GIAC Security Expert (GSE) Overview
The GSE certification is the most prestigious in the IT Security industry. The current exam was developed by subject matter experts and top industry practitioners. The GSE's performance-based, hands-on nature sets it apart from any other certification in the IT security industry. The GSE will determine if a candidate has truly mastered the wide variety of skills required by top security consultants and individual practitioners.
The GSE exam has two parts:
Part 1: Multiple Choice Exam: The GSE multiple choice exam must be taken at a proctored location, just like any other GIAC exam. The current version of the GSE multiple choice exam has the passing score set at 75% and a time limit of 3 hours. Passing this exam qualifies a person to sit for the GSE hands-on lab.
The GSE multiple choice exam follows GIAC's standard retake policy. Click here for information: http://www.giac.org/exams/retakes-and-extensions
Once you successfully complete Part 1, you must sit for the GSE lab within 18 months of the date of completion. Failure to do so will require Part 1 to be re-completed.
Part 2: 2-day GSE Lab exam:
Day 1 of the GSE lab consists of an incident response scenario that requires the candidate to analyze data and report their results in a written report. Day 2 consists of a rigorous battery of hands-on exercises drawn from all of the domains listed below.
- GIAC reserves the right to request that candidates who are unsuccessful in one domain of the GSE lab complete additional work outside of the GSE lab before awarding the credential.
- GIAC reserves the right to require any candidate to retake the entire lab.
The GSE Lab exam has its own retake policy, outlined here:
- First Failed Attempt
  - The mandatory waiting period before attempting the retake is 12 months
- Two or More Failed Attempts
  - The mandatory waiting period before attempting the retake is 36 months
Target Audience: Those who pursue an in-depth technical education in all areas of information security are the target audience for the GSE certification.
To reserve a seat for a GSE lab, you must have met the following two requirements:
- Successfully pass the multiple choice exam at least 30 days prior to the lab date. (This must be done before you are eligible to complete step 2.)
- Pay for the lab and request a seat at least 30 days prior to the lab date.
The GSE is valid for four years and is maintained by passing the current version of the multiple choice exam every four years.
So long as you maintain your GSE certification, it automatically maintains and renews all other GIAC certifications you held in current standing prior to earning the GSE, as well as any additional certification you may earn once you are GSE certified.
- You will need the appropriate pre-requisite certifications. (See below)
- Once your application is reviewed and approved you may register for the multiple choice exam and pay a $399 fee.
- Upon passing the multiple choice exam, you are eligible to attempt the GSE hands-on lab. The lab fee is an additional $1699.
- Please allow up to 10 business days for application processing and approval.
2014 GSE Hands-On Lab Offerings:
- April 5th and 6th at SANS 2014 in Orlando, FL
- October 17th and 18th at SANS Network Security 2014 in Las Vegas, NV
GSE Pre-requisites (updated 10-12-2009):
The GSE pre-requisite baseline is GSEC, GCIH, GCIA with two gold. The GSEC pre-requisite is unique because of its dual Windows and Unix coverage.
- GCWN & GCUX combined can act as a substitute for GSEC
- Higher level certifications can act as substitutes for gold papers. Examples: GCFA, GPPA, GCUX, GCWN, GCED, GPEN, GWAPT, GAWN, GREM
GSE pre-requisite list (including substitution options):
- GSEC, GCIH, GCIA with two gold
- GSEC, GCIH, GCIA with one gold and one substitute
- GSEC, GCIH, GCIA with no gold and two substitutes
- GCWN, GCUX, GCIH, GCIA with one gold
- GCWN, GCUX, GCIH, GCIA with no gold and one substitute
The skills required to successfully complete the GSE exam can be broken up into three major groups:
- General security skills
- Incident handling skills
- Intrusion detection and analysis skills
If you are ready to sit for the GSE exam you will need the following:
- A Windows XP or higher laptop - at least 1.5 GB of RAM, at least two USB ports, and a 10/100 Ethernet port.
- VMware Player - a recent version
We will also provide a virtual network of targets and other machines needed to complete the exercises hosted on our servers. We will provide a USB drive with the virtual machines and tools needed to complete the hands-on portion of the exercises including the following:
- Backtrack 4
- Fedora Core 12
To ensure a level playing field for all candidates, you will not be permitted to use any pre-installed favorite tools that you may have on your laptop. To complete the exercises you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.
