It’s no secret that I’m a fan of SANS and their associated GIAC infosec certifications. Certifications aren’t worth a ton of credibility in the information security arena, but the SANS training and testing mechanisms really do ensure that students have to have some clue about the topic to pass. The courses aren’t cheap, but SANS provides less costly community and self-study options. So, people going into the certification exams are in varying training situations.
When people see my complex-looking system for passing these exams (I was a GIAC proctor, and now hold GCIH, GCFE, GCFA, GREM, and GPEN), they often ask me how they can better prepare for the exams. Even though most SANS courses cover this to some extent at night or on day 1, let’s review some best practices for succeeding at SANS certifications.
DISCLAIMER: I follow GIAC policies to the letter and I will never provide specific details about any certification exam. So don’t bother asking.
There have already been a few blogs written about the study mechanisms for GIAC exams and I will link them at the bottom as others’ methods are similar but vary a bit.
WHAT YOU NEED TO KNOW
- GIAC tests change regularly with the SANS course material. If you tactically acquire books from a year ago, there is a good chance they will not be completely applicable to the current test. Same with your TestCheaty.ru practice tests, etc. Stick with your provided materials.
- GIAC tests are open book, open note (no electronic devices allowed). There is enough detail in them that it is very likely you will not be able to score very high without books or notes in the room with you; they’re designed that way. Minutiae matters – read, don’t skim.
- Some SANS books have no detailed index. This is for a smart educational reason – if you plan on using the books during your test (and you should) you are pretty much obligated to create your own. This forces you to actually read every page of the books while you’re preparing, and take notes. While some SANS courses have now added an index to match industry standards, creating your own with proper tabbing and references is still highly advisable for referencing speed during the exam and as a study aid.
- People’s indexing styles vary. I will show you my system and why I do it the way I do. See the links at the end for some variations. The bottom line is you need some organized way to find stuff in the books in a time crunch.
- GIAC exams are usually 3 hours long (a few some are longer or shorter) with around 115 questions. This means you have about a minute and a half per question. Unless you read quickly and your index is top notch, you will not be looking up every answer.
- SANS instructors give you tools to help. Keep those handy SANS cheat sheets for tools, commands, and operating systems they give you in the class, and bring them to the test!
- GIAC gives you two practice tests you can take at home, and they can be given to others. We’ll talk about this in more detail, but these are really important!
WHAT YOU NEED FOR THE PANCAKES INDEX SYSTEM
- The SANS books for the certification you’re going to ace…
- Some of these colorful plastic tabbies (you can buy ’em at Walgreens or Target) 5-6 colors are best…
- A fine tip permanent marker.
- A highlighter.
- Excel or something that does the same thing.
- Word or something that does the same thing.
- A color printer (or a handy Kinko’s).
THE PANCAKES INDEX SYSTEM
First, we’re going to stop procrastinating and start the giant task of indexing. Hopefully, you’ve already read through the books during class, but I’m going to presume you have not, yet. Now, some people prefer to take one of their two practice tests before they do anything else, to get an idea of where they stand. That’s fine, but due to the short supply of two whole practice tests, I prefer to take them both after studying and initially drafting an index.
Be prepared for fully reading and indexing 5-6 SANS books to take a couple full work days. Take 2-3 days off, or block at least 12-16 hours over time off on your calendar if you’re that fortunate. I read pretty quickly; you may need a bit more time if you don’t.
We are going to open up our spreadsheet software as we do this, and keep it running as we study. We are going to keep our colorful tabs and our markers handy as well.
First, we’re going to place a uniquely colored tab at the top of every book, so we can quickly grab that book in the small heap of materials we use in the testing center. So our book .1 could be red, .2 could be purple, etc. It’s usually faster to see a color than read text. My method allows for both.
Then we will begin to read.
Just because SANS books don’t have indices doesn’t mean they aren’t divided into chapters and sections. These are usually distinguished at the start of each section in a table of contents slide. They look something like *grabs random book*:
So, we usually know roughly where we are going to put our tabs. We may decide logically to add or subtract one or two. We’ll normally ignore tabbing or noting the labs, capstone book, and appendices unless they contain useful references that compliment the text.
As we read our book, we’re going to install our tabs lengthwise along the side of the book at logical points that will help us find important sections and tools. Because I’m a bit OCD, I like to use a rotating sequence of colors through the books. That way, I can quickly look for a color instead of a generic yellow or white tab. (Purple book, red tab. Yellow book, blue tab, etc, etc…)
So place a color tab of your choice at the start of the first chapter, and write on it what it is. Then, we shall read our chapter.
