Months of waiting, debating about what might occur, what they may ask, what would be required and the occasional bits of study all came to a head on Saturday the 19^th of September 2010, in Caesar’s Palace, Las Vegas, Nevada in the United States of America.

I got there two days before, in a vague attempt to shake off any jet lag effects and to get into the Vegas flow. Nice idea, but the execution failed abysmally. It may have been due to the excited anticipation, nerves or the simple desire to get on with it, take the damnable thing and have done with it. Meeting up with two other GSE candidates, who’d also arrived early, only proved how much the three of us had no idea what was really going to happen over the two days. Many of my personal thoughts stretched from the ridiculous that it would just be the practice examples from the three courses in the books, to some mix of the Bourne movies, involving being hunted, tortured and escaping all while having to set up Snort alerts and using Netcat to defeat the bad guys.

The only thing I really knew was that it was two days for testing taken from the SANS courses of 401, 503 and 504 and that the ring leader of this circus, Jeff Pike, was a man of mystery. Mr Pike cruelly tantalised us with brief emails, each of which gave a tiny hint on what was going to happen at the exam. My over-active imagination pictured Jeff as a classic Bond evil mastermind villain, sitting in his high-backed leather chair, cackling – in an evil mastermind way – flipping switches labeled Doom, Pain, Mayhem and Café-latte Decaf with a twist of hazelnut and lemon. I’d imagine him ordering his minions to stop feeding the sharks, set the booby traps and prepare for the would-be GSEs.

Anyway, away from ramblings of my deluded mind, Saturday morning 8am arrived. Caesars Palace’s huge Italian styled hallways of its conference centre and archway entrance to the exam room, did nothing to detract from the imagined Herculean tasks ahead.

The architect of my fears over the last few months, Jeff Pike was sitting at the head of the room, bathed in the glow of reflected laptop screens arrayed around him. Looking up, he saw me entering the room in a natty, and very fashionable, grey linen suit, hair flowing heroically with forced, nonchalant bring-it-on grin slapped on my face. In a freakish fast motion he was up and striding towards me.

Cue dramatic, sweeping music and fade to black.

The GSE Practical Exam

I’m not going to comment on what the exam contained over the two days. The GSE practical exam subject matter is laid out on the web site, so take your cues from there.

Nine people took the exam; a very mixed bunch of skills, experiences and job roles. I knew each of them from traded emails, sneaky peaks at LinkedIn profiles, blogs, postings and some from the books they had written. I took a small comfort that the group, as a whole, seemed pretty nervous.

I will say that the GSE exam is split in to four, four hour sessions over the two days and it’s about using the skills and knowledge learnt in the three SANS course to deal with real world scenarios in a compressed time frame. It’s not just a “do you know it and how to do it”, but “can you do it” in the time allocated. Jeff or a proctor (Charles, in the case) is in the room at all times and there to answer any question on the exam or help with any odd problems that pop up. There is no group presentation objective any more, which was a bit disappointing, so the entire GSE exam is a solo effort.

You need to have a laptop that runs VMWare images, has over 2GB of RAM and you have full admin rights over. It shouldn’t, much to my embarrassment, be massively locked down and specially harden. That caused one or two problems, which I really didn’t need during the exam as you will be connected to a segmented network at some point. Basically bring a basic patched OS that just simply works on, is pretty much set to all defaults and you could happily format once you’ve finished the exam – should you want to.

You can bring in up to a suit case worth of written material and have access to the internet from a couple of isolated laptops to refer to at any point during the exam. It’s pretty fitting to have access to notes and the web as it’s only very rare cases I’ve been locked in a room without some form of reference. I had every cheat sheet under the sun, a copy of security Fedora 12 and my Don’t Panic –a guide to the GSE. This is a booklet I’d created when recording all the crazy tests, examples, exercises, trivia, trials and tribulations from the testing I’d put myself through over the last few months.

Once I broke through the initial nerves, I really started to enjoy the exam. Some parts I flew through and other parts I want to throw the laptop through the wall. Some parts completely stumped me and others left me grinning like a Cheshire cat, but I worked through each and double checked what I could. After the first day ended, we were all wired and still energized. I chatted with a couple of the guys on way back to the hotel on how they approach the objectives on the way, just to understand what approach they had taken. Around 2am, I snapped awake and realised I’d cocked up a response. Sleep didn’t come easy after that.

I want to say the second day was calmer, as we knew the level of testing to be expected. There was definitely a buzz of excitement and anticipation going in to the exam, as we’d discussed a number of guesses what was going to be tested on. Again, a day of highs and lows, with parts I felt I sail through on the Sea of Easy and those that sank me on the rough Seas of What the Heck and the fatal jagged rocks of WTF. Jeff Frisk, Director of GIAC, sent in a trolley full of cold beers and dips in the last hour of the second day’s exam. I couldn’t work out if it was some weird form of mental torture, in order to apply a final piece of pressure in that precious hour.

