"Charting the Course ... to Your Success!"

EC-Council Certified Incident Handler (ECIH)

Course Summary

Description

The EC-Council Certified Incident Handler program is designed to provide the fundamental skills needed to
handle and respond to computer security incidents in an information system. The course addresses the
underlying principles and techniques for detecting and responding to current and emerging computer
security threats. Students will learn how to handle various types of incidents, risk assessment
methodologies, and the laws and policies related to incident handling. After attending the course, they
will be able to create incident handling and response policies and deal with various types of computer
security incidents. The comprehensive training program will make students proficient in handling and
responding to security incidents such as network security incidents, malicious code incidents and
insider attack threats.

In addition, the students will learn about computer forensics and its role in handling and responding to
incidents. The course also covers incident response teams, incident reporting methods and incident
recovery techniques in detail.

The ECIH certification gives professionals greater industry recognition as seasoned incident handlers.

Topics

• Introduction to Incident Response and Handling
• Risk Assessment
• Incident Response and Handling Steps
• CSIRT
• Handling Network Security Incidents
• Handling Malicious Code Incidents
• Handling Insider Threats
• Forensic Analysis and Incident Response
• Incident Reporting
• Incident Recovery
• Security Policies and Laws

Audience

This course will significantly benefit incident handlers, risk assessment administrators, penetration testers,
cyber forensic investigators, vulnerability assessment auditors, system administrators, system engineers,
firewall administrators, network managers, IT managers, IT professionals and anyone who is interested in
incident handling and response.

Prerequisites

There are no prerequisites for this course.

Duration

Two days

Due to the nature of this material, this document refers to numerous hardware and software products by their trade names. References to other companies and their products are for
informational purposes only, and all trademarks are the properties of their respective companies. It is not the intent of ProTech Professional Technical Services, Inc. to use any of these
names generically

Course Outline
I. Introduction to Incident Response and Handling
   A. Cyber Incident Statistics
   B. Computer Security Incident
   C. Information as Business Asset
   D. Data Classification
   E. Common Terminologies
   F. Information Warfare
   G. Key Concepts of Information Security
   H. Vulnerability, Threat, and Attack
   I. Types of Computer Security Incidents
   J. Examples of Computer Security Incidents
   K. Verizon Data Breach Investigations Report – 2008
   L. Incidents That Required the Execution of Disaster Recovery Plans
   M. Signs of an Incident
   N. Incident Categories
      1. Incident Categories: Low Level
      2. Incident Categories: Middle Level
      3. Incident Categories: High Level
   O. Incident Prioritization
   P. Incident Response
   Q. Incident Handling
   R. Use of Disaster Recovery Technologies
   S. Impact of Virtualization on Incident Response and Handling
   T. Estimating Cost of an Incident
   U. Symantec Global Disaster Recovery Survey – 2009
   V. Key Findings of
   W. Incident Reporting
   X. Incident Reporting Organizations
   Y. Vulnerability Resources

II. Risk Assessment
   A. Risk
   B. Risk Policy
   C. Risk Assessment Strategy
   D. NIST’s Risk Assessment Methodology
      1. Step 1: System Characterization
      2. Step 2: Threats Identification
      3. Step 3: Identify Vulnerabilities
      4. Step 4: Control Analysis
      5. Step 5: Likelihood Determination
      6. Step 6: Impact Analysis
      7. Step 7: Risk Determination
      8. Step 8: Control Recommendations
      9. Step 9: Results Documentation
   E. Steps to Assess Risks at Work Place
      1. Step 1: Identify Hazard
      2. Step 2: Determine Who Will be Harmed and How
      3. Step 3: Analyze Risks and Check for Precautions
      4. Step 4: Implement Results of Risk Assessment
      5. Step 5: Review Risk Assessment
   F. Risk Analysis
      1. Need for Risk Analysis
      2. Risk Analysis: Approach
   G. Risk Mitigation
      1. Risk Mitigation Strategies
   H. Cost/Benefit Analysis
   I. NIST Approach for Control Implementation
   J. Residual Risk
   K. Risk Management Tools
      1. CRAMM
      2. Acuity STREAM
      3. Callio Secura 17799
      4. EAR / Pilar

