CS-900 Microsoft Security Fundamentals Flashcards
Describe the shared responsibility model
Identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer. The responsibilities vary depending on where the workload is hosted. It makes responsibilities clear.
Defense in Depth
Layered approach to security, rather than relying on a single perimeter. A defense-in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker from getting unauthorized access to data.
Zero Trust Model
Assumes everything is on an open and untrusted network, even resources behind the firewalls of the corporate network. The Zero Trust model operates on the principle of “trust no one, verify everything.”
Encryption
The process of making data unreadable and unusable to unauthorized viewers. To use or read encrypted data, it must be decrypted, which requires the use of a secret key. There are two top-level types of encryption: symmetric and asymmetric.
Hashing
Uses an algorithm to convert text to a unique fixed-length value called a hash. Each time the same text is hashed using the same algorithm, the same hash value is produced.
Salted
Refers to adding a fixed-length random value to the input of a hash function so that the same input produces unique hashes.
Data Compliance
Regulations to help protect and govern the use of data. From personal and financial information to data protection and privacy, organizations can be accountable for meeting dozens of regulations to be compliant.
Data residency
Governs the physical locations where data can be stored and how and when it can be transferred, processed, or accessed internationally. These regulations can differ significantly depending on jurisdiction.
Data sovereignty
The concept that data, particularly personal data, is subject to the laws and regulations of the country/region in which it’s physically collected, held, or processed. Data can be subject to the laws of different countries/regions if processing, storage, or collection are done in different locations.
Data privacy
Providing notice and being transparent about the collection, processing, use, and sharing of personal data are fundamental principles of privacy laws and regulations
Personal Data or PII
Any data that is directly linked or indirectly linkable back to a person
Azure Policy
Enforce standards and assess compliance across your organization no matter who you are; evaluates all resources in Azure and Arc-enabled resources.
Azure Role Based Access Control (RBAC)
Manages who has access to Azure resources, what they can do with those resources, and what areas they can access.
Data Catalog
Find relevant data using a search experience with filters based on various lenses like glossary terms, classifications, sensitivity labels, and more
Data Estate Insights
Gives a bird’s-eye view and an at-a-glance understanding of what data is actively scanned, where sensitive data is, and how it moves.
Data Map
Scans registered data sources to capture metadata about enterprise data and to identify and classify sensitive data.
Authentication (AuthN)
Process of proving that a person is who they claim to be.
Authorization (AuthZ)
What that person can see and touch and where they can go (Permissions).
Identity
Set of things that define or characterize someone or something. (Username and password)
4 Pillars:
Administration – creation and management/governance of identities for users, devices, and services
Authentication – sufficient proof that you are who you claim to be
Authorization – level of access granted to entity
Auditing – tracking of who does what, when, where, and how (in-depth reporting)
Identity Provider
Creates, maintains, and manages identities while providing authentication, authorization, and auditing.
Active Directory
Stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights.
Federation
Enables access to services across organizational or domain boundaries by establishing trust relationships between the respective domains’ identity providers.
Azure AD Free
You can administer users, create groups, sync with on-premises AD, create basic reports, configure self-service passwords, and enable single sign-on.
Office 365 Apps
Everything from Free plus self-service password reset and device writeback (two-way access with on-premises AD).
Azure AD Premium 1
Everything from Free and Office 365 plus advanced admin, dynamic groups, self-service group management, Microsoft IAM, and cloud writeback.
Azure AD Premium 2
All of the above plus Azure AD Identity Protection (risk-based conditional access to apps) and Privileged Identity Management (discover, restrict, and monitor admins and their access).
Users
Representations of something that is managed in Azure (employees, guests).
Service Principal
Identity for an application; registering it with Azure AD enables AuthN and AuthZ.
Managed Identities
Type of service principal that is automatically managed in Azure AD. Eliminates the need for developers to manage credentials.
System Assigned Identity
Created when you enable a managed identity on a service instance. Tied to the resource’s lifecycle and deleted when the resource is deleted.
User Assigned Identity
Managed as a standalone resource; can be assigned to one or more instances of a service.
Azure AD Registered Devices
Provides users with support for bring your own device (BYOD) or mobile device.
Azure AD Joined
Device joined to Azure AD through an organizational account, which is then used to sign into the device. Azure AD joined devices are generally owned by the organization
Hybrid Azure AD Joined
Existing on-premises Active Directory implementations can benefit from the functionality provided by Azure AD. The devices are joined to your on-premises Active Directory and Azure AD, requiring an organizational account to sign into the device.
External Identities
Set of capabilities that enable organizations to allow access to external users, such as customers or partners
B2B
Allows you to share your organization’s applications and services with guest users from other organizations, while maintaining control over your own data
B2C
Customer identity access management (CIAM) solution that allows external users to sign in with their preferred social, enterprise, or local account identities.
