Module 04 - Identification, Authentication, and Authorization_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Access Control Principles, Terminologies, and Models PDF
- Chapter 4 - 01 - Discuss Access Control Principles, Terminologies, and Models - 02_ocred.pdf
- Chapter 4 - 02 - Discuss Identity and Access Management (IAM) PDF
- Chapter 6 - Physical Security Controls PDF
- Security in Operating Systems PDF
- Authentication & Access Control PDF
Full Transcript
2] : » $ £ 1 e10, 0. 0 5. 9 E i i 1 ! 194 y/ ,‘0 ) T Tley. 0 i Certified | Cybersecurity Technician Module - 04 Identification, Authentication, and Authorization Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Module Objectives Understanding the Termi...
2] : » $ £ 1 e10, 0. 0 5. 9 E i i 1 ! 194 y/ ,‘0 ) T Tley. 0 i Certified | Cybersecurity Technician Module - 04 Identification, Authentication, and Authorization Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Module Objectives Understanding the Terminology, Principles, and Types of Access Control Overview of Identity and Access Management (IAM) Understanding the User Access Management Understanding the Different Types of Authentication Understanding the Different Types of Authorization Understanding the User Accounting Module Objectives The most serious risk that organizations are facing today is unauthorized access to sensitive data. To control such data breaches, organizations require strong identification, authentication, and authorization mechanisms to effectively manage access to critical assets and sensitive data. This module provides an overview of various methods and techniques used for the identification, authentication, and authorization of users accessing critical assets and resources. At the end of this module, you will be able to do the following: = Understand the terminology, principles, and types of access control = Describe identity and access management (IAM) * Understand user access management = Explain the different types of authentication = Explain the different types of authorization * Understand user accounting Module 04 Page 449 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Module Flow 0O Discuss Access Control Principles, Terminologies, and Models ! 0,0 l \ L Discuss Identity and Access Management (IAIM) Copyright © by EC-{ L All Rights Reserved. Reproduction is Strictly Prohibited Discuss Access Control Principles, Terminologies, and Models The objective of this section is to explain the concept of access control by introducing the principles of access control, the terminologies used, and the different models that describe how access control helps in controlling the access of users to specific resources in a network. Module 04 Page 450 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Access Control O Access control is the selective restriction of access to an asset or a system/network resource O It protects the information assets by determining who can access what O Access control mechanism uses user identification, authentication, and authorization to restrict or grant access to a specific asset/resource Grrrraassassssnsannrnninn - Authorization Database Administrator ‘ Authentication :. Authentication Function |..... aeeenap 5 Access Control v iz Control emction Sesscsnansvnnsl » A A System Resources Copyright © by EC L All Rights Reserved, Reproduction is Strictly Prohibited Access Control Access control is a method of limiting the access of an organization’s resources for the users. A crucial aspect of implementing an access control is to maintain the integrity, confidentiality, and availability of the information. An access control function uses identification, authentication, and mechanisms to identify, authenticate, and authorize the user requesting access to a specific resource. The access permissions determine the approvals or permissions provided to a user for accessing a system and other resources. The general steps involved in the access control mechanism are as follows: = Step 1: A user provides their credentials/identification while logging into the system. = Step 2: The system validates the user with the database on the basis of the provided credentials/identification such as a password, fingerprint, etc. = Step 3: Once the identification is successful, the system provides the user access to use the system. = Step 4: The system then allows the user to perform only those operations or access only those resources for which the user has been authorized. Module 04 Page 451 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization ,‘. s gpessssssssssnssnsssssssssnad Authorization Database A H Authentication 3 ‘.‘.....'." j ) ment'non Function ' '......:......’: 5 r ,Amss Contl’ol Fction User Access Control :.’"""':’""I’ [ENER A s. Administrator SE=s System Resources Figure 4.1: Access Control Mechanism Module 04 Page 452 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization Exam 212-82 Access Control Terminologies This refers to a particular user or process that wants to access a resource This refers to a specific resource that the user wants to access such as a file or a hardware device It checks the access control rule for specific restrictions It represents an action taken by a subject on an object.... A)I Authentication Reference Monitor | Authorization Copyright © by EC cll All Rights Reserved. Reproduction is Strictly Prohibited Access Control Terminologies The following terminologies are used to define the access control on specific resources: Subject