<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security for a day &#187; Study</title>
	<atom:link href="http://www.chris-mohan.com/category/study/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.chris-mohan.com</link>
	<description>Securing Windows networks or giving it a go in Australia...</description>
	<lastBuildDate>Sat, 31 Dec 2011 12:54:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Off to be a CISM, a wonderful CISM of ISACA</title>
		<link>http://www.chris-mohan.com/2011/09/off-to-be-a-cism-a-wonder-cism-of-isaca/</link>
		<comments>http://www.chris-mohan.com/2011/09/off-to-be-a-cism-a-wonder-cism-of-isaca/#comments</comments>
		<pubDate>Fri, 09 Sep 2011 07:06:16 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[Exams]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=911</guid>
<description><![CDATA[Okay, if you swap the words of the song from The Wizard of Oz for the title of this post it sort of works. Thought I&#8217;d give taking ISACA&#8217;s Certified Information Security Manager (CISM) certification a go given the large number of non-IT-literate business people I&#8217;ve been dealing with needing careful hand-holding when [...]]]></description>
			<content:encoded><![CDATA[<p>Okay, if you swap the words of the song from The Wizard of Oz for the title of this post it sort of works.</p>
<p>Thought I&#8217;d give taking ISACA&#8217;s <a title="Certified Information Security Manager (CISM) certification" href="http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/What-is-CISM/Pages/default.aspx" target="_blank">Certified Information Security Manager (CISM)</a> certification a go given the large number of non-IT-literate business people I&#8217;ve been dealing with needing careful hand-holding when it comes to providing security for their operations. These people know their business operations inside and out until they&#8217;re connected to a computer, and then it suddenly becomes a black box of mystery.</p>
<p>As part of our service to the business, we (IT security folk) learn their language, terms and requirements, but some business owners seem disinterested in even attempting to understand the fundamentals of something that&#8217;s now critical to their business survival. Is it a simple fear of the unknown, or the fear of being mocked for asking someone to explain something they have no understanding of? Business-crippling IT stories are now filtering into the popular mainstream media; a few examples: <a title="IT admin cops to crippling ex-employer's network" href="http://www.theregister.co.uk/2011/08/17/it_admin_revenge/" target="_blank">administrators going mad</a>, faceless people attacking companies from the far side of the world and <a title="4800 Aussie sites evaporate after hack " href="http://www.smh.com.au/technology/security/4800-aussie-sites-evaporate-after-hack-20110621-1gd1h.html" target="_blank">deleting their web sites</a>, and even very IT-security-aware companies losing their <a title="GlobalSign stops secure certificates after hack claim" href="http://www.bbc.co.uk/news/technology-14819257" target="_blank">critical data</a>.</p>
<p>If it makes the business folk feel as if I&#8217;m approachable without me having an MBA, it seems an easy step to take to help bridge that gap.</p>
<p>I&#8217;m booked in for the 10 December 2011 exam in Sydney, so better get on with some study.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2011/09/off-to-be-a-cism-a-wonder-cism-of-isaca/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Useful Web sites for Study</title>
		<link>http://www.chris-mohan.com/2010/12/useful-web-sites-for-study/</link>
		<comments>http://www.chris-mohan.com/2010/12/useful-web-sites-for-study/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 05:52:41 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[Exams]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=784</guid>
<description><![CDATA[Oops, left this sitting in drafts rather than publishing it last month. Some useful web sites I use to keep up to date and help out with studying Security and all things SANS. The SANS Reading Room www.sans.org/reading_room/ The Honeypot Challenges www.honeynet.org/challenges The Ethical Hacker www.ethicalhacker.net Pauldotcom http://pauldotcom.com/wiki/index.php/Main_Page Darkreading room www.darkreading.com SANS forensic blog http://computer-forensics.sans.org/ [...]]]></description>
			<content:encoded><![CDATA[<p>Oops, left this sitting in drafts rather than publishing it last month.</p>
<p>Some useful web sites I use to keep up to date and help out with studying Security and all things SANS.</p>
<p>The SANS Reading Room <a href="http://www.sans.org/reading_room/">www.sans.org/reading_room/</a><br />
The Honeypot Challenges <a href="http://www.honeynet.org/challenges">www.honeynet.org/challenges</a><br />
The Ethical Hacker <a href="http://www.ethicalhacker.net">www.ethicalhacker.net</a><br />
Pauldotcom <a href="http://pauldotcom.com/wiki/index.php/Main_Page">http://pauldotcom.com/wiki/index.php/Main_Page</a></p>
<p>Darkreading room <a href="http://www.darkreading.com">www.darkreading.com</a><br />
SANS forensic blog <a href="http://computer-forensics.sans.org/">http://computer-forensics.sans.org/</a></p>
<p>Metasploit Unleashed <a href="http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training">www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training</a><br />
