Recently I decided that I'd start a new certification and lo and behold I saw somebody had tweeted stating that Cisco was now offering an 'Ethical Hacker' certification so I figured, why not?
I wasn't going to be going into this as a fresh faced greenhorn rookie, I actually have some experience in penetration testing. I am a certified Junior Penetration Tester by eLearnSecurity (now INE) and I've held pretty high spots on CTF platforms like TryHackMe and Hack The Box as well as a handful of courses done both free and paid (even SANS 😲).
I already have VMs of Kali Linux, Parrot etc etc so I am well versed and familiar with the tools I would be working with.
So the only logical thing to do in these circumstances is do a 'knowledge check'
Yes thats right.
I'm a madman.
I went straight to the exam section of this course and blasted it out.
Amazingly Cisco is pretty lenient with this and they allow you to take multiple attempts at the exam as far as I can tell there isn't any cool down however in my example I only needed 1, 1 attempt and I got it done 😎
There are probably very few people in this world that can say they just went straight to the exam and managed to land a passing score from what I recall my score was actually 96.x%
It wasn't a straight 100% because let's face it no one is perfect but also it was well above the 70% to actually earn the certification.
Upon completing the course I decided that I'd go back and actually have a rifle through the course material.
Now the material itself is actually well planned out, it's covered a vast spectrum of different things quite well all to what I would call the 'junior level' even though this is marketed as an 'intermediate level' course.
Of the things that are covered in this course I thought it was quite interesting to see a very large section on Social Engineering attacks as well as going over the exploitation of Wired and Wireless Networks, looking into Application Based vulnerabilities, Cloud, Mobile and IOT but now as time goes on I feel like these would be things that would be covered at the 'fundamental level' ayway.
The 'lower level' so to speak, as you need to have touched and played with everything to gain a better understanding of it as well as find what specific niche, if any, really tickles your fancy.
There's a very good section on Post Exploitation Techniques and obviously things like covering your tracks and removing your exploits and jotting everything down. The actual reporting side of things is very important and it's one of the things that I wish I could have done better when I did my OSCP attempt.
All in all it's really good content.
Again, I didn't expect it to have some of the things that it does like the Social Engineering Section, using the browser exploitation framework (BeEf), how to do a phishing campaign... Good stuff really!
Now for this thoughts section I'm going to get a little more 'open' about things I guess you could call it.
Now there is a reason for that because I think this would be a better value for you as a 'new' person looking to get certified in cybersecurity then something like the CEH.
Yes that's right, I said it, the CEH and this course seem to have a lot in common but also that being said my OSCP Training Documents also have a lot in common with this course.
That appears to be the trap that we fall into with the 'junior' and 'intermediate' level courses and exams, they all seem to be the same thing run by different suppliers, some cost more and some cost less.
Honestly this was a fun way to spend the morning it got me used to how Cisco thinks about things and how the format for some of their exams questions might go in prep for the CCNA/CCNP like; how they might present a multiple choice question to you, or how they might present a web link question where you have to do an 'answers A, B, C' and link them to the relevant answer.
All in all and I said it just a few lines up I think because this is a free certification you should 100% go for it!
You don't have to spend hundreds and hundreds of pounds earning the CEH or something like that, yeah every recruiter in their mum knows what a CEH is and for some weird reason every employer wants the CEH even though it is a colossal bag of sh*t (in my opinion), actually let me rephrase this part, maybe the CEH is ok, but ISC2 are ABSOLUTELY untrustworthy (in my opinion) after the stunt they pulled to cover up board member elections (the million free certified in CC certs thing, free but you have to pay renewals for a minium of 3 years, so in 3 years time ISC2 has a big pile of money) I still don't like them BUT the CEH is also a multiple question and answer exam so.... value for money wise is going to Cisco every time.
This Ethical Hacker certification from Cisco has the potential to absolutely dethrone and replace the CEH. It has question and answer formatting for the exam but the material has you spinning up testing VMs etc and If enough people pick up on it, spread the word and make it so that it IS something that employers and job recruiters are looking for and know what it is, it is going to be 100% worth your time and effort.
All in all, it's 'Dan approved'.