Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
Alright, let's get started.
Let's go.
Cybersecurity knowledge.
Speaker 2 (00:23):
All right, let's get started.
Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Today is CISSP Training Monday and we are going to be going over some amazing parts around Domain 3.2.
And this is the fundamentals of the Biba.
I can never say these names.
I'm just going to tell you right now: Biba Star Model, Bella
(00:44):
Pula Pula Bula, the different security models that are related to Domain 3.2.
So we're going to get into some of those, along with, at the end of it, some exam tips on how to be better prepared for this, because this is probably one of those that trip up a lot of people, because they're just a bunch of guys' names and they don't really make a whole lot of sense.
But we'll try to break that down into a way that makes a
(01:06):
little bit more sense to you and give you kind of maybe a little bit of a training aid to help you get ready for the CISSP exam.
But before we do, had a really quick article I wanted to bring up to your attention, like we do every single episode.
So this is the TransUnion data breach that occurred in July, and this is approximately 4.4 million people were affected by
(01:28):
this breach.
So the interesting part is actually 4,461,511.
Okay, that's very specific, but those are the people that were affected by this breach that occurred on July 28, 2025.
Now, this was not done via their own systems, per TransUnion.
This was done through a third-party application.
(01:48):
Oh, no, heaven forbid, a third party once again.
Yes, we all talk about that, and there's actually an article I read as well today that in Sweden, I think, there's a big ransomware attack that occurred in Sweden due to third parties not properly securing their connections.
So, yes, it is happening through third parties.
(02:08):
And why is this the big factor?
Well, because these guys and gals know that if they go after the third parties, that will cause massive disruption and can cause all kinds of drama.
This was done through.
Things that were lost were names, security numbers and dates of birth.
Again, if you haven't frozen your credit by now, shame on you.
You need to go freeze it if you're here in the United States,
(02:28):
specifically because, yeah, you're always getting breached one way or another, and if they can go ahead and attack TransUnion and get access to names, social security numbers and date of birth, they've got your stuff.
They probably have it multiple times and, yeah, if you're not freezing your credit, you are really setting yourself up for some sort of disaster.
The attack appears to be a broader one from the Salesforce
(02:52):
related breaches that have occurred, and I saw another one from Salesforce that might have affected Gmail as well.
This is the threat group called ShinyHunters, believed to be responsible specifically for this exploit as well.
So TransUnion has come out and said that they're working with law enforcement, LE, and the cybersecurity experts to investigate and contain the breach.
Obviously, they offered you the 24 months of free credit
(03:13):
reporting and monitoring assistance.
Yes, that is always what they offer and it's kind of like a placebo.
It's, after the fact, freeze your credit and then that isn't necessarily a big factor, and also use multi-factor on any sort of banking transactions you may have.
Again, TransUnion urges vigilance against phishing and unsolicited requests and verifies communications by
(03:35):
contacting the source directly, kind of.
All the stuff we talk about in the security training world is that you need to contact the source directly if somebody rings or pings you outside of normal channels.
Basically, if they're asking something from you, do not do it.
You reach out to them on the first set of it.
That's a good thing.
If they're reaching out to you, someone's trying to just say,
(03:56):
hey, you've been compromised, click this link.
Don't do it.
You guys know this, I know you do, but don't do it.
They also throw out the obligatory: make sure you have other security tools in place, such as antivirus tools, VPN, secure browsers and the like.
Yes, so don't really know, other than to say it's another one of those things that just occurred.
You need to plan for it and make sure you embrace and talk
(04:18):
to your people about this.
Make sure that you involve them in this overall plan.
I would give them some, maybe even a one-pager, sending that out saying that you may be getting something from TransUnion, but don't click on links.
Just go ahead and TransUnion will reach out to you and, if
(04:38):
they haven't already, and explain the situation.
So again, make sure that you have a good plan prepared for your people and that you are also freezing your credit as well.
All right, so let's move on to what we're going to talk about today.
Okay, so this is Domain 3.2, understanding the fundamental concepts of security models.
These are the various models and we're going to get into those.
There's basically eight big models that we'll go through, but there are some additional ones that may get called out in
(05:01):
the CISSP, and so we'll just kind of go through those as well in today's lesson.
All right, so here's an overview of what we're going to kind of get into.
The security models are for a designer's map, basically to create a security policy to development from beginning to end.
The security policies are typically non-prescriptive.
