The GIAC Hacker Techniques, Exploits and Incident Handling (GCIH) certification was created to provide assurance that a certified individual holds the level of knowledge and skill necessary for anyone with hands-on technical responsibilities in the key or essential areas of information security.
All GIAC certifications expire after 4 years. Candidates must review the material and retake the exams in order to remain certified. Although other entry-level certifications are available, GIAC is the only information security certification family that includes advanced technical subject areas.
Registering for the Certification
If you are ready to attempt the GCIH certification, follow these steps.
- Self-assess your subject matter knowledge by reviewing the list of Certification Topics below. If you do not have practical industry experience in one or more of the areas, we encourage you to read and study these topics.
- Follow the enrollment procedures found at www.giac.org/reginfo/challenge.php
- Take the practice tests before attempting the certification. The GIAC Practice Tests give you an understanding of what to expect on the examination and are a proven aid in mastering the material covered on the GIAC exams and earning the valued certifications. Why risk the expense of retakes and wasted time when you can take a practice test beforehand at a fraction of the cost of the actual exam? Knowing what to expect on the examination significantly improves your chances of success.
The practice tests are taken online and are designed to simulate the format of the actual GIAC exams, with the same number of tests, multiple-choice questions and time limits. The practice test questions, which are selected from our Online Training quiz bins, are written by the same authors who write the GIAC exams. During a practice test, each time you choose a wrong answer you receive the correct answer and an explanation that reinforces the subject matter of the question. The practice tests also include a counter showing how many questions you have answered correctly, how many you have answered wrong and how many remain. You have only one attempt at each practice test; if you need more attempts you will need to purchase another set. If you purchase a new practice test set, the online system will quiz you again on the questions you originally answered incorrectly while also asking new questions.
Certification Topics
| Certification Objectives | Outcome Statement |
|---|---|
| Adore Rootkit | The candidate will be able to identify the capabilities of the Adore rootkit. |
| AFX Windows Rootkit | The candidate will understand the capabilities and architecture of the AFX rootkit and know how to defend against it. |
| Anatomy of an Attack | The candidate will understand all the steps that attackers take to gain and maintain access to hosts. |
| Attacking LEAP with ASLEAP | The candidate will understand how the ASLEAP tool is used to break the LEAP security protocol used for wireless communications. |
| Attacking Web Sessions | The candidate will be able to identify four techniques for hacking web sessions, how proxy tools are used for hacking web sessions, and how to defend against such attacks. |
| Backdoor Suite Defenses | The candidate will understand how to defend against backdoor suites. |
| Backdoor Suites | The candidate will be able to identify popular backdoor suites and their capabilities. |
| Backdoors & Trojan Horses | The candidate will have a detailed understanding of how Backdoors are used to gain access to systems and how to defend your systems. |
| Buffer Overflow Defenses | The candidate will be able to identify general techniques to defend against buffer overflows. |
| Buffer Overflows and Parsers | The candidate will have a concept of what parser programs are, how buffer overflows are used to exploit them, and how to defend against problems with parser programs. |
| Burneye | The candidate will understand what Burneye does, identify its capabilities, and understand how to defend against the tool. |
| Cain & Abel | The candidate will understand the function of each tool used in this duo, identify capabilities of each tool, and how Cain can be used to obtain hashes and crack passwords. |
| CGI Programs Defined | The candidate will understand what a CGI program is and how it is run by a web server. |
| Covering Tracks in Unix/Linux | The candidate will understand how attackers hide files and directories on Unix hosts and how they attempt to cover their tracks. |
| Covering Tracks in Windows | The candidate will understand how attackers hide files and directories on Windows hosts and how they attempt to cover their tracks. |
| Covering Tracks on the Network | The candidate will understand how attackers use tunneling and covert channels to cover their tracks on a network and the strategies involved in defending against them. |
| Covering Tracks with Steganography | The candidate will understand the concepts behind steganography, the main methods of steganography, how to use S-Tools, and how to detect and defend against steganography. |
| Covert Channel Defenses | The candidate will understand the strategies involved in defending against covert channels. |
