www.giac.org

GCIH Certification Bulletin

(Part 2 of Candidate Handbook)

The GIAC Hacker Techniques, Exploits and Incident Handling (GCIH) certification was created to provide assurance that a certified individual holds the level of knowledge and skill appropriate for anyone with hands-on technical responsibilities in the key or essential areas of information security.

All GIAC certifications expire after 4 years. Candidates must review the material and retake the exams in order to remain certified. Although other entry-level certifications are available, GIAC is the only information security certification family that includes advanced technical subject areas.

The practice tests are taken online and are designed to simulate the format of the actual GIAC exams, with the same number of tests, multiple-choice questions and time limits. The practice test questions, which are selected from our Online Training quiz bins, are written by the same authors who write the GIAC exams. During the practice tests, each time you choose a wrong answer you will receive the correct answer and an explanation that helps reinforce the subject matter covered by the question. The practice tests also include a counter that shows how many questions you have answered correctly, how many you have answered incorrectly, and how many questions remain in the test. You have only one attempt at each practice test; if you need more attempts, you will need to purchase another set. If you purchase a new practice test set, the online system will quiz you again on the questions you originally answered incorrectly while also asking new questions.

Type: Certification

Target:

Individuals responsible for incident handling/incident response; individuals who require an understanding of the current threats to systems and networks, along with effective countermeasures.

GIAC Certified Incident Handlers (GCIHs) have the knowledge, skills, and abilities to manage incidents; to understand common attack techniques and tools; and to defend against and/or respond to such attacks when they occur.

Requirements:
1 proctored exam - 150 questions - 4-hour time limit - 72.7% (109 of 150 questions) minimum passing score
Renewal:
Every 4 years

The topic areas for each exam part follow:

Exam Certification Objectives and Certification Objective Outcome Statements

Backdoors & Trojan Horses

The candidate will have a detailed understanding of how backdoors are used to gain access to systems and how to defend systems against them.

Buffer Overflow Defenses

The candidate will be able to identify general techniques to defend against buffer overflows.

Covering Tracks in Unix-Linux

The candidate will understand how attackers hide files and directories on Unix hosts and how they attempt to cover their tracks.

Covering Tracks on the Network

The candidate will understand how attackers use tunneling and covert channels to cover their tracks on a network and the strategies involved in defending against them.

Covering Tracks with Steganography

The candidate will understand the concepts behind steganography and its main methods, know how to use S-Tools, and understand how to detect and defend against steganography.

Denial of Service Attacks

The candidate will have a detailed understanding of the different kinds of Denial of Service attacks and how to defend against them.

Espionage Incidents

The candidate will understand the definition of espionage and strategies to deal with these incidents.

Exploiting Systems using Netcat

The candidate will be able to properly use the Netcat utility and know how to defend against it.

Exploiting Windows Shares for Shell Access

The candidate will know how Administrator passwords on Windows shares are used to spawn a Netcat shell and how to defend against this attack.

Format String Attacks

The candidate will have a detailed understanding of how format string attacks work and how to defend against them.

General Trends in the Hacker Underground

The candidate will understand the general trends happening in the hacker underground.

Incident Handling and the Legal System

The candidate will understand how the law affects incident handling, identify specific laws important to incident handling, and have a general understanding of what those laws address.

Incident Handling Defined

The candidate will understand what Incident Handling is, why it is important, and be able to distinguish incidents from events.

Incident Handling Phase 1 Preparation

The candidate will understand best practices to take in preparation for an Incident, know why they are important, and understand the consequences of ignoring them.

Incident Handling Phase 2 Identification

The candidate will understand important strategies for gathering events, analyzing them, and determining whether an incident has occurred.

Incident Handling Phase 3 Containment

The candidate will understand high-level strategies to prevent an attacker from causing further damage to the victim after discovering the incident.

Incident Handling Phase 4 Eradication

The candidate will understand the general approaches to get rid of the attacker's artifacts on compromised machines.

Incident Handling Phase 5 Recovery

The candidate will understand the general strategy to safely restore operations that were affected by the incident.

Incident Handling Phase 6 Lessons Learned

The candidate will develop a report of the incident and conduct a "lessons learned" meeting to improve Incident Handling capabilities.

Intellectual Property Incidents

The candidate will understand how Intellectual Property is approached by Government and Commercial Sectors, memorize the four types of Intellectual Property, understand the scope and definitions of each type, and understand how the Incident Handling process is applied to Intellectual Property.

IP Address Spoofing

The candidate will understand what IP spoofing is, the three different types of spoofing, and strategies to defend against it.

Kernel-Mode Rootkits

The candidate will understand how kernel mode rootkits operate, what their capabilities are, and how they are installed.

Network Sniffing

The candidate will know what network sniffing is, how to use the dsniff and sniffit tools, and how to defend against sniffers.

Password Attacks

The candidate will memorize the three methods of password cracking and understand the details of each approach.

Reconnaissance

The candidate will understand basic reconnaissance techniques that use public resources such as WHOIS, DNS, web sites, Google, and Sam Spade.

Scanning: Network Mapping, Port Scanning, and Passive Fingerprinting

The candidate will understand the tools and techniques used for network mapping, port scanning, and passive fingerprinting, and how to defend against them.

Scanning: Wardialing and Wireless Discovery

The candidate will be able to identify the capabilities of the THC scanner and defend against war dialers.

Session Hijacking, Tools and Defenses

The candidate will understand the definition of session hijacking, the two methods commonly used, and why it is effective; be able to identify common hijacking tools; and understand the strategies to prepare for, identify, and contain hijacking attacks.

User-Mode Rootkits

The candidate will understand how user-mode rootkits operate, what their capabilities are and how to defend against them.

Using Firewalk

The candidate will be able to use Firewalk to determine firewall policies.

Virtual Machine Attacks

The candidate will understand the virtual machine environment from an attacker's perspective, including targets and detection, and how to defend against these threats.

Vulnerability Scanning With Nessus

The candidate will understand the basics of how Nessus is used as a vulnerability scanner and know how to defend against it.

Web Application Attacks

The candidate will understand the value of the Open Web Application Security Project (OWASP) and become familiar with different Web App attacks, such as account harvesting, SQL injection, Cross-Site Scripting and other Web Session attacks.

Worms, Bots & Bot-Nets

The candidate will have a detailed understanding of what worms, bots and bot-nets are, and how to protect against them.

Where to Get Help

Training is available from a variety of resources, including online training, course attendance at a live conference, and self-study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals already have the experience needed to meet the certification objectives identified above.

Finally, college-level courses or study through another program may also provide the required mastery.

The procedure to contest exam results can be found at http://www.giac.org/grievance.php.

Number of certified professionals: 29,895
SANSFIRE 2010