The following is a partial list of some tools and techniques you can expect to encounter during GSE exercises.
- sniffers/IDS - wireshark/snort
- scanners - nmap/nessus
- utilities - netcat, ssh, gpg, iptables
- misc - metasploit, command line tools, and common attack techniques
Before a person can attempt the GSE, they must successfully complete three GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two. In addition, you must have real world, hands-on experience in these subject areas. The GSE hands-on examination ensures each candidate has a high degree of competence in each of the objectives listed below.
GIAC reserves the right to request that candidates who are unsuccessful in one domain of the GSE lab by a slim margin complete additional work outside of the GSE lab before awarding any credential.
GIAC also reserves the right to require any candidate to retake the entire lab.
GIAC also reserves the right to change any exam specifications until 30 days prior to the exam.
| Objective | Outcome - The GIAC promise is that holders of the GSE will have the following capabilities. |
|---|---|
| IDS and Traffic Analysis Domain | |
| Capture Traffic | Demonstrate competence with common IDS tools and techniques for capturing traffic. |
| Analyze Traffic | Demonstrate the ability to decipher the contents of packet capture headers. |
| Interpret Traffic | Make correct judgments as to the nature of traffic to or from specific hosts in packet captures. |
| IDS Tools | Demonstrate proficiency using common Open Source IDS tools including Snort, tcpdump, and Ethereal. |
| Incident Handling Domain | |
| IH Process | Demonstrate mastery of the Incident Handling process. |
| Common Attacks | Demonstrate a broad knowledge of computer and network attacks. |
| Malware | Demonstrate solid understanding of malware and how to handle infected computers. |
| Preserving Evidence | Demonstrate the ability to preserve evidence relevant to an Incident investigation. |
| Windows Security | Demonstrate general knowledge of Windows Security and proficiency in a Windows environment. |
| Unix Security | Demonstrate knowledge of Unix Security and proficiency in a Unix environment. |
| Secure Communications | Demonstrate an understanding of basic cryptography principles, techniques, and tools. |
| Protocols | Demonstrate a solid understanding of TCP/IP, UDP, ICMP, DNS, and other common protocols. |
| Security Principles | Consistently demonstrate and practice bedrock security principles. |
| Security Technologies Domain | |
| Firewalls | Demonstrate competence with firewalls. |
| Vulnerability Scanners, and Port Scanners | Demonstrate competence with scanning tools including vulnerability and port scanners. |
| Sniffers and Analyzers | Demonstrate competence with Sniffers and Protocol Analyzers. |
| Common Tools | Demonstrate competence with common tools including netcat, SSH, Ettercap, p0f, etc. |
| Soft Skills Domain | |
| Security Policy and Business Issues | Demonstrate an understanding of the security policy and business issues including continuity planning. |
| Information Warfare and Social Engineering | Demonstrate an understanding of Information Warfare and Social Engineering. |
| Ability To Write | Demonstrate the ability to write quality technical reports or articles. |
| Ability to Analyze | Demonstrate the ability to analyze complex problems that involve multiple domains and skills. |
Note: Specific versions of tools, operating systems, and objectives are subject to change without prior notice.
For a copy of the slides for the GSE Brief we've given at several SANS conferences, click here.
Retake Policy -- A person who has unsuccessfully attempted either the multiple choice exam or hands-on lab must wait a year before they are eligible to purchase another attempt. The price for each attempt is the same.
Renewal Policy -- The GSE is renewed every four years by taking a multiple choice exam. There are no CPEs or exceptions.
Those who pursue an in-depth technical education in all areas of information security are the target audience for the GSE certification. Knowledge in a particular area, such as Intrusion Detection or Incident Handling, is important and valuable. Individuals who earn any of the GIAC certifications have worked hard, demonstrated essential technical skill, and should rightfully take pride in their accomplishment. But individuals who make the effort to not only learn, but to master all of the essential elements of information security belong in a very special group. These individuals will be the elite of Information Security, the top practitioners in the field. Candidates who receive and maintain all of the GSE track certifications* and earn gold status in at least 2 certifications are eligible to sit for the GIAC Security Expert (GSE) certification.
GIAC Testing and Certification offers individuals the opportunity to demonstrate their comprehensive and real world knowledge through intensive testing in subject areas including Information Security, Intrusion Detection and Incident Handling. The SANS Institute offers training to prepare you for these certifications through conferences and other learning opportunities.