SANS SEC566/GCCC

E Double U

Are there labs in this course? Curious if you are just discussing the controls or actually testing them.

Find more posts tagged with

GIAC

SANS

Comments

markmorow

I'm currently doing this class now and yes there are some labs. They are built around different tools and such that you can use to satisfy the control. For example Control 2 is Software Inventory. You run some PowerShell commands to **** out what's installed on the lab machine. They aren't all that easy but they aren't really complicated either.

E Double U

Thanks for response! My first day of SEC566 begins tomorrow.

FluffyBunny

E Double U said:

Thanks for response! My first day of SEC566 begins tomorrow.

Hang on... Are you in my group?

E Double U said:
Are there labs in this course? Curious if you are just discussing the controls or actually testing them.

To further answer the question: @markmorow has it right: there are some labs, but they are not very heavy lifting.

To summarize:

At the time of writing you will be provided with one Windows 10 Pro VM.
Yes, they do expect you to have setup VMWare on your system beforehand. Can be Player (free), Workstation/Fusion (cheapish). You could also use Parallels or VirtualBox, but in that case they tell you you're on your own; no guarantees about helping you in class.
There are roughly 15 labs, for 20 controls. As Mark pointed out, basic introductions to one or two tools for each subject. You can compare it to labs in a C|EH class: drive-by safari showing you various red/blue team tools.

E Double U

Passed GCCC today with 79% - just three weeks after completing the course. I wanted to attempt it sooner, but I had two work trips back-to-back that delayed the completion of my index. Took both practice exams the same day and got 59% on the 1st attempt (without the index) and 80% on the 2nd try (with the index).

FluffyBunny

Passed GCCC today with 79%

Congratulations! That's great work! I'm still working on my indices, but I keep getting distracted by my homelab

SecurityNoob45

E Double U said:

Passed GCCC today with 79% - just three weeks after completing the course. I wanted to attempt it sooner, but I had two work trips back-to-back that delayed the completion of my index. Took both practice exams the same day and got 59% on the 1st attempt (without the index) and 80% on the 2nd try (with the index).

How was the difficulty of the questions? where they straightforward? overall what did you think of it?

E Double U

@ Bunny - How far are you into the material?

@ Noob - The questions were very straightforward. This is my 4th GIAC exam and it was the easiest.

FluffyBunny

@ Bunny - How far are you into the material?

I'm almost through the second book. The easy part is that all five books and just about all the chapters have the same build-up, so there's a lot of recurring index words. I'm putting off going through The Big Fat Book(tm) unless I really, really have to.

As I said, my homelab has been waaaayyy too enticing, luring me away from the drudgery that is indexing. But now I'm putting my foot down! I'm scheduling my exam attempt in three weeks time (that's the one-week lull between two assignments), so now I absolutely have to finish my work

E Double U

Yes this has been the easiest index I have made because of the same structure with each control (measures, ERD, defenses, etc). I created a separate tab for each control and just copied the same format to each tab then modified it as needed. The fat NIST books are not needed for the exam.

FluffyBunny

I'm also adding a lot of key software names and concepts to the index. We'll see how things go!

FluffyBunny

Hey @E double U, I seem to have found a bug.

In book 3, pages 21 through 24 (root cause analysis for control 7) appear to be an exact copy/paste of pages 74 through 77 from book 2 (root cause analysis for control 5). Now I’ve seen other copy/paste moments, but in this particular case I feel that there’s been an error in making the syllabus: the repeated text does not appear to be relevant to the subject matter.

I've sent an email to James, Kelli and Russell about it. I'm curious whether you've noticed the same issue.

E Double U

My index is similar. For every index my tabs are topics, tools, and commands. The commands tab was not necessary for this GIAC attempt, but I kept the topics and tools plus the separate tab for each control. It made it easier for me to find what I was looking for during the exam. I rarely had to use the books.

I do not recall seeing that repeated text, but I will take a look.

SecurityNoob45

E Double U said:

My index is similar. For every index my tabs are topics, tools, and commands. The commands tab was not necessary for this GIAC attempt, but I kept the topics and tools plus the separate tab for each control. It made it easier for me to find what I was looking for during the exam. I rarely had to use the books.

I do not recall seeing that repeated text, but I will take a look.

This is my first SANS attempt! would you be able to show maybe a sample or even just a picture of how your index looks? Thanks!

LonerVamp

Others may have them different, but what I use is just a spreadsheet with three columns: term/topic/phrase/keyword - brief description or important points - page number found.

If a term appears on multiple pages in different places, I'll just have multiple entries for that term. And each definition will be tailored to the content from that specific page.

I've also found it helped me to print it landscape and have it ringbound at the top at Fedex/Kinkos. I then add sticky tabs on the bottom or side to let me flip to various alphaletters quickly.

And just to round out the subject, I'll add sticky tabs to the tops of the book pages for every major section shift, topic, examples, key charts and lists, and so on.

E Double U

Check this out: https://digitalforensicstips.com/2012/11/sans-index-how-to-guide-with-pictures/

FluffyBunny

Yeah, that's a good tutorial. Similar to "Better GIAC testing with Hacks4Pancakes".

Gosh, creating that index is a task of drudgery.

I'm on the last book and I'm so done with this... Once the index is done I'll tackle the practice exam(s) to see how I'll fare, then my exam is due in 1.5 weeks.

FluffyBunny

Whew! I finished my index today! I don't have a color printer at home, so all those cute colored labels aren't going to much use. But the index worked just fine anyway.

I immediately took my first practice test and scored a 90% in roughly 55 minutes. Two mistakes were down to sloppiness, the rest were honest fails on my part.

And since @SecurityNoob45 asked, here's a photo of my books and index. I used Apple's Numbers as spreadsheet to take indexing notes and then made the actual document in Pages. That took a little effort, because you can't simply paste Numbers data into the DTP tool that is Pages. You first have to make a table to post the data into, and funnily enough Pages limits its tables to 999 rows. So I've had to make three very long tables

SecurityNoob45

FluffyBunny said:

Whew! I finished my index today! I don't have a color printer at home, so all those cute colored labels aren't going to much use. But the index worked just fine anyway.

I immediately took my first practice test and scored a 90% in roughly 55 minutes. Two mistakes were down to sloppiness, the rest were honest fails on my part.

And since @SecurityNoob45 asked, here's a photo of my books and index. I used Apple's Numbers as spreadsheet to take indexing notes and then made the actual document in Pages. That took a little effort, because you can't simply paste Numbers data into the DTP tool that is Pages. You first have to make a table to post the data into, and funnily enough Pages limits its tables to 999 rows. So I've had to make three very long tables

SO ARE YOU SUPERMAN OR BATMAN? CAUSE YOU SAVED ME! THANK YOU!!!

FluffyBunny

SecurityNoob45 said:
SO ARE YOU SUPERMAN OR BATMAN? CAUSE YOU SAVED ME! THANK YOU!!!

Well to be fair, EdoubleU did already link you to a site that provides detailed instructions on how to make these...

FluffyBunny

Today was the day

I passed my GCCC certification exam with a 93% score (my trials rang in at 91% and 89%)

I found the actual exam to be a bit more difficult than the two trials. I also grabbed for my indices and reference tables a few more times than during the practice rounds. Overall it's a very doable exam though; mostly common sense thinking.

LonerVamp

Nice job, congrats!

What's next?

FluffyBunny

LonerVamp said:

Nice job, congrats!

What's next?

I'm setting up my homelab, trying to finish up the basic infrastructure, so I can start work on RedHat's EX407 (Ansible). I want to renew my RedHat certs this year.

I'm also applying for a SANS Mentor position (for the Netherlands) and have just signed up with the GIAC Advisory Board

dimkat2903

E Double U said:

Passed GCCC today with 79% - just three weeks after completing the course. I wanted to attempt it sooner, but I had two work trips back-to-back that delayed the completion of my index. Took both practice exams the same day and got 59% on the 1st attempt (without the index) and 80% on the 2nd try (with the index).

Greetings my friend and congrats for passing your exam. As i am also preparing for the exam, may i ask if you could provide me with your SEC566 index please? That would be a great help for me, please.

E Double U

My index is over a year old so I am not sure how good it will do you since the material is updated. I have no problem with sharing it, but I would strongly advise you to prepare your own. Index building has been a part of studying process for me since I read all of the books and do the labs as I create it. If you are just looking for a quicker way to pass the exam you are cheating yourself.

SteveLavoie

I was thinking about doing the SEC566 SANS class, Is it good ? Did it really bring something more than reading the control (most are rather straight forward).

FluffyBunny

SteveLavoie said:

I was thinking about doing the SEC566 SANS class, Is it good ? Did it really bring something more than reading the control (most are rather straight forward).

Based on my experiences as Facilitator in this class (in which I met E double U as student) I would say: it depends.

It depends on the trainer and more importantly it depends on the students. Unlike most technical SANS classes, SEC566 is squarely targeted at defining and enforcing policies and procedures and at testing their outcome. It's not hacking, it's not code, it's about helping an organization reach security maturity targets.

The quality of this class stands and falls with interaction between those people in the room. If it's nothing but one-way traffic and students are only there to drink from the firehost, it's gonna suck for you. Yes you'll learn stuff, but you could be getting so much more from it. I found the talks and discussions we had during each chapter the most valuable parts of my week with SANS. As you point out: you can just read best practices and the CSC. But it's discussing HOW to tackle all this with others that will help you actually get somewhere with'm.

FluffyBunny

dimkat2903 said:
Greetings my friend and congrats for passing your exam. As i am also preparing for the exam, may i ask if you could provide me with your SEC566 index please? That would be a great help for me, please.

I'm with E double U here: the point of making your index is part of the learning experience and helps you familiarize yourself with all the materials. Sure you can ask for other people's index, but you're robbing yourself of an experience.

Yeah, I've shared my index with one of my classmates at the time. And yeah, I'm pretty sure they passed. But yeah, I felt a bit "meh" about it. But asking us for our index now, over a year after the class, won't help you much. The books have probably changed quite a bit since then.

Kickstone

E Double U said:

My index is over a year old so I am not sure how good it will do you since the material is updated. I have no problem with sharing it, but I would strongly advise you to prepare your own. Index building has been a part of studying process for me since I read all of the books and do the labs as I create it. If you are just looking for a quicker way to pass the exam you are cheating yourself.

FluffyBunny said:

I'm with E double U here: the point of making your index is part of the learning experience and helps you familiarize yourself with all the materials. Sure you can ask for other people's index, but you're robbing yourself of an experience.

You guys are right. But, on the other hand, there are more kinds of approach. One of them is making your own index and then compare with others and refine your work. That's the way I always passed those exams quite successful.

Also, with this kind of preparing, the "age" of an index doesn't matter at all. It's just for optimizing.

Due to the current global situation I am taking the Online Training now, and as there is not much orientation to what's important and what's not, which does not make it easier.

If somebody is willing to share his index with me, I would appreciate it very much. Thanks in advance.

E Double U

I found my index. What is your email?

FluffyBunny

Also, with this kind of preparing, the "age" of an index doesn't matter at all. It's just for optimizing.
Weeellll, chapter layout and page count of the source books may vary wildly.

But sure. Knock yourself out -> https://www.kilala.nl/Images/SEC566-index.pdf