Post your SANS/GIAC study material recommendations here

I was going to include a section in this forum's FAQ sticky about SANS/GIAC certification study materials recommended by TE's members. But it occurred to me that such a list could grow to be quite large, and that topic really should have its own sticky. Because it will take me some time to sift through all 1000+ posts in this forum to locate and consolidate all of the recommendations, I thought that I would appeal to the members of this forum to post your study material recommendations here. For saving me the time, you will have my undying gratitude.

GSEC - GIAC Security Essentials

GCIH - GIAC Certified Incident Handler

GCIA - GIAC Certified Intrusion Analyst

GPEN - GIAC Penetration Tester

SANS SECURITY 560 - Network Penetration Testing and Ethical Hacking

GCFW - GIAC Certified Firewall Analyst

http://www.techexams.net/forums/sans-institute-giac-certifications/10850-how-i-passed-gcfw.html

Other Resources SANS Security Training Courses SANS: Network, Information and Computer Security Training Courses SANS Information Security Reading Room SANS: Information Security Reading Room - Computer Security White Papers SANS Institute YouTube channel sansinstitute's Channel - YouTube

Find more posts tagged with

Comments

Q80Crud

Let's get this started!
I've heard Counter Hack Reloaded by Ed Skoudis is highly recommended for GCIH.

docrice

For the GCIA, I would recommend becoming familiar with TCP/IP headers and protocol behavior as a start. Note - I haven't read all the material below and I'm just listing them as potential good references:

Wireshark Network Analysis
http://www.amazon.com/Wireshark-Network-Analysis-Official-Certified/dp/1893939995/ref=sr_1_1?ie=UTF8&qid=1312869003&sr=8-1

TCP/IP Illustrated, Volume 1
http://www.amazon.com/TCP-Illustrated-Protocols-Addison-Wesley-Professional/dp/0321336313/ref=sr_1_6?s=books&ie=UTF8&qid=1312869043&sr=1-6

Network Intrusion Detection
http://www.amazon.com/Network-Intrusion-Detection-Stephen-Northcutt/dp/0735712654/ref=sr_1_1?ie=UTF8&qid=1312869808&sr=8-1

Nmap Network Scanning
http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=sr_1_1?ie=UTF8&qid=1312869082&sr=8-1

IP / TCP / UDP / ICMP headers
http://nmap.org/book/tcpip-ref.html

RFC 791 (IP)
http://www.faqs.org/rfcs/rfc791.html

RFC 792 (ICMP)
http://www.faqs.org/rfcs/rfc792.html

RFC 793 (TCP)
http://www.faqs.org/rfcs/rfc793.html

RFC 768 (UDP)
http://www.faqs.org/rfcs/rfc768.html

RFC 1034 (DNS)
http://www.faqs.org/rfcs/rfc1034.html

Snort User's Manual
http://www.snort.org/assets/166/snort_manual.pdf

Any material on Tcpdump
http://www.tcpdump.org/tcpdump_man.html

Binary / hex / decimal systems (this is a random page that I chose as an example)
http://www.blaenkdenum.com/2006/09/binary-and-hexadecimal/

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
http://insecure.org/stf/secnet_ids/secnet_ids.html

Mitnick vs. Shimomura
http://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attack

Honeynet Project Challenges
http://www.honeynet.org/challenges

docrice

For the GCFW, here's a partial list of things to check out (I haven't read all of these, but they seem promising):

Inside Network Perimeter Security
http://www.amazon.com/Inside-Network-Perimeter-Security-2nd/dp/0672327376

iptables
http://wiki.centos.org/HowTos/Network/IPTables

Cisco access-lists
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Wireshark Network Analysis
http://www.amazon.com/Wireshark-Netw...2869003&sr=8-1

TCP/IP Illustrated, Volume 1
http://www.amazon.com/TCP-Illustrate...2869043&sr=1-6

Nmap Network Scanning
http://www.amazon.com/Nmap-Network-S...2869082&sr=8-1

IP / TCP / UDP / ICMP headers
http://nmap.org/book/tcpip-ref.html

RFC 791 (IP)
http://www.faqs.org/rfcs/rfc791.html

RFC 792 (ICMP)
http://www.faqs.org/rfcs/rfc792.html

RFC 793 (TCP)
http://www.faqs.org/rfcs/rfc793.html

RFC 768 (UDP)
http://www.faqs.org/rfcs/rfc768.html

RFC 1034 (DNS)
http://www.faqs.org/rfcs/rfc1034.html

Any material on Tcpdump
http://www.tcpdump.org/tcpdump_man.html

Binary / hex / decimal systems (this is a random page that I chose as an example)
http://www.blaenkdenum.com/2006/09/b...d-hexadecimal/

Mitnick vs. Shimomura
http://wiki.cas.mcmaster.ca/index.ph...Mitnick_attack

Chris:/*

For the G2700 I used the following study material all of which I found viable for the exam.

