I took the GSEC course in July with around 70 other folks in Canberra. I’ve taken a number of other SANS courses already, but wanted to see what I’d missed.
In hindsight it would have been great to have taken the GSEC (401 track) course as my starting point to my SANS training, but things didn’t work out that way. Doing the course was like revisiting old haunts to find new paths or to avoid getting too carried away in too many fluffy lines; it was well worth revisiting the core topics and looking at them again.
We had Steven Sims provide guidance on the broad canvas of all the topics of the 401 track. He proved to be a brilliant and entertaining instructor, who coloured the course work with his own personal experiences and insights. Steven had a couple of topics close to his own heart during the six days, on which I’m sure, if he was allowed, he could have talked for hours – possibly days. It made for a fascinating and seemingly very short six days. I was all fired up, ready to kick start my exam prep as soon as I got home and complete this sucker before the month ended!
Then you get home, then back to work and reality sets in.
After the first three weeks of shifting the books from one spot to another, I talked to one of the guys I’d taken the course with and drew up a basic timeline and study plan. We kept it simple and straightforward. Four hours of study a week and listen to the audio files on the commute in and out of work. The working target was to sit the exam three months down the line, giving a month’s breathing space before the exam deadline date. The four hours of studying was to include using the pre-defined courseware scenarios and supplied tools on virtual lab systems we’d pre-built. I ended up with a couple of Windows domains (no surprise there) and a couple of random Linux boxes sitting on VMware and Hyper-V for practicing on. Since the VMs were isolated, I didn’t need to install AV software, which plays havoc with the SANS supplied tools on the CD. This gave me the ability to break and quickly restore test systems, which avoids the questions of having attack tools on work machines.
The audio portion was taken from a class in the US, by another SANS instructor, Dr Eric Cole. Eric has a very distinctive American New York accent, which kinda made me think that one of the Sopranos was teaching me IT security. I guess it’s a perspective thing. Dr Cole had his own take on the material and it was a superb counterpoint to Steven’s. Twice the instructor at half the price.
Dr Cole accompanied me for the next two months commuting to work and those long, random shopping trips guys get dragged into. I re-read and annotated the six course books on the bus; occasionally while half watching bad TV cop shows and two attempts at painting the kitchen.
Put together a simple timeline and goal plan. E.g. read book 1 properly, with notes and comments in two weeks, and then repeat again for the other 5 books.
If you can get someone to study with, even if as a form of encouragement, it really helps maintain focus. If you’re at a conference, swap email addresses with others doing the exam.
Get the little post notes stickies in different colours. Title the main chapters and sub sections first, then start creating tabs on topics or tools. Go mad with the sections you’re weaker on. The day six (Unix) book looks like I’ve doubled its depth with the things.
Create yourself little challenges on the sections you feel most confident on as a reality check. On the Windows day book, I was “I’m an MS god! I work with this stuff every day. This is too easy!” Still, a couple of the test questions had me scrabbling for the book as it was left field of my thinking.
Play with the tools and, if you can, build a lab. I still struggle with Linux/Unix and it was my biggest source of failed questions during the exam. More hands-on practice would have flipped those wrongs to right answers.
Listen to the audio records. Download them and have a listen when you’re in the car, in the shower or in board meetings. Just joking, showering could damage the mp3 player. You get the idea.
Avoid watching junk TV while studying; put 40 minutes aside to concentrate on the material. It’s not like you don’t know how the show is going to end; oddly enough they’ll be in the same peril again next week and somehow escape/solve it in 40 minutes. You’d think they’d find some other career less risky…
Don’t just put the books away after the exam. Pick one or two areas to study more on and think about taking the Gold paper challenge or simply challenging yourself to learn one more piece in depth.
My exam tips
It’s 180 questions in 300 minutes (that’s 5 hours) needing 126 right answers to pass.
Be nice to the Proctor.
Get a good night’s sleep before the exam. Avoid going in to the exam with any pressing time issues hanging over you (like painting a kitchen before everyone gets, for example …)
Have a clear space around to spread out the books.
Have any liquid in a container with a lid. It’s amazing how often a cup can be knocked over near paper or a computer. Both do an excellent job of absorbing that liquid.
Use the five skip question options if you spend more than 5 minutes figuring out the question. You can get hung up on the wording or meanings, so coming back to it later can help and avoid derailing you.
Use the break time of 15 minutes at the halfway point, so at about Question 90. Take this to stretch your legs and take a break from the screen. Exam fatigue sets in staring at the questions and the screen. You can get a little click happy otherwise, just to finish up faster. Don’t use it as a last-minute revision scramble! It’s there to relax.