Chapter 3 Flashcards by Yakkie Poo

What is the next step after a user is identified and authenticated?

Authorization

How well did you know this?

Not at all

Perfectly

_______ defines what the user can access, modify, and delete.

Authorizarion

How well did you know this?

Not at all

Perfectly

Policies or procedures used to control access to certain items

Access Controls

How well did you know this?

Not at all

Perfectly

The lowest level of authorization allowed to a user to perform duties

Principles of Least Privilage

How well did you know this?

Not at all

Perfectly

A user having more access than usual is an example of a violation of _________

Principles of Least Privilage

How well did you know this?

Not at all

Perfectly

Giving access to resources

Allowing Access

How well did you know this?

Not at all

Perfectly

Preventing a given party from accessing the resource(s) in question

Denying Access

How well did you know this?

Not at all

Perfectly

Allowing partial access to resources

Limiting Access

How well did you know this?

Not at all

Perfectly

A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.

Sandbox

How well did you know this?

Not at all

Perfectly

Taking access that was once allowed away from the user.

Revoking Access

How well did you know this?

Not at all

Perfectly

What is often referred to as “ackles”?

Access Control Lists (ACLs)

How well did you know this?

Not at all

Perfectly

Lists containing information about what kind of access certain parties are allowed to have to a given system

Access Control Lists (ACLs)

How well did you know this?

Not at all

Perfectly

Used to control access in the file systems on which our operating systems run and control the flow of traffic in the networks to which our systems are attached

Access Control Lists (ACLs)

How well did you know this?

Not at all

Perfectly

Commonly discussed in the context of firewalls and routers

Access Control Lists (ACLs)

How well did you know this?

Not at all

Perfectly

ACLs

Access Control Lists

How well did you know this?

Not at all

Perfectly

Access Control Lists in most file systems have three types of permissions

Read
Write
Execute

How well did you know this?

Not at all

Perfectly

Can a file or directory have multiple Access Control Lists attached to it?

Yes

How well did you know this?

Not at all

Perfectly

In the case of Network ACLs, we typically see access controlled by the identifiers we use for network transactions, such as __________________, ______________, and ____________.

Internet Protocol addresses (IP Addresses)
Media Access Control addresses (MAC Addresses)
Ports

How well did you know this?

Not at all

Perfectly

MAC Address

Media Access Control Address

How well did you know this?

Not at all

Perfectly

IP Address

Internet Protocol Address

Permissions in network Access Control Lists tend to be __________________ in nature.

Binary

When there are only two possible values

Binary

The owner of the resource determines who gets access to it and exactly what level of access they can have

Discretionary Access Control (DAC)

Access to resource determined by job duties

Role-Based Access Control

Determined by a group or individuals who have authority to decide who has access

Mandatory Access Control (MAC)

Determined by the traits of a person, resource, or environment

Attribute-Based Access Control

The act of doing something that is prohibited by law or rule

Violation

An attack that misuses the authority of the browser on the user's computer

Cross-Site Request Forgery (CSRF)

Allows access according to a set of rules defined by the system administrator

Rule-Based Access Control

Primarily concerned with protecting the integrity of data

Biba Model

An Access Control model designed to prevent conflicts of interest

Brewer and Nash Model

aka Chinese Wall model

Brewer and Nash Model

What are the three main resource classes of the Brewer and Nash Model?

Objects Company Groups Conflict Classes

(Brewer and Nash Model) Resources, such as files or information, pertaining to a single organization

Objects

(Brewer and Nash Model) All objects pertaining to an organization

Company Groups

(Brewer and Nash Model) All groups of objects concerning competing parties

Conflict Classes

____________ are often concerned with controlling the movement of individuals and vehicles

Physical Access Controls

DAC

Discretionary Access Control

A separate group or individual has the authority to set access to resources.

Mandatory Access Control (MAC)

MAC

Mandatory Access Control

CSRF

Cross-Site Request Forgery

An attack that forces an end user to execute unwanted actions on a web application in which they are currently unauthenticated

Cross-Site Request Forgery (CSRF)

A combination of Discretionary Access Control (DAC) and Mandatory Access Control (MAC). Primarily concerned with the confidentiality of the resource in question.

Bell-LaPadula Model

An access control model that includes many tiers of security and is used extensively by military and government organizations and those that handle data of a very sensitive nature.

Multilevel Access Control

A client-side attck that involves an attacker placing an invisible player over something on a website that the user would normally click on in order to exclude a command differing from what the user thinks they are performing

Clickjacking

A unique address assigned to each device on any network that uses the Internet Protocol for communication

IP Address

This problem occurs when the software with access to a resource has a greater level of permission to access the resource than the user who is controlling the software. These attacks are common in systems that use ACLs.

Confused Deputy Problem

Unique identifiers hard-coded into each network interface in a given system

Media Access Control addresses (MAC Addresses)

Use these to determine who should be allowed access to what resources

Access Control Models