The trail to GSEC
may seem that the road to GSEC is a rough one, full of obstacles. So here are
some tips and alternatives to steer round those dreaded potholes and barriers
to reach the finish line. by Avinash Kadam
The SANS Institute (www.sans.org) is virtually a supermarket for security certifications
and training conferences. The GIAC (SANS) Security Essential, GSEC in short,
is termed as the foundation level certificate (Level I). At the intermediate
level (Level II), SANS offers GSFW (Firewall, Perimeter Protection and VPNs),
GCIA (Intrusion Detection), GCIH (Hacker Techniques, Exploits and Incident Handling),
GCUX (Securing Unix), GCNA (Auditing Networks & Systems) and GCFA (System
Forensic & Investigation) certificates. At an advanced level, SANS offers
GSE (Security Expert) certificate. One of the conditions for this level is possession
of at least five Level II certificates.
So, SANS has created a pyramid of security certificates and we are looking at
the foundation level certificate, GSEC.
GSEC requires you to study the following six areas:
1. Networking Concepts
2. Defense in Depth
3. Internet Security Technologies
4. Secure Communication
5. Windows Security
6. Unix Security
The topics you need to prepare for these areas are as follows:
1. Networking Concepts
This covers all the essential topics like network fundamentals, network layer
security protocols, application layer security protocols, IP concepts, IP behavior,
IOS and router filters, host-based perimeter protection, hardware architecture
and physical security.
2. Defense in Depth
This domain covers Information Assurance foundation topics like threat model,
vulnerabilities, data classification, computer security policies, contingency
planning, disaster recovery, business impact analysis, password management techniques,
including single sign-on and Radius. It then moves on to access control techniques
and covers discretionary access control (DAC), mandatory access control (MAC),
lattice, rules and role-based access control, various models like Bell LaPadula,
Biba, Clark Wilson, state machines, access control protocols like CHAP and PAP
and incident handling techniques.
Next, this domain covers offensive and defensive information warfare topics,
which include Web security, data warehousing, system development and types of
systems like knowledge-based expert systems and neural networks.
This domain has mixed a number of topics from CISSP syllabus to fulfill the
claim that the GSEC course will also cover 10 domains of CISSP.
3. Internet Security Technologies
This domain covers hardcore technical topics. It begins with host-based intrusion
detection and network-based intrusion detection, which covers a number of open
source software. The domain covers a number of methods of attack and also honey-pots
and firewalls as defensive measures. The next topic is that of risk assessment
and auditing, which also covers vulnerability scanners like Saint, Nessus etc.
Security policy is covered here again, to tie up various defensive measures.
4. Secure communications
This domain starts with detailed coverage of cryptography, which includes symmetric
and asymmetric key cryptography, algorithms, PKI, VPN, digital certificates
etc. This is followed by steganography and PGP. Next the viruses, malicious
code and anti-viral tools are covered. The last topic is operations security,
which covers legal, administrative and operational requirements.
5. Windows security
This domain covers all aspects of Windows security, beginning with the Windows
family of operating systems, workgroups, local accounts, active directory, domain
policy, followed by permissions, user rights, security policies and templates;
service packs, patches and backups. The next topic is security network services,
which include firewalls, IPSec, VPNs, wireless networking, followed by auditing
6. Unix Security
Like the previous domain, this domain covers complete Unix security, starting
with patching and software installation, minimizing system services, guidance
for dangerous services, logging, warning banners, access control methods, other
additional security configurations like Kernal tuning and security for cron
systems and lastly, backups and archives.
From the above brief description, you will realize that GSEC has tried to combine
all essential technical aspects of security with additional security management
aspects as required by CISSP. This has made the domains 2, 3 and 4 very exhaustive
and slightly disjointed. The claim made by SANS is that the course covers two-in-one
certifications, GSEC and CISSP, in actual practice this may be difficult to
The domains 1, 4 and 5 are fairly clear-cut technical domains, expecting good
hands-on experience of networking, Windows security and Unix security. The questions
asked in the on-line examination expect you to remember exact syntax of commands,
as given in the books published by SANS. So, if you do not buy these books,
you may have some difficulty in answering the questions.
