Better GIAC Testing with Pancakes

It’s no secret that I’m a fan of SANS and their associated GIAC infosec certifications. Certifications aren’t worth a ton of credibility in the information security arena, but the SANS training and testing mechanisms really do ensure that students have to have some clue about the topic to pass. The courses aren’t cheap, but SANS provides less costly community and self-study options. So, people going into the certification exams are in varying training situations.

When people see my complex-looking system for passing these exams (I was a GIAC proctor, and now hold GCIH, GCFE, GCFA, GREM, and GPEN), they often ask me how they can better prepare for the exams. Even though most SANS courses cover this to some extent at night or on day 1, let’s review some best practices for succeeding at SANS certifications.

DISCLAIMER: I follow GIAC policies to the letter and I will never provide specific details about any certification exam. So don’t bother asking.

There have already been a few blogs written about the study mechanisms for GIAC exams and I will link them at the bottom as others’ methods are similar but vary a bit.


  • GIAC tests change regularly with the SANS course material. If you tactically acquire books from a year ago, there is a good chance they will not be completely applicable to the current test. Same with your practice tests, etc. Stick with your provided materials.
  • GIAC tests are open book, open note (no electronic devices allowed). There is enough detail in them that it is very likely you will not be able to score very high without books or notes in the room with you; they’re designed that way. Minutiae matters – read, don’t skim.
  • Some SANS books have no detailed index. This is for a smart educational reason – if you plan on using the books during your test (and you should) you are pretty much obligated to create your own. This forces you to actually read every page of the books while you’re preparing, and take notes. While some SANS courses have now added an index to match industry standards, creating your own with proper tabbing and references is still highly advisable for referencing speed during the exam and as a study aid.
  • People’s indexing styles vary. I will show you my system and why I do it the way I do. See the links at the end for some variations. The bottom line is you need some organized way to find stuff in the books in a time crunch.
  • GIAC exams are usually 3 hours long (a few some are longer or shorter) with around 115 questions. This means you have about a minute and a half per question. Unless you read quickly and your index is top notch, you will not be looking up every answer.
  • SANS instructors give you tools to help. Keep those handy SANS cheat sheets for tools, commands, and operating systems they give you in the class, and bring them to the test!
  • GIAC gives you two practice tests you can take at home, and they can be given to others. We’ll talk about this in more detail, but these are really important!


  • The SANS books for the certification you’re going to ace…
  • Some of these colorful plastic tabbies (you can buy ’em at Walgreens or Target) 5-6 colors are best… tabs
  • A fine tip permanent marker.
  • A highlighter.
  • Excel or something that does the same thing.
  • Word or something that does the same thing.
  • A color printer (or a handy Kinko’s).


First, we’re going to stop procrastinating and start the giant task of indexing. Hopefully, you’ve already read through the books during class, but I’m going to presume you have not, yet. Now, some people prefer to take one of their two practice tests before they do anything else, to get an idea of where they stand. That’s fine, but due to the short supply of two whole practice tests, I prefer to take them both after studying and initially drafting an index.

Be prepared for fully reading and indexing 5-6 SANS books to take a couple full work days. Take 2-3 days off, or block at least 12-16 hours over time off on your calendar if you’re that fortunate. I read pretty quickly; you may need a bit more time if you don’t.

We are going to open up our spreadsheet software as we do this, and keep it running as we study. We are going to keep our colorful tabs and our markers handy as well.

First, we’re going to place a uniquely colored tab at the top of every book, so we can quickly grab that book in the small heap of materials we use in the testing center. So our book .1 could be red, .2 could be purple, etc. It’s usually faster to see a color than read text. My method allows for both.

Then we will begin to read.

Just because SANS books don’t have indices doesn’t mean they aren’t divided into chapters and sections. These are usually distinguished at the start of each section in a table of contents slide. They look something like *grabs random book*:


So, we usually know roughly where we are going to put our tabs. We may decide logically to add or subtract one or two. We’ll normally ignore tabbing or noting the labs, capstone book, and appendices unless they contain useful references that compliment the text.

