SANS GSE Renewal

I passed. Why I did it. Phew.

Teri Radichel
Cloud Security


If you aren’t familiar with the GSE I wrote about that here:

I wrote about how I was pondering whether or not to review the GSE here:

And for those who want a job in cybersecurity, I made this video:

Why renew?

I ultimately decided to renew. Why?

I was thinking about all my friends who have to get re-certified to work in their fields. At a bare minimum they have to attend continuing education classes in the U.S.

  • A doctor.
  • A CPA.
  • Teachers.
  • Pilots (including a comprehensive test of how planes work and a test in a flight simulator at one company I know).
  • Lawyers.
  • And many other fields.

I even had to take a test on food safety to work in a restaurant once!

I thought, how are people supposed to know if you actually know what you are talking about or not if you don’t have some sort of credential? Would it hurt me when trying to provide consulting advice on calls — even if that credential is not really aligned with the things I write about or advise people on specifically? It helps people understand that I have a deep knowledge of security, regardless of how closely aligned it is to my work. I wondered if I would get as many calls or projects without it.

I don’t really have an answer to whether or not this certification will help me get more calls or more penetration testing or security assessment contracts. I don’t have a way to measure that. But I figured I would just get it.

I considered other certifications just because it might be interesting to get something different, but given that I already put $45K or so into this cert, I decided to stick with it.

The other thing is, by renewing the certs I get updated materials for all the classes. I’m especially interested in the material for my reverse engineering malware and advanced penetration testing certifications. One of the things that does align with what I actually do is any questions or material related to penetration testing, so I’m always looking to up my game there. Though I came up with some approaches and techniques for cloud and application testing that I never learned or saw in SANS material. I just realized that testing in cloud environments needed to be different from the way I learned to do it as soon as I engaged in my first test.

I just want to note that there was an approach for scanning clouds mentioned that I do not agree with. It’s encouraging bad behavior, increasing noise on already noisy systems, and costing people money. There are better approaches if your goal is to secure systems. I wish they would not promote that particular tactic. Please make sure you are only testing and scanning systems you are authorized to test.

Challenges with certifications in cybersecurity

The problem with security is that it is such a diverse field that having one particular certification — such as one that shows you can hack into systems like some certifications do — does not mean that you are qualified for incident response. A certification that focuses heavily on dissecting packets does not indicate that you are good at implementing a secure IdP solution or creating a secure SDLC pipeline to prevent attacks such as the SolarWinds breach. Architecting a security solution is different from breaking one. It helps to understand how attackers break in so you can architect accordingly, but just blocking a hole is like putting bubble gum on a hole in a dam — that’s not security architecture.

That said, a certification that ensures you understand why networking controls matter, why packets matter and how attacks can be hidden in them, which encryption algorithms you should use when and why, how attackers get into systems, and how to investigate security incidents properly including event correlation and proper chain of custody, will be applicable across the board. It will help you when designing your secure SDLC pipeline or creating a secure application. That’s the kind of thing the SANS GSE covers. And more.

Anyone who says you don’t need networking to secure your digital assets likely doesn’t understand how networking works, how attackers operate, or how to realistically stop, contain, or reduce the damage associated with a data breach in a large organization. I’ve written a few posts about network security here. Most of this isn’t on the test, but some of the posts on fundamental networking concepts are applicable. I just present the topics in a different way that made it easier for me to grasp the material.

New material and hands-on questions

The new material I received from SANS to prepare for the test does have some cloud information in it, which I was happy to see. It is not comprehensive by any means, but it covers some things relevant to what you should be worried about in cloud environments. The practice tests I took also had cloud questions. I liked those. :-)

The practice tests also had hands-on sections. I liked that and did pretty well on those sections — except for a few things I missed on the first test related to tools I don’t really use — one of which doesn’t work well in a cloud environment. There are ways to make it work, but so far they cost money or are not simple. I considered writing a tool for that, but I have other priorities.

After the first practice test I revised my notes because I was trying a new approach and it didn’t work out very well (screenshots). I was missing some things and it was too difficult to find the information to answer the question.

