SC-900: Microsoft Security, Compliance, and Identity Fundamentals

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Sensitivity label uses

*Encrypt email and/or documents *Mark content - via watermark, header, footer, etc. *Label automatically *Protect content in containers via sites or groups *Extend sensitivity labels to third-party apps and services *Classify content without using any protection settings, just for awareness

Microsoft's six key privacy principles

1) Control - put customer in control of their data 2) Transparency 3) Security 4) Strong legal protections - respect local privacy law and advocate for privacy as a human right 5) No content-based targeting - not using email, chat, files, or other personal content to target advertising 6) Benefits to you - if data is collected about the customer it benefits the customer (i.e. makes their experience better)

Microsoft 365 Defender suite protects..

1) Endpoints with Microsoft Defender for Endpoint 2) Email and collaboration with Microsoft Defender for Office 365 3) Identities with Microsoft Defender for Identity and Azure AD Identity Protection 4) Cloud Applications with Microsoft Cloud App Security

Authentication methods

1) Password hash synchronization 2) Pass-through authentication (PTA) 3) Federated authentication

Insider risk management principles

1) Transparency - balance user privacy vs org risk w/ privacy-by-design architecture 2) Configurable - policies configurable based on industry, geography, and business group 3) Integrated - Inegrated workflow across M365 compliance solutions 4) Actionable - insights to enable user notifications and data/user investigations

Configurations for Windows Hello

1) Windows Hello convenience PIN - configured by a user; no asymmetric or cert-based authentication 2) Windows Hello for Business - configured by Group Policy or MDM (mobile device management) policy such as Microsoft Intune; backed by key-based or cert-based authentication = safer than convenience PIN

Zero trust guiding principles

1. Verify explicitly - authenticate/authorize based on all data points (e.g. identity, location, device, service, data classification, anomalies, etc.) 2. Least privileged access - limit with JIT/JEA, risk-based adaptive policies, and data protection 3. Assume breach - Segment networks, users, devices, apps. Encrypt data. Use analytics to improve security.

Microsoft Cloud App Security (MCAS)

A Cloud Access Security Broker (CASB) A cross-SaaS solution that acts as an intermediary between a cloud user and the cloud provider including control over data travel (e.g. can't download red data) helps discover/control use of Shadlow IT of cloud apps being used Office 365 is a subset of MCAS

Microsoft Intune

A mobile device management (MDM) solution to manage devices

Azure Sentinel

A scalable, cloud-native SIEM/SOAR single solution for alert detection, threat visibility, proactive hunting, and threat response Spans all users, devices, apps, infrastructure (on-prem and in the cloud) Leverages Artificial Intelligence

Microsoft 365 Compliance Center

Available to customers with a M365 SKU with roles: GA, Compliance Admin, Compliance Data admin Overview of how the company is meeting compliance requirements Maps regulatory controls against recommended improvement actions in prioritized order Includes: Compliance Manager a Compliance Score Solution catalog - compliance solutions & actions Active alerts

Azure Defender plan options

Azure Defender for: Servers - Windows and Linux machines App Services Azure Storage containers SQL Kubernetes Container registries (Azure Resource Manager based registries) Key Vault

Azure Logic Apps

Can be used to automate and orchestrates tasks Integrated with Azure Sentinel in the SOC to automate workflows and playbooks in response to security events

Azure Monitor Workbooks

Canvas for data analysis with built-in and custom reports from Azure Sentinel integration from several data sources

Azure Key Vault

Centralized cloud service for storing app secrets including: 1) Secrets management (tokens, passwords, API keys, etc.) 2) Key management (private encryption keys) 3) Certificate management (provision/manage public and private SSL/TLS certs 4) Secrets backed by HSMs (Hardware Security Modules)

CASB

Cloud Access Security Broker - gatekeeper to broker real-time access between users and the cloud resources they use on any device in any location Provides: 1) Visibility to all cloud services (help identify Shadow IT) 2) Data Security - classified as Red 3) Threat protection 4) Compliance for cloud apps - meet regulatory standards (e.g. HIPPA)

MCAS tools/architecture

Cloud Discovery - map and identify cloud environment Sanctioning/unsanctioning apps in the Cloud App Catalog App connectors using provider APIs Conditional Access App Control protection Continuous control via policies to control/detect risky user behavior

Microsoft Defender for Identity

Cloud-based security tool using ON-PREM AD data/signals to identify, detect, and investigate threats of compromised identities and malicious insider actions Monitors user profiles and behaviors to identify suspicious accounts FKA Azure ATP (Advanced Threat Protection)

Microsoft Intune

Cloud-based service that focuses on MDM (mobile device management) and MAM (mobile application management) to control how org's devices (phones, tablets, laptops) are used Allows people to use personal devices and ensures company data stays protected and isolated from personal data Devices controlled via security baselines, compliance policies, and Conditional Access Integrates with Microsoft Defender for Endpoint for a Mobile Threat Defense solution for Android, iOS/iPadOS, and Win10 or later

