Certified Ethical Hacker Domain 2: Analysis/Assessment
About the Domain
The second domain of the Certified Ethical Hacker exam is designed to test an applicant’s knowledge of what goes into performing a penetration test or ethical hack. This domain is assigned sixteen questions, or about 12.73% of the total exam. The topics covered in this domain include both the procedural aspects of an assessment (what to do when) and the techniques necessary to complete each assessment step.
This section of the exam is focused on the methodologies and steps necessary to perform assessments as an ethical hacker. This includes everything from risk assessments to Red Team operations. The domain is broken into two parts which test both knowledge of how to perform assessments and analysis, and knowledge of the methodologies for performing technical assessment.
Information Security Assessment and Analysis
The first half of this domain consists of testing the applicant’s ability to perform assessments and analysis. This section will consist of eight questions (6.4% of the exam) and covers data analysis, systems analysis and performing risk assessments.
The first two topics in this section (data and systems analysis) test your ability to perform an assessment. We’ll cover the steps of an assessment in the next section; for this section, you should understand how a vulnerability to exploit is identified. In the early phases of the assessment, you need to know how to gather information about a target (both technical and non-technical) and parse through it for useful nuggets that can reveal vulnerabilities. For this section, you need to know how to gather open-source intelligence (OSINT), how to scan a network or host and interpret the results, and how to use the collected knowledge to build a plan for the assessment.
One of the most important things to know for this section of the exam is the difference between “active” and “passive” activities. According to EC-Council, an “active” activity is anything that can put packets from you on the target network. Port scanning is active; sniffing Wi-Fi traffic is passive. The distinction is at the network level, not the risk of being caught. Dumpster-diving (a potentially high-risk activity) is considered passive for the CEH exam. Not knowing the difference between “active” and “passive” activities can cost you questions on the exam.
The final point covered in this section is the topic of risk assessments. Part of being an ethical hacker is having the ability to analyze the potential impact of a vulnerability and provide recommendations on which vulnerabilities need to be addressed first. You should know that vulnerabilities are ranked based on probability of occurrence and potential impact, with the ones with the highest probability and impact being ranked the most dangerous.
As a potential CEH, the EC-Council also wants you to be familiar with the concepts of Annualized Loss Expectancy (ALE), Single Loss Expectancy (SLE) and Annual Rate of Occurrence (ARO). The ALE is the amount of money that a given issue (such as a vulnerability or equipment failure) is expected to cost an organization per year and is calculated as the product of the SLE and the ARO. The SLE is the cost of one occurrence of the issue, and usually consists of the sum of the cost of replacement parts, the salary of the workers fixing the issue and the salary of anyone who cannot work because of the issue (e.g., lost productivity due to ransomware or a power outage). Finally, the ARO is the expected number of times the incident will occur in a given year: for an event that occurs once every four years, you multiply by 0.25. Knowing how to perform this calculation is a must for the CEH exam.
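The SLE, ARO and ALE calculation described above, carried through to the ranking of issues by expected annual loss, as an added example that is not part of the original article. The `Issue` fields and the sample figures are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Issue:
    """One risk scenario with the cost components the SLE is built from."""
    name: str
    replacement_cost: float      # parts/equipment replaced per occurrence
    repair_hours: float          # staff hours spent fixing one occurrence
    repair_hourly_rate: float    # loaded hourly cost of the repair staff
    idle_hours: float            # staff hours lost to the outage per occurrence
    idle_hourly_rate: float      # loaded hourly cost of the idle staff
    years_between_events: float  # expected recurrence interval in years


def single_loss_expectancy(issue: Issue) -> float:
    """SLE: cost of one occurrence = parts + repair labour + lost productivity."""
    return (issue.replacement_cost
            + issue.repair_hours * issue.repair_hourly_rate
            + issue.idle_hours * issue.idle_hourly_rate)


def annual_rate_of_occurrence(issue: Issue) -> float:
    """ARO: expected occurrences per year (once every four years -> 0.25)."""
    return 1.0 / issue.years_between_events


def annualized_loss_expectancy(issue: Issue) -> float:
    """ALE = SLE x ARO, the expected cost of the issue per year."""
    return single_loss_expectancy(issue) * annual_rate_of_occurrence(issue)


def rank_by_ale(issues):
    """Highest expected annual loss first: the issues to address first."""
    return sorted(issues, key=annualized_loss_expectancy, reverse=True)


# Constructed sample issues (illustrative numbers, not from any real assessment)
SAMPLE_ISSUES = [
    Issue("ransomware on file server", 0.0, 40, 75.0, 800, 50.0, 4.0),
    Issue("core switch failure", 12000.0, 8, 75.0, 100, 50.0, 5.0),
    Issue("phishing credential theft", 0.0, 16, 75.0, 40, 50.0, 1.0),
]

if __name__ == "__main__":
    for issue in rank_by_ale(SAMPLE_ISSUES):
        print(f"{issue.name}: SLE={single_loss_expectancy(issue):.2f} "
              f"ARO={annual_rate_of_occurrence(issue):.2f} "
              f"ALE={annualized_loss_expectancy(issue):.2f}")
```

Note that the rarer ransomware scenario still ranks first because its single-occurrence cost dwarfs the others, which is exactly the probability-times-impact weighting the exam expects.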
Information Security Assessment Process
This section of the domain is focused on performing an assessment in the “right way.” Eight questions (6.4%) are devoted to this topic on the exam.
The EC-Council has set methodologies for performing a variety of different types of assessments. A good starting point is knowing the phases of an ethical hack. According to the EC-Council, these are:
- Scanning and Enumeration
- Gaining Access
- Privilege Escalation (optional)
- Maintaining Access
- Covering Tracks
In the exam, you’ll be expected to know these phases and their order and be able to identify what occurs and common tools used in each phase.
EC-Council also differentiates a penetration test from an ethical hack. According to the EC-Council, there are three stages to a penetration test:
In the pre-attack phase, an ethical hacker performs data gathering and reconnaissance in preparation for the actual hack. The attack phase covers everything from gaining initial access through achieving the goals of the penetration test. Finally, post-attack includes cleanup/covering tracks and reporting.
The exam commonly asks which stage of a penetration test certain actions are performed in. These questions often mix stages from an ethical hack and a penetration test, so it’s important to memorize which set of steps is for an ethical hack and which one is for a penetration test.
How to Prepare
Nothing compares to hands-on experience for learning the concepts, and this is especially true for this domain of the exam. While it’s certainly possible to memorize all of the procedures and techniques for performing an assessment, it’s much easier to remember them if you’ve done it once or twice before.
If you’re at all prepared for Domain 7 of the exam, you know that you can’t just practice on some random company without permission. To practice collecting OSINT, try to find out everything that you can about yourself or a family member using publicly available data sources. To practice a full assessment, set up a test lab of vulnerable machines that emulates a company network and work your way through the phases, from scanning through completing final objectives. This type of exercise will give you both the procedural and technical foundations that you need for this domain and is a great way to practice the tools that you’ll need to know for Domain 4.