Issue of February 2004 


Security Certification

The trail to GSEC

It may seem that the road to GSEC is a rough one, full of obstacles. So here are some tips and alternatives to steer round those dreaded potholes and barriers to reach the finish line. by Avinash Kadam

The SANS Institute ( is virtually a supermarket for security certifications and training conferences. The GIAC (SANS) Security Essentials certificate, GSEC in short, is termed the foundation-level certificate (Level I). At the intermediate level (Level II), SANS offers the GSFW (Firewall, Perimeter Protection and VPNs), GCIA (Intrusion Detection), GCIH (Hacker Techniques, Exploits and Incident Handling), GCUX (Securing Unix), GCNA (Auditing Networks & Systems) and GCFA (System Forensic & Investigation) certificates. At the advanced level, SANS offers the GSE (Security Expert) certificate. One of the conditions for this level is possession of at least five Level II certificates.

So, SANS has created a pyramid of security certificates and we are looking at the foundation level certificate, GSEC.

GSEC requires you to study the following six areas:

1. Networking Concepts

2. Defense in Depth

3. Internet Security Technologies

4. Secure Communication

5. Windows Security

6. Unix Security

The topics you need to prepare for these areas are as follows:

1. Networking Concepts

This covers all the essential topics like network fundamentals, network layer security protocols, application layer security protocols, IP concepts, IP behavior, IOS and router filters, host-based perimeter protection, hardware architecture and physical security.

2. Defense in Depth

This domain covers Information Assurance foundation topics like the threat model, vulnerabilities, data classification, computer security policies, contingency planning, disaster recovery, business impact analysis and password management techniques, including single sign-on and RADIUS. It then moves on to access control techniques and covers discretionary access control (DAC), mandatory access control (MAC), lattice-based, rule-based and role-based access control, various models like Bell-LaPadula, Biba, Clark-Wilson and state machines, access control protocols like CHAP and PAP, and incident handling techniques.

Next, this domain covers offensive and defensive information warfare topics, which include Web security, data warehousing, system development and types of systems like knowledge-based expert systems and neural networks.

This domain mixes in a number of topics from the CISSP syllabus to support the claim that the GSEC course also covers the 10 domains of CISSP.

3. Internet Security Technologies

This domain covers hardcore technical topics. It begins with host-based and network-based intrusion detection, which covers a number of open-source tools. The domain covers a number of methods of attack, and also honeypots and firewalls as defensive measures. The next topic is risk assessment and auditing, which also covers vulnerability scanners like SAINT, Nessus etc. Security policy is covered here again, to tie the various defensive measures together.

4. Secure Communication

This domain starts with detailed coverage of cryptography, which includes symmetric and asymmetric key cryptography, algorithms, PKI, VPNs, digital certificates etc. This is followed by steganography and PGP. Next, viruses, malicious code and anti-virus tools are covered. The last topic is operations security, which covers legal, administrative and operational requirements.

5. Windows Security

This domain covers all aspects of Windows security, beginning with the Windows family of operating systems, workgroups, local accounts, Active Directory and domain policy, followed by permissions, user rights, security policies and templates, service packs, patches and backups. The next topic is securing network services, which includes firewalls, IPSec, VPNs and wireless networking, followed by auditing and automation.

6. Unix Security

Like the previous domain, this domain covers Unix security in full, starting with patching and software installation, minimizing system services, guidance for dangerous services, logging, warning banners, access control methods, other additional security configurations like kernel tuning and security for cron systems and, lastly, backups and archives.

From the above brief description, you will realize that GSEC has tried to combine all the essential technical aspects of security with the additional security management aspects required by CISSP. This has made domains 2, 3 and 4 very exhaustive and slightly disjointed. SANS claims that the course covers two certifications in one, GSEC and CISSP; in actual practice this may be difficult to achieve.

Domains 1, 4 and 5 are fairly clear-cut technical domains, expecting good hands-on experience of networking, Windows security and Unix security. The questions asked in the online examination expect you to remember the exact syntax of commands, as given in the books published by SANS. So, if you do not buy these books, you may have some difficulty in answering the questions.