Azure Sentinel Security Operation Areas

Collect Detect Investigate Respond

Data Loss Prevention Policies

Consist of: Conditions - content must match before a rules is enforced Action - what the admin wants to happen if conditions are met Locations - where policy will be applied (e.g. Exchange, SharePoint, OneDrive, MSFT Teams, etc.) Policies are applied/enforce in prioritized order

Security token

Cryptographically signed document issued to identity after authenticating with IdP Used as proof of identity with servers Contains 'claims' associated with the identity

B2C Access Management

Customer Identity access management (CIAM) solution that allows users to sign-in with their preferred social, enterprise, or local account identities to get SSO to your apps Managed in the Azure B2C directly and separately from the organization's employee and partner directory SSO to customer owned apps within B2C tenant are supported

On-prem datacenter

Customer responsible for EVERYTHING from physical security to encrypting sensitive data

Azure Sentinel costs

Data for security analytics is stored in an Azure Monitor Log workspace Billing based on volume of data ingested and stored Billed in two models: 1) Capacity reservations - fixed fee based on the selected tier 2) Pay-As-You-Go - Billed per GB for volume of data ingested and stored

EDRM

Electronic Discovery Reference Model

Microsoft 365 Defender

Enterprise defense suite that protects against sophisticated cyberattacks Covers threats detection --> response across all service domains including applications, email, endpoints, identities, and data NOT domain-specific, threat detection and responses across all domains Default workflows and custom workflows available

Microsoft Defender for Office 365 Plan 2

Everything in Plan 1 +: Threat trackers - latest intelligence on cybersecurity issues and allows org to take action BEFORE a threat Threat Explorer - real-time report that allows you to identify and analyze recent threats AIR (Automated Investigation and Response) - set of security playbooks and recommended actions Attack Simulator - run realistic attack scenarios in your org

XDR

Extended Detection Response - system that delivers intelligent, automated, and integrated security across an org's domain Prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms Provided via Microsoft 365 Defender and Azure Defender integrated with Azure Sentinel

FERPA

Family Educational Rights and Privacy Act - rules to protect student information

HIPAA

Health Insurance Portability and Accountability Act - rules on how health-related info should be protected

Microsoft Defender for Endpoint

Help protect endpoints via technology embedded into Windows 10 and MSFT cloud services including endpoint behavioral sensors from the OS Uses AI FKA Microsoft Defender ATP (Advanced Threat Protection)

Communication compliance

Helps minimize communication risks by enabling orgs to detect, capture, and take remediation actions for inappropriate messages scan internal and external communications for policy matches to be reviewed Uses this workflow: 1) Configure - identify compliance requirements and configure applicable comms policies 2) Investigate - admins look deeper into issues detected when communication matches policy 3) Remediate - options include an alert, tagging a message, notifying a user, escalating to another reviewer, marking as false positive, removing a message in Teams, and escalating for investigation 4) Monitor - keep track of and manage compliance issues identified by comms compliance policies through the entire workflow process

Cloud-only model

Identities are created and wholly managed in Azure AD Both cloud-only and hybrid identities can access both cloud and on-prem resources

Azure Active Directory Premium P1

Includes all features in Free + O365 features + Advanced admin (including dynamic groups) Self-service group management Microsoft Identity manager (on-prem IAM suite) Cloud write-back capabilities (allow self-service password reset for on-prem users)

Microsoft 365 Defender Endpoint reports

Includes: Threat protection report - high level info about threat trends and alerts generated in your org Device health and compliance report Vulnerable devices report - includes their exposure to vulnerabilities, severity, etc.

Rootkits

Intercept and change the standard OS process. Can then report the device is healthy and not infected so can't be trusted

Content search actions

MSFT created several Security and Compliance Center PowerShell scripts to complete content search-related tasks including: search-specific mailbox or sites search for list of users Manage multiple searches Clone a search

Microsoft's XDR tools

Microsoft 365 Defender & Azure Defender Both integrate with Azure Sentinel

MAM

Mobile Application Management - gives admins ability to protect corporate data at the app level (let users use their personal devices, but protect org's data) supports BYOD

Azure Security Center

Network security monitoring service that provides infrastructure level security management to strengthen your security posture Includes: *Continuous assessment of environments and prioritized recommendations for hardening tasks *Network maps - look at topology of workloads to ensure nodes are properly configured and how they are connected to block unwanted/unnecessary connections *Threat protection - detect and prevent threats on IaaS, non-Azure servers, & PaaS; integrates with MSFT Defender for Endpoint Azure Defender Off mode is free; Defender On costs

Microsoft Intune security baselines

ONLY for windows devices and MSFT applications

Microsoft Defender for Office 365 Plan 1

Offers config, protection, and detection tools for your Office 365 suite including: Safe attachments (checks for malicious content) Safe Links (links scanned for malicious sites) Safe attachments for SharePoint, OneDrive, and MSFT Teams Anti-phishing protection Real-time detection of threats

Crucial events

Part of Advanced Auditing Includes: *MailItemsAccess - when mail was accessed *Send - when a user sends/replies/forwards and email (does not include content, just header/metadata) *SearchQueryIntiatedExchange - when a user searches something in the search bar in Outlook on the web (OWA) to search for items in a mailbox *SearchQueryInitiatedSharePoint - when a person searches for something in the SharePoint home site for your org