A subject can be defined as a user or a process that attempts to access the objects. The subjects are those entities that perform certain actions on the system. Object An object is an explicit resource on which an access restriction is imposed. The access controls implemented on the objects further control the actions performed by the user. Examples of an object are a file or a hardware device. Reference Monitor A reference monitor monitors the restrictions imposed on the basis of certain access control rules. It implements a set of rules on the ability of the subject to perform certain actions on the object. Operation An operation is an action performed by a subject on an object. A user trying to delete a file is an example of an operation. Here, the user is the subject, the action of deleting refers to the operation, and the file is the object. Module 04 Page 453 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization m Request Exam 212-82 A R ce Monitor [eeeeeeeninasd Authentication goquest A Authorization Figure 4.2: Access Control Terminologies Module 04 Page 454 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Access Control Principles Separation of Duties (SoD) » Involves a breakdown of the authorization process into various steps » Different privileges are assigned at each step to the individual subjects requesting for a resource iQ » This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual 4 r Need-to-know » Under the need-to-know access control principle, access is provided only to the information that is required for performing a specific task H 0 Principle of Least Privilege (POLP) » Principle of least privilege extends the need-to-know principle in providing access to a system » POLP believes in providing employees a need-to-know access, i.e., not more, not less; @ » It helps an organization by protecting it from malicious behavior, achieving better system stability, and system security cll ANl Rights Reserved. Reproduction is Strictly Prohibited Access Control Principles The principles of access control describe the access permission levels of users in detail. By enabling the access control process, the security of the processes and resources can be ensured. The process of access control should be based on the following principles: = Separation of Duties (SoD) This involves a breakdown of the authorization process into various steps. Different privileges are assigned at each step to the individual subjects requesting for a resource. This ensures that no single individual has the authorization rights to perform all functions and simultaneously denies access of all the objects to a single individual. This division ensures that a single person is not responsible for a larger process. For example, granting web server administrator rights to only configure a web server without granting administrative rights to other servers. = Need-to-know Under the need-to-know access control principle, access information that is required for performing a specific task. = is provided only to the Principle of Least Privilege (POLP) The principle of least privilege (POLP) extends the need-to-know principle in providing access to a system. In other words, POLP is based on providing employees exactly the need-to-know level of access i.e., not more and not less. It helps an organization by protecting it from malicious behavior as well as improving system stability and system security. Module 04 Page 455 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Least privilege provides access permissions to only those users who really need the access and resources. The permissions granted depend on the roles and responsibilities of the user requesting the access. There are two underlying principles involved in the least privilege method: low rights and low risks. On the basis of these principles, a user needs to complete a task using the limited number of resources in a limited amount of time provided to them. This approach reduces the probability of unauthorized access to the system resources. Module 04 Page 456 Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Q Access control models are the standards which provide a predefined framework for implementing the necessary level of access control Mandatory Access Control (MAC) ¥ Only the administrator/system owner has the rights to assign privileges ¥ It does not permit the end user to decide who can access the information Discretionary Access Control (DAC) A ¥ End user has complete access to the information they own Role-based Access Control (RBAC) v Permission are assigned based on user roles Rule-based Access Control (RB-RBAC) v Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator Copyright © by EC-C cIL All Rights Reserved. Reproductionis Strictly Prohibited Access Control Models Access control models are the standards implementing the necessary level of access subject can access an object. = which provide a predefined framework for control. Access control models specify how a Mandatory Access Control The mandatory access control (MAC) determines the usage and access policies for the users. A user can access a resource only if they have the access rights to that resource. MAC is applied in the case of data that has been marked as highly confidential. The administrators impose MAC depending on the operating system and the security kernel. It does not permit the end-user to decide who can access the information. The following are the advantages and disadvantages of MAC: o It provides