| Covert Channels Introduction | The candidate will understand the basic principles behind tunneling and covert channels. |
| CpuHog | The candidate will understand how the CpuHog tool causes a denial of service condition and how to defend against such attacks. |
| Cracking LANMAN with Cain | The candidate will understand how LANMAN hashes are used, the weaknesses in LANMAN, and how Cain is used to crack LANMAN hashes. |
| Cracking NTLM with Cain | The candidate will understand how NTLM authentication is used, the strengths and weaknesses of NTLM, and the importance of salts. |
| Cracking with Hash Tables | The candidate will know how pre-generated hash tables can be used to crack passwords faster and identify common tools used for this technique. |
| Creating a Buffer Overflow Exploit | The candidate will memorize the three steps involved in creating a buffer overflow exploit and have a detailed understanding of how those steps are performed. |
| Creating Backdoors | The candidate will have a high-level understanding of how an attacker would use tools such as inetd, tftp, Netcat and Xterm to gain backdoor access to a host. |
| Creating Backdoors with Inetd | The candidate will be able to configure inetd to allow for backdoor access into a host. |
| Creating Backdoors with tftp and Netcat | The candidate will have a high-level understanding of how an attacker would use a buffer overflow attack against tftp to gain backdoor access to a host with Netcat. |
| Creating Backdoors with Xterm | The candidate will have a high-level understanding of how an attacker would use a buffer overflow attack against the X windows server and use Xterm to gain backdoor access to a host. |
| Cross-Site Scripting Attacks | The candidate will have a detailed understanding of how XSS attacks are implemented and how to defend against them. |
| Defenses From Covering Tracks on Systems | The candidate will be able to identify the best approaches to defend against attackers attempting to cover their tracks. |
| Denial of Service Attacks | The candidate will have a detailed understanding of the different kinds of Denial of Service attacks and how to defend against them. |
| Distributed Denial of Service Attacks | The candidate will understand how Distributed DoS attacks work, the architecture and capabilities of the TFN tool, and how to defend against such attacks. |
| DLL Injection & API Hooking | The candidate will understand the techniques used by attackers to implement Windows rootkits by exploiting DLLs and APIs. |
| DNS Cache Poisoning | The candidate will understand what DNS cache poisoning is, how an attacker implements the attack, and how to defend and deal with the attack. |
| DNS Reconnaissance | The candidate will understand basic DNS recon techniques and how to defend against them. |
| DoS Suites | The candidate will understand what kind of Denial of Service attacks DoS Suites execute, identify common DoS Suite tools, and know how to defend against them. |
| Editing Accounting Entries in UNIX | The candidate will memorize which files on a Unix host store accounting data that attackers commonly edit to cover their tracks and will understand how they are edited. |
| Editing UNIX Log Files | The candidate will understand how attackers attempt to cover their tracks on Unix hosts by editing log files and which log files are commonly changed. |
| Emergency Action Plan | The candidate will be able to put into practice the techniques essential to the Emergency Action Plan developed by the Incident Handling community. |
| Espionage Incidents | The candidate will understand the definition of espionage and strategies to deal with these incidents. |
| Executable Packers | The candidate will understand the concept of a packer and be able to identify popular packer tools, as well as techniques to unpack them. |
| Exploiting Windows Shares for Shell Access | The candidate will know how to use Administrator passwords on Windows shares to spawn a Netcat shell and how to defend against this attack. |
| Format String Attacks | The candidate will have a detailed understanding of how format string attacks work and how to defend against them. |
| Future Attack Trends | The candidate will be able to identify likely trends in future attacks. |
| General Trends in the Hacker Underground | The candidate will understand the general trends happening in the hacker underground. |
| Google Reconnaissance | The candidate will understand the basics of using Google as a recon tool and how to defend against it. |
| Hands-On with Nmap and TCPDump | The candidate will be able to use tcpdump to analyze scans generated by nmap. |
| Hiding Files in NTFS | The candidate will understand how attackers hide files and folders on the Windows NTFS filesystem using alternate data streams and how to find these files. |
| Hiding Files in UNIX | The candidate will understand common techniques attackers use to hide files and directories on Unix hosts. |
| IIS Unicode Exploits | The candidate will understand how Unicode attacks are used against IIS web servers and how to defend against them. |
| Incident Handling and Evidence | The candidate will understand the two types of evidence, which types are best, and general strategies to handle evidence. |
