3) Authorization and Access Control Flashcards
What dictates that we should only allow the bare minimum of access, as needed?
Principle of least privilege
Restricting access to resources.
Denying access
Giving access to resources.
Allowing access
Partial access to resources.
Limiting access
(T/F) Access controls are policies or procedures used to control access to certain items.
True
Access to a resource is determined by the resource owner.
Discretionary access control
Access to a resource is determined based on job duties.
Role-based access control
Access to a resource is determined by a group or an individual who has the authority to decide who gets access.
Mandatory access control
Access to a resource is determined by the traits of a person, resource, or an environment.
Attribute-based access control
What is implemented through the use of access controls?
Authorization
Enables us to determine what users are allowed to do.
Authorization
States that we should allow only the bare minimum access required in order for a given party to perform a needed functionality.
Principle of least privilege
The act of doing something that is prohibited by a law or rule.
Violation
An act that grants a particular party access to a given resource.
Allowing access
An act that prevents a party from accessing something, such as logging on to a machine or entering the lobby of our building after hours.
Denying access
An act that allows some access to a given resource, but only up to a certain point.
Limiting access
A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.
Sandbox
The ability to remove access from a resource at any point in time.
Revocation
Typically built for a specific resource, these contain the identifiers of the party allowed to access the resource and what the party is allowed to do.
ACLs
ACLs are typically built for a specific resource; they contain the identifiers of the party allowed to access the resource and what the party is allowed to do. What does ACL stand for?
Access control list
In this method of security, a person’s capabilities are oriented around the use of a token that controls their access.
Capability-based security
A type of attack that is more common in systems that use ACLs rather than capabilities.
The confused deputy problem
A type of attack that misuses the authority of the browser on the user’s computer.
CSRF
CSRF is a type of attack that misuses the authority of the browser on the user’s computer. What does CSRF stand for?
Cross-site request forgery