Internet Storm Center <a href="http://isc.sans.edu/index.html">http://isc.sans.edu/index.html</a><br />
Security Tube <a href="http://www.securitytube.net">www.securitytube.net</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/12/useful-web-sites-for-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Additional GSE study material</title>
		<link>http://www.chris-mohan.com/2010/10/additional-gse-study-material/</link>
		<comments>http://www.chris-mohan.com/2010/10/additional-gse-study-material/#comments</comments>
		<pubDate>Sat, 09 Oct 2010 12:47:26 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[GSE]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/2010/10/additional-gse-study-material/</guid>
<description><![CDATA[Here&#8217;s a list of some of the additional material I used on top of the SANS courseware. I used these as a jumping-off point to understand some more in-depth points. Books: Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell Extrusion Detection by Richard Bejtlich A Practical Guide [...]]]></description>
			<content:encoded><![CDATA[<p>Here&#8217;s a list of some of the additional material I used on top of the SANS courseware. I used these as a jumping-off point to understand some more in-depth points.</p>
<p>Books:</p>
<ul>
<li>Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell</li>
<li>Extrusion Detection by Richard Bejtlich</li>
<li>A Practical Guide to Fedora and Red Hat Enterprise Linux – Fifth Edition by Mark G. Sobell</li>
<li>Unix and Linux System Administration Handbook – Fourth Edition by Evi Nemeth et al.</li>
<li>Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash</li>
<li>Nmap Scanning by Gordon &#8220;Fyodor&#8221; Lyon</li>
<li>The Hacking Exposed series</li>
<li>Counter Hack Reloaded by Ed Skoudis</li>
<li>The Hacker&#8217;s Challenge series</li>
<li>SQL Injection Attacks and Defense by Justin Clarke</li>
<li>Sherlock Holmes by Sir Arthur Conan Doyle</li>
</ul>
<p><a href="http://hakin9.org/">Hakin9 magazines</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/10/additional-gse-study-material/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preparing for the GSE multiple choice written exam</title>
		<link>http://www.chris-mohan.com/2010/10/preparing-for-the-gse-multiple-choice-written-exam/</link>
		<comments>http://www.chris-mohan.com/2010/10/preparing-for-the-gse-multiple-choice-written-exam/#comments</comments>
		<pubDate>Thu, 07 Oct 2010 08:42:49 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[Exams]]></category>
		<category><![CDATA[GSE]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=717</guid>
<description><![CDATA[My approach to the multiple choice exam was to treat it like any normal 500-level SANS exam. My target, life-, work- and proctor-willing, is to take the exam on Saturday the 20th March 2010, which is exactly 42 days from now. As we all know, 42 is the meaning of Life, or is that [...]]]></description>
			<content:encoded><![CDATA[<p>My approach to the multiple choice exam was to treat it like any normal 500-level SANS exam.</p>
<p>My target, life-, work- and proctor-willing, is to take the exam on Saturday the 20<sup>th</sup> March 2010, which is exactly 42 days from now. As we all know, 42 is the meaning of Life, or is that just a spooky coincidence?</p>
<p>I’m going to use an individual index for each of the 3 sets of courseware (401, 503 and 504). I have a brand new, lined A4 wire-bound notebook in which I’m handwriting the index of each book.</p>
<p>My goal is to have the 503 books indexed in seven days, then 504 indexed in seven days, followed by the monstrous 401 fully indexed in ten days.</p>
<p>The rationale behind this is:</p>
<ol>
<li>To make me read each page of each book and work out if that page should be indexed</li>
<li>To make me read and think about each topic on the page</li>
<li>For me to make side notes on tools, topics or subjects that are unclear</li>
<li>I want to retain and use the knowledge for the practical exam</li>
<li>I like using pen and paper</li>
</ol>
<p>To make sure I don’t become just book smart, I plan to also run through the practical questions and exercises throughout the courseware books.</p>
<p>I’ve been pretty active with hands-on training from studying and passing SANS <a title="SANS 501" href="http://www.sans.org/security-training/advanced-security-essentials-enterprise-defender-1102-mid" target="_blank">Advanced Security Essentials – Enterprise Defender</a> (SEC501) and Offensive Security’s <a href="http://www.offensive-security.com/penetration-testing-backtrack-online-training.php">Pentesting with Backtrack</a>, but intend to use some of the following sites to keep sharp:</p>
<p>Pauldotcom’s links to challenges, tools and a variety of other madness <a href="http://www.pauldotcom.com/wiki/index.php/Main_Page">http://www.pauldotcom.com/wiki/index.php/Main_Page</a>, not to mention actually listening to the podcast</p>
<p>The web site of the three Spanish GSEs <a href="http://www.radajo.com/">http://www.radajo.com/</a>; they set a huge benchmark to reach</p>
<p>The Internet Storm Centre for what’s going down in the real world <a href="http://isc.sans.org/">http://isc.sans.org/</a></p>
<p>The Ethical Hacker forums can post up some interesting links to other challenges <a href="http://www.ethicalhacker.net/">http://www.ethicalhacker.net/</a></p>
