CEH or OSCP ?

  • 3 minute read

In the early 2000s, I had decided to take the CEH training from EC-Council at an educational institution in Altunizade, and I had high expectations for this course. Normally, this training, which is given in 5 days abroad, was turned into a 3-month course, if I remember correctly. I thought that by taking this course, I would be able to strengthen my knowledge of how to find and exploit vulnerabilities in software, and how to develop exploitation techniques. However, when one day the instructor showed us how to use the winnuke program, and told me that my expectations should be lowered, I realized that this course would not contribute much to me. In fact, although the training materials had interesting modules such as exploit writing and reverse engineering, these modules were not covered in the course. The reason for this was that EC-Council had decided that the modules between 22 and 26 should be self-study. If I remember correctly, the CEH version at that time was v4 (2003), and when the course began, v5 (2005) was released, so our training materials were updated. To get the certificate, you had to pass a multiple-choice exam (I think it still is).

Over the years, because of the weak training content, the availability of exam questions and answers that can be downloaded from the internet, and a exam system based on theoretical knowledge, I had negative opinions about this training and certification. Setting aside the exam system, the training content was not useful for people who had no knowledge of ethical hacking, and perhaps my expectations from the training were too high, so it disappointed me.

Years have passed and last year, I think it was around the beginning of June, version 6 was released. When looking at its content, while there were 26 modules in v5, v5‘te 26 modül varken v6 consists of 67 modules and its content is quite satisfactory compared to 2005, but as in v5, the most enjoyable and informative modules are not shown to participants as part of the course (modules 1-21 are mandatory, the rest are self-study).

Due to my job, the first question most people ask me is whether I have a CEH certification. For years, I explained why I did not have a CEH certification due to the reasons mentioned above and this year, at the beginning of the year, through my research on ethical hacking training and certification, I came across a training that I found very satisfying in terms of content and exam system, Offensive Security 101, also known as Penetration Testing with Backtrack. As its name suggests, it is a training prepared by the creators of Backtrack, and it can be taken either abroad or online. If you take the training online, you can read the training materials in pdf format, watch the modules in video format, and connect to their servers through VPN to apply what you have learned. It offers advanced knowledge, from discovering security vulnerabilities with Fuzzing, preparing exploitation applications with python, to finding return addresses with ollydbg, compared to CEH. The exam system is incomparable to CEH, as it is entirely based on practice, on the day of the exam, VPN definitions are made to give you access to the exam environment, and if I remember correctly, you were given 4 questions. One question asked you to research a buffer overflow vulnerability in an application and write an exploitation application that allows for remote code execution, while another question asked you to take over a Linux server in the lab and send them a line from a text file located in the root folder, and while doing this, using automated scanning tools (nessus, core impact) is prohibited, in short, the training is very successful from content to the exam.

In conclusion, If you are just starting out, your knowledge level in ethical hacking is low, the instructor is qualified (being a pentester should definitely be a preference), and occasionally, will be able to go beyond the course schedule, even if some modules are self-study (I don’t know if EC-Council allows this), I would recommend the CEH training and certification (you can also make do with the training because of the mediocre exam system). However, if you have some knowledge in ethical hacking and want to certify this with practice, I strongly recommend the OSCP training and certification.

image_pdfShow this post in PDF formatimage_printPrint this page
Total
0
Shares
Tweet 0
Share 0
Share 0
Share 0
Share 0
Related Tags

Mert is a well-known and respected Cyber Security Researcher, Speaker and Blogger. He has been living and pursuing his career in the United States with an Alien of Extraordinary Ability visa (EB-1A), an employment-based green card, since October 2022.

As of February 2023, Mert has been working at SOCRadar® Extended Threat Intelligence as the Head of Security Research & Operations. SOCRadar is a cybersecurity company committed to democratizing threat intelligence and providing superior cybersecurity solutions to thousands of companies in hundreds of countries. SOCRadar's mission is to provide organizations of all sizes with the tools to counter cyber threats.

In his current position, Mert has been advising the CEO on strategic decisions that align with the company's mission, objectives, and overall goals.

He has often overseen strategic initiatives by working closely with various departments, such as product development, sales, and marketing. Also, he has been managing the day-to-day operations of the Security Analyst, Support, and Professional Services teams to ensure efficiency, quality, service, and cost-effective management of resources.

In addition, he has been driving innovation across the product by promoting new ideas and features.

Besides that, he has been managing, mentoring, and supporting a cadre of threat researchers, threat hunters, security analysts, and technical content writers who research cyber threats, vulnerabilities, and trends.

From October 2020 to September 2022, Mert demonstrated his expertise as an Executive Vice President / CISO of IT Security & Risk Management Group which incorporates Cyber Defense Center, Cyber Security Technologies, Cyber Security Architecture, Information Security & Risk Management teams (40 HCs) at Intertech. Intertech is an Information Technology subsidiary of DenizBank, owned by Emirates NBD

From January 2018 to September 2020 as the Vice President, Mert was responsible for the management of Akbank's Cyber Defence Center (CDC) which incorporates Vulnerability Management, Threat Detection, Threat Response & Intel, and Security Engineering teams. (26 HCs)

From 2007 to 2017 Mert was responsible for performing and managing penetration tests, malware analysis, security incident detection, and response as a Technical Lead in the Threat & Vulnerability Management team at IBTech. (Information Technology subsidiary of QNB Finansbank)

From 2014 – 2016 Mert instructed Malware Analysis course in Cyber Security Graduate Program at Bahcesehir University.

In 2003 Mert’s career journey began by discovering a security vulnerability on the e-portal web application of the Yeditepe University where he was studying at that time. After sharing his findings with the executives of the university, he was awarded an achievement grant and recruited as an Ethical Hacker. Mert graduated from Yeditepe University, Information Systems and Technologies in 2006 and Yeditepe University, Master of Business Administration program in 2010.

From the beginning of 2011, Mert spoke at more than 30 technical cyber security conferences. In addition, he was invited as a guest speaker to more than 40 universities to share his cyber security career journey and his profession “Ethical Hacker” to the students as a role model.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like
Read More

Antimeter Tool

Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest…
Read More
0
0
0
0
0
Read More

WhatsApp Scammers

Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
Read More
0
0
0
0
0