As we read our book, we’re going to install our tabs lengthwise along the side of the book at logical points that will help us find important sections and tools. Because I’m a bit OCD, I like to use a rotating sequence of colors through the books. That way, I can quickly look for a color instead of a generic yellow or white tab. (Purple book, red tab. Yellow book, blue tab, etc, etc…)

So place a color tab of your choice at the start of the first chapter, and write on it what it is. Then, we shall read our chapter.

If we find important information like tools, definitions, or keywords in the text, we’re going to use our highlighter to (you guessed it), highlight the critical information so we see it quickly on the page. Rocket science! We are also going to index as we read. Every time we find a new definition, critical fact, command, or tool, we’re going to add it to our spreadsheet. We’re going to take our fill button in our spreadsheet program and make the first column the number and book color, and the second column the specific item and the section tab color it is in.


We are going to give a little thought to how we write these items because they’re all going to go in alphabetical order at the end. For example, if we think we would look up XSS before CSS, we should make our line item XSS & CSS, instead of CSS & XSS. Or maybe we will make two entries, one for XSS and one for CSS, with the same page number and colors, just to be extra sure we can find it later.

If the items we are in all fall under one tool or subject, we might preface them with that tool so they end up in the same place once alphabetically sorted. For example, Meterpreter – priv module, and Meterpreter – Routing and Pivoting. We might put a couple word note next to a tool so we can quickly remember what it was for.

As we continue to fill our our index, we’ll start seeing a lovely, colorful list of book color and tab color develop. We now have two ways to reference any line in our index – reading the book and page number, or quickly glancing at the book and tab color.

It’s going to take a long time to read everything. Take a break when needed. Proofread your index every so often, and make sure your colors match up.

Eventually, our books will be tabbed, highlighted, and indexed in a spreadsheet from beginning to end. We’re then going to do some Office/Open-Office/Google Doc-fu. I’ll show you in Excel.


Sort by the text column alphabetically (with no headers). Your index is now an A-Z list of stuff, and a explosion of colors.

But printing this will be lots of pages, so we’re going to open up Word and make two columns…


Then copy-pasta (or import) the contents of our excel doc into that two column doc. If the lines are two long to fit in the two columns, make your font size smaller, your margins narrower, or abbreviate specific lines accordingly. We don’t want those lines to take long to read or find, anyway.

Now it will look something like this:


This is a lot more manageable. We can even print this two-sided to make our index even smaller. We still have the alphabetical list of topics, the page number, and the book and tab color code for the item. Our index should only be a max of 6-7, or four pieces of paper, printed out.

We have an index, and tabs! They look really cool!



So whether you used my index system or somebody else’s, let’s recap. You should now have:

  1. Read the books.
  2. Highlighted important facts, tools, and terms.
  3. Made an index you can quickly reference (if it’s over 8 pages you had better have bound and tabbed the index, too!)
  4. Tracked down your SANS course tool and software cheat sheets!

And now we must, alas, take the practice tests and the actual exam.

Tests make me nervous, and I like to ease myself into the first practice test. The first practice exam, I allow myself Google and the find function on my index document, neither of which I’ll have on the actual exam. This practice test, I concentrate on finding stuff that I missed adding to my index, and figuring out what SANS cheat sheets it will be a good idea to bring with me. I also use this test to gauge if there are sections I am very weak on and need to reread.

Some things to note:

  • On the practice tests, GIAC will tell you the correct answer of every question you get wrong (and why it is correct). If this is a confusing answer and you’re in a time crunch, copy pasta this information down to study later!
  • GIAC will also give you a 1-5 star score on each topic in the books when you’re done with the test. If you’re getting 2 or less stars on a section, you definitely need to re-read it and check the quality of your indexing.
  • Keep track on the first test of what you have to Google or can’t find, and make sure you add it to your index or cheat sheets.
  • At the end you will get a realistic percentile score. The passing score varies by exam, but is normally around 70%. I’m not sure exactly what the tolerance is, but expect your score to vary around 5% between the assorted practice tests and exam. So if you’re at say, a 73%, you’re going to want to consider studying quite a bit more before taking the second and final practice test.