Compliance Manager

Part of the Service Trust Portal Compliance Manager - measures your progress in completing actions to reduce risk around data protection and regulatory standards

Identity Protection reports

Risky users Risky sign-ins Risk detections

Microsoft Intune: RBAC

Role-based Access Control - assign roles to Intune users to limit what they can see/edit/download

Microsoft Defender for Office 365

Safeguards your organization against malicious threats posed by email message, links (URLs), and collaboration tools including MSFT Teams, SharePoint Online, OneDrive for Business, and other Office clients FKA Office 365 ATP (Advanced Threat Protection) Available in two plans: Microsoft Defender for Office 365 Plan 1 and Plan 2 Included in certain subscriptions or available as a standalone add on

Azure Secure Score

Score given by Azure Security Center based on aggregate of assessment of resources, subscriptions, and org for security issues High the score, the lower the risk (e.g. 90% secure is very secure) Improve your score by following provided security recommendations via manual changes or by using the Quick Fix! option

SIEM

Security Information and Event Management - tool used to collect data from across the whole estate, including infrastructure, software, and resources Performs analysis, looks for correlations/anomalies, and generates alerts and incidents

SOAR

Security Orchestration Automated Response - takes alerts from many sources including SIEMs and then triggers action-driven automated workflows and processes to run security tasks to mitigate the risk

PTA (Pass-through authentication)

Simple password validation for Azure AD authentication services by using a software agent that runes on on-premis servers. Server validates the users directly with an on-prem AD so it doesn't happen in the cloud

SSO

Single Sign-On - user logs in once and that credential is used across multiple apps/resources

The security admin wants to protect Azure resources from DDoS attacks, which Azure DDoS Protection tier will the admin use to target Azure Virtual Network resources?

Standard (not Basic) - The Standard service tier provides additional mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources

Office 365 Cloud App Security

Subset of MCAS that provides enhanced visibility and control for Office 365

An organization needs to continuously monitor the security status of its network. What Security Center tool would they use?

The network map provides a map of the topology of your network workloads, which lets you block unwanted connections.

Cloud Security Posture Management (CSPM)

Tools designed to improve your cloud security management and disrupt attackers ROI Assesses systems and automatically alerts security staff in your IT department when a vulnerability is found Tools include: 1) Zero Trust-based access control 2) Real-time risk scoring 3) Threat and Vulnerability Management (TVM) 4) Discover sharing risks -data exposure of company IP 5) Technical policy - apply technical controls to audit/enforce policies 6) Threat modeling systems and architecture

Resource locks

Used to prevent critical resources from being accidentally deleted or changed Options: CanNotDelete (can still modify) or ReadOnly (cannot modify) Resources can have both locks at once

Types of Azure AD Identities

User Service Principal Managed Identity Devices

User risk vs sign-in risk

User risk - probability that a given identity or account is compromised (i.e. leaked credentials on the web) Sign-in risk - probability that a given authentication request isnt authorized by the identity owner (i.e. likelihood sign-in not performed by the user based on location)

User administrator

Users with this role can create and manage all aspects of user and groups Also have ability to support tickets and monitor service health

Global admin (GA)

Users with this role have access to all admin features in Azure AD

Billing administrator

Users with this role make purchases, manage subscriptions & support tickets, and monitor service health

Trainable classifiers

Uses AI and machine learning to classify data based on what the item/document is (e.g. contract, invoice, customer records, etc.) not elements in the item (e.g. pattern matching an SSN) Once trained/ready, can sort through items in locations like SharePoint Online, Exchange, and OneDrive, and classify the content Two types: 1) Pre-trained classifiers - provided by MSFT and ready to go with no training (e.g. resumes, source code, harassment, profanity, and threat) 2) Custom trainable classifiers - classifying data unique to an org like contracts and customer records; provide with many samples to "train"

Asymmetric encryption

Uses a public key and private key pair Examples: TLS (Transport Layer Security) for the HTTPS protocol, and data signing

Hashing

Uses and algorithm to convert original text into a unique fixed-length hash value Used to store passwords Best practice: salt passwords

Password write-back

When password is changed via SSPR, is written back to on-prem AD in real-time

Azure AD Connect

When updates to user accounts, groups, and contacts are made in your on-prem DS, all are synchronized to Azure AD via Azure Ad Connect

An organization uses different types of devices, including Windows, iOS, and Android devices. Admins for that organization have created a security baseline profile in Intune that they want to apply across the devices. To which devices can the security baseline profile be applied?

