Preface: This article is entirely my opinion, based on my direct experiences with EC-Council courseware, training, and examinations. I currently hold an EC-Council certification. This might change if they ever read this and manage to round up enough outsourced Indians to figure out who I am.
Background
As you may or may not know, I am not your run-of-the-mill backend web admin fiddling around with web servers, but actually a senior-level information security professional. Security is in my title at my current job. I live and breathe blue team operations and corporate security policy for a large and profitable organization. I hold multiple certifications from multiple organizations that validate my experience in my role and I continue to seek out more for fun and bragging rights. I have handled full scale incidents and implemented policies and systems that have stopped breaches before they occur. I even use Lain.la as a bouncing off point for ideas I then implement at work.
Some time ago, I was provided an employer-paid seminar for training in pursuit of an EC-Council certification.
(For those not aware of the EC-Council, here is the Wikipedia short definition: "The International Council of Electronic Commerce Consultants (EC-Council) is an American organization that offers cybersecurity certification, education, training, and services in various cybersecurity skills. EC-Council is headquartered in Albuquerque, New Mexico, and has certified over 237,000 professionals from 145 countries.")
This training was not my choice, but it was free (and there was booze), so I believed I had nothing to lose and happily obliged. This article will detail that experience, from training, to content, to the exam. Per the EC-Council NDA, I cannot tell you actual questions from the exam; however, I can certainly give you an idea of what was wrong with it. The training, the exam structure, and the company themselves are the focus of today's long overdue rant article. TL;DR: They suck, and these certs have next to no value.
The Training
The instructor-led, in-person training was free to me, as it was sponsored by my company. It took place over a three day period, for roughly eight hours a day, in a fancy hotel stocked to the brim with free drinks. The environment included one large eBook for course materials, and a homegrown lab environment (CyberQ - and no, not the cloud BBQ thermometer) replicated on demand for you to use for course tool simulations. It seemed like a promising environment for learning.
The start of the course discussed basic information security principles such as the CIA (Confidentiality, Integrity, Authenticity) triad, with some call-outs to non-repudiation and availability. Defense-in-depth, policies and procedures, attack vectors, risk management, and so on, were all quite solidly done. The charts were well made and I had no complaints about the information provided. I even enjoyed their definitions of organizational policies such as "permissive" and "paranoid", which described whitelist/blacklist postures in the context of network privileges. They describe exactly what you think they do.
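To make the "permissive" versus "paranoid" distinction concrete, here is a small added example (mine, not course material or anything from EC-Council): a toy policy evaluator in which the permissive posture is default-allow with a blocklist and the paranoid posture is default-deny with an allowlist. The rule sets and the sample connection attempts are constructed for illustration; the point is to see which connections the two postures decide differently.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One list entry: a source network plus an optional destination port."""
    network: ipaddress.IPv4Network
    port: Optional[int] = None  # None matches any destination port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.network
                and (self.port is None or self.port == dst_port))


@dataclass(frozen=True)
class Posture:
    """permissive: default allow, the rule list is a blocklist.
    paranoid:   default deny, the rule list is an allowlist."""
    name: str
    default_allow: bool
    rules: tuple

    def decide(self, src_ip: str, dst_port: int) -> str:
        listed = any(r.matches(src_ip, dst_port) for r in self.rules)
        if self.default_allow:
            allowed = not listed   # listed traffic is what gets blocked
        else:
            allowed = listed       # only listed traffic is permitted
        return "ALLOW" if allowed else "DENY"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed rule sets (assumptions for this example, not a real policy).
PERMISSIVE = Posture("permissive", True, (
    Rule(net("203.0.113.0/24")),   # a range we have decided to block outright
    Rule(net("0.0.0.0/0"), 23),    # telnet from anywhere
))
PARANOID = Posture("paranoid", False, (
    Rule(net("10.0.0.0/8"), 443),  # HTTPS from the internal range
    Rule(net("10.20.0.0/16"), 22), # SSH only from the admin subnet
))

# Constructed sample connection attempts: (source IP, destination port).
SAMPLE_TRAFFIC = [
    ("10.20.5.7", 22),
    ("10.9.9.9", 443),
    ("10.9.9.9", 3389),
    ("198.51.100.4", 3389),
    ("203.0.113.77", 443),
    ("198.51.100.4", 23),
]


def evaluate(posture: Posture, traffic=SAMPLE_TRAFFIC) -> dict:
    """Decision per connection under one posture, keyed by 'ip:port'."""
    return {f"{ip}:{port}": posture.decide(ip, port) for ip, port in traffic}


def divergences(traffic=SAMPLE_TRAFFIC) -> list:
    """Connections the two postures decide differently: the unknown traffic
    that a blocklist lets through and an allowlist stops."""
    out = []
    for ip, port in traffic:
        p, q = PERMISSIVE.decide(ip, port), PARANOID.decide(ip, port)
        if p != q:
            out.append((f"{ip}:{port}", p, q))
    return out


if __name__ == "__main__":
    for posture in (PERMISSIVE, PARANOID):
        print(posture.name, evaluate(posture))
    for conn, perm, para in divergences():
        print(f"{conn}: permissive={perm} paranoid={para}")
```

The two postures agree on anything explicitly listed (the blocked range, telnet, the permitted SSH and HTTPS sources) and disagree only on traffic nobody wrote a rule for, such as RDP from an unlisted host. That residue is exactly what the permissive/paranoid terminology is about: which way the policy falls when it has no opinion.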
In general, I found the course material, when referring generally to concepts, was on target. Granted, it is hard to screw this up, as best practices are enshrined in multiple security standards frameworks such as ISO 27002 or NIST 800-53. But, they did a fine job anyway with this section. Where things get very strange is when they start trying to apply their concepts to tooling.
The Tooling
I'm going to list a few tools here that were mentioned as "industry standard" in the EC-Council training. If you have ever actually used one of these in an enterprise environment, feel free to send me an email justifying your use of snake oil.
- Buck-security, a 300-line Perl script written seven years ago with zero follow-up commits that I kept mishearing as "fuck security". https://github.com/davewood/buck-security
- Microsoft Baseline Security Analyzer, a tool for which Microsoft has written an article on how to remove it. https://learn.microsoft.com/en-us/windows/security/threat-protection/mbsa-removal-and-guidance
- MagicTree, a Java Swing based application used to take notes during incident response, for which half of the FAQ concerns known bugs. https://www.gremwell.com/magictree_faq
- PILAR/EAR, another Java Swing based application from Spain that uses Comic Sans on its homepage. https://www.pilar-tools.com/en/
- Helix 3 Enterprise, a strange toolkit with a website that has buttons that say "Reveal the truth" instead of just "Read more", and a copyright date of 2014. There is also a vBulletin forum that probably has some great reading (read: pointing and laughing) material. https://www.e-fense.com/products.php
I could go on and on. The vast majority of tools purported to be "in use by real security professionals" are complete dead-ends, leftovers of a bygone era with purchasing portals now simply kept online to pour money in someone's pocket. Pure security theater. And here's the worst part: These tools are asked about on the exam! You are expected to know what each outdated, dogshit tool does for when they sling a poorly worded multiple choice question at you.
The Labs
CyberQ is their platform for delivering lab exercises in a browser. It auto-provisions multiple machines for you that are networked together with tools loaded and ready to go. You can flip between them easily. While launching the labs was a bit slow (understandable, 3 VMs will take a moment to replicate), the orchestration was quite impressive. Push button, receive VMs that were interactable in a browser, with Windows and Linux and remote reset options and their own isolated network ready to go. They were hosted on Hivelocity, which is a name I've heard before, actually, when speedtesting VPSes off of BuyVM. The hypervisor in use was KVM. I suspect a third party built this platform for them, but it is bespoke and entirely for EC-Council purposes, which I can respect. Here's a small screenshot (ignore the arrow; taken from a support forum):
The labs themselves, however, were a complete sham, due to the above tooling problems. The other students in the class, unfamiliar with anything they were being shown, really weren't able to participate much, and we were given all of 10 minutes to do 1 basic operation like install an MSI and fiddle with whatever it installed. Honestly, if you replace the labs with real-world scenarios and real-world tools and systems, and throw people at it for an hour or so, they'd have themselves a pretty nice environment. (They did have one for Nessus which was nice enough).
I do want to point out that one lab was actively malicious, in that it teaches candidates that the tool it features is a good one. The tool was known as the Ekran System, an employee monitoring tool designed for middle managers with nothing better to do except micromanage-by-dashboard. It is presented under the guise of a DLP / insider threat solution. Have a gander here: https://www.ekransystem.com/en
We were instructed to throw a working email address into their demo box to retrieve a demo key. Of course, doing this would then open you to assault by their sales team, and probably violates their terms of use. Aside from that, the tool itself should never be implemented in a production environment. There are far superior alternatives, such as data loss prevention solutions, PII classification systems, EDR with device control (USB), and paying your workers a fair wage so they don't get motivated to steal your shit. See also: SOC 2 reports.
The Exam
Ugh. This was the real crap cherry on the shit cake. For starters, this was my first experience with remote proctoring, because I couldn't be bothered to go to a test center, and I actually have a throwaway OS on a laptop for this sort of thing now so I don't feel like I'm opening myself up to a breach. Here's the list of issues I had with it:
- LogMeIn Rescue is used for the remote control and management of proctored computers. Wonderful.
- It is delivered via "Exam Specialists", another bespoke EC-Council tool. It looks more like I'm getting a prostate exam here rather than a cybersecurity exam.
- 1-2 outsourced Indians will be guiding you through the remote proctoring session. I really wanted to stealthily record or probe what they were doing to my computer, but I didn't quite care enough to do so, and just wanted it over with.
- They make you do the classic 360 degree room scan so you're not hiding an answer booklet or reference material, by rotating your webcam a bunch. Quaint.
- You have to keep your camera and microphone on for the entire exam. I hope they enjoyed Nugget meowing in the background, and me scratching my chin in quiet contemplation (read: barely contained rage).
I get that testing integrity needs to be maintained while allowing convenience, but honestly it's just shit. You provide these remote agents access into your machine the same way you provide a real malicious actor a backdoor, with little to no limitations. If I caught someone doing this on company property I'd hand their ass to them. It's a backdoor, plain and simple. Very ironic.
The exam itself: Terrible. Spelling mistakes, grammar mistakes, ambiguous questions, questions with both right answers and correct answers in the same question (read: right answers are what you'd actually do in a real setting; correct answers are what they want you to do instead). Questions pinned on tools nobody would ever use. It's a miracle I even passed, and that's as someone who would, at this point, be an exam-taking expert. I can wholeheartedly say I am never taking another EC-Council exam ever again.
The Real Problem
So this is where we get to the real meat of what I'm trying to say here. Just as some people believe Israel is not a legitimate state, I believe the EC-Council is not a legitimate security organization. With the flaws in their outdated material, they are actively setting up cybersecurity hopefuls to fail by leading them down the wrong path. The theory in their material is all generally okay, but the execution of that theory will get you fired when you, bright eyed and bushy tailed, bring up these Mickey Mouse tools at a change review board meeting, or run them without asking for permission and blow up the IT infrastructure. You can even see this happen in real time. Have yourself a gander at this fellow, who passed the same exam I did.
https://www.youtube.com/watch?v=CdQV4Ci3v0M
I like his energy and spirit. He seems like a hopeful junior employee. The problem is that he is woefully unqualified to be doing what he is doing, and would be lulled into a false sense of professionalism with the "EC-Council high" in his sails. I could criticize the missteps he makes in the video, but honestly it's like kicking a puppy. He's going to sit in his windowless office and run OpenVAS/Greenbone (if he figures out how to install it), and then pray to his deity of choice that active scanning doesn't crash anything he scans. Then the reports will get printed out, say there's 100,000 problems, and he'll be tasked for the next five years trying to fix a few and getting zero support doing so, at which point he'll take down production in the name of security and get into a shouting match with whoever is in charge of prod. He needs a guide, an ego check, and a goal worth reaching to get back on course.
The integrity of their testing is also to be questioned. Ignoring plagiarism allegations and the horrible multiple choice questions presented to the test taker, their material is ALL over the internet, and a cottage industry has popped up selling exams, test banks, training, and more. Despite all the NDA stuff they make you sign, they have a real data loss prevention issue. Very ironic. Here's an example: https://www.ebay.com/itm/174103291733.
At the end of the day, the EC-Council exams simply certify you as a professional test-taker and EC-Council blowhard. It barely teaches security along the way, and can shit out employment candidates who are negligently malicious in the execution of their job duties and look like this while doing it:
Really, the only goal of the EC-Council appears to be to make money, as their exams and materials are the most expensive out of all of the major players (The CEH exam is $1,200, almost 2x the price of the CISSP, an actual, respected certification), despite being a deceptive and decrepit cybersecurity company. I know if I do any security hiring, I'll need a candidate with any EC-Council certification to explain why they have one, and what they learned from it. If the answer isn't "I learned what cert not to get", their resume will be relegated to the circular file.
-7666