SANS 503 and GCIA Thoughts

I attended the SANS SEC 503 ‘Intrusion Detection In-Depth’ course at SANS Network Security two months ago and just took the GCIA certification exam yesterday so I thought I’d post a few thoughts on the class and the exam. It’s not a full review but if you have questions feel free to ask and I’ll do my best to answer them.

In the past people I respect greatly have told me that I should be able to look at raw tcpdump output and decipher what was going on. I thought this class would help me out quite a bit in this area and I was 100% correct. In fact late on the exam yesterday I caught myself smiling as I worked through a somewhat complicated problem which presented me with a bunch of hex and asked me what was going on. I assure you that I would not have been smiling if I had to answer that question two months ago.

I may have very well been the only student in class who had never held a networking job so in addition to learning low level packet skills I picked up a lot of knowledge about filters, improved my familiarity with Wireshark quite a bit and got a more in depth look at a lot of correlation and analysis topics that I learned about in SEC 401.

I had a harder time studying for this exam than any of the previous GIAC exams I’ve taken as I often felt mentally exhausted. It’s tough for me to know what percentage of that was from the material itself and what percentage was the 17 certifications in under two years pace I’ve been on but I still wanted to mention it.

I had heard that the GCIA was one of the more difficult SANS exams, saw that the passing score was only 67% and was honestly a little worried about the test. The practice exams drained me mentally but my scores were well above passing so I scheduled my test. I started the exam with a good score but on a slower than acceptable pace. My pace got quicker and quicker and I ended up finishing with a score of 92 and an hour left.

A few tips for anyone taking the GCIA exam:

  • I know I’m Mr. Index and I had a good one for this exam too but I used my index less on this test than I ever have before. You still absolutely need to make one (and make sure you include the packet header spreadsheet included on the course VM and a common port cheat sheet) but a lot of the questions required you to understand and apply concepts and analyze hex in addition to the normal syntax questions. Use lots of tabs on the books for this one my friends.
  • On the cover of my index I put what question I should be on at the one hour mark, two hour mark and three hour mark. I would recommend you do the same if you’re at all worried about time but don’t overreact if you’re behind pace early. I was 5 or 6 questions off the pace at the one hour mark but like I said earlier I ended up having an hour left at the end. You’ll end up performing the same sort of packet analysis repeatedly and will likely speed up quite a bit.

The 503 doesn’t have the sexiness of the hacking courses or the forensics courses but I enjoyed the class and it was a very important one for me as I really needed to work on my packet analysis skills. Next up on my to-do list is assembly language for reverse engineering and exploit development.

Sans 542 and GWAPT Review

I recently finished the OnDemand version of the SANS 542 Web App Penetration Testing and Ethical Hacking course and passed the GIAC Web Application Penetration Tester (GWAPT) exam so I thought I would post a few quick thoughts on the course and exam.

It’s more than a little redundant to say a SANS instructor did a great job but Kevin Johnson rocked. I was slightly biased coming in as I talked to him for about 90 seconds last year in Vegas and he was really friendly but even setting that massive amount of personal experience aside Kevin is both incredibly entertaining and a great teacher. I really want to take a class from him in person so I need to keep my eyes peeled for any 642 offerings out west.

Mr. Johnson is very upfront about what the class is and isn’t. While there is a full day devoted to exploitation the class is not a collection of “Here’s exploit A, now here’s exploit B…” but rather an overall look at web app pen testing methodology and best practices as a whole.

What this class won’t give you:  “If they’re using WordPress version 3.2 I’ll use exploit X but if they’ve upgraded to 3.3 I’ll use exploit Y”

What this class will give you: The ability to properly examine a website, determine the underlying technologies, give you an understanding of possible attack vectors based on your earlier findings and expose you to the tools to help you locate these vulnerabilities and attempt to exploit them.

It really boils down to the old give a man a fish vs. teach a man to fish thing and I’m extremely happy this class takes the approach they do. The SANS website course breakdown is accurate so there’s no need for me to give a play by play on what was covered but you will learn concepts to test both specific types of technologies (AJAX, Flash, Javascript etc.) and technology independent design and logic flaws. The course also covers using Python scripts to help automate your testing.

I had played with a lot of these tools and been exposed to a lot of the concepts from earlier courses and practice but the 542 did a great job of providing a systematic approach and a barrel full of real world stories which tie concepts taught in class to practical applications. As penetration testing is a hobby rather than a daily job for me I greatly enjoyed and appreciated these.

Regarding the test, it’s short and I loved it! The test is 75 questions long and you have two hours to complete it. I finished with 30 minutes left and got a score in the low 90s so it’s very doable.

