  • #2293923

    Which certification for an Ethical Hacker

    by aldanatech ·

    Which certification do you think would be most appropriate for an Ethical Hacker (someone hired to legally test a system’s security)? Would it be a Security+, a CISSP, or a CEH? Would it be a combination of each, and if so, in what sequence?

    • #2736646

      Certified Ethical Hacker!

      by joseph moore ·

      In reply to Which certification for an Ethical Hacker

      Well, you can be a Certified Ethical Hacker (CEH) now!
      http://www.eccouncil.org/CEH.htm

      But I think that that certification is for its humor value only, not as a true testament of skill.

      If you really want to shine as a good security expert, go for the CISSP. I plan on doing so this year.

      • #2735077

        CEH

        by dseeger ·

        In reply to Certified Ethical Hacker!

        I would suggest starting with Security+. Then try to do the CISSP; before doing the CISSP exam, just read what steps you need to go through with the International Information System Security Certification Consortium to see if you will be able to qualify to write the CISSP exam.

    • #2736586

      Sorry

      by oz_media ·

      In reply to Which certification for an Ethical Hacker

      Sorry, I have nothing of any use to add, as I read your post (being in Canada) I saw it as

      “C,EH?”

      That’s why we spell Canada that way.

      C-eh-N-eh-D-eh

      Good luck with your certs, again I apologize for not having anything useful to say.
      (welcome to OzMedia 😛 )

    • #2735384

      CISSP if..

      by mlayton ·

      In reply to Which certification for an Ethical Hacker

      …if in this position you will be explaining security concepts to people on different levels of the company. If you are looking for something that proves your practical knowledge, think about the SANS certification – maybe Incident Handler or Intrusion Analyst, which will require a practical to prove you have the skills to back up the resume.

      • #2703249

        The Word Hacker

        by aaron a baker ·

        In reply to CISSP if..

        The first thing that has to go is the word “Hacker”. Then you can think of letters to assign. There’s just no way anybody would or will ever accept any other interpretation of the true meaning of “Hacker”. In the computer world, it’s the equivalent of thief and break & enter.
        Too bad the law doesn’t see it yet. If I were you, I would get very creative and come up with an entirely new name for the type of person who was once a “hacker” and now has changed. Who knows, you might be helping out many others who are contemplating the same thing. Programming re-programmer (CPRP) might be a start. You have an opportunity here one rarely gets in this business. The chance to be totally original. Seize the moment.
        Good Luck
        Aaron a Baker

        • #2703236

          Funny how the word “Hacker” has changed.

          by admin ·

          In reply to The Word Hacker

          When I started with electronics I most looked forward to the “Hardware Hacker” corner in the publication Popular Electronics. At ten years old I diligently breadboarded my first computer, essentially some wired switches and a row of lights. No individual could afford a computer then, but we hacked radio, TV, sound systems and many imaginative automation devices you could only get if you could build them.

          Eventually the early PCs came out and after much reading and practice before I ever got my Atari personal computer I learned to take some shortcuts and share some programming hacks with friends. I made it through college with many late nights on early IBMs in the computer lab although I was not a tech student. Nothing made me feel better (well, almost nothing!) than hearing a fellow computer electronics buff exclaiming: “Nice Hack!” knowing that I had delivered a rather clever solution to the task at hand, and that they appreciated it.

          Nowadays I never utter that once wonderful word outside a select few that actually understand it. It has become, even to those that use it without thinking it’s evil, a word of limitation, of extremely narrow definition and limited creativity. It is no longer a badge of honor, but a “wink wink” nod of evil intent that may possibly be used for good somehow and even more- be used for monetary gain.

          I no longer think the word is recoverable. It has, like many symbols, become so far removed from its original meaning and been assigned a negative connotation so deeply that it can no longer be used by one serious about our profession. This makes me very, very sad.

          The early creativity and joy is something I still find at times in our profession. If you look past the stress and difficult scheduling etc., you will still find young people whose eyes are wide with wonder, amazement and joy about the creative solutions they can build. I encourage them to get together, communicate and invent things, all the real stuff that is still a part of what a hacker once was, but I am largely silent on the term these days.

