Below you will find links to articles published recently on the internet that talk about the GCIH cert:
I PASSED MY SANS GCIH
Over the weekend I finished up my SANS OnDemand course for SEC504: Hacker Techniques, Exploits, & Incident Handling. I also passed my second test to earn my GIAC Certified Incident Handler (GCIH) Silver certification. I'll briefly give my assessment of both.
Overall, I really enjoyed the course. SANS offers it in several formats - instructor-led at their conferences, instructor-led online (SANS @Home), independent study online (SANS OnDemand), etc. For a number of reasons, the SANS OnDemand format seemed the best fit for my circumstances (no travel required, flexible study times, etc.).
The online material is presented with a slide (I'm guessing the same slides used in all the other presentation formats for the course), an audio track for each slide (which seems to be recorded from one or more of the instructor-led presentations), and then a Notes section of the screen with more detailed information than what appears on the slide.
The instructor-led course is usually taught in six days, so the online course is divided into six modules. Each of these is then further divided by topic. So you might have a group of slides on password cracking, for example. Following each set of slides, there is a quiz. You need to pass the quiz with 80% before moving on to the next topic.
One gripe I had was that you couldn't bounce around in the course; you had to pass each section prior to moving on to the next section. While I'm sure this mirrors the way a traditional course is taught, it isn't the way that I would normally self-study; I like to skip around a bit in my study guides. Once you passed a section, you could always go back to it, though. I also had a gripe with the quizzes: some quizzes only had 3-4 questions, which means you essentially need to score 100% on the quiz to move on (since 80% of 3 or 4 is less than 1 question). If you have a poorly worded or unclear question as one of those 3-4, then you need to go through all the slides again (although you can skip through them pretty quickly; you don't need to listen to the audio track). Sometimes I got the feeling that the quiz questions were questions that weren't quite good enough to make it onto the certification exams, so there were definitely some poorly worded or debatable questions.
Now that I've got the format out of the way, let me briefly mention the material. The course is on incident handling and the techniques hackers use when committing a security incident. While I think an understanding of the latter is important in incident handling, something about the material left me feeling like these two subjects weren't integrated very well in the course. The first module is completely on incident handling, while the next four modules are on hacker techniques and exploits. After each technique or exploit was explained, there would be a slide or two covering how the technique or exploit should be handled during each of the six steps of the incident handling process. For some reason these seemed almost an afterthought (1-2 slides on handling, with maybe 5-10 on the technique or exploit). I guess I would have liked it better if the incident handling of the technique was more prominently featured, maybe with more scenarios on how the technique might be detected in real life, or how the technique is tied with others by an experienced hacker. Don't get me wrong, there is some of that covered in the course, but somehow I was left wanting more. Luckily I have some experience in this area, so I don't feel completely lost having completed the course, but I suspect an inexperienced handler would struggle if this was their first exposure to some of these techniques.
Other than that minor complaint, I loved the material! I thought I knew some of the hacker techniques and tools pretty well, but even I learned a few new tricks with some tools I regularly use. Plus, I picked up a whole new bag of tricks. I'm sure most penetration testers or vulnerability assessors have a favorite tool for a certain function (password guessing, password cracking, port scanning, etc.) and tend to favor it rather than sampling all the tools out there. The beauty of this course is that most likely some of the tools are ones you haven't used before. They may not have features that would cause you to switch, but maybe they do. Plus, as I said earlier, even if you use the tools regularly, you might pick up a new way to use them.
Overall I'm not sure what SANS should do with the material. Looking over their certifications and courses, there are often areas that overlap. For example, an Incident Handler might need to know some of the same things that an Intrusion Analyst knows. Also, as I alluded to above, some of the Incident Handling material could actually be a separate course on penetration testing/ethical hacking. I almost feel like the courses should be shorter, with several shorter courses required for each certification.
As for the exam, due to NDAs I'll be very brief. There are two exams to earn the "Silver" level certification. Each is 75 questions and two hours. Since you take the test online, essentially it can be open book, open Internet. In spite of that, I don't think you'd have enough time to pass the exam if you didn't know the material. Many of the questions wouldn't be easy to Google; they require some analysis of what the question is asking. However, there were some trivia-type questions that could be Googled fairly easily. I've never liked those types of questions on an exam; I feel that if I need to know some piece of esoteric trivia, knowing where to look it up should suffice. I guess I'd rather see those types of questions replaced with more scenario questions. Overall I thought the exam was good; it was challenging but not impossible. I think the combination of the course and my experience made the exams seem a bit easier than they probably are.
One suggestion I'd make: if you decide to take the course in the OnDemand format, pay the extra money to get a copy of the course books. The material is the same as that provided online, but you only have access to the online material for four months. With all of the info on hacker techniques and tools, I think I'll be referring back to these books more than occasionally.
Looking back, I guess I wasn't as brief as I thought I'd be. Sorry!
Christopher Meyer (GCIH, CISSP)
Original post at: http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=253&threadid=83309&enterthread=y