My GWAPT index was quite a bit shorter (7-8 pages) than a lot of my previous indexes but it honestly wasn’t a matter of laziness as much as it was the material didn’t seem to lend itself to a fat index as well as other courses have. During the test I never looked for a topic in my index and came up empty so mission accomplished.

There were definitely questions on the exam which required me to understand multiple concepts rather than just reference a particular page. I’m perfectly ok with that if the tradeoff is a two hour enjoyable test instead of a five hour exam that has me questioning my life choices towards the end. I hope more classes go to the shorter exam format.

In summary I enjoyed the course, learned a lot, passed the test and had a good time doing it all.

Quick Update and Minor Tool Announcement

June was a fairly busy month as I knocked out my GISP and CEH. The GISP required no extra study on my part as I had just finished my CISSP exam and it’s basically an open book CISSP. The GISP questions were more technical than the CISSP versions which honestly made the test easier. Well, that and the open books 🙂

The CEH is fairly straightforward with a lot of tool specific questions, port related questions and scenarios which test your basic network security knowledge.

The CEH was a nice one to get out of the way and the GWAPT should be the next one on my list. I just finished going through the SANS SEC 542 course in the On-Demand format and will now start spending some time with the course exercises and creating my index.

If anyone has any specific questions on my GISP or CEH prep please feel free to ask.

On another note I recently encountered a Rand McNally GPS unit which no commercial forensic tool I had access to was able to parse. I wrote a small python script which parsed the destination history file and created a HTML report and KML file for Google Earth display. The tool is working but there are a few tweaks I’d still like to make to the KML structure. I’m planning on releasing the tool for public consumption later this week.

Passed My CISSP Exam

I’m back from my self-imposed month of silence and am happy to report that I passed my CISSP exam.

I allowed for a hair over three weeks from my CISSP boot camp to my test date which seemed very aggressive but doable. What I didn’t count on was an unforeseen incident causing me to miss a week of study time. 4-5 days before my exam I was seriously considering postponing my test but the next available date for the local testing center was over a month away and I didn’t want this test hanging over my head for another month. Thankfully I was able to pass my test with no extensions.

Here is a quick overview of how I studied for the exam.

Step 1: Bootcamp

I choose the SANS 414 course for my CISSP bootcamp. I can’t say how it compares to any other CISSP prep course since I haven’t taken any others but I can say that I enjoyed the class and I passed the test. It’s redundant to say that a SANS instructor did a great job but Eric Conrad and Eric Cole are two of the greatest instructors I’ve ever had the privilege to learn from.

One thing I think I could have done better was take a few of the cccure practice exams before I started the bootcamp. I think bombing a few practice tests would have probably forced me to pay a little more attention to some of the minutia in the more mind numbing sections.

One HUGE bonus of the SANS bootcamp is that you get the entire course on MP3. I spent nights and weekends barricaded in the guest room studying but still got a lot of value from listening to the MP3s on my commute to work and while working out. I even listened on my way to the exam and one of the questions Eric Cole discussed was on the test. I’ve always enjoyed having a different instructor for the live class and the pre-recorded content because You get the same content but from two different points of view, different teaching styles, different war stories etc.

Step 2: CISSP study guide

Right after the bootcamp I started reading Eric Conrad’s CISSP study guide. I would definitely recommend that you visit a bookstore and pick a book you’re comfortable with but for me this book would have been an easy choice even if it didn’t come with the class.

A lot of the CISSP books on the market are well over 1,000 pages. Eric’s books cover the exact same material in 500 pages. It’s actually a really quick read with a lot of charts and practice tests at the end of each domain. The fans of the larger books point out that they cover each topic in greater detail but Eric’s guide absolutely provides the level of knowledge you need to pass the exam. On the few occasions I was interested in a bit more detail I Googled the subject, spent a few minutes reading and happily moved on.

Step 3: Practice tests

This is probably the most important step of them all. Most of the people that have problems on the CISSP don’t say that the exam was too technically difficult , they say they had problems with questions being poorly worded, having multiple “correct” answers etc. Practice tests help prepare you for the style of questions asked and force you to come to terms with the fact that you can’t change the questions no matter how badly you want to. The question may frustrate you, you make think it’s stupid, but you still have to try to figure out which answer is correct in CISSP land.

I started off by taking practice exams from cccure with varying results. I only had a week until my test so I got a copy of the Exam Cram CISSP Practice Question book and spent three evenings taking all ten of the tests in the book. I used the scores of those tests to dictate which domains I should be taking cccure practice tests for during the next two days. I would recommend the exam cram practice questions book and a cccure subscription to anyone preparing for the CISSP.