          In my mind Hacking will never mean:

          1. Using someone else’s scripts without understanding them
          2. Breaking into things you shouldn’t.
          3. Purposely destroying other people’s work.

          I think it’s time we in the computer industry laid the term to rest. I hope the kids come up with some new term to denote the appreciation of creativity. Until then, perhaps you should say you have an emphasis in Security, are a Security Expert, or a related description to align yourself more closely to the field you desire to work in. You may want to consider GIAC for a cert.

        • #2703050

          Indeed it has

          by kaceyr ·

          In reply to Funny how the word “Hacker” has changed.

          When I first started my career in programming, there were two terms used to describe folks who were “above and beyond” in terms of hardware skill, software skill, and an unfathomable hunger for knowledge: Hacker and Cracker.

          Hacker meant someone who actively pursues knowledge and skill in order to create better solutions.

          Cracker meant someone who actively pursues knowledge and skill in order to cause damage to an innocent or an adversary.

          As near as I can tell, the term Cracker has been dropped from tech jargon because of the identical racist term “cracker”, which means one of Anglo-Saxon descent with extreme racial views (also known as a white bigot).

          This is unfortunate, as the two terms were abundantly clear. Now we’re faced with continually refining the classifications of hackers (i.e. hardware hacker, software hacker, ethical hacker, transaction hacker, communications hacker, network hacker, etc.), which benefits no one.

        • #2702667

          vote

          by iting ·

          In reply to Indeed it has

          a soiaer: Soia: Stealing others’ information anonymously

          a podaer: Poda: Pilfering others’ data anonymously

          a podiser: Podis: Pilfering others’ data in secret

          a beodotser: Beodots: breaking and entering others’ data on the sly

          I’m not bored, really

    • #2703858

      Ethical Hacking Cert

      by bklyninpa ·

      In reply to Which certification for an Ethical Hacker

      There would be none. I agree with the previous post about a SANS education. Practical knowledge is best, and SANS provides that type of training. The CISSP or even a CISA would help to demonstrate your understanding and hopeful explanation of the security issues when you actually perform the pen test.

    • #2703854

      cert’s

      by -j.d. ·

      In reply to Which certification for an Ethical Hacker

      How about getting the Ethical Hacker certification?

      -J.D.

    • #2703851

      At ease

      by mrcarpenter ·

      In reply to Which certification for an Ethical Hacker

      From my experience, especially with all the new tech data and programs out there these days, it will not make too much difference what kind of credentials you carry until you get known. It is too easy to falsify any form of ID or credentials. To put your prospects at ease you will need to have a contact page for them to get into and do their own PI work about you to verify who you really are.

    • #2703848

      CISSP Code of Ethics

      by joe werner ·

      In reply to Which certification for an Ethical Hacker

      The CISSP has a fairly comprehensive Code of Ethics. As a certified CISSP, you must subscribe to and observe this code. This could be valuable in reassuring a potential employer as to your ethical status. Check it out at https://www.isc2.org under Information, Ethics.

      CISSP is also a comprehensive exam of the security field, helping to demonstrate that you have knowledge of more than just hacking. As a prospective employer or client, I might value the hacking skills, but would want to find a broad background and understanding as well.

      • #2703837

        more than just computer skills

        by net-engr ·

        In reply to CISSP Code of Ethics

        IMHO, I agree with both the SANS and CISSP approach. What you want to prove to potential employers:

        1) you can interface with business/management
        2) you have social skills and understand how to use them (as social engineering is just as big a part of hacking as computer skills)
        3) you have computer (hacking) skills or at least an understanding thereof.

        The CISSP will demonstrate #1 and #2. SANS will show #3.

