View RSS Feed

JDMurray's Blog at www.TechExams.Net

The GIAC GSEC Exam Experience

Rate this Entry
by , 09-11-2012 at 02:53 AM (118715 Views)
This is part three of a series of three articles on the SANS SEC401 training course and the GIAC GSEC certification exam posted at Parts one and two are The SANS Security Essentials SEC401 Experience and My Study Plan for the GIAC GSEC Exam.

If you have ever taken a Prometric or Pearson VUE computer-based exam then you know pretty much what you are in for with the GSEC exam. However, the GIAC experience has a few differences from other IT certification exams that you should be aware of.

Signing Up for the GIAC GSEC Exam

The GIAC GSEC is a 5-hour, 180-question computer-based exam administered at a Pearson VUE Testing Center. You will choose your testing center when you sign up for the exam through your account on (Military testing centers have the word "Military" or "DoD" in their name.) With over 3500 testing center globally, you should be able to find a Pearson VUE Testing Center within a practical distance from yourself.

I scheduled my exam at the testing center of a local community college near to where I both work and live. I always schedule my certification exams for early Saturday mornings when there is no line of exam candidates waiting to check in, or competition for spaces in the student parking lots. An early exam time also leaves me the rest of the day to squander on finishing these blogs articles, playing Minecraft, and eating Chipotle.

Vetting and Verifying and Validating (Oh My!)

If you haven't taken a Pearson Vue exam in a while--which was my case--you may be surprised and impressed by the increased security. You start with a printed form on a clipboard with all of the DO's and DON'T's of the testing center and the exam provider that you must check off and sign. It's nothing unreasonable and pretty much the rules you would expect in a secure testing environment.

The only DON'T that caught my eye was the agreement not to write anything on the dry erase note board given to you for taking notes during the exam before you actually start the exam. One of the long-standing, IT certification test-taking tactics has been to "dump" things you were holding in your brain for the exam (formulas and equations, calculation matrices, tables and listings, etc.) on to this note board before you click the button to start your exam. Apparently, this action is now specifically disallowed, so a forewarning to you all.

You also need two forms of personal ID, one of which must be government-issued with picture, and both must have your signature. A driver's license is standard; I used my city library card for the other. This is verified against your on-screen signature you sign on a pad with a stylus. Your picture is then taken with a webcam. In my case, this resulted in an image that looked worse than either the picture on my drivers license or my library card. Certainly I could remind no one anymore of Silent Bob.

You must next surrender the bulk of your personal possessions to a (small) secure locker for the duration of your stay at the testing center. (I needed two because of my SANS bag and hat.) I would really suggest leaving backpacks and overcoats in your car.

What you cannot take into the exam room with you includes the following:

  • Anything possibly electronic (cell phones, watches, cameras, computers, calculators, USB devices, car keys, The Internet, etc.)
  • Extraneous clothing (coats, jackets, head coverings, bags, purses, wallets, portable floatation devices, etc.)
  • Food, water, children, and small animals (helper monkeys and seeing-eye ferrets are possibly OK, but ask to be sure)

You are also not allowed to take in pens, pencils or other writing implements, yet you are given an erasable note board and a dry erase marker, so go figure. (I guess you might have a camera-and-voice-recorder spy pen?)

What you should be taking into the exam room includes:

  • All six SANS SEC401 training books with sticky note bookmarks attached
  • Your printed SEC401 lecture notes that you took in class
  • Your printed SEC401 books index that you made with extreme attention to detail
  • A printed copy of the SANS TCP/IP/tcpdump cheat sheet (recommended by Dr. Cole too)
  • Printed copies of other information that you think may be useful in the exam
  • A copy of the Network Security Bible by Dr. Eric Cole, et al., complete with its own professionally-created index (your secret weapon!)
  • Your lucky SANS upside down IP & TCP headers t-shirt (I looked at it more than once!)
  • Yellow sticky notes (keep reading...)

Now, you might be thinking, "Do I really need to take all of that stuff? Well, the GSEC exam is designed with the idea that the exam candidate will have all of this information at their fingertips during the exam. You are also allowed to take with you as much paper into the exam as you want (within reason, of course). So unless you think you know the GSEC material so well that all of that paper would just slow down your brain, I highly recommend lugging all the dead trees into the exam room and give your brain's ego a rest (*hint hint*).

