SANS GSEC – thoughts and studying for the 401 exam

I took the GSEC course in July with around 70 other folks in Canberra. I’ve taken a number of other SANS courses already, but wanted to see what I’d missed.

In hindsight it would have been great to have taken the GSEC (401 track) course as the starting point of my SANS training, but things didn’t work out that way. Doing the course was like revisiting old haunts to find new paths or to avoid getting too carried away in too many fluffy lines; it was well worth revisiting the core topics and looking at them again.

We had Steven Sims provide guidance on the broad canvas of all the topics in the 401 track. He proved to be a brilliant and entertaining instructor, who coloured the course work with his own personal experiences and insights. Steven had a couple of topics close to his own heart during the six days, which I’m sure, if he was allowed, he could have talked about for hours – possibly days. It made for a fascinating and seemingly very short six days. I was all fired up, ready to kick-start my exam prep as soon as I got home and complete this sucker before the month ended!

Then you get home, then back to work and reality sets in.

After the first three weeks of shifting the books from one spot to another, I talked to one of the guys I’d taken the course with and drew up a basic timeline and study plan. We kept it simple and straightforward: four hours of study a week, and listen to the audio files on the commute in and out of work. The working target was to sit the exam three months down the line, giving a month’s breathing space before the exam deadline date. The four hours of studying was to include using the pre-defined courseware scenarios and supplied tools on virtual lab systems we’d pre-built. I ended up with a couple of Windows domains (no surprise there) and a couple of random Linux boxes sitting on VMware and Hyper-V for practicing on. Since the VMs were isolated, I didn’t need to install AV software, which plays havoc with the SANS supplied tools on the CD. This gave me the ability to break and quickly restore test systems, which avoids the questions of having attack tools on work machines :-)

The audio portion was taken from a class in the US, by another SANS instructor, Dr Eric Cole. Eric has a very distinctive American New York accent, which kinda made me think that one of the Sopranos was teaching me IT security. I guess it’s a perspective thing. Dr Cole had his own take on the material and it was a superb counterpoint to Steven’s. Twice the instructor at half the price ;-)

Dr Cole accompanied me for the next two months commuting to work and on those long, random shopping trips guys get dragged in to. I re-read and annotated the six course books on the bus, occasionally while half watching bad TV cop shows, and during two attempts at painting the kitchen.

Study suggestions

Put together a simple timeline and goal plan, e.g. read book 1 properly, with notes and comments, in two weeks, and then repeat for the other 5 books.

If you can get someone to study with, even if only as a form of encouragement, it really helps maintain focus. If you’re at a conference, swap email addresses with others doing the exam.

Get the little sticky notes in different colours. Title the main chapters and sub sections first, then start creating tabs on topics or tools. Go mad with the sections you’re weaker on. The day six (Unix) book looks like I’ve doubled its depth with the things.

Create yourself little challenges on the sections you feel most confident on as a reality check. On the Windows day book, I was “I’m an MS god! I work with this stuff every day. This is too easy!” Still, a couple of the test questions had me scrabbling for the book as it was left field of my thinking.

Play with the tools and, if you can, build a lab. I still struggle with Linux/Unix and it was my biggest source of failed questions during the exam. More hands-on practice would have flipped those wrongs to right answers.

Listen to the audio recordings. Download them and have a listen when you’re in the car, in the shower or in board meetings. Just joking, showering could damage the mp3 player. You get the idea.

Avoid watching junk TV while studying; put 40 minutes aside to concentrate on the material. It’s not like you don’t know how the show is going to end; oddly enough they’ll be in the same peril again next week and somehow escape/solve it in 40 minutes. You’d think they’d find some other career less risky…

Don’t just put the books away after the exam. Pick one or two areas to study more on and think about taking the Gold paper challenge or simply challenging yourself to learn one more piece in depth.

My exam tips

It’s 180 questions in 300 minutes (that’s 5 hours) needing 126 right answers to pass.

Be nice to the Proctor :-)

Get a good night’s sleep before the exam. Avoid going into the exam with any pressing time issues hanging over you (like painting a kitchen before everyone gets, for example …)

Have a clear space around to spread out the books.

Have any liquid in a container with a lid. It’s amazing how often a cup can be knocked over near paper or a computer. Both do an excellent job of absorbing that liquid. :-(

Use the five skip question options if you spend more than 5 minutes figuring out the question. You can get hung up on the wording or meanings, so coming back to it later can help and avoid derailing you.

Use the break time of 15 minutes at the halfway point, so at about Question 90. Take this to stretch your legs and take a break from the screen. Exam fatigue sets in from staring at the questions and the screen. You can get a little click happy otherwise, just to finish up faster. Don’t use it as a last minute revision scramble! It’s there to relax.

11 thoughts on “SANS GSEC – thoughts and studying for the 401 exam”

  1. I had so many sticky notes hanging out of the side of my books when I was studying. When I got to the exam center they gave me a desk in the corner of the room so I could spread all my books out for the exam.

    Stephen Northcutt ended up making some good comments on my blog about my study habits and what he would recommend.

    All in all it was a great course (which I’m sure you’ll agree) .. and as a quick plug – I’ll be mentoring this course in Brisbane in Feb 09 (yay for a free plug)

  2. Hi Mohan,
    I am planning to take the SANS 401 test in 3 weeks. I am trying to index it but it takes a lot of struggle. Since you have it all done, would you mind sending me that? Your help will be highly appreciated.
    Thank you,

  3. Hello Jason,

    My notes were scribbled in an old dog-eared notepad, so aren’t in a format that can be emailed. Making an index of the 401 books will take around 3-4 hours, so just spread that time in amongst your 401 revision. I find indexing a way of strengthening my memory of the more obscure tools, commands or topics.

    Good luck with the exam.

  4. Hi Chris,
    Would you mind sharing your GSEC study materials with me? I just don’t have spare money to buy the course materials. I would really appreciate your help and would be really grateful to you. Thanks!

  5. Hi Chris,
    It would be an interesting experience from your article. Now I’m preparing for taking the GSEC401 exam after joining the SANS OnDemand course. I wonder, did you also have assessment questions in your SANS portal account, and are they similar to the exam questions or not? I have finished all the assessment questions in the OnDemand training soon, but being not confident just a little bit.

  6. Hello Minh,

    I found the two practice exam questions to be very similar to the real exam and a great indicator of what type of score I’d get when taking the actual exam. Just take the first test exam as if it were the real one and that will give you a great idea of where, if any, the areas are that you’ll need to study further on.

  7. Well, I took my exam today and my score was 71.67, I needed a 73. Tips, anyone? I did bookmark my book pretty good, I guess I better take the practice exam. This is really upsetting.

  8. Hello James,

    First off, don’t get disheartened that you didn’t pass. I’d guess you were one or two questions out from passing.

    The exam report in your SANS portal will give you some pointers to what topics you struggled on, so that would be the first place to re-work your revision efforts. If you can remember any areas or questions that you got wrong or that you didn’t fully understand, revisit them.

    Make some fresh notes on those topics and work through any related hands-on course exercises. The more the material is in your head and you understand it, the less important having an index is.

    Try not to be too hard on yourself and definitely take a practice exam once you’ve worked through the problem topic areas.

  9. Hi Chris

    I am going to be doing the 401 course in Sydney in a couple of weeks, and I was just wondering how much course material we will receive, as I was just going to take along a small backpack, i.e. the sort they give out at TechEd, plus a laptop bag.

    But in the email I received from SANS they advise to bring along a small roller bag, but the only type I have is a mid-sized one used when travelling.

    Thanks

    John
