Certification: GCIH

GIAC Certified Incident Handler

Description

GIAC Certified Incident Handlers (GCIHs) have the knowledge, skills, and abilities to manage incidents; to understand common attack techniques and tools; and to defend against and/or respond to such attacks when they occur.

Target

Individuals responsible for incident handling/incident response; individuals who require an understanding of the current threats to systems and networks, along with effective countermeasures.

Course

SEC504: Hacker Techniques, Exploits and Incident Handling

*No specific training is required for any GIAC certification. If candidates need help in mastering the objectives for this certification, there are many sources of information available. Practical experience is one option; there are also numerous books on the market covering computer and information security. Another option is SANS training, or any relevant courses from other training providers.*

Requirements

  • 1 proctored exam
  • 150 questions
  • Time limit of 4 hours
  • Minimum Passing Score of 72.7% (109 out of 150 questions)

NOTE:

GIAC reserves the right to change the specifications for each certification without notice. Based on a scientific passing point study, the passing point for the GCIH exam has been determined to be 72.7% for all candidates receiving access to their certification attempts on or after 08/03/2009. To verify the format of your current certification attempt, please read the Certification Information found in your portal account at https://exams.giac.org/pages/attempts.

Renew

Every 4 years

Delivery

NOTE: GIAC exams are NOT given the day after the conference ends.

Exams are delivered online through a standard web browser. For exams purchased with SANS training, access to the exam will be available 7-10 days following the end of the conference. Standalone challenge exams are issued within 24 hours of receipt of payment. You will receive an email from GIAC when your exam has been issued to your portal account. You have 120 days to complete the exam from the time we send notice that it is available. The exams are proctored and must be scheduled using our proctored exam procedure.

Links

Bulletin (Part 2 of Candidate Handbook)

The topic areas for each exam part follow. Each entry gives the certification objective followed by its outcome statement:

  • Backdoors & Trojan Horses: The candidate will demonstrate a detailed understanding of how backdoors are used to gain access to systems, and how to defend systems against them.
  • Buffer Overflows: The candidate will demonstrate an understanding of what a buffer overflow is, how buffer overflows are created, and how to defend against them. Additionally, candidates will demonstrate a high-level understanding of how attackers use common tools to create and maintain a backdoor on a compromised system.
  • Covering Tracks: Networks: The candidate will demonstrate an understanding of how attackers use tunneling and covert channels to cover their tracks on a network, and the strategies involved in defending against them.
  • Covering Tracks: Systems: The candidate will demonstrate an understanding of how attackers hide files and directories on Windows and Linux hosts and how they attempt to cover their tracks.
  • Denial of Service Attacks: The candidate will demonstrate a comprehensive understanding of the different kinds of Denial of Service attacks and how to defend against them.
  • Exploiting Systems using Netcat: The candidate will demonstrate an understanding of how to properly use the Netcat utility and how to defend against it.
  • Format String Attacks: The candidate will demonstrate a comprehensive understanding of how format string attacks work and how to defend against them.
  • Incident Handling Overview and Preparation: The candidate will demonstrate an understanding of what incident handling is, why it is important, and the best practices to follow in preparation for an incident.
  • Incident Handling Phase 2, Identification: The candidate will demonstrate an understanding of important strategies to gather events, analyze them, and determine whether an incident has occurred.
  • Incident Handling Phase 3, Containment: The candidate will demonstrate an understanding of high-level strategies to prevent an attacker from causing further damage to the victim after the incident has been discovered.
  • Incident Handling: Recovering and Improving Capabilities: The candidate will demonstrate an understanding of the general approaches to removing the attacker's artifacts from compromised machines, the general strategy for safely restoring operations, and the importance of the incident report and "lessons learned" meetings.
  • IP Address Spoofing: The candidate will demonstrate an understanding of what IP spoofing is, the three different types of spoofing, and strategies to defend against it.
  • Network Sniffing: The candidate will know what network sniffing is, how to use common sniffing tools, and how to defend against sniffers.
  • Password Attacks: The candidate will demonstrate a detailed understanding of the three methods of password cracking.
  • Reconnaissance: The candidate will demonstrate an understanding of public and open source reconnaissance techniques.
  • Rootkits: The candidate will demonstrate an understanding of how user-mode and kernel-mode rootkits operate, what their capabilities are, and how to defend against them.
  • Scanning: Host Discovery: The candidate will demonstrate an understanding of the tools and techniques used for host discovery on wired and wireless networks.
  • Scanning: Network and Application Vulnerability Scanning and Tools: The candidate will demonstrate an understanding of the fundamentals of network and application vulnerability scanners, common commercial and open source tools, and how to defend against them.
  • Scanning: Network Devices (firewall rule determination, fragmentation, and IDS/IPS evasion): The candidate will demonstrate an understanding of how to use Firewalk to determine firewall policies, the general principles of IP fragmentation attacks and why they are used, as well as the ability to identify them.
  • Scanning: Service Discovery: The candidate will demonstrate an understanding of the tools and techniques used for network mapping, port scanning, and passive fingerprinting, and how to defend against them.
  • Session Hijacking, Tools and Defenses: The candidate will demonstrate an understanding of the definition of session hijacking, the two methods commonly used, and why it is effective. Additionally, the candidate will demonstrate an understanding of how to identify common hijacking tools and the strategies to prepare for, identify, and contain hijacking attacks.
  • Types of Incidents: The candidate will demonstrate an understanding of multiple types of incidents, including espionage, unauthorized use, intellectual property theft, and insider threats, and apply strategies to prevent or address these cases.
  • Virtual Machine Attacks: The candidate will demonstrate an understanding of the virtual machine environment from an attacker's perspective, including targets and detection, and how to defend against threats.
  • Web Application Attacks: The candidate will demonstrate an understanding of the value of the Open Web Application Security Project (OWASP), as well as different web application attacks such as account harvesting, SQL injection, Cross-Site Scripting, and other web session attacks.
  • Worms, Bots & Bot-Nets: The candidate will demonstrate a detailed understanding of what worms, bots, and bot-nets are, and how to protect against them.

Where to Get Help

Training is available from a variety of resources, including online courses, course attendance at a live conference, and self study.

Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals already have the experience needed to meet the certification objectives identified above.

Finally, college level courses or study through another program may meet the needs for mastery.

The procedure to contest exam results can be found at http://www.giac.org/about/procedures/grievance.