and my initial approach to the course pass-through was flawed. It took an additional 4 months of index card studying to finally pass the exam.

The Cracks Start Appearing

There’s no avoiding this: the information seemed quite outdated to me. Despite undergoing 11 revisions, EC-Council failed to emphasize modern hacking concepts and tools adequately. Instead, they seemed content with explaining hacking methodologies that were relevant 20 years ago, with only fleeting references to modern protocols.

Consider NetBIOS, for instance. Is it valuable for hackers to understand this outdated protocol? Yes, but the excessive emphasis on it highlights EC-Council’s lackadaisical approach to revising and modernizing their course materials.

The exam questions often delve into highly specific areas, testing your knowledge of tool functionalities, command-line arguments for cybersecurity software, steps in hacking processes, and general knowledge of tools like nmap. My written notes proved insufficient to memorize all this information; I resorted to using flashcards. Thankfully, Anki, which I used previously to memorize GMAT-related content, served me well in this endeavor. I went through the entire book again to discern which pieces of information could potentially appear on the test (my index cards are publicly available here).

Ultimately, the first part of the CEH exam tests information recall. This method doesn’t effectively test knowledge, but I managed to navigate it using spaced repetition.

A Sidebar on the Exam Prep Website

I have to admit that the CyberQuotient test prep site is terrible. The explanations provided for correct/incorrect answers are vague at best and missing/incorrect at worst. Navigating the site is challenging, and it lacks a feature to compile questions for study purposes (which would be extremely useful, considering the module questions rotate).

The Labs

While the labs are interesting, the information presented within them is not easily digestible. On several occasions, I found myself stuck and had to refer back to the instructional videos provided by EC-Council. However, these videos merely required replication of on-screen actions rather than genuine learning and application of concepts. It felt akin to following a “Simon Says” routine.

My Results

So, how did I fare? Well, I scored 67% on my first attempt (a failing grade), then dedicated 3 more months to studying my flashcards, eventually passing with a 77% on my second attempt (after paying a $100 exam retake fee, naturally). I probably could have organized my study routine better, but my learning habits were fragmented at best. The second time around, I honestly had luck with easier questions. But you know what they call someone who barely passes the CEH exam? A hacker… or a sucker.

Conclusion

If you search for ‘Is CEH worth it?’, you’ll encounter numerous opinions discouraging it and instead recommending CompTIA Security+. Although I haven’t taken a CompTIA course myself, I feel confident aligning myself with that perspective. Spare yourself the frustration of dealing with outdated materials and lessons. Don’t repeat my mistakes.

Nevertheless, I plan to attempt the CEH practical exam since I have a free exam voucher. Wish me luck!

LLMs were used to spell and grammar check this blog post.