CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [223]
While single sign-on is not the opposite of multi-factor authentication, they are often mistakenly thought of that way. One-, two-, and three-factor authentication merely refers to the number of items a user must supply to authenticate. Authentication can be based on something they have (a smart card), something they know (a password), something unique to them (a biometric), and so forth. After the factor-based authentication is complete, single sign-on can still apply throughout the user’s session.
User and Group Role Management
The process of user, group, and role management involves recognizing how work is accomplished in an organization. Most organizations have a high level of standardized tasks that can be accomplished without a great deal of privileged information. Some departments may routinely work with sensitive information about the organization or its customers. A clear set of rules specifying and limiting access can make the job of managing the process much simpler.
Let’s take the example of a small business. Company XYZ has departments that are involved in sales, finance, manufacturing, vendor relations, and customer relations. Each of these departments has different information needs.
The sales department may not need to access all of the company’s financial information. However, someone in manufacturing might need that information. The job of establishing the various privilege levels in a company can become complicated. Some individuals may need to view certain information but should be prohibited from changing it, whereas other individuals may need to update that same information.
In a company of several dozen employees, establishing access control can be difficult, but in a company of thousands, establishing access control at an individual level can be overwhelming. If each individual needs different access capabilities, thousands of access rules are required.
Most operating systems allow you to organize users into groups with similar access needs so that you can more easily manage an otherwise cumbersome access puzzle. Individuals, and even other groups, can then be embedded into top-layer groups known as security groups.
A security group can have predefined access capabilities associated with it. In this way, you can develop a comprehensive security model that addresses the accessibility needs of everyone in an organization. Figure 8.9 illustrates the group process. In this example, most individuals are placed into one of two departmental groups. The top user in the picture has access only to accounting applications on the ACCTG server, the middle user has access to both servers, and the bottom user has access only to the APPS server. Departmental groups access information based on established needs and predefined access.
FIGURE 8.9 Security grouping
Each department may have different access capabilities. In some cases, different roles within a department have different needs. Although you may want a supervisor to have access to information about a department’s performance, you may not want a clerical worker to have that same access. It comes down to an issue of trust, experience, and need.
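To make the nesting in Figure 8.9 concrete, here is an added example (not from the book) that resolves a user’s effective server access through nested groups and lets an administrator review who ends up reaching a given server. The user names, group names and directory layout are constructed assumptions modelled on the figure, and the walk is cycle-safe so a mistakenly self-nested group cannot hang the check.

```python
from collections import deque

# Constructed directory modelled on Figure 8.9 (names are assumptions).
# Each principal (user or group) maps to the groups it is a direct member of.
# Departmental groups (Accounting, Apps) are nested into top-layer security
# groups (ACCTG-Access, APPS-Access) that carry the predefined access.
MEMBER_OF = {
    "alice": {"Accounting"},           # top user in the figure
    "bob": {"Accounting", "Apps"},     # middle user, in both departments
    "carol": {"Apps"},                 # bottom user
    "Accounting": {"ACCTG-Access"},
    "Apps": {"APPS-Access"},
    "ACCTG-Access": set(),
    "APPS-Access": set(),
}
USERS = {"alice", "bob", "carol"}

# Predefined access attached to security groups: group -> servers it may reach.
GROUP_ACCESS = {
    "ACCTG-Access": {"ACCTG"},
    "APPS-Access": {"APPS"},
}


def all_groups(member_of, principal):
    """Every group the principal belongs to, directly or through nesting.
    Breadth-first walk with a visited set, so cyclic nesting terminates."""
    seen, queue = set(), deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def effective_access(member_of, group_access, principal):
    """Union of the predefined access of every group resolved for the principal."""
    servers = set()
    for group in all_groups(member_of, principal):
        servers |= group_access.get(group, set())
    return servers


def who_can_reach(member_of, group_access, users, server):
    """Access review: the users whose effective access includes the server."""
    return sorted(u for u in users
                  if server in effective_access(member_of, group_access, u))
```

Running `who_can_reach` for each server is the access review an administrator would repeat after any group change, since nesting makes the effective result hard to see from a single membership list.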
Privilege Escalation
Privilege escalation is the process of increasing permissions. Often this is done temporarily and innocently, but it can also be accomplished by exploiting local vulnerabilities.
For example, many utilities in the Unix/Linux environment require permissions beyond those given to a user, but a user must run them to accomplish their task. An example is the password utility that allows users to change their passwords. Because the passwords are stored in files that aren’t normally accessible by users, during the time that the user is making the change, the