Well, it’s that time again.
Time to tackle yet another certification. The last certification I took was the GIAC
GSEC which was chronicled in depth in a previous journal. In that post, I went over briefly on the idea
of are certifications worth it to someone.
After the GIAC experience I had last year, I couldn’t wait to get back
into the saddle and conquer another GIAC class.
This time, a co-worker and I were approved to take on the GIAC GCIA training
and exam. What follows is another
adventure into the wonderful world of SANS.
You mean I get to travel?!
The last time I was able to go to a SANS event, it was held
locally. By locally, I mean in my state
of residence, Texas. Roughly translated,
a little over 250 miles. This time I was
approved for some major travel expenses, which made me feel all warm and
fuzzy. This year I was able to go to the
SANS conference in Reston, VA. One
hassle free Virgin Airlines ride and we got on our way! This was my first time in Virginia. My trusty co-worker and I made our way to the
hotel and checked into our rooms ready to wake up, get badged up, and submit
our lives to the one and only Mike Poor.
I blame Mike Poor!
Upon entering the classroom, our awesome facilitator handed
us our bag of books, which was different from my first time at a SANS
conference where we received our books at check-in, and made our way to our
seats. We picked them strategically… you
know, not at the very back, but not first row.
Others made their way in and filled the seats. You could just feel the aura of nerd
permeating through the rows of tables.
Finally the class started and we were introduced to the man, the myth,
the legend, Mike Poor. Many have said Red Bull runs
through this man’s veins. I’m not sure
if that’s true, but the energy drink company may sponsor this guy due to the
amount of cans he went through during the week.
Although he may not have visual wings, this man is high-powered octane
and will keep you engaged.
Like the GSEC and, I assume, any other SANS class, we went
one book a day. This material was very
new to me. Day one I kept up and
understood the majority since it was a lot of TCP/IP concepts and also included
IPv6. Day two was slightly different but
I held on. It wasn’t so much of lack of
understanding, more so than lack of sleep which kicked in the last hour or so
of class. Day three is where I started
getting “deer-in-headlight” face when the topic of IDS/IPS evasion and other
traffic analysis topics came up towards the latter half of the day. The workbook definitely filled in the gaps
and solidified the concepts covered in class. Day four… what can I say about
day four? It was the best of times. It was the worst of times. We were introduced to Snort and Bro. In the past, I was introduced to these two
tools, but never got to play with them in their full capacity. Each package went over their own operational
lifecycle, so by the time you got to the end of Snort, it was like Mike hit the
repeat button but it was all for Bro.
That was morale crushing.
Necessary in the grand scheme of things, but my mind just did not want
to get back in the game after half time.
But wait! Didn’t you say it was the best of times? Sure, but let’s take a step back for a moment
and go over a topic I find unbelievably valuable at these conferences;
SANS@Night. These are bonus sessions in
which the instructors give an hour long talk about a certain topic. When I did the GSEC class, I found myself at
these talks every night. Up until day
four, I was in the room as well. What
stopped me from going on night four?
Mike Poor. He invited my
co-worker and me to go eat at a Korean BBQ place somewhere in the area. Let me be the first to say, when you are
invited to go to dinner with a minimum of five SANS instructors, you go. The evening was an epic event that will not
soon be forgotten. However, co-worker
and I had to cut our invite short since it was getting way too late. The rest of the party were out until sometime
the following morning. I can only speak
for myself, but I was destroyed and had to depend on sugar and caffeine to get
me through the next day. For this, I
blame Mike Poor. What is most
impressive, Poor came to the class and didn’t skip a beat. He taught the class with the same intensity
he had the past few days. That man is a
beast or part cyborg!
The last couple of days went off without a hitch. I must say I was confused on a lot of the
material but picked it up with the included workbook exercises. The final day came forcing all of us to
utilize the skills we all gathered throughout the week to recount the steps a
nefarious hacker took within a honeypot.
This was a very exciting exercise as we were split up in teams and
divided the tasks among individuals. I
was not expecting much in the area of results from my area since everyone else
seemed way more experienced than me, but surprisingly enough I nailed my
portion of the investigation including finding a photo of the perpetrator with
some Google-fu.
