Archive for the ‘Certification’ Category

Passed SANS GSE written!

Just got back from taking the test. Scored a 94.6% with 20 min left. Test was 150 questions with a 3-ish hour time limit (I forget if it was 3 or 3.5 hr). The study plan was to get a 91%, so I’m pleasantly surprised. The minimum passing score is somewhere in the mid 70’s, but I wanted plenty of wiggle room with the lab portion of the exam, and what GSE would want to pass with the bare minimum? The first half hour of the test was the most stressful. After that, I hit my stride and methodically worked through it, checking my time remaining at every checkpoint to make sure I wasn’t taking too long looking up items to verify my answers. If you have ever taken a GIAC test, you know that you get checkpoint scores every so often. . .

At any rate, you now know the materials I used to study, what I brought with me and how I created my index for the written portion of the SANS GSE.  Good luck to you!

Now the real preparation begins – for the GSE lab, hopefully in March 🙂


Final preparations for SANS GSE written test

Getting a little nervous I haven’t studied enough for the GSE written – you know, 20+ hours a week for 3 months and change. Looked at a few sites dealing with the multiple choice portion here: (yes, it’s from almost 5 years ago) and here ( – the ‘official word’ on the matter). There is also a helpful post from Courtney Imbert to the giac-study google groups e-mail list (dated 10/15/13? I don’t tend to delete e-mails very often.), although it seems directed more to the lab portion of the exam. For those who don’t know, Courtney is the GIAC tech director and has a GSE, so her advice merits close attention on two counts.


Oh, and I caved and started printing man pages. Couldn’t find a good one online, so I went into the SANS 503 virtual machine, did a ‘man snort | col -b > snort.txt’, then used netcat to move it to my OSX box (repeated for syslog, tcpdump and nc). Pro-tip: if you do this, use narrow margins to prevent occasional wordwrap in MS Word.

SANS GSE certification progress – indexes, colored tabs, and verify what you’ve done!

[had a post for Nov 26 – lost it due to a computer crash while watching a youtube video on Clash of Clans. . . CURSE YOU GAME ADDICTION!!!!!]


Completed indexes, including SANS GCIA (503) workbook (that thing is a monster). Saved them, made a copy, sorted them, verified the term, page number, and any notes all line up. This may sound goofy, but one thing to double-check before going to a SANS test: verify your index is correct before you take any GIAC test! Why make such a silly statement? Because I happen to know someone who didn’t verify their index before they went to the test. On Question 2 they realized that something was horribly wrong; when they sorted the index, they only sorted the term and page columns, not the book column. Sucks right? Yeaahhh, ok – it was me. . . That was on the GPEN exam I took last year. Thankfully, I knew the material well, had tabs in the books for major topics, and still managed a good grade.

Oh, and tabs – put tabs in your books for major topics. I also sometimes put tabs along the top for major tools. Yes, I go through colored tabs frequently.


Anyway – the final index is 150+ pages, so I put that in a three-ring binder. Yes, I made an index with over 6500 entries for SANS 504, 503, and 401. Also going in there: the various cheat sheets, and all those pretty header diagrams from SANS 503.


Oh, and I just pillaged the GSE Google docs repository. Some good stuff in there, but I’m not going to print off the 50+ manpage references. . . now that I say that. . . maybe I shoul. . .NO!!! I’m not gonna do it. . . nooooooo.


This is getting a little sad at this point – I’m listening to SANS recordings instead of music. Hour long drive to work? You can fit a session in each way. Going to the grocery store? That’s 15min. Putting the final index together? You should really re-listen to GCIH 504 Day 2 (currently on hour 3, Maltego – and reconnaissance. You did the lab, right?).


Oh. . format string vulnerabilities – I still don’t get that. (504.3 p164-180)

SANS GSE test study update – getting everything organized and in one place

Felt pretty crappy today, so I stayed home to rest. One of the things I’ve saved till last is the SANS 503 Intrusion Detection In-Depth workbook. It’s big.

The only non-workbook. . . book I have left is SANS Security Essentials 401.5 (The Windows day). Now to start getting all the indexes in one place. The question is – do I combine them into one master index of SANS 401, 503 & 504 or keep them all separate? Probably both, just to be safe. I’ll be bringing a stack of books over a foot high to the testing center. . .what’s another ¼ inch?

One other thing – I need to get organized. I’ve left various SANS books, CDs and cheat-sheets here and there. Now getting everything organized and figuring out what’s the newest version has taken over an hour to do.   Ugh.

SANS GSE progress – what order to study/outline books

I’ve taken one day off every other week to try to get ahead, but there is also a holiday in there, that’s helping me out. Yea! Currently I’m a little ahead, with only three books left (one is the massive 503 GCIA lab book). I’ve found indexing the 401 material to be somewhat basic – I’m wishing I had done that first to get it out of the way and have the more difficult material fresh in mind.