Right, models will help, they will help bind all that together
(05:22):
, and the models must support the overall security policy that you have come in place.
These are very similar to a framework, but their ultimate point is to provide guidance.
They aren't necessarily very prescriptive, but they're to provide some high-level guidance around what you should potentially do.
Okay, so this is the trusted computing base.
We're going to get into that.
(05:42):
This is the foundation of creating secure code, and the trusted computing base is a basis of what you do coding, and if you don't have a good trusted computing base, you have all kinds of drama that we'll talk about.
So this includes the operating system and the associated security mechanisms that are tied to this.
This means your hardware, your physical locations, hard network, your software, all of those different types of activities
(06:05):
are all tied into and need to be part of your trusted computing base.
Now, in this the provisions will be of the following: access authorization to resources, user authentication and your overall backup of data.
Those are some specific provisions that are set within the TCB.
Now the total combination of hardware, software and firmware that enforces security policy is the TCB, and it is trusted to
(06:28):
enforce the CIA triad.
It's your confidentiality, integrity and availability.
Anything outside of the TCB is not trusted and therefore security mechanisms must be in place, and it is not trusted to be enforced any level of security for your operating system.
So you'll hear the use of the trusted computing base a lot,
(06:50):
especially when you're dealing with various levels of development activities.
Now the TCB came up by a gentleman by the name of John Rushby.
He defined the TCB as a combination of kernel and trusted processes.
So when we talk about the kernel, that is the hardware aspects that you'll deal with your system and that is down to
(07:10):
the kernel level processes, software.
These are trusted processes that are layered on top.
Now the TCP, the TCB, is very small in size and it basically works together to form a trusted base between the software, the hardware aspects of the, the kernel and the software aspects to enforce the security policy, between the two.
(07:31):
Now there is a book series, and that's not like Nancy Drew or any, see, I just dated myself, or any other book series, could be Harry Potter.
It's part of what they call the Rainbow Series and this defines TCB.
There's different books, there's orange, there's red and so forth, and these different books are defining this type of
(07:51):
activity.
Now the Orange Book defines specifically the TCB and the total protection of mechanisms within it, including hardware, firmware and software, and the combination of which is responsible for enforcing the overall computer security policy.
This is what the Orange Book does and it defines the TCB as well.
Now the Orange Book defines the boundaries of the TCB,
(08:12):
depending significantly on the definition of the overall security policy that is in place.
So again, this is stuff that is a little.
You're not going to have an Orange Book in your environment, but it's defining the different types of policies or the different types of what a TCB should be, so that if you and the manufacturers of these systems and of the software will
(08:33):
use this as a reference.
So it's not typically something you deal with, but it's something that the developers will deal with that are making a software and or hardware.
So as an example, we'll bring out here a web server.
This is a multi-user application, maybe, is created for this web server and it's not part of the operating system's TCB.
So this provides access controls to prevent individuals
(08:53):
from usurping others' rights, and a breach of the application does not constitute a breach of the operating system's TCB.
So, realistically, you have a web server and the web server has an application on it.
The operating system is running, right, but there's multi-user applications that are going back and forth utilizing this.
But if it's just accessing the system itself, it's providing
(09:15):
the access controls to prevent individuals that are set up in the web server from usurping the other's rights.
Now this, if someone were to breach that, it would not breach the operating system's TCB.
That's the whole point of it.
The breach of the application does not constitute the breach of the operating system's TCB.
So they're separate.
Right, if you have your operating system operating, doing
(09:36):
what it's doing, but if you have an application that has user activity, if someone breaches the user activity, it does not necessarily breach the trusted computing base of the operating system, because those two are separate.
TCB software protection.
This is where the Orange Book speaks of TCBs need to protect against tampering.
So your trusted computing base must prevent its own software
(09:59):
from being written to.
What that basically means is that you have, as a trusted computing base of that operating system, it must prevent that its software from being written to by outside entities.
They cannot just go in and start making changes.
A good example is Microsoft.
Microsoft does not allow you to go in and make changes to its overall fundamental foundational code, and so therefore you can
(10:22):
have users that are operating in and out of the applications that are tied to Microsoft, but you as an individual are not allowed to actually access the operating system's code to make any changes to it or manipulate it.
Same concept with the hardware and the kernel: you are not allowed to make changes to the kernel level code.
Now there are issues that come up.
(10:43):
Right, we know of vulnerabilities that pop up where individuals can access the kernel in certain situations and then those are then patched.