After time was called and exam was ended, the mixed look of relief, frustration, reflection, puzzlement, excitement and sheer pleasure just to be finally done was on the group’s faces. We all took a long drink, shook hands, rolled out eyes at the questions and answer given. A group of SANS instructors, Jeff Frisk, and current GSE magically appeared to offer their congratulations for taking the exam and making it to the end -and steal a beer or two. Jeff Pike had one final joke to spring on us. The results of the GSE would not be reviled until after 30 days once we’d completed the exam. With the large number of people taking the exam they need to triple check our answers with multiple reviewers and confirm if we passed enough questions successfully. Each of the sections is marked separately, as they demonstrate different knowledge and skills. I guess you need to reach a base score in each section to hit the pass mark of the GSE, as it’s a pass or fail exam with no scoring revealed. I’m not sure if that’s a good or bad thing, but it’s just the way of the world.

Should You Attempt the GSE?

If you have the exam skills and qualification requirements, then it’s simple. Book the exam
now. The exam is hard but fair, very real world based and uses from the knowledge and skills of the three courses. No annoyingly vague or trivia based knowledge questions appeared, but you have to be good under pressure and able to work to deadlines.

If you can respond to an event or incident, analysis the information and present your findings clearly while working to a strict time line, you should take the GSE. The test and objectives flowed well and was in a very logical format, but allowed for personal styles to work in their own fashion to present their answers. If you are a well-rounded security professional, being comfortable with completing the exercises in any of the three SANS courses and smart enough to read into the hints on the GSE requirements, plus be able to clearly communicate findings on to paper, take the GSE.

To me the GSE qualification is about challenging myself to prove I ‘m able to stand shoulder to shoulder with my peers; a virtual marathon or mountain to climb, if you will. Finishing or the view from the top is amazing, but the determination, effort and sheer grit to attempt such a goal in the first place is worth of admiration and a nod respect for trying to improve yourself from your peers. I’ve been lucky enough to sit in classes with skilled classmates, talked to brilliant people in hallways and worked with amazing fellow workplace facilitators who could easily be in the next round of GSE candidates if they want to be. All it takes is making the financial and mental commitment to sign up. It is a good chunk of money and time, but doesn’t anything worth achieving have a price?

More Suggestions on GSE preparation

My top tip is not to attempt the exam with jet lag. At one point I thought the room went green and at several stages I swear objects started moving by themselves. Really.

1. Find someone to study with and bounce questions off. This really helps as you get to look at differing ideas and directions. I occasionally get stuck in one particular direction and mindset which means I fail to grasp the meaning, question or objective without spending a lot more time the really necessary.
2. Mentor or teach others. The SANS mentor program is a heck of a way to get a better understanding the SANS material and help others to learn security, it also makes you read related subjects and topics. Even if you don’t lead any SANS training, do security talks at local user group meetings, help a friend or colleague pass and exam or even just explain to your parents how to stay safe online. Create a couple of security awareness programs at work, one for the technical and one of the non-technical staff.
3. Read good quality blogs and books. When researching GSE objectives and topics, I spent quite a bit of time searching the web for decent examples. I’m sure no-one is amazed to read that there’s a huge amount of poorly written, ill-informed and just plain wrong pieces out there.
4. Watch good webcasts or recorded sessions. I’m quite slow sometimes and watching someone perform the steps in front of me, with the ability to stop pause and rewind, means I can grasp the information a lot faster.
5. Ask others. There are some wonderful people out there that actually answer questions, even when it’s a complete stranger. I had some responses from book authors, security royalty, and well informed normal security guys and girls, none of which knew anything about me but freely and very generously spend time answering questions or correcting misperceptions.
6. Review Jeff Pike’s presentation on GSE: facts, rumours and myths - Sadly, this didn’t get recorded so all the abuse he gave me will remain in that Vegas room The slides from that day are here and worth a look.

Final Thoughts

Whether I pass or fail the GSE, it’s been an amazing experience. I’ve learnt diverse materials and skills, much more than my current job role requires, even in areas I simply have no current requirement for. As I’ve mentioned before, we have a couple of *Nix systems out of thousands of Windows systems, but none of what I’ve studied, practiced and now learnt will go to waste. The other GSE candidates are normal, very smart and motivated people who are true security professionals. I’m proud and humbled to have attempted the same exam as them. I still have a have a long way to go before I’d ever think of calling myself a security expert, but I now know I can cope, handle and deal with real security incidents in a professional manner under pressure and others watchful eyes. The GSE would be a seal of approve and validation from GIAC that I can do this and an excellent affirmation of the teaching skills and abilities of my SANS instructors.

Do I think I’ve passed?

I’ll tell you in thirty days.