Librarium Whitehat
"Inveniam viam aut faciam" : I will either find a way, or I shall make one

SANS GSEC Exam Preparation & Tips
Author: Leo Ni

Having worked as a Security and Compliance professional for over a decade, I recently took the SANS GSEC exam and have some impressions and tips to share with everyone who is about to sit it.

Take my background as an example: I hold a bachelor's degree in computer science and have more than 14 years of combined working experience in the Information Security Risk Management field. I passed my CISA and ISO 27001 Lead Auditor exams back in 2005 and the CISSP exam in 2009. Before 2002, I focused on more technical topics and attained the relevant technical certifications: MCSE + Internet, MCSD, MCDBA, etc.

SANS is famous for its in-depth technical research on Information Security, and it is becoming more and more popular. For a CISSP holder like me, I would say that passing this exam is not as easy as people think. Some people regard CISSP as the ultimate certification in the Information Security field and wonder why anyone would bother taking SANS GSEC, since G-S-E-C stands for GIAC Security Essentials and it looks like an entry-level designation.

As someone who holds both CISSP and GSEC, my answer is: yes, GSEC is SANS's entry-level designation, but it is harder and more practical than CISSP.

CISSP is ten miles wide and one inch deep, whereas SANS GSEC takes most of the CISSP concepts further by introducing their real-world, practical operation. It is common to see people who have passed CISSP unable to do hands-on information security technical work, but you can rest assured that SANS-certified people can do it effectively. Imagine you are a company's Information Security consultant: how can you give your clients (normally technical staff) practical suggestions they are likely to buy into, rather than speaking an “alien language”? For example, during the Information Security Assessment phase you walk your clients through how to harden the TCP/IP rule settings on Linux. When you are asked how to do that, and whether there are any tools in Linux that can do it, your first reaction should be the iptables command, which is built into Linux. Now imagine the scenario in which you wrongly told your clients to use other tools and they later figured it out by themselves. That is like a slap in the face to the professionalism of Information Security professionals.

I took the SANS GSEC exam on Oct 18, 2013 and used about 4 of the 5 hours to complete it, passing on the first attempt with a score of 81 (the passing mark is 73). Below are my tips for preparing for the exam:

1)    Familiarizing yourself with the six books is the most important thing. As most people mention, prepare an index file that is as detailed as possible. However, I want to add: do more tests and experiments, and memorize as many topics as possible, because the time allowed will not let you look everything up in the index;

2)    Making the index intuitive is the key. For a keyword such as IPSEC, put “IPSEC (Internet Protocol Security)” in the key column of your index rather than “Internet Protocol Security (IPSEC)”. This boosts your search speed during the exam;

3)    Treat the two mock tests as real exams to learn your skill level. Regard the mock test as exactly the same as the real exam, since its difficulty and layout are extremely similar. The score you get on the mock test is a good leading indicator of the score you are likely to get on the real exam. According to the statistics, the real exam is 5% - 10% harder than the mock test. Thus, if you target a mock test score of 90, you can normally expect about 86 on the real exam;

4)    Create a mind map to get a clear structure of the six thick books. SANS GSEC intentionally does not provide a TOC (table of contents), so we can build one on our own. I used the FreeMind software (it can be downloaded from …) to create a mind map of the SANS GSEC books. Once the mind map is fully built you will find it very rewarding: you will come to appreciate why the authors arranged the topics in that sequence. Although it looks like a mess initially, its structure will become clearer and more logical to you, which also helps you understand the content of the books better;

5)    Attend the SANS GSEC official training workshop / courses. Although it is possible to obtain SANS GSEC by taking the challenge exam for $999 USD, attending the official SANS GSEC training is still recommended, especially if your employer is willing to pay the training fee. The SANS tutors are very experienced professionals, carefully selected by SANS, and they can effectively answer your questions and clear up your confusion during the learning process. (Taking myself as an example, I had the opportunity to attend a very impressive Toronto SANS GSEC course from April 2013 to June 2013; the tutor was Erich Samuel.)

Passing SANS GSEC is just a starting point in your Information Security career, and there is much more to keep up with in the future. People may complain that SANS GSEC is a little hard to maintain in the long run, but I tend to believe an ounce of gain is worth an ounce of pain: as long as people have passion for Information Security and keep updating their knowledge, they will find SANS courses full of fun.

The above are just some of my thoughts on SANS GSEC. Any comments and feedback are highly welcome; we can discuss more later on. Cheers!