a high level of security since the network defenders determine the access controls. o The MAC policies minimize the chances of errors. o Depending on the MAC, an operating system marks and labels the incoming data, thereby creating an external application control policy. Examples of MAC include Security-Enhanced Linux (SELinux) and Trusted Solaris. = Discretionary Access Control Discretionary access control (DAC) determines the access control taken by any possessor of an object in order to decide the access control of a subject on that object. DAC is Module 04 Page 457 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization alternatively named as a need-to-know access model. The decision taken by the owner depends on the following measures: o File and data ownership: Determines the access policies of the user o Access rights and permissions: Involves the possessor setting the access privileges to other subjects An owner can provide or deny access to any particular user or a group of users. The attributes of a DAC include the following: o The owner of an object can transfer the ownership to another user. o The access control prevents multiple unauthorized attempts to access an object. o The DAC prevents unauthorized filename, directory path, etc. o The DAC uses access control lists in order to identify and authorize users. Disadvantage: A DAC requires from maintenance permissions for the users. Examples control. = users viewing of the details access like control the file size, list and access of DAC include UNIX, Linux, and Windows access Role-Based Access Control In a role-based access control (RBAC), the access permissions are available based on the access policies determined by the system. The access permissions are beyond the user control which implies that users cannot amend the access policies created by the system. The rules for determining the role-based access controls are as follows: o Role assignment: A certain role is required to be assigned to a user which enables them to perform a transaction. o Role authorization: A user needs to perform a role authorization in order to achieve a particular role. o Transaction authorization: Transaction authorization allows the users to execute only those transactions for which they have been authorized. * Rule-based Access Control (RB-RBAC) Permissions are assigned to a user role dynamically based on a set of rules defined by the administrator. Module 04 Page 458 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Logical Implementation of DAC, MAC, O DAC Implementation: Windows Logical implementation of access control is performed File Permissions using access control lists (ACLs), group policies, passwords, and account restrictions | ® Oums/Propaties Gererdl OS X Do you want to allow this app to make changes to C\Demo Admrestrator your To change permiasions. cick Ede Permussons for SYSTEM Program name: EaseUS Data Recovery Wizard Verfied publisher. CHENGDU YIWO Tech Development Co., Ltd. File ongin: Hard drrve on this computer thei Ed MNew Ful contral v Mogty v Fead§ execite Lt folder corterts Read v v v | vize T o =] hange when Customize £2 Admratraton CND Admnatraton) PC S Previcus Versors & Mot matn@CND com) User Account Contrel ) Securty Growp or uter names ‘ 0 Shamng Otectname. MAC Implementation: The User Account Control (UAC) tool of Windows and RBAC For v Cermizsons of 3 anced setngs Dery “I o v ) notdications appear Copyright © by Logical Implementation of DAC, MAC, L All Rights Reserved. and RBAC Reproductionis Strictly Prohibited (Cont’d) RBAC Implementation: Just Enough Administration (JEA) st RBAC Implementation:Windows Admin Center (WAC) Copyright © by Logical Implementation of DAC, MIAC, L All Rights Reserved. Reproductions Strictly Prohibited and RBAC In the Windows operating system (0S), the User Account Control (UAC) feature implements the MAC security model. It restricts the installation of any application software only through administrator authorizations. In other words, users without administrative privileges are restricted to install any application on the system. Module 04 Page 459 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization. Exam 212-82 User Account Control X Program name: EaseUS Data Recovery Wizard Verified publisher: CHENGDU YIWO Tech Development Co. Ld. File origin: Haed drive on this computer Show detsls e Figure 4.3: Mac Implementation: The User Account Control tool of Windows OS Logical Implementation of DAC: Windows File Permissions In the Windows OS, DAC is implemented for assigning file permissions to specific groups/users. Permissions to access files and folders on a system, to access files that exist on an old account of a user, or to edit system files are all controlled using DAC. ~ Demo Properties General Sharing Object name: X Securly Previous Versions Customize C:\Demo Gr!