Re: Certified Ethical Hacker - C|EH

I can only speak for my own practices and don't pretend to speak for how others do business but when I get a resume with CEH on it I shitcan the resume. In my opinion it's absolute garbage, so no, I wouldn't get it. I also know I'm not the only person that handles CEH resumes this way.

Re: Certified Ethical Hacker - C|EH

+1 here on CEH. As far as certs go, it's bottom of the heap for me.

Re: Certified Ethical Hacker - C|EH

Thanks!

Saves on quite a lot of money to be honest!

So when you get someone's resume, what do you look for? What makes one stand out from the others? Please tell me it's not experience! Ha!

Re: Certified Ethical Hacker - C|EH

It's experience. It's also education. When I still interviewed (and hired) people, education was high on my list. There are some things that a four year education gives you that you can't easily find any other way. For one thing, you get a decent foundation in math. For another, you show that you can stick to something for four years.

Enough experience will always take the place of education, but a resume with both will get more attention than just one (or the other).

I'd say more (I often do), but I haven't been awake long, and I'm still drinking coffee (which I require to become fully human). Eighteen is *young*. Don't be in such a rush to jump into the fray.

Re: Certified Ethical Hacker - C|EH

I hired an MCSE, CCNA. A+ guy who brought in viruses, lost laptops, ruined RAIDs and didn;t know how to change a user password. All his certs did was let me skip 4 of the 20 questions I had for him on the interview. Wish I never hired him but others were impressed by papers.

Re: Certified Ethical Hacker - C|EH

I look for relevant experience, but that experience doesn't have to be in a previous job history. If you know a lot and like to tinker around, try and find some volunteer opportunity or involvement with a hackerspace. Something that can generate some sort of 'audit trail' that shows you actually know what you're talking about.

If you can accurately format and capture some things you've done outside of a job, than can be verified, then list it!

Re: Certified Ethical Hacker - C|EH

When Hiring (Not necessarily IT people, but any key position) Most organizations look for knowledge, experience and most importantly CHEMESTRY.

Knowledge is important for the task you are being hired.

Experience, not specifically at the job/task your applying for, but a track record of consistency at things you have done, whether it be schooling, involvement in an organization or something else.

CHEMESTRY. You can be the most intelligent, talented and brilliant at the task, but if you can not fit into the organization it will not work for either the employer or employee. I am an old timer, I have seen this over and over. When the person hiring finds a person that has the skills needed and has the personality needed that fits the style of the organization it's a great long term deal for both.

Think about working for IBM vs Google. IBM is more corporate and more structured, you work set hours are required to wear conservative clothes. Google you work in more of a free spirited atmosphere, more leeway on work hours and dress code. Both need good people, but some fit the corporate structure and strive in it and others do better in the more free spirit environment.

What I am trying to tell you, is apply to organizations you can see yourself fitting in and being happy at for a long time.

Re: Certified Ethical Hacker - C|EH

Thanks for the amazing feedback everyone. Really helps a lot!

I'll continue with my studies, show a keen interest in cyber security and tinkering with things and I will throw in CVs and resumes about the place. I'll try to find some places where I would be very comfortable and fit in with ease, rather than somewhere where I would have to change a lot just to fit in.

Once again, thanks very much!

Re: Certified Ethical Hacker - C|EH

When I'm involved in hiring I look for the following:

1. Desire/Passion for the job. I get that you need to work and that you need a job for workin', but why do you want to work *here*. I don't want you to take a job with my department because we were the first ones who offered you a position. I want the person who fills my open role to be doing backflips because *THIS* was the job they were hoping they'd get.

2. Experience. Sorry DJ Damyard, but I am more often than not looking for experience. When we have a position that needs to be filled, odds are its been a long time in coming and we want to hire the guy/gal who can just do the job with minimal fuss. That said when it's a junior position and we know that we're not going to find an experienced person who wants a junior role I personally tend to look for the person who is looking for their big break provided they have #1 and #3 on this list. I don't want to bring you down on this, so please understand in my case I'm typically involved in hiring for senior level positions for folks who are 'mid-career' so thats where my perspective comes from. You're 18 now. By the time you're applying for these types of positions, the experience thing will be a non-issue.