<p>Ed Skoudis and friends’ various devious, mind-twisting and nefarious challenges <a href="http://www.counterhack.net/Counter_Hack/Challenges.html">http://www.counterhack.net/Counter_Hack/Challenges.html</a></p>
<p>Mr Skoudis and friends again with command line kung fu in all shapes and flavours <a href="http://blog.commandlinekungfu.com/">http://blog.commandlinekungfu.com/</a></p>
<p>Laura Chappell is always fantastic for packets and Wireshark <a href="http://laurachappell.blogspot.com/">http://laurachappell.blogspot.com/</a></p>
<p>Richard Bejtlich still pops up some great Snort and packet stuff despite being a boss now ;-) <a href="http://taosecurity.blogspot.com/" target="_blank">http://taosecurity.blogspot.com</a></p>
<p>The SANS Reading Room for a brilliant reading resource and new ideas <a href="http://www.sans.org/reading_room/">http://www.sans.org/reading_room/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/10/preparing-for-the-gse-multiple-choice-written-exam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Indexing and how can it help me for the open book exams?</title>
		<link>http://www.chris-mohan.com/2010/10/what-is-indexing-and-how-can-it-help-me-for-the-open-book-exams/</link>
		<comments>http://www.chris-mohan.com/2010/10/what-is-indexing-and-how-can-it-help-me-for-the-open-book-exams/#comments</comments>
		<pubDate>Thu, 07 Oct 2010 08:32:58 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[GSE]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=719</guid>
<description><![CDATA[A quick word on indexing for SANS exams. SANS exams are open book, which means you can refer to the books at any point during the exam. In fact you can refer to any paper notes during the exam; only electronic notes are disallowed. Time is the enemy in open book exams, as spending too much [...]]]></description>
			<content:encoded><![CDATA[<p>A quick word on indexing for SANS exams.</p>
<p>SANS exams are open book, which means you can refer to the books at any point during the exam. In fact you can refer to any paper notes during the exam; only electronic notes are disallowed. Time is the enemy in open book exams, as spending too much time flipping pages or jumping between books looking for an answer slows you down horribly, eating away at the precious seconds.</p>
<p>The way I use indexing is to jog my memory and note tools, processes, concepts and the like next to the page number they appear on.</p>
<p>I only have page entries when I need to recall something on that page. This saves time during an exam, as I can jump straight to a reference.</p>
<p>Using a lined book I put down the page number, the title of the page and some key words or details. These details may be a formula, port numbers, someone&#8217;s name or command line syntax.</p>
<p>At the top of each page I have the course and book number as a title.</p>
<p>As an example:</p>
<p>503 Day 2</p>
<p>P99 tcpdump commands: -F \location (tcpdump filter expression in a file); -s 0 (capture full packet); -X (display in hex &amp; ASCII)</p>
<p>P130 filter for weird stuff in IP source and dest fields: IP[12:4] != 127.0.0.1 and IP[16:4] != 10.10.10.10</p>
<p>Post-it tags can also be very helpful to mark out sections full of tables, as another form of reference for quickly jumping to sections.</p>
<p>As an aside, my tutor for 503 was <a title="The legend that is Mike Poor" href="http://www.sans.org/security-training/instructors.php#Poor" target="_blank">Mike Poor</a>. As I read through the 503 pages making notes, I have him on the iPod. This unfortunately means I unconsciously use him as a narrator for my study notes. Even some of his jokes have started to appear in the notes&#8230; I think I may know some of his stories better than him now :)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/10/what-is-indexing-and-how-can-it-help-me-for-the-open-book-exams/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why use old tools in the GSE?</title>
		<link>http://www.chris-mohan.com/2010/10/why-use-old-tools-in-the-gse/</link>
		<comments>http://www.chris-mohan.com/2010/10/why-use-old-tools-in-the-gse/#comments</comments>
		<pubDate>Thu, 07 Oct 2010 08:28:47 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[GSE]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=721</guid>
<description><![CDATA[A great question was posted to one of the SANS’ lists on the practical requirements. I felt it was worthwhile publishing as it covers and answers a question I thought about but never asked. The Question: I&#8217;ve just had a quick look at the site you link to and would be interested to know [...]]]></description>
			<content:encoded><![CDATA[<p>A great question was posted to one of the SANS’ lists on the <a href="http://www.giac.org/certifications/gse.php">practical requirements</a>.</p>
<p>I felt it was worthwhile publishing as it covers and answers a question I thought about but never asked.</p>
<p>The Question:</p>
<p>I&#8217;ve just had a quick look at the site you link to and would be interested to know why this was chosen as the attack platform:</p>
<blockquote>
<ul>
<li>Backtrack version 4</li>
<li>Fedora Core 12</li>
<li>Windows Server</li>
</ul>
<p>To ensure a level playing field for all candidates, you will not be permitted to use any pre-installed favourite tools that you may have on your laptop. To complete the exercises you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.</p>