You can find out more details about the testing center requirements from the SANS and Pearson VUE Web sites, and from the emails you will start receiving from about a week before your scheduled exam date.

Into the Abyss...

As you enter the exam room and are lead to the very small table that harbors your testing computer, you might find yourself thinking, "Wait, there no room for all my books and papers!" Yes, there is a possibility that the generous amount of desk space you gave yourself for shuffling your books and indices back and forth while taking your practice exams will not exist in the testing center.

Fortunately for me, the cubical in my testing center were of adequate size for SANS books and paper shuffling. From taking the practice exams, I knew that I had to make a pile of book on either side of the keyboard and keep my index directly in front of me. All my other papers, Network Security Bible, and dry erase note board were to either side of the monitor. The ergonomics of it actually worked quite well.

My only real concern was the noise level. The room was deathly quiet; most of the time I was the only occupant making any noise, flipping my books and index pages. Despite my concern, it turned out not to be a problem. Part of the testing center security is having a proctor physically patrol the testing room every 15 minutes or so. The occasional sound of doors opening and closing, and people with questions and computer problems, more than masked the thuds and scratchings evoked by me taking my exam.

It's All About Cerebral Endurance

Five hours is a lot of time to spend taking an exam. However, you won't be in there nearly that long if you learn the material and prepare well. But heck, you need only a 73.9% to pass the GSEC. You might even consider speed-clicking your way out of the exam in under an hour. Of course, you would need to spend the rest of your life telling people, "Hey, a pass is a pass!" to explain your low passing score. (Start by telling that to the person who paid for your SANS training and GIAC exam.)

The GIAC exams are very similar to the other computer-based certification exams that you've already taken, so use the same test-taking strategy you've used before for solving CBT exam items:

  1. Read the question and attempt to determine the correct answer before looking at the answer options (this may not be possible for some exam items).
  2. Read each answer options and explain to yourself why this option is correct or incorrect.
  3. If two answers both seem to be correct, re-read the question and determine which of the two answers best fits the question.
  4. If still stumped, use your index to look up information found in the question or answer options and read what the SANS training material says about it.
  5. If you index does not list a term that you need, look in your notes and print outs, the Network Security Bible, or on your lucky SANS t-shirt. (Ah, now you wished that you had bought them.)
  6. Still nothing? Either start blindly flipping through the books hoping to see something, or skip the question and try to answer it at the end of the exam. (You can only do for five exam items, so try not to not to end up at this step too many times.)

Geez, That's Annoying...

The time remaining in your exam is displayed prominently at the top of the screen. If this bothers you, cover it up using one or two of your yellow sticky notes. Also on screen, your exam score is shown and updated every 15 questions. Cover that up with a sticky note if it freaks you out. If you need a calculator for any arithmetic operations, one is provided also on-screen, and may be covered up if you find it unnerving as well.

Five Hours Without a Trip to the Bathroom?

At the top of the screen are buttons that give you the chance to skip the current exam item, or to flag it to make a comment about it at the end of the exam. Items that you skip will be shown to you again at the end of the exam for you to answer and, as I said in the previous article, you can only do this for five exam items. If you want to take a break, hit the "Take a Break!" button to stop the exam clock for 15 minutes. However, you will need to answer all the questions that you skipped first. (Can't have people running out to look up exam item answers on the Internet using their 4G LTE cell phone, can we?)

One other interesting fun-fact is that items displayed for comments will only have their questions shown and not their answer options. I assume this mitigates against the memorization of exam items for post-exam brain dumping. So make sure you take notes on your dry erase board about any items you wish to comment. You may comment on up to ten exam items. Write some especially clever exam item comments and you may one day get an email reply from someone at GIAC. (Hi Jeff! )

Crushed It!

I finished the GSEC exam just before the 4-hour mark and had three skipped questions to go. After having a second look that them, I decided the answers were fairly obvious and did not waste too much time on them. I then completed the exam and was informed that I passed with a score of 93.89% in a time of 04:04:34, which was astonishingly close to to results of my second practice exam. I was shooting for 95%, but would settle for any score in the nineties, so I did acquire my target objective.

