GCIA Preparation and attempt log

Well, with the GSEC, GCFW, and GCIH out of the way, I only need the GCIA and one gold paper to satisfy the requirement to attempt the GSE. I can't start on the gold paper until I get a response from SANS regarding whether a gold paper for the GCFW would count for the GSE so I'm going to start self-studying for the GCIA.

I compared the curriculum between the GCFW and the GCIA and don't see a huge difference. It looks like 85% of the material is shared. I suspect that certain topics are covered more in depth than on the GCFW but I can certainly fill in the gaps. I imagine I'm going to have to go a bit harder on signature and traffic analysis, Snort, and TCP ****. That shouldn't be a problem though because I've recently purchased some excellent books on intrusion analysis and have a strong background in TCP/IP as a whole.

My resources so far include:

SANS GCFW books
Routing TCP/IP Vol 1/2
The new Wireshark U book

Dynamik recommended the following and are books he's using for his attempt:

The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century
Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
Intrusion Signatures and Analysis
Extrusion Detection: Security Monitoring for Internal Intrusions (this one is particularly interesting to me)
The Tao of Network Security Monitoring: Beyond Intrusion Detection (probably the best book of them all)

My first order of business is going to be sitting down with the GCIA's curriculum and mapping each focus area to specific training resources. I should be able to complete that task in a day or two. From there I can really drill down to the specifics of the material. I'm going to need a steady supply of interesting traffic flows so I'm going to be generating some pcap files for analysis and hopefully I can find some good ones on the internet as well. The curriculum calls for analysis of attack patterns so I'm sure I'll have to be able to spot specific attacks from packet analysis.

I'll be sure to keep this updated as I progress further through this journey.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dynamik

Much obliged; that looks like a fantastic resource.

Paul Boz

I'm back on the road this week so in the wake of making my GCFW proposal and continuing my studying for the GCIA I have started reading Bejtlich's "Extrusion Detection," the follow-up to the Tao book which I mentioned above. I've only gotten through chapter one but for the most part its just been a recap of the Tao book so far. That's to be expected. I'm intrigued by the later content on client-side attacks and using network security monitoring to mitigate them. I originally wanted to do my GCFW gold paper on outbound filtering so this book is pretty interesting to me. I wish I would have had this resource when I did my CUNA webinar on outbound filtering last month

Regarding the GCIA prep, I'm heavily leaning towards doing the exam in January when my employer renews my training budget. I blew all of my budget on the GCIH and GSEC so right now I'd have to float the exam out of pocket. I have to do the CISSP in September and that's out of pocket so I'm tempted to just hit the studying for that now and ramp back up on the GCIA after I've received confirmation of a pass. I have LSD-like visions of my head exploding when I think about the CISSP so you can imagine how much I'm looking forward to that.

Paul Boz

I haven't forgotten about this, I just haven't been updating as diligently as I should be. I configured and installed a home-brew OSSIM sensor a few days ago and got that set up on my external network at home. For those unaware of the OSSIM project, its basically the freeware version of the AlienVault SIM/SIEM software. It has snort, nagios, openVAS, and many other tools built in and correlates events with existing data. For example, if Snort detects an exploit known to target windows systems but knows that the system is running Linux based on Nagios and NMAP data it won't prioritize the attack. However, if it knows that the system is vulnerable to that specific exploit (by analyzing OpenVAS results) it will auto prioritize and make a trouble ticket. It has numerous other features that I won't go into detail, but I recommend it. I'm going to do a blog post on basic setup and hardware selection soon.

Aside from that I've been spending a good bit of time working on TCPDump and snort CLI. I'll have a decent bonus check coming my way in the next few weeks and I'm thinking about spending some of it on a GCIA attempt. I still have $200 on my training budget here so I don't think I'd mind going out of pocket for the remainder. I feel like with about a week of dedicated studying I could be ready for this test. If the attempts were the cost of Cisco exams I would have done it already. The $900 really is a killer.

In other news I'm considering challenging the GPEN straight up as well.. That's another post for another day though.

Bl8ckr0uter

Paul Boz wrote: »

I haven't forgotten about this, I just haven't been updating as diligently as I should be. I configured and installed a home-brew OSSIM sensor a few days ago and got that set up on my external network at home. For those unaware of the OSSIM project, its basically the freeware version of the AlienVault SIM/SIEM software. It has snort, nagios, openVAS, and many other tools built in and correlates events with existing data. For example, if Snort detects an exploit known to target windows systems but knows that the system is running Linux based on Nagios and NMAP data it won't prioritize the attack. However, if it knows that the system is vulnerable to that specific exploit (by analyzing OpenVAS results) it will auto prioritize and make a trouble ticket. It has numerous other features that I won't go into detail, but I recommend it. I'm going to do a blog post on basic setup and hardware selection soon.

This sounds awesome man. I am looking to roll out an IDS/IPS solution for my new employers network. Do you think this is scaleable for a decent size network ( about 60 users)? How difficult was it to set up? I've been looking at snort and it seems to be pretty straight forward.

Also how difficult do you think it would be for someone to challenge GSEC? I want to do that test (and a few other SANS exams) but I cannot afford 4k for the training course and my job probably won't pay for that. I want to be as good as a Security Admin as I can be and looking at the objectives for the GSEC make me think that it would be a worth while cert for me to get at this stage in my career.

dynamik

knwminus wrote: »

Also how difficult do you think it would be for someone to challenge GSEC? I want to do that test (and a few other SANS exams) but I cannot afford 4k for the training course and my job probably won't pay for that. I want to be as good as a Security Admin as I can be and looking at the objectives for the GSEC make me think that it would be a worth while cert for me to get at this stage in my career.

One of the course authors wrote this, and it covers a lot of the material: Amazon.com: Network Security Bible (9780470502495): Eric Cole: Books

You also get two practice exams when you challenge it, and you can use those to identify any areas you are weak in. The exams are open book, so you can bring notes, etc.

Bl8ckr0uter

dynamik wrote: »

One of the course authors wrote this, and it covers a lot of the material: Amazon.com: Network Security Bible (9780470502495): Eric Cole: Books

You also get two practice exams when you challenge it, and you can use those to identify any areas you are weak in. The exams are open book, so you can bring notes, etc.

Score. Have you read the book yourself? It seems to have gotten pretty good reviews.

I just browsed through this book on amazon. I am going to pick it up, asap. Right when I pick up the QoS book and the wireshark guide.

dynamik

knwminus wrote: »

Score. Have you read the book yourself? It seems to have gotten pretty good reviews.

I own it and have paged through it. Most of the material was review for me. I just picked it up because it was a good "essentials" book and wanted to refresh a few things that I don't work with on a regular basis. It's definitely worthy of the reviews.

Bl8ckr0uter

dynamik wrote: »

I own it and have paged through it. Most of the material was review for me. I just picked it up because it was a good "essentials" book and wanted to refresh a few things that I don't work with on a regular basis. It's definitely worthy of the reviews.

I think reason why I am going to buy it is the Unix and Web Security. Some of the "networking" stuff looked like review but I am sure it will be worth it.

Bl8ckr0uter

Hey paul did you ever get around to doing this test?