Passed GIAC Certified Incident Handler (GCIH)

unsupported Posts: 192Member
I just got back from the testing center where I passed my GCIH certification. I got an A. I missed a few out of the 150 questions, and finished in 2 of the allotted 4 hours. Some of the questions I missed were just stupid on my part (I completely misread them), the others were educated guesses because I could not find the answer in the material.

I basically took the SANS Self Study route. My study plan was reading and indexing Counter Hack: Reloaded by Ed Skoudis. It was beneficial because some test questions were lifted directly from the book. Combined with the SANS SEC504 course material, the Counter Hack index filled in some gaps. I listened to the Ed Skoudis SANS SEC504 MP3s and read through the SANS SEC504 courseware. I also had the course CD-ROM, but I did not use it because I had good exposure to the tools when I was doing my C|EH. I indexed all the slides from the course material as well as putting page markers in the course material and in CH:R. I also had printed out all the SANS **** sheets, the wiki on NetCat, and commonly used backdoor ports. I wish I would have had a commonly used port print-out, but I survived without it.

The test itself was exactly like the practice test, but more difficult. The practice test was more cut and dry: What do you use X for? While I felt the actual test was more applying the knowledge, ex. if you wanted to do x and y, what would you use? I felt my test covered all topics evenly, and that all the tools were well represented, the IH process, and the details of each phase of IH. The testing center was annoying. In Florida we just had our first cold front of the fall and they had the HEAT ON! Luckily, I wore shorts. I wish I would have had more room to spread out my books, but I managed. Once I knew I passed, I took a break, went to the bathroom, and re-arranged my work area.

All in all, I enjoyed the experience. I am looking forward to the live training event in DC for GCIA. Then.. who knows what else I might go for. GCFA? GCFA? Maybe back to EC-Council for CFHI? Or should I go for the GOLD?! Or just focus on school until I'm done.
-un

“We build our computer (systems) the way we build our cities: over time, without a plan, on top of ruins” - Ellen Ullman

Comments

  • Paul Boz Posts: 2,621Member
    I'm glad to hear that you enjoyed your SANS learning experience. I'm taking the GCFW on November 13th and have been blown away at the quality of the material and instruction. I haven't learned a lot of individual technologies and concepts but I have learned many new ways to apply them.

    The testing center where I have to go is also cramped. I, like you, will be sweating just not having enough space to lay out my materials. I've integrated that into my practice exams though - working with a small volume of space.

    When are you doing the live training for the GCIA? I blew my training budget on Cisco tests and the GCFW but in January when my $4000 resets I'm signing up for the GCIA immediately. I'd be very interested in what you think of the GCIA. I don't know anyone that has taken it so my interest in the course stems from personal interest in the material. I think GCFW and GCIA will complement each other nicely.

    Is your employer paying for SANS or are you out of pocket?
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    [email protected]
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • dynamik Posts: 12,314Banned
    Nice review. I've really been impressed with the SANS material, just from what I've seen by peeking at Paul's stuff.

    Are you doing incident handling/forensics now? That seems like an interesting area to be involved in.

    Congratulations on the pass!
  • GAngel Posts: 708Member
    I'd love to take the GCIH as it seems to be all I do these days, even challenge it for $900, but without any real study material outside of SANS it'll stay on the backburner. And my training budget would get decimated if I used it on that, especially when I have so many other things to do.
  • Paul Boz Posts: 2,621Member
    GAngel wrote: »
    I'd love to take the GCIH as it seems to be all I do these days, even challenge it for $900, but without any real study material outside of SANS it'll stay on the backburner. And my training budget would get decimated if I used it on that, especially when I have so many other things to do.

    In my experience unless you know someone that will lend you the course books and MP3s you're really screwed on a straight up challenge. You have no way to know what's going to be on the exam, no way to prepare for how they'll ask questions, and no idea what is expected.
  • GAngel Posts: 708Member
    Paul Boz wrote: »
    In my experience unless you know someone that will lend you the course books and MP3s you're really screwed on a straight up challenge. You have no way to know what's going to be on the exam, no way to prepare for how they'll ask questions, and no idea what is expected.

    Exactly, I'm not going to spend that money on a 50/50 chance at best. Does anyone know if SANS has a policy against sharing their material?

    And if not where we could get a hold of it.
  • Paul Boz Posts: 2,621Member
    GAngel wrote: »
    Exactly, I'm not going to spend that money on a 50/50 chance at best. Does anyone know if SANS has a policy against sharing their material?

    And if not where we could get a hold of it.

    Pretty sure they don't like having their material distributed. If they were cool with it no one would spend $3500 on self study and exam challenge.
  • unsupported Posts: 192Member
    Paul Boz wrote: »
    When are you doing the live training for the GCIA? I blew my training budget on Cisco tests and the GCFW but in January when my $4000 resets I'm signing up for the GCIA immediately. I'd be very interested in what you think of the GCIA. I don't know anyone that has taken it so my interest in the course stems from personal interest in the material. I think GCFW and GCIA will complement each other nicely.

    Is your employer paying for SANS or are you out of pocket?

    I'm going to the December CDI SANS event in D.C. My employer is paying for the SANS training.. well.. there was some horse trading with another department, so my manager does not have to pay for the SANS training, but they are popping for the test and travel.

    I believe it that you have known anyone who has taken GCIA, because there are only 2,059 certified professionals (twice that for GCIH). I will give my impressions of the training at the end of December, and then a review of the exam within 4 months after that.

    I have enough to pay for out of pocket with my schooling, until the end of the semester when I get reimbursed.
    -un

  • unsupported Posts: 192Member
    dynamik wrote: »
    Nice review.

    Thank you
    Are you doing incident handling/forensics now? That seems like an interesting area to be involved in.

