SANS 504 / GCIH Review

5ekurity (Posts: 346, Member)
I completed the GCIH exam on 3/18 with a passing score of 93%. I know how helpful it is for me to read reviews of classes, so I wanted to expand upon a few things in addition to the post by Abel:

First, I attended the Ft. Lauderdale, FL class taught by Kevin Fiscus where I also got to meet abelamorales and EngRob - great guys, and it was a pleasure having class with them.

With regards to the class - I felt like a lot of people who attended the class were under the assumption that you will learn a bunch of tools and be able to start hacking right away - that is not the case. Also, some of the older tools that are used / reviewed in the class require you to lower some security thresholds otherwise enabled by default on Windows 7+ systems. There is a reason for all of this...

Coming out of the class, you should have an excellent understanding as to the techniques used by attackers against your system - not just knowing how to use a single tool in their arsenal. For example, there is a lab on Nessus and it goes into some examples for how you'd run a scan and identify vulnerabilities. It is less that you know how to use Nessus, and more that you understand the role a vulnerability scanner (i.e. substitute Nessus for Qualys, OpenVAS, Nexpose, etc.) plays in the overall attack process.

I found the labs to be valuable, especially the CTF on Day 6 where you put on your red team gear and use the tools you reviewed in class to exploit systems. I found myself wanting more of that from this class, but understanding that we've already been in class for 46+ hours in a week, it's hard to squeeze out additional in-depth labs (Hello SANS561).

Studying for the test was rather challenging for me. I was studying for the CCENT/CCNA at the time of the Ft. Lauderdale class, but I had also purchased the OnDemand to review closer to my actual testing day. After completing the CCNA at the end of February, I went full speed ahead into building my index and reviewing the GCIH materials. This being my 2nd SANS cert prep, I would watch the videos (taught by John Strand) then read / index from the book. It did get to a point where I was running low on time watching the videos, so I read and indexed most of book 5 without watching the videos. In total, my index was 12 pages back to back. I took a practice test 3 days before my actual test and scored a 90%.

On the day of the test, while my index was of course helpful, my real-world experience also benefited me greatly - particularly as it came to applying the concepts taught in class to the questions asked on the exam. I finished the exam in just over 3 hours, ate lunch, then went home and relaxed :)

Next on the list: Laying low until I complete my courses at WGU - then I'm thinking SANS560 or 408. Two different tracks, but both applicable for me. I hope this review is helpful to someone who might be on the fence about taking the class or understanding what you will get out of it. It really was a great time, and I learned a lot.


    Congrats on the pass and great score! Interesting on both 560 and 408 being applicable for you. You handle both pentesting and forensics in your job, or just interested in knowing both areas?
    Currently Working On: Python, Pentesting
    Next Up: eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python)
  • 5ekurity (Posts: 346, Member)
    Thanks :) With regards to the classes, I'm a technical manager and focus a lot on the blue team concepts / technologies. However I'm a firm believer that knowing red team activities creates a stronger blue team (red informs blue), so 560 is relevant there.

    With 408, I have an IR background (and thus familiar with many of the 408 concepts) and I leverage the investigation work I do to build stronger defenses. With this class, I'm kind of on the fence because I don't want to revisit things I already know - I guess it's the unknown unknowns that I want to make sure I address before I'd like to get into FOR508.
  • abelamorales (Posts: 54, Member)
    Congrats 5ekurity - agree with you that blue team should understand red team tactics and vice versa, it makes you better at your job.
  • EngRob (Posts: 247, Member)
    Congrats! I would go for both 408 & 508
  • cyberguypr (Senior Member, Posts: 6,723, Mod)
    Purple Team concept. It's an up and coming thing that should be the norm:
  • hilld (Posts: 42, Member)
    Congrats, I am going to be taking the SEC 504 class next month in NO. Looking forward to it. I took the MGT 512 class in December and passed the accompanying GSLC exam in Feb. I am also a technical manager and I inherited and currently manage a red (maybe even purple) team and want to gain a better understanding on the tools they use and how they apply them. I am looking forward to attending and gaining even more knowledge. You are never too old to learn.