| Incident Handling and the Legal System | The candidate will understand how the Law affects Incident Handling, identify specific laws important to Incident Handling, and have a general understanding of what those laws address. |
| Incident Handling Defined | The candidate will understand what Incident Handling is, why it is important, and be able to distinguish incidents from events. |
| Incident Handling Phase Five: Recovery | The candidate will understand the general strategy to safely restore operations that were affected by the incident. |
| Incident Handling Phase Four: Eradication | The candidate will understand the general approaches to get rid of the attacker's artifacts on compromised machines. |
| Incident Handling Phase One: Preparation | The candidate will understand best practices to take in preparation for an Incident, know why they are important, and understand the consequences of ignoring them. |
| Incident Handling Phase Six: Lessons Learned | The candidate will develop a report of the incident and conduct a "lessons learned" meeting to improve Incident Handling capabilities. |
| Incident Handling Phase Three: Containment | The candidate will understand high-level strategies to prevent an attacker from causing further damage to the victim after discovering the incident. |
| Incident Handling Phase Two: Identification | The candidate will understand important strategies to gather events, analyze them, and determine if we have an incident. |
| Incident Handling Phases at a Glance | The candidate will memorize the names and sequence of the six primary phases in Incident Handling. |
| Insider Threat Incidents | The candidate will know the definition and nature of an insider threat, memorize the names and understand definitions of the four types of insider threats, understand common methods used by insiders, and understand strategies to detect insider incidents. |
| Intellectual Property Incidents | The candidate will understand how Intellectual Property is approached by Government and Commercial Sectors, memorize the four types of Intellectual Property, understand the scope and definitions of each type, and understand how the Incident Handling process is applied to Intellectual Property. |
| Intro to Linux | The candidate will understand the basic functions of Linux. |
| Intro to VMWare | The candidate will understand the fundamentals of VMWare. |
| Introduction to Bots and Bot-Nets | The candidate will know how bots are being distributed via worms, common bot capabilities, and how bots are being used to control infected hosts. |
| Introduction to Buffer Overflows | The candidate will understand what a Buffer Overflow is and have a high-level understanding of how they work. |
| Introduction to Denial of Service Attacks | The candidate will understand the general concept of four different kinds of Denial of Service attacks. |
| Introduction to Nessus | The candidate will understand the basics of how Nessus is used as a vulnerability scanner and know how to defend against it. |
| Introduction to Packet Fragmentation | The candidate will understand the general principles of IP fragmentation attacks and why they are used. |
| Introduction to Password Cracking | The candidate will memorize the three methods of password cracking and understand the details of each approach. |
| Introduction to Port Scanning | The candidate will know what port scanning is and how it is used. |
| Introduction to Rootkits | The candidate will understand what rootkits are and what platforms they are found on. |
| Introduction to Session Hijacking | The candidate will understand the definition of session hijacking, two methods commonly used, and why it is effective. |
| Introduction to the TCP 3-Way Handshake | The candidate will understand how the TCP protocol establishes a new session using state flags. |
| Introduction to Vulnerability Scanners | The candidate will be able to define vulnerability scanners and identify which vulnerability scanner all current scanners are based on. |
| Introduction to War Driving | The candidate will be able to identify common wireless misconfigurations and the discovery capabilities of two scanning tools. |
| Introduction to Windows NULL Sessions | The candidate will be able to define NULL sessions, understand how they are used by attackers, and identify two common tools used for this. |
| Introduction to Worms | The candidate will know the definition of a worm, identify and understand the major types of worms and their characteristics, including worms we are likely to encounter in the future. |
| IP Address Spoofing | The candidate will understand what IP Spoofing is, three different types of spoofing, and strategies to defend against it. |
| IP Fragmentation Attacks | The candidate will be able to identify two types of fragmentation attacks, a common tool used to perform them, and how to defend against them. |
| Kernel Mode Rootkit Defenses | The candidate will be able to identify several techniques for defending against kernel-mode rootkits on different platforms and detecting them. |
| Kernel Mode Rootkits | The candidate will understand how kernel mode rootkits operate, what their capabilities are, and how they are installed. |