But the TCB, the trusted computer base, is saying that it cannot be written to and it needs to be defined so that your operating systems that are created within your environment cannot be written on the fundamental code that's created.
(11:03):
Now a memory management unit, or an MMU, will also add protections to this as well, and we'll get into that a little bit later on.
Now, programmable by the operating system, this allows or defines access to a specific range of systems or memory that can be run.
There is a supervisor mode in some of these cases, within the operating system, which will allow or restrict the access
(11:24):
that can be managed to this memory.
So, really, what it comes down to is, if you have the ability within the operating system to go in and make specific changes to memory and there are specific ranges in which you can do this, you may have to run this in what they call the supervisor mode.
This is not.
Again, this is very restrictive.
This is not allowing people to just go in and make changes to
(11:46):
it.
You, as a cybersecurity person, need to be aware of this. Not that you're going to be going and making any of these changes, but if you have a software development team within your environment, they need to be aware of what is the TCB.
They also need to be aware of the basics around that their application should never touch the operating system's core, foundational code.
However, knowing and understanding where all these
(12:08):
buckets lie is an important part with any software development company to ensure that they are putting in place the proper protections and that they're not trying to go beyond the boundaries of what is actually expected.
So now we're getting to some other key components.
Security kernel: now this is the core of the TCB and it's usually a very small portion of the operating system.
(12:28):
This enforces reference monitor functions, basically, from a complete mediation, isolation and verifiability.
This is a point that is very tight.
It's a very small subset of development code and it is working in conjunction with the operating system and the hardware.
What makes it?
Marries those two together.
(12:49):
Marries is not the right word, it's marry, yeah, better word.
Brings them together.
Cohesive, big $10 words mess me up.
I need like thing plus thing equals two.
That didn't even make sense either.
But bottom line is you bring the both of them together.
Reference monitor: this is kind of an abstract concept.
A lot of this is abstract.
Let's just kind of be blunt here.
(13:13):
Basically, it needs a security kernel and it's for it to be implemented, and it ensures that all access requests are checked against the security policy.
That's what a reference monitor will do.
Trusted path: this is a secure communication channel between the user and the TCB.
So an example of this would be Control-Alt-Delete in a Windows screen.
That would be your login, that's your secure communication
(13:35):
channel between the user and the trusted computing base.
The testing, the TCB boundary, is a logical fence around all trusted components.
Everything within the boundary must be examined, tested, tested and verified.
So these are some key terms that you may hear about: the security kernel, the reference monitor, trusted path or TCB
(14:00):
boundary.
Now some characteristics of the TCB: it is smaller is better, right.
The smaller the TCB, the easier it is to secure, test and verify.
So you want to keep it as tight as you possibly can.
It must be protected, it must be isolated from untrusted processes.
It should be testable, which is verifiable via the formal methods, by using a rigorous testing method, and it should be essentially enforced so that basically all critical decisions
(14:22):
pass through the TCB.
So those are important parts of anything that goes on within a system.
So some concepts that may come up related to the exam, or some different terms, is you have trusted platform module.
This is a hardware chip that supports trusted boot and attestation.
So you're going to hear about TPM in various other parts of
(14:42):
the CISSP Cyber Training, but the TPM is basically a chip that's put on the system and it is used to support a trusted boot and it's designed to keep all the processes without any sort of injection of code.
It's not the same as the TCB, but conceptually they are related.
Okay so, the TPM, the TCB, they're similar, like-minded
(15:03):
things.
Assurance versus functionality: the TCB will provide functions, but assurance comes from providing the trusted computing base works as intended.
So you have assurance versus functionality.
TCB provides functions, provides functionality, but there is an assurance that what it does and what's in place is actually going to work as intended.
Okay, so a concept you need to understand for the exam, or
(15:25):
something that may give you a little bit of a hint, is if you see that all the protection mechanisms of a system, air quotes, or hardware, software, firmware enforcing the security policy, the answer will be TCB.
Okay so, all protection mechanisms, that would be everything, is the TCB.
Or if there's hardware, software, firmware, that again,
(15:46):
all three of those that are enforcing the security policy, then the answer would be associated with the TCB.
So just keep that in mind.
Now, reference monitors and security kernels.
A reference monitor is access to every resource.
It sits between the object and the user and this is the gatekeeper allowing for access to the object.
This enforces your discretionary access control
(16:08):
module, your mandatory access controls, role-based accesses and other forms that are tied to it.