_xp of user names: | SY EM & Madin (matin@CND com) 2 Administrator !l 82 Administrators (CND\Administrators) To change permissions, ciick Edt. Ede. Pemissions for SYSTEM Full control Figure 4.4: DAC Implementation: Windows File Permissions Logical Implementation of RBAC: Just Enough Administration (JEA) The Just Enough Administration (JEA) management framework of in the Windows OS implements RBAC to restrict the rights of IT administrators in remote PowerShell sessions. Using JEA a fine-grained access control can be implemented for non-administrators to run specific commands, scripts, and executables. Module 04 Page 460 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization Exam 212-82 B Adriritrpze Wndows Ponerihet 15 Fle » Ede View < Toohh | Debug Addoms o. Help ‘ » " &R - — - - &n e Unttied! pst*(Recovered) X € New-1tem New-PiRo ‘ e 2 14 7S NOUserAccess TeCagabr Ity i le. \CNOUserAccess RoleCapa ~Path New-Pilessionlonfigurationiile Y Teit-FiSessrononfigurationfile 150 CNOE Stetsr0n g = Copy-1tes £33 4 0 -Path Doma 1 (NDUsericcess C:\Wners\Administrator> : ! e PS «Path Reat c o. 2 JEARole. pare eMemiteler o ve M Ces Fat» A. " NOE~dpoint. psac erolle ~Destination 5% 4 DosainControlle): '\ B onduseraccess tenType 2.9%8 New-Pifens Con e CNOLserACcCess foleCapabilitien’ 4 s 11 & «Path -0 Enter-PSSession 'Ci'\Progras L1900 ¢ ~ComputerNane Ci:\Users\Adeinistrator Files \Documsents» windowsPower Shell modules” ~-ToSess19n [Regrater -Pite Ssessron -Force rath « -Recurse -ToSession NOC Ssession Name -Force "CNDUserAccess” DomainComtrolle Cet -PSSessronlonfiguration ONDUserAccess 5.1 COND\alirce AccessA) lowed microsof t, powershell : NT AUTHORITY AccessAl : INTIRACTIVE AccensAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Us Jowed microsoft, powershel ]l. workflow : BUILTIN\Adwinistrators AccessAllowed, BUILTIN\Remote Masagement Users of t, powershel 132 (CRAR ~ PESERRES———_N u [ & User V. l'lllllllllllllll) Il‘lI'llllllllllll.) Single Sign-on (SSO) Authentication i APPLICATION F EMAILSERVER l DATABASESERVER SERVER Figure 4.15: Single Sign-On (SSO) Authentication Advantages of SSO: * Reduces the chances of reauthentication, thereby increasing the productivity. * Removes the chances of phishing. * Provides a better management of applications owing to a centralized database. * Assists with the account lifecycle. Provisioning and simplified by the availability of a single source of truth. Module 04 Page 488 deprovisioning of accounts is Certified Cybersecurity Technician Copyright © by EC-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization = No need to remember passwords of multiple applications or systems. = Reduces the time for entering a username and password. Disadvantages of SSO: = Losing credentials has a high impact as all the applications of the central service become unavailable. = There are many vulnerability issues related with the authentication for all the applications. = |tis an issue in multiuser computers and requires the implementation of certain security policies to ensure security. Module 04 Page 489 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization Exam 212-82 User Access Management < (AM): Authorization Authorization involves controlling the access of information for an individual (E.g.: A user can only read a file, but not write in it or delete it) = I7 Application Server Application Server Read only Access Control Authorization User System g Application Server Copyright © by k User Access Management L All Rights Reserved. Reproduction is Strictly Prohibited (AM): Authorization (Cont’d) Types of Authorization Systems Centralized Authorization Implicit Authorization v’ Authorization for network access is done using a single v’ Users can access the requested resource on ¥’ It maintains a single database for authorizing all the network resources or applications v The access request goes through a primary resource to access the requested resource v’ Itis an easy and inexpensive authorization approach centralized authorization unit behalf of others 6 = Decentralized Authorization v’ v Each network resource maintains its authorization unit and performs authorization locally It maintains its own database for authorization il I @.. Explicit Authorization 1 \® v Unlike implicit authorization, explicit authorization requires separate authorization for each requested resource v It explicitly maintains authorization for each requested object ) e L Al Rights Reserved. Reproduction is Strictly Prohibited User Access Management (AM): Authorization Authorization refers to the process of providing permission to access the resources or perform an action on the network. s can decide the user privileges and access permissions of users on a multiuser system. The mechanism of authorization can allow the administrator to create access permissions for users as well as verify the access permissions created for each user. Module 04 Page 490 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization ¥, Application Server A e Read-write rrosesecsnsessentsscsnsnnssasaesnsnns " Application Server Read only P SRR A% AR F " Access Control Authorization User System Application Server Figure 4.16: lllustration of an authorization system Authorization can take different forms based on the needs of the organization. = (Centralized Authorization The need for centralized authentication came into existence when it became difficult to implement the authorization process individually for each resource. It uses a central authorization database that allows or denies access to the users and the decision on the access depends on the policies created by the centralized units. This enables an easy authorization for users accessing different platforms. Centralized authorization units are easy to handle and have low costs. A single database provides access to all applications, thereby enabling an efficient security. A centralized database also provides an easy and inexpensive method of adding, modifying, and deleting the applications from the centralized unit. = Decentralized Authorization A decentralized authorization maintains a separate database for each resource. The database contains