CYB1UofI_FISCH3.3
Implementing Access Controls
| Question | Answer |
|---|---|
| what are the two main methods of implementing access controls | access control lists and capabilities |
| what do both access control lists and capabilities have | strengths and weaknesses |
| describe how access control lists and capabilities relate to each other when they carry out the four basic tasks: allowing access, denying access, limiting access, revoking access | there are different ways of carrying out the four basic tasks |
| what is an access control list | a list containing information about what kind of access certain parties are allowed to have to a given system |
| what does ACL stand for | access control list |
| how is access control list pronounced | "ackles" |
| what do we see ACLs often implemented as | part of application software or operating systems & in the firmware of some hardware appliances (network infrastructure devices) |
| how are ACL concepts extended into the physical world | through software systems that control physical resources (badge readers for door control systems) |
| describe how the following ACL works (Figure 3-2): Alice: Allow; Bob: Deny | Alice is allowed access to the resource, while Bob is specifically denied access |
| in larger implementations what can become quite complex | ACLs |
| what do organizations commonly use ACLs for | to control access in the file systems on which their operating systems run and to control the flow of traffic in the networks to which their systems are attached |
| what are the two types of ACLs | file system ACLs and network ACLs |
| how many types of permissions are in the ACLs in most file systems | three |
| what are the types of permissions that are in the ACLs in most file systems | read, write, execute |
| what are permissions | the authorizations that allow access to specific resources in a specific manner |
| what is the read permission for a file system ACL | allows a user to access the contents of a file or directory |
| what is the write permission for a file system ACL | allows a user to write to a file or directory |
| what is the execute permission for a file system ACL | allows a user to execute the contents of the file if that file contains either a program or a script capable of running on the system in question |
| True or False: A file or directory may also have multiple ACLs attached to it | True |
| give an example in a Unix-like operating system where a file or directory might have multiple ACLs attached to it | a given file might have separate access lists for specific users or groups; the system might give a certain individual user specific permissions, a certain group of users different permissions, and any other authenticated users a third set of permissions |
| in UNIX-like operating systems, a given file might have separate access lists for specific users or groups; what is an example for P1, the user | the system might give a certain individual user (like a dev) specific read, write and execute permissions |
| in UNIX-like operating systems, a given file might have separate access lists for specific users or groups; what is an example for P2, the group | a certain group of users (the entire dev group) different read, write, and execute permissions |
| in UNIX-like operating systems, a given file might have separate access lists for specific users or groups; what is an example for P3, other authenticated users | any other authenticated users a third set of read, write and execute permissions |
| on Linux-based operating systems you can view these three sets of permissions by issuing the following command | ls -la |
| what does ls -la do | shows the permissions displayed in the system |
| what does each line represent after executing the ls -la command (Figure 3-3) | represents the permissions for an individual file |
| what is an example of the permissions for the first file (ucf.conf) displayed as (Figure 3-3) | -rw-r--r-- |
| how do we interpret the permission "-rw-r--r--" | divide it into the following sections: "-", "rw-", "r--", "r--" |
| what does the first character of the permission generally represent | the file type |
| in the first character of the permission what does - represent | a regular file |
| in the first character of the permission what does d represent | a directory |
| what does the second segment of the permission represent | the permissions of the user who owns the file |
| what does it mean when the second segment of the permission is set to r w - | the user can read and write to the file but cannot execute it |
| what does the third segment of the permission represent | group permissions |
| what does it mean when the third segment of the permission is set to r - - | meaning that members of the group that was given ownership of the file can read it but not write or execute it |
| what does the last segment of the permission represent | other |
| what does it mean when the last segment of the permission is set to r - - | meaning that anyone who is not the user who owns the file or in the group that owns the file can also read it but not write or execute it |
| in Linux how do permissions apply for a user | the user permissions apply to a single user only |
| in Linux how do permissions apply for a group | the group permissions apply to a single group |
| what happens by using sets of file permissions | you can control access to the operating systems and applications that use your file systems |
| True or False: Most file systems use systems that are similar to the Linux/Unix system for assigning permissions | True |
| looking at the variety of activities that take place on networks (both private and public) what regulates the activity | you'll notice ACLs regulating the activity |
| how do you typically filter access in network ACLs | based on identifiers used for network transactions (Internet Protocol (IP) addresses, media access control addresses and ports) |
| what are common identifiers used for network transactions | Internet Protocol addresses, Media Access Control addresses, and ports |