</blockquote>
<p>What does this prove, that you are a pen-tester from 4 years ago (BT1 released May 26, 2006)?</p>
<p>Surely if this exam is meant to show that you have current skills then it should allow you to use current tools.</p>
<p>A great response came back from Mark Baggett, one of the most recently minted GSEs.</p>
<p>Mark’s response:</p>
<p>I think of it more like &#8220;Hey MacGyver, here is your paperclip and bubble gum, now dodge this.&#8221;</p>
<p>I found the old tools added VMWare compatibility complications to the test.</p>
<p>Having newer tools would have been nice (or not deviating from the system requirements, no matter how smart I thought I was). That said, the compatibility problems I experienced added to the &#8220;pressure cooker&#8221;, which I think is part of it. Also, I don&#8217;t think that being able to attack ms08-067 requires a different skill set than ms04-011. Certainly pen-testing has changed a bit since then, but the GSE covers 504 <strong>not 560</strong>. All aspects of pen-testing are not part of this. A very solid understanding of the fundamentals of an attack is required.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/10/why-use-old-tools-in-the-gse/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The GSE Practical Exam 2010</title>
		<link>http://www.chris-mohan.com/2010/09/the-gse-practical-exam-2010/</link>
		<comments>http://www.chris-mohan.com/2010/09/the-gse-practical-exam-2010/#comments</comments>
		<pubDate>Tue, 28 Sep 2010 08:44:44 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[Exams]]></category>
		<category><![CDATA[GSE]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/2010/09/the-gse-practical-exam-2010/</guid>
		<description><![CDATA[Months of waiting, debating about what might occur, what they may ask, what would be required and the occasional bits of study all came to a head on Saturday the 19th of September 2010, in Caesar&#8217;s Palace, Las Vegas, Nevada in the United States of America. I got there two days before, in a vague [...]]]></description>
			<content:encoded><![CDATA[<p>Months of waiting, debating about what might occur, what they may ask, what would be required and the occasional bits of study all came to a head on Saturday the 19<sup>th</sup> of September 2010, in Caesar&#8217;s Palace, Las Vegas, Nevada in the United States of America.</p>
<p>I got there two days before, in a vague attempt to shake off any jet lag effects and to get into the Vegas flow. Nice idea, but the execution failed abysmally. It may have been due to the excited anticipation, nerves or the simple desire to get on with it, take the damnable thing and have done with it. Meeting up with two other GSE candidates, who&#8217;d also arrived early, only proved how little the three of us knew about what was really going to happen over the two days. Many of my personal thoughts stretched from the ridiculous, that it would just be the practice examples from the three courses in the books, to some mix of the Bourne movies, involving being hunted, tortured and escaping, all while having to set up Snort alerts and use Netcat to defeat the bad guys.</p>
<p>The only thing I really knew was that it was two days for testing taken from the SANS courses of 401, 503 and 504 and that the ring leader of this circus, Jeff Pike, was a man of mystery. Mr Pike cruelly tantalised us with brief emails, each of which gave a tiny hint on what was going to happen at the exam. My over-active imagination pictured Jeff as a classic Bond evil mastermind villain, sitting in his high-backed leather chair, cackling &#8211; in an evil mastermind way &#8211; flipping switches labeled Doom, Pain, Mayhem and Café-latte Decaf with a twist of hazelnut and lemon. I&#8217;d imagine him ordering his minions to stop feeding the sharks, set the booby traps and prepare for the would-be GSEs.</p>
<p>Anyway, away from the ramblings of my deluded mind, Saturday morning 8am arrived. Caesars Palace&#8217;s huge Italian-styled conference centre hallways and the archway entrance to the exam room did nothing to detract from the imagined Herculean tasks ahead.</p>
<p>The architect of my fears over the last few months, Jeff Pike, was sitting at the head of the room, bathed in the glow of the reflected laptop screens arrayed around him. Looking up, he saw me entering the room in a natty, and very fashionable, grey linen suit, hair flowing heroically, with a forced, nonchalant bring-it-on grin slapped on my face. In a freakishly fast motion he was up and striding towards me.</p>
<p>Cue dramatic, sweeping music and fade to black.</p>
<h2 style="text-align: center;">The GSE Practical Exam</h2>
<p>I&#8217;m not going to comment on what the exam contained over the two days. The GSE practical exam subject matter is laid out on the web site, so take your cues from there.</p>
<p>Nine people took the exam; a very mixed bunch of skills, experiences and job roles. I knew each of them from traded emails, sneaky peeks at LinkedIn profiles, blogs, postings and some from the books they had written. I took a small comfort that the group, as a whole, seemed pretty nervous.</p>
