
JDMurray's Blog at www.TechExams.Net

My Study Plan for the GIAC GSEC Exam

by JDMurray, 09-11-2012 at 02:53 AM
This is part two of a series of three articles on the SANS SEC401 training course and the GIAC GSEC certification exam. Parts one and three are The SANS Security Essentials SEC401 Experience and The GIAC GSEC Exam Experience.

Doing the self-study part of an IT certification can involve a daunting set of decisions and tasks. Where do you start? What materials should you use? How should you be organized? How, when, and for how long should you study? And how do you know when you are ready to take the exam? I really have no idea what you should do for yourself; everybody has differences that make it impossible for me to devise a single set of recommendations for everyone. Instead, I offer here what I did to prepare for the GSEC exam.

The first step in studying for the GSEC exam is to attend SANS Security Essentials 401 training. If you have read part one of this series, you know that I highly recommend attending a SANS SEC401 class taught by the creator of the course, Dr. Eric Cole. He is very entertaining, authored the SEC401 course material, and certainly knows what's on the exam.

If you can't make it to one of Dr. Cole's classes, the other instructors teaching SEC401 are very good too. In fact, the audio recordings of SEC401 that you will be listening to feature Dr. Cole's lectures, so having a different in-class instructor with a different perspective will probably broaden your exposure to the SEC401 material.

Take copious notes while you focus your brain on the lectures. The lectures both reinforce the material in the books and add to it. I'm not saying there is information on the exam that you can only get from the lectures, but the spoken information makes a different impression than the written information. Taking notes on a laptop not only will come in very handy to remember and reinforce what you have learned, but will also make your notes searchable. You will find your notes complement the recorded lectures too.

If you are taking the vLive or OnDemand SANS SEC401 class, the advice is the same: take notes on the live or recorded lectures. The OnDemand material also features "Test Your Knowledge" quizzes on many of the modules. Make sure you have both listened to the lecture and read the book for each module before taking the quiz or you won't fully know the material you are being quizzed on.

Reading the SANS SEC401 books is very, very important. This seems silly to say, but after attending the training, taking detailed notes, and listening to the lecture recordings over and over, you might decide not to fully read the books. This would be a mistake. Go over the books, marking the pertinent facts with a highlighter, and take notes that include the book and page number for each fact you record. This not only aids you in learning the information, but will help you with your most monumental study task: building the SANS SEC401 index.

An Index? I Really Need To Make an Index?

The GIAC GSEC exam is an open book exam. There is so much information in this exam that you will definitely need your SEC401 books with you in the exam room. However, you will notice that your books have neither a table of contents nor an index. This makes them very difficult to use for quickly looking up facts--such as those that might be useful for answering GSEC exam items. You therefore have no choice but to build your own indices from scratch. If you have never before created an index for a book--let alone for six books--you are in for one mind-numbing treat.

For my index, I made a single MS Word table with one column each for index term, book number, and page number(s). Each table row contains one indexed term. Using this format, the first few entries of your index might look something like this:

| Term | Book | Pages |
|---|---|---|
| /etc/services | 6 | 51,53 |
| 3DES | 4 | 50 |
| 802.11 | 4 | 157-158 |
| AAA | 2 | 103-104 |
| Account Lockout | 5 | 160 |
| Access Control | 1 | 225 |
| Access Control | 2 | 99-109 |
| Access Control | 5 | 234-236 |

Be extremely detailed in your indexing. Include the names of programs and executables, RFC and NIST publications, acronyms, and well-known operating system files. Do not use a large page range to cover a single general topic, such as shown in the Access Control entry in the above index table example. Instead, break up the pages into smaller, indexed entries by topic. This will enable you to more quickly locate the detailed information you need during the exam.

Do not exclude concepts from your index that you think you know well. There may be some bit of trivia that you don't know or don't remember that makes the difference in your answers. Consider that you will be looking up topics you know just to double-check what you know. If you have a disagreement with facts presented in the SEC401 books, the exam will follow the books and not what you believe. Therefore, use your index to verify you have your facts from the SEC401 books and not from what somebody wrote in Wikipedia or a blog article.

Bookmarks can be very helpful for finding significant sections in the books, such as the diagrams for IP, TCP, and UDP headers, incident handling stages, the command line options for tcpdump, and the glossary and acronyms listings in book 1. Make sure you bookmark the topics in your lecture notes and study notes too. The small-size yellow sticky notes make excellent bookmarks. (You thought I was talking about Web browsers, didn't you?)

Finally, make sure you include the page numbers on your index hard copy. This will come in handy for reordering the pages if you mix them up during the exam. Oh--be sure to sort the table each time before you print it. Saves paper and frustrations that way.

Take special care in making your index. The last thing you want is to find yourself in the exam flipping blindly through your books hoping to glance at information you need to answer a question. During the exam, you will feel satisfaction each time you use your index to confirm the correct answer to an exam item, and this will make you glad that you spent the time you did on your index.

If I have a really good index, will I still need to study?

