Passed GSEC - tips for preparing for the exam

Nostromo Member Posts: 6
Hi everybody, first post here.

I recently passed GSEC, and I'd like to share my thoughts on the exam for those considering taking it or actually preparing for it.

I am a newcomer to IT security (this is my first cert), with a good background in Linux and programming (mostly numerical methods in Fortran and Python). A colleague of mine who is an experienced pentester recommended I take the SEC 401 class in order to get a good understanding of the basics; he recommended that I go in person, so I registered for the bootcamp in Brussels this January.

The class itself was fantastic and I cannot add anything to what JDMurray said here; I recommend it to anyone starting out in this field. It is physically and mentally taxing, though, so don't expect your first day at work after the class to be terribly productive.

About a week after the class, you are given the links to the recordings of the lectures (SANS doesn't send you an e-mail; they appear in your profile page, which I didn't know and was a minor source of confusion) and four months to prepare for the exam. We were expecting a son in three months, so I had to finish before the birth; there was much to do, and not much time.


  • Nostromo Member Posts: 6
    So, how does one study 1600+ pages of non-indexed information? I started with making a table of contents, which listed the title of every slide, its page number, and a summary of all its information (including any additional text) in no more than 4 sentences. I wasn't trying to remember everything, list keywords etc. but understanding, so I looked up every new word, etc. As I was studying all the material, this was the most time-consuming part, especially for Book 5 (Windows Security), which is the longest and densest of the six, and the area I am least familiar with (the best part of the course for me, BTW).

    Once I had finished the TOC, I took the first of two practice tests, to see where I stood. I had with me the course books, the TOC (unbound), and cheatsheets for port numbers, subnetting/CIDR and hex/decimal conversion. I did the exam in 2h 31m, with maybe the first two thirds in the first 1h45m. I was surprised that I did the exam practically by memory and actually used the TOC very little; what helped me was all that I had learned while building it.

    A couple of days later I started with the second document: the index that I would actually use during the real exam. I read the books a second time (third, if you count the class). This time, I stopped to write down and cross-reference everything that looked like a possible exam question. For each page, I listed the page number and all important keywords (new concepts, definitions, tools, files, Registry keys...) as entries, along with subentries that would give context. For example, a part of what I typed for the Book 4 index looked like this:

    1-54; integrity[description]
    1-55; digital signature (see: signature, digital); signature, digital[description]; signature, digital[and public-key algorithms]; asymmetric key cryptography[and digital signatures]; signature, digital[and non-repudiation]
    1-56; signature, digital[example]
    1-57; signature, digital[and non-repudiation]

    I then wrote a short Python script that parsed this list, sorted the keywords and subkeywords alphabetically, added the pertinent page numbers and built a proper index, which looked like this:

    forensic snapshot: B5 1-296
    - contents: B5 1-298
    - structuring: B5 1-297

    - virtualization uses in: B1 1-11

    - Configuration Naming Context: B5 1-41
    - data replication across: B5 1-45
    - definition: B5 1-41
    - number of Domain Admins: B5 1-103
    - schema: B5 1-41
    - trust with other forests: B5 1-44

    An advantage of this approach is that, e.g. each tool can have its own entry in the index but you can also have a separate tool sub-index if you remember to add the appropriate subentry to the "tools" keyword. Same for files, port numbers, protocols, etc. Also, you build the index sequentially, i.e. without jumping up and down an 80+ page document to write everything in alphabetic order. It's a lot less work per word, which means you can catch a lot more words.

    Doing these docs took cca. 10-12 hours per Book each, i.e. 60-65 hours for the TOC and another 50-55 for the index. Besides, I listened twice to the complete recordings in the car on my way to/from work. It was taxing but well worth the effort, IMO, because by the end I felt I understood practically every word in the course materials.

    After finishing the index I took practice exam 2. I had the same materials as before, plus the index. Finished in a bit over 3 hours with 87%. Not ideal, but I was running out of time. I bound the TOC and the index (do it!), which I would bring to the exam along with the course books and the cheatsheets mentioned above.
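
The index-building step described in the post above, as an added Python example; it is not Nostromo's script. It assumes the `page; keyword[subentry]` notation quoted in the post, and the function names, the per-book label and the exact output layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the notation quoted in the post (Book 4 pages).
SAMPLE_B4 = """\
1-54; integrity[description]
1-55; digital signature (see: signature, digital); signature, digital[description]; signature, digital[and public-key algorithms]; asymmetric key cryptography[and digital signatures]; signature, digital[and non-repudiation]
1-56; signature, digital[example]
1-57; signature, digital[and non-repudiation]
"""

# A keyword, optionally followed by [subentry] or (see: other keyword).
# Keywords may contain commas, which is why ';' is the field separator.
ENTRY = re.compile(r"^(?P<key>[^\[(]+?)\s*(?:\[(?P<sub>[^\]]*)\]|\(see:\s*(?P<see>[^)]+)\))?$")

def build_index(notes):
    """notes maps a book label (e.g. 'B4') to its raw 'page; entry; entry' lines."""
    index = defaultdict(lambda: defaultdict(list))  # keyword -> subentry -> refs
    see = defaultdict(list)                         # keyword -> cross-references
    for book, text in notes.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            page, *entries = [field.strip() for field in line.split(";")]
            for entry in filter(None, entries):
                m = ENTRY.match(entry)
                if m is None:
                    raise ValueError(f"{book} line {lineno}: bad entry {entry!r}")
                if m["see"]:
                    bucket, ref = see[m["key"]], m["see"].strip()
                else:
                    bucket, ref = index[m["key"]][m["sub"] or ""], f"{book} {page}"
                if ref not in bucket:  # same keyword noted twice for one page
                    bucket.append(ref)
    return index, see

def render(index, see):
    """Alphabetical index: one line per keyword, then '- subentry' lines."""
    lines = []
    for key in sorted(set(index) | set(see), key=str.casefold):
        subs = index.get(key, {})
        head = list(subs.get("", []))  # pages noted for the bare keyword
        if key in see:
            head.append("see " + "; ".join(see[key]))
        lines.append(f"{key}: {', '.join(head)}".rstrip())
        lines += [f"- {sub}: {', '.join(refs)}"
                  for sub, refs in sorted(subs.items(), key=lambda kv: kv[0].casefold()) if sub]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(*build_index({"B4": SAMPLE_B4})))
```

Passing several books in one `notes` dictionary merges their page references under the same keywords, and a malformed entry raises an error naming the book and line instead of being silently dropped.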
  • Nostromo Member Posts: 6
    I scheduled the real exam to take place immediately (1-2 days) after doing practice exam 2, so that the info would be as fresh as possible (a good idea, BTW; I answered several very obscure questions in the real exam from remembering similar ones during practice). I live in Slovenia, where exam centers are usually not crowded, so one can easily schedule an exam 4-5 days in advance. I chose a weekday between holidays, so that there would be few people and I could have enough space in the (small!) PearsonVue exam room. The exam stations are tiny and don't make storing books easy, so I asked for two extra chairs, which I put behind and a little to my left: one for Books 1-3, the other for Books 4-6. I put the keyboard away (you only need the mouse, mostly) and put the index in its place, right in front of me. Based on my mistakes during the practice exams, I resolved to read the question several times and understand it completely, then try to answer it without looking at the given options, and then, if any doubt at all, looking in the index. I ended up looking up about 80-90% of the questions.

    I finished after 3h 30 min, no pauses, with a whopping 96%! The index really made a difference. I got the results statement in my profile page -- no e-mails, and no printout in the test center.

    Random thoughts about the whole process:
    1. The exam IS NOT HARD. Keep this in mind. No trick questions, (almost) no ambiguity, all is straightforward. Some of the questions require digging pretty deep into the books, but almost everything is there if you know where to look. Which leads us to...

    2. You must know the books very well. The TOC helped me somewhat, but what really made a difference was the knowledge gained while *making* the TOCs. Most of the time, I either remembered the answers from writing the summaries or had a good idea of where to search by memory. I actually used the TOC much, much less than I thought I would. Know thy books (and thy cheatsheets).

    3. It seems to me that GIAC calibrates the exam so that passing at all is not difficult, but passing with a high degree is, and requires, not just understanding the material but knowing where to find specific pieces of text quickly. So if you are aiming for Advisory Board scores (90% +), make your index as detailed and cross-referenced as you possibly can.

    4. Read the questions several times, and make sure you understand them completely. Most of my wrong answers were because I was not careful enough with the very precise choice of words in the questions and answered too quickly (at the beginning I was very nervous for some strange reason, and made maybe 80% of the mistakes in the first 30 minutes). There are no trick questions, but there are a few "stop and think before embarrassing yourself" ones, to keep you alert (a good idea, BTW).

    To all prospective GIAC-ers: go ahead, the exam is not that hard and what you'll learn is well worth it. Good luck and happy studying...

  • TechGromit Member Posts: 2,156
    Just out of curiosity, what were your practice exam scores?
    Still searching for the corner in a round room.
  • Nostromo Member Posts: 6
    TechGromit wrote: »
    Just out of curiosity, what were your practice exam scores?

    Hi TechGromit,

    84% and 87%. In PE 1 I had no index; in PE2 I had it but didn't use it as much as I should have, so they got me with questions about obscure tools, precise turns of phrase in the books, etc. Having learned the lesson, in the real exam I looked up almost every question, which explains the higher score.

  • BrandonEckert Member Posts: 6
    Awesome! Congrats! I am taking mine at the end of the month.
  • TechGromit Member Posts: 2,156
    Nostromo wrote: »
    Hi TechGromit,

    84% and 87%.

    You must be smarter than me, I couldn't break 82% on both GSEC practice tests with indexes, but I ended up with an 87% on the exam. Just took my first GCIH practice test last week, scored a disappointing 76%.
    Still searching for the corner in a round room.
  • Nostromo Member Posts: 6
    Awesome! Congrats! I am taking mine at the end of the month.

    Good luck Brandon!

    - Urtzi -