Authorization and Access Control Flashcards

1
Q

Authorization

A

Process of determining exactly what an authenticated party can do

2
Q

Access controls

A

Tools and systems you use to deny and allow access

3
Q

What are the four basic tasks of access controls?

A

Allowing access
Denying access
Limiting access
Revoking access

4
Q

Sandbox

A

Isolated environments containing a set of resources for a given purpose

5
Q

What are the two main uses of sandboxes?

A

Prevent contents of sandboxes from interacting with resources they shouldn’t
Contain things you don’t trust, e.g., code from public websites

6
Q

What are the two main methods of implementing access controls?

A

Access control lists (ACLs, or "ackles")
Capabilities

7
Q

Access control list

A

Contains information about what kind of access certain parties are allowed to have in a given system
Often part of application or OS software
Ex: Badge readers

8
Q

What are the two types of ACL?

A

File system ACL
Network ACL

9
Q

What are the three types of permissions in file system ACLs?

A

Read
Write
Execute

10
Q

Characteristics of Network ACLs

A

Filter access based on identifiers used for network transactions, such as Internet Protocol (IP) addresses
Permissions are binary, not RWX
Grant permissions to traffic rather than users

11
Q

What are three main identifiers network ACLs use to filter traffic?

A

Media access controls
IP addresses
Port

12
Q

Media access controls (context: network ACLs)

A

Unique identifiers hard coded into each network interface in a given system
Easily changed

13
Q

IP addresses (context: network ACLs)

A

Unique address for a computer
ACL can filter single address or range of addresses
Can be falsified

14
Q

Port (context: network ACLs)

A

Numerical designation for one side of a connection between two devices
Ports are used as a convention, not by rule, i.e., can be changed

15
Q

Socket

A

When an ACL uses both an IP address and a port, it is called a socket

16
Q

Confused deputy problem

A

When software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software

17
Q

Cross-site request forgery (CSRF)

A

Example of confused deputy problem
If an attacker knows of a website that has already authenticated a user, he can embed a link in a web page or HTML email, such that when the target’s browser attempts to retrieve the image, it also executes additional malicious commands

18
Q

Clickjacking, AKA user interface redressing

A

Example of confused deputy problem
Attacker, who has control over some portion of a website, puts an invisible layer over something the user would normally click. When the user clicks, the client executes a command that is different from what the user is expecting

19
Q

Blackholing

A

Filtering large swaths of IP addresses

20
Q

Capabilities

A

Can define permissions based on a user’s token or key, AKA capability
Relies purely on possession of token, not who possesses it
Not susceptible to confused deputy

21
Q

Access control model

A

Way of determining who should be allowed to access what resources

22
Q

Common access control models (6)

A

Discretionary access control
Mandatory access control
Rule-based access control
Role-based access control
Attribute-based access control
Multilevel access control

23
Q

Discretionary access control (DAC)

A

Owner of the resource determines who gets access and the level of access they get

24
Q

Mandatory access control

A

Owner doesn’t decide; a separate group or individual decides
Ex: government organizations label resource based on sensitivity level

25
Q

Rule-based access control

A

Allows access according to a set of rules defined by the system administrator

26
Q

Role-based access control (RBAC)

A

Allows access based on the role of the individual being granted access

27
Q

Attribute-based access control

A

Access based on specific attributes of a person, resource, or environment

28
Q

What are the three kinds of attributes in attribute-based access control?

A

Subject attributes
Resource attributes
Environmental attributes

29
Q

Subject attributes

A

Belong to individuals
Ex: Must be this tall to ride, CAPTCHAs

30
Q

Resource attributes

A

Belong to a resource, such as an application or operating system
Ex: some software only works on certain OSes, some websites only work on certain browsers

31
Q

Environmental attributes

A

Can enable access controls based on environmental conditions
Ex: time of day, time limits until required reconnection for authorization

32
Q

Multilevel access control

A

Access control model that combines several of the common access control models discussed

33
Q

Bell-LaPadula model

A

Multilevel access control
Opposite of Biba model
Combines discretionary and mandatory access control models
Concerned with confidentiality of resource in question
Involves two security properties: simple security property and * property AKA star property

34
Q

Simple security property

A

Individuals cannot read resources at a higher level but can access and read resources at a lower level
No read up

35
Q

* property, AKA star property

A

Anyone accessing a resource can only write (or copy) its contents to another resource classified at the same level or higher
No write down

36
Q

The Biba Model

A

Multilevel access control
Opposite of Bell-LaPadula model
Concerned with protecting the integrity of data, even at the expense of confidentiality, i.e., more important to keep people from altering data than accessing it
Two security principles: simple integrity axiom and * integrity axiom (star integrity axiom)

37
Q

Simple integrity axiom

A

Access to one level does not grant access to lower levels
No read down

38
Q

* integrity axiom

A

Can only write (or copy) contents to a resource classified at same level or lower
No write up

39
Q

Brewer and Nash model

A

Multilevel access control
Designed to prevent conflicts of interest
Once a user accesses certain materials he would not be able to access materials that would create a conflict of interest
3 main resource classes: objects, company groups, conflict classes

40
Q

Objects (context: Brewer and Nash model)

A

Resources, such as files or information, pertaining to a single organization

41
Q

Company groups (context: Brewer and Nash model)

A

All objects pertaining to an organization

42
Q

Conflict classes (context: Brewer and Nash model)

A

All groups of objects concerning competing parties

43
Q

Physical access controls

A

Concerned with controlling the movement of individuals and vehicles
Common concern: tailgating

44
Q

What are the two types of user accounts in Windows?

A

Local user account
Domain user account

45
Q

Local user account

A

Restricted to the operating system on which it was created
Ex: home users or small network without Active Directory server

46
Q

Domain user account

A

Used to access resources on a domain
Ex: file shares
Centrally managed through a system known as Active Directory, which is installed on a server called a domain controller

47
Q

Domain controller

A

Used for authentication and authorization of the users on a network

48
Q

What are the two ways by which domain users can be managed?

A

Active Directory Users and Computers
PowerShell

49
Q

Active Directory Users and Computers

A

Graphical tool by which domain users are managed