III. Incident Response and Handling Steps
   A. How to Identify an Incident
   B. Handling Incidents
   C. Need for Incident Response
   D. Goals of Incident Response
   E. Incident Response Plan
      1. Purpose of Incident Response Plan
      2. Requirements of Incident Response Plan
      3. Preparation
   F. Incident Response and Handling Steps
      1. Step 1: Identification
      2. Step 2: Incident Recording
      3. Step 3: Initial Response
      4. Step 4: Communicating the Incident
      5. Step 5: Containment
      6. Step 6: Formulating a Response
      7. Step 7: Incident Classification
      8. Step 8: Incident Investigation
      9. Step 9: Data Collection
      10. Step 10: Forensic Analysis
      11. Step 11: Evidence Protection
      12. Step 12: Notify External Agencies
      13. Step 13: Eradication
      14. Step 14: Systems Recovery
      15. Step 15: Incident Documentation
      16. Step 16: Incident Damage and Cost Assessment
      17. Step 17: Review and Update the Response Policies
   G. Training and Awareness
   H. Security Awareness and Training Checklist
   I. Incident Management
      1. Purpose of Incident Management
      2. Incident Management Process
      3. Incident Management Team
   J. Incident Response Team
      1. Incident Response Team Members
      2. Incident Response Team Members Roles and Responsibilities
      3. Developing Skills in Incident Response Personnel
      4. Incident Response Team Structure
      5. Incident Response Team Dependencies
      6. Incident Response Team Services
   K. Defining the Relationship between Incident Response, Incident Handling and Incident Management
   L. Incident Response Best Practices
   M. Incident Response Policy
   N. Incident Response Plan Checklist
   O. Incident Handling System: RTIR
   P. RPIER 1st Responder Framework

IV. CSIRT
   A. What is CSIRT?
   B. What is the Need of an Incident Response Team (IRT)
   C. CSIRT Goals and Strategy
   D. CSIRT Vision
   E. Common Names of CSIRT
   F. CSIRT Mission Statement
   G. CSIRT Constituency
   H. CSIRT Place in the Organization
   I. CSIRT Relationship with Peers
   J. Types of CSIRT Environments
   K. Best Practices for creating a CSIRT
      1. Step 1: Obtain Management Support and Buy-in
      2. Step 2: Determine the CSIRT Development Strategic Plan
      3. Step 3: Gather Relevant Information
      4. Step 4: Design your CSIRT Vision
      5. Step 5: Communicate the CSIRT Vision
      6. Step 6: Begin CSIRT Implementation
      7. Step 7: Announce the CSIRT
      8. Step 8: Evaluate CSIRT Effectiveness
   L. Role of CSIRTs
   M. Roles in an Incident Response Team
   N. CSIRT Services
      1. Reactive Services
      2. Proactive Services
      3. Security Quality Management Services
   O. CSIRT Policies and Procedures
      1. Attributes
      2. Content
      3. Validity
      4. Implementation, Maintenance and Enforcement
   P. How CSIRT Handles a Case
   Q. CSIRT Incident Report Form
   R. Incident Tracking and Reporting Systems
      1. Application for Incident Response Teams (AIRT)
      2. BMC Remedy Action Request System
      3. PGP Desktop Email
      4. The GNU Privacy Guard (GnuPG)
      5. Listserv
   S. CERT
   T. CERT-CC
   U. CERT(R) Coordination Center: Incident Reporting Form
   V. CERT:OCTAVE
      1. OCTAVE Method
      2. OCTAVE-S
      3. OCTAVE Allegro
   W. World CERTs
      1. Australia CERT (AUSCERT)
      2. Hong Kong CERT (HKCERT/CC)
      3. Indonesian CSIRT (ID-CERT)
      4. Japan CERT-CC (JPCERT/CC)
      5. Malaysian CERT (MyCERT)
      6. Pakistan CERT (PakCERT)
      7. Singapore CERT (SingCERT)
      8. Taiwan CERT (TWCERT)
      9. China CERT (CNCERT/CC)
      10. Government Forum of Incident Response and Security Teams (GFIRST)
      11. Canadian CERT
      12. Forum of Incident Response and Security Teams
      13. CAIS/RNP
      14. NIC BR Security Office Brazilian CERT
      15. EuroCERT
      16. FUNET CERT
      17. SURFnet-CERT
      18. DFN-CERT
      19. JANET-CERT
      20. CERT POLSKA
      21. Swiss Academic and Research Network CERT
   X. http://www.first.org/about/organization/teams/
   Y. http://www.apcert.org/about/structure/members.html
   Z. IRTs around the World

V. Handling Network Security Incidents
   A. Denial-of-Service Incidents
   B. Distributed Denial-of-Service Attack
   C. Detecting DoS Attack
   D. Incident Handling Preparation for DoS
      1. DoS Response Strategies
      2. Preventing a DoS Incident
      3. Following the Containment Strategy to Stop DoS
   E. Unauthorized Access Incident
      1. Detecting Unauthorized Access Incident
      2. Incident Handling Preparation
      3. Incident Prevention
      4. Following the Containment Strategy to Stop Unauthorized Access
      5. Eradication and Recovery
      6. Recommendations
   F. Inappropriate Usage Incidents
      1. Detecting the Inappropriate Usage Incidents
      2. Incident Handling Preparation
      3. Incident Prevention
      4. Recommendations
   G. Multiple Component Incidents
      1. Preparation for Multiple Component Incidents
      2. Following the Containment Strategy to Stop Multiple Component Incidents
      3. Recommendations
   H. Network Traffic Monitoring Tools
      1. Ntop
      2. EtherApe
      3. Ngrep
      4. SolarWinds: Orion NetFlow Traffic Analyzer
      5. Nagios: op5 Monitor
      6. CyberCop Scanner
   I. Network Auditing Tools
      1. Nessus
      2. Security Administrator’s Integrated Network Tool (SAINT)
      3. Security Auditor’s Research Assistant (SARA)
      4. Nmap
      5. Netcat
      6. Wireshark
      7. Argus - Audit Record Generation and Utilization System
      8. Snort
   J. Network Protection Tools
      1. Iptables
      2. Proventia Network Intrusion Prevention System (IPS)
      3. NetDetector
      4. TigerGuard

VI. Handling Malicious Code Incidents
   A. Count of Malware Samples
   B. Virus
   C. Worms
   D. Trojans and Spywares
   E. Incident Handling Preparation
   F. Incident Prevention
   G. Detection of Malicious Code
   H. Containment Strategy
   I. Evidence Gathering and Handling
   J. Eradication and Recovery
   K. Recommendations
   L. Antivirus Systems
      1. Symantec: Norton AntiVirus 2009
      2. Kaspersky Anti-Virus 2010
      3. AVG Anti-Virus
      4. McAfee VirusScan Plus
      5. BitDefender Antivirus 2009
      6. F-Secure Anti-Virus 2009
      7. Trend Micro AntiVirus plus AntiSpyware 2009
      8. HijackThis
      9. Tripwire Enterprise
      10. Stinger

VII. Handling Insider Threats
   A. Insider Threats
   B. Anatomy of an Insider Attack
   C. Insider Risk Matrix
   D. Insider Threats Detection
   E. Insider Threats Response
   F. Insider’s Incident Response Plan
   G. Guidelines for Detecting and Preventing Insider Threats
      1. Human Resources
      2. Network Security
      3. Access Controls
      4. Security Awareness Program
      5. Administrators and Privileged Users
      6. Backups
      7. Audit Trails and Log Monitoring
   H. Employee Monitoring Tools
      1. Activity Monitor
      2. Net Spy Pro
      3. Spector Pro
      4. SpyAgent
      5. Handy Keylogger
      6. Anti Keylogger
      7. Actual Spy
      8. IamBigBrother
      9. 007 Spy Software
      10. SpyBuddy
      11. SoftActivity Keylogger
      12. Elite Keylogger
      13. Spy Sweeper

VIII. Forensic Analysis and Incident Response
   A. Computer Forensics
   B. Objectives of Forensics Analysis
   C. Role of Forensics Analysis in Incident Response
   D. Forensic Readiness
   E. Forensic Readiness and Business Continuity
   F. Types of Computer Forensics
   G. Computer Forensic Investigator
   H. People Involved in Computer Forensics
   I. Computer Forensics Process
   J. Digital Evidence
   K. Characteristics of Digital Evidence
   L. Collecting Electronic Evidence
   M. Challenging Aspects of Digital Evidence
   N. Forensic Policy
   O. Forensics in the Information System Life Cycle
   P. Forensic Analysis Guidelines
   Q. Forensics Analysis Tools
      1. Helix
      2. Tools Present in Helix CD for Windows Forensics
      3. Windows Forensic Toolchest
      4. Knoppix Linux
      5. The Coroner’s Toolkit (TCT)
      6. EnCase Forensic
      7. THE FARMER’S BOOT CD (FBCD)
      8. DumpReg
      9. DumpSec
      10. DumpEvt
      11. Foundstone Forensic ToolKit
      12. Sysinternals Suite
      13. SLOOKUP
      14. dig – DNS Lookup Utility
      15. Whois
      16. VisualRoute
      17. Netstat Command
      18. Linux: DD Command
      19. Linux: Find Command
      20. Linux: Arp Command
      21. Linux: ps, ls, lsof, and ifconfig Commands
      22. Linux: Top Command
      23. Linux: Grep Command
      24. Linux: Strings Command

