Wednesday, November 14, 2018

PenTest+ vs CEH Certifications: What's the Difference?


There are 20 million IT professionals worldwide, many of them with aspirations of becoming an ethical hacker.

In order to be marketable, or keep up with your company's demands, it is necessary to continue your training. This can be in the form of classes or studying for and taking tests.

The CEH Certification, or Certified Ethical Hacker Certification, is a certification that objectively tells employers you know how to hack computers, especially if you take the CEH Practical Exam. This is important for companies who are unaware of their vulnerabilities. After passing this exam, you will often get hired to find and fix security issues. Consider Alpine Security’s CEH Training to help you get CEH certified.

CompTIA's PenTest+ is also an exam that certifies you have the necessary skills to work as an ethical hacker. This exam, however, is newer and aims to make up for what the CEH certification lacks. It was launched in the summer of 2018. Thus, many IT professionals are wondering if they, or their staff, should take this test instead. The CEHv10 Practical now makes the CEH a "practical" certification as well, but the Practical is not required to become CEH certified. Like Alpine's CEH course, Alpine Security's PenTest+ course is taught by real-world, expert penetration testers.

Read on to find out how the tests differ and which one is right for you.

Who Can Take the Exams?

Both exams have a recommended prerequisite for test takers.

The CEH certification requires that you prepare for the exam with a certified training course, either online or in person. If you would like to bypass this requirement, you must submit an employer letter stating that you have worked in information security for at least two years.

If you lack this experience, you can contact EC-Council, which administers the test. You can submit your educational background, and they will assess your eligibility individually. Many individuals who have recently graduated with degrees in information security or technology will be eligible to take the test immediately.

The CompTIA PenTest+ does not have any required prerequisites to take the test, but they do recommend a few things.

Firstly, they recommend that you have 3-4 years of experience in information security. You do not have to take any tests before this one, but they do recommend you take the CompTIA Security+ test before the PenTest+.

You should also have knowledge of Network+ and Security+.

How Much Do the PenTest+ and CEH Certifications Cost?

A CEH Certification costs $500. Additionally, most recommend that you enroll in a course to help prepare you for the exam, which costs extra. If you decide to self-study, you will pay a one-time $100 fee in addition to the $500.

The CompTIA PenTest+ costs $346, independent of any extra training that you may require to pass the test. A preparation course is not included with the exam price.

What Does the CompTIA PenTest+ Show I Can Do?

The CompTIA PenTest+ shows future employers, or your current employer, that you have a broad range of skills. In addition to showing you can "ethically hack" (or find and exploit IT vulnerabilities), it also shows you know how to assess weaknesses and manage them.

A CEH certification can prepare you for penetration testing, but not a job in vulnerability assessment and management.

CompTIA PenTest+ prepares you for more job roles than the CEH certification alone. However, you may want only to become certified for specific positions.

According to CompTIA, those who have taken their PenTest+ are eligible for the following roles: security consultant, auditor, security analyst (II), vulnerability assessment analyst, application security vulnerability analyst, vulnerability tester, network security operations, penetration tester and security consultant.

The PenTest+ shows off a wider range of skills than the CEH certification, but that doesn't make it the best choice for everyone. Although the CEH certification opens fewer potential job roles, this may be fine for individuals who only want to work in that field.

What Am I Qualified to Do After Taking the CEH Certification Exam?

After taking the CEH certification exam, you will be eligible to work in several roles, most of which involve penetration testing.

Once you pass the exam, you can work as an ethical hacker, site administrator, auditor, security consultant, network security specialist and a penetration tester.

What Do the Tests Consist Of?

The CEH certification consists of 150 multiple choice questions. Test takers have four hours to complete the exam. You must take the test at an accredited testing location or online after you've taken a certified online course. In order to pass, you must score at least 70%.

The CompTIA PenTest+ consists of both hands-on simulations and a multiple choice portion.

Test takers will answer 85 multiple choice questions during the testing process.

They will also participate in performance-based simulations. These simulations will be similar to what they may experience working with a company to identify vulnerabilities in software.

The complete PenTest+ exam takes a little less than three hours. Candidates are scored on a scale between 100 and 900. They must score 750 to pass the exam.

One of the significant differences is that the CEH certification can be studied for and passed without much hands-on experience. While you do need hands-on experience to qualify as a self-study student, no experience is required for simply enrolling in any of the courses.

The CompTIA PenTest+ ensures that the test-taker actually has the applied ability to perform the job. The CEH certification lets the future employer know that you can take a test and pass a multiple choice exam on the topic.

Which One is Right For Me?

Whether you take the CEH certification exam or the CompTIA PenTest+ exam depends on your goals. You should speak to those employed in the field you are interested in to find out which one carries more weight in your desired field.

Keep in mind that the CompTIA PenTest+ is also relatively new, which is why some employers currently prefer the CEH certification.

Instead, focus on which exam might help you in the long-term.

Either way, you will gain valuable resources and tools for your career in cybersecurity.

For more information on all things IT certification, visit our blog.

Sunday, November 11, 2018

How to Perform a Cybersecurity Risk Assessment - A Step-by-Step Guide


In 2017 over 179 million confidential documents were released because of data breaches. According to a 2018 study by IBM Security and Ponemon Institute, major data breaches cost an average of $3.86 million and global ransomware damages are predicted to exceed $11.5 billion by 2019.

These are just some examples of the destruction that cyber attacks can cause.

However, cybersecurity breaches can do more than just cost your company millions of dollars. They are responsible for the loss of intellectual and proprietary data, can ruin your company's reputation, erode stakeholder confidence and lead to litigation if confidential information is compromised. Data breaches give attackers a low-risk, high-reward opportunity, and recent trends indicate that successful intrusions are increasing at an exponential rate. For example, between 2010 and 2017 there was a 70% increase in data breaches in the healthcare industry, leading to countless HIPAA violations and consumer litigation.

As we've already shown, cybersecurity attacks can happen at any time to any company, and the effects can be devastating.

But what are cybersecurity attacks? And how can you prevent your company from becoming a victim?

Cybersecurity attacks are socially or politically motivated attempts to breach the security of a network. Although attacks vary in technique and sophistication, Symantec characterizes them in five distinct stages: Reconnaissance, Incursion, Discovery, Capture, and Exfiltration. Many incursions go completely undetected - in fact, notifications of major data breaches often come after compromised material has been shared on the Dark Web.

Organizational leaders must understand that comprehensive, risk-based decisions are vital to balancing the force multiplying effects of information systems with the risk of those systems being inherently vulnerable to exploitation.

If you want to prevent or reduce the likelihood of an attack, you have to develop a risk management strategy: how your organization will frame, assess, respond to and monitor risk over time.

How Can My Organization Frame Risk?

The first step of developing a sound risk management strategy is to frame risk. During risk framing, organizations strive to understand the risk context - that is, detailing how risk decisions are made. Here, organizations identify the following:

Risk Assumptions: How your organization currently perceives risk factors such as threats, weaknesses, loss expectancies, consequences (fines, penalties, loss of confidence), and exploit probability.

Risk Constraints: Organizational limitations, such as resources, that will impede your ability to deal with risk.

Risk Appetite: The amount of risk an organization is prepared to accept.

Risk Tolerance: The organization’s willingness to accept risk after implementation of controls and countermeasures. Note that tolerance is often defined by regulatory and legal requirements.

Priorities: The importance of core/critical business functions.

How Can My Organization use the Risk Frame to Assess Risk?

Now that your organization understands the context and details of the risk, it can be assessed. Through the assessment process, your organization should make a risk determination by coupling the potential impact of a risk with the likelihood that it will be realized.

Risk Assessment Process

How will my organization respond to risk?

Now that your organization understands the risks and the probability of occurrence, decision makers should form a Risk Response Strategy for an organization-wide, repeatable, response to risk. There are four ways that your organization can respond to risk:

Acceptance: The risk is within the organizational risk tolerance.

Avoidance: The risk exceeds the organizational risk tolerance. Safeguards and countermeasures aren’t available or their implementation cost exceeds the expected benefit.

Mitigation: Risk is reduced through the application of controls, enhanced safety features, implementation of technical safeguards, or use of countermeasures.

Transfer: Also known as risk sharing, risk transfer occurs when organizations reassign the responsibility and liability to other entities. A great example is purchasing a flood insurance policy for a data center. It would be costly or impractical for an organization to install monitoring sensors and sump pumps below raised flooring, but it would be feasible to transfer the flood risk to an insurance company in exchange for an annual premium.
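The risk determination and response selection described above, worked through as a small risk register. This is an added example and not part of the original post; the loss figures, likelihoods, control costs and the tolerance threshold are constructed for illustration, and expected loss is taken as impact multiplied by annual likelihood.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    name: str
    annual_cost: float          # cost to implement and operate the safeguard
    residual_likelihood: float  # annual likelihood once the control is in place


@dataclass
class Risk:
    name: str
    impact: float               # loss from a single occurrence (constructed, USD)
    likelihood: float           # annual probability of occurrence (constructed)
    control: Optional[Control] = None
    transfer_premium: Optional[float] = None  # e.g. an insurance premium, if available


def expected_loss(impact: float, likelihood: float) -> float:
    """Couple impact with likelihood to get the annual expected loss."""
    return impact * likelihood


def respond(risk: Risk, tolerance: float) -> str:
    """Pick accept / mitigate / transfer / avoid for one risk against the tolerance."""
    exposure = expected_loss(risk.impact, risk.likelihood)
    if exposure <= tolerance:
        return "accept"          # within organizational risk tolerance
    if risk.control is not None:
        residual = expected_loss(risk.impact, risk.control.residual_likelihood)
        benefit = exposure - residual
        if risk.control.annual_cost < benefit:
            return "mitigate"    # control cost is below the reduction it buys
    if risk.transfer_premium is not None and risk.transfer_premium < exposure:
        return "transfer"        # cheaper to share the risk than to carry it
    return "avoid"               # no safeguard available or cost exceeds benefit


# Constructed sample register; tolerance is the maximum accepted annual expected loss.
REGISTER = [
    Risk("data center flood", 2_000_000, 0.01, Control("sump pumps", 60_000, 0.002), 12_000),
    Risk("phishing credential theft", 500_000, 0.30, Control("MFA", 20_000, 0.05)),
    Risk("marketing site defacement", 10_000, 0.20),
    Risk("unsupported legacy app", 1_000_000, 0.50),
]


def assess(tolerance: float = 5_000) -> dict:
    """Return the chosen response for every risk in the register."""
    return {r.name: respond(r, tolerance) for r in REGISTER}
```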

Now That My Organization is Managing Risk, How Can We Monitor it?

Risk is very dynamic and fluid and the risk environment changes hundreds, if not thousands, of times throughout the day. Now that the heavy lifting is out of the way, your organization should develop a Risk Monitoring Strategy. Your organization’s strategy should focus on program compliance, effectiveness, monitoring frequency, and how it will address changes to the internal and external environment.

The results of the monitoring efforts will likely trigger a need to amend the organization's Risk Management Strategy. Perhaps the most beneficial quality of the Risk Management Process is its cyclical nature. If the process has been successfully embedded in the organization's processes, procedures, and culture, it can be easily repeated.

The Data Breach Upwards Trend

According to the 2018 Cost of a Data Breach Study by the Ponemon Institute, the average total cost of a data breach rose 6.4 percent this year alone. The mean time to identify a breach was 197 days and the mean time to contain it was 69 days - that's 266 days total! 75 percent of breaches were successful because of either human error or malicious criminal attack, and the majority of them could have been mitigated or eliminated through the adoption and application of Risk Management.

We can help you understand your organizational risk by performing a Vulnerability Assessment on your organization’s endpoints. After reviewing our findings, we will prepare you a Vulnerability Assessment Report detailing the tested devices, discovered vulnerabilities, and our prioritized recommendations.


If you're interested in developing your personnel to effectively manage your organization's risk management program, we highly recommend the Certified Authorization Professional certification. By making your employees Risk Management Framework (RMF) experts, they will be versed in keeping information and information system risks within your organization's threshold. Please contact us today for more information.