My Experience with the GIAC GSEC Exam

What do you do when you decide to take an IT certification exam? What path are you going to head down first? How long should this endeavor take? What books or video prep classes should you invest in? All these questions go through our minds when we take that first step into the realm of certification. Since everyone learns differently, there is no silver bullet when it comes to taking exams. Anyone who has gone through any sort of exam experience, whether it be a mid-term, SAT, or IT certifications, should by now really understand how they learn the best. What I’m going to give you is my experience and what I did to prepare for the GSEC exam.

Collecting certs is to become
a Pokemon Master!

I am the Ultimate Pokemon Collector

My first step was really to decide whether or not the GSEC exam would benefit me in the long run. It may sound silly to even ask this question. But in the world of IT certifications, you must really take into consideration the return on investment. A friend of mine, Ike, and I joked around with the notion of certifications becoming like the characters from Pokemon, “gotta collect them all.” There are so many out there and trying to do this to become the ultimate Pokemon collector is just not feasible, nor financially responsible (even if someone else is paying). I decided that the GSEC exam would be a good ROI for me as I am retooling my skillset from a help desk/system admin role to a security centric role. I have always been interested in aspects of security, but it never really fit into my job description. I figured I should change the job description and this would be a great place to start.

The Doctor Will See You Now

After deciding I’d like to attempt the exam, I researched what the exam is all about. People said it was a good supplement to the CompTIA Security+ exam, which I got when going through Western Governors University. If you are reading this, you may have also read that attending the SANS Security Essentials 401 class is a must. While this is not technically true, you can do a challenge attempt, it is highly recommended. I attended a SANS event in Austin, TX. I chose this one specifically for the fact that the man, myth, and legend, Dr. Eric Cole would be teaching the SEC401 class. Dr. Cole is the creator of the course and definitely knows his stuff. Unfortunately Dr. Cole would not be joining us the length of the class as he was inducted into the Infosecurity Europe Hall of Fame. He did, however, make the flight back from Europe to finish out the class. This dude is dedicated to everything he does. While he was away fighting fatigue by drinking frightening amounts of RedBull, Keith Palmgren took the reins and guided the class through the SIX BOOKS we received on the first day.

A gallon a day, keeps fatigue at bay.

Yes, for one week, we went through a book a day. I was mentally exhausted by day four. This is where I have to thank my personal sponsors, caffeine and sugar. Those two guys got me through the last couple days. But I digress. You need mental stamina to continue to write down notes and glean gems of information the instructor gives you. The books are excellent material, but the real world stories you are told not only reinforce the book material, but gives ideas on what could be implemented at your current job. This is where the SANS events shine. I was able to bundle the OnDemand and get the self-study MP3s. The advice here is the same: Take as many notes as you can. The OnDemand option has a nice feature of small quizzes at the end of each section to reinforce what you learned. If you are doing purely OnDemand, do NOT skip out on lecture and go straight to the quizzes. You WILL miss material and won’t get all the information you need.

So you have gone through a SANS event in person or via vLive, did OnDemand training, or did the self-study option. What now? Read the books. You might not think you’d need to read every word after listening to or watching lectures, but this would really put a hurt on your final outcome. You will find details you missed, but that’s ok you’re going to find those details. You are now in the midst of the longest part of the process. Making the Index.

On Indexing and Losing Your Social Life

You may ask, why in the world do I need an index? Well, the GIAC GSEC exam is open book. Remember back to the first day you took your SANS course? You received a big heavy bag of books that gives a wide range of information ranging from physical security to annual loss expectancy. Each of those books are heavy in information, but unfortunately light on either a table of contents or an index. If you are like the 99% of us who can’t recall what is on page 132 of book 3 in seconds, take a deep breath and realize your social life is on hold until you fix that void in your study plans by making The Index. Just like me, you will find any and every excuse to want to stop making the index. Persevere and you will be rewarded. I promise.

People on forums will tell you that an index that is greater than 50 pages is too much and you learned too little. Others, like me, will tell you that your index needs to be as long as your index needs to be. My initial index is 74 pages long. After taking a practice test, I know I need to add more details (more on this later). Basically what I did was go page by page creating an index of term, book, page number, and detail using an Excel spreadsheet. The following is a rough sample of what I created:

Term	BK	Page #	Info
%systemroot%\system32\drivers\etc\hosts	1	67	Location of Hosts file in Windows
/etc/hosts	1	57	Location of hosts file in Linux
ACEs	5	91	Individual permissions in the DACL.

I had my index spiral bound for added geek cred.

The index needs to be detailed. The information cells I’ve included here do not match exactly what I have in my index since I don’t want to deal with copyright issues with SANS. But the more information you put here is less time you’ll flip through your book, skim the paragraph, and find your answer if you’ve forgotten some fact or just want to double check your answer. List a term, put in the book number, page number, and the definition word for word in the detail/info section. This is time consuming but will pay off come test time. Another bit of advice here is to not make your entries too long. Break up your entries into smaller portions. For example, I have three rows for HIDS alone, then one row each for HIDS – Advantages, HIDS – Challenges, and HIDS – Developments.

Commands were color coded
depending on OS.

Another tip you may want to incorporate is to have a separate section in your index for just commands, tools, and misc/bonus material. My index includes five sections: The SANS SEC401 Books 1-6, Commands Index, Tools Index, Bonus Material, and Glossary of Terms/Acronyms. I chose to include the glossary even though it is in the back of book six for the fact that I do not want to be flipping books too much during the test. Each of these sections are divided off with labeled tabs for easy acquisition. The commands and tools are in the same format as the book index; four columns, term, book, page, and info. The bonus materials include the SANS TCP/IP and tcpdump reference guide, two styles of subnetting charts, and an IPv6 reference guide. Update: The price for having this index spiral bound at a professional store made me rethink the glossary. That section has been replaced with the Bonus Material section being broken down into subnetting reference and the tcpdump guide.

Indexed and Ready… Right?

Hold on there cowboy (or girl). The index is finally complete. Take a day or two to recompose yourself. In other words, bathe. Before you go off to your testing facility, remember that SANS gives you two practice exams to try out before you attempt the actual exam. Some of the SANS instructors tell you to take one of those practice exams soon after the class or self-study is finished. I knew before attending the SANS event in Austin, I wanted to use my first practice exam to refine my index, so I did not take this advice. I don’t really think this would hurt me in any way. But I don’t have any numbers of my own to back up this claim. I took the first practice exam to see how my rough draft version of my index would help me out. I got my results back and at 80% I got my answer as to how to proceed with the index. Two things were clear from this result: 1) Read the question and understand what it is asking. I had multiple questions where it asked for the false statement where I picked the true statement instead (I probably missed 6-8% because of this). 2) There were a few tools and commands out of place in the index and some terms I need to keep my eye out for during my second read through the books.

I will be taking my exam in a few weeks and will let you know how everything goes. Until then, it will be many sleepless nights. Updates will follow once this journey is complete.