
Dang! Failed with 716.

pmann Member Posts: 79 ■■□□□□□□□□
I just failed with 716, this is the one and only cert I have ever failed! The exam seemed OK to me, but there were a lot of questions with what looked like several 'valid' answers, so I guess I made some bad calls.

Some of the questions pulled up some gaps in my studies that I'm confused about. A few questions to ask...

What is the SQL security model based on? Users/Objects/Files? or Users/Files/Folders? or some other combination.

From Bell LaPadula, Clark-Wilson and BIBA. Which model is which in terms of MAC, DAC, RBAC?

Is RBAC multiple roles, multiple users, single actions? or multiple users, single roles, multiple actions? or some other combination.

Any help appreciated.

Comments

  • RussS Member Posts: 2,068 ■■■□□□□□□□
    Condolences pmann

    SQL Security Model http://www.sql-server-performance.com/vk_sql_security.asp

    BLP is MAC -
    Biba is lattice - therefore MAC (In fact Biba is a revision of BLP from around 1980 if I remember correctly)

    Clark-Wilson is Role Based



    RBAC = User / Operation / Document ..... so, from that what do you extrapolate?
    www.supercross.com
    FIM website of the year 2007
  • Webmaster Admin Posts: 10,292 Admin
    I'm sorry to hear you didn't pass. What did you use to prepare for the exam?

    RussS and I had a long discussion about the BLP model and what it is (MAC, RoleBAC, RuleBAC or DAC). Bell LaPadula is MAC; they actually developed the early MAC model.
    Biba is based on the Bell LaPadula model and is also MAC, and Clark-Wilson is in turn based on the Biba model but is indeed considered RBAC. It is kinda hard to put them into a single category. The security models use features of various access control models and can be combined with others (i.e. Clark-Wilson + Biba) in a multi-level security system.

    Here are some resources relating to this topic:
    www.techexams.net/technotes/securityplus/mac_dac_rbac.shtml
    www.attackprevention.com/ap/library/securitymodels.htm
    www.rsbac.org/models.htm#mac
    http://citeseer.nj.nec.com/context/69575/0
    http://infoeng.ee.ic.ac.uk/~malikz/surprise2001/spc99e/article2/
    pmann wrote:
    Is RBAC multiple roles, multiple users, single actions? or multiple users, single roles, multiple actions? or some other combination.
    RBAC supports multiple users per role, multiple roles per user, multiple permissions per role, multiple roles per permission. ;)
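    The four many-to-many relations in the answer above are easiest to see in code. The following is an added example, not code from the thread or from any poster; the user, role and permission names are constructed sample data. It also shows what "cumulative" means for a user who holds more than one role: the user gets the union of all their roles' permissions.

```python
# Added example (not from the thread): a minimal RBAC model with the
# many-to-many relations users<->roles and roles<->permissions.
# Users, roles, operations and object names below are constructed.
from collections import defaultdict


class RBAC:
    """Users are assigned roles; roles carry (operation, object) permissions."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # user -> {role}            (many roles per user)
        self.role_perms = defaultdict(set)   # role -> {(operation, obj)} (many permissions per role)

    def grant_role(self, user, role):
        self.user_roles[user].add(role)      # the same role may go to many users

    def add_permission(self, role, operation, obj):
        self.role_perms[role].add((operation, obj))   # the same permission may sit in many roles

    def permissions(self, user):
        """Union of the permissions of every role the user holds (cumulative)."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(role, set())
        return perms

    def check(self, user, operation, obj):
        """Access decision: is (operation, obj) reachable through any of the user's roles?"""
        return (operation, obj) in self.permissions(user)

    def users_with_permission(self, operation, obj):
        """Every user who reaches the permission through any role that carries it."""
        roles = {r for r, ps in self.role_perms.items() if (operation, obj) in ps}
        return {u for u, rs in self.user_roles.items() if rs & roles}


def build_sample():
    """Constructed sample: a 'junior' role, a 'clerk' role and an 'auditor' role."""
    rbac = RBAC()
    rbac.add_permission("junior", "read", "handbook.txt")
    rbac.add_permission("clerk", "read", "ledger.xls")
    rbac.add_permission("clerk", "write", "ledger.xls")
    rbac.add_permission("auditor", "read", "ledger.xls")   # one permission, two roles
    rbac.grant_role("alice", "junior")
    rbac.grant_role("alice", "clerk")                      # one user, two roles
    rbac.grant_role("bob", "junior")
    rbac.grant_role("carol", "auditor")
    return rbac


if __name__ == "__main__":
    rbac = build_sample()
    # alice is junior AND clerk, so she reads the clerk-only ledger (cumulative).
    print("alice reads ledger:", rbac.check("alice", "read", "ledger.xls"))
    print("bob reads ledger:  ", rbac.check("bob", "read", "ledger.xls"))
    print("who reads ledger:  ", sorted(rbac.users_with_permission("read", "ledger.xls")))
```

    Note that nothing here subtracts permissions: holding an extra role never removes what another role grants, which is the usual RBAC behaviour (real implementations can add separation-of-duty constraints on top, but that is outside this model).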
  • pandimus Member Posts: 651
    Excuse me for seeming ignorant, but I just printed up the objectives for the Sec+. It says you need to know access controls, specifically MAC/DAC/RBAC..

    Why does it not specify specific models of access controls and the associated type? I/E Bell-LaPadula??

    My all in one book (not saying it is the authority in this) doesn't mention Bell-LaPadula, lattice or anything of the sort.. It talks a bit about the rainbow books written by the Gov, other than that it explains the access controls a bit..

    thanks for the clarification
    Xinxing is the hairy one.
  • Webmaster Admin Posts: 10,292 Admin
    pandimus wrote:
    Why does it not specify specific models of access controls and the associated type? I/E Bell-LaPadula??
    I will save my full review until after I have taken the exam myself next month or so, but during my preparation and writing TechNotes (I have 4 coming for this exam soon) I can only conclude that CompTIA is doing a terrible job with the Security+ exam... The objectives show that they don't really know what they are talking about, and the same goes for a lot of study material for this exam out there...

    But to answer your question: MAC, DAC, RBAC and a whole bunch of others are access control models. Biba, BLP, etc. are full blown security models using functions of one or more access control models. These informal models are often referred to as multi-level security systems. Relating them 1-on-1 would not be entirely accurate. Bell and LaPadula formalized MAC; they developed the early MAC model. Hence for the CompTIA exam BLP = MAC. Basically that is correct, the BLP model uses primarily Mandatory Access Controls, but BLP is not 100% MAC alone, and MAC is not just BLP.

    I hope I'm not confusing things here... I've read about a hundred pages about these models the last couple of days and realized that the current MAC/DAC/RBAC TechNotes need to be rewritten and expanded. Although the current information is technically accurate, I can imagine it currently doesn't solve all possible confusion about this topic.
  • pandimus Member Posts: 651
    You're not confusing me at all.. Actually helping me out.. I will read your references here and compare them with my notes. By what I have read (on your forum and others) I seem to agree with you on the fact that CompTIA is kinda screwing the pooch on this one. Apparently a lot of their stuff in this exam is either biased or not completely relevant.

    Thank you very much for your help..

    Pandimus
    Xinxing is the hairy one.
  • pandimus Member Posts: 651
    I understand these three now..

    Bell-LaPadula - MAC
    Biba - MAC
    Clark-Wilson - RBAC

    Are there other pertinent ones?
    Xinxing is the hairy one.
  • pmann Member Posts: 79 ■■□□□□□□□□
    Thanks for all the comments and answers guys.

    To study for this I used the MS Security+ book and the Exam Cram 2. I worked all the questions in the two books, all of the PrepLogic tests and all the free tests I could find. This was my normal pattern of study and I must admit to being a little surprised when I failed. I must have gotten 20% of the questions wrong, which is one in every five. I still find that hard to believe since I had enough time in the exam to double check my answers too.

    I think there were also a lot of questions where the answer was open to debate. "What is the most common form of attack?"; Email, Spam, Buffer Overflow or DoS? I could probably make an argument for any one of those answers! Spam is sent by email, which also carries viruses, hoaxes etc. Spam is very common but is actually a form of DoS attack etc. It also depends on what is being attacked, is it a personal computer, a server, a mail relay agent or what.

    Not sure whether to retake it or to do an MS security elective instead. It's an expensive exam and I don't want to waste the time and money on another attempt, especially if I get more of those lucky dip questions.

    If I do it again I think I need to get some better documentation (Tcat's guide seems to get good reviews) and maybe do the transcender or boson tests.
  • janmike Member Posts: 3,076
    If you take the Sec+ and pass next time, you can still do the M$ security speciality in either MCSA or MCSE and use the Sec+ to substitute for one of the two required M$ security exams.

    Best of luck on your decision!
    "It doesn't matter, it's in the past!"--Rafiki
  • robocal2 Member Posts: 6 ■□□□□□□□□□
    OK, I'm confused on what LATTICE is....???
  • RussS Member Posts: 2,068 ■■■□□□□□□□
    That is a very interesting question.

    Lattice is sometimes used as another name for Mandatory Access Control and shares the idea with BLP that users and objects (files usually) are given labels. Whether a user has access to an object is done by comparing their labels - if a user's label is equal or greater, then that user can access that object.

    "Webmaster ... I wish I could post a diagram here ..... "

    User Classification      Object Classification

    Top Secret
    Secret                   Secret
    Confidential
    Restricted

    OK - in the above example our designated user is Top Secret - he can therefore access any data that is labelled Top Secret or below.
    www.supercross.com
    FIM website of the year 2007
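    The label comparison RussS describes can be written down in a few lines. The following is an added example, not code from the thread or from any poster. It uses the four level names from the post and goes one step further than the post's single column: a label also carries a set of compartment categories, which is what makes the structure a lattice (two labels can be incomparable) rather than a simple ladder. The "no write down" rule is BLP's *-property and is not mentioned in the post; it is included only to show the read rule's counterpart. Object and category names are constructed.

```python
# Added example (not from the thread): a security lattice with hierarchical
# levels (from the post) plus compartment categories (added). Sample objects,
# categories and the user label are constructed.
from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest, as listed in the post.
LEVELS = {"Restricted": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A lattice label: one hierarchical level plus a set of compartments."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # A dominates B when A's level is >= B's level AND A holds every
        # compartment that B holds. Neither may dominate the other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """The rule in the post: read access if the user's label is equal or
    greater than (dominates) the object's label. BLP calls this 'no read up'."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """BLP *-property, 'no write down' (not in the post, added for contrast):
    the object's label must dominate the subject's, so a Top Secret user
    cannot copy data into a Secret file."""
    return obj.dominates(subject)


def readable_objects(subject: Label, objects: dict) -> list:
    """Sorted names of the objects (name -> Label) the subject may read."""
    return sorted(name for name, lab in objects.items() if can_read(subject, lab))


# Constructed sample, matching the post's picture: a Top Secret user and one
# object per level, plus one Secret object in a compartment the user lacks.
SAMPLE_OBJECTS = {
    "ts_plan.doc": Label("Top Secret"),
    "budget.xls": Label("Secret"),
    "memo.txt": Label("Confidential"),
    "notice.txt": Label("Restricted"),
    "crypto_keys.bin": Label("Secret", frozenset({"CRYPTO"})),
}
TOP_SECRET_USER = Label("Top Secret")

if __name__ == "__main__":
    for name, lab in SAMPLE_OBJECTS.items():
        print(f"{name:16} read={can_read(TOP_SECRET_USER, lab)!s:5} "
              f"write={can_write(TOP_SECRET_USER, lab)}")
```

    Running it shows the post's point: the Top Secret user reads everything at Top Secret or below. It also shows the part the two-column picture cannot: crypto_keys.bin is only Secret, yet the user cannot read it, because the CRYPTO compartment is not in their label.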
  • pmann Member Posts: 79 ■■□□□□□□□□
    So in an RBAC model, a user can have several roles. If a user is a member of a "junior" role and a "clerk" role, can that user see files that are restricted to clerks only? i.e. is it similar to share/NTFS permissions where the most permissive permissions apply or the most restrictive apply.

    On a completely different point, in Kerberos, the big 'selling point' is that the user's password is never transmitted across the network. But it has to get from the user's terminal to the AS somehow? So the password IS transmitted across the network. Am I missing something?

    Also, why does the AS generate two session keys, why not just one?
  • Webmaster Admin Posts: 10,292 Admin
    pmann wrote:
    So in an RBAC model, a user can have several roles. If a user is a member of a "junior" role and a "clerk" role, can that user see files that are restricted to clerks only? i.e. is it similar to share/NTFS permissions where the most permissive permissions apply or the most restrictive apply?
    I'm not sure; this probably differs per implementation of RBAC, but in most cases the permissions will be cumulative.
    On a completely different point, in Kerberos, the big 'selling point' is that the user's password is never transmitted across the network. But it has to get from the user's terminal to the AS somehow? So the password IS transmitted across the network. Am I missing something?
    No, the password is really not transmitted over the line. This is also the case in CHAP.
    Also, why does the AS generate two session keys, why not just one?
    Have you read the part about CHAP and Kerberos in our Authentication TechNotes yet? www.techexams.net/technotes/securityplus/authentication.shtml

    To put it very simply: if you are the server and I am the client, you know the password (i.e. the password is 101) and I know the password. I would ask you to log me on, you would challenge me and ask me "what is your password multiplied by 2?" I would respond 202. :D
    As you can see the password itself is never exchanged.
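    The "multiply by 2" story is the idea; the real CHAP computation is only slightly more involved. The following is an added example, not code from the thread or from any poster. It implements the response exactly as RFC 1994 defines it for the MD5 algorithm (Response = MD5(Identifier || Secret || Challenge)), runs one challenge/response exchange between a constructed peer and authenticator, and records every message that crosses the wire so you can check that the secret is not among them. The peer name and secret are constructed sample values. Kerberos reaches the same goal by a different route (a key derived from the password encrypts a timestamp); only CHAP is shown here.

```python
# Added example (not from the thread): CHAP per RFC 1994 with MD5, plus a
# passive-observer check that the shared secret never appears on the wire.
# Peer name and secret below are constructed sample values.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge).
    Identifier is the one-octet field of the CHAP packet (0..255)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side. Holds each peer's secret and never sends it."""

    def __init__(self, secrets: dict):
        self.secrets = secrets        # peer name -> shared secret
        self.outstanding = {}         # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)         # fresh random challenge for every attempt
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # each challenge is usable once
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """Client side. Holds its own secret and never sends it."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_exchange(auth: Authenticator, peer: Peer, identifier: int = 1):
    """One authentication. Returns (success, list of messages seen on the wire)."""
    wire = []
    chal = auth.challenge(identifier)
    wire.append(("Challenge", chal))                   # authenticator -> peer
    resp = peer.respond(identifier, chal)
    wire.append(("Response", peer.name.encode(), resp))  # peer -> authenticator
    return auth.verify(identifier, peer.name, resp), wire


def secret_on_wire(secret: bytes, wire) -> bool:
    """What a passive observer could do: look for the secret in any message field."""
    return any(secret in part for msg in wire for part in msg[1:])


if __name__ == "__main__":
    SECRET = b"s3cret-101"                              # constructed sample secret
    auth = Authenticator({"pmann": SECRET})
    ok, wire = run_exchange(auth, Peer("pmann", SECRET))
    print("authenticated:", ok)
    print("secret visible on wire:", secret_on_wire(SECRET, wire))
    # Replaying the captured response fails: the challenge was consumed.
    print("replay accepted:", auth.verify(1, "pmann", wire[1][2]))
```

    Two details matter for the question asked above. The response is a hash over the secret and a random challenge, so the observer sees only the challenge and a digest; recovering the secret from those means guessing it, which is why a strong shared secret still matters. And because the authenticator discards a challenge once it has been answered, capturing a response and sending it again later does not log the attacker in.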
  • pmann Member Posts: 79 ■■□□□□□□□□
    OK, I get it. Thanks.

    I think I will take another shot at this exam, but rather than dive in again, I'm going all the way back to the beginning to cram up on every little detail and make sure everything has really soaked in. In reading through some other books, I've already found some deep holes in the MS and QUE books.
  • Webmaster Admin Posts: 10,292 Admin
    Yeah, this is definitely an exam for which you have to find out the real details yourself from reputable sources, which don't include most of the available Security+ books... I think several publishers have underestimated the Security+ exam topics and didn't make an effort to have the books reviewed by actual security specialists or at least people that know how to do proper research. Sybex sent me a review copy of the Security+ guide last year and I found some horrible mistakes in it. I sent a doc with comments and corrections and will give them a chance to correct it/place it on their errata etc. before I post it here. Though, if you own the book, just skip the 802.1x paragraph entirely... instead, if you use Windows XP, search for 802.1x in Help and Support. I will also cover it in the Remote Access Technologies TechNotes for the Security+ exam, which should be finished before next month.
  • awaisyboy Member Posts: 75 ■■□□□□□□□□
    The SQL security model is based on users, objects and actions.
  • JDMurray Admin Posts: 13,028 Admin
    In all of the Security+ study materials that I looked at--including Tcat's full PDF--I never saw a mention of the Biba or Clark-Wilson security models and how they relate to the MAC, RBAC, and DAC access control models. Only Lattice and Bell LaPadula were discussed and how they relate to each other and to MAC. There was also nothing on the practical application of these models, such as which model(s) are used by Unix, Windows, SQL Server, etc.

    Based on this, I saw nothing about control and access models on my Security+ exam that I didn't expect.