<p>I will say that the GSE exam is split into four four-hour sessions over the two days, and it&#8217;s about using the skills and knowledge learnt in the three SANS courses to deal with real world scenarios in a compressed time frame. It&#8217;s not just &#8220;do you know it and how to do it&#8221;, but &#8220;can you do it&#8221; in the time allocated. Jeff or a proctor (Charles, in this case) is in the room at all times and there to answer any question on the exam or help with any odd problems that pop up. There is no group presentation objective any more, which was a bit disappointing, so the entire GSE exam is a solo effort.</p>
<p>You need to have a laptop that runs VMWare images, has over 2GB of RAM and that you have full admin rights over. It shouldn&#8217;t, much to my embarrassment, be massively locked down and specially hardened. That caused one or two problems, which I really didn&#8217;t need during the exam, as you will be connected to a segmented network at some point. Basically, bring a basic patched OS that just simply works, is pretty much set to all defaults and that you could happily format once you&#8217;ve finished the exam – should you want to.</p>
<p>You can bring in up to a suitcase&#8217;s worth of written material and have access to the internet from a couple of isolated laptops to refer to at any point during the exam. It&#8217;s pretty fitting to have access to notes and the web, as it&#8217;s only in very rare cases that I&#8217;ve been locked in a room without some form of reference. I had every cheat sheet under the sun, a copy of security Fedora 12 and my Don&#8217;t Panic – a guide to the GSE. This is a booklet I&#8217;d created when recording all the crazy tests, examples, exercises, trivia, trials and tribulations from the testing I&#8217;d put myself through over the last few months.</p>
<p>Once I broke through the initial nerves, I really started to enjoy the exam. Some parts I flew through and other parts made me want to throw the laptop through the wall. Some parts completely stumped me and others left me grinning like a Cheshire cat, but I worked through each and double checked what I could. After the first day ended, we were all wired and still energized. I chatted with a couple of the guys on the way back to the hotel about how they had approached the objectives, just to understand what approach they had taken. Around 2am, I snapped awake and realised I&#8217;d cocked up a response. Sleep didn&#8217;t come easy after that.</p>
<p>I want to say the second day was calmer, as we knew the level of testing to be expected. There was definitely a buzz of excitement and anticipation going into the exam, as we&#8217;d discussed a number of guesses about what was going to be tested. Again, a day of highs and lows, with parts I felt I sailed through on the Sea of Easy and those that sank me on the rough Seas of What the Heck and the fatal jagged rocks of WTF. Jeff Frisk, Director of GIAC, sent in a trolley full of cold beers and dips in the last hour of the second day&#8217;s exam. I couldn&#8217;t work out if it was some weird form of mental torture, in order to apply a final piece of pressure in that precious hour.</p>
<p>After time was called and the exam had ended, a mixed look of relief, frustration, reflection, puzzlement, excitement and sheer pleasure just to be finally done was on the group&#8217;s faces. We all took a long drink, shook hands, and rolled our eyes at the questions and the answers given. A group of SANS instructors, Jeff Frisk, and current GSEs magically appeared to offer their congratulations for taking the exam and making it to the end, and to steal a beer or two. Jeff Pike had one final joke to spring on us. The results of the GSE would not be revealed until 30 days after we&#8217;d completed the exam. With the large number of people taking the exam they need to triple check our answers with multiple reviewers and confirm if we passed enough questions successfully. Each of the sections is marked separately, as they demonstrate different knowledge and skills. I guess you need to reach a base score in each section to hit the pass mark of the GSE, as it&#8217;s a pass or fail exam with no scoring revealed. I&#8217;m not sure if that&#8217;s a good or bad thing, but it&#8217;s just the way of the world.</p>
<h2 style="text-align: center;">Should You Attempt the GSE?</h2>
<p>If you have the <a href="http://www.giac.org/certifications/gse.php">exam skills</a> and <a href="http://www.giac.org/certifications/gse.php">qualification requirements</a>, then it&#8217;s simple. <a href="https://www.sans.org/registration/register.php?conferenceid=1251&amp;assessment_only=3092"><strong>Book the exam now</strong></a>. The exam is hard but fair, very real world based and draws on the knowledge and skills of the three courses. No annoyingly vague or trivia-based knowledge questions appeared, but you <strong>have</strong> to be good under pressure and able to work to deadlines.</p>
<p>If you can respond to an event or incident, analyse the information and present your findings clearly while working to a strict timeline, you should take the GSE. The test and objectives flowed well and were in a very logical format, but allowed for personal styles to work in their own fashion to present their answers. If you are a well-rounded security professional, comfortable with completing the exercises in any of the three SANS courses and smart enough to read into the hints on the GSE requirements, plus able to clearly communicate findings on paper, take the GSE.</p>
<p>To me the GSE qualification is about challenging myself to prove I&#8217;m able to stand shoulder to shoulder with my peers; a virtual marathon or mountain to climb, if you will. Finishing, or the view from the top, is amazing, but the determination, effort and sheer grit to attempt such a goal in the first place is worthy of admiration and a nod of respect from your peers for trying to improve yourself. I&#8217;ve been lucky enough to sit in classes with skilled classmates, talked to brilliant people in hallways and worked with amazing fellow workplace facilitators who could easily be in the next round of GSE candidates if they want to be. All it takes is making the financial and mental commitment to sign up. It is a good chunk of money and time, but doesn&#8217;t anything worth achieving have a price?</p>
<h2 style="text-align: center;">More Suggestions on GSE preparation</h2>
<p>My top tip is not to attempt the exam with jet lag. At one point I thought the room went green and at several stages I swear objects started moving by themselves. Really.</p>
<ol>
<li><strong>Find someone to study with and bounce questions off</strong>. This really helps as you get to look at differing ideas and directions. I occasionally get stuck in one particular direction and mindset which means I fail to grasp the meaning, question or objective without spending a lot more time the really necessary.</li>
<li><strong>Mentor or teach others</strong>. The SANS mentor program is a heck of a way to get a better understanding the SANS material and help others to learn security, it also makes you read related subjects and topics. Even if you don&#8217;t lead any SANS training, do security talks at local user group meetings, help a friend or colleague pass and exam or even just explain to your parents how to stay safe online. Create a couple of security awareness programs at work, one for the technical and one of the non-technical staff.</li>
<li><strong>Read good quality blogs and books</strong>. When researching GSE objectives and topics, I spent quite a bit of time searching the web for decent examples. I&#8217;m sure no-one is amazed to read that there&#8217;s a huge amount of poorly written, ill-informed and just plain wrong pieces out there.</li>
<li><strong>Watch good webcasts or recorded sessions</strong>. I&#8217;m quite slow sometimes and watching someone perform the steps in front of me, with the ability to stop, pause and rewind, means I can grasp the information a lot faster.</li>
<li><strong>Ask others</strong>. There are some wonderful people out there that actually answer questions, even when it&#8217;s a complete stranger. I had some responses from book authors, security royalty, and well informed normal security guys and girls, none of whom knew anything about me but freely and very generously spent time answering questions or correcting misperceptions.</li>
<li><strong>Review Jeff Pike&#8217;s presentation on GSE: facts, rumours and myths -</strong> Sadly, this didn&#8217;t get recorded so all the abuse he gave me will remain in that Vegas room :) The slides from that day are <a title="GSE facts, rumours and myths ppt" href="http://www.giac.org/certifications/GSE_20101103.pdf" target="_blank">here</a> and worth a look.</li>
</ol>
<h2 style="text-align: center;">Final Thoughts</h2>
<p>Whether I pass or fail the GSE, it&#8217;s been an amazing experience. I&#8217;ve learnt diverse materials and skills, much more than my current job role requires, even in areas I simply have no current requirement for. As I&#8217;ve mentioned before, we have a couple of *Nix systems out of thousands of Windows systems, but none of what I&#8217;ve studied, practiced and now learnt will go to waste. The other GSE candidates are normal, very smart and motivated people who are true security professionals. I&#8217;m proud and humbled to have attempted the same exam as them. I still have a long way to go before I&#8217;d ever <em>think</em> of calling myself a security expert, but I now know I can cope, handle and deal with real security incidents in a professional manner under pressure and others&#8217; watchful eyes. The GSE would be a seal of approval and validation from <a href="http://www.giac.org/overview/statement.php">GIAC</a> that I can do this and an excellent affirmation of the teaching skills and abilities of my SANS instructors.</p>
<h3>Do I think I&#8217;ve passed?</h3>
<p>I&#8217;ll tell you in thirty days.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/09/the-gse-practical-exam-2010/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>GSE – Last week before the off</title>
		<link>http://www.chris-mohan.com/2010/09/gse-%e2%80%93-last-week-before-the-off/</link>
		<comments>http://www.chris-mohan.com/2010/09/gse-%e2%80%93-last-week-before-the-off/#comments</comments>
		<pubDate>Mon, 13 Sep 2010 13:10:14 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[GSE]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/2010/09/gse-%e2%80%93-last-week-before-the-off/</guid>
		<description><![CDATA[Now in the week of the GSE exam, how did that happen so quickly? I know of another six people who are taking the GSE in Las Vegas, so the biggest group of GSE candidates, to date, all in one room and hungry for the SANS platinum qualification. Well, except for me &#8211; I&#8217;m really [...]]]></description>
			<content:encoded><![CDATA[<p>Now in the week of the GSE exam, how did that happen so quickly?
</p>
<p>I know of another six people who are taking the GSE in Las Vegas, so the biggest group of GSE candidates, to date, all in one room and hungry for the SANS platinum qualification.
</p>
<p>Well, except for me &#8211; I&#8217;m really there for the sandwiches and to take in a Tom Jones show. These months of prep have all been a cover for that. Apparently, it&#8217;s not unusual….
</p>
<p>I&#8217;ve talked to a couple of the GSE candidates about the exam and we have a similar theory on how the exam is going to play out. The current GSEs have given away nothing other than &#8220;know your stuff&#8221;. I think that&#8217;s a Zen mindset you reach, either that or they want everyone else to go through the same pain as them.
</p>
<p>I&#8217;m sitting here running through some exercises on getting <a href="http://www.gnupg.org/documentation/">GPG</a> to do securing stuff and watching <a href="http://www.imdb.com/title/tt0082198/">Conan the Barbarian</a>. The only reason I&#8217;m doing this is a) GPG and I don&#8217;t get on as well as I&#8217;d like and b) <a href="http://ericjhuber.blogspot.com/">Eric Huber</a> put the thought in to my overly crammed and easily confused head via a supportive Conan-esque tweet.
</p>
<p>Thankfully the web is full of quick start guides on GPG; I&#8217;m <a href="http://www.madboa.com/geek/gpg-quickstart/">using this one</a>. I&#8217;ve set up my BT4 and Fedora 12 machines to pass files over in a secured manner while an evil BT3 machine is capturing the traffic and trying to steal the &#8216;top secret&#8217; information of top Conan quotes.
</p>
<p>Oddly enough, going over this has made me flash back to the SANS 560 course and it all started making sense. Or it could be the fact Conan has just punched out a camel. That sometimes happens in Canberra too.
</p>
<p>I&#8217;ll just run through a few more exercises to lock in the basic principles again and update my notes. The lovely folk at Fedora have straightforward steps to <a href="http://fedoraproject.org/wiki/DocsProject/UsingGpg/CreatingKeys">protect GPG keys</a>, so that&#8217;s the next thing I&#8217;ll be playing with. At no point will I attempt any strange posturing with make believe swords during the typing of gpg commands. Crom!
</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/09/gse-%e2%80%93-last-week-before-the-off/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Blundering on the CLI</title>
		<link>http://www.chris-mohan.com/2010/08/blundering-on-the-cli/</link>
		<comments>http://www.chris-mohan.com/2010/08/blundering-on-the-cli/#comments</comments>
		<pubDate>Wed, 25 Aug 2010 13:19:49 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[Books]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/2010/08/blundering-on-the-cli/</guid>
		<description><![CDATA[Much to my own amusement, I&#8217;m still crashing around Linux like the proverbial bull in a china shop. One of the odd things about working in an OS that you hardly ever use is there&#8217;s no &#8220;where is everything and how do I use it&#8221; button. Google brings up fifty ways to do the same [...]]]></description>
			<content:encoded><![CDATA[<p>Much to my own amusement, I&#8217;m still crashing around Linux like the proverbial bull in a china shop.
</p>
<p>One of the odd things about working in an OS that you hardly ever use is there&#8217;s no &#8220;where is everything and how do I use it&#8221; button. Google brings up fifty ways to do the same thing, yet the syntax doesn&#8217;t quite work. I&#8217;m pretty sure most of the learned *Nix folks would be shaking their heads at the blundering of a Windows Admin on their home turf.
