Chapter 3 Flashcards
What is the next step after a user is identified and authenticated?
Authorization
_______ defines what the user can access, modify, and delete.
Authorization
Policies or procedures used to control access to certain items
Access Controls
The lowest level of authorization allowed to a user to perform duties
Principles of Least Privilege
A user having more access than usual is an example of a violation of _________
Principles of Least Privilege
Giving access to resources
Allowing Access
Preventing a given party from accessing the resource(s) in question
Denying Access
Allowing partial access to resources
Limiting Access
A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.
Sandbox
Taking access that was once allowed away from the user.
Revoking Access
What is often referred to as “ackles”?
Access Control Lists (ACLs)
Lists containing information about what kind of access certain parties are allowed to have to a given system
Access Control Lists (ACLs)
Used to control access in the file systems on which our operating systems run and control the flow of traffic in the networks to which our systems are attached
Access Control Lists (ACLs)
Commonly discussed in the context of firewalls and routers
Access Control Lists (ACLs)
ACLs
Access Control Lists
Access Control Lists in most file systems have three types of permissions
Read
Write
Execute
Can a file or directory have multiple Access Control Lists attached to it?
Yes
In the case of Network ACLs, we typically see access controlled by the identifiers we use for network transactions, such as __________________, ______________, and ____________.
Internet Protocol addresses (IP Addresses)
Media Access Control addresses (MAC Addresses)
Ports
MAC Address
Media Access Control Address
IP Address
Internet Protocol Address
Permissions in network Access Control Lists tend to be __________________ in nature.
Binary
When there are only two possible values
Binary
The owner of the resource determines who gets access to it and exactly what level of access they can have
Discretionary Access Control (DAC)
Access to resource determined by job duties
Role-Based Access Control
Determined by a group or individuals who have authority to decide who has access
Mandatory Access Control (MAC)
Determined by the traits of a person, resource, or environment
Attribute-Based Access Control
The act of doing something that is prohibited by law or rule
Violation
An attack that misuses the authority of the browser on the user’s computer
Cross-Site Request Forgery (CSRF)
Allows access according to a set of rules defined by the system administrator
Rule-Based Access Control
Primarily concerned with protecting the integrity of data
Biba Model
An Access Control model designed to prevent conflicts of interest
Brewer and Nash Model
aka Chinese Wall model
Brewer and Nash Model
What are the three main resource classes of the Brewer and Nash Model?
Objects
Company Groups
Conflict Classes
(Brewer and Nash Model)
Resources, such as files or information, pertaining to a single organization
Objects
(Brewer and Nash Model)
All objects pertaining to an organization
Company Groups
(Brewer and Nash Model)
All groups of objects concerning competing parties
Conflict Classes
____________ are often concerned with controlling the movement of individuals and vehicles
Physical Access Controls
DAC
Discretionary Access Control
A separate group or individual has the authority to set access to resources.
Mandatory Access Control (MAC)
MAC
Mandatory Access Control
CSRF
Cross-Site Request Forgery
An attack that forces an end user to execute unwanted actions on a web application in which they are currently unauthenticated
Cross-Site Request Forgery (CSRF)
A combination of Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Primarily concerned with the confidentiality of the resource in question.
Bell-LaPadula Model
An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature.
Multilevel Access Control
A client-side attack that involves an attacker placing an invisible layer over something on a website that the user would normally click on in order to execute a command differing from what the user thinks they are performing
Clickjacking
A unique address assigned to each device on any network that uses the Internet Protocol for communication
IP Address
This problem occurs when the software with access to a resource has a greater level of permission to access the resource than the user who is controlling the software. These attacks are common in systems that use ACLs.
Confused Deputy Problem
Unique identifiers hard-coded into each network interface in a given system
Media Access Control addresses (MAC Addresses)
Use these to determine who should be allowed access to what resources
Access Control Models