Finished up the GCIA

smashedpumpkins Member Posts: 33
The SANS exams are very different than the other exams I've taken. I can't say that I care for how tailored the exams are to the class material. It feels like a conflict of interest. I took the SANS 504 class back in December and created an index like most recommended. Some of the questions and samples were identical on the test compared to the books. This was the first certification where I took a class.

Regardless, the GCIA was a tough test for me. Being open book, they don't make it easy. I knew I would have to study hard and build a quality index. My index was about 20 pages. I also printed out a Wireshark, tcpdump, nmap, common ports, dec to bin to hex conversion, and an ICMP sample sheet. My practice tests didn't go as well as I would have preferred. I scored in the low and mid 70's on each test. Luckily, I felt the actual exam was a little easier and scored mid 80's. I took every minute they gave me and unfortunately had to rush the last few questions. It's a little too easy to look up answers just to verify what you already know.

I learned a lot and am planning my next exam and training. I'm debating between the GCIH and GCFA training next. I enjoyed the technical aspects of the GCIA so I'm leaning towards the GCFA. I work as an intrusion analyst for a large company. My primary roles are intrusion detection and incident response. From what I've read, the GCIH sounds a little easier than the GCFA. What are your thoughts? In the eyes of employers, what's more valuable?

Thanks!
Fortune favors the brave.

Comments

  • LionelTeo Member Posts: 526
    GCFA would be more useful for higher-end SOC/intrusion analyst work. GCIH covers very simple incident handling (while necessary) and then lots of attacks and countermeasures to them; if you are well equipped on the different types of attack, then GCIH is not really necessary except for the incident handling part. The GCIH incident handling area and the GCED incident handling section complement each other, so if you're interested in IH then these two courses will help a lot. This is a bit silly, as both talk about different areas that are important to incident handling and you cannot find this in a single course.

    My recommendation is to self-study for GCIH first, since you already have GCIA; GCIH is somewhat less tough than GCIA and has a lot less content. GCIA would somewhat require an analyst to understand how each attack vector works before they can even analyse it, therefore I presume your experience in understanding how each attack works can help you a lot in GCIH. You can look up a book called Counter Hack Reloaded by Ed Skoudis, who happens to be the course author for GCIH; both the course and the book explain each attack vector in great detail, with the exception that the book does not cover the incident handling aspect, so then cover the incident handling area with Hacker Techniques, Tools, and Incident Handling. However, incident handling in the industry is not the same standard as SANS, which will give you a disadvantage in the exam. Luckily though, Eric Conrad from SANS wrote the incident handling section in his CISSP Study Guide, which is similar to what SANS follows; you can get that book and read that chapter. Finally, google anything that you missed from these books and you're ready to challenge your GCIH.

    Since GCIH is considerably one of the easier exams for GIAC, this will give you a great deal of feel for what a GIAC Challenge would be like. This experience will help you in self-study for the GCFA exam, which is slightly harder. I haven't taken GCFA so I can't comment, but in the first topic on the last page, I have shared a link to the blog of an author who wrote about his GCFA experience.

    Of course if you had the spare cash, you can simply jump straight to GCFA course materials.
  • docrice Member Posts: 1,706
    Great job on passing the GCIA exam. I presume you meant that you took SANS 503 rather than 504.

    I'm taking 408 right now which is the (not mandated but generally-recommended) prerequisite for 508. I'm also scheduled for 508 next month. I found that while the 504 material seems a bit easier than 503, at the same time I found them both quite challenging. I scored equally on both tests, although I finished the GCIA in under two hours (maybe half an hour more for the GCIH). Perhaps your existing experience as an intrusion analyst will give you some benefit in this regard on the GCIH.

    It's always a tough call in regards to which SANS course to go with because while some have overlapping content, each one is uniquely-packaged enough that your decision will hinge on your experience and where your specific interests are in the near-term. If I were in your shoes, I'd peruse through Counter Hack Reloaded and see if it's too familiar of a ground for you, in which case go for SANS 508. Otherwise, 504 and GCIH as a certification is probably more employer-recognized if that's the angle you're working on.

    And to flip the coin one more time, if you're dealing with employers who generally recognize GIAC certs, then the chances of them recognizing the GCFA probably increases.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Khaos1911 Member Posts: 366
    Congrats on the GCIA pass, Smash!

    I'm interested in taking both GCIA and GCIH (GCED even sounds interesting) and have applied for work study for both. Do any of you know if they actually notify you if you're not selected for work study?

    I've already eaten up my boss's budget this year for GSEC boot camp in San Diego, but I think GCIA/GCIH are more of what my job duties and interests are....(I tried talking to my boss, but he was dead set on the whole team taking GSEC and passing before any other SANS training. Even though my skills and experience are well past GSEC level info....) Bummer
  • LionelTeo Member Posts: 526
    I am not sure about work study, but I always email SANS about stuff that is not clear or is wrong on their website, and they are pretty active. If they don't respond, just resend. I am not sure how much your boss knows about IT security; I advise my organization that everyone should take a different course so we have a mixed set of skills to work with. GSEC and GCIH are both somewhat foundational skills in different aspects: GSEC is a foundation for compliance (basic managerial role stuff) and Linux/Windows administration, while GCIH is a foundation for the general technical-level path for intrusion analyst, forensic analyst, penetration tester, incident handling. These two courses open doors to different paths of work. I highly recommend the GCED course if you are looking at GSE; given the cleaning malware book, network hardening and more insight into incident handling, it bumps up the incident handling knowledge that may aid you in the exam. Unless you are a seasoned incident handler (a job many of us don't get to work in), GCED is a great asset to incident handling in terms of knowledge.
  • atx1975 Member Posts: 17
    Khaos1911 wrote:
    Congrats on the GCIA pass, Smash!

    I'm interested in taking both GCIA and GCIH (GCED even sounds interesting) and have applied for work study for both. Do any of you know if they actually notify you if you're not selected for work study?

    I've already eaten up my boss's budget this year for GSEC boot camp in San Diego, but I think GCIA/GCIH are more of what my job duties and interests are....(I tried talking to my boss, but he was dead set on the whole team taking GSEC and passing before any other SANS training. Even though my skills and experience are well past GSEC level info....) Bummer

    Khaos1911,

    Yes, if you are not chosen you will get an email stating so. But keep applying; I got rejected the first time but got accepted the second time I applied for the Work Study.
  • Mechs Member Posts: 25
    Hi, well done on the pass

    I applied before doing GCIA and got rejected. But I passed GCIA with a 93% score in Jan, so I am going to see if I can reapply so I can do GCIH myself :)
  • kbpatil Member Posts: 23
    Hey Smashedpumpkins,
    Can you help me with the index you created for the exam? I am giving the exam next month. It would be really helpful.

    Thanks in advance