Windows devices NOT Android or iOS devices

Core eDiscovery workflow

a basic tool that orgs can use to search and export content in M365 Starts from the M365 Compliance Center 1) Create a case and add members to it 2) Create an eDiscover hold - may take up to 24 hours to take effect, infinite or specify date range 3) Search for content via queries 4) Export content - to a results.csv file 5) Close, reopen, and delete a core eDiscovery case - 30 day grace period when holds are turned off

Azure Defender

a built-in threat protection tool built into Azure Security Centerthat protects workloads running in Azure, on-prem, hybrid, and other clouds Uses policies including those built-in by default, custom, and regulatory standards such as NIST and Azure CIS, and the Azure Security Benchmark

Content explorer

a tab in the data classification pane of the MSFT Compliance Center gain visibility into content that has been scanned Access strictly limited to two roles: 1) Content explorer list viewer 2) Content explorer content viewer

Endpoint Security Manager

admin role in Microsoft Intune that grants access to the Microsoft Endpoint Manager admin center

Privileged ACCESS management (PAM)

allows granular access control over privileged admin TASKS in M365 Different than PIM because It is scoped at the TASK level with ability to execute multiple tasks; PIM is at the AD roles and role group level

unified audit log

allows orgs to view user and admin activity in one place across several services (MSFT 365 services, Dynamics 365, MSFT Power Apps, MSFT Power Automate, PowerBI, AAD, etc.)

zero standing access

any user who needs privileged access must request permissions for access and will only receive the level they need when they need it (JEA/JIT)

Advanced eDiscovery workflow

builds on core eDiscvoery solution that aligns with EDRM (Electronic Discovery Reference Model) 1. Add custodians to a case - someone who has admin control of a document or file 2. Search custodial data sources for data relevant to the case - search custodian locations 3. Add data to a review set - add search results to a review set; data is copied, indexed, & moved to secure location ion Azure Storage 4. Review and analyze data in a review set 5. Export and download case data - copy to a different Azure Storage location

Microsoft 365 Defender incidents que

central location to prioritize cross-domain attacks and alerts into single incidents and severity of incident shows number of alerts, type, impact, and how it maps to THE MITRE attack framework

Web App Firewall (WAF)

centralized protection of web apps from common exploits Can be deployed via Azure Application Gateway, Azure Front Door, Azure Content Delivery Network (CDN) services from MSFT

Shared controls

controls both your organization and Microsoft share responsibility for implementing

audit log record retention

dependent on O365 or M365 Enterprise subscription and the type of license assigned to specific users core audit capability, audit record is kept for 90 days can take 30 min-24 hours after an event occurs for the audit log record to be returned in a search

Azure Policy

designed to help enforce standards and assess compliance across the org via aggregate view of all resources can remediate in bulk if issue identified evaluates whether properties of resources match with policy definitions ;(outlined in JSON format)

Microsoft Information Protection (MIP)

discovers, classifies, and protects sensitive and business critical content/data throughout its lifecycle manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you don't for on-orem, cloud, and hybrid environments

eDiscovery tools

eDiscovery tools can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, MSFT Teams, SharePoint Online, OneDrive for Business conversations, and Yammer teams Search via the Content search tool Used if company is involved in litigation

Content Search eDiscovery tool

enables search for in-place items such as email, documents, and IM conversations Must be a member of the eDiscovery Manager role group Accessible via Compliance Center in O365 or M365

Compliance Manager

end-to-end solution in M365 Compliance Center that helps admins manage org's compliance requirements easier Includes: Prebuilt assessment and customizable templates with common industry and location regulations/standards

Customer Lockbox

ensures MSFT can't access an org's content to resolve a case requiring assistance from a MSFT without explicit customer approval

Sensitive information types

figures with set patterns that can be used to identify them (e.g. SSN = XXXX-XX-XXXX) that can be identified by MSFT Compliance Center Also able to set custom patterns for org-specific requirements Examples include: Credit card numbers, passport or ID numbers, bank account numbers, health services numbers

Advanced Audit

helps orgs conduct forensic and compliance investigations by increasing audit log retention required to complete investigation requires one of the following: *M365 E5 or E3 license *O365 E3 license with MSFT E5 Compliance *M365 E5 eDiscovery and Audit add-on license Includes crucial events retains all Exchange, SharePoint, and AAD audit records for one year, max available is 10 years with additional license

Microsoft 365 Defender portal

helps security admins and SOC teams manage and protect their org by showing the common security cards in navigation panel w/ ability to customize by individual a specialized workspace designed to meet the needs of security teams and provides actionable insights to help reduce risks and safeguard your digital estate Includes a Microsoft Secure Score (broader than Azure Secure Score) combines MCAS, Defender for O365/Identity/Endpoint, and AAD

Azure Disk Encryption

helps you encrypt Windows and Linux IaaS virtual machine disks via BitLocker

Endpoint data loss prevention

how protection/monitoring capabilities of DLP for sensitive content can be extended to Windows 10 devices Can be extended to MSFT Teams chat and channels admins can audit and manage activities that users complete on sensitive content including: Creating an item Renaming an item Copying items to removable media Copying items to network shares Printing documents Accessing items using unalloyed apps and browsers

Label policies

how sensitivity labels are applied to users or groups admins can: *Choose who can see the labels *Apply a default label *Require justification for label change *Mandatory labeling (require users to apply a label) *Link users to help pages describing meaning of labels

Cloud App Security portal

lets you see the security posture of your cloud-based apps

Solution catalog (compliance)

links to collections of integrated compliance solutions across 3 areas: 1) information protection & governance 2) Insider risk management - identify & act before an incident 3) Discover & respond section - find and respond to compliance issues