        The most lucrative work (and best references) come from involvement at the MIS-director or above management level. Often, computer security investigations by organizations outside of the company’s own MIS/IS/IT dept. are handled above the MIS/IS/IT director level to maintain independence. The best jobs are ones that the CIO or other executive brings in ***with the knowledge and agreement of the MIS/IS/IT director***!!! Otherwise, you can get caught in a political mess when it comes to presenting the results. Ultimately, most MIS/IS/IT directors are happy to have your results when they are in on the project, as your results will often justify additional IT investments for the company.

        Often a good way to start is with a local university. Do some security consulting for them first with the understanding that you want to use them as a reference. Build on that.

        Bottom line: ethical security consulting is really as much or more about business acumen than hacking skills if you want the results of your investigation to do more than gather dust on someone’s desk!

        (BTW, most (non-IT) executives won’t recognize the security certs yet. Bring along bullet point summaries of the cert qualifications with the cert logos to meetings with potential clients.)

        Good luck!

      • #2703769

        I agree, but one more thing….

        by blueknight ·

        In reply to CISSP Code of Ethics

        I agree with Joe on the CISSP cert. One other thing you might want to consider in addition to certification would be joining the local chapter of the HTCIA (High Technology Crime Investigation Association). Visit http://htcia.org/ for info.

        You will have to be sponsored by a current member to join, but these are the folks with many good contacts, a lot of good information to share, and being a member of such an organization would help you to be accepted for that kind of work. Your ethical hacking knowledge would also be helpful to other members of HTCIA.

    • #2703835

      Get ordained

      by sirlanse ·

      In reply to Which certification for an Ethical Hacker

      Get ordained as a priest or a minister in a real church. Then I might trust you with my computer systems. Or hell, just be honest enough to pass a background check.

    • #2703826

      Background Check

      by bucky kaufman (mcsd) ·

      In reply to Which certification for an Ethical Hacker

      I think, if you’re going to make the shift to security, you’d be best to get certification advice from folks in the security industry – not technologists. That’s ’cause you’re talking about more than just a niche certification, you’re talking about a whole career change.

      The folks you’d want to talk to (here, in Texas):
      1. State Board of Private Security – These guys license Security Guards and P.I.’s.
      2. Dept. of Public Safety – These guys license non-federal cops.
      3. National Security Agency – These are the folks who will ultimately grant or withhold a security rating.

      While a Microsoft, Oracle, Cisco, Novell, CompTIA or other certification would give you some credibility with the technology – hackers usually don’t need to be technological wizards. They use most of the same technologies the rest of the world uses.

      What’s *unique* about hackers, or embezzlers, or terrorists, or whatever other kind of crook (or cop) is a willingness to go to lengths others would not.

      For instance, a “hacker” trick is to steal someone’s wallet or purse and use the info contained therein to hack away. Are you willing to take that step?

      If so – there may be a job in security that’s just waiting for you.

    • #2703793

      Persistence

      by phate5180 ·

      In reply to Which certification for an Ethical Hacker

      It’s all about persistence and motivation. I just started fresh out of college and am working for a company that does such testing, and I don’t have any of those certifications. I found a local company that provides these services, went into my interview with the attitude that I won’t take “no” for an answer, and I landed the job. I am actually in the process of getting my Security+ by the end of the summer. For the CISSP I believe you need 3-4 years of on-the-job experience to qualify for the test itself. It makes sense to do it in this order because Security+ is comprised of five domains, where CISSP has ten domains.

    • #2703791

      You must be an MBA …

      by kaceyr ·

      In reply to Which certification for an Ethical Hacker

      – Disclaimer: I put no value of any kind on any of the certifications touted by our industry.

      The idea of a certificate for ethical hacking is at least ludicrous and at most completely stupid.

      If certifications were to exist that would grant any hacker a nod from management, every dangerous hacker on the planet would get one. If you don’t see this, then remove your blinders.

      This idea should be relegated to the ranks of “Official Bikini Inspector”.