    I have been moved into a first level IHish role. I handle a lot of the noise that our corporate incident response team does not have the time to handle. Mainly, half my time is working a project to detect and eliminate peer-to-peer software and the other half is reviewing/tuning IDS alerts. I hope to be moved into a traditional IH role soon, either by dumb luck (org changes) or by hard work.

    Previously I was doing a lot of log monitoring and vulnerability scanning.
    Congratulations on the pass!
    Thank you.
    -un

  • GAngel Posts: 708Member
    I applied for their work study program for:
    (GPEN)(GSEC)

    GPEN course is end of November in my city so we'll see. I'm not expecting to get through as it's so close to the actual date but worth a shot and a steal at $700. GSEC is next year March so hopefully have a better shot at that.
  • Paul Boz Posts: 2,621Member
    I've roadmapped the GCIH and will be buying the course in January when my training budget resets. I spoke with a GCIA yesterday and he told me that the GCIA re-hashes 99% of the material from the GCFW, so it would really be a serious waste of $3500 since I will have the GCFW by then. I verified by looking at the day to day breakdown. There is nothing unique in the GCIA that the GCFW doesn't cover.
  • tpatt100 Posts: 2,989Member
    I want to pursue some SANS training but no way on my own. My new job, which I start soon, said I would be required to go for the position I got, which is cool with me. I was doing incident handling/reporting at my last job. Or they could just be blowing smoke.
  • GAngel Posts: 708Member
    I've just realized we have access to all kinds of online content and GSEC is in there. Too bad it's the only SANS one but maybe I'll try and challenge it after CISSP.
  • GAngel Posts: 708Member
    I've just gotten an email that I'll be facilitating at the GPEN course in Toronto in just over a month from now.

    It's a week before my CISSP exam so I'll be hitting the books big time over the next month trying to get prepped for both.
  • dynamik Posts: 12,314Banned
    GAngel wrote: »
    I've just gotten an email that I'll be facilitating at the GPEN course in Toronto in just over a month from now.

    Sweet! Where did you apply for that?

    (It's too early to google...)
    GAngel wrote: »
    It's a week before my CISSP exam so I'll be hitting the books big time over the next month trying to get prepped for both.

    Good luck!
  • GAngel Posts: 708Member
    Under the training/workstudy section of the website. I just put in the request for the three closest to me as it shows them into early next year.

    I applied for Toronto/Cleveland and Ottawa. Toronto was the closest and the soonest one. You have to apply for them individually and in the app state why you want to do the course etc.
  • dynamik Posts: 12,314Banned
    I don't want to say how long I spent on the GIAC site trying to find that link. I got it now though

    Thanks!
  • Paul Boz Posts: 2,621Member
    GAngel wrote: »
    I've just gotten an email that I'll be facilitating at the GPEN course in Toronto in just over a month from now.

    It's a week before my CISSP exam so I'll be hitting the books big time over the next month trying to get prepped for both.

    I've studied the GPEN material to the point where I could probably sit and pass the exam. You should enjoy the material, I did. It has a lot of very practical, hands on information in it.
  • GAngel Posts: 708Member
    Paul Boz wrote: »
    I've studied the GPEN material to the point where I could probably sit and pass the exam. You should enjoy the material, I did. It has a lot of very practical, hands on information in it.

    I feel relatively comfortable with the theory side of it so it's just getting as much hands on as I can. Hopefully I feel comfortable enough to sit it in January and then OSCP in Feb.

    I'm just excited to get going. It's my first SANS.
  • dynamik Posts: 12,314Banned
    We had one of our senior guys come up a bit short on the OSCP yesterday, so now I'm freaking out. I've gone through the videos already, and there was a decent amount on configuring your own exploits via a debugger, etc. I did pretty good with the other sections, but that was over my head for the most part. The course is awesome, but I'm not looking forward to the exam
  • veritas_libertas Posts: 5,727Member
    dynamik wrote: »
    We had one of our senior guys come up a bit short on the OSCP yesterday, so now I'm freaking out. I've gone through the videos already, and there was a decent amount on configuring your own exploits via a debugger, etc. I did pretty good with the other sections, but that was over my head for the most part. The course is awesome, but I'm not looking forward to the exam

    I didn't know you were going after Dynamik, keep us updated on how it goes. Good luck.
    Currently working on: Linux and Python
  • dynamik Posts: 12,314Banned
    Yea, it officially started on the 11th. I'm going to try to get ICND2 out of the way ASAP, so I can focus on that. I have a lot of ground to cover!
  • wera711 Posts: 23Member
    I am a GCIH and I know the certification holds weight in the industry, but their training was useless for me. If you are a network admin with zero security experience, it may be ok. I took the 5 day 504 Hackers Technique course in DC a couple of years ago. You will be better off reading Hacking Exposed. That's basically all it is. I was really disappointed.
  • dynamik Posts: 12,314Banned
    wera711 wrote: »
    I am a GCIH and I know the certification holds weight in the industry, but their training was useless for me. If you are a network admin with zero security experience, it may be ok. I took the 5 day 504 Hackers Technique course in DC a couple of years ago. You will be better off reading Hacking Exposed. That's basically all it is. I was really disappointed.

    Bummer. Any other resources you'd recommend for the exam?
  • GAngel Posts: 708Member
    dynamik wrote: »
    Bummer. Any other resources you'd recommend for the exam?

    I was reading the e-hacker website and someone said they self studied using Counter Hack Reloaded.
  • dynamik Posts: 12,314Banned
    GAngel wrote: »
    I was reading the e-hacker website and someone said they self studied using Counter Hack Reloaded.

    Thanks for the follow-up. I actually bought it based on that recommendation. I'm over there too, although I'm mostly a lurker