Records management

management solution to manage regulatory, legal, and business-critical records across their corporate data when content is labeled as a record, the following happens: 1) restrictions are put on it to block certain activities (e.g. deletion) 2) activities are logged 3) proof of disposition is kept at end of retention period (proof of deletion?) Rules for 'records': 1) regulatory label can't be removed when content is marked as a regulator record, not even by a GA (irreversible) 2) retention periods cannot be made shorter after the label has been applied

Microsoft Secure Score

measure of the company's security posture of the organization across your apps, devices, and identities higher score = better protection provides benchmarks and KPIs provides recommendations/actions to improve score for M365, AAD, Microsoft Defender for Identity/Endpoint, and MCAS

Compliance Score & types

measures the progress in completing recommended improvement actions within controls related to compliance Improvement action types: 1) Your improved actions (responsibility of org/company) 2) Microsoft actions (responsibility of Microsoft to manage Or: 1) Mandatory - should/can NOT be bypassed (e.g. password requirement) 2) Discretionary - depends on the user adherence (e.g. lock laptop when leave it) Sub categories: Preventative Detective Corrective

Sensitivity labels

orgs decide on sensitivity labels applied to content such as emails and documents each item can only have one sensitivity label on it at a time they are: customizable (e.g. red, orange, yellow, green) clear text - stored in clear text so TPO can read and apply their own protect actions Persistent - becomes part of metadata for that content and moves with it

Advanced eDiscovery

part of M 365 and provides ability for: Content Search Core eDiscovery Advanced eDiscovery

Transparent Data Encryption (TDE)

protects Azure SQL Database and Azure Data warehouse

Azure Storage Service Encryption

protects data at rest by automatically encrypting BEFORE persisting it to Azure storage decrypts before retrieval

Azure Blueprints

provides a way to define a repeatable set of Azure resources; can be replicated to multiple Azure regions enables dev teams to rapidly provision and run new environments that are known to be in compliance with org's requirements examples include: *Role Assignments *Policy Assignments *Azure Resource Manager (ARM) templates *Resource Groups

Service Trust Portal

provides info, tools, and other resources about Microsoft security, privacy, and compliance practices Includes: Compliance Manager - measures company's progress Trust Documents - links to a docs Industries & Regions - compliance info in different areas Trust Center - security, compliance, and privacy in the Microsoft Cloud

Azure Resource Manager (ARM)

provides management layer that enables admins to create, update, and delete resources in an Azure account admins can use RESOURCE LOCKS to secure resources after deployment

Azure Security Benchmark (ASB)

provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure Spans network security, IAM, data protection/recovery, incident response, and more

Activity explorer

provides visibility into what content has been discovered and LABLED/CLASSIFIED and where it is at; includes label downgrades (e.g. Red --> Green data data classification) admins have 30+ filter options

Trust relationship

relationship between the server and the IdP to that is used to validate the security token granted to the client

Information Barriers

restrict communication/searching for a user between groups to avoid conflict of interest from occurring in an org supports only TWO-way restrictions, not one-way examples: *students can't look up other student info or chat with them *legal - lawyers keep client info separate from other clients *professional services

ISO 27701

rules and guidance to manage personal information and demonstrate compliance

Retention labels

used to assign settings at an ITEM level, such as a folder, document, or email and label travels with content an item can only have one retention label assigned to it at a time can be applied manually or automatically if matches conditions a default label can be applied for SharePoint documents takes priority over retention policy (e.g. site has retention policy of 5 years, you need document for 10 - apply retention label to that document only)

Retention policies

used to assign the same retention settings to content at a (WEB)SITE level or MAILBOX level 1 policy can be assigned to multiple locations Items inherit retention settings from their container specified in the retention policy, if content moves out of a container a copy is stored but retention settings don't travel with the content to its new location

Microsoft 365 Defender portal security report

view info about security trends by CATEGORY or GROUP: Group by CATEGORY: Identities - users Data - emails and document cotents Devices - computers, mobile phones, and other devices Apps - programs and attached online services Group by TOPIC: Risk - entities that are at highest risk Detection trends - new threats Configuration and health - configuration and deployment of security controls

Microsoft Intune Endpoint security node

where admins go to configure and manage/enforce security tasks for at-risk devices

Windows Hello lets users authenticate to

1) A Microsoft account 2) An AD account 3) An AAD account 4) Identity provider or Relying Party Services that supports FIDO v2.0

Key features of Azure Firewall

1) High availability and ability to span multiple availability zones 2) Network and app level filtering 3) Outbound SNAT (Source Network Address Translation) 4) Inbound DNAT (Destination Network Address Translation) 5) Multiple public IP addresses 6) Threat intelligence filterning 7) Integration with Azure Monitor to analyze logs

Types of DDOs attacks

1) Volume-based attacks -flood the network with seemingly legit traffic to not allow legit traffic to get through 2) Protocol attacks - overwhelm with false protocol requests in layer 3 (network) and layer 4 (transport) 3) Resource (application) layer attacks -target web application packets to disrupt transmission of data between hosts

Pillars of Identity

1. Administration - creation and management (LCM) of identities 2. Authentication (AuthN)- proving identity, how much evidence needed 3. Authorization (AuthZ) - determine level of access an authenticated identity has 4. Auditing - tracking via logs who does what, when, where, & how via reporting alerts and governance

Azure AD editions

1. Azure Active Directory Free 2. Office 365 Apps 3. Azure Active Directory Premium P1 4. Azure Active Directory Premium P2

What security tasks ALWAYS responsibility of the customer?