So far, it seems that I’m on track to take the test the first week of December as planned. IF all goes well, I’ll have four months or so to study for the practical part of the exam.

Need more time to study for SANS GSE test

Thinking of taking one day off / week from work until test day. If I take one day off every other week, I won’t be burning too much vacation time. . .

Scheduled the SANS GSE test – and making a study plan

Scheduled the test today. I work mids, so I scheduled it as late as possible. Also, I scheduled the test at a center a bit further away, but after calling them, they said it would be ok to pull up another desk to hold all the books etc.

So the study schedule for the test. I’ve got about 6 ½ weeks – GCIA (SEC503) has been outlined. I’ve moved on to GSEC (SEC401) this weekend. To get GSEC and GCIH (SEC504) re-outlined, I need to get through two books per week, which is a double-edged sword. The 401 material isn’t as tough, but there is a LOT to go through. I have an older outline for GCIH, so I’ll save that for last. Also, the workbook for 503 still needs to be completed (I’m about 1/3 of the way through it). So:

Oct 15-18: GSEC 401.1 & 401.2

Oct 22-25: GSEC 401.3 & 401.4

Oct 29-Nov 1: GSEC 401.5. This will be hard – Halloween is my fav. One book this week.

Nov 5-8: GSEC 401.6 & GCIH 504.1

Nov 12-15: GCIH 504.2 & 504.3

Nov 19-22: GSEC 504.4 & 504.5

Nov 26-29: Thanksgiving. . . whatever is left over. . . get it?

Dec 2: TEST

Wow – this is going to be tough.

Paid for the SANS GSE written test . . and some thoughts/advice on practice tests

Paid the invoice for the GSE test. Also signed up for the GSEC re-certification so I could have the latest course material. Discovered that if you go the CPE option, SANS will NOT give you access to the practice tests. I asked nicely if they would. They replied that for the low price of $175 per (or something like that) I could purchase practice tests.


That sucks, guys. Work isn’t going to go for paying out for that kind of stuff. Would it really be that bad to give the CPE guys a practice test?


So, if you are trying to get the testing material and want access to the practice tests, don’t go the CPE route; go the re-test route. Also, complain bitterly to SANS about the lack of practice tests for going the CPE route. I considered switching to test-recertification, but the last time I took the GSEC my grade was 95%. I’m not going to top that while trying to study for everything else.

Hindsight – if you have a test you didn’t do great on, go the re-test route even if you have the CPEs. You can improve your grade on the GIAC site and have those practice tests. This would have been helpful for my GCIA cert. It’s my weakest area and I only scored an 85% last time. I purchased the GCIA re-certification with CPE option back in June, so it’s way too late to even think of asking them if I could switch to testing. Guess I’ll be working extra hard on the labs to make sure I have everything down.

Now that the invoice is paid, I need to find a testing center to take the GSE exam. There was a really nice testing center up in Hunt Valley, but they apparently don’t do it any more. The testing centers in Baltimore are not. . . um. . . up to my standards (I’m trying to be diplomatic – basically the staff is nice, there just isn’t any space for my books and other testers are crammed in like sardines). I may actually go visit the testing centers in Columbia just to make sure they are nice. The last thing I want to do is switch centers and end up someplace worse. At any rate, one thing I have learned doing SANS certifications is to SCHEDULE EARLY! The desirable timeslots tend to fill up quickly.

Going for SANS GSE certification

So, I finally decided to actually do the GSE and stop talking about it. I’m not starting these posts at the beginning of my studies. I’m actually about ¼ of where I want to be. I’m debating keeping these posts offline until the certification has been completed. . . I don’t like posting failures to a place that can be as permanent as the Internet.

Today is the day after submitting for (and getting) approval to take the pre-qualification test. SANS is calling it the ‘multiple choice portion’ of the GSE. I didn’t know that the score on the multiple-choice test would be combined with the score on the lab portion. It seems that having a great score on the Multiple Choice Portion can lift the overall grade – very handy in case I don’t do so great on one of the labs.

Let’s see. I’m planning on taking the lab in March. That gives me about 6 months to take (and pass with a good grade) the written portion then study for the labs. It’s a bit aggressive (most people seem to want to take about a year), but I think I can do it.

So far, I have gone through ½ of 503 (Intrusion Analysis) and am indexing it again. I recently took the 504 class and certification, so I’m not planning on going through that material for the test (although I’m listening to the lecture in my car). After I finish 503, I’ll get the 501 (Security Essentials) course material and index that again.


The plan is to take the indexes and books from 501, 503 and 504 along with the Blueteam and Redteam handbooks to the test.


I should bring a dolly with me.


And I have a lot of reading to do.


The testing center better have space!
