GIAC Security Expert (GSE) Overview
The GSE certification is the most prestigious in the IT Security industry. The current exam was developed by subject matter experts and top industry practitioners. The GSE's performance based, hands-on nature sets it apart from any other certifications in the IT security industry. The GSE will determine if a candidate has truly mastered the wide variety of skills required by top security consultants and individual practitioners.
The GSE exam has two parts:
Part 1: Multiple Choice Exam: The GSE multiple choice exam must be taken at a proctored location, just like any other GIAC exam. The current version of the GSE multiple choice exam has the passing score set at 75% and a time limit of 3 hours. Passing this exam qualifies a person to sit for the GSE hands-on lab.
The GSE multiple choice exam follows GIAC's standard retake policy. Click here for information: http://www.giac.org/exams/retakes-and-extensions
Once you successfully complete Part 1, you must sit for the GSE lab within 18 months of the date of completion. Failure to do so will require Part 1 to be re-completed.
Part 2: 2-day GSE Lab exam:
Day 1 of the GSE lab consists of an incident response scenario that requires the candidate to analyze data and report their results in a written report. Day 2 consists of a rigorous battery of hands-on exercises drawn from all of the domains listed below.
- GIAC reserves the right to request candidates who are unsuccessful in one domain of the GSE lab complete additional work outside of the GSE lab before awarding the credential.
- GIAC reserves the right to require any candidate to retake the entire lab.
Target Audience: Those who pursue an in-depth technical education in all areas of information security are the target audience for the GSE certification.
To reserve a seat for a GSE lab, you must have met the following two requirements:
- Successfully pass the multiple choice exam at least 30 days prior to the lab date. (This must be done before you are eligible to complete step 2.)
- Pay for the lab and requested a seat at least 30 days prior to the lab date.
The GSE is valid for four years and is maintained by passing the current version of the multiple choice exam every four years.
So long as you maintain your GSE certification, it automatically maintains and renews all other GIAC certifications you held in current standing prior to earning the GSE, as well as any additional certification you may earn once you are GSE certified.
- You will need the appropriate pre-requisite certifications. (See below)
- Once your application is reviewed and approved you may register for the multiple choice exam and pay a $399 fee.
- Upon passing the multiple choice exam, you are eligible to attempt the GSE hands-on lab. The lab fee is an additional $2,100.
- Please allow up to 10 business days for application processing and approval.
GSE Pre-requisites (updated 10-12-2009):
GSE pre-requisite baseline is: GSEC, GCIH, GCIA with two gold. GSEC pre-requisite is unique because of dual windows and unix coverage.
- GCWN & GCUX combined can act as a substitute for GSEC
- Higher level certifications can act as substitutes for gold papers examples: GCFA, GPPA, GCUX, GCWN, GCED, GPEN, GWAPT, GAWN, GREM
GSE pre-requisite list (including substitution options):
- GSEC, GCIH, GCIA with two gold
- GSEC, GCIH, GCIA with one gold and one substitute
- GSEC, GCIH, GCIA with no gold and two substitutes
- GCWN, GCUX, GCIH, GCIA with one gold
- GCWN, GCUX, GCIH, GCIA with no gold and one substitute
The skills required to successfully complete the GSE exam can be broken up into three major groups:
- General security skills
- Incident handling skills
- Intrusion detection and analysis skills
During the GSE lab, GIAC will provide a laptop to you with the following tools installed:
Tools and Versions
- Windows 7 Professional
- LibreOffice (version 4.4)
- VMWare Player (version 7.1)
- The Putty SSH suite and WinSCP
- Burp Suite
- A virtual machine with a customized configuration of Kali Linux 1.1.0a, with included security tools. We have also installed Snort, SiLK and Bro IDS. You can find a list of standard tools included with Kali Linux here (http://tools.kali.org/tools-listing).
- Virtual machines with Ubuntu Linux Server
To ensure a level playing field for all candidates, you will not be permitted to load data, software, or electronic references onto the computer for the exam. We will provide external mice, but you will not be permitted to attach additional peripherals (monitors, keyboards) to the candidate laptops. To complete the exercises, you must exclusively use the tools and virtual machines provided by GIAC. Failure to comply will result in dismissal from the examination.
The following is a partial list of some tools and techniques you can expect to encounter during GSE exercises.