1. Data 2. Devices 3. Accounts/Identities

Zero trust foundational pillars

1. Identities - can be users, services, or devices 2. Devices - monitor for health/compliance 3. Apps - manage permissions/access 4. Data - should be classified, labeled, and encrypted where appropriate 5. Infrastructure - understand baseline to detect anomalies and flag risky behavior to take action 6. Networks - should be segmented and include real-time threat monitoring and protection

Cloud Adoption Framework for Azure Lifecycle

1. Strategy: define business justification and expected outcomes of adoption. 2. Plan: align actionable adoption plans to business outcomes. 3. Ready: Prepare the cloud environment for the planned changes. 4. Adopt -Migrate: Migrate and modernize existing apps AND/OR -Innovate: Develop new cloud-native or hybrid apps 5. Govern: Govern the environment and workloads. 6. Manage: Operations management for cloud and hybrid solutions.

Azure Firewall

A managed, cloud-based network security service that protects your Azure VNet resources Advantage of model is ability to scale up/centrally exert control over multiple VNets across different subscriptions

NSG priority

A number between 100-4096, security rules are processed in order of priority (lower --> higher numbers) Once a a traffic matches a rule, processing stops

Zero Trust

A security model that assumes everything is on an open and untrusted network, even resources behind firewalls "Trust no one, verify everything"

FIDO2

Abbreviation for Fast Identity Online - an alliance that promotes open authentication standards and aims to reduce reliance on passwords FIDO2 allows users to sign-in with an external security key such as a USB, lightning connector, Bluetooth, or NFC Azure AD supports FIDO2

AD

Active Directory - set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks

AD DS

Active Directory Domain Services - stores information about members of the domain, including devices and users, verifies their credentials, an defines their access rights. A server running AD DS is a domain controller (DC) Supports on-premises IT infrastructure for multiple domains using a single identity per user Does not natively support mobile devices, SaaS applications, or apps that require MODERN authentication

Azure Active Directory Premium P2

All P1 features + Azure AD Identity protection to provide risk-based Conditional Access to apps and data PIM - Privileged Identity Management to help discover, restrict, and monitor admins and access to resources & provide (just-in-time) JIT access when needed

Modern authentication

All services and information are are managed by a central identity provider Client authenticates with IdP. Once authenticated, the IdP sends the client a security token. The token is used as proof of identity that is sent to the server The server has a trust relationship with the IdP so it verifies with the IdP and trusts the security token

Azure Network Security Group (NSG)

Allow you to allow or deny inbound/outbound network traffic based on rules to/from Azure resources that exist in your Vnet (e.g. a vm)

Access packages

Allows users (including external users) to request/receive access to groups of resources together (e.g. IAM access) bundled together to improve efficiency

Azure Active Directory Free Edition

Allows you to administer users groups Synchronize with AD (on-prem) Configure self-service password change for cloud users Enable SSO across Azure, M365, and other SaaS apps Included with subscriptions to O365, Azure, Dynamics 365, and Power Platform

B2B Collaboration

Allows you to share your orgs apps and services with guest users from other orgs while maintaining control over your data Uses invitation and redemption process and managed in Azure AD as guests Allows external users to access your resources with their credentials Supports SSO for guests to all Azure AD-connected apps

NSG information points

Allows/denies traffic to Azure resources based on 5 by priority using 5 evaluation points: 1/2) Source/Destination (IP address range, service tag, or app security group) 3/4) Source/Destination port (range) 5) Protocol (TCP, UDP, ICMP, or Any)

CA access controls

At time of auth requerts, can: 1) Block access 2) Grant Access 3) Require one or more conditions to be met before granting access (MFA, compliant device, hybrid joined, password change, etc.) 4) Control user access based on session controls (e.g. don't allow ability to download sensitive data)

Password spray attack

Attempts to match a username against a list of weak passwords

Dictionary attack

Attempts to steal identity by trying a large number of known passwords AKA Brute force attacks

Windows Hello for Business

Authentication feature built into Windows 10, replaces passwords with strong 2FA on PCs and mobile devices using a biometric or PIN Stores PIN and biometric data locally on device (never sent to external devices or servers) = safer b/c no collection point for attackers to compromise

Federated authentication

Azure AD redirects the client requesting authentication to a separate trusted identity provider such as AD FS (AD Federation SErvices) to validate user's password

Azure AD External identity types

B2B: allows you to share apps and resources with external users B2C: Identity management solution for consumer and customer facing apps Both included in Premium P1 and Premium P2 Azure AD editions

Defaults for admins using SSPR

By default admin accounts: Are enabled for SSPR Are required to use 2FA Cannot use security questions (weak)

Azure AD registered devices

Can be Windows 10, iOS, Android, or macOS devices Typically a personal device that is signed in with a personal Microsoft account or another local account