Hybrid Identity
Identity solutions that span on-premises and cloud-based capabilities and create a common user identity for authentication and authorization to all resources, regardless of location.
Azure AD Password hash synchronization
Simplest way to enable authentication for on-premises directory objects in Azure AD
Azure AD pass-through authentication
Allows users to sign into both on-premises and cloud-based applications using the same passwords
Federated authentication
Azure AD hands off the authentication process to a separate trusted authentication system, to validate the user’s password
Windows Hello
Replaces passwords with strong two-factor authentication on devices: a key or certificate tied to a device plus something the person knows (a PIN) or something the person is (biometrics).
FIDO2
Open standard for passwordless authentication that uses an external security key or a platform key built into a device.
Azure AD Password Protection
Detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.
Protecting against password spray
Password spray attacks submit only a few of the known weakest passwords against each of the accounts in an enterprise
Hybrid security
A component installed in the on-premises environment receives the global banned password list and custom password protection policies from Azure AD.
Conditional Access
Policies that provide an extra layer of security before allowing authenticated users to access data or other assets.
Conditional Access Signals
User or group membership, named location, device, application, real-time sign-in risk detection, cloud apps or actions, user risk
Access Controls
Decisions to grant access, block access, or require extra verification (MFA, compliant device or app, etc.)
Session controls
Enable limited experiences within specific cloud apps (blocking copy, paste, cut, print, etc.)
Built-in Roles
Pre-configured and cannot be altered in any way (Global Admin, User Admin, Billing Admin)
Custom Roles
Allows you to choose permissions from a list of available permissions in the system
Scope
Set of Azure AD resources the role member has access to.
Azure AD Specific
Grant permissions to manage resources within Azure AD only
Azure AD Service Specific
For major Microsoft 365 services, Azure AD has built-in roles that grant permissions to manage those services
Azure AD Cross Service
Roles that span across services like security admin and compliance admin
Azure AD RBAC
Control access to Azure AD resources like groups, users, and apps
Azure RBAC
Control access to Azure resources like virtual machines or storage
Identity Governance
Gives the ability to control the identity lifecycle, access lifecycle, and secure privileged access for admins
Identity Lifecycle
No access (pre-employment), Join (hired), Move (role change), Leave (retirement). Access is updated to what the user needs at each point in the journey.
Privileged Access Lifecycle
Monitoring of admin access to reduce the risk of misuse
Entitlement Management
Enables managing identity and access at scale by automating access request workflows, access assignments, reviews, and expirations
Challenges when managing employee access to resources
Access for external users
Internal users do not know what access they need
Getting approval for access
Holding access for longer than needed
Capabilities to address these challenges
Delegate to non-admins
Users can be invited into the directory and removed automatically
Access Reviews
Enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment
Terms of use
Relevant disclaimers that are presented to users prior to access
Conditional Access
Requires users to accept terms of use prior to gaining access
Privileged Identity Management (PIM)
Enables you to manage, control, and monitor access to important resources
Security information and event management (SIEM)
Identity protection tool like Microsoft Sentinel
Sign-in Risks Detected by Azure AD
Anonymous IP address
Atypical travel
Malware-linked IP address
Unfamiliar sign-in properties
Password spray
Azure AD threat intelligence
User Risks Detected by Azure AD
Leaked credentials
Azure AD threat intelligence
Azure Identity Protection reports
Risky users, risky sign-ins, risk detections
Distributed Denial of Service (DDoS)
Purpose is to overwhelm the resources of your apps and services making them slow and unresponsive
Volumetric attacks
Flood the network with seemingly legitimate traffic, overwhelming the available bandwidth.
Protocol attacks
Render a target inaccessible by exhausting server resources with false protocol requests that exploit weaknesses in layer 3 (network) and layer 4 (transport) protocols.
Resource (application) layer attacks
Target web application packets, to disrupt the transmission of data between hosts.
Azure DDoS Protection
Designed to protect apps and servers by analyzing network traffic and discarding anything that looks like a DDoS attack
Always on
Azure Firewall
Managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers
Azure Firewall Features
Built-in high availability and availability zones
Network and application-level filtering
Outbound SNAT and inbound DNAT to communicate with internet resources
Multiple public IP addresses
Threat intelligence
Integration with Azure Monitor
Web Application Firewall (WAF)
Centralized protection of your web applications from common exploits and vulnerabilities
Azure Virtual Network (VNet)
Fundamental building block for your organization’s private network in Azure.