Ugh… Indexing… Again
Indexing? Do I really have to? In short, yes. Much like the GSEC experience, you get a ton
of pages with no way of knowing where anything is which necessitates the need
for an index. However the biggest
difference between GSEC and GCIA is the amount of topics covered. Whereas GSEC is a broad spectrum of
information security knowledge, GCIA is more focused on a specific set of
concepts, tools, and commands. Because
of this, your index will be significantly smaller than GSEC.
My previous experience in indexing really helped out. But I
deviated in my study method. I went
through each book and took meticulous notes by hand in a spiral first. That’s right. I went through the books twice. In hindsight, I feel I could have done this
study portion without this first step.
But I can’t say it hurt. I am
able to maintain knowledge better if I write stuff out by hand rather than
blindly typing stuff into a Word or Excel document. It’s just the way I work.
Round two of hitting the books included indexing which was
not as detailed as my first phase notes, nor my GSEC index. But I did get the main sections I included in
my GSEC version (Book Index, Tools, Commands, References). I added header charts I found over at
nmap.org and a hex, dec, bin chart that definitely helps making quick work of
conversions found in those practice exams.
Am I Ready?
GIAC gives you two practice exams to see if you are on
target. My first practice exam emulated
my GSEC experience. The biggest
difference was how often I used material to double check my work. I hardly found myself reaching for the index
or books. This can be a very good
thing. For the first half, I was hitting
a solid 90+% score. But something
happened. Mental fatigue and wanting to
figure out what I was going to do later that evening. The increase of bone head mistakes and just
wanting this to be done dropped my score.
I passed, but I learned a ton about the necessity of maintaining
concentration. I also found areas I needed
more work in such as DNS and strangely Wireshark fundamentals (I think this is
due to the aforementioned distractions).
The second practice exam was better, as you’d expect. But that damn DNS category still got me. I did get five stars on Wireshark (At least
the embarrassment of that went away). Other
than that one aspect, I pretty much got it.
I’ll go ahead and schedule the exam and let you know how it goes in the
next section.
It’s Time
So in the last section, I left off with two practice exams
down and this feeling of just wanting to get this over with. I scheduled a week out at my testing facility
of choice. DNS was a weak spot for both
practice exams so I had that nagging me all week and I really concentrated on trying
to that sorted. Two days before the exam
I felt I was ready and didn’t want to study any more. I just couldn’t force myself to get those
books out again. I took the days off
despite my wife’s words of wisdom.
Something about locking me out of the house if I failed the exam because
I didn’t study those two days. The night
before I went through the books again and firmed up the loose ends I had. Before I went to sleep, I made sure I put all
the material I was to bring in the bag from the SANS convention I got back in
Reston, VA. I had dreams of the
exam. Yes, I was the paranoid about
it. Oddly enough, it wasn’t about taking
the exam, it was about missing my scheduled time and not even getting to sit
for the thing! I woke up the next
morning groggy. In addition to the
horrible dream, my dog found her way on to my pillow and a canine tail was
laying on my face. Looking at the clock,
I realized I had overslept but only by about 30 minutes. Definitely enough time to get to the testing
facility.
So with all the worry about waking up late and the traffic
due to construction, I get to the facility 2 hours early. The people there know me and consider me an
expert tester (mainly due to the certs you obtain through WGU). They were nice enough to just put me in the
hot seat immediately. The first few
questions did not phase me. Then the
DNSish questions came…. I plowed through them.
Around a quarter into the exam, I was hitting 90+ on the accumulated
score. I think I’m going to be able to
get this thing done without issue! Or at
least that is what I thought. Half way,
I’m down to 83%. I wouldn’t say panic
hit me, more than disappointment. I took
my break and regrouped. Went outside
with one of the proctors and walked around a bit. Warmed up too; it’s cold in that room! Getting back to the test, I fought through
that thing and stayed pretty consistent.
In the end I ended up with an 84%.
Not too bad keeping that score and not dipping below the lowest
checkpoint score of 83.
Your Thoughts?
I’ll be the first to say, this exam is a definite
challenge. The practice exams provided
seem to be exam preps for the Sec503, not the actual exam. What do I mean by that? I feel the actual exam seemed to be more
targeted/focused instead of the “relaxed” content of the practice exams. I can’t get into too much detail due to NDA,
but details matter in this exam.
Overall, this was a great experience and welcome anyone who is willing
to give it a shot.