CISSP Flashcards: Identity and Access Management, Authentication, SSO, Access Models

Explore the principles of identity and access management, including authentication methods, single sign-on (SSO), and access control models. This section is crucial for managing user permissions securely.

What are the three factors of authentication?

The three authentication factors are something you know such as a password, PIN, or security question; something you have such as a smart card, hardware token, or mobile device; and something you are such as a fingerprint, retinal scan, or facial recognition, collectively called biometrics. Multi-factor authentication requires at least two different factors, not two instances of the same factor. Using a password and a PIN is single-factor because both are something you know. Using a password and a fingerprint is true multi-factor.

What is the difference between identification, authentication, authorization, and accounting?

Identification is claiming an identity, such as entering a username. Authentication is proving that identity through credentials like a password or biometric. Authorization is determining what the authenticated user is permitted to access based on policies and permissions. Accounting, also called auditing, is recording what the user did for accountability and forensics. These four steps occur in sequence: you cannot authorize without first authenticating, and you cannot authenticate without first identifying. The acronym IAAA helps remember the order.

What is the principle of least privilege?

The principle of least privilege states that users, processes, and systems should be granted only the minimum access rights necessary to perform their assigned tasks and no more. This limits the damage that can result from accidents, errors, stolen credentials, or malicious insiders. An analyst who only needs to run reports against the production database should be given read-only access, not write access. Least privilege applies to user accounts, service accounts, application permissions, and network access. It is implemented through role-based access control, just-in-time access that grants elevated rights only for the duration of a task, and regular access reviews that remove rights that are no longer needed.

What is the difference between RBAC, DAC, and MAC access control models?

Role-Based Access Control, or RBAC, assigns permissions to roles rather than to individuals, and users receive access by being assigned to roles that match their job functions. Discretionary Access Control, or DAC, lets the resource owner decide who can access their resources, typically through an access control list; it is the model of most operating system file systems, where the file owner sets the permissions. Mandatory Access Control, or MAC, assigns security labels to both subjects (clearances) and objects (classifications), and the system enforces access by comparing the labels rather than by owner discretion; neither the owner nor the user can override the policy. MAC is common in military and government environments. RBAC is the most widely used model in enterprises because role membership maps cleanly to job functions and makes least privilege easier to administer.
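The three models side by side, as an added example that is not part of the flashcards: one toy decision function per model, sharing a (subject, object, action) shape. The role tables, ACLs, labels and user names are invented for the illustration. The RBAC section also shows the least-privilege point from the previous card: the report-only role carries only a read permission on the production database.

```python
"""Toy RBAC, DAC and MAC decision functions (added illustration; all data constructed)."""
from dataclasses import dataclass, field

# ---------- RBAC: permissions hang off roles, users are assigned roles ----------
ROLE_PERMISSIONS = {
    "report_reader": {("prod_db", "select")},                                  # least privilege: read only
    "dba":           {("prod_db", "select"), ("prod_db", "update"), ("prod_db", "alter")},
}
USER_ROLES = {"alice": {"report_reader"}, "bob": {"dba"}}


def rbac_allowed(user: str, obj: str, action: str) -> bool:
    """Allow if any role held by the user carries the (object, action) permission."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---------- DAC: every object has an owner, and only the owner edits its ACL ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # grantee -> set of actions

    def grant(self, granter: str, grantee: str, actions: set) -> None:
        """Access is at the owner's discretion: nobody else may change the ACL."""
        if granter != self.owner:
            raise PermissionError(f"{granter} does not own this object")
        self.acl.setdefault(grantee, set()).update(actions)


def dac_allowed(obj: DacObject, user: str, action: str) -> bool:
    return user == obj.owner or action in obj.acl.get(user, set())


# ---------- MAC: the system compares subject and object labels ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(subject_label: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula style comparison: no read up, no write down.
    Neither the owner nor the subject can override this decision."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if action == "read":
        return s >= o          # simple security property
    if action == "write":
        return s <= o          # *-property (no write down)
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    print("RBAC alice select:", rbac_allowed("alice", "prod_db", "select"))
    print("RBAC alice update:", rbac_allowed("alice", "prod_db", "update"))
    doc = DacObject(owner="carol")
    doc.grant("carol", "dave", {"read"})
    print("DAC dave read:", dac_allowed(doc, "dave", "read"), "write:", dac_allowed(doc, "dave", "write"))
    print("MAC secret reads confidential:", mac_allowed("secret", "confidential", "read"))
    print("MAC secret writes confidential:", mac_allowed("secret", "confidential", "write"))
```

Note the different failure shapes: in DAC the owner's discretion is the policy, so a non-owner calling `grant` is an error rather than a denied decision; in MAC there is no `grant` at all, because labels are set administratively and the comparison rule is fixed.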

What is single sign-on and what are its security trade-offs?

Single sign-on, or SSO, allows users to authenticate once and gain access to multiple applications and systems without re-entering credentials. Benefits include improved user experience, reduced password fatigue, fewer help desk calls for password resets, and centralized access management, including a single place to disable a departing user. The primary security risk is that compromising the SSO credential or session gives an attacker access to every connected system, making the identity provider a single point of failure for both security and availability. For that reason the identity provider itself should be protected with multi-factor authentication, short session lifetimes, and close monitoring.

What is Kerberos and how does it work?

Kerberos is a network authentication protocol that uses symmetric key cryptography and a trusted third party called the Key Distribution Center, or KDC, to authenticate users without transmitting passwords over the network; the client and the KDC each derive the user's long-term key from the password locally. The process works in three exchanges. First, the user authenticates to the Authentication Server and receives a Ticket Granting Ticket, or TGT, which is encrypted under a key known only to the KDC, together with a session key encrypted under the user's password-derived key. Second, the user presents the TGT to the Ticket Granting Service to obtain a service ticket for a specific resource, encrypted under that service's long-term key. Third, the user presents the service ticket to the target server, which can validate it with its own key and no further contact with the KDC. Tickets carry timestamps and lifetimes, so Kerberos depends on reasonably synchronized clocks, and because one TGT yields tickets for many services it is itself a form of single sign-on.
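The three exchanges simulated end to end, as an added example that is not part of the flashcards and not a real Kerberos implementation: the KDC holds both the Authentication Server and the Ticket Granting Service, the client derives its key from the password and never sends the password, and a service validates a ticket with only its own key. The `seal`/`unseal` routine is a toy authenticated cipher written for the example (not Kerberos's real encryption types), and the principal names, passwords and lifetimes are constructed. Because one login yields tickets for two services, the same code also illustrates the single sign-on card above.

```python
"""Kerberos-style three-exchange simulation (added illustration; toy cipher, constructed data)."""
import hashlib, hmac, json, os, time


def derive_key(secret: str) -> bytes:
    """Long-term keys are derived from passwords locally; no password goes on the wire."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (XOR keystream + HMAC tag). Illustration only."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server and Ticket Granting Service in one trusted third party."""
    def __init__(self, principals: dict):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.krbtgt = os.urandom(32)      # key that protects TGTs; it never leaves the KDC

    def as_exchange(self, user: str):     # exchange 1: AS-REQ / AS-REP
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "key": session, "exp": time.time() + 600})
        # The session key travels under the user's password-derived key, so only someone
        # who knows the password can use the TGT that comes with it.
        return seal(self.keys[user], {"key": session}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):   # exchange 2: TGS-REQ / TGS-REP
        t = unseal(self.krbtgt, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)   # proves the client holds the session key
        if auth["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc_session, "exp": time.time() + 600})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session}), ticket


class Client:
    def __init__(self, user: str, password: str, kdc: KDC):
        self.user, self.key, self.kdc = user, derive_key(password), kdc

    def login(self) -> None:
        enc, self.tgt = self.kdc.as_exchange(self.user)
        self.session = bytes.fromhex(unseal(self.key, enc)["key"])   # wrong password -> ValueError

    def service_ticket(self, service: str):
        auth = seal(self.session, {"user": self.user, "ts": time.time()})
        enc, ticket = self.kdc.tgs_exchange(self.tgt, auth, service)
        return bytes.fromhex(unseal(self.session, enc)["key"]), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes):   # exchange 3: AP-REQ
    """The target server needs only its own long-term key and never contacts the KDC."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    return auth["user"] if auth["user"] == t["user"] else None


def demo(password: str = "correct horse") -> dict:
    """One login, then tickets for two services; returns the user each service accepted."""
    kdc = KDC({"alice": "correct horse", "HTTP/web": "svc-1", "cifs/files": "svc-2"})
    alice = Client("alice", password, kdc)
    alice.login()
    accepted = {}
    for svc in ("HTTP/web", "cifs/files"):
        svc_key, ticket = alice.service_ticket(svc)
        auth = seal(svc_key, {"user": "alice", "ts": time.time()})
        accepted[svc] = service_accept(kdc.keys[svc], ticket, auth)
    return accepted


if __name__ == "__main__":
    print(demo())
```

Running `demo()` with a wrong password fails at `login`, because the client cannot unseal the session key; the KDC never learned whether the password was right. In the real protocol, the KDC's `krbtgt` key is the crown jewel for exactly the reason visible here: whoever holds it can mint TGTs for any user.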

What is multi-factor authentication and why is it important?

Multi-factor authentication, or MFA, requires users to present at least two different types of authentication factor before gaining access. Combining a password with a one-time code from a mobile authenticator app is MFA because it uses something you know and something you have. MFA sharply reduces the risk of account compromise because an attacker must obtain multiple independent credentials: a password stolen through phishing or a breach is not enough on its own. The caveat is that a one-time code can itself be phished and relayed in real time, so for high-value accounts phishing-resistant authenticators such as FIDO2 security keys, which bind the authentication to the site's origin, are preferred. NIST SP 800-63B requires multi-factor authentication at Authenticator Assurance Level 2 and above.
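Both points from the factor cards in working code, as an added example that is not part of the flashcards: a check that counts distinct factor categories (so password plus PIN is not MFA), and the time-based one-time code that an authenticator app and its server both compute (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second step, 6 digits). The factor table and the verification window are choices made for the example; the test secret is the one from the RFCs.

```python
"""Distinct-factor check and a TOTP verifier (added illustration)."""
import base64, hashlib, hmac, struct, time

# Which factor category each authenticator type belongs to (table constructed for the example).
FACTOR_OF = {
    "password": "know", "pin": "know", "security_question": "know",
    "smart_card": "have", "hardware_token": "have", "totp_app": "have",
    "fingerprint": "are", "retina": "are", "face": "are",
}


def distinct_factors(authenticators) -> set:
    return {FACTOR_OF[a] for a in authenticators}


def is_mfa(authenticators) -> bool:
    """True only when at least two different categories are combined."""
    return len(distinct_factors(authenticators)) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float = None, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32.upper())
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret_b32: str, code: str, at: float = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Compare in constant time; a 6-digit code is small, so rate-limit attempts as well."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, now + k * 30), code)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    print("password+pin MFA?", is_mfa(["password", "pin"]))
    print("password+totp MFA?", is_mfa(["password", "totp_app"]))
    # "12345678901234567890" from the RFC test vectors, base32-encoded
    print("current code:", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```

The window is a deliberate trade-off: a wider one tolerates more clock drift but multiplies the number of codes an attacker may guess, which is why the server must also throttle failed attempts and never accept a code it has already consumed.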

What is a privilege escalation attack?

Privilege escalation occurs when an attacker gains higher or broader access rights than originally authorized. Vertical escalation means gaining administrator or root privileges from a standard user account, for example by exploiting a kernel vulnerability to gain system-level access or by abusing an application that lets a user set their own role. Horizontal escalation means accessing the resources of another user at the same privilege level, for example viewing another customer's account data by changing the account identifier in a request that the application never checks against the logged-in user.
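Both directions at the application layer, as an added example that is not part of the flashcards: a horizontal escalation through an unchecked object identifier and a vertical escalation through a profile update that writes every submitted field, each beside its fixed handler. The accounts, users and request shapes are constructed for the illustration.

```python
"""Horizontal and vertical privilege escalation in a web backend, vulnerable vs fixed (added illustration)."""

# Constructed sample data.
ACCOUNTS = {101: {"owner": "alice", "balance": 1200}, 102: {"owner": "bob", "balance": 50}}
USERS = {"alice": {"role": "customer"}, "bob": {"role": "customer"}, "carol": {"role": "support_admin"}}


# ---- horizontal: same privilege level, somebody else's object ----
def get_account_vulnerable(session_user: str, account_id: int):
    """The caller is authenticated, but ownership is never checked (insecure direct object reference)."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(session_user: str, account_id: int):
    """Authorize against the object: the owner, or an explicitly elevated role, may read it."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        return None
    if record["owner"] != session_user and USERS[session_user]["role"] != "support_admin":
        return None      # same answer as "not found", so ids cannot be enumerated
    return record


# ---- vertical: a standard user reaches an administrative role ----
def update_profile_vulnerable(session_user: str, fields: dict) -> str:
    """Mass assignment: every submitted field, including 'role', is written to the user record."""
    USERS[session_user].update(fields)
    return USERS[session_user]["role"]


def update_profile_fixed(session_user: str, fields: dict) -> str:
    """Only an allow-list of self-editable fields is accepted; role changes belong to an admin-only path."""
    allowed = {k: v for k, v in fields.items() if k in {"display_name", "email"}}
    USERS[session_user].update(allowed)
    return USERS[session_user]["role"]


def horizontal_attempt(handler, attacker: str = "bob", victim_account: int = 101) -> bool:
    """Does a standard customer get to read another customer's account?"""
    return handler(attacker, victim_account) is not None


def vertical_attempt(handler, attacker: str = "bob") -> bool:
    """Does a standard customer end up with the admin role after a profile update?"""
    USERS[attacker]["role"] = "customer"           # reset between attempts
    return handler(attacker, {"display_name": "B", "role": "admin"}) == "admin"


if __name__ == "__main__":
    print("horizontal, vulnerable:", horizontal_attempt(get_account_vulnerable))
    print("horizontal, fixed:     ", horizontal_attempt(get_account_fixed))
    print("vertical, vulnerable:  ", vertical_attempt(update_profile_vulnerable))
    print("vertical, fixed:       ", vertical_attempt(update_profile_fixed))
```

The common thread is that authentication succeeded in every case; the bugs are missing authorization decisions, one per object and one per field.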