Chapter 3

Question 1

What is the next step after a user is identified and authenticated?

Answer 1

Authorization

Question 2

_______ defines what the user can access, modify, and delete.

Answer 2

Authorizarion

Question 3

Policies or procedures used to control access to certain items

Answer 3

Access Controls

Question 4

The lowest level of authorization allowed to a user to perform duties

Answer 4

Principles of Least Privilage

Question 5

A user having more access than usual is an example of a violation of _________

Answer 5

Principles of Least Privilage

Question 6

Giving access to resources

Answer 6

Allowing Access

Question 7

Preventing a given party from accessing the resource(s) in question

Answer 7

Denying Access

Question 8

Allowing partial access to resources

Answer 8

Limiting Access

Question 9

A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.

Answer 9

Sandbox

Question 10

Taking access that was once allowed away from the user.

Answer 10

Revoking Access

Question 11

What is often referred to as “ackles”?

Answer 11

Access Control Lists (ACLs)

Question 12

Lists containing information about what kind of access certain parties are allowed to have to a given system

Answer 12

Access Control Lists (ACLs)

Question 13

Used to control access in the file systems on which our operating systems run and control the flow of traffic in the networks to which our systems are attached

Answer 13

Access Control Lists (ACLs)

Question 14

Commonly discussed in the context of firewalls and routers

Answer 14

Access Control Lists (ACLs)

Question 15

ACLs

Answer 15

Access Control Lists

Question 16

Access Control Lists in most file systems have three types of permissions

Answer 16

Read
Write
Execute

Question 17

Can a file or directory have multiple Access Control Lists attached to it?

Answer 17

Yes

Question 18

In the case of Network ACLs, we typically see access controlled by the identifiers we use for network transactions, such as __________________, ______________, and ____________.

Answer 18

Internet Protocol addresses (IP Addresses)
Media Access Control addresses (MAC Addresses)
Ports

Question 19

MAC Address

Answer 19

Media Access Control Address

Question 20

IP Address

Answer 20

Internet Protocol Address

Question 21

Permissions in network Access Control Lists tend to be __________________ in nature.

Answer 21

Binary

Question 22

When there are only two possible values

Answer 22

Binary

Question 23

The owner of the resource determines who gets access to it and exactly what level of access they can have

Answer 23

Discretionary Access Control (DAC)

Question 24

Access to resource determined by job duties

Answer 24

Role-Based Access Control

Question 25

Determined by a group or individuals who have authority to decide who has access

Answer 25

Mandatory Access Control (MAC)

Question 26

Determined by the traits of a person, resource, or environment

Answer 26

Attribute-Based Access Control

Question 27

The act of doing something that is prohibited by law or rule

Answer 27

Violation

Question 28

An attack that misuses the authority of the browser on the user’s computer

Answer 28

Cross-Site Request Forgery (CSRF)

Question 29

Allows access according to a set of rules defined by the system administrator

Answer 29

Rule-Based Access Control

Question 30

Primarily concerned with protecting the integrity of data

Answer 30

Biba Model

Question 31

An Access Control model designed to prevent conflicts of interest

Answer 31

Brewer and Nash Model

Question 32

aka Chinese Wall model

Answer 32

Brewer and Nash Model

Question 33

What are the three main resource classes of the Brewer and Nash Model?

Answer 33

Objects
Company Groups
Conflict Classes

Question 34

(Brewer and Nash Model)

Resources, such as files or information, pertaining to a single organization

Answer 34

Objects

Question 35

(Brewer and Nash Model)

All objects pertaining to an organization

Answer 35

Company Groups

Question 36

(Brewer and Nash Model)

All groups of objects concerning competing parties

Answer 36

Conflict Classes

Question 37

____________ are often concerned with controlling the movement of individuals and vehicles

Answer 37

Physical Access Controls

Question 38

DAC

Answer 38

Discretionary Access Control

Question 39

A separate group or individual has the authority to set access to resources.

Answer 39

Mandatory Access Control (MAC)

Question 40

MAC

Answer 40

Mandatory Access Control

Question 41

CSRF

Answer 41

Cross-Site Request Forgery

Question 42

An attack that forces an end user to execute unwanted actions on a web application in which they are currently unauthenticated

Answer 42

Cross-Site Request Forgery (CSRF)

Question 43

A combination of Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Primarily concerned with the confidentiality of the resource in question.

Answer 43

Bell-LaPadula Model

Question 44

An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature.

Answer 44

Multilevel Access Control

Question 45

A client-side attck that involves an attacker placing an invisible player over something on a website that the user would normally click on in order to exclude a command differing from what the user thinks they are performing

Answer 45

Clickjacking

Question 46

A unique address assigned to each device on any network that uses the Internet Protocol for communication

Answer 46

IP Address

Question 47

This problem occurs when the software with access to a resource has a greater level of permission to access the resource than the user who is controlling the software. These attacks are common in systems that use ACLs.

Answer 47

Confused Deputy Problem

Question 48

Unique identifiers hard-coded into each network interface in a given system

Answer 48

Media Access Control addresses (MAC Addresses)

Question 49

Use these to determine who should be allowed access to what resources

Answer 49

Access Control Models