Authorization and Access Control Flashcards
What is Authorization?
The process of determining precisely what a party is allowed to do.
What is Access Control?
The tools and systems used to deny or allow access.
What are some examples of Access Controls?
Car keys
House keys
Building Badges
Passwords
What are the four basic tasks of Access Control?
Allowing, Denying, Limiting, and Revoking access.
What is an example of Allowing Access?
Granting access to a file or directory.
What is an example of Denying Access?
Blocking access outside permitted hours (time of day) or to unauthorized individuals.
What is an example of Limiting Access?
Providing limited access to certain resources, like a master key granting access only to specific areas.
What is an example of Revoking Access?
Removing access when an employee leaves a company or changes departments.
What is an Access Control List (ACL)?
A list containing information about what kind of access a party has.
What are common network ACL attributes?
MAC address, IP address, Ports, and Sockets.
What is the Confused Deputy Problem?
A vulnerability where software has more access permissions than the user controlling it.
What is CSRF (Cross-Site Request Forgery)?
An attack that misuses the authority of a browser to execute unintended actions.
What is Clickjacking?
An attack that replaces existing links on a website to trick users into performing unintended actions.
How do Capabilities differ from ACLs?
Capabilities are token-based access control methods that eliminate the Confused Deputy Problem.
What is Discretionary Access Control (DAC)?
The resource owner decides who gets access and at what level.
What is an example of DAC?
Microsoft SharePoint, where the owner controls access to files.
What is Mandatory Access Control (MAC)?
A separate authority (not the owner) determines access based on security labels.
What is an example of MAC?
Government organizations using Top Secret, Secret, Confidential, and Public classifications.
What principle is associated with MAC?
The Principle of Least Privilege (PoLP), where users get only the access they need.
What is Rule-Based Access Control?
Access is granted based on predefined system rules, such as firewall ACLs.
What is Role-Based Access Control (RBAC)?
Access is determined by the user’s role in an organization.
What is an example of RBAC?
A data entry clerk only has access to the file they need to edit.
What is Attribute-Based Access Control (ABAC)?
Access is based on user, resource, or environmental attributes.
What is an example of Subject Attributes in ABAC?
Height restrictions on amusement park rides or CAPTCHA verification.
What is an example of Resource Attributes in ABAC?
Software that only runs on specific operating systems.
What is an example of Environmental Attributes in ABAC?
Access restrictions based on time or location.
What is Multilevel Access Control?
A combination of multiple access control models.
What is the Bell-LaPadula Model?
A model combining DAC and MAC, focused on confidentiality.
What are the two main rules in the Bell-LaPadula Model?
Simple Security Property (No Read Up) and * Property (No Write Down).
What is the Biba Model?
An integrity-focused model that prevents unauthorized data modification.
What are the two main rules in the Biba Model?
Simple Integrity Axiom (No Read Down) and * Integrity Axiom (No Write Up).
What is the Brewer and Nash Model?
Also called the “Chinese Wall Model,” it prevents conflicts of interest.
What are Physical Access Controls?
Methods to control the movement of people and vehicles in a secure area.
What are examples of Physical Access Controls?
Access cards, security guards, biometric scanners.
What is Tailgating in Physical Security?
When an unauthorized person follows an authorized person through a secured entry point.