Hybrid Azure AD joined devices

Can be Windows 7, 8.1, or 10 OR Windows Server 2008 or newer Owned by the org and signed in with an AD Domain services (on-prem) account. Exists in the cloud and on-prem

Microsoft Identity Manager

Can import records from on-prem HR systems such as SAP HCM, Oracle eBusiness, and Oracle PeopleSoft

Windows Hello for Business

Configured by Group Policy or MDM (mobile device management) policy such as Microsoft Intune; backed by key-based or cert-based authentication = safer than convenience PIN

Microsoft Cloud Adoption Framework for Azure

Consists of documentation, implementation guidance, best practices, and tools designed to help businesses adopt cloud

Azure Role-Based Access Control (RBAC)

Control permissions to manage Azure AD resources Supports built-in and custom roles (requires Premium P1 or P2 license): Global Administrator User administrator Billing administrator

DNAT

Destination Network Address Translation - inbound internet traffic to the firewall public IP address is translated and filtered to the private IP address of resources on the virtual network

Azure AD joined devices

Devices that exist only in the cloud that can be configured for all Win10 devices Owned by the organization and signed in with Azure AD or synced AD work or school account

DC

Domain Controller - server running Active Directory Domain Services

Office 365 Apps (Azure AD) Edition

Free features + self-service password RESET for cloud users Device write-back (two-way synchronization between on prem and Azure AD) Included with subscriptions to O365, E1, E3, E5, F1, and F3

Azure AD identity governance tasks

Govern identity LCM Govern access LCM Secure privileged access for admins for employees, business partners and vendors, and across services and applications on-prem & in the cloud

Azure DDoS Protection

Identifies an attacker's attempt to overwhelm the network and blocks the traffic from the attacker Tiers: 1) Basic - enable for every property in Azure at no additional cost and includes real-time mitigation of common network-level attacks using MSFTs global network to distribute attacks 2) Standard - provides extra mitigation capabilities including dedicated traffic monitoring and machine learning algorithms

Shared responsibility model

Identifies which security tasks are handled by the cloud provider vs the customer Types: SaaS (Software as a Service) PaaS (Platform as a Service) IaaS (Infrastructure as a Service) On-premises data center (On-prem)

Hybrid Identity model

Identities are created/managed in AD DS or another on-premis identity provider and then synchronized to Azure AD Both cloud-only and hybrid identities can access both cloud and on-prem resources When updates to user accounts, groups, and contacts are made in your on-prem DS, all are synchronized to Azure AD via Azure Ad Connect Identities can be authenticated by Azure AD (managed authentication) or Azure AD redirects the client requesting the authentication to another identity provider (federated authentication)

Managed Identities

Identities automatically managed in Azure AD and typically used to manage credentials for authenticating a cloud application with an Azure service

What is the new security perimeter?

Identity - how a user, app, device, etc. can be verified and authenticated to be who they say they are such

Managed authentication

In the hybrid model, authentication is done by Azure AD

PIM characteristics

JIT/JEA access Time-bound (assign start and end dates) - can be helpful for guests leaving by x date Approval-based to activate privileges Visible/transparent by sending notifications when privileged roles are activated Auditable

Azure Active Directory

Microsoft's cloud based identity provider that provides organizations with IDaaS (Identity as a Service) solution for all apps across cloud and on-premises Enables employees, guests, and others to sign-in and access internal services (apps developed internally) and external services (SaaS apps like O365, Azure portal, etc.) Can enable orgs to securely enable use of personal devices and collaboration with business partners and customers

Microsoft Authenticator app

Mobile app (available for Android and iOS) for MFA and can be configured to use biometrics such as fingerprint or facial scan

OATH

OATH (Open Authentication) - open standard that specifies how time-based, one-time password (TOTP) codes are generated to authenticate a user Can be software tokens (e.g. MSFT Authenticator app) or hardware tokens that refreshes every 30-60 seconds

An organization has recently conducted a security audit and found that four people who have left were still active and assigned global admin roles. The users have now been deleted but the IT organization has been asked to recommend a solution to prevent a similar security lapse happening in future. Which solution should they recommend?

PIM - Privileged Identity Management mitigates the risks of excessive, unnecessary, or misused access permissions.

Why is Windows Hello safer than a password?

PIN is tied to device and useless w/o hardware PIN never transmitted anywhere, so no central location for attackers Windows Hello PIN is backed by a TPM (Trusted Platform Module) chip with built-in physical security that is tamper resistant

Conditional Access

Premium feature of Azure AD that provides extra layer of security before allowing authenticated users to access data or other assets managed through CA policies created and managed in Azure AD Policies analyses signals including user/group membership, location via IP address range, device compliance, application, cloud apps, real-time sign-in risk detection (via Azure AD Identity Protection), or user risk (via Identity protection)

PIM

Privileged Identity Management is a service in Azure Active Directory that enables you to manage, control, and monitor access to important Microsoft resources in your org (Azure AD, Azure, M365, Microsoft Intune) Part of Premium P2 only Helps you minimize number of people who have access to resources across Azure AD

Sign-in risk

Probability that a given auth request isn't authorized by the identity owner Can be calculated in real-time or offline using MSFT threat intelligence sources (Identity protection) Examples: anonymous or malware IP address, atypical travel, password spray, AAD threat intelligence (meets attack pattern)