You might have the thought to use your index--or somebody else's index--to simply look up the answer to most every item you see on the GSEC exam. You can try doing this using one of your GSEC practice exams to see what kind of score you get. You may find that there isn't enough exam time given to look up every possible answer in the books. You would literally need to look up each answer option and make a decision based on material contained on perhaps dozens of pages. Building an index is an excellent way to help you study the GSEC materials, which is why you would take SANS SEC401 in the first place, so take advantage of the learning experience.

Study for How Long?

There is no simple answer for the question, "How long will it take me to study for the GSEC exam?" It depends on how much you already know about the GSEC topics, how well you understood the lectures and labs in your SANS SEC401 class, and afterwards how well you studied the material and prepared for the GSEC exam itself. SANS SEC401 students are given four months to take the GIAC GSEC exam after finishing SEC401, so most anyone with the motivation to obtain the GSEC should have enough time to prepare. Just don't try to cram it all in the weekend before your exam date.

GSEC Practice Exams

The SANS SEC401 course comes with two online practice exams that emulate the GSEC exam in length, format, and content. You are given 300 minutes in which to complete 180 exam items, just like in the real GSEC exam. There is also an on-screen clock displaying your exam time remaining, and your current exam score is displayed and updated after every 15 exam items. The exams are available in your account after you purchase the GSEC exam.

Your SEC401 instructor will probably advise you to take the first practice exam shortly after completing the class. This will give you an accurate assessment of how well you understand the class material and give you an idea of what the exam is like. At the completion of a practice exam, a summary is displayed of all of the topics on the exam, each with a rating of zero to five stars of how well you did on each topic. This assessment is the foundation of your study plan. Start by studying your worst topics (zero- and one-star) first and work up from there. Once you complete a practice exam, you cannot review or retake it, but the summary is always available to you in your account.

How and when you use your second practice exam is up to you. You can actually give it away to someone else registered on if you feel that you don't need it. One week before my GSEC exam, I used my second practice exam as a mock GSEC exam experience. I went to the library on a Saturday morning with all of my SANS 401 books and notes, set myself up in a private cubicle, and proceeded to take the practice exam using the same rules as the real exam (no electronics, one 15-minute break, no distractions, etc.). The idea was to find any deficiencies in my knowledge and study materials, and to exercise my mental stamina for taking a 5-hour, computer-based exam.

I found myself getting mentally winded around exam item 130, but I pressed on. I took notes to study some topics, make some tables, and to improve my index. I found it helped me polish my exam materials and gave me confidence that I was prepared for the actual GSEC exam.

After 4 hours and 19 minutes, I finished with a score of 93%. (I scored only 80% on my first practice exam taken nearly three months before.) I was surprised how many topics I saw in the practice exam that were not listed in my handmade index. Several of the practice exam items I got wrong just from picking stupidly. You know those questions where you know the correct answer, but you end up picking the wrong answer because you second-guessed yourself? And the exam items asking for the FALSE statement and you pick the first TRUE answer you see instead? I really hate myself for missing those.

During the practice exam, you are given an opportunity to flag up to five exam items to pass on and be given again at the end of the exam. I did not take advantage of this feature, but I would have had I been spending too long researching any one exam item. You may also flag exam items you wish to comment on after the exam is completed. I only had an issue with one exam item and how its information was not explained in sufficient detail in the SEC401 books. It may have been a trivial detail, but I got the item wrong and I felt that I needed vindication for a slightly lower practice exam score that meant nothing.

All That Effort Just to Pass an Expensive Certification Exam?

Why did I go to all this trouble? To get the best possible learning experience from the SANS Security Essentials 401 class? For the "nerd cred" earned by a really high passing score? Well, both of those, really. But there is also an officially-recognized GIAC Elite; those who score in the 90th percentile on a GIAC exam are asked to join the GIAC Advisory Board. That sounded like something pretty cool to be a part of, so I went for it too.

More about how to inflame your nerdish ego in part 3 of this series, The GIAC GSEC Exam Experience.

Updated 09-11-2012 at 08:39 PM by JDMurray

Tags: giac, gsec, sans


  1. Darsven
    JDMurray - Your boss sounds like a scholar and a gentleman. Excellent article...Thanks for the assistance and advice. I took my first practice test today with no books, finished in 2 hours with a 75%. I am not really as knowledgeable as I had previously thought. I will be studying more tonight and tomorrow, then taking a practice exam nice and slow on Sunday. Monday @ 11am I will be taking my scheduled exam. Wish me luck - D.R.S.
  2. ITforyears
    This is some good info. I am taking the OnDemand course and I have no book so I cannot index. I am just writing notes in a notebook so hopefully I will be good to go. I have a CASP and Security + so I feel that I am somewhat prepared lol.
  3. jburke723
    Thank you for the excellent index idea and example! I'm studying to challenge the GSEC hopefully in March and have found myself making WAY too many tabs. That will be SO helpful!
  4. akwah
    I passed yesterday with a 94% score. Thanks a lot, JDMurray, for your notes; it really helped me a lot.