</p>
<p>Thank goodness for the &#8220;revert to snapshot&#8221; button in VMware Workstation for when I download every piece of software for no real reason and stuff up a perfectly working environment.
</p>
<p>Let me give you an example.
</p>
<p>One of the objectives in the GSE is a simple netcat relay followed by lots of weird and twisted relays, then shove a shell back to you with the lovely # prompt.
</p>
<p>Normally this is easy: jump on to the final box and type in nc -l -p 80 -e /bin/sh. Not on Fedora, which doesn&#8217;t like the -l and -p being run together. So nc -l 80 -e /bin/sh then?
</p>
<p>No &#8211; Fedora&#8217;s default out-of-the-box netcat stops the evil <span style="color:black">shenanigans of the -e execution option. Oops, so you have to go and install another version of netcat, such as the original written by the Hobbit (build netcat from source, as long as there&#8217;s a compiler on the box), which is on all of Ed Skoudis&#8217; SANS course materials, or download socat or one of its friends.<br />
</span></p>
<p><span style="color:black">Then using -e to shove a shell works fine.<br />
</span></p>
<p><span style="color:black">Okay, so different OSes have different versions of applications, but surely we could keep command syntax similar? Apparently not.<br />
</span></p>
<p><span style="color:black">I decided to reach out for a bit of help and guidance, in the form of what books to read. The two I settled on were both recommendations by people in the know:<br />
</span></p>
<p><a href="http://www.amazon.com/Practical-Guide-Fedora-Enterprise-Linux/dp/0137060882">A Practical Guide to Fedora and Red Hat Enterprise Linux &#8211; Fifth Edition</a><span style="color:black"> by Mark G. Sobell.<br />
</span></p>
<p><span style="color:black">It&#8217;s all about Fedora 12, which is the subject of the current GSE Linux tests. Very solid and clear layout, comprehensively covering the features of Fedora and its syntax proving excellent examples<br />
</span></p>
<p><a href="http://www.amazon.com/UNIX-Linux-System-Administration-Handbook/dp/0131480057/">Unix and Linux System Administration Handbook &#8211; Fourth Edition</a><span style="color:black"> by Evi Nemeth, Garth Snyder, Trent Hein and Ben Whaley.<br />
</span></p>
<p><span style="color:black">This one was recommended by <a href="https://twitter.com/hal_pomeranz">Hal_Pomeranz</a></span>, who wrote the <a href="http://www.sans.org/security-training/securing-linux-unix-76-mid">SANS Linux 506 track</a>, after I hassled him on twitter. This one covers many flavours of Linux and Unix, but it&#8217;s a marvelous journey through a SysAdmin approach to using *nix, making it a surprisingly easy read.
</p>
<p>I don&#8217;t expect either book will make me a super admin over the next few weeks, but they go a great way to make me feel somewhat more at home and relaxed in Linux, rather than feeling like I&#8217;ve just broken into someone&#8217;s place and set fire to it.
</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/08/blundering-on-the-cli/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>31 days to the GSE Exam</title>
		<link>http://www.chris-mohan.com/2010/08/31-days-to-the-gse-exam/</link>
		<comments>http://www.chris-mohan.com/2010/08/31-days-to-the-gse-exam/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 12:48:10 +0000</pubDate>
		<dc:creator>ChrisM</dc:creator>
				<category><![CDATA[GSE]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Study]]></category>

		<guid isPermaLink="false">http://www.chris-mohan.com/?p=697</guid>
		<description><![CDATA[31 days to the GSE Exam and counting down. The 18th of September is D-Day and I have to make it through to some point in the evening of the 19th, surviving whatever the fiendish SANS team have to throw at me at Caesars Palace in Las Vegas. I still have a giant pile [...]]]></description>
			<content:encoded><![CDATA[<p>31 days to the GSE Exam and counting down.</p>
<p>The 18th of September is D-Day and I have to make it through to some point in the evening of the 19th, surviving whatever the fiendish SANS team have to throw at me at Caesars Palace in Las Vegas.</p>
<p>I still have a giant pile of books next to my bed to read through and plenty of hands-on exercises to drill tools, techniques and best practices in to whatever space I have left in my brain.</p>
<p>Just when the GSE exam ends, the main event of <a title="SANS Network Security 2010" href="http://www.sans.org/network-security-2010/" target="_blank">SANS Network Security 2010</a> kicks off on the 20th. 41 different SANS tracks are running, meaning a huge number of security professionals there to learn, understand and have a great time. Seems so unfair, so much to learn and so little time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.chris-mohan.com/2010/08/31-days-to-the-gse-exam/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

