3) Authorization and Access Control Flashcards
What dictates that we should only allow the bare minimum of access, as needed?
Principle of least privilege
Restricting access to resources.
Denying access
Giving access to resources.
Allowing access
Partial access to resources.
Limiting access
(T/F) Access controls are policies or procedures used to control access to certain items.
True
Access to a resource is determined by the resource owner.
Discretionary access control
Access to a resource is determined based on job duties.
Role-based access control
Access to a resource is determined by a group or an individual who has the authority to decide who gets access.
Mandatory access control
Access to a resource is determined by the traits of a person, resource, or an environment.
Attribute-based access control
What is implemented through the use of access controls?
Authorization
Enables us to determine what users are allowed to do.
Authorization
States that we should allow only the bare minimum access required in order for a given party to perform a needed functionality.
Principle of least privilege
The act of doing something that is prohibited by a law or rule.
Violation
An act that grants a particular party access to a given resource.
Allowing access
An act that prevents a party from accessing something, such as logging on to a machine or entering the lobby of our building after hours.
Denying access
An act that allows some access to a given resource, but only up to a certain point.
Limiting access
A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.
Sandbox
The ability to remove access from a resource at any point in time.
Revocation
Typically built for a certain resource, these contain the identifiers of the party allowed to access the resource and what the party is allowed to do.
ACLs
ACLs are typically built for a certain resource; they contain the identifiers of the party allowed to access the resource and what the party is allowed to do. What does ACL stand for?
Access control list
In this method of security, a person’s capabilities are oriented around the use of a token that controls their access.
Capability-based security
A type of attack that is more common in systems that use ACLs rather than capabilities.
The confused deputy problem
A type of attack that misuses the authority of the browser on the user’s computer.
CSRF
CSRF is a type of attack that misuses the authority of the browser on the user’s computer. What does CSRF stand for?
Cross-site request forgery
A client-side attack that takes advantage of some of the page rendering features that are available in newer browsers.
Clickjacking
Access is determined by the owner of the resource in question.
DAC
In DAC, access is determined by the owner of the resource in question. What does DAC stand for?
Discretionary access control
Similar to MAC in that access controls are set by an authorized person responsible for doing so, rather than by the owner of the resource. In this model, access is based on the role the individual is performing.
RBAC
RBAC is based on the role the individual is performing. What does RBAC stand for?
Role-based access control
Access is based on attributes.
Attribute-based access control
Attributes of a particular individual.
Subject attributes
Attributes that relate to a particular resource.
Resource attributes
Attributes that relate to environmental conditions.
Environmental attributes
Designed to prevent conflicts of interest. Three main resource classes are considered in this model: objects, company groups, and conflict classes.
The Brewer and Nash model
A combination of DAC and MAC, primarily concerned with the confidentiality of the resource. Two security properties define how information can flow to and from the resource: the simple security property and the * property.
The Bell-LaPadula model
Primarily concerned with protecting the integrity of data, even at the expense of confidentiality. Two security rules: the simple integrity axiom and the * integrity axiom.
The Biba model
A method by which a person follows directly behind another person who authenticates to the physical access control measure, thus allowing the follower to gain access without authenticating.
Tailgating
Access controls that regulate movement into and out of buildings or facilities.
Physical access controls
An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature.
Multilevel access control model
Access is decided by a group or individual who has the authority to set access on resources.
MAC
In MAC, access is decided by a group or individual who has the authority to set access on resources. What does MAC stand for?
Mandatory access control
A client-side attack that involves the attacker placing an invisible layer over something on a website that the user would normally click on, in order to execute a command differing from what the user thinks they are performing.
Clickjacking
What type of access control can prevent the confused deputy problem?
Capability-based security
Confidential Services Inc. is a military-support branch consisting of 1,400 computers with Internet access and 250 servers. All employees are required to have security clearances. What access control model would be most appropriate for this organization?
Mandatory access control
A user who creates a network share and sets permissions on that share is employing which model of access control?
Discretionary access control
A VPN connection that is set to time out after 24 hours is demonstrating which model of access control?
Attribute-based access control