M5 - U3 - S1 - Access Controls

0.0(0)
studied byStudied by 0 people
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
Card Sorting

1/19

encourage image

There's no tags or description

Looks like no tags are added yet.

Study Analytics
Name
Mastery
Learn
Test
Matching
Spaced

No study sessions yet.

20 Terms

1
New cards

Access Control System

Set of technical controls that govern how subjects may interact with objects

  • Subject — Users or software processes/anything that can request and be granted access to a resource

  • Objects — The resources (e.g. networks, servers, databases, files etc)

2
New cards

Access Control List (ACL)

List of subjects and the rights or permissions they have been granted on the object

  • Typically the basis of an Access Control System

3
New cards

  • Identification

  • Authentication

  • Authorisation

  • Accounting

The 4 main processes that describe an Access Control System

4
New cards

Identification — (Access Control System)

Creating an account or ID that identifies the user or process on the computer system.

5
New cards

Authentication — (Access Control System)

Proving that a subject is who or what it claims to be when it attempts to access the resource

6
New cards

Authorisation — (Access Control System)

Determining what rights or permissions subjects should have on each resource and enforcing those rights

7
New cards

Accounting — (Access Control System)

Tracking authorised and unauthorised usage of a resource or use of rights by a subject

  • Audit logs support this process/feature

  • Logging events support this process/feature

8
New cards

Least Privilege

The premise that a user should be granted rights necessary to perform their job and no more

9
New cards

Implicit Deny

Ruleset/Principle that unless there is a rule specifying that access should be granted (explicit authorization), any request for access will not be granted

10
New cards

True

  • Firewall filters access requests using a set of rules

    • These rules are processed from top to bottom

    • If a request does not fit any of the rules, it is handled by the last (default) rule, which is to refuse the request

True or False: Firewall policies employ the principle of implicit deny

11
New cards

Receive rights

An important consideration in designing a security system is to determine how users ______ to access resources

  • Can also be interpreted as how Access Control Lists are written

12
New cards

  • Discretionary Access Model (DAC) — Owner

  • Role-based Access Control (RBAC) — Users allocated roles

  • Mandatory Access Control (MAC) — Security Clearance

  • Rule-based Access Control — System-enforced rules

Access Control/Authorisation model classes

13
New cards

Discretionary Access Control — (Access Control Model)

This Access Control Model stresses the importance of the owner

  • The owner is originally the creator of the resource, though ownership can be assigned to another user

  • Owner is granted full control over the resource. He or she can modify its ACL to grant rights to others

14
New cards

Role-based Access Control (RBAC) — (Access Control Model)

This Access Control Model adds an extra degree of administrative control to another model

  • A set of organisational roles are defined and users allocated to those roles

    • A simple version of this model in visible in Windows user account types e.g. Admins and Standard Users

15
New cards

Mandatory Access Control (MAC) — (Access Control Model)

This Access Control Model is based on the idea of security clearance levels

  • Each object and each subject is granted a clearance level, referred to as a label

    • If the model used is hierarchical, subjects are only permitted to access objects at their clearance or below

    • OR each resource and user can be labelled as belonging to a domain (compartmentalised) — user may only access a resource if they belong to the same domain

16
New cards

Rule-based Access Control — (Access Control Model)

This Access Control Model is based around access control policies being determined by system-enforced rules rather than system users

  • Some other access control models are examples of this control model

  • Continuous authentication is an example of this model

    • E.g. UAC is activated once a change to the OS is being made, regardless of if the admin is signed in already

17
New cards

True

  • This is an example of rule-based access control

    • The admin, despite being signed in already, has to answer a prompt due to a rule being in place

True or False: UAC prevents/protects against account hijacking by a malicious script or similar

18
New cards

Non-Repudiation

The principle that the user cannot deny having performed some action

19
New cards

Logging Events

Actions by a user that are recorded by the access control system

  • E.g. a user signing in or attempting to modify a file or install an app

  • E.g. history of URLs visited kept by a web browser

20
New cards

  • Video

  • Biometrics

    • Strong authentication can prove that a person was genuinely operating their user account, not an intruder

  • Signature

    • Physical or digital signature can prove that the user was an author of a document

  • Receipt

    • Issuing a token with respect to some product or service is proof that a user requested that product and it was delivered

The 4 examples of mechanisms that provide non-repudiation