Infosec Institute CEPT Course with false advertising and bad information. Elmwood Park Illinois

Review of InfoSec Institute's CEPT Course:

The course outline was clear in that you only needed to have the CEH certification prior to attending this course. It states that this is an expert penetration tester course. 3 days of the 5 day course was spent on buffer overflows and looking at assembly code. We didn't even scratch the surface of what it means to be a penetration tester.

This was very heavy with Assembly code which is good but the course should have been named "Breaking down the code: Debugging 101". This was not a course in penetration testing at all. No training was given about the OWASP top 10, reporting, common attacks/vulnerabilities or anything that a penetration tester should know. Everyone in the class was very disappointed by the curriculum of the course vs. the advertisement.

The instructor did not follow the curriculum. We did not go over ANY XSS or SQL Injection techniques, advanced or otherwise. We spent nearly the entire class going over assembly code. He spoke briefly about format string vulnerabilities about 2 hours before taking the exam (we only spent about an hour on it before taking lunch for an hour prior to the exam). He could not directly answer our questions and did not offer assistance during the labs without being explicitly asked and then he almost never knew the answer. He got very upset when people had to have him repeat information because they did not understand. No one in the class had anything nice to say throughout the course so it wasn't just me. He showed a great deal of contempt and frustration.

The course material (lab guide) has many misspellings and errors in the code that we were expected to use. Several of the scripts and code that was used needed modification to make it work. In some cases the code in the book was so poorly written that by the time we had rewritten it to make it work it wasn't the same code anymore. There were even referenced figures (images that the book references as an example) missing. It appears as if the book was not reviewed prior to printing and given to the students. The 'Shabang' (#!/usr/bin/perl  or  #!/usr/bin/python) was missing from several of the scripts. Code cannot be wrong in a teaching book. That is completely unacceptable since code must have the proper syntax and spelling or it will not work.

The computers in the lab were old and unstable and caused issues since they only had 4GB of Ram and we were trying to run 2 Windows VM's and a linux VM which the computer could not handle. Half of the time in the labs was spent troubleshooting the lab computers and why they kept crashing (not as intended). The exploits were old and were detected by outdated AV software even after the encoding was done and the lab said they would be undetectable. Even an old version of Windows Defender was able to detect the backdoor. The instructor made excuses about this and said that it demonstrated the concept - This is not acceptable as the course states that it would be teaching the latest methods. A good demonstration of the concept would have been showing us something that worked - not an exploit from a decade ago.

 ****The Windows 7 VM was not activated and kept showing a "This copy of Windows is not genuine" message. It made everyone in the class wonder if the software had been pirated which is very unprofessional for an ethical course.****

The ECSA exam was also scheduled with this course. Unfortunately, not everyone could participate even though the course outline was VERY specific that this course INCLUDED 2 certifications (ECSA and CEPT). Infosec charged extra for the ECSA. Apparently, according to one of the students, all you had to do was argue a little bit and they would give you what was advertised. Other than that, you would be charged extra (like I was) for the second exam. The ECSA exam was only reviewed with a few slides that did not cover the breadth of the course or the exam.

I was told there was no need for coding experience or programming knowledge. This is not the case as most of the class was struggling except for the one person with prior assembly experience. Much more than just a CEH should be required.

The hotel room was very nice and the staff was very polite. The meals, however, were pasta and chicken for almost every meal. It was good but not much variety. The hotel itself had its own issues. The internet took me back to the dial-up days with taking 25 minutes to download 2 Mb. Images loaded from the top down and we were unable to download some of the content required for the course (such as AVG for the backdoor encoding portion). All night long sirens went off and you could hear people racing up and down the street all night. Location was not the best. This, of course, was not Infosec Institute's fault but after some very quick research I found similar reviews that should have been considered prior to booking that hotel.

The person who booked the rooms had mangled the dates. My email for the room said from 22-29 Sept. I scheduled my flight around this and when I showed up to the hotel I was told that the last night was the 27th. I was able to get that fixed but I had a roommate on the 27th-28th because one of the students had to vacate his room an hour before the CEPT exam on the 27th since Infosec wouldn't extend his stay even by one night. This, too, is unacceptable. Everyone should be given the same opportunity and the dates should have been the same for everyone in the course unless specified by the student.

To top it all off, this certification (CEPT) has no verification mechanism. If I present this to someone, how do they verify that it's legitimate and that I didn't just print it out? This somewhat invalidates the certification since anyone can print one off or just say that they have it on a resume.

Overall, I would have to say that this course was disappointing to say the least. It seems that the instructor was inadequate, the course books were poorly written and/or had no review process for quality, the lab machines were not able to handle the labs properly, the hotel bookings were inconsistent and the hotel itself should have been researched prior to the course being scheduled there.

I have contacted Infosec Institute by phone and email the first Monday after the course. It took a couple of days to hear form them and when I did, the only thing they offered was for me to retake the course. That, of course, is not something most people can do since that requires yet another week off work.