GCIH Certification Bulletin
(Part 2 of Candidate Handbook)
The GIAC Hacker Techniques, Exploits and Incident Handling (GCIH) certification was created to provide assurance that a certified individual holds the level of knowledge and skill necessary for anyone with hands-on technical responsibilities in the key or essential areas of information security.
All GIAC certifications expire after a period of 4 years. Candidates must review the material and retake the exams in order to remain certified. Although other entry-level certifications are available, GIAC is the only information security certification family that includes advanced technical subject areas.
The practice tests are taken online and are designed to simulate the format of the actual GIAC exams, with the same number of tests, multiple-choice questions and time limits. The practice test questions, which are selected from our Online Training quiz bins, are written by the same authors who write the GIAC exams. During the practice tests, each time you choose a wrong answer, you will receive the correct answer and an explanation that helps to reinforce the subject matter presented in the question. The practice tests also include a counter that shows the current number of questions you have answered correctly, the number answered incorrectly, and how many questions remain in the test. You have only one attempt at each practice test; if you need more attempts, you will need to purchase another set. If you purchase a new practice test set, the online system will quiz you again on the questions that were originally answered incorrectly while also asking new questions.
- Type: Certification
- Target: Individuals responsible for incident handling/incident response; individuals who require an understanding of the current threats to systems and networks, along with effective countermeasures. GIAC Certified Incident Handlers (GCIHs) have the knowledge, skills, and abilities to manage incidents; to understand common attack techniques and tools; and to defend against and/or respond to such attacks when they occur.
- Requirements: 1 proctored exam; 150 questions; 4-hour time limit; 70% (105 of 150 questions) minimum passing score
- Renewal: Every 4 years
The topic areas for each exam part follow:
| Exam Certification Objectives | Certification Objective Outcome Statement |
|---|---|
| Backdoors & Trojan Horses | The candidate will have a detailed understanding of how backdoors are used to gain access to systems and how to defend your systems. |
| Buffer Overflows | The candidate will demonstrate an understanding of what a buffer overflow is, how they are created, and how to defend against them, and will have a high-level understanding of how attackers use common tools to create and maintain a backdoor on a compromised system. |
| Covering Tracks on Systems | The candidate will understand how attackers hide files and directories on Windows and Linux hosts and how they attempt to cover their tracks. |
| Covering Tracks on the Network | The candidate will understand how attackers use tunneling and covert channels to cover their tracks on a network and the strategies involved in defending against them. |
| Covering Tracks with Steganography | The candidate will understand the concepts behind steganography, the main methods of steganography, understand how to use S-Tools, and understand how to detect and defend against steganography. |
| Denial of Service Attacks | The candidate will have a detailed understanding of the different kinds of Denial of Service attacks and how to defend against them. |
| Exploiting Systems using Netcat | The candidate will be able to properly use the Netcat utility and know how to defend against it. |
| Format String Attacks | The candidate will have a detailed understanding of how format string attacks work and how to defend against them. |
| Gaining Shell Access on Windows | The candidate will know how to use Administrator passwords on Windows shares to spawn a Netcat shell and how to defend against this attack. |
| General Trends in the Hacker Underground | The candidate will understand the general trends happening in the hacker underground. |
| Incident Handling and the Legal System | The candidate will understand how the law affects incident handling, identify specific laws important to incident handling, and have a general understanding of what those laws address. |
| Incident Handling Defined | The candidate will understand what incident handling is, why it is important, and be able to distinguish incidents from events. |
| Incident Handling Phase 1 Preparation | The candidate will understand best practices to take in preparation for an incident, know why they are important, and understand the consequences of ignoring them. |
| Incident Handling Phase 2 Identification | The candidate will understand important strategies to gather events, analyze them, and determine whether an incident has occurred. |
| Incident Handling Phase 3 Containment | The candidate will understand high-level strategies to prevent an attacker from causing further damage to the victim after the incident is discovered. |
| Incident Handling Phase 4 Eradication | The candidate will understand the general approaches to removing the attacker's artifacts from compromised machines. |
| Incident Handling Phase 5 Recovery | The candidate will understand the general strategy to safely restore operations that were affected by the incident. |
| Incident Handling Phase 6 Lessons Learned | The candidate will develop a report of the incident and conduct a "lessons learned" meeting to improve incident handling capabilities. |
| Intellectual Property Incidents | The candidate will understand how intellectual property is approached by the government and commercial sectors, memorize the four types of intellectual property, understand the scope and definitions of each type, and understand how the incident handling process is applied to intellectual property. |
| IP Address Spoofing | The candidate will understand what IP spoofing is, three different types of spoofing, and strategies to defend against it. |
| Kernel-Mode Rootkits | The candidate will understand how kernel-mode rootkits operate, what their capabilities are, and how they are installed. |
| Network Mapping with Cheops-ng | The candidate will be able to use Cheops-ng to map networks and understand how to defend against this tool. |
| Network Sniffing | The candidate will know what network sniffing is, how to use the dsniff and sniffit tools, and how to defend against sniffers. |
| Password Attacks | The candidate will understand the methods of password attacks for cracking and exploiting password hashes, understand the details of each approach and how they apply to both Windows and Unix/Linux systems, and know the common tools used for password attacks. |
| Reconnaissance | The candidate will understand basic reconnaissance techniques using public resources: WHOIS, DNS, web sites, Google, and Sam Spade. |
| Scanning: Wardialing and Wireless Discovery | The candidate will be able to identify the capabilities of wardialing tools such as the THC scanner, wireless discovery and sniffing tools, and defend against war dialers and wireless reconnaissance. |
| Scanning: Network Devices (Firewall rules determination, fragmentation, and IDS/IPS evasion) | The candidate will be able to use Firewalk to determine firewall policies, understand the general principles of IP fragmentation attacks and why they are used, and be able to identify them. |
| Scanning: Vulnerability Scanning and Tools (Network, Web, Null Sessions) | The candidate will understand the fundamentals of vulnerability scanners (network, web and Windows null sessions), common commercial and open source tools, and know how to defend against them. |
| Session Hijacking and DNS Cache Poisoning | The candidate will demonstrate an understanding of DNS cache poisoning and session hijacking, the tools commonly used for these attacks, and how to defend against them. |
| Types of Incidents (Espionage, Unauthorized Use, and Insider Attacks) | The candidate will demonstrate an understanding of multiple types of incidents, including espionage, unauthorized use, and insider threats, and apply strategies to prevent or address these cases. |
| User-Mode Rootkits | The candidate will understand how user-mode rootkits operate, what their capabilities are, and how to defend against them. |
| Web Application Attacks | The candidate will understand the value of the Open Web Application Security Project (OWASP) and become familiar with different web application attacks, such as account harvesting, SQL injection, Cross-Site Scripting and other web session attacks. |
| Worms, Bots & Bot-Nets | The candidate will have a detailed understanding of what worms, bots and bot-nets are, and how to protect against them. |
Where to Get Help
Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals already have the experience needed to meet the certification objectives identified above.
Finally, college-level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/grievance.php.