August 31, 2008

Preparing For CISSP Exam – Is It Really A Waste Of Time To Learn About The Wide Spectrum Of Topics Covering Security?

So to get back to the crux of this message, I still hear people complain about having to learn things that they don’t have to know for their jobs and that they have to learn topics the way that (ISC)2 defines them. When I am teaching a class, I cover these complaints in depth because students can erect false barriers for themselves, which will stand in the way of truly being educated.

For example, most students complain about the access control models that they have to learn about (Bell-LaPadula, Biba, Brewer-Nash, Clark-Wilson, etc.) for the CISSP exam. Now, if students would take the time to really understand where these models fit in real life, they would have much more appreciation for them.

Access control models are made up of formal or semi-formal rules that a software architect can follow to ensure that security is built into the foundation of an application or operating system and that a certain level of security is provided throughout the software no matter what procedure the code carries out. You might say, “I have never even heard of these models, and they are old and out of date anyway.” My response would be, “You don’t know these models because you have never worked as a software architect responsible for building these types of products. And if you don’t know these models, how would you know that they are out of date and useless?”

One reason why most people are unfamiliar with these access control models is that the software we commonly use day in and day out is not built on formal or semi-formal models. Windows grew up from MS-DOS. Security was not an issue when we were using Windows 3.1, Windows 95, and even Windows 98. The code was developed to provide functionality, period. The evolution of Windows has brought about ways to ensure that the user could not make mistakes, by adding a ton of code that keeps the user away from the critical pieces of the operating system, such as the kernel. And as Windows became more popular, more non-technical people had to use these systems, so the requirement for “idiot proofing” the software increased, and today we have a ton of wizards, help files, icons, etc.

So, is Windows built on one of the models you need to know for the CISSP exam? Until Vista was released, Windows versions were built with only functionality in mind. Does that mean that these models are not used? Nope. The access control models are used in software products that require a specific type and level of security. Are the access control models obsolete? Nope. These models are becoming more popular specifically because the industry needs more secure products. For example, SELinux is based on the Bell-LaPadula model; Vista integrates the Biba model, which you can read about here: http://www.microsoft-watch.com/content/vista/gaging_vistas_integrity.html; and the BSD UNIX OS is also based on both Biba and BLP.
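To make the two models named above concrete, here is an added example (not code from the article, SELinux or Windows) of a reference monitor that applies the Bell-LaPadula confidentiality rules and the Biba integrity rules to labelled subjects and objects; the level names, categories and requests are constructed for illustration.

```python
"""Reference-monitor checks for the Bell-LaPadula and Biba models.

Added example, not code from the article or from any product it names.
Labels are (level, categories) pairs so that 'dominates' is the lattice
ordering the models actually use, not a bare integer comparison.
"""
from dataclasses import dataclass, field

# Constructed orderings; a real system defines its own level sets.
CONF_LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
INTEG_LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = field(default_factory=frozenset)


def dominates(a: Label, b: Label, order: dict) -> bool:
    """a dominates b: a's level is at least b's and a holds all of b's categories."""
    return order[a.level] >= order[b.level] and a.categories >= b.categories


def blp_allows(op: str, subject: Label, obj: Label) -> bool:
    """Bell-LaPadula protects confidentiality: no read up, no write down."""
    if op == "read":                      # simple security property
        return dominates(subject, obj, CONF_LEVELS)
    if op == "write":                     # *-property (writing up is allowed)
        return dominates(obj, subject, CONF_LEVELS)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subject: Label, obj: Label) -> bool:
    """Biba protects integrity: the BLP rules inverted, no read down, no write up."""
    if op == "read":                      # simple integrity property
        return dominates(obj, subject, INTEG_LEVELS)
    if op == "write":                     # integrity *-property
        return dominates(subject, obj, INTEG_LEVELS)
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    # Constructed requests: the two models answer the same question oppositely.
    analyst = Label("secret", frozenset({"crypto"}))
    report = Label("confidential", frozenset({"crypto", "hr"}))
    print("BLP read:", blp_allows("read", analyst, report))          # False: lacks 'hr'
    installer, download = Label("high"), Label("low")
    print("Biba read:", biba_allows("read", installer, download))    # False: no read down
    print("Biba write:", biba_allows("write", installer, download))  # True: write down is fine
```

The category check is what makes the lattice matter: a secret-cleared subject is still denied a confidential object whose compartment it does not hold.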

If you attend a graduate security program at a university, you will have to know these models in-depth. So just because you are not aware of something does not mean that it is not important.

I could go on and on about specific topics that students commonly pooh-pooh and consider a waste of their time to learn. This attitude and these statements, although common, come from ignorance. These people have yet to fully understand how broad a spectrum security covers in every organization in every industry. It isn’t just about firewalls and packets anymore.

Part 3 of 5 extracted from an original article written by Shon Harris entitled:

The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam

Read Part 1 - CISSP Exam – Learning Above Technology And Understanding Security In A Holistic Manner

Read Part 2 - Training For CISSP – The Early Days

Read Part 4 - Learning Security Through The View Of CISSP Versus Reality

Read Part 5 - CISSP Exam – Having The Right Perspective On The World Of Security