After the scoring, I was given the chance to remark on the exam items I had flagged to comment. I had a few remarks ("So where was THAT topic in the SANS SEC401 books?"), but not much really to complain about. Regardless, I do feel as though I contributed a miniscule modicum of improvement to the quality of the GSEC exam. It's nice to have the ability to provide direct input into something I've invested so much time in.

Also at the finish of the GSEC exam is the familiar exam summary with the zero-to-five-stars rating of each topic. I got three or five stars on every topic except for honeypots--where I got zero stars! Well, I guess I can live that one down. I would have bet that Active Directory and Windows permission would have been my Achilles heels. Apparently I can tell a GPO from a SACL.

Post-Exam Administration

Another stage of your GSEC certification journey begins just before you step outside of the testing center, squint in the sunlight, and try to remember where you parked your car. Forewarned is forearmed for avoiding this confusion.

Be aware that there is no post-exam printout of your exam results at the testing center. Your score is displayed on the computer screen and GIAC sends you all of your information and instructions via email immediately after you complete your exam. Neither myself nor the testing center people knew this, and we wasted about 20 minutes attempting to coax a printout from the testing center's system, and filing an incident report with Pearson VUE. To their credit, Pearson VUE did send me an email saying that my exam results was available online at

Sans Frame?

One interesting post-exam decision I was asked to make is whether or not to receive my GIAC paper certificate pre-mounted in a wooden frame. This question is asked at the conclusion of the exam, in email, and again when filling out the certificate request form online. The frame is free, but does require a shipping and handling charge to the tune of $19 for US/Canada and $34 for international delivery. I shook off my eBay S&H deja vue and decided to go with the bare paper, which is completely free. I may have chosen otherwise had I been able to see what the certificate looks like in the frame. My GSEC certificate arrived one week after I submitted the form, and it looks very nice in a $6 Big Lots picture frame.

GIAC Advisory Board

If you pass any GIAC exam with a score of 90% or better you can expect to receive an email from GIAC asking if you would like to join the GIAC Advisory Board. The Advisory Board is made up of GIAC-certified professionals who meet to discuss formal issues directly related to GIAC and SANS business, such as training and certification. Meetings are held on a group of mailing lists averaging about 30 messages per week, and is distributed to about 2000 GIAC members. Because some of the material presented involves content regarding future direction of exams and other proprietary information, members are required sign a Non-Disclosure Agreement. More on this once I'm active on the board.

And a Final Thank You To My Employer

I would never personally assume the expense to indulge myself in SANS training and GIAC certification. The target market for SANS courses and GIAC certification are businesses and not individuals, and their cost reflects what the market will bear. For organizations, the ROI for having SANS-trained people is tremendous. I am grateful my employer--both the human and administrative parts--recognizes the value of SANS training for its employees.

Have any questions for the SANS-trained, GIAC-certificed people at TechExams.Net? Please post them to the SANS GIAC discussion forum at TechExams.Net.

Updated 04-02-2013 at 07:31 PM by JDMurray

Tags: giac, gsec, sans Add / Edit Tags


  1. uyen_nguyen's Avatar
    I love this one: "A copy of the Network Security Bible by Dr. Eric Cole, et al., complete with its own professionally-created index (your secret weapon!)". Thank you for sharing your secret weapon.
  2. laughing_man's Avatar
    Great review of the GSEC, a very comprehensive exam! Congrats JDMurray!
  3. YFZblu's Avatar
    Great writeup, one of the best I've seen!
  4. hiteckcwby's Avatar
    I just finished SEC401 today and am anxious to begin studying for the exam. I found your blog prior to taking the class and try to apply your advice during the class. However, I was unable to track down one of these TCP header t-shirts. Any idea where a person can order one?

    Great review by-the-way!
  5. JDMurray's Avatar
    Thanks! I'm glad this article helped.

    The TCP/IP header t-shirt was a free give-a-way at a SANS event. You can probably order one through the SANS bookstore.


Total Trackbacks 0
Trackback URL: