RBAC vs ABAC Quiz
35 Questions

Questions and Answers

What does RBAC stand for?

  • Role-Authorized Access Condition
  • Role-Based Access Control (correct)
  • Role-Based Approval Code
  • Role-Assigned Behavior Control

In an RBAC system, a department manager has the right to modify any data within their department.

    False

What is a major disadvantage of ABAC as mentioned in the content?

    Changing user permissions

In RBAC, user permissions are based solely on the user's assigned __________.

    role

Match the role in an RBAC system with their corresponding access level:

    Administrator = Full access to the database
    Department Manager = Access to departmental information
    Employee = Access to personal data only

Which of the following is true about ABAC?

    It considers dynamic attributes for user permissions.

What does the Trusted Computing Base (TCB) primarily consist of?

    A combination of hardware, software, and controls

RBAC allows for user permission adjustments based solely on changes in user roles.

    True

How does ABAC differ in flexibility compared to RBAC?

    ABAC takes dynamic attributes into account, whereas RBAC only considers assigned roles.

A larger TCB provides less flexibility for developers.

    False

Name one advantage of a small TCB.

    Easier to protect from vulnerabilities.

Three elements that are inside the TCB are: Kernel, _____, and the cryptography component.

    authentication mechanisms

Which of the following should probably not be included in the TCB?

    Third-party applications

The biggest threat to the TCB is the software it runs.

    False

What is a supply-chain attack?

    A method of compromising hardware through its external supply sources.

Match the elements with their description regarding the TCB:

    Kernel = Core component managing system resources
    Authentication mechanisms = Methods for verifying user identity
    Cryptography component = Ensures secure data encryption and decryption
    Third-party applications = Software not essential to the TCB's core functions

What should the Trusted Computing Base (TCB) be in relation to a system's security needs?

    As small as possible, yet adequate

The principle of least privilege suggests that users should be granted maximum privileges to perform their tasks.

    False

What can be affected if the authorization mechanism is compromised?

    Integrity of the software

If a user can perform administrative tasks without proper authorization, it indicates a possible _____ in the system's security.

    vulnerability

Match the following user roles with their respective privileges:

    Root user = Can perform all administrative operations
    Basic user = Limited to standard user tasks
    Sudo user = Can execute commands with root privileges
    Attacker = Exploits vulnerabilities to gain unauthorized access

Why is confidentiality important in a system?

    To ensure sensitive content is protected

A user granted unauthorized access to change another user's password indicates a well-functioning authorization mechanism.

    False

What does the term 'privilege escalation' refer to in system security?

    A basic user gaining unauthorized administrative access

What are the two concepts that RBAC-A utilizes?

    Static role definition and dynamic attributes

In RBAC-A, permissions are determined at the time of role definition.

    False

Name one of the MAC systems used by Linux.

    SELinux or AppArmor

In ABAC, the rule format includes 'If the role is ______ and working day is ______...'

    teller, Tuesday

Match the following MAC systems with their characteristics:

    SELinux = Implements a robust MAC framework
    AppArmor = Path-based access control
    RBAC = Role-based access control
    MLS = Multi-level security enforcement

Which statement accurately describes SELinux?

    It combines RBAC, type enforcement, and multi-level security.

AppArmor restricts applications based on roles.

    False

What type of permissions can be added or removed in RBAC-A?

    Permissions based on dynamic attributes

Study Notes

Trusted Computing Base (TCB)

• TCB is the combination of hardware, software, and controls that work together to enforce computer security policies.
• A larger TCB offers broader security coverage through more comprehensive security mechanisms (e.g., logging, encryption). This allows for more flexible use due to numerous built-in functions.
• A smaller TCB is easier to protect because it has fewer components, which decreases vulnerabilities. Smaller TCBs are also portable.
• Three common elements within a TCB include the kernel, authentication mechanisms (biometrics/passwords), and cryptography components (key management and encryption).
• Three elements that should not typically be part of a TCB include third-party applications, activity surveillance mechanisms (like loggers), and unnecessary user applications. These add unnecessary complexity and vulnerability.

Authorization & Privilege Escalation

• User privileges are the operations a user is permitted to perform within a system. These depend on the user's role and context, including actions like reading or writing files, installing or removing software, or managing accounts.
• Phishing for user credentials does not directly break the authorization mechanism, but instead compromises the confidentiality property of the system.
• Compromising a piece of software running as root to gain root privileges breaks the authorization mechanism by granting unauthorized access.
• If an attacker gains the right to change another user's password, the authorization framework is compromised as it grants excessive privileges.
• A privilege escalation occurs when an attacker manipulates a system to obtain higher-level privileges.

Role-Based Access Control (RBAC)

• RBAC is an access control model that grants access based on the functions a user is permitted to perform.
• Role-based access controls are defined by functions or roles, and users are assigned these roles. Examples are: administrator, manager, department manager, or employee. These roles determine access levels to data and features.
• A use case of RBAC is a company database with financial data. The administrator has full database access, and access is progressively narrowed down to employees, who see only their own data.

Attribute-Based Access Control (ABAC)

• ABAC grants permissions based on dynamic attributes, including those tied to time of day or context.
• RBAC is stricter and its roles are static, whereas ABAC is more flexible and allows user permissions to change based on real-time conditions.
• A potential disadvantage of ABAC is the complexity of changing permissions based on numerous attributes.
• RBAC-A combines static roles with dynamic attributes in order to avoid ABAC's complexity.

Quiz Team

Related Documents

Assignment 4 PDF

Description

Test your knowledge on Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). This quiz covers various aspects of these access control models, including their advantages, disadvantages, and components of the Trusted Computing Base (TCB). Challenge yourself to match roles with access levels and understand important security principles.