Study Material:

IT Governance A Manager's Guide to Data Security and ISO 27001 / ISO 27002
Amazon.com: IT Governance: A Manager's Guide to Data Security and ISO 27001 / ISO 27002 (9780749452711): Alan Calder, Steve Watkins: Books

How to Achieve 27001 Certification: An Example of Applied Compliance Management
Amazon.com: How to Achieve 27001 Certification: An Example of Applied Compliance Management (9780849336485): Sigurjon Thor Arnason, Keith D. Willett: Books

CISSP All-in-One Exam Guide
Amazon.com: CISSP All-in-One Exam Guide, Fifth Edition (9780071602174): Shon Harris: Books

Information Security Management Handbook
Buy Information Security Management Handbook by Harold F. Tipton, Micki Krause Used from Barnes & Noble

Information Security Management Handbook Volume 2
Amazon.com: Information Security Management Handbook, Sixth Edition, Volume 2 (978142006708

: Harold F. Tipton, Micki Krause: Books

CERT VTE CISSP Videos

ISO/IEC 27000

ISO/IEC 27002:2005

SephStorm

Any recommendations for the GSEC?

docrice

I wish I could recommend a small set of books and other resources specifically for the GSEC, but since the coverage is so vast (even at a basic level) it's hard to pin it down to a few. Since it's often compared to the CISSP, one might assume that one of the CISSP books would be a good start, but I wouldn't necessarily say so (although it certainly doesn't hurt and provides good foundations).

Another way to approach it would be to start with the topics that Security+ covers and take each section to the next level. Make a list of the differences between what the coverage from that and the GSEC is and go from there. Then add on some Windows and Unix-specific books (such as the Hacking Exposed series for Windows and Linux).

Chris:/*

SephStorm wrote: »

Any recommendations for the GSEC?

I am writing this list up to cover anyone who wants to take the certification so if you have already read through any of this material you should be good to go.

I would recommend Linux+ study material such as the new All-in-one:
http://www.amazon.com/LPIC-1-CompTIA-Certification-LX0-101-LX0-102/dp/0071771573/ref=sr_1_1?ie=UTF8&qid=1318723418&sr=8-1

For the Windows knowledge requirements I would look at:
Amazon.com: MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Maintaining a Microsoft® Windows Server(TM) 2003 Environment, Second Edition (9780735622890): Dan Holme, Orin Thomas: Books

For the security requirements:
http://www.amazon.com/CompTIA-Security-Certified-Ahead-SY0-201/dp/1439236364/ref=sr_1_1?ie=UTF8&qid=1318723593&sr=8-1

To get an overview of some of the tools out there:
http://www.amazon.com/CEH-Prep-Guide-Comprehensive-Certified/dp/0470135921/ref=sr_1_5?ie=UTF8&qid=1318723622&sr=8-5

For the basics of networking before diving to deep you should read ICND1:
http://www.amazon.com/CCENT-ICND1-Official-Certification-Guide/dp/1587201828/ref=sr_1_1?s=books&ie=UTF8&qid=1318724497&sr=1-1

The only books I know of that shows how networking works concisely from the engineering perspective was TCP/IP Illustrated. A new version of the books material is supposed to be covered in one book called The Illustrated Network (which I have not yet read). As I understand it is more entry level compared to the older books. That book should better fit the objectives of the GSEC as the TCP/IP Illustrated set would be overkill.
TCP/IP Illustrated all 3 volumes:
Amazon.com: TCP/IP Illustrated (3 Volume Set) (0785342776317): W. Richard Stevens, Gary R. Wright: Books

The Illustrated Network:
http://www.amazon.com/Illustrated-Network-Modern-Kaufmann-Networking/dp/0123745411/ref=wl_it_dp_o_npd?ie=UTF8&coliid=I18XXF1JILWI1D&colid=2BPLS3TKW2NU9

wiredwizard

Any advice on study material other then SANS for GPEN or GWAPT?

