SANS Sydney 2010, back in town

SANS Sydney 2010 is here again, with another four excellent courses to stretch, warp and expand the security mind.

Chris Mohan, GSE

Yesterday morning was thrown into disarray by a simple email.

Twenty days of replaying possible answers, pondering if I’d done enough and what I’d have to do if I failed came to a screeching stop. Jeff Frisk, Director of GIAC, notified me I’d passed the GSE practical exam and was now a GSE. Relief, joy and a perverse disbelief forced me to re-read the email a number of times just to confirm I had actually passed. I’m also delighted to announce that my classmates Doug Burks, Mike Cardoza, Jim Clausing, Vishal Hariprasad, Seth Misenar and Guy Bruneau are also GSEs.

I put a lot of hard work, effort and study into achieving a pass on these exams, and despite the title of GIAC Security Expert (GSE) I’m not nearly foolish enough to call myself an expert. This is a phenomenal starting point to continue to develop, grow and learn.

With all the serious stuff aside, it was time to celebrate. With all this healthy mind and body stuff to keep focused, I had avoided my normal sweet tooth cravings over these last months. Well, it was time to blow that out of the water. The first thing to do was hit the shops and buy two tubs of Ben and Jerry’s ice cream, followed by hand-made chocolates and freshly baked bread.

I spent the day reading a normal book, sitting outdoors in the sunlight and fresh air, stuffing my face. The sweet taste of success!

Thanks and acknowledgement to Mike Poor, Mark Hofman, John Strand, Bryce Galbraith, Steve Sims and Eric Conrad for providing advice, abuse, guidance, support and inspiration whenever I cornered them. They did this unconditionally, answering my questions and offering suggestions; all without making me feel a complete idiot for asking in the first place and making it simple to understand. The true hallmarks of exceptional teachers.

A last piece of heartfelt thanks goes to my friends and family that had to put up with my constant study, staring at computers day and night and listening to wild rants on why things didn’t go as planned.

Additional GSE study material

Here’s a list of some of the additional material I used on top of the SANS courseware. I used these as a jumping-off point to understand some more in-depth points.

Books:

Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell

Extrusion Detection by Richard Bejtlich

A Practical Guide to Fedora and Red Hat Enterprise Linux – Fifth Edition by Mark G. Sobell

Unix and Linux System Administration Handbook – Fourth Edition by Evi Nemeth

Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash

Nmap Network Scanning by Gordon “Fyodor” Lyon

The Hacking Exposed series

Counter Hack Reloaded by Ed Skoudis

The Hacker’s Challenge series

SQL Injection Attacks and Defense by Justin Clarke

Sherlock Holmes by Sir Arthur Conan Doyle

Hakin9 magazines

Why I wanted to take the GSE Exam and have you along for the ride

I posted the following to a couple of lists to get people thinking about getting off that fence and signing up for the GSE exam. I’ve re-posted it here for posterity.

Hello All,

Jeff Frisk and the folks at GIAC have made a significant effort in making the GSE exam available to more of us to attempt.

I have applied for the GSE 2010 challenge and hope to convince a few more of you to sign up with me.

If you have spent the time, energy and money to get the pre-requisites for the GSE exam http://www.giac.org/certifications/gse.php#prereq then, from my limited viewpoint, only three things stand in the way: time, money and confidence.

Time:

Good grief, why did no-one warn me about this in the first place?

Time is the most valuable and unforgiving part of this trinity of obstacles.

It’s a lot of time so far and I’m only squaring up for the multiple choice. I’m spending about an hour a day revising and reviewing. Playing with the tools and challenges from the books is pure geek fun, but factor in about six hours a week. These numbers may have to increase, especially on dreaded *nix OS knowledge, which is a bit of – or a gaping hole – a weakness of mine.

None of this time is wasted as it improves on my skills and knowledge, which equates (hopefully) to increased market worth. Yes, it means juggling some of the junk out of my life to make time for study. I, sadly, now don’t watch the Biggest Loser or the Bachelor anymore. I refuse to give up House, 24, the occasional drinks after work and having a life though.

As always, I take my hat off to those with families who still make the time to excel at their profession. It’s not easy to spend so much time locked away in a room away from loved ones and friends. Still, this effort can lead to opportunities in the future that benefit them directly.

Money:

Exam fees, travel, accommodation and time off work are the major financial costs.

As with any staff/business cost, it needs to be justified and measured against a return on investment from which the business sees a benefit. For the GSE exam itself, I wrote a business case for my boss on the advantages of having me attempt the GSE. As an example, I put forward that most of the study effort would be done in my own time and that they would directly benefit from what I’m striving for. By applying my increased knowledge, awareness and skills to our environment I could better serve the security needs of our business. They agreed to pay for the exam fees and time off, but I picked up travel and accommodation to the States. As I live in Australia, that was a fun conversation to convince the better half of the overseas travel costs, especially to somewhere like Las Vegas.

No certification will magically increase my salary overnight, but it can be a powerful motivator and differentiator at review or interview times. An added bonus, having the GSE avoids needing to recertify in your existing GIAC certifications. That’s a fair cost saving incentive to my company and a significant reduction of study hours.

Confidence:

It’s going to be a tough exam. I might fail. Would failing make me the black sheep of the security community or condemn me to corners at parties?

I think not.

Working on any major project by yourself is awful. However, get a group of determined, motivated, like-minded people working together toward the same goals and Fear, Uncertainty and Doubt (FUD) become distant memories. I found working with others helps me understand issues with greater clarity and removes a great deal of anxiety when dealing with complex topics, questions and problems.

Yes, I’m as nervous as heck and may crash and burn horribly, but if I do, that’s life and that’s an experience not to be forgotten. The more practice with real-world challenges, whether I succeed or fail, the more invaluable experience I gain. With a great group of people to train and study with, our chances of passing the GSE are only going to increase.

As a last parting shot to those still on the fence:

Without a critical mass of people having the GSE certification, it’s not going to go anywhere and SANS may have to drop it. We’re then stuck with industry benchmark qualifications that fail to prove anything more than that you can pass exams on academic topics. Yes, that’s more than a touch sweeping, but when I see hands-on security jobs requiring only management-orientated security qualifications, I despair; HR/management has once again written the job advert and they’re just using the expected, ill-informed industry baseline of security skills. So why not get some certifications up on the board we can aspire to, that have real-world value that can be measured?

I hear horror stories of the Cisco CCIE final lab exam pass rates. Despite only around 26% (according to Google searches) of first-timers passing the $1250 exam, that doesn’t seem to stop them from retaking it and retaking it until they pass. The recognition and value of the exam allows companies to fund their staff until they pass, allowing them to be seen as employing the best and brightest. Those that pass the qualification are proudly acknowledged as being at the top of their game, even by those that don’t know a switch from a box of cheese.

All I’m hoping for is a few people to take this exam with me. To be able to study and learn with and from others is an amazing boost and motivator. The IT security industry is still very young, and certifications may not be the best way forward, but currently they are all we have. Why not get one top-end security qualification that is universally recognised as worthwhile, value for money and validating of hands-on ability by people from inside and outside of the IT industry? The GSE could be the first of those if we, the security community, get it there.

I hope at least a few of you sign up or convince a friend, colleague or fellow student to take that step with me.

Sorry for the length of the post. It started out as two paragraphs and then I got caught up….

Preparing for the GSE multiple choice written exam

My approach to the multiple choice exam was to treat it like any normal 500-level SANS exam.

My target, life-, work- and proctor-willing, is to take the exam on Saturday the 20th March 2010, which is exactly 42 days from now. As we all know, 42 is the meaning of Life, or is that just a spooky coincidence?

I’m going to use an individual index system for each of the three sets of courseware (401, 503 and 504). I have a brand new, lined A4 wire-bound notebook in which I’m handwriting the index of each book.

My goal is to have the 503 books indexed in seven days, then 504 indexed in seven days followed by the monstrous 401 fully indexed in ten days.

The rationale behind this is

1) To make me read each page of each book and work out if that page should be indexed

2) To make me read and think about each topic on the page

3) For me to make side notes on tools, topics or subjects that are unclear

4) I want to retain and use the knowledge for the practical exam

5) I like using pen and paper

To make sure I don’t become just book smart, I plan to also run through the practical questions and exercises throughout the courseware books.

I’ve been pretty active with hands-on training from studying and passing SANS Advanced Security Essentials – Enterprise Defender (SEC501) and Offensive Security’s Pentesting with BackTrack, but intend to use some of the following sites to keep sharp:

Pauldotcom’s links to challenges, tools and a variety of other madness http://www.pauldotcom.com/wiki/index.php/Main_Page and not to mention actually listening to the podcast

The web site of the three Spanish GSEs http://www.radajo.com/ – they set a huge benchmark to reach

The Internet Storm Center for what’s going down in the real world http://isc.sans.org/

The ethical hacker forums can post up some interesting links to other challenges http://www.ethicalhacker.net/

Ed Skoudis and friends various devious, mind-twisting and nefarious challenges http://www.counterhack.net/Counter_Hack/Challenges.html

Mr Skoudis and friends again with command line kung fu in all shapes and flavours  http://blog.commandlinekungfu.com/

Laura Chappell is always fantastic for packets and wireshark http://laurachappell.blogspot.com/

Richard Bejtlich still pops up some great snort and packet stuff despite being a boss now ;-) http://taosecurity.blogspot.com

The SANS reading room for a brilliant reading resource and new ideas http://www.sans.org/reading_room/

What is Indexing and how can it help me for the open book exams?

Quick word on indexing for SANS exams.

SANS exams are open book, which means you can refer to the books at any point during the exam. In fact you can refer to any paper notes during the exam; only electronic notes are disallowed. Time is the enemy in open book exams, as spending too much time flipping pages or jumping between books looking for an answer slows you down horribly, eating away at the precious seconds.

The way I use indexing is to jog my memory and note tools, processes, concepts and the like next to the page number it appears on.

I only have page entries when I need to recall something on that page. This saves time during an exam as I can jump straight to a reference.

Using a lined book I put down the page number, the title of the page and some key words or details. These details may be a formula, port numbers, someone’s name or command line syntax.

At the top of each page I have the course and book number as a title.

As an example

503 Day 2

P99 tcpdump commands: -F file (read the filter expression from a file); -s 0 (capture the full packet); -X (display in hex and ASCII)

P130 filter for weird stuff in the IP source and destination fields: ip[12:4] != 0x7f000001 and ip[16:4] != 0x0a0a0a0a (i.e. source not 127.0.0.1 and destination not 10.10.10.10; the pcap filter grammar takes the comparison value as a number, not a dotted quad)
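To make the second index entry concrete, here is an added example (written for this page, not code from the original post or from the SANS courseware) that shows what the BPF byte-offset syntax is doing. In pcap filter syntax `ip[N:W]` reads `W` bytes at offset `N` of the IPv4 header as a big-endian unsigned integer, so `ip[12:4]` is the source address and `ip[16:4]` the destination, and the comparison value is written as a number such as `0x7f000001`. The script builds a few constructed IPv4 headers with `struct`, evaluates the same test in Python, and renders the matching pcap expression so it can be saved to a file and passed to `tcpdump -F`. The `land_attack` check (source equal to destination) is an assumption about what "weird stuff" in those fields might include and goes slightly beyond the note.

```python
"""Mirror of the tcpdump filter  ip[12:4] != X and ip[16:4] != Y  in plain Python.
Added example: not from the original post. All packets below are constructed test
data, not captures."""
import ipaddress
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    version_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words
    total_len = 20 + payload_len
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ip_field(pkt: bytes, offset: int, width: int = 1) -> int:
    """Equivalent of BPF's ip[offset:width]: width bytes at offset into the IP
    header, big-endian unsigned. A real filter simply fails to match a short
    packet; here we raise so the caller notices."""
    if offset + width > len(pkt):
        raise ValueError("packet shorter than offset+width")
    return int.from_bytes(pkt[offset:offset + width], "big")


def weird_addr_filter(pkt: bytes, not_src: str, not_dst: str) -> bool:
    """True when the packet passes  ip[12:4] != not_src and ip[16:4] != not_dst."""
    src = int(ipaddress.IPv4Address(not_src))
    dst = int(ipaddress.IPv4Address(not_dst))
    return ip_field(pkt, 12, 4) != src and ip_field(pkt, 16, 4) != dst


def land_attack(pkt: bytes) -> bool:
    """Assumed extra 'weird' case: source address equal to destination
    (BPF: ip[12:4] = ip[16:4])."""
    return ip_field(pkt, 12, 4) == ip_field(pkt, 16, 4)


def bpf_expression(not_src: str, not_dst: str) -> str:
    """Render the filter with numeric constants, ready for a -F file."""
    return "ip[12:4] != 0x%08x and ip[16:4] != 0x%08x" % (
        int(ipaddress.IPv4Address(not_src)), int(ipaddress.IPv4Address(not_dst)))


if __name__ == "__main__":
    samples = {
        "loopback-src": build_ipv4_header("127.0.0.1", "10.10.10.10"),
        "normal":       build_ipv4_header("192.168.1.5", "192.168.1.9"),
        "land":         build_ipv4_header("192.168.1.5", "192.168.1.5"),
    }
    print("filter:", bpf_expression("127.0.0.1", "10.10.10.10"))
    for name, pkt in samples.items():
        print("%-13s src=%08x dst=%08x passes=%s land=%s" % (
            name, ip_field(pkt, 12, 4), ip_field(pkt, 16, 4),
            weird_addr_filter(pkt, "127.0.0.1", "10.10.10.10"), land_attack(pkt)))
```

Save the output of `bpf_expression` to a file and run `tcpdump -s 0 -X -F thatfile` to get the same selection on a live interface or a pcap; the offsets are relative to the start of the IP header, so the same expression works regardless of the link-layer header length.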

Post-it tags can also be very helpful to mark out sections full of tables, as another form of reference for quickly jumping to sections.

As an aside, my tutor for 503 was Mike Poor. As I read through the 503 pages making notes, I have him on the iPod. This unfortunately means I unconsciously use him as a narrator for my study notes. Even some of his jokes have started to appear in the notes…. I think I may know some of his stories better than him now :)

Why use old tools in the GSE?

A great question was posted to one of the SANS’ lists on the practical requirements

I felt it was worthwhile publishing as it covers and answers a question I thought about but never asked.

The Question:

I’ve just had a quick look at the site you link to and would be interested to know why this was chosen as the attack platform:

<quote>

* Backtrack version 4

* Fedora Core 12

* Windows Server

To ensure a level playing field for all candidates, you will not be permitted to use any pre-installed favourite tools that you may have on your laptop. To complete the exercises you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.

</quote>

What does this prove, that you are a pen-tester from 4 years ago (BT1 released May 26, 2006)?

Surely if this exam is meant to show that you have current skills then it should allow you to use current tools.

A great response came back from Mark Baggett, one of the most recently minted GSEs.

Mark’s response:

I think of it more like “Hey MacGyver, here is your paperclip and bubble gum, now dodge this.”

I found the old tools added VMware compatibility complications to the test.

Having newer tools would have been nice. (or not deviating from the system requirements, no matter how smart I thought I was)  That said, the compatibility problems I experienced added to the “pressure cooker” which I think is part of it.  Also, I don’t think that being able to attack ms08-067 requires a different skill set than ms04-011.  Certainly pen-testing has changed a bit since then, but the GSE covers 504 not 560.  All aspects of pen-testing are not part of this.  A very solid understanding of the fundamentals of an attack are required.

SANS Network Security 2010

Las Vegas was hot, darned hot. The average temperature was a blistering 38C, without promise of clouds, rain or even a cool breeze. None of this really mattered to me as for nine days I was a virtual prisoner of Caesars Palace, doomed to only see the outside sunlight through glimpses out of windows, doorways and the TV.

The pre-panic GSE study, followed by the GSE exam, took care of three days. Those days descended into terrible sleepless nights, which manifested themselves in forcing me to roam the halls, streets and haunts of nearby Vegas venues from 12am until 5am each night. This was a desperate attempt to weary my confused and over-excited brain to slumber. If only it had worked. The days were simply blurred. I have vivid memories of particular moments and events, but anything that wasn’t GSE-driven has been consigned to the void.

Luck was on my side this year as I got to be a workplace volunteer at SANS Network Security 2010 on Steve Sims’ Developing Exploits for Penetration Testers and Security Researchers course. This meant I got to take this amazing course and not go into further crippling debt, which in Vegas is always a good thing. Normally, as a volunteer, there’s a muster on the morning before the conference starts and all the behind-the-scenes work takes place. This ranges from sorting out the course materials, working out what needs to be done and then everything in between. There’s a huge amount of hard, physical work that’s done by the volunteer crew. As the GSE exam was still in full flow, I missed all this. That’s actually a shame, as you get to know the others and start the banter and camaraderie that keeps you going for the long week ahead.

Around 1200 people attended, with 41 courses, dozens of talks, presentations and break-out groups happening throughout the week. This is the first time I’ve been a part of a SANS conference of this size and the sheer amount of planning, organisation and ordered chaos is stunning. I stuck my head in the early registration room around 8pm on the Sunday night and was surprised to find a large group of volunteers and SANS staff still there. They had registered over 500 students, but the place still looked like only a few people had registered. I said a few quick hellos, picked up my books and the famous red apron, and headed off to sleep. Well, that didn’t work and after around three hours’ sleep I was back at the meeting point at 6am Monday morning, feeling surprisingly awake. Only problem was, I was at the wrong muster point and it took about ten minutes to work this out. Obviously I was as awake as I thought.

A quick jog to the right meeting point and I walked into the volunteer group. To see thirty-plus men and women in the bright red aprons in one spot is a stirring sight to behold, especially without any form of caffeine in the bloodstream. Standing at the head of the room was Katherine, the SANS volunteer general, fixer, enforcer and part-time fairy godmother. Katherine was in full flow, assigning last-minute tasks, correcting minor issues and checking on status points. She quickly noted my less than quiet entrance and summoned me. This is a great start to the day and week, I thought, groaning inwardly, busted for being late and stupid, an excellent first impression. Katherine was very kind – fortunately – and had a couple of extra duties for me to undertake during the conference. None of which were any real burden and, being determined to make up for any slight, I happily took them on.

The major part of the first day’s duties is to get the students sorted with their course materials and welcome packs and point them in the right directions. Given some of the delightful American accents and turns of phrase I’d already encountered and had some “minor confusions” with, I quickly volunteered to be a runner to grab the books, rather than be on the front desk. There’s nothing worse than some foreigner demanding you repeat yourself clearly and in the Queen’s English – it might work for Hugh Grant, but put in front of 500 Americans who haven’t had coffee, I wouldn’t like his chances.

Anyway, the hours flew by. Some six hundred students were sorted out; I got to meet some of the guys and girls and nearly crippled both Emily and Matthew, the two other SANS staffers working with Katherine. I think the accent and the floppy hair smoothed over most of my near-fatal mistakes; the professionalism of everyone else helped too :)

When a supply problem popped up, I got to assist Katherine as she worked her magic fixing it, which was pretty amazing to behold, given the distances, logistics and time frames involved. I’ve worked at big events before, but I’m still amazed how the folks in the background just make things work, without anyone noticing. I think they could have stepped in to a career as an illusionist without messing their hair.

All of this in the first few hours before the conference had even started. The first day is usually the busiest and when things can go a bit loopy. Still, I got to the end of the day in one piece and no fires broke out in the building, so better than the last SANS conference. It’s at this point the volunteers disappear into the “office” to do some quick paperwork, talk about what’s happening in the classes and hurry off to help out with one of the evening talks.

It’s during the downtime that you get to socialise with the other volunteers, share experiences, swap ideas, verbally abuse each other and generally have a lot of fun. It’s all about the banter. Anyone who puts their hand up for one of these roles is there to learn and put in a good amount of hard work on top of all the mental effort while in class. In my book, that’s someone worth getting to know. Over the six days, I got to spend a bit of time with pretty much everyone in a red apron; some very unlucky people got to spend too much time with me. Brad, Sarene and Jared obviously did something terrible in a former life and so got the lion’s share of quality time. If you get the chance to be a volunteer, throw everything you have at the experience and drag out every last second.

The rest of the week became a predictable flow of stability and spikes of utter chaos. The spikes, caused either by near-death experiences from instructors on Segways and/or beer, kept life pretty interesting. One late-night incident culminated in a disastrous round of whiskey shots; another plonked me in the middle of the Forensics crowd, face to face with Eric Huber and his liege, Rob Lee. I think it only best to leave some of the other stories in Vegas, but a good and semi-safe time was had by all.

I had some excellent random chats with other students about the GSE, SANS, security and life in general. I only wish I’d had more time to spend chatting with some of the other people there, as I’d seen their names on blogs and mailing lists, but it’s better to put a face to the name. The little red apron gives you more access to the instructors, so I managed to chat with a good number who never reach these shores, in an attempt to get them to teach a class or two in Oz.

Some fantastic talks were given in the evenings, but invariably there would be work to do or three talks on at the same time that I wanted to be at, so I went to what I could. One evening I gave a talk on TMG, which I must write a post on, where twenty-odd souls turned up to hear it. I was following some very tough acts, but managed to survive and hey – I can now say I was on stage in Vegas!

Summing up, it was a crazy, non-stop nine days in Las Vegas. I met some amazing people, took a phenomenal course, had very little sleep, was occasionally tortured and had an all-round brilliant time. Okay, it took over 1200 words and a huge amount of rambling to say that, but it was a massive experience and one I won’t be forgetting any time soon.