IX. Incident Reporting
   A. Incident Reporting
   B. Why to Report an Incident
   C. Why Organizations do not Report Computer Crimes
   D. Whom to Report an Incident
   E. How to Report an Incident
   F. Details to be Reported
   G. Preliminary Information Security Incident Reporting Form
   H. CERT Incident Reference Numbers
   I. Contact Information
      1. Sample Report Showing Contact Information
   J. Summary of Hosts Involved
      1. Sample Report Showing Summary of Hosts Involved
   K. Description of the Activity
      1. Sample Report Showing Description of the Activity
   L. Log Extracts Showing the Activity
      1. Example Showing the Log Extracts of an Activity
   M. Time Zone
   N. Federal Agency Incident Categories
   O. Organizations to Report Computer Incident
      1. United State Internet Crime Task Force
      2. Internet Crime Complaint Center (IC3)
      3. Computer Crime & Intellectual Property Section
      4. Internet Watch Foundation (IWF)
   P. Incident Reporting Guidelines
   Q. Sample Incident Reporting Form
   R. Sample Post Incident Report Form

X. Incident Recovery
   A. Incident Recovery
   B. Principles of Incident Recovery
   C. Incident Recovery Steps
   D. Contingency/Continuity of Operations Planning
   E. Business Continuity Planning
   F. Incident Recovery Plan
   G. Incident Recovery Planning Process
      1. Incident Recovery Planning Team
      2. Business Impact Analysis
      3. Incident Recovery Plan Implementation
      4. Incident Recovery Training
      5. Incident Recovery Testing

XI. Security Policies and Laws
   A. Security Policy
   B. Key Elements of Security Policy
   C. Goals of a Security Policy
   D. Characteristics of a Security Policy
   E. Design of Security Policy
   F. Implementing Security Policies
   G. Acceptable Use Policy (AUP)
   H. Access Control Policy
      1. Sample Access Control Policy
      2. Importance of Access Control Policies
   I. Asset Control Policy
   J. Audit Trail Policy
      1. Sample Audit Trail Policy 1
      2. Importance of Audit Trail Policy
   K. Logging Policy
      1. Importance of Logging Policies
   L. Documentation Policy
   M. Evidence Collection Policy
   N. Evidence Preservation Policy
   O. Information Security Policy
      1. Information Security Policy: University of California
      2. Information Security Policy: Pearce & Pearce, Inc.
      3. Importance of Information Security Policy
   P. National Information Assurance Certification & Accreditation Process (NIACAP) Policy
      1. Importance of NIACAP Policy
   Q. Physical Security Policy
      1. Sample Physical Security Policy 1
      2. Sample Physical Security Policy 2
      3. Importance of Physical Security Policies
   R. Physical Security Guidelines
   S. Personnel Security Policies & Guidance
   T. Law and Incident Handling
      1. Role of Law in Incident Handling
      2. Legal Issues When Dealing With an Incident
      3. Law Enforcement Agencies
   U. Laws and Acts
      1. Searching and Seizing Computers without a Warrant
      2. § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving
      3. Computers: General Principles
      4. § A.4: Private Searches
      5. The Privacy Protection Act
      6. Federal Information Security Management Act (FISMA)
      7. Mexico
      8. Brazilian Laws
      9. Canadian Laws
      10. United Kingdom’s Laws
      11. Belgium Laws
      12. German Laws
      13. Italian Laws
      14. Cybercrime Act 2001
      15. Information Technology Act
      16. Singapore Laws
      17. Sarbanes-Oxley Act
      18. Social Security Act
      19. Gramm-Leach-Bliley Act
      20. Health Insurance Portability and Accountability Act (HIPAA)
   V. Intellectual Property Laws
      1. Intellectual Property
      2. US Laws for Trademarks and Copyright
      3. Australia Laws For Trademarks and Copyright
      4. UK Laws for Trademarks and Copyright
      5. China Laws for Trademarks and Copyright
      6. Indian Laws for Trademarks and Copyright
      7. Japanese Laws for Trademarks and Copyright
      8. Canada Laws for Trademarks and Copyright
      9. South African Laws for Trademarks and Copyright
      10. South Korean Laws for Trademarks and Copyright
      11. Belgium Laws for Trademarks and Copyright
      12. Hong Kong Laws for Intellectual Property