Plus, I just made a couple dumb mistakes. I needed to practice a couple of the tools more. In the end, a few of the tools I spent time on weren’t even on my test, and the others weren’t featured as heavily. The questions were more “about the tool” instead of “how to use the tool” in the particular set of questions I got.

Since I wasn’t aware of that when studying how to use the tools, I considered how to write my notes for the commands I needed to know. The way I think is like a programmer does things. They write commands in scripts. The cheatsheets have material all over the place and it doesn’t work for me too well. I can’t easily find things. They feel disorganized the way my brain works, though I know other people like them.

Instead, I organized all the commands by tool in alphabetical order in a document I typed up in vi. That’s right. Like a programmer. :) It took a very, very long time. After resizing the font to be much smaller it was somewhere in the vicinity of 100 pages.

I know for a fact I had every tool in every workbook in those notes, and I thought I had every tool in my list of tools from the books as well. I went through the books twice. However, when I got to the test, in at least two of the questions I was asked about a tool that wasn’t in my notes. I remembered those tools from old tests I took but don’t use them a lot, so that was challenging. After the test, I remember one of the answers I think I got wrong. Darn.

Anyway, I manually typed all the notes I took with me to the class for the most part. I read that writing things down (and hopefully typing them) helps you remember things better than reading it. This has always been my strategy with SANS certifications. There is simply too much information for any person to remember it all, like the nitty gritty of how particular encryption and networking algorithms work, all the commands and tools for various operating systems, how to dissect network packets, different scripting languages, etc. etc. etc. etc.

Or so I thought. Turns out my notes weren’t that helpful in the end. I probably would have passed without them.

Improving your score

For the next two practice tests I did very well on the hands on portions. For the GSEC I didn’t really even need my notes. I got a 93. I went through that one very fast. I think I got an 80 on the other — and initially I thought that particular class was my weakest area — but it contains some tools I use more frequently (and some I never use and probably still won’t in my particular line of work).

For the last practice test, I was confused about a couple of things on it. I think two of the questions had conflicting answers but I could be wrong. I also didn’t remember what they were asking from the material and couldn’t find the exact information (but didn’t look really hard for it).

I’m pretty sure I was answering one of the hands-on questions correctly but it would not work. The instructions said it could sometimes fail. Try again. Not sure how I feel about those instructions. If it’s on a test, shouldn’t it work 100% of the time? I couldn’t tell what I was doing wrong since apparently I guessed the right answer when I couldn’t get it to work so didn’t get the response telling me what I did wrong.

I also may have broken another question but I didn’t spend a lot of time on it to figure out what was going on. Oops. Perhaps I just did something wrong but it didn’t behave the way I was expecting.

In any case, I liked the hands-on questions. Especially the ones involving the tools I use a lot. :-)

What you can remember from the material…

Well, when I got to the test there may have been some kind of snafu. I confirmed this with another person who took the test. Let’s just say, my notes didn’t help me and I was answering just about every question from memory. My test wasn’t aligned with the format and timeframe of his test. The format of his test aligned with the practice tests I received.

Fewer questions actually makes it harder to get a higher score. A single miss has a bigger impact on how far your percentage goes down. I think my notes (both commands and terms) helped me with maybe four questions. I passed by 4 — is that 4% or 4 questions? I don’t know. Maybe my notes helped.

But in any case, I passed. I also got only two points lower on what I think was the same as the last time I took this test four years ago. There was some overlap in content between the last time I took the test and this one. But there was some content in questions that I didn’t recall being in the new material on my test. For one question in particular I remember thinking about the fact that they removed that material when I was studying.

Not a single question from the practice tests was on the actual test. Usually you get at least a few questions you’ve seen before. Nope. Not one. Sadly, there were no cloud questions. That is my specialty.

Don’t ask me what to study

For this reason, and because I think they are changing something about the way this test works, I can’t provide any help with what you should study. You’ll have to ask SANS about that. Whatever test you get — it’s not going to be easy and you’re going to need to know a lot of things from memory and (possibly) be able to sort through a mountain of material very quickly.

When I was looking around, I was searching for whether or not the GSE renewal test had a hands-on section and found conflicting information. One person told me his test did not have a hands-on component but he thought it might have been added. An online blog said it was. In the end, one person I talked to did get hands-on questions, but I did not.

