JDMurray's Blog at www.TechExams.Net

The SANS Security Essentials SEC401 Experience

by JDMurray, 09-11-2012 at 02:52 AM

This is part one of a series of three articles on the SANS SEC401 training course and the GIAC GSEC certification exam. Parts two and three are My Study Plan for the GIAC GSEC Exam and The GIAC GSEC Exam Experience.

I was recently given the opportunity by my employer to attend SANS™ Institute training at SANS Security West 2012 in San Diego, CA. I attended the class associated with the GIAC GSEC certification: SANS Security Essentials 401 (SEC401). This class and certification are both a broad and in-depth survey of Information Security topics oriented towards technical knowledge and practical applications. The GSEC is considered to be the flagship of the 17 GIAC certifications, and with over 33,000 people having passed the GSEC exam, SEC401 is easily the most popular of all SANS training classes.

My Six Days in a Hotel Conference Room

SEC401 is a 6-day boot camp-style class for the GIAC GSEC certification and is taught at most SANS events. The class runs from 9AM to 7PM for five days and 9AM to 5PM the last day, and may be attended by anywhere from 75 to 150 people. The time spent in class is mostly instruction with Q&A, but the last hour or so of the first five days is for completing lab exercises.

The SEC401 class material is divided into six major subject areas, with each area subdivided into a half-dozen or so learning modules. There are six course books, one for each day, and you get them all in a nice SANS bag at registration. The lab exercises are found at the end of each course book. The books are instrumental in studying for and passing the GSEC exam, so treat them with care.

Dr. Eric Cole

The SEC401 class I attended was instructed by Dr. Eric Cole of SANS™ Institute and Secure Anchor Consulting. Dr. Cole is a very personable, entertaining, and highly energetic lecturer. Attending a very technical InfoSec class for 10+ hours a day for six straight days is tough enough, but when you are the class instructor needing to keep 100+ students engaged for that time frame you have to be the Energizer Bunny® of Information Security. SANS has found just such an instructor in Dr. Cole.

Dr. Cole has been authoring and teaching the SANS 401 course for the past 14 years. He puts all of his incredible personal and career experience in InfoSec into the class lectures and material. Listening to his personal stories and anecdotes alone is worth the price of admission, and you will likely be listening to them for weeks after the class on his recorded SANS SEC401 lectures.

Dr. Cole also has considerable input into the content of the GIAC GSEC exam, for which the SEC401 course is designed. Although the class is not taught specifically for the goal of passing the exam (i.e., "teaching to the exam"), you will receive hints along the way as to important topics to know. Dr. Cole also greatly values students' comments about the class' content and his instruction, and he welcomes comments and suggestions for improvements of both. With all of this considered, I strongly recommend attempting to attend Dr. Cole's SEC401 class if the GSEC certification is in your future plans.

Dr. Cole is also a principal author of the book Network Security Bible from Wiley. The information in his book parallels and augments the topics taught in SEC401, so you might consider taking a copy of it with you into the GSEC exam (*hint hint*).

Wait, Give It a Chance...

If, while in the first day of class, you think that you have signed up for a SANS class that will not meet your needs, you have the option to turn in your SANS materials and switch to a different class. However, be aware that the SEC401 subjects change considerably each day. The first day is very technical with discussions of almost every possible concept in TCP/IP networking. So if you find yourself falling into a glassy-eyed stare during the talk about Internet protocols, VoIP, or IP subnetting, try to ride it out and remember the next day's subjects will be easier.

Snack Alert!

One thing to be very careful of is the breaks during the classes. A break is given every 90 minutes or so, and snacks are served in a common area by the hotel; it can be quite a sugary and caloric event. Cookies, ice cream, caramel apple slices, and pastries were some of the items on the snack menu during my SANS experience. It was rather unfortunate for more than a few people that "5-pound brownie day" just happened to be on the same day as the cryptography lecture. There were more than a few eyes shutting and heads nodding during class after that, and at least one case of "Keyboard Face" that I saw.

