[Cisspstudy] Bell-Lapadula?
Clement Dupuis
clement.dupuis at cccure.com
Mon Sep 7 06:24:41 EDT 2009
I think it is another VERY BAD question from ISC2.
Their book has many that are wrong (unfortunately).
Access modes are covered as well. See extract below from Wikipedia:
A system state is defined to be "secure" if the only permitted access modes
of subjects to objects are in accordance with a security policy
<http://en.wikipedia.org/wiki/Security_policy>.
To determine whether a specific access mode is allowed, the clearance of a
subject is compared to the classification of the object (more precisely, to
the combination of classification and set of compartments, making up the
*security level*) to determine if the subject is authorized for the specific
access mode. The clearance/classification scheme is expressed in terms of a
lattice. The model defines two mandatory access control
<http://en.wikipedia.org/wiki/Mandatory_access_control> (MAC) rules and one
discretionary access control
<http://en.wikipedia.org/wiki/Discretionary_access_control> (DAC) rule with
three security properties:
I would trash the question
Best regards
Clement
Clément Dupuis, CD
CISSP, GCFW, GCIA, Security+, CEH, ECSA, LPT, CCSA, CCSE, MBNS, MBIS, MBHS,
ACE
----------------------------------------------------------------------------------------------
In real life:
Senior Security Specialist and Instructor
Security University
>> Call me to get the best CISSP training <<
----------------------------------------------------------------------------------------------
In Cyberspace:
President/Security Evangelist/Chief Learning Officer (CLO)
The CCCure Family of Portals
----------------------------------------------------------------------------------------------
Business: 407 479 3903
Fax: 407 264 8396
Maintainer of :
The CISSP and SSCP Open Study Guides Web Site
http://www.cccure.org
The Professional Security Testers Warehouse
http://www.professionalsecuritytesters.org
Knowledge sharing and giving back to the community
On Mon, Sep 7, 2009 at 03:23, Vardhan, Aditya {PI} <
aditya.vardhan at intl.pepsico.com> wrote:
> Hi Clement,
>
> What is the best answer….
>
>
>
> *From:* cisspstudy-bounces at cccure.org [mailto:
> cisspstudy-bounces at cccure.org] *On Behalf Of *Clement Dupuis
> *Sent:* Saturday, September 05, 2009 12:06 AM
> *To:* The CISSP Study Mailing list
> *Subject:* Re: [Cisspstudy] Bell-Lapadula?
>
>
>
> Bell Lapadula does address flow control.
>
> It will not allow the information to flow in a way that would compromise
> Confidentiality, such as allowing a Secret document to be written into a
> Confidential container, for example. BLP has to be combined with the flow
> model and the state model to achieve something useful in real life.
>
> Take care
>
> Clement
>
> On Fri, Sep 4, 2009 at 14:27, <An.Dang at do.treas.gov> wrote:
>
> A) is very tempting as well ... or you can argue out of it because the word
> "control" ... involves with label.
>
> My review seminar instructor also gave the answer to a question for
> "certification" as "a set of technical ... by technical staff" while the CBK
> CD gave a different answer as well.
>
>
> ----- Original Message -----
> From: cisspstudy-bounces at cccure.org <cisspstudy-bounces at cccure.org>
> To: cisspstudy at cccure.org <cisspstudy at cccure.org>
> Sent: Fri Sep 04 12:00:01 2009
> Subject: cisspstudy Digest, Vol 15, Issue 7
>
> Today's Topics:
>
> 1. Bell-LaPadula Question?
> (Dallas, Michael J Civ USAF USAFE 100 CS/SCQ)
> 2. Re: Bell-LaPadula Question? (Clement Dupuis)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 4 Sep 2009 14:32:07 +0100
> From: "Dallas, Michael J Civ USAF USAFE 100 CS/SCQ"
> <mike.dallas at mildenhall.af.mil>
> To: "'cisspstudy at cccure.org'" <cisspstudy at cccure.org>
> Subject: [Cisspstudy] Bell-LaPadula Question?
> Message-ID:
> <200909041321.n84DLgKl036775 at mset-fwl-002.lakenheath.af.mil>
> Content-Type: text/plain; charset="us-ascii"
>
> I received this question in a practice exam provided by a recent ISC2 CBK
> review seminar. I was told the correct answer is C, however I don't agree
> with it as need-to-know would be an important factor with this model. What
> do you all think? My guess on this was D.
> 24. What is one issue NOT addressed by the Bell-LaPadula model?
> (A) Information flow control
> (B) Security levels
> (C) Need to Know
> (D) Access modes
>
> Thanks,
> Mike
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Sep 2009 11:56:52 -0400
> From: Clement Dupuis <clement.dupuis at cccure.com>
> To: The CISSP Study Mailing list <cisspstudy at cccure.org>
> Subject: Re: [Cisspstudy] Bell-LaPadula Question?
> Message-ID:
> <959788640909040856y707aa912qad05febc04e63f50 at mail.gmail.com>
> Content-Type: text/plain; charset="windows-1252"
>
> The need to know is addressed by the use of labels.
>
> Bell Lapadula was built to secure multilevel secure databases. They were
> under Mandatory Access control.
>
> The labels contain a security clearance (sensitivity) and also categories.
> The categories enforce the need to know.
>
> So it is definitively wrong
>
> Take care
>
> Clement
>
>
> ------------------------------
>
> _______________________________________________
> cisspstudy mailing list
> cisspstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
>
> End of cisspstudy Digest, Vol 15, Issue 7
> *****************************************
>
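Added example, not part of the original thread: a minimal Python sketch of the two mandatory Bell-LaPadula rules discussed above, showing how the categories in a label enforce need to know and how the *-property stops a Secret subject from writing into a Confidential container. The level names, compartment names and sample subjects/objects are constructed for illustration, and the discretionary (access matrix) rule is left out.

```python
from dataclasses import dataclass

# Hierarchical sensitivity levels (constructed ordering for this example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security level: sensitivity plus a set of categories (compartments)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice ordering: at least as sensitive AND holding every category.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, mode: str) -> bool:
    """Apply the mandatory BLP rules to one access mode."""
    if mode == "read":      # simple security property: no read up
        return subject.dominates(obj)
    if mode == "append":    # *-property: no write down
        return obj.dominates(subject)
    if mode == "write":     # read and alter: both rules must hold
        return subject.dominates(obj) and obj.dominates(subject)
    if mode == "execute":   # neither observes nor alters: no MAC restriction
        return True
    raise ValueError(f"unknown access mode: {mode}")


# Constructed sample subject and objects.
ANALYST = Label("Secret", frozenset({"CRYPTO"}))
CRYPTO_MEMO = Label("Confidential", frozenset({"CRYPTO"}))
NUCLEAR_REPORT = Label("Secret", frozenset({"NUCLEAR"}))
CONFIDENTIAL_BIN = Label("Confidential")
TOP_SECRET_ARCHIVE = Label("Top Secret", frozenset({"CRYPTO"}))

if __name__ == "__main__":
    checks = [
        (CRYPTO_MEMO, "read"),         # cleared and has the category
        (NUCLEAR_REPORT, "read"),      # same level, lacks the category
        (CONFIDENTIAL_BIN, "append"),  # write down to a lower container
        (TOP_SECRET_ARCHIVE, "append"),
    ]
    for obj, mode in checks:
        verdict = "allow" if blp_allows(ANALYST, obj, mode) else "deny"
        print(f"{mode:7} {obj.level:13} {sorted(obj.categories)} -> {verdict}")
```

The denied read of the NUCLEAR object happens at the subject's own sensitivity level, so the decision is made purely by the category set.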