While the term “Hacker” got its roots many decades ago, stemming from the manipulation of hardware, evolving into captain crunch whistles and long-distance calls, it wasn’t until the early 2000s that computer hackers would be recognized as a profession. When EC-Council started the Certified Ethical Hacker, it seemed as though everyone ignored the first two words; “Certified Ethical” and simply focused on the third; “Hacker.” The label “Hacker” carried with it a stigma, in the minds of business professionals, “Hacker” denoted a bad character, someone out to damage things, break into a system and steal sensitive information or someone trolling the dark web doing ominous things. Many organizations steered clear of endorsing any form of Hacking or testing on their networks out of fear. Ethical Hacking was seen as an oxymoron, how could a hacker be ethical people would ask, to be honest, occasionally, we still get that question.
EC-Council launched the Certified Ethical Hacker in 2003 amid the skepticism and doubt and provided a beacon to cybersecurity professionals to establish legitimacy in their testing process as well as a way to communicate to the world a framework under which a new practice was born, Ethical Hacking. Fast forward 15 years, Ethical Hacking is now standard practice across Enterprises, Governments, and small organizations alike although it is normally included as a practice in ongoing network assessment, penetration testing, or other risk assessment practices.
Many organizations and governments participate in both defensive and offensive cybersecurity activities, either through network configuration, risk assessment, vulnerability analysis, Penetration testing, proactive network defense, or in the case of government entities, Computer Network Defense, Computer Network Exploitation, and Computer Network Attack commonly known as CND, CNE, and CNA.
At the outset, EC-Council created a framework for Ethical Hacking, ultimately the 5 Phases of Ethical hacking showing a repeatable, measurable methodology for identifying vulnerabilities and the corresponding exploits available. By establishing a methodology and standard definitions, the C|EH has defined an entire profession. More than a quarter of a million cyber security professionals in 145 countries have been trained to be Certified Ethical Hackers. A simple search for the credential on LinkedIn will reveal more than 70,000 working professionals that hold the certification across varying levels in many of the world’s leading companies and government entities. In a nutshell, C|EH has been the go-to credential for nearly 20 years, following are the top 10 reasons you should consider the Certified Ethical Hacker for yourself or your organization.
- Job Recognition
Many Job seekers, especially in Cyber Security find it tough to differentiate themselves, prove their value, and make progressive career moves. Often, the job assignments security professionals take also come with Gag-Orders, or Non-Disclosure Agreements. The nature of the job places our professionals in confidential environments, accessing sensitive data, unearthing the weaknesses in the organizations they work for. When attending an interview, if they are asked: “So tell me about your last job” they have to be very selective about how they respond or risk legal action from their former employer. These are all part of the “Ethical” part of the job. Identifying capabilities, skills, knowledge, experience, and if they are a right fit for the organization can be tough in a mostly unregulated industry. Because of this, EC-Council has been working to advise companies around the world why these skills will be valuable to their IT Security team and what knowledge a certified professional will have. Coupled with the right experience, hiring a certified professional can provide organizations a huge shortcut when it comes to new employee training, certified candidates often assimilate faster into existing teams because of the baseline skills and knowledge they already possess.
A quick search on LinkedIn (April 2019) shows 4,276 current jobs in the United States alone that require C|EH as a decisive selection criterion. Job roles that require C|EH on LinkedIn include Senior Penetration Tester, Security Consultant, SOC Tier 2 Analyst, Cybersecurity Response Manager, Auditor, Network Security Operations, Vulnerability Tester, and of course Ethical Hacker.
Getting paid six figures to hack seems like a dream for many, but to many more it is a reality. C|EH has made a list for ten years now of top paid IT certifications to hold. According to Payscale.com, the current average starting salary for someone holding the C|EH credential is $90,000 per year. Add a bit of experience and some relevant certs and skills, that number skyrockets well into the mid to high 100’s. Current salary trends are fluid, mainly influenced by supply and demand, but there is a significant shortage of qualified cybersecurity professionals and a plethora of companies willing to hire top talent in this area.