| what does IP stand for | Internet Protocol |
| where do you see network ACLs | at work in network infrastructure (routers, switches and firewall devices) and in software (firewalls, websites such as Facebook and Google, email, and other forms of software) |
| how would you describe permissions in network ACLs | tend to be binary in nature, they generally allow or deny activity |
| how are network ACLs binary in nature | either allow or deny some activity |
| what do network ACLs not do | assign permissions based on read, write and execute |
| network ACLs typically grant permission to what | traffic |
| network ACLs do not grant permission to | individual users |
| how does a network ACL work when you set up the ACL | you use your chosen identifier or identifiers to dictate which traffic you're referring to and whether traffic is allowed |
| what is best to rely on to filter traffic when using network ACL | multiple identifiers |
| what is media access control | form of network oriented ACLs |
| what is one of the simplest forms of network oriented ACLs | media access control |
| what are media access control addresses | unique identifiers hard-coded into each network interface in a given system |
| what is the problem with using media access control addresses as a unique identifier of a device on a network | the software settings in most operating systems can override a network interface's media access control address; changing this address is easy, so it's not a good choice for a unique identifier of a device on the network |
| software settings in most operating systems can | override a network interface's media access control address |
| what is considered easy to change in regards to network ACLs | changing the media access control address |
| what is not a good choice for a unique identifier of a device on the network | media access control address |
| what can you use as an identifier for a network ACL | IP addresses |
| what is an IP address theoretically | is a unique address assigned to each device on any network that uses the Internet Protocol for communication |
| True or False: You can filter based on individual addresses or an entire range of IP addresses | True |
| describe the scenario: using an IP address range to allow and deny access with a network ACL | you could allow the IP addresses 10.0.0.2 through 10.0.0.10 to pass traffic but deny any traffic from 10.0.0.11 and higher |
| what is the issue with using IP addresses as identifiers for filtering | you can falsify IP addresses and they're not unique to a network interface; IP addresses issued by internet service providers are subject to frequent change |
| what do organizations do to block out known attacks, spammers and other undesirable traffic | apply large scale filtering |
| what organizations apply large-scale filtering to block out known attacks, spammers and other undesirable traffic | those that operate web servers, mail servers, and other services exposed to the internet |
| what is large scale filtering used for | block out known attacks, spammers and other undesirable traffic |
| organizations use what filtering strategies | includes dropping traffic from individual IP addresses, ranges of IP addresses, or the entire IP spaces of large organizations, internet service providers or even entire countries |
| what is blackholing | organizations apply large scale filtering (including dropping traffic from individual IP addresses, ranges of IP addresses, or the entire IP spaces of large organizations, internet service providers or even entire countries) |
| why is the process called blackholing | from the user's perspective, any traffic sent to filtered destinations appears to have vanished into a black hole |
| what is the third way of filtering traffic | is by the port used to communicate over the network |
| what is a network port | is a numerical designation for one side of a connection between two devices |
| how do we used network ports | we use them to identify the application to which traffic should be routed |
| what do many services and applications use for filtering traffic | use specific ports |
| describe examples of common services and applications that use specific ports | FTP uses ports 20-21 to transfer files; Internet Message Access Protocol (IMAP) uses port 143 for managing email; Secure Shell (SSH) uses port 22 to manage remote connections to systems |
| what does IMAP stand for | Internet Message Access Protocol |
| what does SSH stand for | Secure Shell |
| how many ports in all are there | 65,535 ports |
| how can you control the use of applications over the network | by allowing or denying traffic originating from or sent to any ports that you care to manage |
| what is the problem with using ports | you can, with relative ease, change the ports that applications use to entirely different ones |
| specific ports used for applications are | conventions not absolute rules |
| what happens if you use any single attribute (Media Access Control, IP addresses, ports) to construct a network ACL | you'll encounter a variety of issues |
| what issues will you encounter if you only use IP addresses to construct your network ACL | your attribute might not necessarily be unique |
| what issues will you encounter if you only use Media Access Control addresses to construct your network ACL | your attribute will be easy to alter |
| what issues will you encounter if you only use ports to construct your network ACL | you're banking on conventions rather than rules |
| how do you prevent a variety of issues when constructing your network ACL | by combining several attributes |
| what does combining several attributes when constructing your network ACL do | begin to arrive at a more secure technique |
| what is a socket | uses both an IP address and a port |
| what happens when you use sockets | you can allow or deny network traffic from one or more IP addresses with one or more applications on your network in a workable fashion |
| what can you construct an ACL to filter | filter based on a wide variety of other criteria (besides IP addresses, media access control addresses, and ports) |
| what are other criteria that you can construct an ACL to filter | in some cases you want to allow or deny traffic based on more specific information (the content of an individual packet or a related series of packets) |
| how would you filter out traffic related to networks used to illegally share copyrighted material using a network ACL | construct an ACL that allows or denies traffic based on specific information such as the content of an individual packet or a related series of packets |
| what is the weakness of ACL systems | vulnerable to a type of attack called the confused deputy problem |
| systems that use ACLs to manage permissions are | vulnerable to a type of attack called the confused deputy problem |
| what is the confused deputy problem | the problem occurs when software with access to a resource (the deputy) has a greater level of permission to access the resource than the user who is controlling the software; if you can trick the software into misusing its greater level of authority, you can carry out an attack |
| how many attacks take practical advantage of the confused deputy problem | several |
| what do the attacks that take practical advantage of the confused deputy problem involve | these often involve tricking the user into taking some action when they really think they are doing something else entirely |
| the attacks that take practical advantage of the confused deputy problem generally are | client side attacks |
| what do client side attacks take advantage of | weaknesses in applications running on the user's computer |
| what are examples of the client side attacks that take advantage of the confused deputy problem | these attacks might be code sent through the web browser and executed on the local machine; malformed PDF files; images and videos with attack code embedded |
| what have software vendors become aware of in the past several years | have become increasingly aware of such attacks (attacks that take advantage of the confused deputy problem, client side attacks) |
| what have software vendors been doing in response to becoming increasingly aware of such attacks (attacks that take advantage of the confused deputy problem, client side attacks) | they have begun building defensive measures into their software but new attacks appear on a regular basis |
| what are two of the more common attacks that exploit the confused deputy problem | cross-site request forgery (CSRF) and clickjacking |
| what does CSRF stand for | cross-site request forgery |
| what is a cross-site request forgery | an attack that misuses the authority of the browser on the user's computer |
| what happens during a cross-site request forgery P1 | if the attacker knows of/can guess a website that has already authenticated the user (a common site) the attacker can embed a link in a web page or HTML based email (generally to an image hosted from a site controlled by the attacker) |
| what happens during a cross-site request forgery P2 | When the target's browser attempts to retrieve the image in the link, it also executes the additional commands the attacker has embedded in it, often in a fashion completely invisible to the target |
| what is an example of a CSRF attack | the attacker has embedded a request to transfer funds from an account at BankCo to the attacker's offshore account. As the BankCo server sees the request as coming from an authenticated and authorized user, it proceeds with the transfer. |
| in the BankCo CSRF attack who is the confused deputy | bank server |
| what is clickjacking also known as | user interface redressing |
| what is clickjacking | is a particularly sneaky and effective client side attack that takes advantage of some of the page rendering features that are available in newer web browsers |
| what happens when carrying out a clickjacking attack P1 | the attacker must legitimately control or have taken control of some portion of a website. The attacker constructs or modifies the site by placing an invisible layer over something the client would normally click. |
| what happens when carrying out a clickjacking attack P2 | This causes the client to execute a command that's different than the one they think they're performing. |
| what can clickjacking be used for | to trick the client into making purchases, changing permissions in their applications or operating systems, or performing other unwanted activities |
| what do ACLs define permissions based on | a given resource, an identity and a set of permissions |
| where do ACLs hold permissions based on a given resource, an identity and a set of permissions | generally held in a file of some sort |
| what can you define permissions based on | a user's token, or key |
| what is a capability | defines permissions based on a user's token, or key |
| what is not a physical object in most cases | a token |
| what can you think of a token as being like | a badge you might use to open the door of a building; the building has one door and many people have a token that will open it, but each has a different level of access (one may have permission to enter the building any day of the week, another only on weekdays) |
| in capability based systems the right to access a resource is | based entirely on possession of the token rather than who possesses it |
| what happens if you were to give the token or badge to someone else in a capability based system | they would be able to use it to access the building with whatever permission you have |
| when it comes to logical assets, applications can | share their token with other applications |
| what happens if you were to use capabilities instead of ACLs to manage permissions | you could protect against confused deputy attacks |
| what types of attacks wouldn't be possible if you use capabilities instead of ACLs to manage permissions | CSRF and clickjacking |
| why are CSRF and clickjacking attacks not possible if you use capabilities instead of ACLs to manage permissions | the attacker wouldn't be able to misuse the authority of the user unless they had access to the user's token |