Certified Ethical Hacker credential proves nothing

A couple of months ago, a reader asked me what I thought of the "Certified Ethical Hacker" credential, offered by the International Council of Electronic Commerce Consultants -- the so-called "EC-Council."

The short answer: I don't.

As readers may remember, I don't hold a high opinion of most certification programs to begin with. I'm convinced that they're a crutch for lazy hiring managers and clueless HR departments. I don't believe that multiple-guess tests are a substitute for experience, no matter how adaptive the testing software may be.

But pretending to "certify" someone as ethical is downright dishonest. It's one thing to give a character reference to someone you know personally or professionally. It's another to claim they'll behave ethically under every conceivable situation.

Passing up an opportunity to do a crime when it's likely you'll be caught isn't being ethical, it's merely being sensible. It only becomes ethical when you decline the job knowing that you can't be caught.

Remember that the most valuable skill for a hacker isn't fluency in one programming language or another -- it's the ability to "social engineer" the unsuspecting into trusting them. What better way to fly under the radar than to have a piece of paper from the EC-Council saying you're kosher?

Human nature -- in this case, the desire to present ourselves as others would like to see us -- means that those pursuing an "Ethical Hacker" certification are going to be on their best behavior, no matter how larcenous their ultimate intentions.

Even someone who isn't planning the crime of the century can be tempted into stretching his or her ethical boundaries if the payoff looks good enough. It's amazing how many times professionals who should know better try to pull a fast one, only to announce their regrets at sentencing.

I don't take the hard-line course that insists hackers are evil incarnate and, once caught, deserve Hannibal Lecter-esque restraint. In fact, I'm surprised I didn't hear from more of security's right wing when I discussed hacker rehabilitation earlier this year. But I also dislike rewarding people for keeping their hands out of the cookie jar.

Anyone who cites an "Ethical Hacker" credential in a resume is planting a seed of doubt in the minds of those doing the hiring. This may be a good thing if you're trying to get work with an IT security shop, but I'm not sure it's worth the tuition. Frankly, if someone came into my lab waving that piece of paper (as if I could afford to hire anyone above the pay grade of part-time cable weaver), I'd probably order up a double helping of background checks.