I don’t take two practice tests in one day. I fix my index up, study sections I am weak on, and sleep on it.

The second practice test, I have a better idea what to expect. I treat it like the actual exam. No digital resources, just what I have printed out and my books. I take my time and look up anything I am not certain about in my books. I do continue to take a few notes when something really eludes me.

Hopefully at this point my score is pretty good. I make some final tweaks before getting another night’s rest and taking the exam at the testing center.


If you happen to pass your certification exam after only using one of your practice exams, you may send your spare test to another person’s SANS account via your GIAC portal account. This is an optional but nice thing to do for people who are struggling with an exam. The SANS course alumni and advisory board mailing lists are a great place to trade or give away practice tests, or find an extra yourself if you’re still struggling after your second practice test.


I recommend checking out some other lovely peoples’ guides to indexing and studying. Everybody’s learning and note-taking style is different. Perhaps you’ll find one that works for you or combine aspects of a couple.

(Updated March 2017 to reflect SANS courses with integrated indices.)

Gen Con 2015 – A Big “Thank You!” from Us to You!

Wow! I can’t believe Gen Con is already over. We had an amazing time at the con and giving our Hacking in Fiction panel for 43 lovely people on Thursday night. I want to extend a big thanks to my co-speakers, Johnny and Beltface. We ended up going over our allotted 90 minutes again – mostly because we had so much fun answering fantastic audience questions. Also, thanks to our many Twitter friends who came out to roast us, like Joe, 0DDJ0BB, Lslybot, and Justin!



Just some awesome costumes I snapped pictures of!


Our most frequently asked question that I want to restate here for the world was, “I don’t have much experience; how do I get into infosec/hacking?”

If you’re asking us that question, you’re on the right track. I firmly believe have the best community out there in a professional field. There are tremendous resources for anyone out there who has the will and motivation to be good at infosec. They usually don’t come with any dependency on expensive degree programs or certifications. My recommendations are:

  • Go to independent security conferences, Def Con, DerbyCon, Shmoocon, GrrCon, and various local BSides are great options to learn about security and network with other people who share your interests. You can get into most of these conferences for 100-200 dollars and a hotel room. There is no experience requirement, and there are usually talks at technical levels from management skills to sophisticated reverse engineering. Yes, these conferences can be intimidating, but follow basic best practices like not using a credit/ATM card, turning off WIFI on your phone, and not bringing a production computer, and you’ll find them an intriguing and welcoming environment with lots of fun!
  • Use your internet resources. Blogs, Twitter, and Podcasts are a great way to learn more about current events in InfoSec. Don’t rely on bulletins from vendors or government agencies. Some of my favorite general security news sources are:

    Paul’s Security Weekly

    Naked Security – Sophos

    Krebs on Security

    Dark Reading | Security

    Steve Ragan | CSO Online

    We Live Security

  • Find your local hacker meetups and attend. As well as 2600, DC(area code) groups, and BSides, many metro areas have independent security meetups. These are a great way to network and find a mentor.
  • Do publicly shared CTF exercises to learn more about hacking. Beyond “Hack this Site“, many agencies post online ‘Capture the Flag’ exercises in blue team and red team areas of security that allow you to take your best shot at a hacking simulation and then see the results when it ends. I recommend all of the SANS exercise, especially their holiday challenges.
  • Build your own lab, and experiment! It’s really not that expensive to build a hacking lab at home. Virtualization has made it relatively affordable to construct a VM lab environment with an attacker and defender machine(s) in which you can simulate the area of security of your choice. It looks fantastic in interviews if you can describe your home lab an d
  • Don’t get intimidated! While I highly recommend you always be certain you have permission to hack the computer network(s) you are experimenting with, there are plenty of legal and affordable ways to learn more about information security. Everyone who legitimately claims to work in ‘infosec’ or ‘cyber’ should have a solid understanding of how bad guys think. Avail yourself of available resources, and test your skills!