Last month I took the GIAC Penetration Tester certification exam as a conclusion to the course in Network Pentesting & Ethical Hacking I took with SANS in september. At the final exam, I ended up with a score of 86%, with which I am quite content. :)
In this short article I want to share with you why I chose this certification and how I prepared for the exam.
The GIAC GPEN certification is my first infosec certification. Before taking the course and the exam, I made sure that my chosen certification was valued within the infosec community (and not just by HR people or C-level managers). What has helped me to decide which course/certification to take was reading other people’s opinions and experiences.
Eventually I decided to take the SANS course and GIAC exam since the SANS courses consist of both theory and practice. I specifically decided to go with the network pentesting course for two reasons. After leaving university, it turned out that my networking knowledge could definitely use some improvement. Secondly, I find that the offensive side of security interests me tremendously.
I followed these steps to prepare for the GPEN exam:
Many people have written down their experiences with taking a GIAC exam. A bit of smart Google-ing goes a long way. The following blogposts have helped me prepare for the exam:
When picking a date for the exam, make sure you have plenty of preparation time. If you are planning to make an index of the SANS lecture notes and you have a busy day job, a week is not enough!
You have to take the GIAC exam at a proctored exam center. On the website of Pearson-Vue you can check the location and availability of the exam centers. When you have selected the center of your choice, you can pick a date and a time slot. When I tried to schedule my exam, the scheduling website failed multiple times. Be sure to set some time apart for booking a time slot with Pearson. ;)
Every person has their own way of studying for a test. Since GIAC tests are open book, the most common way of preparing for a GIAC exam is making an index for the books you want to bring. Most people will use the SANS course books. For my GPEN certification, this meant indexing over 1000 pages of lecture notes.
I took a month to make my index, taking one day a week to go through one of the books. After a whole day of cramming powershell commands, tackling the stack of SANS books can feel a bit overwhelming. Taking some time between study sessions was a good way for me to let the theory sink in for a bit.
My index was fairly simple and consisted of a spreadsheet with columns “concept”, “book_nr”, “page_nr” and “description”. I tried to put as much information as possible in the description field, since this saves you a lot of time during the exam.
I brought two copies of my index to the exam: one with the concepts in alphabetical order, and one in the original page order of the SANS book. I did this because related terms are often mentioned in the same part of the same book, which makes it easier to find a term if you don’t know the exact name.
When you register for a GIAC exam, you get access to two practice exams. You can take these online via the GIAC website. The practice exams are a great way to prepare for the real exam. The format and time limit is the same as you will get in the proctored exam center and the practice exams will also give you feedback about the different exam topics. During the practice exams, you can also get immediate feedback about incorrectly answered questions. Taking one of the practice exams with your index and books only (no internet) is also a good way of checking the quality of your index.
Don’t forget to bring two forms of ID and your books + index, and don’t worry too much. :) Just do it!
When you have passed the exam, it’s time to celebrate! Don’t forget this step! It’s very important. ;) After I passed the exam, I treated my colleagues to traditional Dutch oliebollen.
Judith van Stegeren is a Dutch computer scientist. She is working as PhD candidate at the University of Twente, where she researches natural language generation for the video games industry. She occassionaly works as a consultant in data engineering for textual data.