SANS 401 exam - advice needed

zetec

The other day I failed my 401 at the second attempt. I scored 66%, which was a mere 2% improvement on my first attempt back in August. I suspect that my index was way too long (87 pages) , overly detailed and basically not structured in a way that would derive maximum advantage. During both exams (and indeed in both practice tests) I seemed to spend an inordinate amount of time looking for information I know I had captured somewhere. Can anyone offer any useful advice on how I can restructure my material so that I can reduce the amount of time that I am searching for information as opposed to actually devoting the scarce time to thinking? Thanks in advance 👍

iBrokeIT

You need to actually comprehend the material and rely on your index less.  I would turn those 87 pages in flash cards for practicing with and the cut your index down to 15 pages or less.

cyberguypr

I concur with iBrokeIT. The case here seems to be lack of understanding of the material. Although I don't think any index will help with this, I am curious as to how you laid it out. Also curious how long ago you took the class and what your background is. 

JDMurray

The index is only to be used during the exam for topics that you are not clear on. You should only need to use your index about every 7-10 exam items if you know the material well.

Were you able to complete the exam in the given time or did you run short of time? It sounds like you were spending most of your time flipping pages.

zetec

Thanks JD. No, I didn’t run out of time, but seemed to be constantly against the clock. In retrospect, I think my approach was wrong. Very frustrating as I scored 72% on 2nd practice exam. 

cyberguypr

@zetec care to discuss why you disagree with? 

JDMurray

zetec said:

Very frustrating as I scored 72% on 2nd practice exam. 

I would consider the GIAC practice exams as a measure of how well you know the material and not as a predictor of what score you will likely receive on the actual exam. Practice exams are almost always "teaching aides" and not "readiness predictors."

zetec

Ok, cheers JD. Contrary to other somewhat negative comments received, which questioned my understanding of the material and I strongly refute, I found your insight to be useful. Any suggestions on how to keep my knowledge current in light of the fact that I have used up both practice exams? Thanks again. 

quogue66

There is a lot of material covered in the 6 books for SEC401.  That being said I think 87 pages is too much.  I over-index my books and most of my indexes are around 32 pages for 5 books so I would say that 40 pages would be the max for GSEC.  I've taken the GSEC exam and I've restudied the GSEC material for the GSE multiple choice exam so the material is pretty fresh in my mind.  How much time have you spent reading the material and doing the labs?  I usually read the books and do the labs three times before taking the exam.  I create a color coordinated index of all terms for the entire course (yellow=book 1, orange= book 2, etc) and then I create a table of contents for each book and tape it to the inside cover.  The only thing in my GSEC index was the term and page number.  I also take a marker and I color the end of the books so I can quickly grab the right book if they are stacked on top of each other.  Another thing to look at is your score on the GIAC site.  Which areas are you weakest on?

zetec

Thanks quogue66, that’s helpful. I worked really hard on the books. I would say I devoted well in excess of 200 hours. I have a tendency to want to understand the lot, so Rarely rarely did I skim pages. The colour coordination is definitely a good shout. I have dabbled with that but not in a systematic basis. As for scores for all 4 exams, there are wild fluctuations on my scoring in a fair few of the 32 models. So, for example, where I scored say 1 or 2 out of 5 I would naturally target those, however to my surprise I found that others where I I thought I was strong, I suffered a reduction in correct answers.Lesson learned: don’t neglect what you think you know.  My scores for all 4 attempts (practice tests and real) were (in chronological order) as follows:- 56% (1st practice test), 64% (1st exam), 72% (2nd pt), 66% (2nd exam). Finally, I definitely need to do the labs a few more times. I’ve only completed them once, so thanks for that advice. 

Grafixx01

I think that the index I created for the GSEC was only like 15 pages. I passed the exam last month. I did have a GSEC All-In-One book with me as well that I found some answers in there versus what was in the actual SANs books. I know someone who had an index like yours but I don't think he actually used it in the exam, it was more to gauge what he knew/didn't know. I don't think I even used the practice exams that I got from SANs on my portal for it either. I'm now trying the GCIH, we'll see how that goes. 

TechGromit

zetec said:

I suspect that my index was way too long (87 pages) , overly detailed and basically not structured in a way that would derive maximum advantage. During both exams (and indeed in both practice tests) I seemed to spend an inordinate amount of time looking for information I know I had captured somewhere.

While I'm an advocate for longer more detailed indexes, 87 pages is way too long for the GSEC, I looked back and mine was 39 pages printed portrait. The process of creating an index is a great study technique, if you read, understood and created a really good index, chances are you will not have to refer back to is very much during the exam. The Index should not be used as an answer key, where you look up every answer, even if you know it to validate your picking the correct one. My first index was simply a keyword, book, tab number.

Multi Router Traffic Grapher (MRTG)            6       25

After refining my indexes, I now do Keyword, Book #, Tab # and short description of concept, printed landscaped.  

/lib              1     35    common libraries

The most complicated index I created was for the GCIH, after noticing the practice test questions probed knowledge for programs, like what program is a sniffer, and 4 or 5 different programs are the answers to pick from.  Assuming I didn't know the answer, looking up every program in my index was way too time intensive, I try to minimize the amount of time I spend on each question, even a few seconds saved on one question, will give me more time to spend on future questions. So Created a separate index just for programs, I broke the different program classes up and then added what programs were in that category.  

Sniffer                  Wireshark                                              1    7    Investigate Software Page 40
Sniffer                  Subterfuge Framework (Linux)               3  11    a Tool similar to ettercap, sniffing, os fingerprinting, connect killing (Page76)
Sniffer - Wireless  Marious Milner wrote InSSDER               2  10    Tools for Wireless LAN Discovery (WAR DRIVING)

Despite all the work I put into this index, I think I only used it once for the exam. The beauty of a good index if is you really took the time to create a good one, Chances are you will not need it for the exam. Then the question is was creating the index a waste of time, not if you helped you pass a $750+ exam. I know there are plenty of people that take the course and take the exam a week later and pass 90%+ and have two spare practice exams to give away to boot. But I'm not one of those people, I need a little more time to absorb the information, the courses and exams are very expensive, I firmly believe if you put in the time and effort anyone can pass them.     

bigdogz

@zetec
87 pages may be long but you have to use the most optimum way to utilize the material during the exam.

1. Know  most of the material well. Preparing for the GIAC exams is much different than the others. 
2. Use your index with the practice exams so you can make sure that you know where to look if needed. Open book does not give you enough time to look up 35% of the questions.

As others have said a good index goes a long way. I only broke open the book 3/4 into the exam. I think it was because I read the material a few times and labbed like an animal!

Good luck