Cyber Security, notably Ethical Hacking has seen a tremendous surge in demand and popularity over the past 15 years. This rapid climb has created many opportunists and businesses willing to take your money. They question you need to ask is what value do they provide? How do you know what they are selling will benefit you in the long run? This is a question posed to certification bodies around the world every day. If we (EC-Council) are going to create a personnel certification, how can we ensure we are steering the program properly and not misleading tens of thousands of people? The answer is simple, independent third-party validation. No, we are not talking about customer testimonials, we are talking about ANSI, or the American National Standards Institute, specifically, ANSI 17024. While most schools are regulated by the Department of Higher Education in their State, or the US Department of Education, or an Accreditation body that follows US Dept of Ed rules, professional training and certifications are different. ANSI 17024 regulated organizations follow rigorous standards around the development and maintenance of their exams. Exam blueprints are carefully crafted through a 10-step process that includes:
- Industry Job Role Identification
- Job Task Analysis
- Standards Mapping
- KSA Identification (Knowledge Skills and abilities)
- Courseware Development
- Lab Development
- Exam Development
- Qualified Panel review
- Continuous review, monitoring, and improvement
EC-Council is on a mission to better define the work roles in the Cyber Security workforce and establish baseline certifications that help propel the industry forward. We find that having our certifications. ANSI accredited force the program through an important pre-launch process that curates effective, trustworthy programs that provide real on the job benefits to our certification holders. We strongly advise our customers to “Ask before they buy” when selecting professional certifications, especially in the cybersecurity space. Many companies have started in the past ten years only to disappear a couple of years later because of their design philosophies.
- Recognition by DoD and NCSC
When it comes to Cyber Security in the United States, the US Department of Defense is the single largest employer. The DoD is widespread and their requirements are vast when it comes to Cyber Security workforce. To ensure the workforce meets a minimum baseline standard, DoD Directive 8570 was created providing high-level categorization of IA job roles and requiring professional certification for 100% of the IA workforce. For 11 years, EC-Council has played a critical role in certifying the top tier Cyber Security workforce, known as Cyber Security Service Providers, or CSSP functions. Recently, we have added our Executive Leadership, CCISO, as well as our forensics cert, CHFI to this list in their respective categories, but for C|EH, under 8570, we are a required Baseline certification for over 300 published Cyber Security Job Roles in four out of the five CSSP categories. The Department of Information Security Assurance, DISA maintains the list of valid credentials here: (https://iasae.disa.mil/iawip/pages/isbaseline.aspx)
Also, in a showcase of trust and confidence, NCSC provided the NCSC Certified Training accreditation to EC-Council’s globally renowned Certified Ethical Hacker (C|EH) and Certified Security Analyst (ECSA) programs. The NCSC Certified Training is based on the industry-recognized and highly-respected IISP skills framework, which not only illustrates the array of skills required of information security professionals to succeed in their respective job roles but also evaluates the precise quality of the program’s training and courseware against NCSC’s standards.
The National Cyber Security Centre (NCSC) is an organization of the United Kingdom Government that provides advice and support for the public and private sector in how to avoid computer security threats. Based in London, it became operational in October 2016, and its parent organization is NCSC.
NCSC is one of the three U.K. Intelligence and Security Agencies – beside MI5 and the Secret Intelligence Service (MI6). NCSC Certified Training (GCT) is an initiative in the U.K., aimed at reducing the cybersecurity skills shortage. It certifies cybersecurity training programs at two levels — awareness (creating a foundation in cybersecurity) and application (an in-depth study for professionals and specialists in the field) — to differentiate the highest quality of cybersecurity training from others. During the accreditation process, the training program’s course material, quality of trainers, and course administration are rigorously assessed.
- Mapping to Industry Frameworks
Furthering the development of Ethical Hacking as a profession, the Department of Homeland Security (DHS) in cooperation with the National Institute of Standards and Technology (NIST), as well as Office of the Director of National Intelligence (ODNI) in cooperation with private industry published the NICE framework – National Initiative for Cyber Security Education. This effort resulted in multiple NIST publications helping to further categorize and add standardized definitions to the common Areas of expertise, Job roles, and their associated Knowledge, Skills, and abilities required to be effective in the respective roles. Commonly referred to as the NICE/NIST framework. Executive leadership from EC-Council participated in many of the formative meetings and working groups that led to the publication of this framework and it is commonly used in our development cycles. The C|EH Course curriculum maps 100% to the “Protect and Defend” Domain ensuring relevancy for any organization following the job role categorization of NIST Special Publication 800-181. These frameworks contribute to the definition and professionalization of job roles and activities in Cyber Security and EC-Council is an active, and proactive contributor to these activities.
