Authorisation Flashcards

1
Q

Authorisation

A

Security mechanism which grants or denies access to a system's resources based on the requester's identity and permissions. It answers "what is this principal allowed to do?", as distinct from authentication, which establishes who the principal is.

2
Q

Why is authorisation difficult to implement?

A

Users may fall into a number of groups or roles with different abilities or privileges.

Authorisation conflicts can occur (e.g. a user holding two roles with contradictory rules) and stop production.

Users may try to bypass authorisation methods.

3
Q

Policy Enforcement Phase

A

Done by a reference monitor, which takes as input the access request and the current security policy, then decides whether the access request complies with the policy.

It should always be NEAT: Non-bypassable (every access to a protected resource goes through it), Evaluable (small and simple enough to be verified), Always-invoked (it mediates every request, not just the first), Tamperproof (subjects cannot modify the monitor or its policy).
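The reference monitor described above, as an added example that is not part of the original deck. It is a small Python policy enforcement point: the policy table, the role assignments, the invoice store and the names (alice, bob, carol, ReferenceMonitor, guard) are all constructed for illustration. The comments mark where each NEAT property is addressed; note that "tamperproof" here only holds within one process, since Python cannot stop a caller that already has arbitrary code execution.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping


@dataclass(frozen=True)
class AccessRequest:
    subject: str   # authenticated principal (authentication has already happened)
    action: str    # e.g. "read", "write", "delete"
    resource: str  # e.g. "invoice:42"


# Constructed sample policy and role assignments (hypothetical, not from the page).
# Each rule is (role, action, resource pattern); a trailing "*" is a prefix wildcard.
SAMPLE_POLICY = {
    ("admin", "delete", "invoice:*"),
    ("accountant", "read", "invoice:*"),
    ("accountant", "write", "invoice:*"),
    ("viewer", "read", "invoice:*"),
}
SAMPLE_ROLES = {"alice": {"admin"}, "bob": {"accountant"}, "carol": {"viewer"}}


class ReferenceMonitor:
    """Policy enforcement point: takes (request, policy) and returns allow/deny."""

    def __init__(self, policy: Iterable[tuple], roles: Mapping[str, Iterable[str]]):
        # Tamperproof (within this process): the policy is frozen at construction and
        # never handed back to callers, so application code cannot edit it at run time.
        self._policy = frozenset(policy)
        self._roles = {s: frozenset(r) for s, r in roles.items()}
        self.audit: list = []  # every decision is recorded, allowed or not

    @staticmethod
    def _matches(pattern: str, resource: str) -> bool:
        if pattern.endswith("*"):
            return resource.startswith(pattern[:-1])
        return pattern == resource

    def decide(self, req: AccessRequest) -> bool:
        # Evaluable: the whole decision is this one comprehension over a small table.
        allowed = any(
            role == rule_role
            and req.action == rule_action
            and self._matches(pattern, req.resource)
            for role in self._roles.get(req.subject, frozenset())
            for (rule_role, rule_action, pattern) in self._policy
        )
        self.audit.append((req, allowed))
        return allowed  # deny by default: an unknown subject or unmatched rule is False

    def guard(self, action: str, resource_of: Callable[..., str]):
        """Always-invoked / non-bypassable: decorate every operation on a protected
        resource so the only entry point to it runs through decide() first."""
        def decorator(fn):
            def wrapper(subject: str, *args, **kwargs):
                req = AccessRequest(subject, action, resource_of(*args, **kwargs))
                if not self.decide(req):
                    raise PermissionError(f"{subject} may not {action} {req.resource}")
                return fn(subject, *args, **kwargs)
            return wrapper
        return decorator


monitor = ReferenceMonitor(SAMPLE_POLICY, SAMPLE_ROLES)
INVOICES = {"invoice:42": "paid", "invoice:43": "overdue"}  # constructed data store


@monitor.guard("read", lambda invoice_id: invoice_id)
def read_invoice(subject: str, invoice_id: str) -> str:
    return INVOICES[invoice_id]


@monitor.guard("delete", lambda invoice_id: invoice_id)
def delete_invoice(subject: str, invoice_id: str) -> bool:
    del INVOICES[invoice_id]
    return True


if __name__ == "__main__":
    print(read_invoice("carol", "invoice:42"))       # viewer may read
    try:
        delete_invoice("bob", "invoice:42")          # accountant may not delete
    except PermissionError as exc:
        print("denied:", exc)
    print(delete_invoice("alice", "invoice:42"))     # admin may delete
    for req, ok in monitor.audit:
        print("ALLOW" if ok else "DENY ", req)
```

The check worth copying is the deny-by-default shape of decide(): a subject with no roles, or a resource no rule mentions, falls through to False rather than to an exception path that a caller might swallow.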

4
Q

Difficulty of Authorisation

A

Developers frequently underestimate the difficulty of implementing authorisation schemes. Often the scheme simply evolves along with the application, which can make it very difficult to comprehend, and frequently flawed, by the time the application nears deployment.

5
Q

Flawed Authorisation

A

Many flawed authorisation schemes are not difficult to discover and exploit, with devastating consequences: attackers can delete, edit or otherwise exploit data and functions they were never entitled to reach.

6
Q

Administrative Interfaces

A

Allow web admins to manage users, data and content efficiently. However, because of their power they are a prime and frequent target for attack, from both inside and outside the organisation.

7
Q

Path Traversal

A

The path traversal attack allows an attacker to access files, directories and commands that reside outside the web root directory.

Attackers manipulate a URL (or any other path parameter) so that the application reveals the contents of files anywhere on the server. Also called the dot-dot-slash (../) attack, as it uses the special parent-directory sequence, often URL-encoded, to alter the resource location in the URL.
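The vulnerable resolver beside its hardened form, as an added example that is not part of the original deck. The web root layout, the file names (index.html, secret.txt) and the helper names (resolve_unsafe, resolve_safe, build_demo_tree, serve) are constructed for illustration; the directory tree is created in a temporary folder so the script runs offline.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_unsafe(web_root: str, requested: str) -> str:
    """Vulnerable resolver (deliberately): trusts the client-supplied path.
    '../' segments walk out of web_root, and an absolute path makes
    os.path.join discard web_root entirely."""
    return os.path.normpath(os.path.join(web_root, unquote(requested)))


def resolve_safe(web_root: str, requested: str) -> str:
    """Hardened resolver: canonicalise both paths (realpath also follows
    symlinks) and refuse anything that does not sit inside web_root."""
    root = os.path.realpath(web_root)
    relative = unquote(requested).lstrip("/\\")  # never let the client pick the root
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path traversal blocked: {requested!r}")
    return candidate


def build_demo_tree() -> str:
    """Constructed sample layout (hypothetical, not from the page): a web root
    holding one public file, with a secret file one level above it."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>public</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("db_password=hunter2")
    return root


def serve(resolver, web_root: str, requested: str) -> str:
    """Simulate the handler: resolve, then read. Returns the body or an error tag."""
    try:
        with open(resolver(web_root, requested)) as fh:
            return fh.read()
    except PermissionError:
        return "403 Forbidden"
    except FileNotFoundError:
        return "404 Not Found"


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ["index.html", "../secret.txt", "..%2Fsecret.txt", "/etc/hostname"]:
        print(f"{req:18} unsafe -> {serve(resolve_unsafe, root, req)[:24]!r:28} "
              f"safe -> {serve(resolve_safe, root, req)!r}")
```

Two details matter in resolve_safe: the comparison is done on canonical paths after realpath, so a string prefix check on the raw input (which would let "/var/www-old/.." through) is avoided, and the check runs before open(), so the failure is a 403 rather than a leaked file.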

8
Q

Role Based Access Control

A

RBAC is a method for controlling access based on the roles assigned to users rather than on individual identities. Lower-level roles cannot access sensitive information or perform high-level tasks.

9
Q

Principle of Least Privilege

A

Limit users to the minimum role (and set of permissions) necessary for them to complete their assigned tasks, and nothing more.

10
Q

Benefits of RBAC - Improving operation efficiency

A

Decreases the need for paperwork and password changes.

Lets organisations quickly assign and change roles.

Third-party users can be integrated much more easily.

11
Q

Benefits of RBAC - Enhancing Compliance

A

RBAC systems help meet regulatory and statutory requirements for confidentiality, as they effectively manage how data is accessed and used.

12
Q

Benefits of RBAC - Giving Admins Increased Visibility

A

RBAC gives network administrators more visibility and oversight into the business.

13
Q

Benefits of RBAC - Reducing Costs

A

Organisations can conserve, or more cost-effectively use, resources such as network bandwidth, memory and storage.

14
Q

Benefits of RBAC - Decreasing Risk

A

Restricted access to sensitive information reduces the potential for data breaches or leakage.

15
Q

RBAC Issues - Role Explosion

A

Occurs when the granularity needed for access control is too detailed, so the number of roles balloons. Difficult and costly to manage, and makes control confusing and complicated, reducing effectiveness.

More roles can lead to security holes that are difficult to find and close.

16
Q

RBAC Issues - Security Risk Tolerance

A

If an organisation is highly averse to security risk, RBAC may not be the optimal way to secure access.

Once deployed, it is hard to react to changing threats and risks, because the role definitions are static.

17
Q

RBAC Issues - Scalability and Dynamism

A

When RBAC is first deployed, it is known exactly which roles need to be defined. However, as an organisation grows, new job definitions may not be updated or clearly defined, and RBAC becomes difficult to manage and maintain.

18
Q

RBAC Issues - Expensive and Difficult

A

If an organisation chooses to upgrade to RBAC, there is added cost and risk in migrating users to the new scheme while phasing out the old one. Migrations often have a variety of difficulties and unforeseen challenges, resulting in security holes along with costly defects such as data loss and unplanned downtime.

19
Q

RBAC vs Access Control List

A

RBAC is superior to ACL in terms of security and administrative overhead, since permissions are managed per role rather than per user.
ACL is better for implementing security at the individual-user level and for low-level data (e.g. per-file or per-object permissions).

20
Q

RBAC vs Attribute Based Access Control

A

ABAC is more dynamic: access decisions are evaluated from attributes of the subject, the resource, the action and the environment (time, location, network) rather than from a fixed role. RBAC can determine broad access while ABAC offers more granularity.

An RBAC system can grant access to all managers, but an ABAC policy can grant access only to managers that are part of a certain department. ABAC is more complex, in both processing power and time, so it is only needed when RBAC is insufficient.
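The managers-versus-department example from this card, and the role explosion from card 15, as one added example that is not part of the original deck. The users, reports, departments, the "corporate network" environment attribute and the function names (rbac_can_view, abac_can_view, rbac_roles_needed, compare) are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: str


@dataclass(frozen=True)
class Report:
    title: str
    department: str
    classification: str  # "internal" or "restricted"


def rbac_can_view(user: User, report: Report) -> bool:
    """RBAC: the decision depends only on the role. Every manager sees every report."""
    return "manager" in user.roles


def abac_can_view(user: User, report: Report, env: dict) -> bool:
    """ABAC: a rule over subject, resource and environment attributes.
    Managers see reports from their own department; restricted reports
    additionally require the request to come from the corporate network."""
    same_department = user.department == report.department
    on_corp_network = env.get("network") == "corp"
    return (
        "manager" in user.roles
        and same_department
        and (report.classification != "restricted" or on_corp_network)
    )


def rbac_roles_needed(departments, classifications) -> set:
    """Role explosion (card 15): to express the ABAC rule above with roles alone,
    RBAC needs one role per (department, classification) pair, and the network
    condition cannot be expressed at all because it is not a property of the user."""
    return {f"manager:{d}:{c}" for d, c in product(departments, classifications)}


# Constructed sample data (hypothetical; not from the page).
DANA = User("dana", frozenset({"manager"}), "finance")
EVAN = User("evan", frozenset({"manager"}), "engineering")
FAYE = User("faye", frozenset({"analyst"}), "finance")
Q3_NUMBERS = Report("Q3 numbers", "finance", "internal")
AUDIT_FINDINGS = Report("Audit findings", "finance", "restricted")


def compare(user: User, report: Report, env: dict) -> dict:
    """Side-by-side decision from both models for one request."""
    return {"rbac": rbac_can_view(user, report), "abac": abac_can_view(user, report, env)}


if __name__ == "__main__":
    for user in (DANA, EVAN, FAYE):
        for report in (Q3_NUMBERS, AUDIT_FINDINGS):
            for env in ({"network": "corp"}, {"network": "public"}):
                print(user.name, report.title, env["network"], compare(user, report, env))
    print(sorted(rbac_roles_needed(["finance", "engineering", "hr"],
                                   ["internal", "restricted"])))
```

Evan, a manager in engineering, is the case the card describes: RBAC lets him view the finance report, ABAC does not. The rbac_roles_needed output shows the cost of getting the same effect from RBAC alone: three departments and two classifications already need six manager roles, before any other attribute is considered.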