I also looked for the passing score and couldn’t find it anywhere. The online blog post about it is wrong, based on the test I took (the score I had to hit was 7 points higher than what was stated on that blog). I figured, regardless of what the score is you have to hit, I just need to do as well as I can, so the score you have to get is somewhat irrelevant, so I didn’t bother to ask SANS what the passing score actually is for this test.

I hope they do include the hands-on section in the future and base it on things in the actual workbooks. The hands-on questions on tools covered in the workbooks are better than questions on some tool mentioned in a footnote.

A test that asks you about anything in the universe is not a very fair test. Cybersecurity is too diverse. I have hundreds of penetration testing tools and plugins and scripts I’ve written myself just for penetration testing. No one can know how to use every single tool that exists in cybersecurity.

It should cover the tools you were actually taught and align with things you were told to study. Otherwise the only people who pass are those who cheat and get information from other people about what is on the test — and that defeats the purpose. It’s not fair or an accurate judge of knowledge, but it is a judge of character.

I will compare this to the SAT and other tests like that which students need to pass to get into college. The people who pay for books and classes to study for those tests generally do better. They have an idea what the test will be like and what will be on it. Often those study aids have questions on the actual tests or ones extremely closely aligned.

Base the test on the same tests you send people to practice for the test. If I get a 93 on the practice test and barely need to look at my notes because I memorized what’s in the material it seems like I should have a similar experience on the actual test. Instead, if I don’t recognize a lot of the questions (even in similarity), perhaps the practice tests and study material are not well aligned. In every single case before this one, I got a higher score on the actual test than I did on the practice test because I studied the material. This time around, it was the opposite.

The other thing I hope is that there are fewer of the type of questions to see if you know a particular term or process promoted by a single organization. My least favorite is the term “applistructure” that I saw in the CSA documentation at one point. No one uses that term. I hope it is not on any tests. But I haven’t taken any tests from CSA.

Avoid questions based on material specific to one organization or product, unless that product is used by the majority of the industry and on most job applications. I like questions about dissecting packets, encryption algorithms, and how to use tools that pretty much everyone in the industry uses regardless of where they study or work. The fundamentals of cybersecurity and risk reduction via prioritizing according to attack vectors and correlation of logs are all very valid. Password cracking and application attacks are also relevant and universal to help with an overall understanding of cybersecurity and how hackers break into systems or figure out passwords.

One thing I was disappointed by in the material was that the information on different operating systems and mobile was severely imbalanced. I also found a question on one of the operating systems on my test overly complicated and tricky. If you are interested in Mac or mobile security, the GSEC is not where you will find that information. It’s pretty light, whereas the Windows section seems very, very deep for an introductory security class.

The material claims Windows is more heavily used. But is it? More Linux systems run in Microsoft Azure than Windows according to one report I read. I also read a report that says more executives and developers are using Macs — and those are some of your highest risk individuals in an organization. A very non-scientific poll on my Twitter account heavily favored Mac. Just like cloud, I’m sure SANS will be continuously revising the material to align with the industry. I don’t know the actual statistics at this point, I’m just speculating based on my experience and I work primarily in cloud and with organizations doing the same.

As for the recordings, SANS told me initially these were not included, but I thought I had gotten them the first time around, which is why I asked for them. They sent them over, which was nice. I could have done without them to be honest, but they are interesting to check out. You may or may not get those in the future.

I did not find that the recording for the GSEC aligned with the material too well. I didn’t listen beyond the first day. The recordings for the other classes were very good, though I didn’t listen to them in entirety either. (Time factor.) I think I listened to most of 504 which seemed to be pretty well aligned and I think it did help me remember some things on the practice test. In general, I find that for SANS certifications it’s best to focus on the books and labs.

Done.

In any case, I’m just glad that I’m done and passed. It was brutal and stressful and took a lot of time away from my family. My poor puppy was missing me and sad when I wouldn’t go on walks with him and my significant other.

It also took away from the time I want to spend researching and writing on this blog. But as I was studying, I did think of some new things I want to try out on penetration tests and write about. These ideas were not in the material — but the material inspired me to think about it so that’s good!

Onwards and upwards…

Teri Radichel | © 2nd Sight Lab 2023