the details of all users who are permitted to access a particular resource. The decentralized authorization process enables users to provide access to other users as well. This increases the level of flexibility of the users in using the decentralized method. However, certain issues related to the decentralized authorization include cascading and cyclic authorizations. * Implicit Authorization Implicit authorization provides access to the resources indirectly. A task is possible after a user receives authorization for a primary resource through which access to the requested resource is possible. For example, a user requesting a web page has permission to access the main page as well as all pages linked to the main page. Hence, the user is gaining an indirect access to the other links and documents attached to the main page. The implicit authorization provides a level of higher granularity. Module 04 Page 491 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization = Explicit Authorization An explicit authorization maintains separate authorization details for each resource request. This technique is simpler than the implicit technique. However, it takes up a large amount of storage space for storing all authorization details. Module 04 Page 492 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Identification, Authentication, and Authorization Exam 212-82 User Access Management (AM): Accounting O Accounting is a method of keeping track of user actions on the network. It keeps track of who, when, and how the users access the network O It helps in identifying authorized and unauthorized actions O The account data can be used for trend analysis, data breach detection, forensics investigations, etc. (What rights do you have?) User Access Management (AM): Accounting User accounting involves tracking the actions performed by a user on a network. It keeps track of who, when, and how the users access the network. This includes verifying the files accessed by the user and functions such as alteration or modification of the files or data. It helps in identifying authorized and unauthorized actions. The account data can be used for trend analysis, data breach detection, forensics investigations, etc. » Q Authentication ‘ @ (Who are you?) Authorization » a Identity (What rights do you have?) » fi Object Figure 4.17: User Accounting Module 04 Page 493 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Account Types e User Accounts Guest Accounts Service Accounts = = = * Default accounts of operating systems passwords, created to share Run with the least privileges, with permissions such as running * and manipulating files = services to communicate with the operating system Do not have any privileges to and run programs modify system files, directories, or settings Administrator/Root Accounts o Domain or local accounts that allow applications or system resources applications/programs and creating o Least privileged accounts without. N Ha.svadmmlstratlve privileges based on the application requirement Privileged Accounts Privileged accounts that can perform = various system-level functions such Have administrative control over one or several systems as install and uninstall applications or system software and modify system-level settings = Permitted to access any resources in the system, configure drivers, add/discard applications from service, etc. Copyright © by | L All Rights Reserved. Reproductionis Strictly Prohibited Shared/Generic Accounts = (Credentials are shared among multiple users = Typically used when the network is divided and needs individual centralized units for network management Application Accounts * Used by applications to interact with databases and execute batch scripts * Have wide access to the data stored in the organization’s database Group-based Account = (Created to simplify the process of allocating access rights to individual users = Asingle user can be a participant in several groups and can have permissions from all the participating groups Third-party Accounts = Used by enterprises to handle cloud applications or other third-party services = Set up with a cryptographic key or password-based authentication to use hosts through APIs or SSH Copyright © by | L All Rights Reserved. Reproductionis Strictly Prohibited Account Types Organizations use different types of privileged accounts for managing systems, applications, and networks. Privileged accounts may be assigned to system or network engineers, network devices, and services. These accounts can be primary targets for attackers because they have elevated access to critical assets. Improper management or misuse of these accounts cause invite significant threats to the entire business infrastructure. Module 04 Page 494 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization The following are common account types generally found in every organization. User accounts: User accounts are the default accounts of operating systems (OSes). User accounts permit individuals to log into the system and access resources. Initially, the system can be accessed by a single account that an administrator creates during the OS installation. These accounts run with the least privileges, with permissions such as running applications/programs and creating and manipulating files that belong to their profile. Guest accounts: Guest accounts are least privileged accounts and have no password; they are created to share system resources. These accounts do not have any privileges