EC-Council CEH

Certified Ethical Hacker Domain 4: Information Security Tools, Systems and Programs

July 8, 2019 by Lester Obbayi


This domain in the Certified Ethical Hacker (CEH) certification reviews the different classes of tools, systems and programs involved during the different phases of hacking or during host and network protection. Being the largest domain in the exam, candidates will be required to put in significant work and will then be reviewed on their understanding of various concepts as well as their choice of appropriate tools for problem solving (in both offensive and defensive approaches).


An Overview of the Domain

This domain carries a weight of 28.91% of the total exam. You should expect a total of 36 test items here, with 7 testing Information Security Systems, 5 testing Information Security Programs and 24 testing Information Security Tools. Let’s discuss these sections, taking note of important tools and concepts.

Information Security Systems

In this section, we discuss the common information security systems that the exam is most likely to review. Candidates will be tested on their understanding of firewalls, intrusion detection and prevention systems, SIEM solutions and authentication servers. Once they have studied these technologies, they can be sure of scoring highly on any questions originating from this section. Let’s now discuss each of these, taking note of important points.

a) Firewalls

A general understanding of how firewalls function will be tested in the exam. Candidates are required to know the placement of a firewall in a network and any possible repercussions that may be introduced on the network. Candidates should, for example, understand why network firewalls are primarily placed in between the DMZ and internal network.

There are also some common rule sets that are familiar across different firewall solution vendors. For example, an organization may implement the “Allow SSH Traffic” rule to allow SSH access from any IP address to all instances within a data center. A general understanding of the common firewall rules will be quite beneficial.

Candidates also need to be aware of the existence of host-based and application firewalls, as well as their applications and capabilities.

b) Intrusion Detection System (IDS)

The understanding of what an IDS does in a network and how it handles data is something candidates will definitely be tested on. Basically, this is a system that is installed within a network (or on a host in the case of a host-based IDS), and monitors for network intrusions in the form of malicious activities or policy violations. This system can then report the violations to a System Administrator or allow a SIEM in the same network to collect the data, for later analysis.

Important to note is the two major classifications of IDSes, namely Network Intrusion Detection Systems (NIDS) and Host-Based Intrusion Detection Systems (HIDS). Candidates will be required to know the application areas of these two variants of IDSes and vendor examples of each, and how IDSes, IPSes and firewalls compare.  

Candidates will also be required to familiarize themselves with the two main detection methods that IDSes employ. They should be familiar with how to evade these detection methods. These are:

  1. Signature-Based Detection
  2. Anomaly-Based Detection.

c) Intrusion Prevention System (IPS)

Intrusion Prevention Systems are able to prevent policy violations by discovering possible intrusions, logging and reporting information about these attempts and blocking access to restricted data. Candidates must be able to discuss the different classes of IPS systems and where their application is best suited. For instance, each one of the following should be well understood:

  1. Network-based IPS (NIPS)
  2. Host-based IPS (HIPS)

As we have seen with IDSes, candidates will also be tested on the different detection methods that IPSes can utilize. The detection methods are:

  1. Signature-based Detection
  2. Statistical Anomaly-based Detection
  3. Stateful Protocol Analysis Detection

Finally, knowledge of how to evade IPSes as well as their limitation might prove useful in other domains as well.

d) Security Information and Events Management (SIEM)

SIEMs are able to combine both Security Information Management (SIM) and Security Event Management (SEM) in order to be able to perform the following functions:

  1. Data aggregation
  2. Correlation
  3. Forensic analysis
  4. Retention
  5. Alerting.

Once all this data has been collected and analyzed, it can then be presented in informational charts. Candidates need to have a general understanding of how SIEMs work (their use cases) and should be in a position to give examples of SIEM solutions available for use today.

e) Authentication Servers

Candidates are required to be able to discuss their understanding of what an authentication server is and how the common ones differ. For instance, candidates need to know why RADIUS is used in certain environments rather than TACACS+, and how LDAP and Active Directory compare.

Information Security Programs

Candidates will be required to understand the different programs that are used in securing hosts against malicious attacks. Candidates therefore need to have an overview of the different malware classifications, how they operate and how they differ, as well as the programs available that can stop them. The programs that will be tested will include:

  1. Antivirus programs
  2. Anti-spyware
  3. Anti-riskware
  4. Ad blockers
  5. Anti-rootkit

These programs are constantly evolving, and today’s antiviruses are able to combine the functionality of each of these, even adding more capabilities. It is up to candidates to learn more about these in order to develop a deeper understanding of how these programs work and evolve.

Information Security Tools

Here we shall take a look at the different classes of hacking tools that will be reviewed in the exam. These sections describe the nature of the tools candidates that will be evaluated on.

a) Tools for Performing Footprinting and Reconnaissance

The aim of the exam as portrayed in this section is to evaluate the candidate’s ability to collect as much information as possible while hacking. This is in order to make it easier to invade an organization’s network or systems through what is known as footprinting. The tools that will be reviewed here are also commonly used to learn as much about a target as possible. This is referred to as reconnaissance.

b) Tools for Performing Enumeration

This section in the exam reviews tools commonly used to perform enumeration (discovery) of services within a network. Candidates are required to be able to enumerate information on protocols on the network such as SMB shares, SNMP configurations and FTP and DNS services. The tools available to do this are generally more intrusive than those that perform reconnaissance and footprinting above, so the candidate should know when it is best to resort to a less-intrusive tool.

c) Tools for Conducting Network Scanning

Candidates will be evaluated on their abilities to perform system and network vulnerability scanning. The purpose here is to make sure that candidates can combine different tools in order to identify hosts on the network, discover open ports, services and vulnerabilities on target systems and determine the network topology, including the range of IP addresses in use.  

d) Tools for Performing Web Application Hacking

Candidates will be evaluated on their ability to enumerate and exploit common Web application vulnerabilities using various common tools. This section also reviews the candidate’s skill in implementing the right tools to evade Web Application Firewalls (WAFs) in order to avoid detection.


This is one of the domains that candidates will be required to conduct good research and have a good study on due to the significant bulk in content. The first two sections will require a good deal of studying and understanding of concepts and definitions, while the last section will get a bit technical, requiring candidates to understand the outcome of tasks required and which tools to implement. Once these concepts have been understood, candidates will be ready to take on the exam.



  1. CEH Exam Blueprint v3.0, EC-Council
  2. Intro to Next Generation Firewalls, eSecurity Planet
  3. Stefan Axelsson, Intrusion Detection Systems: A Survey and Taxonomy.
  4. Harold F. Tipton and Micki Krause, Information Security Management Handbook, Sixth Edition
Posted: July 8, 2019
Articles Author
Lester Obbayi
View Profile

Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.

Leave a Reply

Your email address will not be published. Required fields are marked *