Disclaimer: I have not finished reading this book, and I'm not sure I want to.
I bought CEH Certified Ethical Hacker Study Guide on Amazon because it is the most recently published (2010) of several CEH study guides and because it has been through more than one edition. Had I been able to leaf through the book for about five minutes, I would have put it back on the shelf.
Consider these passages:
"Most hacking attempts occur from within an organization and are perpetuated by employees, contractors, or others in a trusted position." (p 8)
"Buffer overflows and SQL injection are used primarily against application servers that contain databases of information." (p 11)
If you know enough about information security to see the problems with the above statements, would you want to spend your time reading the rest of this book? More importantly, if you don't know enough about information security to see the problems with the above statements, should you entrust your professional development to this book?
Here's another profound insight:
"Many ethical hackers acting in the role of security professionals use their skills to perform security evaluations or penetration tests. These tests and evaluations have three phases, generally ordered as follows: Preparation, Conduct Security Evaluation, Conclusion." (p 17)
How about a Review Question from the end of Chapter 1:
5. The security, functionality, and ease of use triangle illustrates which concept?
A. As security increases, functionality and ease of use increase.
B. As security decreases, functionality and ease of use increase.
C. As security decreases, functionality and ease of use decrease.
D. Security does not affect functionality and ease of use.
Ready for the answer?
"B. As security increases, it makes it more difficult to use and less functional." (p 29)
Are you catching my drift? If a book has problems like this with the easy concepts, how much confidence should be placed in its more technical sections?
I'm not here to flame Kimberly Graves, who might otherwise be a very fine author. However, based on my experience with the first three chapters, I'm not inclined to commend this book to the potential reader. I really hope there are better study guides out there.
I'll close with a message from Neil Edde, Sybex Vice President and Publisher:
"With each of our titles, we're working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available." (p v)
Keep trying, Neil. And you might consider boosting the copy editing budget while you're at it. Start your editors off with this paragraph:
"Checking for open ports is the second step in the CEH scanning methodology. Port scanning is the method used to check for open ports. The process of port scanning involves probing each port on a host to determine which ports are open..." (p 69)
- - - - -
Well, I've made it to the fifth chapter, and I AM stopping. Although the book was revised in 2010, it appears that parts of it have not been updated since the heyday of Windows 2000. The text itself reads more like a set of lecturer's notes, hastily pulled together for publication.
As a study guide, it's starting to create more questions than answers about what's going to be on the exam. I may come back to it later, but at this point I'd rather not clutter up my head with useless (and possibly questionable) material.
I would caution the people who are using this text as an introduction to "ethical hacking" -- this book may (or may not) help you get that cert, but it's not giving you a very useful picture of the field. There are much better information security books out there. Unfortunately, none of them appear to be CEH-specific.
I'd recommend skipping the first 100 pages of the CEH Study Guide. Try Gray Hat Hacking (3rd edition) for a far more realistic introduction to the field of ethical hacking. Then go to Hacking Exposed (6th Edition) for coverage of footprinting, scanning, and enumeration. You'll come back to these books anyway, if you stay in this field, so it's not money wasted. Use the CEH Study Guide to help you outline your own crib sheet for the test. But watch out, because a lot of things have seem to have happened since this text was written.
If anyone has run across a well-written, up-to-date CEH book, do us a favor and let us know.