Tuesday, October 11, 2016

What not to do when taking a GIAC exam

I’ll discuss these in more detail, but here are a few items worth considering avoiding. I’m writing this the day after I passed my GIAC GXPN with my lowest score ever on a GIAC exam (90%). I’m accustomed to scoring 95% or better, and I feel like I had subpar performance on this exam. So, I’ll discuss the things I didn’t do, so you won’t make the same mistakes. My GIAC certs: GSEC (SEC401), GCIA (SEC503), GCIH (SEC504), GCFA (FOR508), GMOB (SEC575), GASF (FOR585), GREM (FOR610), GXPN (SEC660).

In case you don’t know me and have found this blog post via the magic of search, I’m a Principal SANS Instructor, and consultant. Yes, I still take exams. I really care what I get for a score on my exams.

1. Don’t procrastinate
2. Don’t skip making an index
3. Don’t skip taking the practice exams
4. Don’t squander your time during the exam
5. Don’t beat yourself up


1. Don’t procrastinate
The biggest problem for this exam was that I took the class in April at SANS Orlando. I consistently advise students to (HTFU) and create the index within a week (two maximum) of taking the class, take a practice exam within two or three weeks, take a second practice exam if you got below an 80%, and take the actual exam within a week or two of the practice exam.
This exam, I simply didn’t do that. Why? Because I let my schedule dictate my priorities and failed to allocate and/or follow through on the index creation and practice exam. In retrospect, six months later, I didn’t spend any additional time over the last few weeks that I couldn’t have spent 5 or 6 months ago. I spent approximately 9 hours studying for the exam. Most of those 9 hours were not purely focused, and I had interruptions like messages and Twitter during that time. It was only as I was rushing out of my house, jetlagged, printing my just-completed index on my just-connected printer (I just moved ;) that I really dedicated my time.

2. Don’t skip making an index
My index methodology is something I’ve shared with a number of people. Check out the details and Perl script here: http://bit.ly/crowley-index-script . I’ve had people come up to me to introduce themselves, thanking me for helping them to pass exams based on this script. The method I use has been translated into Japanese: contact me via Twitter ( CCrowMontance ) if you want the Japanese version.
Short story for my index method is that I spend about 1-3 hours per book reviewing the content, and creating raw data to input to the Perl script. The raw data looks something like this:

14;GIAC, exam;exam, GIAC;certification, exam, GIAC;certification, exam, passing;exam, GIAC, pass

The point being that I include the topics on each page, in some cases referencing the same information multiple different ways. The reason for the duplication is that I don’t know how I’ll need to seek the data when I attempt to retrieve it. My memory is excellent, but my recall is terrible.
The index helps me quickly find detailed information in the books to confirm my thought, or differentiate a nuanced detail that I can’t recall.

3. Don’t skip taking the practice exams
This is where I deviated from my methodology substantially. My standard practice is to take a practice exam with my completed index then use the practice to update the index. I was simply too busy in the last month to complete this. I had already extended the exam once, and I really didn’t want to extend it a second time. So I skipped the practice exam. That hurt my score, I’m sure of it.
I did take a beta version of the new practical questions. But, that was just after I took the class. That was a cool experience, but in some ways skewed my perception about what the practical questions would be. In my beta exam, I used techniques covered in the class for developing exploits. In my actual exam, I needed to use pen test techniques covered in the class to exploit an environment.

4. Don’t squander your time during the exam
I look up questions in the book to verify that I’m right if I’m not 90% sure that I know the answer. I mark an answer after reading the question, then go to the book for validation. Infrequently, I have to change the answer. But, my stance is that I have the time to do this.
During this exam, I completely ran out of time, and just answered the last 5 (practical) questions without having any idea what the answers were. I started the practical section with only about 15 minutes left for the exam.

Additionally, in the practical section, I crashed a service that I wanted to interact with. To restart the service, I restarted the virtual machine environment. This took almost 4 minutes to complete. So, that consumed about 30% of my time to work on the practical questions.


5. Don’t beat yourself up
My score percentage went down over the course of the exam. My recollection of my checkpoint scores is below.
Splits:
Checkpoint 1: 100% (15/15)
Checkpoint 2: 93% (28/30)
Checkpoint 3: 91% (41/45)
Checkpoint 4: 90% (50/55)

That being said, I didn’t lose my cool during the exam. At the first checkpoint, I was surprised at the 100% mark. There were two questions in the first 15 that I wasn’t sure if I was falling for a trap, or if I was overthinking the question too much. One danger for me is going way down an esoteric thought process to answer the question, rather than simply answering the actual question. After 30 questions, I saw I had missed some. No worries. Move along.

When I took the GCFA, I answered two questions incorrectly. This was back when you saw if you answered the question correctly immediately after answering. My first incorrect answer was on a legal question related to German law. I was really upset that I got the answer wrong, because I spent about 10 minutes considering the information I had looked up in the book. I was so bothered by this, I got the next question wrong, too. I would have entered into a failure spiral if I hadn’t taken a few minutes right then to simply stop answering questions, and allow the frustration and ire to dissipate. During that GCFA exam, I actually talked myself out of the frustration. If you’re feeling frustrated, counsel yourself that the frustration is detrimental. Pause as long as you need to, so you don’t make another mistake.

Here I am, unhappy with my performance. But, I got a 90%. I’ve done a root cause failure analysis, and will not do so poorly when I take the GIAC GMON here in the next few months.
Good luck on your cert exam, if you are embarking on it. If you have questions about how to use my Perl script ( http://bit.ly/crowley-index-script ) feel free to contact me on Twitter – CCrowMontance.


2 comments:

  1. Thanks for the tips, and for publishing your Perl script. I'll have to use it when I take my FOR508 exam.

  2. This is a nice write up. I would add, take advantage of the breaks, even if you don't "need" all of it. I just recertified GCIA, the proctor was very late opening the center and it threw me off. I finished the questions and used the break button before doing the practicals. I ended up not only using the washroom, but taking a few minutes to do some push-ups and stretching to get the blood flowing. I think it helped dissipate some of the stress and helped me perform better.

    I echo the proper preparation strategy, but I take a bit more time. I also like to listen to the MP3s, which I will do over a couple times before taking the exam. I "hear" different stuff every time I listen.

    I also carefully read the text as I'm studying and making my index. I try to think synoptically: where else have I seen this? as I'm reading. I think that helps "connect the dots."

    Thanks for taking the time to write all this up.