If there was ever a time to get into the IT security field, it’s now: The Bureau of Labor Statistics (https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm) expects the sector to grow 18 percent by 2024, and according to a survey (http://www.hp.com/hpinfo/newsroom/press_kits/2014/RSAConference2014/Ponemon_IT_Security) by the Ponemon Institute, demand for talent so outweighs supply that 40 percent of IT security positions are expected to go unfilled in 2014. The pay isn’t bad, either: the average information security analyst in the U.S. makes over $96,040 (http://www.bls.gov/oes/current/oes151122.htm) per year.
While many IT security certifications exist, the three main ones for ethical hackers are:
If you plan on skipping the classes and taking the exam without training, you’ll need to submit proof (https://cert.eccouncil.org/application-process-eligibility.html) that you have at least two years of experience in IT security.
A big benefit of the CEH certification is flexibility: there are options for self-study, video lectures you can watch at your own pace and instructor-led lessons you can take online. The EC-Council even provides the option of bringing training to your business or organization. Upgrades for physical courseware, additional practice exams and tablet usage are also available.
Instructor-led lessons take place from 9 a.m. to 5 p.m. over the course of five days, and students can access online labs for up to six months. The latest version of the test consists of 125 multiple-choice questions. Students have four hours to complete the exam and must receive a score of at least 70 percent to receive the certification.
The cost of the CEH depends on the level of instruction needed: it ranges from $825 for the basic self-study coursework all the way up to $2,895 for instructor-led courses, online lab access, a test voucher and a test prep program. If you don’t buy the voucher, the test itself costs $500, and all students must pay a $100 application fee.
The CEH certification provides the most general knowledge of the three highlighted here. “It’s not focused on a specific software product, technology or skill domain,” Coggin explains. “It provides a broad survey of various domains in computer security.”
To this end, the course covers everything from how to scan networks and identify basic viruses to hijacking web servers and penetration testing.
The Benefits
The greatest value the CEH certification holds is being able to put it on your resume. When it comes to getting a job as an ethical hacker, “CEH is the original standard,” says Albert Whale, president and chief security officer at IT Security, Inc. (http://www.it-security-inc.com/). Petraglia agrees, and says it’s “probably the best recognized” of the three certifications.
According to PayScale (http://www.payscale.com/research/US/Certification=Certified_Ethical_Hacker_(CEH)/Salary#by_Jo), median pay for CEH-certified professionals is as follows:
However, as some bloggers (http://markhaase.com/2013/08/10/ceh-review/) have noted (http://pwndizzle.blogspot.com/2012/09/ceh-vs-oscp-vs-gpen.html), the certification has its caveats. The course is heavy on text and video instruction, without a lot of hands-on practice. Another complaint is that the material is outdated and too simple to be useful for day-to-day use.
Summary: If you’re looking to break into the field of ethical hacking, the CEH certification offers a great opportunity to get ahead of other applicants, but don’t expect to learn everything you need to know from the course materials alone.
Regardless of which route you take, you’ll also have to spend $599 to take the GPEN certification test. Should you choose to skip the course and go straight for certification, the cost of the test rises to $1,049.
The open-book exam consists of 115 multiple-choice questions. You must complete it within three hours and score at least 74 percent to receive certification.
Through over 30 labs (and a final, team-based “capture the flag” event), students get hands-on experience in every facet of pentesting, from detailed reconnaissance and scanning to writing a polished penetration testing report from both a management and a technical perspective.
“The focus of the class is to learn how to do penetration tests that have high business value,” Skoudis explains. “We teach technical excellence so it has real business impact. The goal is to get you ready to do a comprehensive pentest.”
The high cost is a formidable barrier, but the SEC560 course provides a nice balance between theory and hands-on practical application, and does a good job developing the “soft skills” necessary to thrive as an ethical hacker in the business world.
“SANS training is awesome,” Bangia says. “The instructors are the top people in the field and know technology better than anyone in the world.”
You’ll most likely be taking this course online, as live training is only available in Las Vegas. The price you pay depends on how long you want access to the online labs: it ranges from $800 for 30 days up to $1,150 for 90 days. This price includes online video lessons, access to the labs and the certification test. You can also purchase additional lab access time if you need it.
An important thing to note is that the OSCP certification bucks the trend of a normal multiple-choice test. Instead, you’re given a virtual network with varying configurations and are tasked with researching the network, identifying vulnerabilities and exploiting them in order to gain administrative access. You must also detail your findings in a comprehensive penetration test report, just like you would do on the job.
“It’s one thing to successfully exploit a vulnerability, but then you learn how to escalate privileges [exploit bugs to gain unauthorized access] and use that as a stepping stone to the next objective. You learn how to automate a great deal of tasks, sift through large amounts of data and identify targets using scripts you write yourself.”
The Benefits
Be forewarned: the OSCP isn’t for the faint of heart. The hands-on approach takes a lot of time and trial and error, but this can be extremely beneficial in the long run.
“I think the best part of the course is that it’s completely hands-on,” Westin says. “Offensive security needs to be learned in an actual, legal environment, where you’re hands-on with the tools in real scenarios.”
According to PayScale (http://www.payscale.com/research/US/Certification=Offensive_Security_Certified_Professional_(OS), median pay for professionals with OSCP certification is as follows:
The hands-on modules and training, coupled with the OSCP’s unique simulation exam, provide real-world experience that other certifications may lack.
“To get a concealed carry permit, you don’t need to prove you know how to use a gun,” Westin says. “You just pay your fee, get fingerprinted and learn some basic safety principles. But hands-on certifications like the OSCP are more involved, where you need to not only know how the gun works, you also need to be able to put it together, pass accuracy tests and demonstrate your ability to use it in real life scenarios.”
Pros at a glance:

CEH: Low cost, flexible course options, widely recognized
GPEN: Teaches soft skills, excellent instructors
OSCP: Hands-on exercises and exam
At the end of the day, these certifications are merely a supplement to real-world experience, not an alternative. Even then, having a wealth of security knowledge and a passion for the industry can only get you so far.
“Felt Hat (http://en.wikipedia.org/wiki/Cowboy_hat#mediaviewer/File:Felthat.jpg)” by Ealdgyth (http://commons.wikimedia.org/wiki/User:Ealdgyth), used under CC 3.0 (http://creativecommons.org/licenses/by/3.0/), cropped/resized.