Morgan Todd ~ Memphis, Tn

dover

I didn't see it mentioned elsewhere but for GSEC you may want to check out the latest version of the Network Security Bible by Eric Cole. From my understanding Cole helped build and teach the SANS GSEC course. I haven't taken the GSEC myself, but from what I've heard this book could be very useful - especially when combined with some of the other suggestions from Chris:/*

http://www.amazon.com/Network-Security-Bible-Eric-Cole/dp/0470502495

l!ght

How current are these sources? I mean Tao is from 2004, NSB is from 2009. Is it still worth it to buy them?

JDMurray

SANS Learning Resource Center

SANS Information Security Resources

docrice

While not necessarily study material for the GIAC exams, the Gold papers submitted by SANS students / GIAC certification holders might be a good resource for general infosec topics.

http://www.giac.org/certified-professionals/directory/latest-papers

isairamm

Hi am planning to take GCFW cert, I read about the links that were mentioned below will that suffice or anything else is required to get through the exam.

Please help me in this regard.

docrice wrote: »

For the GCFW, here's a partial list of things to check out (I haven't read all of these, but they seem promising):

Inside Network Perimeter Security
Amazon.com: Inside Network Perimeter Security (2nd Edition) (9780672327377): Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent, Ronald W. Ritchey: Books

iptables
HowTos/Network/IPTables - CentOS Wiki

Cisco access-lists
Configuring IP Access Lists - Cisco Systems

Wireshark Network Analysis
http://www.amazon.com/Wireshark-Netw...2869003&sr=8-1

TCP/IP Illustrated, Volume 1
http://www.amazon.com/TCP-Illustrate...2869043&sr=1-6

Nmap Network Scanning
http://www.amazon.com/Nmap-Network-S...2869082&sr=8-1

IP / TCP / UDP / ICMP headers
TCP/IP Reference

RFC 791 (IP)
RFC 791 - Internet Protocol (RFC791)

RFC 792 (ICMP)
RFC 792 - Internet Control Message Protocol (RFC792)

RFC 793 (TCP)
RFC 793 - Transmission Control Protocol (RFC793)

RFC 768 (UDP)
RFC 768 - User Datagram Protocol (RFC76

RFC 1034 (DNS)
RFC 1034 - Domain names - concepts and facilities (RFC1034)

Any material on Tcpdump
Manpage of TCPDUMP

Binary / hex / decimal systems (this is a random page that I chose as an example)
http://www.blaenkdenum.com/2006/09/b...d-hexadecimal/

Mitnick vs. Shimomura
http://wiki.cas.mcmaster.ca/index.ph...Mitnick_attack

SephStorm

With my latest topic going the way it is, I wanted to ask, resources for the non traditional GIACs? GCED, GCWN (the windows, not wireless), GCUX?

docrice

Just came across this for those looking at the GCIH:

http://www.insecurityasylum.com/2012/05/gcih-study-plan.html

JDMurray

That gives me great idea! I'm in the SANS 401 course in San Diego in a couple of weeks. I should do a similar blog articles linking to resources people can use as a pre-study plan for SANS 401 and the GIAC GSEC. I might be able to do the same for SANS 501/GIAC GCED too. I'll update this post with links to those articles.

flt0nujr

That would be awesome JD!!!

docrice

Here's a blog post from a former member here who successfully challenged the GWAPT exam:

https://www.infosiege.net/2012/04/gwapt-challenge-review/

JDMurray

And speaking of challenging GIAC exams, I just confirmed with GIAC that a challenge exam is also "open book, open notes" just like a GIAC exam taken after attending SAN training. No electronics are allowed in either, so it's one bag of only books and hardcopy for all candidates.

Something else I need to put into the FAQ is that the $999US GIAC challenge exam price is reduced to $799US if you are a SANS alumni (that is, having attended a SANS training class and passed the associated GIAC exam).

ChooseLife

JDMurray wrote: »

And speaking of challenging GIAC exams, I just confirmed with GIAC that a challenge exam is also "open book, open notes" just like a GIAC exam taken after attending SAN training. No electronics are allowed in either, so it's one bag of only books and hardcopy for all candidates.

Thanks for confirming and posting here.

JDMurray wrote: »

Something else I need to put into the FAQ is that the $999US GIAC challenge exam price is reduced to $799US if you are a SANS alumni (that is, having attended a SANS training class and passed the associated GIAC exam).

