2.3 Authorization and Access Control

Question 1

Discuss the difference between authorization and access control.

Answer 1

Authorization is determining exactly what an authenticated party can do.
Access Control are the tools and systems used to deny or allow access

Question 2

What does the Brewer and Nash model protect against?

Answer 2

Conflicts of interest. Example is the Lawyer not having access to multiple industry info. Its a conflict of interest.

Question 3

Why does access control based on the Media Access Control address of the systems on our network not represent strong security?

Answer 3

Because an operating systems software controls can override the network interfaces media access control list

Question 4

Which should take place first, authorization or authentication?

Answer 4

Authentication - then authorization

Question 5

What are the differences between the MAC and DAC models of access control?

Answer 5

DAC - discretionary access control lets the user define access. In most operating systems.
MAC -Mandatory, a separate group decides the access level. Most government systems.

Question 6

The Bell–LaPadula and Biba multilevel access control models both have a primary security focus. Can these two models be used together?

Answer 6

Bell-LaPadula is concerned with confidentiality while Biba is concerned with data integrity. Cannot be used together because they counteract eachother in the read and write philosophies.

Question 7

If you have a file containing sensitive data on a Linux operating system, would setting the permissions cause a potential security issue? If so, which portions of the CIA triad might be affected?

Question 8

Which access control model could you use to prevent users from logging into their accounts after business hours?

Answer 8

Attribute based access control - would implement an environmental based attribute.

Question 9

Explain how the confused deputy problem could allow users to carry out activities for which they are not authorized.

Answer 9

The software with access to resource has greater level of permission than user controlling the software. - Can happen by tricking the user into doing something they don’t realize, usually a client-side attack. examples, embedded code, click on images, pdf’s.

Question 10

What are some of the differences between access control lists and capabilities?

Question 11

What is a sandbox and give an example of a type.

Answer 11

An isolated environment that protects a set of resources. Can we used to protect against malicoous code from the internet. Java Virtual MAchine is a program.

Question 12

What are the three types of permissions an access list can have?

Answer 12

1. read
   2.write
2. execute

Question 13

What access control list combines the two techniques of filtering and limiting access by using IP address and Ports?

Answer 13

Firewall ACL

Firewall ACLs effectively combine IP address and port-based filtering to manage network access, ensuring that only authorized devices and services can communicate within a network.

Question 14

What is cross-site request forgery?

Answer 14

Missuses users browser on computer by inserting code. Example, user clicks on a link or image that has embedded code and server allows access (confused deputy) and performs action since they’ve been authenticated and authorized.

Question 15

Describe clickjacking or user interface readdressing.

Answer 15

Attacker must get control of a website and adds a layer something a user would click. executes a command

Question 16

_________ and ________ are two main methods of Implementing access controls.

Answer 16

Access control lists (ACLs) and capabilities

Question 17

Network ACLs filter access based on ______ ______ Permissions are usually _______ (allow or deny).

Answer 17

network identifiers
binary

Question 18

_______ define permissions based on a user’s token or key. They can protect against ______ ______ attacks.

Answer 18

Capabilities
confused deputy

Question 19

What does the Bell - LaPadula Access control entail?

Answer 19

Combination of DAC and MAC. Primarily concerned with the confidentiality of the resource questioned.

Question 20

In the Bell-LaPadula access model, which direction can you read and write data.

Answer 20

When handling classified material, you cannot read items up (beyond your authorized level) and you cannot write down (Must write at the same level or above)

Question 21

The Biba Model of access control is primarily concerned with what?

Answer 21

Protecting the integrity of the data, even at the expense of confidentiality. It’s more important to keep people from altering the data than viewing it.

Question 22

How is access in the Biba access control method summarized?

Answer 22

No read down - no write up

Question 23

What is the Brewer and Nash or Chinese Wall access model designed to do?

Answer 23

To prevent conflict of interests. Used in industries that handle sensitive data, financial, medical, legal industries.

Question 24

What 3 main resource classes does the Brewer and Nash Model consider?

Answer 24

• Objects: Resources such as files or info, pertaining to a single organization
• Company Groups: All objects pertaining to an organization.
• Conflict classes: All groups of objects concerning competing parties.

Question 25

What’s a common security issue with regulating people’s access into buildings?

Answer 25

tailgating. Creates an inaccurate number of people in building.

Question 26

How to solve the tailgating issue?

Answer 26

Polices that forbid it.
turnstile. Combination of solutions will work better.

Question 27

You implement _____ by using access controls

Answer 27

authorization

Question 28

What are the two access control methods?

Answer 28

access control lists
capabilities

Question 29

Which access control method safe guards against the confused deputy attack?

Answer 29

capabilities.

Question 30

What access models do industries that handle more sensitive data use (government, military, medical, legal)?

Answer 30

Multilevel access control
Bell-LaPadula, Biba, Brewer and Nash.

Question 31

Describe the Principle of Least Privilege?

Answer 31

Principle of giving a party the bare amount of privliege to do a job.

Question 32

Which phase of the incident response (IR) process includes putting the system back better than the original state?

Answer 32

Recovery
At this stage, the incident response team returns systems to normal operation. Compromised accounts are given new, more secure passwords, or replaced with a more secure access method. Vulnerabilities are remediated, functionality is tested, and normal operations resume.

Question 33

_________ are performed to ensure compliance with applicable laws, policies, and other administrative controls is being accomplished as well as detecting misuse.

Answer 33

Audits

Question 34

Permissions in network ACLs tend to be ________ in nature, consisting of _______or _______.

Answer 34

binary
deny or allow