SC-900 Flashcards
Zero trust
Assume everything behind the firewall is unsafe
Zero trust principles
- Verify explicitly
- Use least privileged access
- Assume breach
How can you validate identity and authorization
- User ID and password
- Multifactor authentication (code from another app)
- Limit access to certain geographic locations
- Check device they are using
JIT
Just In Time
- Temporary permissions that will expire after a certain amount of time
JEA
Just Enough Access
- Different people have different levels of access, e.g. some read only or only access to certain files
Security inside network
Encryption - application to application communication should be in an encrypted channel
Segmentation - break the network into segments and make sure authentication is properly set on each segment
Threat detection - active and intelligent threat detection, for example machine learning and AI technologies to detect suspicious behaviours
On Premises (On-Prem) responsibility
- If you have your own servers you have all the responsibility of securing it
IaaS
Infrastructure as a Service
- where you can rent servers for a period of time
IaaS responsibility
- when using a third party provider to host servers then third party provider is responsible for the physical location
- however you are still responsible for the OS, e.g. security updates, migrating to a new OS. Also responsible for the network, applications, identity and directory infrastructure, accounts, devices and information
PaaS
Platform as a Service
- Microsoft has the servers and you upload the code, settings and data, then Microsoft runs it
PaaS responsibility
- Microsoft responsible for physical location and the OS
- You are responsible for adding additional firewalls, your own application, data, devices and accounts
SaaS
Software as a Service
SaaS responsibility
- Microsoft responsible for physical location, OS, Network controls and the application
- You cannot change any underlying code but can grant user access and specific roles
- You are responsible for the data, devices and accounts
Common threats to security
Data breaches
Dictionary attack
Ransomware
Denial of service attacks
Entry point for data breaches
Phishing attack
Millions of emails are sent; a few recipients click the link and enter their details on a fake web page, so their details are stolen
Entry point for data breaches
Spear phishing
Target specific individuals for a specific purpose using phishing method
Entry point for data breaches
Tech support scam
Someone will call, email or message you to try to trick you into installing malware
Entry point for data breaches
SQL Injection
Programs that try to use your website or application to extract data in a way that is not authorized
- done by putting code into text fields in the hope that the website is misconfigured so the code will run
Entry point for data breaches
malware, trojans, viruses
Any system that tries to make you download malware, trojans or viruses
Dictionary attack
Attempting to brute-force entry into an account by guessing popular passwords
Ransomware
Locking a company from its computers and data resources and demanding a payment in exchange for the key
DoS Denial of service attack
A type of cyber attack in which a malicious actor aims to render a computer or other device unavailable to its intended users by interrupting the device's normal functioning
Asymmetric encryption
Anyone can use the public key to encrypt a message to you, then you use your private key to decrypt the message
Symmetric encryption
You use the same key for encryption and decryption
so both people must have the same key
AES
Advanced Encryption Standard
- most commonly used
- Symmetric
Hashing
A one-way function whose output can be used to verify that the original message has not been altered
DES
Data Encryption Standard
- considered too weak for use nowadays
- Symmetric
RSA
- encryption used by HTTPS and SSL
- asymmetric
Identity Provider
Username and password are sent to a third-party identity provider; if they are correct it will then send a security token to the client, which can be passed to the server and gives access to the client
ECC
- encryption used by bitcoin
- asymmetric
Authorization
Princ
SSO
Single Sign On