- Extensive Program + Materials
With the advent of the subscription economy, there are many “online programs” that offer counterfeit programs passing themselves off as complete training programs. These All you can eat, $19.99/ month plans may provide some basic awareness and, in some areas, a good deal of knowledge, but in our experience over the years, comprehensive cyber security training is just not available in these formats. One of the reasons C|EH training programs are not offered in these subscription programs is the level of effort and cost to operate our training approach. We have extensively studied various learning styles and applied the most effective content design formats to our courseware helping us explain complex topics in cyber security through the use of diagrams, charts, reference sections and explanations. Accompanied with our Official Training program run across the globe by Certified EC-Council Instructors, our programs are curated for maximum learning efficacy and complete content coverage mapping back to the standards mentioned above. This approach ensures what you learn in our course, you can use on the job as soon as you leave the classroom.
- Ease of Access (Online-Proctored Testing)
At EC-Council, we don’t take the testing process, or our ANSI accreditation lightly. To uphold and ensure the integrity of our exam, all of our exams are proctored. We strike a balance between availability and integrity by offering a custom exam platform where our exams can be delivered anywhere in the world provided you meet the minimum criteria required for us to ensure your identity and the integrity of the exam while you take it through our global proctoring network. EC-Council has also been a VUE partner for over 15 years delivering our exams in accredited VUE Delivery centers for those who cannot take online proctored exams.
- Hands-On Training via iLabs
Gone are the “Death-by-PowerPoint” days. Today’s students demand technologically rich, sound learning experiences. Teaching tactical cyber security skills can be a challenge, by virtue, we teach our students to break things, as they enhance their skill set, they learn to exploit targets without breaking them, but starting out, they break things… A LOT…. This learning process can be pretty taxing on the facility where they learn, the IT Admins responsible for the Machines and VM’s if proper setup is not complete. This is exactly why we created iLabs. Via iLabs, we spin up a completely private virtual cloud of machines for every student. Embedded in this private cloud is over 2200 hacking tools, malware, viruses, trojans, target machines, Hard drives, etc. all used as part of the learning experience. Example, as we teach students about SQL Injection attacks, our course will teach what SQL Injection is, common command lines used to test for the vulnerability, but in iLabs, we provide our students an attack machine as well as a target machine with a preconfigured website (moviescope) that is setup to be vulnerable to SQL injection. Students are able to perform the attack, create users, escalate privilege and eventually hack into the server through the web front end. Having ready access to vulnerable targets helps students identify what they are looking for, how it may behave, and the ability to repair the code, eliminate the vulnerability and ultimately remediate the risk. This is all available 24×7 through a completely automated Cyber Range tool – iLabs. No need to wait for the lab to open, schedule time, or wait for setup, our tools work through a simple web connection in the browser. We offer more than 140 exercises and labs in C|EH alone to help students master the skills acquired in the C|EH course.
- Strong Global Community
Being a Certified Ethical Hacker, you will be in good company. There are a variety of communities across the globe that are proud to represent their status as Certified Ethical Hackers. With over 70,000 professionals on LinkedIn with our credential and a quarter million that have gone through the program, C|EH is a well-known credential. Becoming active in the information security community, holding recognized credentials has the potential of opening up a world of opportunities to you.
- Performance Based Assessment – C|EH Master
C|EH Master is one of the newest additions to the C|EH program. With rising demand for performance-based training and certification, EC-Council introduced the C|EH master in 2019. In order to achieve master status, you must pass the C|EH exam and the C|EH Practical Assessment. Successfully passing both will award you the C|EH Master designation.
The C|EH Practical Assessment is a 6-hour exam conducted 100% on EC-Council’s own Cyber Range. While challenging the practical, you will have 10 primary activities to perform across 20 scenarios. In addition to the activities, you will have to know WHEN, WHY, and HOW you perform each task to achieve a specific objective related to each of the 20 challenges you will face.
- Demonstrate and understanding of attack vectors
- Perform network scanning to identify live and vulnerable machines in a network
- Perform OS Banner grabbing, service, and user enumeration
- Perform system hacking, steganography, steganalysis attacks, and cover your tracks
- Identify and use viruses, worms, and malware to exploit systems in the target environment
- Perform Packet Sniffing
- Perform a variety of web server and web application attacks including directory traversal, parameter tampering, XSS, and others
- Execute SQL Injection attacks
- Execute cryptography attacks
- Perform vulnerability analysis to identify security loopholes in the target network, communication infrastructure, and end systems
C|EH Master credential holders have proven both knowledge through their C|EH Exam as well as sufficient Skills and abilities after passing a rigorous practical assessment in the domains of C|EH.