Network security groups (NSGs)
Allow you to filter network traffic to and from Azure resources in an Azure virtual network
Inbound & Outbound Security Rules
Evaluated by priority using five information points (source, source port, destination, destination port, and protocol) to either allow or deny the traffic
Cannot be removed but can be overridden by new rules with higher priority
NSG Rule Properties
Name: unique name that describes its purpose
Priority: order, with lower numbers processed before higher numbers
Source or destination
Protocol
Direction: in or out
Port range
Action
Azure Bastion
Service you deploy that lets you connect to a virtual machine using your browser and the Azure portal
Just in Time Access (JIT)
Locks down inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed
Requires Microsoft Defender for Servers to be enabled
Bastion Features
RDP and SSH directly in the Azure portal
Remote session over TLS and firewall traversal for RDP/SSH
No Public IP required on the Azure VM
No hassle of managing NSGs
Protection against port scanning
Hardening in one place to protect against zero-day exploits
Azure Storage Service Encryption
Protects data at rest by automatically encrypting it and decrypts the data before retrieval
Azure Disk Encryption
Encrypt Windows and Linux IaaS virtual machine disks (BitLocker)
Transparent Data Encryption (TDE)
Real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application
Azure Key Vault
Centralized cloud service for storing your application secrets
Cloud security posture management (CSPM)
New class of tools designed to assess systems automatically and alert IT if a vulnerability is found
Microsoft Defender for Cloud
Tool for threat protection and security posture management that protects workloads running in Azure, hybrid, and other cloud platforms by continuously assessing, securing, and defending them
Cloud Workload Protection (CWP)
Detect and resolve threats to resources, workloads, and services
Defender for Cloud Free
Provides the secure score and its related features: security policy, continuous security assessment, and actionable security recommendations
Defender for Cloud Enhanced Security
Extends the capabilities of the free mode to workloads running in Azure, hybrid, and other cloud platforms, providing unified security management and threat protection across your workloads
Defender Enhanced Security Features:
Comprehensive endpoint detection and response.
Vulnerability scanning for virtual machines, container registries, and SQL resources
Multi-cloud security
Hybrid security
Threat protection alerts
Track compliance with a range of standards
Access and application controls
Azure Security Benchmark (ASB)
Provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure (very similar to the CCM)
Security Baselines for Azure
Provide organizations a consistent experience when securing their environment through improved tooling, tracking, and security features
Security information and event management (SIEM)
Tool that collects data from across the whole estate, including infrastructure, software, and resources, analyzes it, looks for correlations or anomalies, and generates alerts and incidents
Security orchestration, automation, and response (SOAR)
Takes the alerts and triggers action-driven automated workflows and processes to run security tasks and mitigate issues
Sentinel
Single solution for alert detection, threat visibility, proactive hunting, and threat response.
End-to-end functionality of Microsoft Sentinel
Collect
Detect
Investigate
Respond
Capacity Reservations
You’re billed a fixed fee based on the selected tier, enabling a predictable total cost for Microsoft Sentinel
Pay-As-You-Go
You’re billed per gigabyte (GB) for the volume of data ingested for analysis in Microsoft Sentinel and stored in the Azure Monitor Log Analytics workspace.
365 Defender
Enterprise defense suite that protects against sophisticated cyberattacks by natively coordinating the detection, prevention, investigation, and response to threats across endpoints, identities, email, and applications
Defender for Office 365
Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools
Defender for Office 365 key areas of coverage
Threat protection policies
Reports
Threat investigation and response capabilities
Automated investigation and response capabilities
Defender for Endpoint
Platform designed to help enterprise networks protect endpoints by preventing, detecting, investigating, and responding to advanced threats. The technology is built into Windows 10 and Microsoft cloud services.
