Certified Ethical Hacker - C|EH


  • HighWiz
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by DjDamyard
    Thanks for the awesome feedback.

    It really means a lot that you guys have taken time out of your schedule to give your opinions.

    I think what I get from all the answers is that it's about showing that I am committed and passionate about hacking/penetration testing/learning. I am also coming to the conclusion based on all your responses that it takes time to work one's way into the job which they aim for, and it's best to start anywhere, as long as that "foot is in the door" that can give me the chance to work my way up to my desired job through showing passion and commitment. I also get that it's not about having the paperwork saying I can do this and can do that, but it's about putting it into action, which I completely understand as if I learn something on paper, I may be faced with the same problem but presented differently if it is on screen or wherever and not have a clue what to do.

    So yeah, I really appreciate the feedback I have received in this thread and I will continue to do what I am doing and showing will to learn new things and expand my knowledge to what is needed to be in my ideal job.

    Thanks again to everyone who answered! It really was a great help!

    I agree with what a lot of the people on here have said.

    That being said, it's not just about your "technical skills" or "experience". You need to network.

    Noid did touch on it, when he said:
    Originally posted by noid
    During this time I was also going to Defcon and building my network of contacts and friends.
    It's not just pen-testing or IT... Whatever industry you want to work in/with/for you need to create a strong network of contacts. Hopefully you'll have fostered that network enough that at some point, when you are looking for a position they will actively help you. Hell, just getting your resume into the right person's hands is a big win. It's not JUST about WHAT you know [though (in most cases) you do need to have the skills to get/keep the job], it's also about WHO you know.

    You may also want to pick up a copy of (InfoSec Career Hacking) http://www.amazon.com/dp/1597490113/ as two of the authors have already replied to you in this thread.


  • not5150
    replied
    Re: Certified Ethical Hacker - C|EH

    I'm a little late to this thread, but figured I'd give some advice. I've done interviews of prospective network engineers/NOC analysts and I've taught certification courses (Cisco and Microsoft) at small and large technical schools.

    CEH is pretty low on the totem pole... especially if you don't have experience/education to back it up. I'd have more respect for someone with A+, Network+, etc certs.

    A big red flag for me is a person who is certed up the ying-yang, but doesn't have technical experience. Some schools (cough LAN-WAN Professionals) will get you certified and fudge the resume by putting you down as a Network Consultant for 1-2 years.

    One guy with a CCNP walked into our office and asked if we were hiring for network engineers. I gave him a little interview since he had the balls to find us. I always ask why they want to get into IT. I'm looking for enthusiasm, ability to adapt, troubleshooting skills and most of all someone who isn't in it just for the money. This guy couldn't telnet into a router. Seriously, WTF.

    Another question I ask people is if they have built their own computer. If they have, I ask

    1. What parts
    2. Where did you buy everything from
    3. How long did it take
    4. What areas gave you problems
    5. What are some things you learned while building the pc

    You can tell if the candidate is a true geek if he starts talking about gpus, quad-core processors, watercooling, etc... For me, it's a HUGE red flag if someone has never built a computer.

    If the candidate brings a laptop to the interview... I ask them about it. CPU, OS, ram, hard drive, favorite apps, favorite websites. It's pretty amazing how many people don't know shit about the laptop they are carrying around.

    As an instructor, I found the best students were the ones who didn't need to be there. People who know how to work their computers, find answers on Google, know basic shortcuts. I get so many students that don't know how to do basic tasks. For Cisco classes, the A+ and Network+ were prerequisites, but these days salespeople will let anyone in. These folks slow the entire class down because they've never worked command line or telnet.

    I could go on and on, but it would raise my blood pressure :) Damn I should be a reddit IAMA - Microsoft/Cisco instructor.


  • loud25
    replied
    Re: Certified Ethical Hacker - C|EH

    Wow, I learned a lot from reading this post and would like to say thank you for your great insight everyone.


  • DjDamyard
    replied
    Re: Certified Ethical Hacker - C|EH

    Thanks for the awesome feedback.

    It really means a lot that you guys have taken time out of your schedule to give your opinions.

    I think what I get from all the answers is that it's about showing that I am committed and passionate about hacking/penetration testing/learning. I am also coming to the conclusion based on all your responses that it takes time to work one's way into the job which they aim for, and it's best to start anywhere, as long as that "foot is in the door" that can give me the chance to work my way up to my desired job through showing passion and commitment. I also get that it's not about having the paperwork saying I can do this and can do that, but it's about putting it into action, which I completely understand as if I learn something on paper, I may be faced with the same problem but presented differently if it is on screen or wherever and not have a clue what to do.

    So yeah, I really appreciate the feedback I have received in this thread and I will continue to do what I am doing and showing will to learn new things and expand my knowledge to what is needed to be in my ideal job.

    Thanks again to everyone who answered! It really was a great help!


  • valkyrie
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by DjDamyard
    Hey!

    I am 18 years old and I'm considering applying to become a certified ethical hacker. Has anyone else done the exam? I've been told I am too young to be doing the exam, but I don't feel that the exam should be restricted due to one's age. I mean, if you have the skill and knowledge, then you should pass, regardless of being eighteen years old, or eighty years old. As much as experience helps, surely it's all about how much you know?

    Has anyone got their certificate so they can pass on information or tips to me? Would anyone advise me not to do the exam or if there are any (preferably cheaper) alternatives?

    Thanks!
    I will chime in on this thread. Chris and Noid are pretty much close to the bone on this. And I humbly have a pointer or two to add, if I may.

    If you are not passionate about your craft, it will show. And I don't want to work with people who are not passionate about their craft. I don't want to work FOR people who are not pleased about my passion for my craft, nor have minimal knowledge of my craft. And you will run across those types of people in your career sojourn.

    My experience has been that security or networking certifications on one's CV are buzz words that may get you an interview. After that, you are on your own personal experience and knowledge.

    Unfortunately, I have become very disillusioned with many of the security certification associations and the organizations that pander to them. Any certification (save some advanced Cisco certs where you do a "practical") only really demonstrates that you know how to study to come up with the "right" answer. It doesn't demonstrate that you actually have two brain cells to rub together to come up with a real-world, real client solution. Nor have the experience to do so. I humbly suggest if one is able, to save the certs until after one has determined the course of one's career.

    Find a mentor. Find a mentor. Find a mentor. I cannot stress this too much. I have been incredibly blessed by the mentoring I have received from some of the people I have met here and others not here. Seek a mentor. You may find one or several for a season or for life, but find a mentor.

    I may be pilloried for this comment, but here goes: Formal education at an advanced level does indeed demonstrate that one has the moxie to see a thing through. However, I would add that with OpenUniversity and other bastions of free learning available to people, a college degree may or may not be in one's best interest due to the costs regarding finances, time, stress and frustration.

    It's amusing to point out that I have asked a non-college grad who had a passion for mathematics but no degree to diagram a complex mathematical formula to resounding success. And have asked a college graduate in mathematics to diagram the same formula, only to meet with confusion and not so much success. And here we go back to point one. :-) The former was successful because of their passion for their subject. The latter was not because it was part of their prescribed coursework to get a degree -- Not passion.

    If you are going to study, study something that jazzes you off the walls, the ceiling, has you up at all hours and makes you fall in bed with a huge grin on your face. You spend more than half of your life at your craft, you know?

    Yes, yes, yes: keep learning, keep growing, keep giving of your time, your talent, your passion wherever you can find a place to give it, to gain practical experience, will definitely show up well: on a resume, in a face-to-face interview, and most especially in a life well lived.

    I apologize for the length of this and respectfully leave the podium.

    Regards,

    Valkyrie
    __________________________________________________
    sapere aude


  • sintax_error
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by Chris
    Good point. I don't actually shitcan because they have the cert. I shitcan them because they are proud of having a shitty cert (the CEH specifically). If they were worth a shit they'd have realized that cert isn't, and wouldn't have included it on their resume.

    Thanks for helping me get this out correctly.

    So how do you really feel about the CEH cert?


  • Chris
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by bjaming
    I think shitcanning a person's resume because they *have* a particular certification is just plain stupid (no offense) because to me holding certifications illustrates a desire to learn and understand technology and manufacturer best practices.
    Good point. I don't actually shitcan because they have the cert. I shitcan them because they are proud of having a shitty cert (the CEH specifically). If they were worth a shit they'd have realized that cert isn't, and wouldn't have included it on their resume.

    Thanks for helping me get this out correctly.


  • Bbox
    replied
    Re: Certified Ethical Hacker - C|EH

    DjDamyard,

    I think it's clear from the answers in this post that there are as many different views on what is wanted/needed to be hired as there are different types of people applying for the same job.

    Bottom line, work hard to be the best you can, always keep educating yourself in your field of interest, keep an open mind and learn from others willing to share knowledge and experience and don't be an A$$.

    Earn your good reputation from hard work and showing your competency, not "grandstanding" by trying to show a company's vulnerabilities just so they will hire you. If you are hired for that "grandstanding", look out when they fire you after with a "What have you done for me lately".

    Best of Luck, I hope you find what you're looking for in a career.


  • bjaming
    replied
    Re: Certified Ethical Hacker - C|EH

    I think passion for a particular position can be reflected in an individual's desire to go out and get "certified". I agree though, just having a certification won't get you through an interview with me.

    It will get your resume considered and forwarded to me by HR, and it will influence the way I interview you, if you say you have an MCSE, CCNA, NCDA, CEH, etc etc expect me to question you on those specific technologies, failure to answer those questions in a phone screen or in person interview will always result in me recommending you not be hired.

    In short, in my opinion certs are a good thing, but not the only thing.

    Of course my opinion is colored by the fact that I have alphabet soup after my name :D

    I think shitcanning a person's resume because they *have* a particular certification is just plain stupid (no offense) because to me holding certifications illustrates a desire to learn and understand technology and manufacturer best practices.


  • Griff1371
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by DjDamyard
    Heard stories of when a guy/girl approaches an organisation with a list of vulnerabilities in their system and says (s)he can help the organisation with their security. Very risky approach, probably not my scene. And I'm guessing nobody recommends this grey hat approach, but has anyone had any experience of anything like this?

    I know "Geohot" got employed by Facebook shortly after his Sony hack, lucky bastard. Any other examples?
    Look at what happened to Adrian Lamo, also known as the Homeless Hacker. He went around finding vulnerabilities in networks and websites and told the owners about them. He wasn't doing it for money, he was just doing it for security awareness in general to no benefit of his own. Some businesses were probably both surprised and happy that they told him, and he moved onto another network. Eventually he ran into a business that wasn't pleased at what he did and pressed charges. I believe he served some time but I don't remember exactly. Anyone know a bit more of the details?

    Geohot had a bunch of legal problems with Sony before he went to work for Facebook as well.


  • sintax_error
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by DjDamyard

    Heard stories of when a guy/girl approaches an organisation with a list of vulnerabilities in their system and says (s)he can help the organisation with their security. Very risky approach, probably not my scene. And I'm guessing nobody recommends this grey hat approach, but has anyone had any experience of anything like this?
    That's just plain old fashioned blackmail. The stories you've been told likely came from Hollywood originally. You're young. Work your way up the chain, take your licks and learn from it. A career isn't what you see on TV where the only people in the field are in their early 20's screaming something about dynamite going boom every 10 minutes, you've got time.


  • noid
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by DjDamyard
    Can I ask the age of most of the people on here?...

    Or maybe it's better if I asked at what age you began to climb in your own business/started off in a job which has led you to where you are now?
    The ages of people on here run the full gamut. We have users ranging from their teens to a few nearing retirement.

    For me, personally, I got started in tech at 22 by working as a technician. I started off as an in-house tech for a services company fixing computers that came in for repair. I later advanced to being a field technician who went directly to customer sites to fix computers and printers. The work sucked, was long hours, and the pay was shit but I got good experience troubleshooting different issues. On the side I was playing with Linux (which was new at the time) and doing networking at home w/ my roommates. The company I was with had a networking group so I used to hang around them and pester them with questions whenever I was having an 'in-house day' (i.e. no field calls). Most of them were familiar with things like Windows networking (pre-NT4), Novell NetWare (the reigning champ of the time), and Banyan Vines. No freeware/Open Source versions of that stuff so it was all new to me. On several occasions they reached out to the services group to tap me to help them when they ran across UNIX stuff. If I had stayed with that company there was a very good chance I would have eventually ended up in the networking services group.

    During this time I was also going to Defcon and building my network of contacts and friends. I got poached by a large company to become a security analyst at Defcon one year and officially had my first *paid* job doing security. Yup, I got a job from going to Defcon.

    Eventually my department got downsized and I was given the opportunity to move back east or take a severance package. With the .com boom just starting off I took the severance package and rode the .com wave and got a ton of experience (and a lot of worthless stock options). Since then I've worked steadily for large companies, expanded my skillset, and also began learning those oh-so-important business skills..


    Originally posted by DjDamyard
    Interesting. So if I want to be hired as a white hat for some company, I can still list IT related jobs even if it does not include anything to do with pen testing or whatever?... That's reassuring.
    Frankly, I'd be leery of you if you didn't. It would be like someone applying to be a brain surgeon without ever having been a regular surgeon before. If the first time you've ever cut into someone is when you perform your first brain surgery, I'd be horrified. I'd rather see that you've spent 10 years removing appendixes and fixing up people who've been in car crashes while you were going to brain surgeon school at night.

    First off, to understand security, you need to understand the thing we are applying security to. If you want to find flaws in things you need to know how they work first. There's an old saying that admins make the best hackers. The reason for this is because they understand how everything works to such a level that going around things in their way is frequently seen by them as just part of the job and not even as hacking. Realize that doing Information Security/Assurance is a *specialty* within the fields of programming and networking. You work towards doing that as a goal, you don't start there.

    Originally posted by DjDamyard
    Heard stories of when a guy/girl approaches an organisation with a list of vulnerabilities in their system and says (s)he can help the organisation with their security. Very risky approach, probably not my scene. And I'm guessing nobody recommends this grey hat approach, but has anyone had any experience of anything like this?
    This is just dumb.


  • noid
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by astcell
    Noid, you say that you want folks who can learn, but then you say you want them to have gone to college. What skills do you want people to have before they see you, and what do you feel they can learn out of college that still has value to you?
    Note, I said to go to college if you can. Not having a degree isn't a deal breaker with me. Not having a degree is a deal breaker with some folks though, plus there does seem to be a certain point where not having it stifles career growth depending on what you want to do with your career. That said college isn't for everyone. It certainly wasn't for me when I was in my late teens/early 20s.

    Originally posted by noid
    Used to be that unless you went to college for it, you sucked at it. How can you have experience with Linux servers when you didn't go to college?!?.
    That was intended as sarcasm. It's a level of 'old thinking' that I used to come across a lot early on in my career. There was a belief that if you did it and didn't get paid for it, the experience somehow didn't count. There was also a belief that unless you formally went to school for it, there was no possible way you could be any good at it.

    This largely came from the institutionalized beliefs that the only way to learn something was to go to college and the only way to prove that you were good at something was to show that someone agreed enough to have paid you to do it. I suppose at one point this logic made sense when it came to computers, as if you didn't learn computers in college or in the military where the hell did you have access to one? I mean, those things are huge! Now that a 16 year old can build a virtual corporate network on the same consumer hardware he uses for video games, the rules are different.


  • astcell
    replied
    Re: Certified Ethical Hacker - C|EH

    Noid, you say that you want folks who can learn, but then you say you want them to have gone to college. What skills do you want people to have before they see you, and what do you feel they can learn out of college that still has value to you?


  • DjDamyard
    replied
    Re: Certified Ethical Hacker - C|EH

    Originally posted by noid
    2. Experience. Sorry DJ Damyard, but I am more often than not looking for experience. When we have a position that needs to be filled, odds are it's been a long time in coming and we want to hire the guy/gal who can just do the job with minimal fuss. That said when it's a junior position and we know that we're not going to find an experienced person who wants a junior role I personally tend to look for the person who is looking for their big break provided they have #1 and #3 on this list. I don't want to bring you down on this, so please understand in my case I'm typically involved in hiring for senior level positions for folks who are 'mid-career' so that's where my perspective comes from. You're 18 now. By the time you're applying for these types of positions, the experience thing will be a non-issue.
    Can I ask the age of most of the people on here?...

    Or maybe it's better if I asked at what age you began to climb in your own business/started off in a job which has led you to where you are now?

    Originally posted by noid
    But let's say you're active with your local LUG, or you volunteer down at the animal shelter doing free IT work on their computers (or pro bono IT work for doctors, dentists, and lawyers in exchange for services..hint hint)..that's experience regardless of the fact that you're not getting paid*
    Interesting. So if I want to be hired as a white hat for some company, I can still list IT related jobs even if it does not include anything to do with pen testing or whatever?... That's reassuring.

    Thanks for the feedback guys! It really is a MASSIVE help and is GREATLY appreciated.

    Heard stories of when a guy/girl approaches an organisation with a list of vulnerabilities in their system and says (s)he can help the organisation with their security. Very risky approach, probably not my scene. And I'm guessing nobody recommends this grey hat approach, but has anyone had any experience of anything like this?

    I know "Geohot" got employed by Facebook shortly after his Sony hack, lucky bastard. Any other examples?