The path to GSEC

One of the major stumbling blocks while preparing for GSEC is the requirement of fulfilling the practical assignment. This is a unique requirement of all SANS certifications. For GSEC, the candidate is expected to prepare a practical assignment, which is like an original research paper, based on his/her own experience. SANS puts tremendous emphasis on originality and summarily bans a candidate from appearing for the examination if any part of the assignment is plagiarized. The paper should be a minimum of eight pages and must give references to a minimum of eight resources available free on the Internet. The expectation is that the candidate has done some original work, has also researched the problem on the Internet and has referenced the views of others who worked in a similar area. This also shows the depth of research undertaken.

After paying the fees for the GSEC examination, a candidate must appear for the exam within six months, and must submit the paper and get it approved at least one month before the examination.

The paper is reviewed by experts and returned with constructive comments. If the paper was submitted before the five-month period expired, you may resubmit it after incorporating the suggestions. If one reviewer rejects the paper, another reviewer, who does not know that the paper was rejected earlier, reviews it. If both reviewers reject the paper, you are out of luck: you will not be able to appear for the examination and your fee is forfeited.

Once the paper is approved, you can take the examination, which consists of two two-hour, online, open-book tests, which can be taken from the comfort of your home. The result is declared immediately. If you pass the first exam, you can take the second, either immediately or after a gap. After you take the second exam and pass it, you are immediately informed of the result.

After you pass the exam, your practical assignment paper is posted on the SANS website ( along with the practical assignment papers of others who have gone through the same (challenging) experience. This is a major contribution by SANS to the security community. You can find work done by others in practically every field of security, and all of it is available for free. You can also verify the work done by a SANS-certified professional by searching for his paper after specifying his certification number, and judge the quality of the work the professional has done.

Retaining your GSEC certification

Another unique feature of SANS certification is the requirement to take a re-certification examination. Unlike other certificates, there is no annual fee. Instead, you are expected to take the same examination every second year by paying a fee, which is less than the annual fees of other bodies. For this fee, you are also allowed to refer to the latest course material, which is constantly revised, for an update on changing technologies. So, if you hold a SANS certificate for six years, you will have taken three examinations, which shows that your knowledge is up to date.

Preparing for GSEC certification

There are two ways of preparing for GSEC certification. The first is attending a SANS conference which has the GSEC track (called track T1). This is a six-day course with extra time allotted in the evenings for hands-on practical assignments and demonstrations of tools. The conference cost includes the course material, and offers the examination at a discounted price. You have to submit the practical assignment paper and clear the examination within six months from the date of the conference.

If you do not feel like spending more than $3,000, the alternative is to directly pay $450 for the challenge certification, which means submitting the practical assignment paper and taking the examination. You will definitely save a lot of money, but you need to buy the set of books covering all six days of the conference, i.e. the six domains. These will cost another $450. Since the examination questions expect very specific knowledge of each domain, including the exact syntax used, without these books you may find it difficult to answer all the questions.

The two examinations divide the six domains equally and ask 75 questions each, online. The questions are objective type; you have to choose the correct answer from four options. You cannot go back to correct an answer, and if you get 23 questions wrong (30%), the examination is terminated, since you need to score a minimum of 70% to pass. Since each examination is only two hours long, having all the books open will not help. You have to find the correct answer in one and a half minutes, which is hardly enough time to refer to the book and turn to the right page.

All in all, taking the GSEC examination is quite an experience, beginning with the intense effort one has to put in to come up with a good practical assignment topic, then writing an actual research paper and improving it to the reviewers' satisfaction. The reviewers really do a good job. They do not criticize you unnecessarily but give very constructive suggestions.

If you do not expect to kill two birds with one stone, i.e. to get both GSEC and CISSP in one sweep, you will benefit from attempting GSEC and completing it. You may still have to study independently for CISSP, as the coverage given to that examination by the SANS syllabus is not adequate.

Does GSEC cover all the domains of BS7799? With the topics added to cover the CISSP syllabus, it does cover all the requirements of BS7799. Probably the CISSP portion was added to elevate the GSEC certificate from the label of a "techie" certificate to a full-fledged security management certificate.


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.