- sniffers/IDS - wireshark, snort
- Scanners - nmap, Nessus vulnerability scanning results
- utilities - netcat, ssh, gpg, iptables
- miscellaneous - metasploit, command line tools, and common attack techniques
Before a person can attempt the GSE, they must successfully complete three GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two. In addition, you must have real world, hands-on experience in these subject areas. The GSE hands-on examination ensures each candidate has a high-degree of competence in each of the objectives listed below.
GIAC reserves the right to request that candidates who are unsuccessful in one domain of the GSE lab by a slim margin complete additional work outside of the GSE lab before awarding any credential.
GIAC also reserves the right to require any candidate to retake the entire lab.
GIAC also reserves the right to change any exam specifications until 30 days prior to the exam.
|Objective||Outcome - The GIAC promise is that holders of the GSE will have the following capabilities.|
|IDS and Traffic Analysis Domain|
|Capture Traffic||Demonstrate competence with common IDS tools and techniques for capturing traffic.|
|Analyze Traffic||Demonstrate the ability to decipher the contents of packet capture headers.|
|Interpret Traffic||Make correct judgments as to the nature of traffic to or from specific hosts in packet captures.|
|IDS Tools||Demonstrate proficiency using common Open Source IDS tools including Snort, tcpdump, and Wireshark|
|Incident Handling Domain|
|IH Process||Demonstrate mastery of the Incident Handling process.|
|Common Attacks||Demonstrate a broad knowledge of computer and network attacks.|
|Malware||Demonstrate solid understanding of malware and how to handle infected computers.|
|Preserving Evidence||Demonstrate the ability to preserve evidence relevant to an Incident investigation.|
|Windows Security||Demonstrate general knowledge of Windows Security and proficiency in a Windows environment.|
|Unix Security||Demonstrate knowledge of Unix Security and proficiency in a Unix environment.|
|Secure Communications||Demonstrate an understanding of basic cryptography principles, techniques, and tools.|
|Protocols||Demonstrate a solid understanding of TCP/IP, UDP, ICMP, DNS, and other common protocols.|
|Security Principles||Consistently demonstrate and practice bedrock security principles.|
|Security Technologies Domain|
|Firewalls||Demonstrate competence with firewalls.|
|Vulnerability Scanners, and Port Scanners||Demonstrate competence with scanning tools including vulnerability and port scanners.|
|Sniffers and Analyzers||Demonstrate competence with Sniffers and Protocol Analyzers|
|Common Tools||Demonstrate competence with common tools including netcat, SSH, Ettercap, p0f, etc...|
|Soft Skills Domain|
|Security Policy and Business Issues||Demonstrate an understanding of the security policy and business issues including continuity planning.|
|Information Warfare and Social Engineering||Demonstrate an understanding of Information Warfare and Social Engineering.|
|Ability To Write||Demonstrate the ability to write quality technical reports or articles.|
|Ability to Analyze||Demonstrate the ability to analyze complex problems that involve multiple domains and skills.|
Note: Specific versions of tools, operating systems, and objectives are subject to change without prior notice.
A copy of the slides for the GSE Brief we've given at several SANS conferences click here.
Retake Policy -- A person who has unsuccessfully attempted either the multiple choice exam or hands-on lab must wait a year before they are eligible to purchase another attempt. If you wish to retake prior to 1- year, you may apply for a waiver by filling out the following form and emailing it to firstname.lastname@example.org. The price for each attempt is the same.
Due to the hand-on nature of the GSE lab, there is a *3 attempt limit* on GSE lab attempts.
Renewal Policy -- The GSE is renewed every four years by taking a multiple choice exam. There are no CPEs or exceptions.
Those who pursue an in-depth technical education in all areas of information security are the target audience for the GSE certification. Knowledge in a particular area, Intrusion Detection or Incident Handling are both important and valuable. Individuals who earn any of the GIAC certifications have worked hard, demonstrated essential technical skill, and should rightfully take pride in their accomplishment. But individuals who make the effort to not only learn, but to master all of the essential elements of information security belong in a very special group. These individuals will be the elite of Information Security, the top practitioners in the field. Candidates who receive and maintain all of the GSE track certifications*, earn gold status in at least 2 certifications are eligible to sit for the GIAC Security Expert (GSE) certification.
GIAC Testing and Certification offers individuals the opportunity to demonstrate their comprehensive and real world knowledge through intensive testing subject areas including Information Security, Intrusion Detection and Incident Handling. The SANS Institute offers training to prepare you for these certifications through conferences and other learning opportunities.View GSE Professionals