To that effect, when starting out remember to start slow. Find the job you want and the job that you can do. Don't be worried about career growth early on. The days of starting in the mail room and working up to CEO are long gone. Take the job that will get you experience and worry about climbing the corporate ladder later. Sure you might get lucky and fall into a role that allows you to get promoted up and up as you grow, but more likely you'll promote yourself down the road when you quit and take a better job. These days that's how you move up in the business world. I fully understand that in my current role my pathway to promotion is to take another job within the company thats higher up the ladder. Also avoid taking the job that's on the very upper edge of your experience, especially early on. When you've been doing this for nearly 20 years you get to fuck up from time to time, but when you're just starting out it doesn't look good..Find the job that will give you experience but is a job you can do. While there you'll get opportunities from time to time to showcase that you've got other skills that will let you regularly 'meet and exceed expectations'.

3. Education/skills. Used to be that unless you went to college for it, you sucked at it. How can you have experience with Linux servers when you didn't go to college?!?. It may still be that way in some parts but at least here on the west coast of the US, education is where you find it. Obviously, if you can, go to school and get a degree in something. I dropped out of college and did just fine...till a few years ago when I realized that to get to where I want to be I need a degree. So at nearly 40 I get to go back to school and finish the degree I should have completed in my 20s. But let's say you're active with your local LUG, or you volunteer down at the animal shelter doing free IT work on their computers (or pro bono IT work for doctors, dentists, and lawyers in exchange for services..hint hint)..that's experience regardless of the fact that you're not getting paid*. Basic certs are good when you are just getting started as it get's you past the HR phone screener. The HR person doesn't understand fuck-all about the position they are interviewing you for..they have a checklist of 'must haves' and 'nice to haves'..if you get most of the check boxes filled you get to interview with someone who actually knows what the hell is going on..So things like A+, Security+, Network+, CCNA, etc are all good things to have. That said, avoid hiding behind certs or using them like alphabet soup in your resume. A guy who's been doing this 15 years or so will have an alphabet soup of credentials after his name..but when the new guy has it, well it looks suspicious. Also, realize that those certs are solely for getting past the HR people..a hiring manager will expect you to have the skills regardless of the cert so be prepared to demonstrate them if asked rather than falling back on 'but I have my Network+'.

Bonus Cautionary Tale: I once interviewed a candidate for a security analyst position. The candidate was young and had only a year or two of networking experience. He had no formal security experience but he did have a CISSP. The fact that he had no experience specific to security was not a deal breaker for this role as the skills needed for it could be taught. The right candidate needed to have prior experience with networking, a good understanding of security concepts, and most importantly a passion for security. To me, he interviewed poorly. When I drilled him on 'What if..' and 'How would you..' scenarios he constantly fell back to the fact he had a CISSP. I finally had to explain to him that whomever at the CISSP class told him that getting your CISSP meant that money would rain down from the sky and that you'd never have to answer anyone's questions ever again fucking lied to him. I explained that waving your CISSP around was to be seen as a challenge and that I was accepting that challenge. He now needed to prove to me that he knew what he was talking about and it was pretty clear that he learned what he needed to learn to pass the test. Despite me not recommending him for hire, my boss hired him anyways. He lasted 2 months. I don't think he did a damn thing during the 2 months he was employed. Moral to the story, don't be that guy.


*Although I do still encounter companies that have an attitude that unless you got paid to do it, it doesn't count. That attitude is changing, slowly..but it's still there..

P.S. I forgot to add..and this is important..never stop learning. Take any and every opportunity to learn something new. Common trap IT folks fall into is becoming the subject matter expert on something and then resting on their laurels. They think 'I'm the only guy who knows how the VMS system works..I have job security, they *can't* get rid of me because I'm the only guy who can keep that thing running! Check and mate, Mr. Corporation!'. Then one day in the break room you over hear 'Hey, did you hear we're finally getting rid of that POS VMS system after all these years? Good thing too, it was old and worthless. Can't wait to replace it with something newer and faster. Man I feel sorry for that old guy who admins the thing, it was the only thing he was good at..'

Seen it and it's sad..

Re: Certified Ethical Hacker - C|EH

Noid I completely agree. If you know a lot and have passion for what you are doing then the person giving the interview will be blown away. Remember make it seem that they need you more then you need them.

