The protection of information assets is a top priority for any business or organization, which explains the growing need for experts in a number of different InfoSec job roles. In particular, there is always great demand for information assurance analysts, whose duty is to protect the corporate environment from hackers and cyber threats, monitor network activity, solve problems quickly, and find ways to mitigate future risks. Also in demand are information assurance managers, who are in charge of finding vulnerabilities and creating security plans (risk assessments and disaster recovery preparations) to prevent future attacks and recover from them through controls, policies, and guidance.

IT specialists skilled in Information Assurance (IA) looking for the right security certification can rely on the GIAC series that has the standard frameworks and guidance to test learners and ensure they are qualified for job roles in InfoSec. Those who prepare for and certify through the Global Information Assurance Certification (GIAC) program will be able to demonstrate a set of knowledge, skills, and abilities (KSAs) to meet the demands of IA jobs.

Education/training and certifications are valuable in making sure professionals keep current with the latest trends and technology. In a field where things change daily, those interested in Information Assurance and Security (IAS) should seek continuous training opportunities to learn about the latest developments. In particular, they need to pay attention to threat trends and attack vectors that change over time and get familiar with the latest methods and lessons-learned approaches to solving problems in the IAS field. In addition to lifelong learning, professional certification (and recertification) for specific occupations is important to attest that knowledge is current; it gives professionals a framework within which to continue learning and validate their current skills.

GIAC Certifications: An Overview

GIAC certifications cover all areas of the IA knowledge spectrum (Security Administration, Forensics, Management, Audit, Software Security, Legal) and are sole-sourced by SANS. An institute founded in 1989 for research and education in the computer security field, SANS (SysAdmin, Audit, Network and Security) provides training programs and is one of the largest repositories of IT research documents in the world. In 1999, the SANS Institute formed the Global Information Assurance Certification (GIAC), an independent information security certification entity used to test candidates’ knowledge and skill level and validate their expertise as computer security professionals.

The GIAC certifications test students and/or experts already in the field on key areas of information security to ensure they have the competence required today to secure and protect computer systems and networks. GIAC certifications are well respected in many IT organizations and, as GIAC affirms, are trusted by thousands of companies and government agencies, including the United States National Security Agency (NSA). Many employers are even willing to cover the costs of these certifications and might require them of their employees or job candidates as a guarantee of a certain level of expertise and knowledge.

GIAC certification holders can keep their computer security qualifications current through periodic recertification. Certified GIAC practitioners can progress through the silver level, gold status (which requires developing a technical report) and the platinum level (the highest certification available).

Pricing for certifications through GIAC is consistent across the board. The cost of a certification exam is $1,149 (or $659 if taken after completing the accompanying SANS course). Re-attempting the test costs applicants $659; however, those who fail and want to attempt the exam again have a 30-day waiting period, after which the tester will again need to pay the fee and schedule an exam appointment. After three failed attempts, candidates must wait a year before trying again to earn their GIAC certification. Certified professionals who wish to recertify, after four years, will need to pay $399 for a new exam.

Prices are higher for the GIAC Security Expert (GSE) option, which costs $2,100 for the Hands-on Lab and $399 for the Multiple Choice Exam. The GSE certification is considered the most prestigious of the GIAC options in the IT security industry, and it differs from all the others thanks to its practical, hands-on component. The GSE extensively tests InfoSec professionals on the wide range of skills required of expert security consultants. Through this option, GIAC offers the first true technical InfoSec certification, requiring candidates to pass exams that demonstrate that they have “the true hands-on skills that go beyond theory and tests on the pragmatics of security administration, management, audit, and software security.”

Why Information Assurance Training and Certification?

Certifications like GIAC can open up a career field and can help land a top-notch cybersecurity job. For managers and technology professionals alike, it is always a plus to have one of these certifications on their resume, apart from their practical experience. Because of advances in Information and Communication Technology (ICT) and the fast growth of the information assurance (IA) field, IT professionals specialized in IA are in demand to help deter information security breaches, which often have devastating effects on business. Their role in ensuring the security of the organization’s critical infrastructure is crucial for today’s workforce, which needs to be able to rely on safe information processing, storage and transmission. As malicious hackers become more and more savvy and employ advanced technology to elude countermeasures, it is important that IA/IT professionals train continuously to recognize the latest threats and trends. Whether for personal development or enrichment, that is where IA training and certification come into play: certifications guide professionals through a review of all the knowledge and skills required to perform their job at their best, and also give a good picture of how current the professional’s skillset is. Each GIAC exam tests comprehension of its course and is used “to measure the specific knowledge needed by people at each level of their careers,” as noted by cmadmin in Certification Magazine. As GIAC’s official website puts it, “candidates earning GIAC certifications and employers who hire them can be confident that a holder of a GIAC certification possesses the skills and know-how to get the job done.”