To ward off the effects of "high tide, low tide" blood sugar, bring your own healthy snacks and just partake of the water, coffee, and tea in the break area. There will likely be food markets near to your hotel. To find the closest, just ask Dr. Cole where he buys his coconut water.

The SANS SEC401 Labs

The lab exercises in each class are to help you better understand the concepts and applications within the SEC401 material (Linux commands, vulnerability scanning, network traffic interpretation, password cracking, steganography, event logging, etc.). The labs are very useful and could be very helpful with the GSEC exam (*hint hint*), but truth be known, all of the labs in SEC401 are optional. If you are very familiar with a lab exercise, perhaps because it is part of your daily work activities, you can skip it. You might find yourself skipping entire labs to participate in the evening activities hosted by SANS.


In the evening of the first five class days are the SANS@Night after-class events. I highly recommend that you attend as many of these events as possible. Instructors from each class lecture and demonstrate on what they teach, giving SANS Conference attendees a chance to decide on what class they would like to take at their next SANS conference. There are also presentations and discussion panels on special topics, such as state of the Internet, social engineering, future trends in hardware and software technology, and Internet safety for kids and adults. There is also a NetWars Capture-The-Flag tournament and an overview of the GIAC program for people wanting to become SANS Facilitators. You should at least attend the Welcome to SANS lecture given on the morning of the first day.

There are actually two events at 7:15PM and another two at 8:15PM, so you will need to decide what you want to attend. Realize that none of these SANS@Night events are recorded, so when you attend one you will miss the other. If you choose to stay after class and finish all of your labs, you may miss them all. And let's not even ponder what you'll miss if you instead decide to spend an evening on the town in a place like Chicago, San Diego, San Francisco, Orlando, or Las Vegas. (For the sake of team-building with my co-workers, I did select this option as my evening's activity more than once.)

The Venue

If possible, get to your SANS conference the day before it begins so you can register, collect your materials, check in to your room, explore the venue, and look over the schedule of events. SANS is in more places than you can think to DDoS, so I can only offer a description of my venue.

The SANS Security West 2012 I attended was held at the Manchester Grand Hyatt in San Diego, CA. This is a very nice and large hotel on the water designed in the confusing, two-tower configuration. (Yes, I went up the wrong tower my first trip to my room. That's what I get for checking in using a kiosk-bot and not a desk-human.) The hotel is stylish, comfortable, and has more than enough space for a SANS conference. SANS comps attendees free access to the hotel's Wi-Fi (also something the kiosk-bot didn't tell me).

The Hyatt is in a nice downtown area near to the San Diego Convention Center. (You know, that place where 100K+ people attend ComicCon every year?) The entire downtown is within walking distance of the Hyatt, including fast food, grocery stores, other hotels, and Petco Park. However, you probably won't want to go any farther than 5th Street in San Diego's Gaslamp Quarter. All forms and manner of food, drink, shopping, and entertainment are there. With the many weeks you'll be putting in studying for your GSEC exam, you may not have another opportunity to get away like this for quite a while.

More Questions?

I highly suggest reading through all of the material on the SANS Security Essentials 401 page for more in-depth information on the content of the classes and upcoming locations of training events. Have a look at the SANS Security Training FAQ for answers to your questions about SANS courses, GIAC GSEC certification, and to understand the different SANS training options (vLive, OnDemand, Self-study, etc.). And, of course, there is always the SANS GIAC discussion forum at TechExams.Net.

Oh--and don't forget to read part two of this series, My Study Plan for the GIAC GSEC Exam.

Updated 09-11-2012 at 09:18 PM by JDMurray

Tags: giac, gsec, sans


  1. ITforyears
    I am taking this test soon. Are you still on the board for questions?
  2. JDMurray
    Yes, please post your SANS/GIAC questions to the TechExams.Net SANS/GIAC discussion forum.
  3. ITforyears
    Sorry that I saw this response after the fact. I passed the test and wanted to thank you for your advice. I posted a response about my experience at