I found the official statement and it looks confusing (highlights are mine):
GIAC Exam Challenge Info

GIAC Exam Challenge is for subject matter experts who wish to attempt a certification exam without taking the associated SANS training course.
...
There is a SANS alumni rate for anyone who has previously taken the SANS training course associated with the certification exam they wish to challenge. For example, if you previously took SANS SEC401 (Security Essentials) through any of the SANS training venues, you would be eligible to purchase the GSEC Challenge Exam at the discounted alumni rate of $799.

How do you understand it?

JDMurray

I understood that a SANS Alumni is anyone who has taken a SANS training course and passed the corresponding GIAC exam. When I saw the term SANS Alumni associated with pricing of GIAC challenge exams, I assumed this was the same thing.

Per their example, if I have taken SANS 401, why would I need to challenge the GSEC exam? Taking 401 is the prerequisite for taking the GSEC. Maybe there is a time limit on how long after taking a SANS class you have to take the GIAC exam.

I'll check with GIAC about all this and post back.

ipchain

JDMurray wrote: »

Per their example, if I have taken SANS 401, why would I need to challenge the GSEC exam? Taking 401 is the prerequisite for taking the GSEC. Maybe there is a time limit on how long after taking a SANS class you have to take the GIAC exam.

Unless things have changed, students have about (4) months to take the corresponding GIAC exam from the moment they are provided with the course material. Should you need additional time, you can always extend the deadline for a fee, which is way cheaper than the Alumni discount.

Not sure if this will help or not, but I bought one of their courses through one of the traditional training venues and decided not to pay for the certification attempt at the time. This is not typically a smart move as it's cheaper to pay for the certification attempt once you are registering, but I had no intention of pursuing this specific cert. Although I lost the opportunity to save about $200 USD, I can still request the Alumni discount in the future should I change my mind.

JDMurray

OK, the official clarification is:

After completing a SANS training class, the student is given a four month deadline to pass the corresponding GIAC exam.
If the exam is not passed within this time, the student can purchase a 45-day deadline extension before the deadline passes.
If the exam deadline passes and was not extended, the student can challenge the exam at a SANS Alumni discount for having taken the corresponding SANS class. (I didn't ask for how long after the deadline the discount will be honored.)
The SANS Alumni discount only applies to challenging a GIAC exam corresponding to a SANS class previously taken by the alumni and after the deadline has passed with no extension taken.

All that just to see how to save $200US.

ChooseLife

JDMurray wrote: »

4.The SANS Alumni discount only applies to challenging a GIAC exam corresponding to a SANS class previously taken by the alumni and after the deadline has passed with no extension taken.

No luck, eh.. I started getting hopes that any challenge is $799 after any one SANS course is taken. Nonetheless, thank you for finding out and sharing.

Getting ready for San Diego?

uyen_nguyen

For GAWN (Auditing Wireless Network), I used:
Zigbee Wireless Networking by Drew Gislason
Hacking Exposed Wireless, Second Editionby Cache / Liu / Wright (must have this book because Wright is course author of GAWN)
CWAP Certified Wireless Analysis Professional Official Study Guide: Exam PW0-270 (CWNP Official Study Guides)by David A. Westcott, David D. Coleman, Ben Miller, Peter Mackenzie
CWDP Certified Wireless Design Professional Official Study Guide: Exam PW0-250 (Study Guide Pw0-250) by Shawn M. Jackman, Matt Swartz, Marcus Burton, Thomas W. Head
CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204 (CWNP Official Study Guides)by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman
CWNA: Certified Wireless Network Administrator Official Study Guide: Exam PW0-105by David D. Coleman, David A. Westcott

And other material from Cisco wireless forum

uyen_nguyen

For GWAPT, I am using:
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws [Paperback]

Dafydd Stuttard (Author), Marcus Pinto (Author)

HACKING EXPOSED WEB APPLICATIONS, 3rd Edition [Paperback]

Joel Scambray (Author), Vincent Liu (Author), Caleb Sima (Author)

SQL Injection Attacks and Defense, Second Edition [Paperback]

Justin Clarke (Author), Kevvie Fowler (Contributor)

Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' [Paperback]

Mario Heiderich (Author), Eduardo Alberto Vela Nava (Author), Gareth Heyes (Author), David Lindsay (Author)

XSS Attacks: Cross Site Scripting Exploits and Defense [Paperback]

Seth Fogie (Author), Jeremiah Grossman (Author), Robert Hansen (Author), Anton Rager (Author), Petko D. Petkov (Author)

bunch of javascript, PHP, HTML5, Python knowledge and ton of video available on youtube.