Platform as a Service (PaaS)

Provides an environment to build, test, and deploy software applications by providing underlying infrastructure including the hardware and OS

User

Representation of something managed by Azure AD such as employees and guests (B2B) Use groups to provide access to several members at once vs assigning individually

Service Principle

Security identity used by apps or services to access specific Azure resources (i.e. an identity for an application) App must first be registered with Azure AD which creates a global unique app object that is stored in the Azure AD tenant

SSPR

Self Service Password Reset - feature of Azure AD that allows users to change or reset their password, or unlock their account without an admin or help desk Auth methods available include: mobile app notification, mobile app code, email, mobile phone, office phone, security questions User must be assigned an Azure AD license and registered with at least 1 authentication method

Azure AD External Identities

Set of capabilities that enable organizations to allow access to external users, such as customers or partners to "bring their own identities" to sign in Enabled through Azure AD support of external identities like other Azure AD tenants, Facebook, Google, or enterprise identity providers if admins set up federation with them

Federation

Single Sign-On between multiple identity providers Enables access of services across organizational boundaries by establishing trust relationships between the domain/entities' identity provider Trust is not always bidirectional

Software as a Service (SaaS)

Software hosted and managed by the cloud provider for the customer. Cloud provider manages everything aside from data, devices, accounts, and identities Examples include: Microsoft 365, Skype, and Dynamics CRM

SNAT

Source Network Address Translation - translates private IP address of network resources in Azure public IP address to identify and allow traffic originating from the virtual network to internet destinations

Directory Services

Stores directory data (hierarchical structure of info on the network) and makes available to users, admins, services, apps, etc.

Types of managed identites

System-assigned - created as part of an Azure service/resource and only that resource and tied to LCM of that service (i.e. if service is deleted, so is the identity) User-assigned - a standalone Azure resource that is assigned to one or more instances of an Azure service and is shared as a single identity across multiple Azure services

Azure Identity Protection

Tool that allows orgs to: Automate detection and remediate identity-based risks based on Microsoft learnings from trillions of data points with its customers Investigate risks using data in the portal Export risk detection data to a third-party utilities for further analysis Categorizes into three tiers: low, medium, and high Risk detections can trigger actions such as requiring users to provide MFA, reset their password, or block access until an admin takes action Requires Premium P2

Password hash synchronization

Used to authenticate on-prem directory objects in Azure AD. Users have same username and password that they use on-prem

Symmetric encription

Uses the same secret key to encrypt and decrypt

Entitlement management

automates access request workflows, access assignments, reviews, and expiration to allow orgs to manage IAM at scale via access packages feature of Azure Ad Premium P2 (along with access reviews)

Dynamic groups

enable admins to create attribute-based rules to determine membership of groups when attributes of a user or device change, the system evaluates all dynamic group rules in a directory to see if the change would trigger any users to be added or removed from a group. If yes, added and if no longer, removed from group

Azure virtual network (VNet)

enables different Azure resources (e.g. Azure virtual machine) to securely communicate with other VNets, the internet, or your on-prem network can be divided into multiple subnetworks (subnets) secured by network security groups (NSGs)

Password Protection

feature of Azure AD that reduces risk of users setting weak passwords based on password spray attacks Detects and blocks known weak passwords automatically via a default global banned password list AND can weak terms specific to your org Can be integrated with an on-prem AD environment

Infrastructure as a Service (IaaS)

leveraging the cloud provider's cloud infrastructure (physical) including computers, network, and physical security of the datacenter. Customer still manages software components.

Device

piece of equipment such as a mobile device, laptop, printer, server, etc. Device identities can be set up in 3 different was in Azure AD: 1) Registered devices 2) Joined devices 3) Hybrid joined devices

User risk

probability a given identity or account is compromised Calculated offline via threat intelligence sources Examples: leaked credentials found on the dark web, AAD threat intelligence (meets attack patters or is not consistent with typical user behavior)

Azure Bastion

provides secure and seamless RDP (Remote Desk Protocol)/SSH (Secure Shell) connectivity to your virtual machines directly from the Azure portal using TLS (Transport Layer Security) Does not require a public IP address, agent, or special client software More secure because does not expose RDP/SSH ports to the public (protects against port scanning) Protects against zero-day exploits 1 Azure Bastion deployed per VNet Does not require management of NSGs

Security defaults

set of basic identity security mechanisms recommended by Microsoft Includes: Required MFA registration for all users Forcing admins to use MFA Requiring standard users to complete MFA when needed

Common claims of security tokens

subject - unique, unchanging identifier of the client issued at - when security token was issued expiration - when the security token should expire audience - describes the recipient of the token so the token cannot be forwarding to others. If audience does not list recipient it is dropped


Set pelajaran terkait

Ch 22: The Role of Life insurance in Estate Planning

View Set

Job Related Services Quiz 3: Area and Volume

View Set

Sect 3: Food Safety & Supply Topic B

View Set

Chapter 12 - IP Addressing and Subnetting

View Set

the complete ap econ review guide

View Set

Bone, cartilage tendon and muscle

View Set