Certifications can set people apart from non-certified applicants; an employer often prefers to hire certification holders with information assurance-related work experience. Though the market for information assurance and other InfoSec personnel is likely to remain strong, in today’s ever-changing labor market, security job seekers and experienced IT professionals will need to meet or exceed certification requirements to remain competitive. The GIAC Certification Roadmap can help determine which security certifications are right for specific job needs or career goals. Because many IA professionals perform multiple roles over the course of their career, the security-centric certifications offered by GIAC help candidates identify the right path to the desired work role and career progression.

The GIAC Program: Exam Info and Related Course

Planning to take any of GIAC’s exams in the near future? The GIAC Certification Portal is where the candidate logs in and demonstrates whether he or she has the practical knowledge, skills and awareness to perform job duties at a competent level.

Candidates can register through the GIAC Certification Exam Sign-up page by filling out an online form and paying the related fee. Once registration is complete, the candidate is authorized to attempt the GIAC certification of their choice. The certification attempt is taken online, in a proctored environment, through Pearson VUE, GIAC’s primary exam delivery partner, whose network of host locations comprises 3,500 testing centers worldwide.

GIAC certification exams are open-book, which means testers are allowed to use books and notes in the testing center room. Once the candidate has access to the exam material, there is no turning back, as vouchers are non-transferable and non-refundable.

GIAC study material and practice tests are available via online registration. The exam preparation material helps students master the material covered by the GIAC certification exams, and applicants receive free GIAC practice tests once they register. Questions can be directed to info@giac.org, or, for specific problems with registration, to registration@giac.org.

The specific types of questions that appear on the certification exam, the allotted time, and the minimum passing score depend on the requirements of each certification. For example, the GCIH exam has 150 multiple-choice questions, allots 240 minutes for completion and requires a minimum passing score of 72%, whereas GSEC has 180 multiple-choice and advanced questions, gives 300 minutes to complete it, and has a minimum passing score of 74%.

The following list gives some details of the objectives of several GIAC certifications.

GIAC Assessing and Auditing Wireless Networks (GAWN)

This cert for auditors, network administrators, and penetration testers covers knowledge of different security mechanisms, using a range of tools and techniques to find the vulnerabilities or weaknesses specific to wireless networks. In essence, it covers IT security auditing best practices (from installation to configuration for maximum security) for a Wi-Fi network. In particular, topics covered include attacking and securing DECT, LEAP, PEAP, WPA2 and more; protecting wireless devices; evaluating hotspots; defending against DoS attacks; securing and configuring wireless clients; and sniffing traffic. Those who pass this test demonstrate expert skills in assessing the security of wireless networks.

SANS Course – SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses (6 days). The training awards 36 CPEs.

Exam: 75 questions

Time limit: 2 hours

Minimum Passing Score: 71%

Estimated Annual Median Salary: $70,000

GIAC Mobile Device Security Analyst (GMOB)

A cert aimed at professionals tasked with finding vulnerabilities in, and preventing data loss from, mobile devices that are targeted and attacked by hackers. The test covers the security controls and updates needed to defend against an increasing number of hacks that place these devices at higher risk. It tests professionals on their knowledge of mobile device architecture, configuration, and encryption, as well as common attack methods including sidejacking, jailbreaking and SSL/TLS attacks. The application of security policies and the security analysis of mobile apps are also tested, as is the ability to set up an efficient penetration testing program. The professional also needs to demonstrate competence in securing the newest mobile technologies, including wearable devices.

SANS Course – SEC575: Mobile Device Security and Ethical Hacking (6 days). The training awards 36 CPEs.

Exam: 75 questions

Time limit: 2 hours

Minimum Passing Score: 66%

Estimated Annual Median Salary: $70,000

GIAC Penetration Tester (GPEN)

This certification involves assessing target networks and systems to find vulnerabilities and mitigate their effects. Applicants demonstrate their ability to execute penetration tests and follow best practices. Specialists are evaluated on the ins and outs of penetration-testing methodologies for data security from both a technical and a non-technical standpoint; in fact, legal issues are also addressed. The test covers attacks on passwords and password hashes, conducting and analyzing port and operating system scans, and advanced Windows PowerShell skills.

SANS Course – SEC560: Network Penetration Testing and Ethical Hacking (6 days). The training awards 37 CPEs.