The path to GSEC
One of the major stumbling blocks while preparing for GSEC is the requirement
of fulfilling the practical assignment. This is a unique requirement of all
SANS certifications. For GSEC, the candidate is expected to prepare a practical
assignment, which is like an original research paper, based on his/her
own experience. SANS puts tremendous emphasis on originality and summarily bans
a candidate from appearing for the examination if any part of the assignment
is plagiarized. The paper should be of minimum eight pages, and must give reference
to minimum eight resources, available free on the Internet. The expectation
is that the candidate has done some original work and has also researched the
problem on the Internet and given reference to views of others who worked in
a similar area. This also shows the depth of research undertaken.
After paying the fees for the GSEC examination, a candidate must appear for
the exam within six months, and submit the paper; then get it approved at least
one month before the examination.
The paper is reviewed by experts and returned with constructive comments. If
the paper has been submitted before expiration of the five months period, you
may resubmit the paper after incorporating the suggestions. If one reviewer
rejects the paper, another reviewer, who does not know if the paper is rejected
earlier, reviews it. If both reviewers reject the paper, you are out of luck.
You will not be able to appear for the examination and your fee is forfeited.
Once the paper is approved, you can take the examination, which consists of
two, two-hour, online, open-book testswhich can be taken from the comfort
of your home. The result is declared immediately. If you pass the first exam,
you can take the second, either immediately or after a gap. After you take the
second exam and pass the same, you are immediately informed about the result.
After you pass the exam, your practical assignment paper is posted on the
SANS website (www.giac.org) with practical assignment papers from others who
have gone through similar (challenging) experiences. This is a major contribution
of SANS to the security community. You may be able to find work done by others
in practically each field of security, and all this is available for free. You
can also verify the work done by a SANS certified professional by searching
for his paper, after specifying his certification number. You can judge the
quality of work the professional has done.
retainING your GSEC certification
Another unique feature of SANS certification is the requirement of taking
a re-certification examination. Unlike other certificates, there is no annual
fee. Instead, you are expected to take the same examination every second year
by paying a fee, which is less than annual fees of other bodies. For this fee,
you are also allowed to refer to the latest course material, which is constantly
revised, for an update on changing technologies. So, if you hold a SANS certificate
for six years, you would have taken three examinations, which will show that
you are up-to-date with your knowledge.
preparING for GSEC certification
There are two ways of preparing for GSEC certification. First is attending a
SANS conference which has the GSEC track (called track T1). This is a six-day
course with extra time allotted in the evening for hands-on practical assignments,
and demonstration of tools. The conference cost includes the course material,
and offers the examination at a discounted price. You have to submit the practical
assignment paper and clear the examination within six months from the date of
If you do not feel like spending more than $3,000, the alternative is to directly
pay $450 for the challenge certification, which means submission of the practical
assignment paper and taking the examination. You will definitely save a lot
of money, but you need to buy the set of books covering all the six days of
the conference, i.e. the six domains. These will cost another $450. Since the
examination questions expect very specific knowledge of that domain, including
the exact syntax being used, without these books, you may find it difficult
to answer all the questions.
The two examinations divide the six domains equally and ask 75 questions, online.
The questions are objective type; you have to choose the correct answer from
the four options. You cannot go back to correct an answer, and if you get 23
questions wrong (30%), the examination is terminated, since you need to score
minimum 70% to pass the examination. Since each examination is only for two
hours, having all the books open will not help. You have to find the correct
answer in one and a half minute, which is hardly sufficient to refer to the
book and turn to the right page.
All in all, taking the GSEC examination is quite an experience, beginning with
the intense effort one has to put in to come out with a good practical assignment
topic, then an actual research paper and improving it to the reviewers satisfaction.
Reviewers really do a good job. They do not unnecessarily criticize you but
give very constructive suggestions.
If you dont expect to kill two birds with one stone, i.e. try to get both
GSEC and CISSP in one sweep, you will benefit by attempting GSEC and completing
it. You may still have to independently study for CISSP as the coverage given
for this examination by SANS syllabus is not adequate.
Does GSEC cover all the domains of BS7799? With the topics
added to cover the CISSP syllabus, it does cover all the requirements of BS7799.
Probably, the CISSP portion was added to elevate the GSEC certificate from the
label of a "techie" certificate to a full-fledged Security Management