      • #2703711

        umm. MBA=no…

        by pporcella ·

        In reply to You must be an MBA …

        …so you “disclaim” (think) certs are of no value? Hmmm… I disagree. IMHO, it means someone went to the lengths to at least prove they know the basics. It’s all up to them to prove hands-on if they know the stuff. Paper Certs vs Hands On is a valid argument… but it’s all up to the employer ultimately to give the prospect a shot, then the prospect has to put his certs where his mouth is… how many “basic” managers would really know what a hash is anyway? IT managers sometimes know the criteria. It’s not necessary for them to know everything about the how-to’s… otherwise you would make the manager the security professional… just my 2 cents

        • #2703247

          Abso-friggin-lutely

          by bkwade ·

          In reply to umm. MBA=no…

          How many job ads have you seen that say no certification required; we’ll take your word for it? Not many I’ll bet. They do serve a purpose…well, most of them do anyway. They are at least a way to judge a person’s ability to learn & regurgitate if not an accurate representation of their skills but hell, even Babe Ruth crawled before he could walk.

          I can also, however, totally see the point of paper certs being BS sometimes. As an IT educator, I regularly see people who are getting certs that I wouldn’t let tie my shoes, much less work on my beloved machines. Unfortunately, they make the grades to pass the classes although they obviously lack the skill set God gave a brick. Not much we can do about that though what with the legal issues and such that are involved. Probably indicative of our entire education system as a whole (hole?).

        • #2703052

          Memorization and shortcuts

          by kaceyr ·

          In reply to Abso-friggin-lutely

          It’s been my experience with “certified professionals” (roughly 30 to 40 of them in my local area) that they are very adept at memorizing study guides and keyword recognition. This enables them to fork over the cash and pass a test on whatever given subject.

          I have worked with a couple of “certified professionals” that demonstrate that their certification actually means something more to them than a higher billing rate, but they are far outnumbered by the individuals that just want the piece of paper so they can justify higher costs.

          My biggest issue with the certs is that the individual gets in the door long enough to be both expensive and useless. It leaves management wondering how the hell they got into this mess and trying to find a way to save face, which often leads to coming down on the people that work for them.

          Hmmmm. I guess my real problem is with the managers conducting interviews who only know the buzzwords and none of the content, and who are unwilling to bring in their own folks who understand at least some of the content because they’re worried about how it may look.

          At any rate, I’m still left at the end of the day with the decision as to whether or not to get certified. I regularly come to the conclusion that I’d rather buy my family a nice dinner than to pay the price to test and receive what has become little more than a pendant for the “I love me wall”.

          Kacey

          BTW: For those who don’t know, the “I love me wall” is a military term used to describe the wall in one’s home for the display of medals and certificates that one has earned.

        • #2723093

          MBA

          by rbanks ·

          In reply to umm. MBA=no…

          College degrees will always be worth more than certs. Having a B.S. degree is like having a High School diploma, and most companies won’t even look at you unless you have one. Basically, unless you’re inventing next generation technology, you don’t work in “I.T.”; you most likely hold some form of customer service position. I work in the hottest thing going right now from a business perspective, IT managed services at HP. My job title is Network Engineer; I spend my day staring at HP OpenView maps for major corporations that used to have so-called IT departments. When something turns red I page the last two guys that work in the so-called IT department, and they fix it. The rest of the time I work with customers to write processes in regards to outages; once we get them stable we ship it off to Asia to be monitored. My advice: get a college degree and get into management, that’s what I’m doing, like information security: James Madison U., The Information Security MBA.

    • #2703697

      I hack

      by cafin8d ·

      In reply to Which certification for an Ethical Hacker

      In discussion to all of this…
      I hack for a security firm in Ontario, Canada… We perform ethical hacks and vulnerability assessments for all ranges of customers, and although the majority of clients base their decisions on references, some of the big guns now require that a CISSP is mandatory (especially for security clearances). Anyone who has hacked and taken a CISSP exam will know that the two are very different, but it does solidify that you might, and I repeat might, have ethics… For those of you starting… Work in an environment that will give you the opportunity to get experience and look into either the CISSP or SANS… and remember: if you are not prepared to “social” a company through lies, deception and stealing… (outlined in a contract of course), forget it…