| KIS Rootkit | The candidate will understand the strengths of the KIS rootkit, and identify its capabilities. |
| Log Editing in Windows | The candidate will be able to identify which files are edited by attackers to cover their tracks and what methods are used to edit these files. |
| Loki | The candidate will be able to identify the capabilities of the Loki tool and understand how it works. |
| LRK Rootkit | The candidate will be able to identify LRK's components and capabilities and understand how the rootkit operates. |
| Malware Overview | The candidate will understand the definitions of the main types of malware and their characteristics. |
| Metamorphic Worms | The candidate will be able to identify characteristics of metamorphic worms and understand the general concept behind how they operate. |
| Netcat Trojan | The candidate will understand how Netcat can be used as a Trojan if it is renamed to disguise itself and open a backdoor. |
| Network Mapping with Cheops-ng | The candidate will be able to use Cheops-ng to map networks and understand how to defend against this tool. |
| Network Reconnaissance with Nmap | The candidate will have a basic understanding of how to use nmap for port scanning and OS fingerprinting and will understand general techniques to defend against port scanners. |
| Network Sniffing | The candidate will know what network sniffing is, how to use the dsniff and sniffit tools, and how to defend against sniffers. |
| NULL Session Defenses | The candidate will understand strategies to defend against NULL session enumerations. |
| NULL Sessions with Enum | The candidate will be able to use the Enum tool to extract NULL session data from a Windows host. |
| NULL Sessions with Winfingerprint | The candidate will be able to use the Winfingerprint tool to extract NULL session data from a Windows host. |
| OWASP Overview | The candidate will understand what the OWASP is and why it is valuable to Web Application security. |
| Packet Fragmentation & Attacks | The candidate will understand the general principles of IP fragmentation attacks, why they are used, and be able to identify them. |
| Passive OS Fingerprinting | The candidate will know what passive fingerprinting is and why it is useful, identify a common tool used for this, and understand how to defend against it. |
| Password Guessing | The candidate will understand the password guessing techniques used by attackers and how THC Hydra can be used to help automate this process. |
| Ping of Death Attacks | The candidate will understand how Ping of Death attacks work and how to defend against them. |
| Polymorphism and ADMutate | The candidate will know the definition of polymorphism, understand the concepts behind ADMutate's implementation of polymorphism, and how to defend against ADMutated exploits. |
| Port Scanning & Nmap | The candidate will know what port scanning is, how to defend against it and have an in-depth knowledge of how to use the port scanning tool called Nmap. |
| Reconnaissance | The candidate will understand basic reconnaissance techniques using public resources - WHOIS, DNS, Web Sites, Google, Sam Spade. |
| Reconnaissance Using Sam Spade | The candidate will know what capabilities the Sam Spade tool has for reconnaissance purposes. |
| Reverse WWW Shell | The candidate will understand how reverse www shell works as a covert channel. |
| Rose Attacks | The candidate will understand how Rose attacks work and how to defend against them. |
| Session Hijacking Defenses | The candidate will understand strategies to prepare for session hijacking attacks, identify them, and contain them when they are found. |
| Session Hijacking Tools | The candidate will be able to identify common session hijacking tools in use today and what their capabilities are. |
| Session Hijacking, Tools and Defenses | The candidate will understand the definition of session hijacking, two methods commonly used, why it is effective and be able to identify common hijacking tools and understand the strategies to prepare for, identify and contain hijacking attacks. |
| Setiri Backdoor | The candidate will be able to identify the strengths and characteristics of the Setiri backdoor app and understand how it works. |
| Smurf Attacks | The candidate will understand the technical details of how smurf attacks work and how to defend against them. |
| Sniffing Backdoors | The candidate will understand how sniffing backdoors differ from regular backdoors, identify common sniffing backdoor tools, understand how sniffing backdoors work, and understand how to defend against them. |
| Solaris Kernel-Mode Rootkits | The candidate will be able to identify capabilities of the Solaris Kernel Module Rootkit. |
| SQL Injection Attacks | The candidate will understand how SQL injection attacks work, how to identify such vulnerabilities, and how to defend against such attacks. |
| SQL Slammer | The candidate will understand the characteristics of the SQL Slammer worm, what kind of impact it had, and how it spread. |
| Steganography with Hydan | The candidate will understand how Hydan uses steganography to defeat exploit detection, how effective the tool is, and how to defend against it. |