So it's the reference monitor.
It has access to every resource within the operating system, within the system itself.
The security kernels.
They act as appropriate references for the reference monitor.
This is a trusted component that allows communication between the subjects and it mediates any access requirements
(16:30):
or rules.
It's basically considered what they call a trusted advisor, right?
So it's the security kernel.
Now some other key points to think about.
We're going to get into the models now.
Now the models.
You have your state machine model, information flow model and non-interference model.
Your state machine model: this is a secure state machine which basically boots into and maintains a secure state.
(16:51):
You have your information flow model, which prevents unauthorized information flow between levels of security, and we'll get into all of these here when we start getting into the various models that are out there.
And then you have your non-interference model.
This is based on informational flow model and is designed to avoid data leakage and programs such as Trojans.
That's the ultimate point of a non-interference model.
(17:14):
Okay, so these are the big eight security models that you can see in the CISSP core, and if you're listening to this on the podcast, obviously you can go out to CISSP Cyber Training and get access to this as well.
But this is a table broken down about all the different, the main security model, eight main security models that you'll hear about on the CISSP exam, and the point of it is, is that, and
(17:34):
we'll go, I'm just quick, doing a quick shot of this, but we'll come back to it at the end as I go through all the various models, and then you'll have this, it's a really good reference tool to be able to look at and go.
Okay, so the Bell-LaPadula, BLP.
Its category is specifically around confidentiality.
It's got no read up, no read down.
It protects secrecy.
It's based on the military and classified systems.
(17:54):
This is a really good reference chart that will help you.
And it goes through all of them, from Bell-LaPadula, Biba, Clark-Wilson and so forth.
But we'll come back over this again at the end, when we're done with these various models.
Okay, so the big eight security models, we'll start off with the Bell-LaPadula model, the Bell, but I can't say that.
LaPula, Papula, okay, you know what I mean.
It's number one, it's the people's last name, so it's Bell
(18:16):
and LaPadula, L-A-P-A-D-U-L-A.
That's the model.
Right, the Bell-LaPadula model, okay, so it's got no read up, NRU, and no write down, okay, that's the ultimate point of that model.
And it's designed for military and DoD classified systems.
The ultimate goal is to prevent an unauthorized disclosure of the information itself.
Now, this focuses around secrecy versus integrity, because it
(18:39):
doesn't really care so much if the data gets corrupted, because it's all self-contained.
So let's give you a scenario: a military officer with a secret clearance cannot open a top secret file, yep, no read up.
And cannot save a secret report to an unclassified system, no write down.
But if he's secret, can he read down?
Yes, he can, but he can't write down.
He can't send anything lower.
(18:59):
If he's a top secret person, can he write down to a security?
He can't write down at all, but he can read down, the ultimate point.
If you start doing write down to different aspects, it can just cause all kinds of confusion.
So it's designed around, specifically around, DoD type systems.
The Biba model is.
This focuses primarily on integrity.
It's built on a state machine concept and is a multi-level
(19:21):
model.
It's designed to address three integrity issues: one, prevent the modification of objects by unauthorized subjects.
Two, prevent unauthorized modification of objects by authorized subjects.
Or three, protect internal and external object consistency.
So let's give you a scenario: a junior accountant cannot modify
(19:41):
the company's financial ledger, no write up, but it can read it.
Conversely, they cannot rely on unverified intern notes when preparing reports, no read down.
So the point of that is, again, this is based around the Biba model and it's focused on a multi-level model to ensure the consistency of, or the integrity of, those basic aspects.
(20:03):
Right?
So accountant can't modify the company's financial ledger, can't write up, because, again, accountant, junior accountant, doesn't have the rights.
But he can read it.
You know, basically you can read the document itself.
Conversely, they cannot rely on unverified intern notes when preparing reports.
Obviously, no read down.
So just a concept around the Biba model, the Clark-Wilson
(20:25):
model.
This enforces well-informed transactions through programs and requires a separation of duties.
And we've talked about this a lot on CISSP Cyber Training.
Especially in this aspect is separation of duties is an important part.
The users will then have.
It uses certified programs plus enforcement rules to help prevent fraud and enforce business integrity.
So let's give you an example.
(20:47):
The bank teller enters a transaction into a banking system.
So they go in, they make their modifications, they put it in the system.
The transaction must go through a certified software.
Okay, so a well-formed transaction.
So it must go through a process in which it's going to do this.
That could be software that's purchased, it could have a plan, basically an approval plan, built into it.
(21:07):
But it is a certified software that's going to go in, and then the supervisor must approve it, which is the separation of duties, and then, that the supervisor approves, then it can happen.
So then there's multiple people involved, not just one.
That is the Clark-Wilson model. Brewer and Nash model.
This access based on previous access history, so it prevents
(21:28):
conflicts such as an analyst can't go in and access competitor data.
It also has a dynamic access model allowing permissions that can change over time.
It's very good in consulting, legal, financial sectors, et cetera, et cetera.
So what's the scenario around that? A consultant at PwC, PricewaterhouseCoopers, something like that, can access the bank
(21:52):
A's confidential financial records but then is blocked from seeing bank B's competitor data.
Now this can get very squishy, especially when you're dealing with consultants, especially.
I've dealt with this, right.
But the bottom line is it's trying to have the separation between Bank A and Bank B.
They can see, they can access Bank A's confidential financial records, but it can't see Bank B's competitor data.
(22:16):
So again, it's all looking based on access.
The Goguen-Meseguer, see, that's even worse than the LaPadula, it's G-O-G-U-E-N and then Meseguer, M-E-S-S-E-Q-U-E-R, Meseguer model.
So this is based on formal mathematical models for security
(22:37):
.
The subjects can't interfere with other subjects' operations.
It prevents covert channels from occurring, and then the focus is around information flow security.
Basically, here's a scenario: a classified system user cannot cause their activity to alter or leak into unclassified systems.
No signal is sent from top secret domain to an unclassified
(22:57):
domain.
So the ultimate goal then is that you can't go into and put information into unclassified systems.
It's an information flow model and it keeps the information from leaving that specific area.
The Sutherland model focuses on system states and transitions.
This prevents users from making inferences about secrets, and
(23:17):
it's often used in databases.
The ultimate goal is to stop indirect disclosure through observation, and I did this when I was a red teamer.
We would look for observation all the time and try to discern different types of information disclosure through that.
So, as an example, in a medical database, a doctor can see the aggregated statistics about patient illnesses, but cannot
(23:38):
infer which patient, individual patient, potentially has HIV based on indirect patterns.
So the goal, though, is to hide or mask some of that activity, and that is the Sutherland model, and again, that is focused around indirect disclosure through observation.
And now we're on seven and eight, Graham-Denning model.
This provides eight primitive operations, such as create,
(24:01):
delete, object, subjects, grant, revoke.
All those pieces are all tied to the Graham-Denning model, and it describes securely sharing, managing these specific rights, the models on how these rights are controlled in the specific system, and this is a framework for access control mechanisms.
So, as an example, a file server enforces rules, such as admin creates a new user, the user grants read rights to a
(24:23):
file, the system deletes an object.
These are all different types of aspects tied to the Graham-Denning model and so it's all set up to be specifically around what it can do for securely sharing and managing the rights.
The Harrison-Ruzzo-Ullman model, HRU.
It's an extension of the Graham-Denning model, but its focus is around the, air quotes, safety problem.
(24:45):
Can rights leak over time?
And this uses access matrix plus specific rules, and it proves that some safety problems are undecidable.
All right, so let's give you a scenario: in an HR system, if user A grants user B, air quotes, delete rights, so giving them delete, and user B later grants it to C.
So then B goes, thanks for the delete rights, I'm going to move
(25:07):
that to C.
The rights can eventually leak to unauthorized users.
That is the question, right.
HRU analyzes this and makes that, if that is decidable or not, can they just, can that person do that?
Can user B grant access to user C?
And then user C could potentially be an unauthorized user.
That's what they're asking.
(25:28):
That's how the Harrison-Ruzzo model, Ruzzo-Ullman model, works, is if a person can move rights from one person and leak those rights over time to another person.
They're asking, is that decidable?
Can you make the decision around that?
Can you determine if that would occur?
That is the HRU model.
Now those are the big eight security models and those are
(25:49):
the ones that if you're going to see on the CISSP, those are the ones you're probably going to see now.
You may see some of these other ones that are coming up here in a minute, but highly, it's more likely that you're going to see one of the big eight on the CISSP.
So again, this is a graph that goes over the big eight, talks about each of the models of those and then it goes into the categories.
