
ECIH: EC-Council Certified Incident Handler

Course ID #: 1275-245-ZZ-W
Hours: 14

Course Content
Course Description:
The EC-Council Certified Incident Handler program is designed to provide the fundamental skills to
handle and respond to the computer security incidents in an information system. The course
addresses various underlying principles and techniques for detecting and responding to current and
emerging computer security threats. Students will learn how to handle various types of incidents,
risk assessment methodologies, and various laws and policy related to incident handling.

At Course Completion:
After completing this course, students will be able to:
• Create incident handling and response policies
• Deal with various types of computer security
• Be proficient in handling and responding to various security incidents such as network security incidents, malicious code incidents, and insider attack threats

Target Student:
This course will significantly benefit incident handlers, risk assessment administrators, penetration testers, cyber forensic investigators, vulnerability assessment auditors, system administrators, system engineers, firewall administrators, network managers, IT managers, IT professionals, and anyone who is interested in incident handling and response.

Prerequisites:
N/A

Topics:

Module 01: Introduction to Incident Response and Handling
• Cyber Incident Statistics
• Computer Security Incident
• Information As Business Asset
• Data Classification
• Common Terminologies
• Information Warfare
• Key Concepts Of Information Security
• Vulnerability, Threat, And Attack
• Types Of Computer Security Incidents
• Examples Of Computer Security Incidents
• Verizon Data Breach Investigations Report – 2008
• Incidents That Required The Execution Of Disaster Recovery Plans
• Signs Of An Incident
• Incident Categories
  o Incident Categories: Low Level
  o Incident Categories: Middle Level
  o Incident Categories: High Level
• Incident Prioritization
• Incident Response
• Incident Handling
• Use Of Disaster Recovery Technologies
• Impact Of Virtualization On Incident Response And Handling
• Estimating Cost Of An Incident
• Key Findings Of Symantec Global Disaster Recovery Survey – 2009
• Incident Reporting
• Incident Reporting Organizations
• Vulnerability Resources

Module 02: Risk Assessment
• Risk
• Risk Policy
• Risk Assessment
• NIST’s Risk Assessment Methodology
  o Step 1: System Characterization
  o Step 2: Threats Identification
  o Step 3: Identify Vulnerabilities
  o Step 4: Control Analysis
  o Step 5: Likelihood Determination
  o Step 6: Impact Analysis
  o Step 7: Risk Determination
  o Step 8: Control Recommendations
  o Step 9: Results Documentation
• Steps To Assess Risks At A Workplace
  o Step 1: Identify Hazard
  o Step 2: Determine Who Will Be Harmed And How
  o Step 3: Analyze Risks And Check For Precautions
  o Step 4: Implement Results Of Risk Assessment
  o Step 5: Review Risk Assessment
• Risk Analysis
  o Need For Risk Analysis
  o Risk Analysis: Approach
• Risk Mitigation
  o Risk Mitigation Strategies
• Cost/Benefit Analysis
• NIST Approach For Control Implementation
• Residual Risk
• Risk Management Tools
  o CRAMM
  o Acuity STREAM
  o Callio Secura 17799
  o EAR/Pilar

Module 03: Incident Response and Handling Steps
• How To Identify An Incident
• Handling Incidents
• Need For Incident Response
• Goals Of Incident Response
• Incident Response Plan
  o Purpose Of Incident Response Plan
  o Requirements Of Incident Response Plan
  o Preparation
• Incident Response And Handling Steps
  o Step 1: Identification
  o Step 2: Incident Recording
  o Step 3: Initial Response
  o Step 4: Communicating The Incident
  o Step 5: Containment
  o Step 6: Formulating A Response Strategy
  o Step 7: Incident Classification
  o Step 8: Incident Investigation
  o Step 9: Data Collection
  o Step 10: Forensic Analysis
  o Step 11: Evidence Protection
  o Step 12: Notify External Agencies
  o Step 13: Eradication
  o Step 14: Systems Recovery
  o Step 15: Incident Documentation
  o Step 16: Incident Damage And Cost Assessment
  o Step 17: Review And Update The Response Policies
• Training And Awareness
• Security Awareness And Training Checklist
• Incident Management
  o Purpose Of Incident Management
  o Incident Management Process
  o Incident Management Team
• Incident Response Team
  o Incident Response Team Members
  o Incident Response Team Members Roles And Responsibilities
  o Developing Skills In Incident Response Personnel
  o Incident Response Team Structure
  o Incident Response Team Dependencies
  o Incident Response Team Services
• Defining The Relationship Between Incident Response, Incident Handling, And Incident Management
• Incident Response Best Practices
• Incident Response Policy
• Incident Response Plan Checklist
• Incident Handling System: RTIR
• RPIER 1st Responder Framework