Defender for Endpoint includes
Threat and vulnerability management
Attack surface reduction
Next-generation protection
Endpoint detection and response
Automated investigation and remediation
Microsoft Threat Experts
Management and APIs
Defender for cloud
Comprehensive cross-SaaS solution that operates as an intermediary or CASB between a cloud user and the cloud provider
Cloud Access Security Broker (CASB)
Gatekeeper to broker real-time access between your enterprise users and the cloud resources they use at all times and on any device
Defender for cloud Four Pillars
Visibility
Threat Protection
Data Security
Compliance
Defender for cloud Framework
Discover and control the use of Shadow IT
Protect against cyberthreats and anomalies
Protect your sensitive information anywhere in the cloud
Assess your cloud apps’ compliance
Defender for Cloud Features and Functionality
Cloud Discovery
Sanctioning and un-sanctioning apps
App Connectors
Conditional Access Policies
Defender for Identity
Uses on-premises Active Directory data to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions
Defender Portal
Natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks
Must be assigned the appropriate role to access the Portal
Hunting
Query-based threat-hunting tool that lets security professionals explore up to 30 days of raw data
Threat Analytics
Threat intelligence solution from expert Microsoft security researchers
Secure Score
Represents a company’s security posture
Learning Hub
Official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at docs.microsoft.com
Reports
General security report that branches into specific reports about endpoints and email & collaboration
Service Trust Portal
Provides information, tools, and other resources about Microsoft security, privacy, and compliance practices
Trust Portal Provides Access to
Compliance Manager
Trust Documents
Industries & Regions
Trust Center
Resources
My Library
More (Global admin only)
Privacy Principles
Control
Transparency
Security
Strong legal protection
No content-based targeting
Benefits to you
Priva
Microsoft’s way of assisting customers with privacy, using a privacy-by-default stance
Purview Compliance Portal
Tools and data that are needed to help understand and manage an organization’s compliance needs
Requires the Global Admin, Compliance Admin, or Compliance Data Admin role to access
Compliance Manager
Feature of Purview that helps with compliance requirements by inventorying risks, managing controls, and staying current with regulations and certifications
Compliance Manager Key Elements
Controls - requirement of a regulation, standard, or policy that defines how to assess and manage compliance with it
Assessments - grouping of controls from a specific regulation, standard, or policy
Templates - help admins to quickly create assessments, can be modified for specific needs
Improvement Actions - centralize compliance activities, recommended guidance to align with data protection regulations and standards
Benefits of Compliance Manager
Translating complicated regulations, standards, company policies, or other control frameworks
Providing access to a large variety of out-of-the-box assessments and custom assessments
Mapping regulatory controls against recommended improvement actions
Providing step-by-step guidance on how to implement the solutions
Helping admins and users to prioritize actions that will have the highest impact
Use and Benefits of Compliance Score
Measures progress in completing recommended improvement actions within controls
Understand current compliance posture
Prioritize actions based on their potential to reduce risk
Purview Data Lifecycle Management
Import, store, and classify business-critical data so you can keep what you need and delete what you don’t
Know your data
Understand data landscape and identify important data across on-premises, cloud, and hybrid environments
Protect your data
Apply flexible protection actions including encryption, access restrictions, and visual markings
Prevent data loss
Detect risky behavior and prevent accidental oversharing of sensitive information
Govern your data
Automatically keep, delete, and store data and records in a compliant manner
Three ways to identify items for classification:
Manually, pattern recognition, machine learning
Sensitivity Labels
Add a layer of security that is used to determine what can be done with the content
Label Policies
Publish labels for use by groups or users
Endpoint Data Loss Prevention
Extends activity monitoring and protection to items that are physically stored on endpoint devices
Data loss prevention in Microsoft Teams
Administrators can define policies that prevent users from sharing sensitive information in a Teams chat session or channel, whether in a message, or a file
Retention Label and Policies
Help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted
Records Management
Solution to manage regulatory, legal, and business-critical records across corporate data
Records Management Features
Labeling content as a record.
Establishing retention and deletion policies within the record label
Triggering event-based retention.
Reviewing and validating disposition.
Proof of records deletion.
Exporting information about disposed items.
Insider Risk Management
Helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities.
Insider risk management workflow
Identify, investigate, and address internal risks using policy templates, comprehensive activity signaling across Microsoft 365, and a flexible workflow
Insider risk management is centered around
Transparency
Configurability
Integrated
Actionable
Communication Compliance
Helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages
Information Barriers
Policies that admins can configure to prevent individuals or groups from communicating with each other
Can only be used as a two-way solution; cannot block in one direction only
eDiscovery Solutions in Purview
Identifying and delivering electronic information that can be used as evidence in legal cases
Three Levels of eDiscovery Solutions
Content Search - tool to search for content across Microsoft 365 data sources and then export the search results to a local computer
eDiscovery (Standard) - all of the above plus the ability to create eDiscovery cases and assign eDiscovery managers to specific cases
eDiscovery (Premium) - all of the above plus an end-to-end workflow to identify, preserve, collect, review, analyze, and export content that’s responsive to your organization’s internal and external investigations
Audit Solutions in Purview
Help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations
Audit Standard
Ability to log and search for audited activities and power your forensic, IT, compliance, and legal investigations. On by default for all orgs
Audit Premium
Builds on Standard with audit log retention policies and longer retention of audit records, audit records for high-value crucial events to help investigate possible security or compliance breaches and determine the scope of compromise, and higher bandwidth to access audit logs
Azure Policy Triggers
A resource has been created, deleted, or updated in scope with a policy assignment.
A policy or an initiative is newly assigned to a scope.
A policy or an initiative that’s been assigned to a scope is updated.
The standard compliance evaluation cycle (happens once every 24 hours)
Azure Blueprints
Way to define a repeatable set of Azure resources, for rapid deployment and provisioning of new environments
Microsoft Purview
Unified data governance service that helps organizations manage and govern their on-premises, multi-cloud, and software-as-a-service (SaaS) data. With Microsoft Purview, organizations can create a holistic, up-to-date map of the organization’s data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.