| SYN Flood Attacks | The candidate will understand the technical details of how SYN Floods work, how to identify them, and how to defend against them. |
| TCP and IP Covert Channels | The candidate will understand how TCP and IP packet headers can be used for covert channels. |
| The Metasploit Framework | The candidate will have a high-level understanding of the workings of the Metasploit framework and why it is an effective tool for building exploits. |
| Tini Backdoor | The candidate will be able to identify strengths and characteristics of the Tini backdoor program. |
| Unauthorized Access Incidents | The candidate will understand the scope of unauthorized access incidents and how to identify/detect common types. |
| Unauthorized Use Incidents | The candidate will understand the definition of unauthorized use, recognize common cases, and apply important strategies to prevent and deal with these cases. |
| Understanding Web Sessions | The candidate will be able to identify and understand the three main techniques of session tracking. |
| Unix Password Cracking with John the Ripper | The candidate will understand how UNIX stores and uses passwords, memorize the cracking modes of John the Ripper, be able to use John the Ripper to crack UNIX passwords, and understand how to defend UNIX hosts against password cracking. |
| User-Mode Rootkits | The candidate will understand how user-mode rootkits operate, what their capabilities are and how to defend against them. |
| Using Firewalk | The candidate will be able to use Firewalk to determine firewall policies. |
| Using Netcat | The candidate will be able to use Netcat for several offensive uses and understand how to defend against them. |
| Vulnerability Scanning With Nessus | The candidate will understand the basics of how Nessus is used as a vulnerability scanner and know how to defend against it. |
| War Driving Defenses | The candidate will be able to defend against wireless reconnaissance. |
| War Driving with Netstumbler | The candidate will be able to use Netstumbler to scan for wireless networks. |
| Wardialing with THC | The candidate will be able to identify capabilities of the THC scanner and defend against war dialers. |
| Web Account Harvesting | The candidate will understand how account harvesting works and how to defend against it. |
| Web Application Attacks | The candidate will understand the value of the Open Web Application Security Project (OWASP) and become familiar with different Web App attacks, such as account harvesting, SQL injection, Cross-Site Scripting and other Web Session attacks. |
| Web Site Reconnaissance | The candidate will understand basic Web Site recon techniques and how to defend against them. |
| Web/CGI Scanning with Nikto | The candidate will understand how Nikto is used to scan Web Sites and CGI's, how it attempts to evade IDS, and identify how to defend against tools like Nikto. |
| Web/CGI Scanning with Nikto | The candidate will understand what a CGI program is, how the Web/CGI Nikto scanning tool works and identify how to defend against such tools. |
| WHOIS Reconnaissance | The candidate will understand basic recon techniques with WHOIS and how to defend against them. |
| Windows Cracking Passwords with Cain | The candidate will understand how Windows stores and uses passwords, be able to use Cain to crack Windows passwords, and understand how to defend Windows hosts against password cracking. |
| Windows Kernel-Mode Rootkits | The candidate will be able to identify two Windows kernel-mode rootkits and their capabilities. |
| Windows NULL Sessions | The candidate will be able to define NULL sessions, understand how they are used by attackers, identify two common tools used for this and understand NULL session defense strategies. |
| Windows Password Cracking Defenses | The candidate will be able to identify and implement best practices to defend Windows hosts against password cracking attacks. |
| Windows Scheduling for Netcat Backdoor Listener | The candidate will be able to use the Windows Scheduler service to execute a Netcat backdoor listener on a Windows host for remote access. |
| Wireless Attacks | The candidate will be able to identify common wireless misconfigurations, understand wireless discovery tools and defend against wireless reconnaissance. |
| Wireless LAN Security Policies | The candidate will be able to put best practices into use to develop an effective security policy for wireless LANs. |
| Worm Defenses | The candidate will be able to identify techniques to defend against worms and how to slow down or limit their propagation. |
| Worms, Bots & Bot-Nets | The candidate will have a detailed understanding of what worms, bots and bot-nets are, and how to protect against them. |
| Wrappers | The candidate will understand the concept of malware wrappers and how they work. |
Where to Get Help
Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study. SANS offers each of these programs; for further information, www.sans.org will help you find the best option.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals have the experience to meet the learning objectives identified.
Finally, college level courses or study through another program may meet the needs for mastery.