Exam: 115 questions

Time limit: 3 hours

Minimum Passing Score: 74%

Estimated Annual Median Salary: $80,000

GIAC Web Application Penetration Tester (GWAPT)

A cert that covers knowledge of the web application exploits that can target organizations today. The test covers the professional’s ability to spot web app flaws, which are a major problem for today’s organizations and are responsible for many incidents involving credit card theft and financial loss. The professional will need to demonstrate specific knowledge of the tools required for security testing of web applications built with web languages (JavaScript with AJAX), as well as of SQL injection attacks and vulnerabilities. He or she will also demonstrate the ability to audit websites and find possible flaws in their design and configuration. Of course, the candidate will also need to demonstrate an understanding of all the techniques, tools, languages and structures needed to build websites, as well as the techniques used for mapping them: port scanning, spidering and application flow charting are covered.

SANS Course – SEC542: Web App Penetration Testing and Ethical Hacking (6 days). The training awards 36 CPEs.

Exam: 75 questions

Time limit: 2 hours

Minimum Passing Score: 71%

Estimated Annual Median Salary: $80,000

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

This cert is appropriate for those with prior experience primarily in penetration testing, as the exam/course is ‘advanced’ and requires using tools, or working manually, to find security flaws and identify issues and solutions in a variety of domains – systems, networks, applications, architecture, etc. The candidate will need to demonstrate expert knowledge of bypassing network access control systems, advanced fuzzing techniques and exploiting common vulnerabilities in crypto. The professional will also need to demonstrate hands-on experience in a variety of situations, from advanced network attacks to Linux and Windows memory exploitation, Python scripting, and fuzzing and network attacks for penetration testers.

SANS Course – SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (6 days). The training awards 46 CPEs.

Exam: 55-75 questions

Time limit: 3 hours

Minimum Passing Score: 66%

Estimated Annual Median Salary: Over $100K; on average $105,000 (payscale.com)

These are five sought-after GIAC certifications; SANS says: “Each of these certifications indicates a holder possesses the technical expertise and has mastered the process components vital to implementation and execution of information security best practices.” Holding one of these certifications will enable professionals to qualify for many IA positions, specialties and levels. There is definitely a GIAC certification program for everyone working in IT security!

Conclusion

GIAC claims its certifications help IT security professionals earn promotions, additional salary and pay raises faster, as many organizations treat certs as a factor that gives employees the upper hand in a hiring or advancement situation. Typically, more years of experience result in higher pay, but there appears to be a strong correlation between holding an IT certification and earning better pay in some cases, or even moving up the career ladder more quickly, as noted on the Salary Data and GIAC Reputation page. Although the number of information security certifications available today is increasing, “the GIAC certification will likely become the preferred credential,” affirms GIAC, which lists the benefits of its own certs and explains why certifying can be important with or without formal SANS training.

GIAC certification might help professionals secure the job they desire, but salary will be based on the actual position they land. According to PayScale, Inc., an Information Assurance Analyst earns about $74K per year, and that salary is “mainly influenced by location, followed by career duration and the particular employer.” PayScale also notes that “Information Assurance Analysts often transition into Information Assurance Manager positions, for which compensation tends to be much higher. On average, Information Assurance Managers earn $88K per year.” Information Assurance Specialists can earn as much as $93K a year or more. As for the average salary of a Certified Penetration Tester (CPT) or an Advanced Penetration Tester (GXPN), they can earn a six-figure income, i.e. over $100K.

References

Cmadmin. (2006, December 19). Real-World Expertise Security Professionals. Retrieved from http://certmag.com/sans-giac-real-world-expertise-security-professionals/

GIAC. (n.d.). Certifications. Retrieved from http://www.giac.org/certifications

IT Security Career. (n.d.). Training and Certs. Retrieved from http://www.itsecuritycareer.com/certifications/

Messmer, E. (2013, August 19). 7 IT security skills certifications on the rise. Retrieved from http://www.networkworld.com/article/2170044/security/7-it-security-skills-certifications-on-the-rise.html

SANS-EMEA. (n.d.). Why Certify with GIAC. Retrieved from https://uk.sans.org/giac-certifications/why-certify

SANS Penetration Testing. (n.d.). Certification: Overview. Retrieved from http://goo.gl/5gNBkY

Tittel, E. & Lindros, K. (2016, April 7). SANS GIAC Certification Guide: Overview And Career Paths. Retrieved from http://www.tomsitpro.com/articles/sans-giac-certification-guide,2-839.html

Warner, T. L. (2009, February 24). Introduction to the GIAC Certification Program. Retrieved from http://www.informit.com/blogs/blog.aspx?uk=Introduction-to-the-GIAC-Certification-Program