Chapter 3: Authorization and Access Control

Question 1

enables us to determine, what the party in question are allowed to do (after identification and authentication

Answer 1

Authorization

Question 2

when only the bare minimum of access to a party is allowed to ensure that it is able to perform the functionality needed of it

Answer 2

Principle of Least Privilege

Question 3

giving particular people or set of people access to a given resource

Answer 3

Allowing Access

Question 4

opposite of allowing access

Answer 4

Denying Access

Question 5

allowing some access to resources, but only to a certain extent

Answer 5

Limiting Access

Question 6

taking the access of resources away

Answer 6

Revoking Access

Question 7

Allowing Access

Limiting Access

Denying Access

Revoking Access

Answer 7

Access Control

Question 8

referred to as “ackles”. Controls access in the file systems on the operating system or controls the flow traffic in the networks

Answer 8

ACL (Access Control List)

Question 9

mostly uses three permissions: read, write, and execute

Answer 9

File system ACLs

Question 10

IP, MAC, and ports

Answer 10

Network ACLs

Question 11

define the permissions based on a giving resource, an identity and a set of permissions

Answer 11

ACLs

Question 12

oriented around the use of a token that controls our access

Answer 12

Capability-based security

Question 13

based entirely on possession of the token ,and not who possesses it

Answer 13

Capability based security

Question 14

attack common in systems that use ACLs

Answer 14

Confused Deputy Problem

Question 15

when the software with access to a resource has a greater level of permission to access the resource that the user who is controlling the software

Answer 15

Confused Deputy Problem

Question 16

attacks that take advantage of weaknesses in applications that are running on the computer being operated directly by the user

Answer 16

client-side attacks

Question 17

misuses the authority of the browser on the user’s computer

Answer 17

CSRF(cross site request forgery)

Question 18

also known as user interface redressing, that takes advantage of some of the page rendering features (new Web browser)

Answer 18

clickjacking

Question 19

is a model of access control based on access being determined by the owner of the resource

Answer 19

Discretionary access control

Question 20

is a model of access control in which the owner of the resource does not get to decide who gets to access it, but instead access is decided by a group or individual who has the authority to set access on resources

Answer 20

Mandatory Access Control

Question 21

a model of access control that is similar to MAC, however this form of the access control is based on the role the individual being granted access is performing

Answer 21

Role-base access control

Question 22

is logically based on attribute, particular person, resource or of an environment

Answer 22

attribute-based access control (ABAC)

Question 23

used when other access control models are not adequate

Answer 23

multilevel access control

Question 24

a model that uses a combination of DAC and MAC and is primarily concerned with the confidentiality of the resource in question

Answer 24

Bell-LaPadula Model

Question 25

How interact MAC and DAC when implemented together?

Answer 25

MAC takes precedence over

DAC, and DAC works within the access allowed by MAC permissions

Question 26

the level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to be able to access it

Answer 26

the simple security property/no read up (Bell-LaPadula)

Question 27

anyone accessing a resource can only write its contents to one classified at the same level or higher

Answer 27

the * property axiom/ no write down(Bell-LaPadula)

Question 28

model of access control is primarily concerned with protecting the integrity of data, even at the expense of confidentiality

Answer 28

Biba Model

Question 29

the level of access granted to an individual must be no lower than the classification of the resource

Answer 29

the simple integrity axiom/no read down (Biba Model)

Question 30

Anyone accessing a resource can only write its contents to one classified at the same level or lower

Answer 30

the * integrity axiom/no write up (Biba Model)

Question 31

an access control model designed to prevent conflicts of interest. Commonly used in industries that handle sensitive data

Answer 31

the Brewer and Nash Model/Chinese Wall

Question 32

consists of three main classes : objects, company groups, and conflict classes

Answer 32

The Brewer and Nash model

Question 33

resources such as files or information, pertaining to a single organization

Answer 33

objects (Brewer and Nash)

Question 34

all objects pertaining to a particular organization

Answer 34

Company groups (Nash and Brewer)

Question 35

all groups of objects that concern competing parties

Answer 35

conflict classes(Nash and Brewer)

Question 36

concerned with controlling the access of individuals and vehicles

Answer 36

Physical Access Controls

Question 37

the simple security property

Answer 37

no read up

Question 38

the *property axiom

Answer 38

no write down

Question 39

the simply integrity axiom

Answer 39

no read down

Question 40

the *integrity axiom

Answer 40

no write up

Question 41

the simple security property is part of what model

Answer 41

Bell-Lapadula

Question 42

the *property axiom is part of what model

Answer 42

Bell-LaPadula

Question 43

the simple integrity axiom is part of what model

Answer 43

Biba Model

Question 44

the *integrity axiom is part of what model

Answer 44

Biba Model

Question 45

Bell-LaPadula Model

Answer 45

write up, read down (WURD)

Question 46

Bell-LaPadula

Answer 46

read up, write down (RUWD)