GIAC Certified Incident Handler (GCIH)
Incident handlers manage security incidents by understanding common attack techniques, vectors and tools as well as defending against and/or responding to such attacks when they occur. The GCIH certification focuses on detecting, responding, and resolving computer security incidents and covers the following security techniques:
- The steps of the incident handling process
- Detecting malicious applications and network activity
- Common attack techniques that compromise hosts
- Detecting and analyzing system and network vulnerabilities
- Continuous process improvement by discovering the root causes of incidents
*No Specific training is required for any GIAC certification. There are many sources of information available regarding the certification objectives' knowledge areas. Practical experience is an option; there are also numerous books on the market covering Computer Information Security. Another option is any relevant courses from training providers, including SANS.*
- 1 proctored exam
- 150 questions
- Time limit of 4 hours
- For all GCIH exam attempts activated on or after August 2nd, 2012, the Minimum Passing Score is 72%
About the GCIH Exam: All GIAC exams are delivered online and must be proctored through GIAC's exam partner, Pearson VUE. Click here to schedule an exam.
- There are 150 questions on the exam and a time limit of four hours.
- Based on a scientific study, passing point for the GCIH exam is 72%
- Exams purchased with SANS training will be available 7-10 days following the end of the conference.
- GCIH Challenge exams are available to potential candidates that are experienced Incident Handlers.
- The GCIH Exam may be scheduled anytime within a 120 day window once a candidate has paid for the examination attempt
- To verify the details of your certification attempt, read the Certification Information found in your portal account at https://exams.giac.org/pages/attempts.
Certifications must be renewed every 4 years. Click here for details.
NOTE: All GIAC exams are delivered through proctored test centers and must be scheduled in advance.
GIAC certification attempts will be activated in your GIAC account after your application has been approved and according to the terms of your purchase. Details on delivery will be provided along with your registration confirmation upon payment. You will receive an email notification when your certification attempt has been activated in your account. You will have 120 days from the date of activation to complete your certification attempt. GIAC exams must be proctored through Pearson VUE. Please click the following link for instructions on How to Schedule Your GIAC Proctored Exam http://www.giac.org/information/schedule_proctored_exam.pdf. GIAC exams are delivered online through a standard web browser.
- Certified Professionals (GCIH)
- Exam Feedback Procedure
- Feedback Procedure
- Proctored exam procedure
- SANS Information Security Reading Room
Bulletin (Part 2 of Candidate Handbook)
Exam Certification Objectives & Outcome Statements
The topic areas for each exam part follow:
- Incident Handling: Identification
- The candidate will demonstrate an understanding of important strategies to gather events, analyze them, and determine if we have an incident.
- Incident Handling: Overview and Preparation
- The candidate will demonstrate an understanding of what Incident Handling is, why it is important, and an understanding of best practices to take in preparation for an Incident.
- Buffer Overflows and Format String Attacks
- The candidate will demonstrate an understanding of how buffer overflows and format string attacks work and how to defend against them.
- Covering Tracks: Networks
- The candidate will demonstrate an understanding of how attackers use tunneling and covert channels to cover their tracks on a network, and the strategies involved in defending against them.
- Covering Tracks: Systems
- The candidate will demonstrate an understanding of how attackers hide files and directories on Windows and Linux hosts and how they attempt to cover their tracks.
- Denial of Service Attacks
- The candidate will demonstrate a comprehensive understanding of the different kinds of Denial of Service attacks and how to defend against them.
- Exploiting Clients on the LAN
- The candidate will demonstrate an understanding of how attackers use IP spoofing techniques and utilities such as Netcat to exploit clients on the LAN.
- Incident Handling: Containment
- The candidate will demonstrate an understanding of high-level strategies to prevent an attacker from causing further damage to the victim after discovering the incident.
- Incident Handling: Recovery and Lessons Learned
- The candidate will demonstrate an understanding of the general approaches to get rid of the attacker's artifacts on compromised machines, the general strategy to safely restore operations, and the importance of the incident report and lessons learned meetings.
- Network Sniffing
- The candidate will know what network sniffing is, how to use common sniffing tools, and how to defend against sniffers.
- Password Attacks
- The candidate will demonstrate a detailed understanding of the three methods of password cracking.
- The candidate will demonstrate an understanding of public and open source reconnaissance techniques.
- Scanning: Host Discovery
- The candidate will demonstrate an understanding of the tools and techniques used for host discovery on wired and wireless networks.
- Scanning: Network and Application Vulnerability scanning and tools
- The candidate will demonstrate an understanding of the fundamentals of network and application vulnerability scanners, common commercial and open source tools, and how to defend against them.
- Scanning: Network Devices
- The candidate will demonstrate an understanding of techniques and tools used to map firewall policies and evade IDS/IPS detection.
- Scanning: Service Discovery
- The candidate will demonstrate an understanding of the tools and techniques used for network mapping, port scanning, and passive fingerprinting techniques and how to defend against them.
- Session Hijacking and Cache Poisoning
- The candidate will demonstrate an understanding of tools and techniques used to perform session hijacking and cache poisoning, and how to respond and prepare against these attacks.
- Techniques for maintaining access
- The candidate will demonstrate an understanding of how backdoors, trojan horses, and rootkits operate, what their capabilities are and how to defend against them.
- Virtual Machine Attacks
- The candidate will demonstrate an understanding of the virtual machine environment from an attackers perspective, including targets and detection, and how to defend against threats.
- Web Application Attacks
- The candidate will demonstrate an understanding of the value of the Open Web Application Security Project (OWASP), as well as different Web App attacks such as account harvesting, SQL injection, Cross-Site Scripting and other Web Session attacks.
- Worms, Bots & Bot-Nets
- The candidate will demonstrate a detailed understanding of what worms, bots and bot-nets are, and how to protect against them.
Where to Get Help
Training is available from a variety of resources including on line, course attendance at a live conference, and self study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the certification objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.