Step 4: The day before my test

I spent the day before my exam curled up with Eric Conrad’s other book, his 11th hour CISSP study guide. The book is around 150 pages of extremely concise CISSP information. It did a great job providing a final walkthrough of each domain for the exam.

All of this wasn’t cheap and it took an entire month but it accomplished the mission of passing the CISSP exam on the first attempt. The scariest part of all of this is how beat felt after spending a month straight studying for this thing. It definitely makes me wonder how much of a recluse I’ll become when I attempt the OSCP at some point in the next twelve months.

SANS Index How To Guide with Pictures

I got some great advice recently on creating an index for SANS exams and I wanted to write a blog post to share it with others.

I took the SANS FOR 508 Computer Forensics course in 2008. It was way over my head but I had a great time and learned a ton. A few months ago I finally decided to go for my GCFA certification. I had four year old material from a course that had been completely revamped and no index. I passed the exam with a score in the 80s but it was a grueling experience. I had to rush on the last part of the exam and never felt comfortable.

A few months after my GCFA exam I got an opportunity to attend a SANS SEC 504 class. I really wanted to prepare for my GCIH exam the right way so while I was at the conference I asked several individuals how they prepared their index.

Most people told me that their indexes were 8-10 pages. A lot of these people had more SANS certs than I have friends so their methods obviously worked for them. My class had a teaching assistant (also SANS mentor) named Neal Bridges who gave me some slightly different advice. Neal said that he tells his students that a 10 page index is a recipe for failure unless you’re a super genius. A bit tongue in cheek? Probably, but I’m so far from being a super genius that I needed all the help I can get.

When I asked Neal how long he thought an index should be he replied “fifty pages” without blinking. I followed up with a question on how he formatted his indexes and he offered to have his wife bring one of his when she came into town the next day.

The next day he showed me a copy of his GSEC index and I was impressed. It was close to 50 pages and had been professionally bound at Kinkos. I promised myself that I would put together an index like that for my GCIH exam.

Putting together a comprehensive index proved to be an incredible time investment but as I was going book by book putting it together I was also learning.

I went through the course via On Demand from Ed Skoudis and in person from John Strand. Even after double exposure from two of the best instructors in the world that third exposure to the material (from the books) really helped solidify a few of the concepts. At first I thought that was weird but when you look at the sheer volume of information covered in the course it makes sense. Also, since a lot of the material was new to me my learning went from exposure to concepts to specifics.

I ended up getting a 94 on my GCIH exam which I was obviously thrilled with and I think the index (both preparation and usage) was a big reason why.

My index ended up being 31 pages I created plus a few pages I copied (IvP4 breakdown etc. type stuff) tacked onto the end in a “misc.” section. My created content was broken down into two big sections (main and tools) and two small sections (windows commands and Linux commands).

The main section consisted of both items and concepts. If something wasn’t a tool or a windows or Linux command, it went in this section.

The tools section is self-explanatory. Any tool mentioned in a book went in here. If they mention a functionality and then listed 7 tools, all 7 tools went into this section.

The windows commands and Linux commands are also self-explanatory. I listed the commands, a brief description and sometimes a command line example. Any examples I made bold.

Getting a quick look at someone else’s SANS index (even though it was for a different course) really helped me out so here are a few pictures of mine.


SANS index cover example


side of SANS GCIH index


GIAC index example


SANS tool index

Linux commands:

GSEC or GCIH index example

If you’ve taken a few GIAC tests and have had good results, then by all means keep doing what you’re doing. But if you have your first SANS/GIAC exam coming up and feel like you could use a little extra help, I would seriously consider taking the time to make a comprehensive index. You’ll be glad you did for many reasons.

NOTE: I am unable to provide copies of this index so please do not ask. This post is meant solely to help students who have never seen an in-depth index get a feel for how they could design one of their own.

GCIH Passed

I’m a few days late in posting this but last Monday I passed my GCIH exam with a 94. SANS advisory board here I come!!!

I watched the course in the On Demand format taught by Ed Skoudis and attended the live training taught by John Strand. It was very time consuming but well worth it to get the material from two world class instructors with different points of view.

The key to my high score was taking some great advice from a SANS teaching assistant & mentor named Neal Bridges who encouraged me to make a detailed (mine ended up around 30 pages) index and was kind enough to show me his GSEC index so I had an idea on how to format mine. I’ll write up a blog post soon where I’ll discuss my index and show a few samples.