Javascript by Example 2nd is an excellend resource for Javascript in the Programming Fundamental objective.

(I will update more as I m studying for GWAPT)

Jurgenius

JDMurray wrote: »

OK, the official clarification is:
After completing a SANS training class, the student is given a four month deadline to pass the corresponding GIAC exam.

If the exam is not passed within this time, the student can purchase a 45-day deadline extension before the deadline passes.

If the exam deadline passes and was not extended, the student can challenge the exam at a SANS Alumni discount for having taken the corresponding SANS class. (I didn't ask for how long after the deadline the discount will be honored.)

The SANS Alumni discount only applies to challenging a GIAC exam corresponding to a SANS class previously taken by the alumni and after the deadline has passed with no extension taken.

All that just to see how to save $200US.

JDMurray,

Do you know perhaps whether taking OnDemand, vLive or Self-Study training will allow for the lower certification price $579?

Regards,

J.

JDMurray

Yes, US$579 is curently the GIAC exam price if you sign up to take the exam when you purchase the classroom, vLive, and OnDemand training. For self-study, the exam challenge cost is US$999.

Jurgenius

JDMurray wrote: »

Yes, US$579 is curently the GIAC exam price if you sign up to take the exam when you purchase the classroom, vLive, and OnDemand training. For self-study, the exam challenge cost is US$999.

Thanks for the post!

J.

LionelTeo

Here is a list of books written by GIAC Instructors/Students/or people who have taken and pass GIAC Exams before.

Note: I never said you would definitely pass base on these books, however, their content would be good enough to probably help you to get at least a pass in their training materials. You should buy a practice test at one of their site so as the gauge yourself if you are ready for the real exam. You should also actively scout yourself for other online resources that may aid you in the exam, a couple of others have post them in the forum. Please do not blame me if you cannot pass the exams, this are just recommendations from me out of good will.

I compile this list for my future usage to reinforce my concepts, meaning I haven't had the time to read them before.

GCIH
Counter Hack Reloaded (Ed Skoudis, SANS Instructor for GCIH)
Hacker Techniques, Tools, and Incident Handling (Jones & Bartlett Learning Information Systems Security & Assurance Series)
Incident Response and Computer Forensics, Second Edition

CISSP Study Guide (2nd Edition) (Eric Conrad)
Page 329-331 (Incident Response Management)
Chapter 10: Domain 9: Legal
Cyber Laws for Europe/UK/US/Singapore/Japan/Germany and other countries Found Online
Virtualisation Escape materials found online

GAWN
Hacking Exposed Wireless (Joshua Wright, SANS Instructor for GAWN)
Exam Note: Never took the exam with this book before

GISP
CISSP Study Guide 2nd Edition (Eric Conrad, SANS Instructor for GISP)
Exam Note: I pass 76% with this book alone

GCIA
Practical Packet Analysis (Chris Sanders)
Wireshark Network Analysis (Non GIAC Related)
Network Intrustion Detection (Stephen Northcutt)
Inside Network Perimeter Security (Stephen Northcutt)
Intrusion Signature and Analysis (Stephen Northcutt)
Internet Core Protocols

Books Recommended by Stephen Northcutt (See the reviews)
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
Tao of Security Monitoring
Extrusion Detection: Security Monitoring for Internal Intrusions

Latest Snort Manual: SNORT Users Manual 2.9.5 *Some questions answers can be found in Snort Manual

Exam Warning: There is a section on the exam that ask about the latest technology and detection tools. You cannot find them in any of the books. Neither it is easy to find them online.

GSEC
Having study CISSP, the recommendation I can give in regards to GSEC, it is about 8 domains from CISSP and another two books of GSEC are windows and unix related.

CISSP Study Guide (2nd Edition) (Eric Conrad)
- Minus Hardware Architecture
- Minus Software Development
Network Security Bible (Eric Cole) *Someone reviewed on the Amazon page that they use it along for GSEC course
-Microsoft® Windows® Security Resource Kit
- Linux Administration: A Beginner's Guide, Fifth Edition
GCFA
Please see, An Eye on Forensics: Studying for the GCFA certification: Part 1

Most from the list is prepared for myself to challenge the GSE Exam, but some is prepared for additional reading if I have the interest in the future to branch into those field. I will be preparing for my GSE after my OSCP. I intend to use the experience from OSCP to cover part of the GSE hands on lab domain.

Not Sure where to place this
Advance Persistent Threat (Eric Cole)