Re: Certified Ethical Hacker - C|EH

Can I ask the age of most of the people on here?...

Or maybe it's better if I asked at what age you began to climb in your own business/started off in a job which has led you to where you are now?

Interesting. So if I want to be hired as a white hat for some company, I can still list IT related jobs even if it does not include anything to do with pen testing or whatever?... That's reassuring.

Thanks for the feedback guys! It really is a MASSIVE help and is GREATLY appreciated.

Heard stories of when a guy/girl approaches an organisation with a list of vulnerabilities in their system and says (s)he can help the organisation with their security. Very risky approach, probably not my scene. And I'm guessing nobody recommends this grey hat approach, but has anyone had any experience of anything like this?

I know "Geohot" got employed by FaceBook shortly after his Sony hack, lucky bastard. Any other examples?

Re: Certified Ethical Hacker - C|EH

Noid, you say that you want folks who can learn, but they you say you want them to have gone to college. What skills do you want people to have before they see you, and what do you feel they can learn out of college that still has value to you?

Re: Certified Ethical Hacker - C|EH

Note, I said to go to college if you can. Not having a degree isn't a deal breaker with me. Not having a degree is a deal breaker with some folks though, plus there does seem to be a certain point where not having it stifles career growth depending on what you want to do with your career. That said college isn't for everyone. It certainly wasn't for me when I was in my late teens/early 20s.

That was intended as sarcasm. It's a level of 'old thinking' that I used to come across a lot early on in my career. There was a belief that if you did it and didn't get paid for it, the experience somehow didn't count. There was also a belief that unless you formally went to school for it, there was no possible way you could be any good at it.

This largely came from the institutionalized beliefs that the only way to learn something was to go to college and the only way to prove that you were good at something was to show that someone agreed enough to have paid you to do it. I suppose at one point this logic made sense when it came to computers, as if you didn't learn computers in college or in the military where the hell did you have access to one? I mean, those things are huge! Now that a 16 year old can build a virtual corporate network on the same consumer hardware he uses for video games, the rules are different.

Re: Certified Ethical Hacker - C|EH

The ages of people on here run the full gamut. We have users ranging from their teens to a few nearing retirement.

For me, personally, I got started in tech at 22 by working as a technician. I started off as an in-house tech for a services company fixing computers that came in for repair. I later advanced to being a field technician who went directly to customer sites to fix computers and printers. The work sucked, was long hours, and the pay was shit but I got good experience troubleshooting different issues. On the side I was playing with Linux (which was new at the time) and doing networking at home w/ my roommates. The company I was with had a networking group so I used to hang around them and pester them with questions whenever I was having an 'in-house day' (i.e. no field calls). Most of them were familiar with things like Windows networking (pre-NT4), Novell NetWare (the reigning champ of the time), and Banyan Vines. No freeware/Open Source versions of that stuff so it was all new to me. On several occasions they reached out to the services group to tap me to help them when they ran across UNIX stuff. If I had stayed with that company there was a very good chance I would have eventually ended up in the networking services group.

During this time I was also going to Defcon and building my network of contacts and friends. I got poached by a large company to become a security analyst at Defcon one year and officially had my first *paid* job doing security. Yup, I got a job from going to Defcon.

Eventually my department got downsized and I was given the opportunity to move back east or take a severance package. With the .com boom just starting off I took the severance package and rode the .com wave and got a ton of experience (and a lot of worthless stock options). Since then I've worked steadily for large companies, expanded my skillset, and also began learning those oh-so-important business skills..


Frankly, I'd be leery of you if you didn't. It would be like someone applying to be a brain surgeon without ever having been a regular surgeon before. If the first time you've ever cut into someone is when you perform your first brain surgery, I'd be horrified. I'd rather see that you've spent 10 years removing appendixes and fixing up people who've been in car crashes while you were going to brain surgeon school at night.

First off, to understand security, you need to understand the thing we are applying security to. If you want to find flaws in things you need to know how they work first. Theres an old saying that admins make the best hackers. The reason for this is because they understand how everything works to such a level that going around things in their way is frequently seen by them as just part of the job and not even as hacking. Realize that doing Information Security/Assurance is a *specialty* within the fields of programming and networking. You work towards doing that as a goal, you don't start there.

This is just dumb.