Module 04: CSIRT
• What Is CSIRT?
• What Is The Need Of An Incident Response Team (IRT)
• CSIRT Goals And Strategy
• CSIRT Vision
• Common Names Of CSIRT
• CSIRT Mission Statement
• CSIRT Constituency
• CSIRT Place In The Organization
• CSIRT Relationship With Peers
• Types Of CSIRT Environments
• Best Practices For Creating A CSIRT
  o Step 1: Obtain Management Support And Buy-In
  o Step 2: Determine The CSIRT Development Strategic Plan
  o Step 3: Gather Relevant Information
  o Step 4: Design Your CSIRT Vision
  o Step 5: Communicate The CSIRT Vision
  o Step 6: Begin CSIRT Implementation
  o Step 7: Announce The CSIRT
  o Step 8: Evaluate CSIRT Effectiveness
• Role Of CSIRTs
• Roles In An Incident Response Team
• CSIRT Services
  o Reactive Services
  o Proactive Services
  o Security Quality Management Services
• CSIRT Policies And Procedures
  o Attributes
  o Content
  o Validity
  o Implementation, Maintenance, And Enforcement
• How CSIRT Handles A Case
• CSIRT Incident Report Form
• Incident Tracking And Reporting Systems
  o Application For Incident Response Teams (IRT)
  o BMC Remedy Action Request System
  o PGP Desktop Email
  o The GNU Privacy Guard (GnuPG)
  o Listserv
• CERT
• CERT-CC
• CERT® Coordination Center: Incident Reporting Form
• CERT: OCTAVE
  o OCTAVE Method
  o OCTAVE-S
  o OCTAVE Allegro
• World CERTs
  o Australia CERT (AUSCERT)
  o Hong Kong CERT (HKCERT/CC)
  o Indonesian CSIRT (ID-CERT)
  o Japan CERT-CC (JPCERT/CC)
  o Malaysian CERT (MyCERT)
  o Pakistan CERT (PakCERT)
  o Singapore CERT (SingCERT)
  o Taiwan CERT (TWCERT)
  o China CERT (CNCERT/CC)
  o US-CERT
  o Government Forum Of Incident Response And Security Teams (GFIRST)
  o Canadian CERT
  o Forum Of Incident Response And Security Teams
  o CAIS/RNP
  o NIC BR Security Office Brazilian CERT
  o Eurocert
  o FUNET CERT
  o SURFnet-CERT
  o DEN-CERT
  o JANET-CERT
  o CERT POLSKA
  o Swiss Academic And Research Network CERT
  o http://www.first.org/about/organization/teams/
  o http://www.apcert.org/about/structure/members.html
  o IRTs Around The World

