REVIEW: "The GSEC Prep Guide", Mike Chapple

From: Rob Slade, doting grandpa of Ryan and Trevor (
Date: 11/10/03

Date: Mon, 10 Nov 2003 15:39:42 GMT


"The GSEC Prep Guide", Mike Chapple, 2003, 0-7645-3932-9,
%A Mike Chapple
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2003
%G 0-7645-3932-9
%I John Wiley & Sons, Inc.
%O U$60.00/C$90.99/UK#41.95 416-236-4433 fax: 416-236-4448
%P 448 p. + CD-ROM
%T "The GSEC Prep Guide: Mastering SANS GIAC Security Essentials"

The SANS (System administrators, Audit, Network, Security) Institute
GIAC (Global Information Assurance Certification) Security Essentials
Certification (GSEC) is supposed to be the "core" program for the
various GIAC courses and exams.

Chapter one covers some basic, but random, security concepts and
topics. A list of sample questions, intended to help the
student/candidate prepare for the GSEC exam, is given at the end of
every chapter. If these truly represent the level and type of
questions on the exam then getting the GSEC is a snap: quick, which
type of situation is worse, one that has low threat and low
vulnerability or high threat and high vulnerability? (On the other
hand, you may have to know the party line: one question insists that
you credit SANS with the concept of defence in depth, and there is a
concept of "separation of privilege" that seems to be what everyone
else refers to as separation of duties.) Security policies are
discussed in a verbose but almost "content-free" manner in chapter
two. Virtually nothing is said about the policy process and different
functional types of policies. Again, there is a demand for
idiosyncratic jargon: high level policies are "program" policies,
whereas detailed policies (mostly procedural, given the list
discussed) are "issue-specific." One term that might be worth
adopting is "system-specific policy": those who deal with policies
know that it is difficult to have exceptions documented. Using this
term for deviations, as SANS does, may reduce the resistance to noting
the irregularities. There are some basic ideas about risk assessment
and management in chapter three, but most of the text reviews network
scanning tools. Chapter four contains network nomenclature, Cisco
equipment filtering command arguments, and miscellaneous IP (Internet
Protocol) protocols in varying depth. There are a brief list of the
titular "Incident Handling" factors contained in chapter five, as well
as random legal terms. The discussion of cryptography in chapter six
is reasonable up to the point of symmetric block ciphers, but
subsequent material has errors (keystream data should *not* repeat
during the course of a message), confusing diagrams, and unhelpful
mathematics. There is no deliberation about the usage of public key
cryptography, hashes, and digests until chapter seven, which, despite
the title, has absolutely nothing to say about "Applications
Security." Chapter eight provides a simple overview of firewalls and
intrusion detection systems (IDSs) but is not overly detailed: no
distinction is made between application and circuit-level proxies, and
some of the statements made are clearly incorrect for circuit devices.
There is a grab bag of malware, cryptanalysis, attack methods and more
in chapter nine. The content on operations security is limited to
assorted aspects and tools of Windows and UNIX that might be related
to secure processing, in chapters ten and eleven respectively.
Chapter twelve is a practice exam. It's pretty easy.

The GSEC is sometimes said to be adequate preparation for the CISSP
(Certified Information Systems Security Professional) exam, but there
are significant gaps in GSEC's coverage of the security topic.
Although risk assessment and policy are discussed, management issues
and access controls get limited substance in GSEC. Security
architecture, applications security, physical security, and business
continuity are all missing, while operations are restricted to Windows
and UNIX.

This book does provide some useful direction in regard to information
systems security, but readers should be warned that the missing pieces
will probably be very important at some point.

copyright Robert M. Slade, 2003 BKGSECPG.RVW 20030918

"If you do buy a computer, don't turn it on."     - Richards' 2nd Law
============= for back issues:
[Base URL] site
      or mirror
CISSP refs:     [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews:   [Base URL]mnbk.htm
                [Base URL]review.htm
Security Educ.:
Review mailing list: send mail to