Passed SANS GSE written!

Just got back from taking the test. Scored a 94.6% with 20 min left. Test was 150 questions with a 3-ish hour time limit (I forget if it was 3 or 3.5 hr). The study plan was to get a 91%, so I’m pleasantly surprised. The minimum passing score is somewhere in the mid 70’s, but I wanted plenty of wiggle room with the lab portion of the exam, and what GSE would want to pass with the bare minimum? The first half hour of the test was the most stressful. After that, I hit my stride and methodically worked through it, checking my time remaining at every checkpoint to make sure I wasn’t taking too long looking up items to verify my answers. If you have ever taken a GIAC test, you know that you get checkpoint scores every so often. . .

At any rate, you now know the materials I used to study, what I brought with me and how I created my index for the written portion of the SANS GSE.  Good luck to you!

Now the real preparation begins – for the GSE lab, hopefully in March 🙂


Final preparations for SANS GSE written test

Getting a little nervous I haven’t studied enough for the GSE written – you know, 20+ hours a week for 3 months and change. Looked at a few sites dealing with the multiple choice portion here: (yes, it’s from almost 5 years ago) and here ( – the ‘official word’ on the matter). There is also a helpful post from Courtney Imbert to the giac-study google groups e-mail list (dated 10/15/13? I don’t tend to delete e-mails very often.), although it seems directed more to the lab portion of the exam. For those who don’t know, Courtney is the GIAC tech director and has a GSE, so her advice merits close attention on two counts.


Oh, and I caved and started printing man pages. Couldn't find a good one online, so I went into the SANS 503 virtual machine, did a 'man snort | col -b > snort.txt', then used netcat to move it to my OSX box (repeated for syslog, tcpdump and nc). Pro-tip: if you do this, use narrow margins to prevent occasional word-wrap in MS Word.
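As an added example (not from the original post), here is that man-page-to-text step wrapped up for reuse, plus a sed-only fallback for a host without col(1). man(1) renders bold as "b<backspace>b" and underline as "_<backspace>x", which is exactly what col -b strips; the sample overstrike text below is constructed to show that. The host address, port, nc flag spelling and file names are assumptions.

```sh
#!/bin/sh
# Added example: turn a man page into clean plain text for printing.
# man(1) emits overstrike sequences ("S<BS>S" for bold, "_<BS>x" for
# underline); col -b removes them, which is why the original pipe used it.

# Preferred path, same as the original pipeline.
man2txt() {
    # $1 = man page name, $2 = output file.
    # On man-db systems MANWIDTH controls the rendered line width; keep it
    # no wider than what your word processor's margins can hold.
    man "$1" | col -b > "$2"
}

# Fallback that needs only sed: drop "_<BS>" underline pairs, then collapse
# "c<BS>c" bold pairs to a single c.
strip_overstrike() {
    bs=$(printf '\b')
    sed -e "s/_${bs}//g" -e "s/\(.\)${bs}\1/\1/g"
}

# Same result as man2txt on hosts without col(1).
man2txt_portable() {
    man "$1" | strip_overstrike > "$2"
}

# Moving the file between boxes with netcat, as in the post.
# Flag spelling differs between implementations: OpenBSD nc uses
# "nc -l PORT", traditional nc and ncat use "nc -l -p PORT".  Assumption:
# OpenBSD-style nc here; adjust for your host.
#   receiver (OSX box):  recv_file 4444 snort.txt
#   sender (503 VM):     send_file 192.168.1.10 4444 snort.txt
recv_file() { nc -l "$1" > "$2"; }     # port file
send_file() { nc "$1" "$2" < "$3"; }   # host port file

# Constructed sample of raw man output: bold "SNORT", underlined "opts".
SAMPLE=$(printf 'S\bSN\bNO\bOR\bRT\bT(8) _\bo_\bp_\bt_\bs\n')

# Runs the fallback over the sample; prints "SNORT(8) opts".
demo() { printf '%s\n' "$SAMPLE" | strip_overstrike; }

demo
```

If the printed copy still wraps, the line width of the rendered page, not the margin, is the thing to shrink; render narrower rather than fighting the word processor.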

SANS GSE certification progress – indexes, colored tabs, and verify what you’ve done!

[had a post for Nov 26 – lost it due to a computer crash while watching a youtube video on Clash of Clans. . . CURSE YOU GAME ADDICTION!!!!!]


Completed indexes, including SANS GCIA (503) workbook (that thing is a monster). Saved them, made a copy, sorted them, verified the term, page number, and any notes all line up. This may sound goofy, but one thing to double-check before going to a SANS test: verify your index is correct before you take any GIAC test! Why make such a silly statement? Because I happen to know someone who didn’t verify their index before they went to the test. On Question 2 they realized that something was horribly wrong; when they sorted the index, they only sorted the term and page columns, not the book column. Sucks right? Yeaahhh, ok – it was me. . . That was on the GPEN exam I took last year. Thankfully, I knew the material well, had tabs in the books for major topics, and still managed a good grade.

Oh, and tabs – put tabs in your books for major topics. I also sometimes put tabs along the top for major tools. Yes, I go through colored tabs frequently.


Anyway – the final index is 150+ pages, so I put that in a three-ring binder. Yes, I made an index with over 6500 entries for SANS 504, 503, and 401. Also going in there: the various cheat sheets, and all those pretty header diagrams from SANS 503.


Oh, and I just pillaged the GSE Google docs repository. Some good stuff in there, but I’m not going to print off the 50+ manpage references. . . now that I say that. . . maybe I shoul. . .NO!!! I’m not gonna do it. . . nooooooo.


This is getting a little sad at this point – I’m listening to SANS recordings instead of music. Hour long drive to work? You can fit a session in each way. Going to the grocery store? That’s 15min. Putting the final index together? You should really re-listen to GCIH 504 Day 2 (currently on hour 3, Maltego – and reconnaissance. You did the lab, right?).


Oh... format string vulnerabilities – I still don't get that. (504.3 p164-180)

SANS GSE test study update – getting everything organized and in one place

Felt pretty crappy today, so I stayed home to rest. One of the things I’ve saved till last is the SANS 503 Intrusion Detection In-Depth workbook. It’s big.

The only non-workbook. . . book I have left is SANS Security Essentials 401.5 (The Windows day). Now to start getting all the indexes in one place. The question is – do I combine them into one master index of SANS 401, 503 & 504 or keep them all separate? Probably both, just to be safe. I’ll be bringing a stack of books over a foot high to the testing center. . .what’s another ¼ inch?

One other thing – I need to get organized. I've left various SANS books, CDs and cheat-sheets here and there. Getting everything organized and figuring out what's the newest version has taken over an hour. Ugh.

SANS GSE progress – what order to study/outline books

I’ve taken one day off every other week to try to get ahead, but there is also a holiday in there, that’s helping me out. Yea! Currently I’m a little ahead, with only three books left (one is the massive 503 GCIA lab book). I’ve found indexing the 401 material to be somewhat basic – I’m wishing I had done that first to get it out of the way and have the more difficult material fresh in mind.

So far, it seems that I’m on track to take the test the first week of December as planned. IF all goes well, I’ll have four months or so to study for the practical part of the exam.

Need more time to study for SANS GSE test

Thinking of taking one day off / week from work until test day. If I take one day off every other week, I won’t be burning too much vacation time. . .

Scheduled the SANS GSE test – and making a study plan

Scheduled the test today. I work mids, so I scheduled it as late as possible. Also, I scheduled the test at a center a bit further away, but after calling them, they said it would be ok to pull up another desk to hold all the books etc.

So the study schedule for the test. I've got about 6 ½ weeks – GCIA (SEC503) has been outlined. I've moved on to GSEC (SEC401) this weekend. To get GSEC and GCIH (SEC504) re-outlined, I need to get through two books per week, which is a double-edged sword. The 401 material isn't as tough, but there is a LOT to go through. I have an older outline for GCIH, so I'll save that for last. Also, the workbook for 503 still needs to be completed (I'm about 1/3 of the way through it). So:

Oct 15-18: GSEC 401.1 & 401.2

Oct 22-25: GSEC 401.3 & 401.4

Oct 29-Nov 1: GSEC 401.5. This will be hard – Halloween is my fav. One book this week.

Nov 5-8: GSEC 401.6 & GCIH 504.1

Nov 12-15: GCIH 504.2 & 504.3

Nov 19-22: GCIH 504.4 & 504.5

Nov 26-29: Thanksgiving... whatever is left over... get it?

Dec 2: TEST

Wow – this is going to be tough.

Paid for the SANS GSE written test . . and some thoughts/advice on practice tests

Paid the invoice for the GSE test. Also signed up for the GSEC re-certification so I could have the latest course material. Discovered that if you go with the CPE option, SANS will NOT give you access to the practice tests. I asked nicely if they would. They replied that for the low price of $175 per test (or something like that) I could purchase practice tests.


That sucks, guys. Work isn’t going to go for paying out for that kind of stuff. Would it really be that bad to give the CPE guys a practice test?


So, if you are trying to get the testing material and want access to the practice tests, don’t go the CPE route; go the re-test route. Also, complain bitterly to SANS about the lack of practice tests for going the CPE route. I considered switching to test-recertification, but the last time I took the GSEC my grade was 95%. I’m not going to top that while trying to study for everything else.

Hindsight – if you have a test you didn’t do great on, go the re-test route even if you have the CPEs. You can improve your grade on the GIAC site and have those practice tests. This would have been helpful for my GCIA cert. It’s my weakest area and I only scored an 85% last time. I purchased the GCIA re-certification with CPE option back in June, so it’s way too late to even think of asking them if I could switch to testing. Guess I’ll be working extra hard on the labs to make sure I have everything down.

Now that the invoice is paid, I need to find a testing center to take the GSE exam. There was a really nice testing center up in Hunt Valley, but they apparently don’t do it any more. The testing centers in Baltimore are not. . . um. . . up to my standards (I’m trying to be diplomatic – basically the staff is nice, there just isn’t any space for my books and other testers are crammed in like sardines). I may actually go visit the testing centers in Columbia just to make sure they are nice. The last thing I want to do is switch centers and end up someplace worse. At any rate, one thing I have learned doing SANS certifications is to SCHEDULE EARLY! The desirable timeslots tend to fill up quickly.

Going for SANS GSE certification

So, I finally decided to actually do the GSE and stop talking about it. I'm not starting these posts at the beginning of my studies; I'm actually about ¼ of the way to where I want to be. I'm debating keeping these posts offline until the certification has been completed... I don't like posting failures to a place that can be as permanent as the Internet.

Today is the day after submitting for (and getting) approval to take the pre-qualification test. SANS is calling it the 'multiple choice portion' of the GSE. I didn't know that the score on the multiple-choice test would be combined with the score on the lab portion. It seems that a great score on the multiple-choice portion can lift the overall grade – very handy in case I don't do so great on one of the labs.

Let’s see. I’m planning on taking the lab in March. That gives me about 6 months to take (and pass with a good grade) the written portion then study for the labs. It’s a bit aggressive (most people seem to want to take about a year), but I think I can do it.

So far, I have gone through ½ of 503 (Intrusion Analysis) and am indexing it again. I recently took the 504 class and certification, so I'm not planning on going through that material for the test (although I'm listening to the lectures in my car). After I finish 503, I'll get the 401 (Security Essentials) course material and index that again.


The plan is to take the indexes and books from 401, 503 and 504 along with the Blue Team and Red Team handbooks to the test.


I should bring a dolly with me.


And I have a lot of reading to do.


The testing center better have space!

Microsoft patching

This is just to give everyone an idea of the escalation that happens in the information security field. . . .


Most of us know about Microsoft's "Patch Tuesday". In case you don't, it's the day each month (the second Tuesday) on which Microsoft releases its security updates. A fixed schedule lets IT departments plan patch deployments instead of dealing with a constant stream of patches to install.

Malware authors adapted to this schedule. Each Patch Tuesday they would race the antivirus and antimalware companies: as soon as the updates became available, they would download the patches and analyze the code changes to work out what Microsoft had fixed. With what they learned from reverse-engineering the patches, they would build new malware to exploit systems that had not yet been patched. At the same time, the antivirus and antimalware companies would be trying to generate protections for those same unpatched machines.


Microsoft created the Microsoft Active Protections Program (MAPP) in 2008 in response to this patch reverse-engineering problem. MAPP gives antimalware companies vulnerability details before the patch is released, so they have a head start on writing protection signatures or heuristics. That is a big advantage in creating protection.

(By the way, Microsoft even tracks which partners ship protections within 96 hours of notification here. Please note – based on what I see in the information Microsoft provides, very few companies consistently provide protection within the 96-hour window.)


Big win, right?


Not so fast.


In March 2012, exploit code for a just-patched RDP vulnerability was discovered on a Chinese website. The file contained the string "MSRC11678", which looked like an internal Microsoft case number: strong evidence of a leak from the MAPP program. The code was found after the patch had been released, but it is likely that whoever posted it had the vulnerability details before then. Confirmation of the leak came on May 3rd, when Microsoft removed Hangzhou DPTech Technologies Co., Ltd. from the MAPP program for breaching Microsoft's NDA.


Now I know what you must be thinking: how much in advance does Microsoft notify MAPP participants?


While it is tempting to stop there and spread FUD, the answer can be found on the MAPP blog. In a post dated May 2, 2012, MSRC senior program manager Maarten Van Horenbeeck wrote:

We provide this information to participating vendors shortly in advance of the release of a security update. We base the timeframe on partners’ ability to release effective protections, while limiting the risk, should the information be inadvertently disclosed.

We recognize that there is the potential for vulnerability information to be misused. In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously. When partners do not successfully protect our intellectual property, we take action, which may include removing the partner from our program.

In addition, we make sure to only release data shortly in advance of the security update. Prior to MAPP, vendors released detection within hours to days following the release of a security update. Today, we send MAPP data to our partners just as far in advance as they need to get that work done, only now, the protection is usually available when we release the update.


So, what is the point of all this? Two points:

1) In giving advance notice to antimalware vendors, Microsoft has also ended up giving it to malware authors. With over 70 companies from all over the world participating in MAPP, it is reasonable to assume that foreign intelligence agencies such as China's MSS (APT, anyone?) and Russia's FSB see this advance information as well. That is a lot of people with early access.

2) Microsoft tries to balance early dissemination against the risk of premature disclosure to malicious actors. How well antimalware companies act on the information to create protection appears to vary widely. At the same time, the delay from vulnerability notification to patch is measured in months; in this case the patch took six months.