If we find important information like tools, definitions, or keywords in the text, we’re going to use our highlighter to (you guessed it), highlight the critical information so we see it quickly on the page. Rocket science! We are also going to index as we read. Every time we find a new definition, critical fact, command, or tool, we’re going to add it to our spreadsheet. We’re going to take our fill button in our spreadsheet program and make the first column the book.page number and book color, and the second column the specific item and the section tab color it is in.
We are going to give a little thought to how we write these items because they’re all going to go in alphabetical order at the end. For example, if we think we would look up XSS before CSS, we should make our line item XSS & CSS, instead of CSS & XSS. Or maybe we will make two entries, one for XSS and one for CSS, with the same page number and colors, just to be extra sure we can find it later.
If the items we are in all fall under one tool or subject, we might preface them with that tool so they end up in the same place once alphabetically sorted. For example, Meterpreter – priv module, and Meterpreter – Routing and Pivoting. We might put a couple word note next to a tool so we can quickly remember what it was for.
As we continue to fill our our index, we’ll start seeing a lovely, colorful list of book color and tab color develop. We now have two ways to reference any line in our index – reading the book and page number, or quickly glancing at the book and tab color.
It’s going to take a long time to read everything. Take a break when needed. Proofread your index every so often, and make sure your colors match up.
Eventually, our books will be tabbed, highlighted, and indexed in a spreadsheet from beginning to end. We’re then going to do some Office/Open-Office/Google Doc-fu. I’ll show you in Excel.
Sort by the text column alphabetically (with no headers). Your index is now an A-Z list of stuff, and a explosion of colors.
But printing this will be lots of pages, so we’re going to open up Word and make two columns…
Then copy-pasta (or import) the contents of our excel doc into that two column doc. If the lines are two long to fit in the two columns, make your font size smaller, your margins narrower, or abbreviate specific lines accordingly. We don’t want those lines to take long to read or find, anyway.
Now it will look something like this:
This is a lot more manageable. We can even print this two-sided to make our index even smaller. We still have the alphabetical list of topics, the page number, and the book and tab color code for the item. Our index should only be a max of 6-7, or four pieces of paper, printed out.
We have an index, and tabs! They look really cool!
GETTING READY TO TEST
So whether you used my index system or somebody else’s, let’s recap. You should now have:
- Read the books.
- Highlighted important facts, tools, and terms.
- Made an index you can quickly reference (if it’s over 8 pages you had better have bound and tabbed the index, too!)
- Tracked down your SANS course tool and software cheat sheets!
And now we must, alas, take the practice tests and the actual exam.
Tests make me nervous, and I like to ease myself into the first practice test. The first practice exam, I allow myself Google and the find function on my index document, neither of which I’ll have on the actual exam. This practice test, I concentrate on finding stuff that I missed adding to my index, and figuring out what SANS cheat sheets it will be a good idea to bring with me. I also use this test to gauge if there are sections I am very weak on and need to reread.
Some things to note:
- On the practice tests, GIAC will tell you the correct answer of every question you get wrong (and why it is correct). If this is a confusing answer and you’re in a time crunch, copy pasta this information down to study later!
- GIAC will also give you a 1-5 star score on each topic in the books when you’re done with the test. If you’re getting 2 or less stars on a section, you definitely need to re-read it and check the quality of your indexing.
- Keep track on the first test of what you have to Google or can’t find, and make sure you add it to your index or cheat sheets.
- At the end you will get a realistic percentile score. The passing score varies by exam, but is normally around 70%. I’m not sure exactly what the tolerance is, but expect your score to vary around 5% between the assorted practice tests and exam. So if you’re at say, a 73%, you’re going to want to consider studying quite a bit more before taking the second and final practice test.
I don’t take two practice tests in one day. I fix my index up, study sections I am weak on, and sleep on it.
The second practice test, I have a better idea what to expect. I treat it like the actual exam. No digital resources, just what I have printed out and my books. I take my time and look up anything I am not certain about in my books. I do continue to take a few notes when something really eludes me.
Hopefully at this point my score is pretty good. I make some final tweaks before getting another night’s rest and taking the exam at the testing center.
SHARING PRACTICE TESTS
If you happen to pass your certification exam after only using one of your practice exams, you may send your spare test to another person’s SANS account via your GIAC portal account. This is an optional but nice thing to do for people who are struggling with an exam. The SANS course alumni and advisory board mailing lists are a great place to trade or give away practice tests, or find an extra yourself if you’re still struggling after your second practice test.
OTHER PEOPLE’S GUIDES!
I recommend checking out some other lovely peoples’ guides to indexing and studying. Everybody’s learning and note-taking style is different. Perhaps you’ll find one that works for you or combine aspects of a couple.
(Updated March 2017 to reflect SANS courses with integrated indices.)