Module 05: Handling Network Security Incidents
• Denial-Of-Service Incidents
• Distributed Denial-Of-Service Attack
• Detecting DoS Attack
• Incident Handling Preparation For DoS
  o DoS Response Strategies
  o Preventing A DoS Incident
  o Following The Containment Strategy To Stop DoS
• Unauthorized Access Incident
  o Detecting Unauthorized Access Incident
  o Incident Handling Preparation
  o Incident Prevention
  o Following The Containment Strategy To Stop Unauthorized Access
  o Eradication And Recovery
  o Recommendations
• Inappropriate Usage Incidents
  o Detecting The Inappropriate Usage Incidents
  o Incident Handling Preparation
  o Incident Prevention
  o Recommendations
• Multiple Component Incidents
  o Preparation For Multiple Component Incidents
  o Following The Containment Strategy To Stop Multiple Component Incidents
  o Recommendations
• Network Traffic Monitoring Tools
  o ntop
  o EtherApe
  o ngrep
  o SolarWinds: Orion NetFlow Traffic Analyzer
  o Nagios: op5 Monitor
  o CyberCop Scanner
• Network Auditing Tools
  o Nessus
  o Security Administrator’s Integrated Network Tool (SAINT)
  o Security Auditor’s Research Assistant (SARA)
  o Nmap
  o Netcat
  o Wireshark
  o Argus – Audit Record Generation And Utilization System
  o Snort
• Network Protection Tools
  o iptables
  o Proventia Network Intrusion Prevention System (IPS)
  o NetDetector
  o Tigerguard

Module 06: Handling Malicious Code Incidents
• Count Of Malware Samples
• Virus
• Worms
• Trojans And Spyware
• Incident Handling Preparation
• Incident Prevention
• Detection Of Malicious Code
• Containment Strategy
• Evidence Gathering And Handling
• Eradication And Recovery
• Recommendations
• Antivirus Systems
  o Symantec: Norton Antivirus 2009
  o Kaspersky Anti-Virus 2010
  o AVG Anti-Virus
  o McAfee VirusScan Plus
  o BitDefender Antivirus 2009
  o Trend Micro Antivirus Plus Antispyware 2009
  o HijackThis
  o Tripwire Enterprise
  o Stinger

Module 07: Handling Insider Threats
• Insider Threats
• Anatomy Of An Insider Attack
• Insider Risk Matrix
• Insider Threats Detection
• Insider Threats Response
• Insider’s Incident Response Plan
• Guidelines For Detecting And Preventing Insider Threats
  o Human Resources
  o Network Security
  o Access Controls
  o Security Awareness Program
  o Administrators And Privileged Users
  o Backups
  o Audit Trails And Log Monitoring
• Employee Monitoring Tools
  o Activity Monitor
  o Net Spy Pro
  o Spector Pro
  o SpyAgent
  o Handy Keylogger
  o Ani Keylogger
  o Actual Spy
  o IamBigBrother
  o 007 Spy Software
  o SpyBuddy
  o SoftActivity Keylogger
  o Elite Keylogger
  o Spy Sweeper

Module 08: Forensic Analysis and Incident Response
• Computer Forensics
• Objectives Of Forensics Analysis
• Role Of Forensics Analysis In Incident Response
• Forensic Readiness
• Forensic Readiness And Business Continuity
• Types Of Computer Forensics
• Computer Forensic Investigator
• People Involved In Computer Forensics
• Computer Forensics Process
• Digital Evidence
• Characteristics Of Digital Evidence
• Collecting Electronic Evidence
• Challenging Aspects Of Digital Evidence
• Forensic Policy
• Forensics In The Information System Life Cycle
• Forensic Analysis Guidelines
• Forensics Analysis Tools
  o Helix
    - Tools Present In Helix CD For Windows Forensics
  o Windows Forensic Toolchest
  o Knoppix Linux
  o The Coroner’s Toolkit (TCT)
  o EnCase Forensic
  o The Farmer’s Boot CD (FBCD)
  o DumpReg
  o DumpSec
  o DumpEvt
  o Foundstone Forensic Toolkit
  o Sysinternals Suite
  o nslookup
  o dig – DNS Lookup Utility
  o whois
  o VisualRoute
  o netstat Command
  o Linux: dd Command
  o Linux: find Command
  o Linux: arp Command
  o Linux: ps, ls, lsof, And ifconfig Commands
  o Linux: top Command
  o Linux: grep Command
  o Linux: strings Command

Module 09: Incident Reporting
• Incident Reporting
• Why To Report An Incident
• Why Organizations Do Not Report Computer Crimes
• Whom To Report An Incident
• How To Report An Incident
• Details To Be Reported
• Preliminary Information Security Incident Reporting Form
• CERT Incident Reference Numbers
• Contact Information
  o Sample Report Showing Contact Information
• Summary Of Host Involved
  o Sample Report Showing Summary Of Host Involved
• Description Of The Activity
  o Sample Report Showing Description Of The Activity
• Log Extracts Showing The Activity
  o Example Showing The Log Extracts Of An Activity
• Time Zone
• Federal Agency Incident Categories
• Organizations To Report Computer Incident
  o United States Internet Crime Task Force
  o Internet Crime Complaint Center (IC3)
  o Computer Crime & Intellectual Property Section
  o Internet Watch Foundation (IWF)
• Incident Reporting Guidelines
• Sample Incident Reporting Form
• Sample Post Incident Report Form

Module 10: Incident Recovery
• Incident Recovery
• Principles Of Incident Recovery
• Incident Recovery Steps
• Contingency/Continuity Of Operations Planning
• Business Continuity Planning
• Incident Recovery Plan
• Incident Recovery Planning Process
  o Incident Recovery Planning Team
  o Business Impact Analysis
  o Incident Recovery Plan Implementation
  o Incident Recovery Training
  o Incident Recovery Testing

Module 11: Security Policies and Laws
• Security Policy
• Key Elements Of Security Policy
• Goals Of A Security Policy
• Characteristics Of A Security Policy
• Design Of Security Policy
• Implementing Security Policies
• Acceptable Use Policy (AUP)
• Access Control Policy
  o Sample Access Control Policy
  o Importance Of Access Control Policies
• Asset Control Policy
• Audit Trail Policy
  o Sample Audit Trail Policy 1
  o Importance Of Audit Trail Policy
• Logging Policy
  o Importance Of Logging Policies
• Documentation Policy
• Evidence Collection Policy
• Evidence Preservation Policy
• Information Security Policy
  o Information Security Policy: University Of California
  o Information Security Policy: Pearce & Pearce, Inc.
  o Importance Of Information Security Policy
• National Information Assurance Certification & Accreditation Process (NIACAP) Policy
  o Importance Of NIACAP Policy
• Physical Security Policy
  o Sample Physical Security Policy 1
  o Sample Physical Security Policy 2
  o Importance Of Physical Security Policies
• Physical Security Guidelines
• Personnel Security Policies & Guidance
• Law And Incident Handling
  o Role Of Law In Incident Handling
  o Legal Issues When Dealing With An Incident
  o Law Enforcement Agencies
• Laws And Acts
  o Searching And Seizing Computers Without A Warrant
    - A: Fourth Amendment’s “Reasonable Expectation Of Privacy” In Cases Involving Computers: General Principles
    - A.4: Private Searches
  o The Privacy Protection Act
  o Federal Information Security Management Act (FISMA)
  o Mexico
  o Brazilian Laws
  o Canadian Laws
  o United Kingdom’s Laws
  o Belgium Laws
  o German Laws
  o Italian Laws
  o Cybercrime Act 2001
  o Information Technology Act
  o Singapore Laws
  o Sarbanes-Oxley Act
  o Social Security Act
  o Gramm-Leach-Bliley Act
  o Health Insurance Portability And Accountability Act (HIPAA)
• Intellectual Property Laws
  o Intellectual Property
  o US Laws For Trademarks And Copyright
  o Australia Laws For Trademarks And Copyright
  o UK Laws For Trademarks And Copyright
  o China Laws For Trademarks And Copyright
  o Indian Laws For Trademarks And Copyright
  o Japanese Laws For Trademarks And Copyright
  o Canada Laws For Trademarks And Copyright
  o South African Laws For Trademarks And Copyright
  o South Korean Laws For Trademarks And Copyright
  o Belgium Laws For Trademarks And Copyright
  o Hong Kong Laws For Intellectual Property

www.tcworkshop.com 800.639.3535