So, such as Bell is confidentiality, Biba is
(26:11):
integrity, Clark-Wilson is integrity, Brewer-Nash is confidentiality, Goguen is information flow, Sutherland is information flow and Graham-Denning is access, as well as HRU is access.
There's also a key exam principle you can want to think about on the right versus.
That will kind of focus on each of those that you can study this at your leisure.
But again, you can go to CISSP Cyber Training, and that'll be
(26:34):
there and available for you.
So let's go to the other models that are there: Lipner model.
So the Lipner model.
This is, again, these are ones that you may or may not see.
I have seen the Take-Grant model that's popped up from time to time, at least people have talked about it.
The Lipner model: this focuses on, basically combines the
(26:54):
Bell-LaPadula plus the Biba and its use case where you might see this is commercial environments where you need both confidentiality and integrity, not just the one.
Okay, so when you want to consider it, look for the hybrid model.
If you see it on the test, consider the hybrid model.
Lattice-based access controls.
So this is LBAC, not like RBAC or any of those other ones.
(27:15):
LBAC: this assigns subjects and objects a label in a lattice structure, such as top secret, secret and confidential.
This is where you're dealing with mandatory access controls and this really helps explain multi-level security and clearance levels.
So if you're going to see this on the exam, multi-level security and clearance levels could be based on the latest
(27:37):
lattice-based access control.
Next one is the Take slash Grant model.
Now, this model here defines how rights can be taken or granted to another subject.
This is one that is not the last name of somebody of Take or Grant.
It is actually you're taking it or you're granting it.
This simplifies basically more dynamic access rights and it's
(27:58):
often compared to the Graham-Denning or HRU models, but how rights can be taken or granted to another subject.
The access control matrix: this is a table of subjects versus objects, showing which subject has the right to which object.
This is usually a foundational piece that is tied to most
(28:19):
access control lists and capability lists.
It's usually more of a stepping stone, it's not necessarily a primary model, but it's something they may talk about as the access control matrix.
So, if you see it, don't even, I would really, don't bite off on it as a model because it's not.
It's more of just a concept in thought process.
The state machine model: this focuses a system remains secure
(28:43):
as it transitions from one state to another.
A use case around this is a foundational for formal security proofs.
Something to consider when you're looking at it from an exam standpoint is it ties into Sutherland and is generally part of the trusted computing base.
The state machine model, again, focus is on secure as it transitions from one state to another.
(29:03):
If they talk about states and going from one state to another, probably the state machine model.
Okay, the last thing we have is some exam tips, some things for you to consider.
High priority that you might expect to see on the exam is the Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash.
Those are ones that you might expect to see questions around.
Some that may have questions is the Goguen-Meseguer,
(29:26):
Sutherland, Graham-Denning and HRU.
So those, between those right there, I mean, if you look at a priority-wise, Biba, Bell, Clark-Wilson and Brewer-Nash are probably the ones you may see something about.
The rare but good to know is the Lipner, lattice-based, Take-Grant, access control matrix and state machine.
Those are obviously the lower risk ones that you're going to see.
But if you're planning on anything, think of Bell-LaPadula,
(29:49):
Biba, Clark-Wilson, Brewer and Nash.
If you don't have time and all you remember is those, your odds are better that you're going to probably run into one of those on the test than you will the Goguen-Meseguer, Sutherland, Graham-Denning and so forth.
So again, that's the models.
They can be very confusing, they can be very challenging.
I highly recommend that you go to CISSP Cyber Training.
(30:10):
Go check out the video that'll be out there, as well as also the table that I created related to each of the big eight models.
Okay, I hope you guys have a wonderful, wonderful day.
Go out to CISSP Cyber Training, check it out, get some free stuff.
That's there.
I mean, there's tons of free stuff there.
It's all free. Go.
All you got to do is just give me your email address.
That's it, no more than that.
(30:31):
That's all we're asking for.
Lots of free stuff, though. I got all of my rapid reviews are going to be getting posted out there.
You'll have access to all the rapid reviews.
You have access to all of my questions.
Everything is available to you at CISSP Cyber Training.
If you need some more help, I have paid products that are out there as well.
If you need these videos, it's all paid.
You actually can get access to the videos and all the extra
(30:52):
content that I have.
So, again, lots of great stuff.
Go to CISSPCyberTraining.com.
Check it out.
Lots of great stuff.
All right, we'll talk to you later and we'll catch you on the flip side, see ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
(31:13):
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
(31:36):
Thanks again for listening.