to modify system files, directories, or settings. Windows automatically configures guest accounts, but they can be enabled or disabled based on preferences. In Linux-based systems, an administrator is required to manually create a guest account after installing the OS. Most web services have default guest accounts that allow users to access web servers without providing credentials. Service accounts: Service accounts, referred to as domain or local accounts, allow applications or services to communicate with the OS and run programs or services. Service accounts may also have administrative privileges based on the application requirement or purpose they are intended to serve. Windows has three types of services: system, local, and network services. System services run with higher privileges compared to other accounts. These services use a local system account to start the OS and will have complete privileges on the running system. Local and network services run with the same privileges as a standard user and are allowed to access only network resources. Linux also creates service accounts while installing web servers and applications. Administrator/root accounts: These accounts are privileged accounts that can perform various system-level functions such as installing and uninstalling applications or system software; modifying system-level settings; and reading, modifying, or deleting any file on the system. It is recommended to create a small number of such accounts with elevated privileges to perform administrative activities and access the components of the file system. In general, it is difficult to remove default administrator accounts, which are created by the application or OS during its installation. The default account can have all the permissions enabled. These accounts are also known as superuser accounts. They are called administrator accounts in Windows environments and root accounts in Linux environments. Privileged accounts: Privileged accounts are granted administrative control over one or several systems. These accounts are permitted to access any resources in the system, configure or run drivers, add/discard applications from services, and make configuration changes. Typically, few accounts will have this type of elevated privileges to manage the system, network, or applications. Shared/generic accounts: In shared accounts, the login credentials are shared among multiple users. This approach is typically used when the network is divided and needs Module 04 Page 495 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization individual centralized units for network management. Shared accounts can violate the non-repudiation mechanism; further, they can make the task of maintaining accurate audit trails challenging. If an organization’s password policy requires frequent password changes, then a password change needs to be intimated to every user having access to a shared account, which is a challenging task and may lead to many security risks. Shared accounts are not considered a best security practice because there is high probability of their credentials being compromised. = Application accounts: Application accounts are used by applications to interact with databases, execute batch scripts, and allow access to other applications. These accounts have wide access to the data or information stored in the organization’s database. If the credentials for these accounts are integrated and saved in unencrypted files, may pose a severe threat to the organization. = Group-based accounts: Group-based accounts are created to simplify the process of allocating access rights to individual users. Instead of providing rights directly, the owner of the system allocates them to individual group accounts. The rights are then reflected for all the group members. A single user can be a member of several groups; they can acquire permissions and access rights from all those groups. * Third-party accounts: Third-party credentials are used by enterprises to handle cloud applications or other services provided by third-party vendors. Along with administrative sign-ins, third-party services or devices should be set up with a cryptographic key or password-based authentication to use hosts through APIs or SSH. Inefficient handling of these keys or passwords, such as their insertion in code in an unencrypted form, can cause several security breaches. Module 04 Page 496 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Identification, Authentication, and Authorization Module Summary This module discussed the terminology, principles, and types of access control It covered identity and access management (I1AM) It also discussed user access management Furthermore, this module discussed the different types of authentication and authorization Finally, this module presented an overview of user accounting The next module discusses administrative network security controls in detail h 4 Copyright © by EC-CounciL Al ights Reserved. Reproductionisstrictly Prohibited. | Module Summary This module discussed the terminology, principles, and types of access control. It covered identity and access management (IAM). It also discussed user access management. Furthermore, this module discussed the different types of authentication and authorization. Finally, this module presented an overview of user accounting. The next module discusses administrative network security controls in detail. Module 04 Page 497 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited.