Module 9 Flashcards

Question

What are the key points/features of Azure Security Center

Answer 1

- Provides recommendations based on your configurations, resources and networks - Monitor security settings on-prem + cloud, auto apply security to services coming online - Continiously monitor security settings, perform auto assesments to identify vunrabilities before exploit - Uses machine learning to detect/block the install of malware on VMs, can define a list of validated apps to ensure only those apps can be executed - Analyse/Identify any potential inbound attacks + help investigate threats and carry out any post breach activity - Provide JIT access control for ports, reducing attack surface ensuing network only allows required traffic

Answer 2

Azure Security Centre is part of CIS (center for Internet Security) recommendations

Answer 3

- Free - As part of Azure subscription, limited to assessments + recommendations for Azure resources only - Standard - Full suite of security related services including continuous monitoring, threat detection, JIT access for ports and more

Answer 4

Access a 30 day trial of standard tier from within the Azure Security Centre dashboard

Answer 5

Azure Security Center standard tier is $15 per node per month

Answer 6

To reduce cost/damage you should have incident response plan before an attack

Answer 7

Many Organisations only learn to respond after suffering an attack.

Answer 8

Detect Assess Diagnose

Answer 9

- Detect - Review 1st indication of an event investigation (e.g. use security center dashboard to review initial verification that high-priority security alert was raised)

Answer 10

Access - Perform initial assessment to obtain more information re suspect activity (e.g. obtain more information about the alert)

Answer 11

Diagnose - Conduct technical investigation and identify containment, mitigation, workround stratergies (e.g. follow remediation steps described by security centre for alert)

Answer 12

- Reduce chances of security event by configuring security policy then implement recommendations by security center - Security policy defines a set of controls recommended for resources within subscription or resource group - define policies according to companies security requirements - Security Centre analyzes state of Azure resources, when potential vulnerabilities are identified it creates recommendations based on controls set in security policy. - Recommendations guide you through config of security controls (E.G. Workloads that do not require SQL to use TDE, recommendation turn of at subscription level and enable it on resources where it is required)

Answer 13

Network perimeters have become increasingly porous with BYOD, mobile Apps and Cloud Apps. Identity has become new primary security boundary

Answer 14

*Identity has become new primary security boundary so proper authentication, assignment of privileges is critical to maintaining control of your data.* **Authentication and Authorization - Two fundamental concepts**

Answer 15

- Process of establishing the identity of person or service - Involves challenging for legitimate credentials, provides the basis for creating a security principal for identity and access control. - *Establishes if they are who they say they are.*

Answer 16

- Process of establishing level of access for a person or service - Specifies what data they can access and what they can do with it.

Answer 17

Azure Active Directory

Answer 18

- Cloud based identity service, supports syncing to on-prem AD or can act standalone - All Apps - Onprem, cloud and mobile can use same credentials - Admins/Devs control data to internal and external data/apps using centralized roles and policies configured in Azure AD

Answer 19

``` Authentication SSO App Management B2B Identity Services B2C Identity Services Device Management ```

Answer 20

- Verifying ID to access apps and resources - Provides SSO, MFA and Custom banned password list - Smart lockout devices - functionality.

Answer 21

- Enables user to remember one ID and password - Simplifies security model - As users change roles/leave modifications are only made to one identity, reducing effort to change or disable accounts

Answer 22

Manage cloud and on prem apps using Azure AD application proxy, SSO, the MyApps portal (AKA Access Panel) and SaaS apps

Answer 23

Manage Guest/External partners maintaining control over data

Answer 24

Customize/control users signup/sign in + manage profile within Apps and Services

Answer 25

Manage how cloud/on prem devices access your corporate data

Answer 26

- More Ids to manage means a greater risk of security related incident - More IDs = More passwords and more password policies, increasing difficult for user - Harder logistics to manage passwords and more strain on help desks - Challenging to track down all accounts when someone leaves - Single sign on reduces all this, only remember ine ID and Password, modifications need only be made to One ID

Answer 27

- Using Azure Ad for SSO, able to combine multiple data sources into intelligent security graph, enabling threat analysis and real time identity protection to all Azure AD accounts including those sync'd from Azure AD - Centralised ID provider gives centralised Security Controls, Reporting, alerting and admin of identity infrastructure.

Answer 28

- Provides additional security by requiring 2 or more elements for full authentication. - *Something you...Know(P/WD or Security Question), Posess (Mobile App or Token) and Are (Biometric).* - Increases security by limiting impact of credential exposure, an attacker would need to possess multiple factors of AuthN to authenitcate - Benefits are huge - Azure AD has MFA capabilities and will intergrate with 3rd party MFA providers - MFA should be used for global admin accounts and can be used for all accounts.

Answer 29

- Valuable for services to have ID's, often credentials are embedded into config files which is against best practice, with no security around config files - anyone with system access can get credentials - Azure AD addresses this problem with 2 methods (Service Principals and Managed Identities)

Answer 30

- **Identitiy - thing that can be Authenticated (i.e a user with username and password)** - **Principal - Identity acting with certain roles or claims.** - **Usually not helpful to consider identity and principal seperately - think of SUDO or "Run as Administrator" - where you are still logged in as the same person but with a role change** N.B. Groups are often considered principals.

Answer 31

Identity used by service or application?

Answer 32

- Creation of service principals can be tedious, lots of touch points making maintaining difficult - Managed Identities for Azure Services is much easier and does much of work for you - A managed ID can be instantly created for any azure service supporting it - When you create, you create account on your Orgs AD (a specific Orgs AD instance is known as an AD tenant) - Azure Infrastructure will take care of AuthN for the Service + managing the account - Use account like any other Azure AD account incl; allowing AuthN service secure access of other Azure Services

Answer 33

Roles are sets of permissions (read-only, contributor etc) that users can be granted access on Azure Service instance

Answer 34

IDs mapped to roles directly, through group membership, separate security principals, access permissions and resources provides simple access management and fine grained control.

Answer 35

Roles can be granted at individual service instance level, but also flow down Azure Resource Manager Hierarchy - i.e. Roles at higher scope(s) are inherited by child scopes. - Management Group - Subscription - Resource Group - Resource

Answer 36

Privileged ID Management provides overview of role assignments, self service and JIT role activation Azure AD and Azure Resource Access reviews

Answer 37

Azure AD Privileged Identity management (PIM) is additional paid for offering

Answer 38

Data is the most valuable and irreplaceable asset

Answer 39

Encryption

Answer 40

- Process of making data unreadable/unusable to un AuthZ users - To use of read encrypted data it must be decrypted requiring a secret kep - Two top level types of encryption → Symmetric and Asymmetric

Answer 41

**Symmetric Encryption → Uses same key to encrypt and decrypt data** **Asymmetric Encryption → Uses Public and Private Key pair, either key can encrypt but a single key can't decrypt it's own encrypted data.** To decrypt you need the paired key, used for things like TLS (Transport Layer Security) used in HTTPs + Data signing

Answer 42

Encryption at Rest | Encryption in Transit

Answer 43

- Data at rest has been stored on physical medium, could be disk of server, or in DB or in a storage account. - Regardless of storage method encryption ensures the data at rest is in unreadable when stored without the keys and secrets need to decrypt - If attacker got HDD of encrypted data the attacker could not compromise without great effort.

Answer 44

- Data in transit is actively moving from one location to another, such as across internet or private network - Secure transmission can be handled by different layers, it could be done via the App layer prior to sending over the network (e.g. HTTPs is app layer encryption in transit encryption) you could also setup a secure channel like a VPN at the network layer to transmit data between 2 systems - Encrypting data in transit protects from outside observers and privdes a mechanism to transmit data while limiting the risk of exposure.

Answer 45

- Azure storage service Encryption - Auto Encrypts data before persisting it to Azure Managed disks, blob storage, Azure files, Azure Queue storage and decrypts before retrieval. - This whole process **(Encrypting - Encrypted - Decyption - Key management)** is transparent to Apps.

Answer 46

Leverages bitlocker or dm-crypt to provide volume encryption for OS and data disks

Answer 47

Integrated into Azure key vault to help control and manage encryption keys and secrets (and you can use managed service identities for access to key vault)

Answer 48

- TDE helps protect Azure SQL DB and AZure Data warehouse | - Performs real time encryption/decryption of database, backups and log files at rest with no app changes.

Answer 49

Yes, TDE is auto enabled

Answer 50

- Encrypts storage of entire DB using symmetric key (DEK) - Azure provides unique encryption key per logical SQL Server instance - BYOK is supported with keys stored in Azure Key vault.

Answer 51

Azure Key Vault

Answer 52

Azure Key Vault is a centralised cloud service for storing app secrets

Answer 53

Helps control by keeping secrest in a single, central location, providing secure access, permission control and access logging capabilitites

Answer 54

- USAGE: Secrets Management - Securely store tightly controlled secrets - USAGE: Key Management - Makes it easier to create/control encryption keys - USAGE: Certificate Management - Provision, manage, deploy public and private keys (SSL/TLS) for your Azure and internally connected resources more easily.

Answer 55

Store Secrets backed by Hardware security modules (HSMs), Secrets and keys can be protected either by Software or FIPS 140.2 Level 2 validated HSMs

Answer 56

- Centralised application secrets, controlled distribution with less chance of being leaked - Securely stored secrets/keys using industry standard algorithms - Monitor Access and Use - you can monitor and control access to secrets - Simplified admin - easier to enroll and renew certs from CAs, you can scale up and replicate in content within regions and use standard management tools - Integrate with other Azure Services, i.e. Storage accounts, container registries, event hubs and more - Because Azure ADs can be granted access to azure key vault secrets, application with managed service IDs enabled can Auto/seamlessly get the secrets they need.

Answer 57

- Certificates in Azure are "x.509 v3" - signed by Trusted CA or Self Signed - Self Signed= Signed by creator, should only be used for Test and Dev, not trusted by default but most browsers can ignore this problem

Answer 58

Public or Private Key and Thumbprint

Answer 59

Thumbprint to identify certificate in unambiguous way, Thumbprint used in Azure config file to Identify which certificate a cloud service should use.

Answer 60

- In Azure certificates are for two primary purposes and are given a specific designation based on their intended use. - These are Service (Used for cloud services) and Management Certificates (used for AuthN with management API)

Answer 61

Attached to cloud services and enable secure comms to and from that service (i.e. if you deploy a website you would supply a certficate that can AuthN an exposed HTTPs endpoint) N.B. Service certs defined in service definition, are auto deployed to VM running an instance of your role.

Answer 62

Upload via Azure Portal or classic deployment model

Answer 63

- Can be managed separately from services by different people (e.g. a developer could upload a service package that refers to a certificate that an IT Manager has previously uploaded to Azure.) - Updating without service package is possible - store name and location of cert is in service definition file, whilst thumbprint is in service configuration file. So it is only necessary to upload new cert and change the thumbprint value.

Answer 64

- Allow you to AuthN with classic deployment model - Many programs and tools (Visual Studio/Azure SDK) use these certs to automate the config/deployment of various Azure services, however these certs are not related to cloud services

Answer 65

- Create certificates in key vault or import existing. - Securely store/manage certs without interaction of private key material. - Create policy directly in key vault to manage lifecycle of cert - Provide contact into for notification of lifecycle events (expiry, renewal) - Auto renew with selected issuers, key vault partner x509 certificate providers/authority

Answer 66

Automating certificate management helps reduce or eliminate the error prone task of manual certificate management.

Answer 67

A layered approach to network security - Not enough to secure network preimeter or focus on network security between services inside network - Layered approach brings multiple levels of protection - if attacker gets through core layer further protections are in place.

Answer 68

Start by assessing internet facing resoirces, only allows inbound/outbound comms where necessary. - Identify all resources that allow inbound network traffic of any type and ensure they are restricted to only ports and protocals required

Answer 69

Azure Sercurity center is a good starting point, it will Identify any internet facing resources that don't have associated NSGs and resources not secured behind a firewall

Answer 70

- Service that grants server access based on originating IP of request - Create firewall rules that specify ranges of IP addresses, also generally include a specific network protocol or port info

Answer 71

Azure Firewall | Azure Application Gateway

Answer 72

- Managed, cloud based, network security service to protect Azure vNet resources - Fully stateful firewall as a Service, built in HA and unrestricted cloud scalability. - Provides inbound protection for non HTTP/S protocols (RDP, SSH, FTP) and outbound network level protection for all ports and protocols. And application level protection for outbound HTTP/S.

Answer 73

- Load balancer that includes a Web application Firewall (WAF) - Providing protection from common known vunrabilities in websites, designed to protect HTTP traffic

Answer 74

Ideal for non-http services or advanced configs - similar to H/W firewall applicances

Answer 75

Attempt to overwhelm resource by sending many requests to make resource slow or unresponsive

Answer 76

Combining Azure DDoS protection with application best practices can help defend against DDoS attack.

Answer 77

- DDoS protection leverages scales and elasticity of MS global network to bring DDoS mitigation capacity to every azure region. - Azure DDoS protection protects apps by monitoring traffic at azure network edge before it can impact service availability. - Notifies you within minutes of attack using Azure Monitor metrics

Answer 78

Basic | Standard

Answer 79

- Auto Enabled - Always on traffic monitor + real time mitigation of common network level attacks - Same defenses MS services use. - Azure Global network used to distribute and mitigate attack traffic acrros regions

Answer 80

- Additional mitigation capability tuned for MS azure vNet resources. - Simple to enable - no app changes required. - Protection policies tuned through dedicated traffic monitoring and ML algorithms - Policies are applied to public IPs associated with resources deployed in vNets, such as Azure Load balancer and Application gateway.

Answer 81

- Volumetric Attack - flood network layer with substantial amount of seemingly genuine traffic - Protocol Attack - Render targer inaccessible bu exploiting weakness in layer 3 and 4 of protocol stack - Resource (App) layer attack - Attacks target web application packets to disrupt transmission of data between hosts.

Answer 82

Network Security Groups (NSGs)

Answer 83

- NSGs allow filter of network traffic to and from Azure resources in Azure vNet - NSG can contain multiple inbound and outbound security rules, enable filtration of traffic to and from resources by source and destination IP address, port, protocol, provide list of allows and denies comms to and from network interfaces. - Subnets are fully customizable - Can completely remove public internet access by restricting access to services endpoints - With service endpoints, Azure service access can be limited to your vNet.

Answer 84

VPN Connection | Express Route

Answer 85

Connecting between Azure vNet and on-prem VPN is a great way to achieve secure comms between your network and Azure vNet.

Answer 86

Lets you extend your network into MS cloud with a private connection facilitated by a connectivity provider - Can establish connection to MS cloud services (Azure, Office 365, Dynamics 365) - Improve Security by sending over private circuit instead of public internet. - Dont need allow access to these services for end users over public internet. - Send this traffic through appliances for further inspection

Answer 87

Microsoft Azure Information Protection

Answer 88

Microsoft Azure Information Protection (AIP) = Cloud based solution to: - Classify and optionally protect documents and emails by applying labels - Labels can be applied Automatically based on rules/conditions or can be applied manually - Guide users to choose labels with a combination of Automatic and manual stpes.

Answer 89

- Analyse data flows to gain business insight - Detect risky behaviour and take corrective measures - Track access to documents - Prevent data leakage or misuse of confidential info

Answer 90

- Analyse data flows to gain business insight - Detect risky behaviour and take corrective measures - Track access to documents - Prevent data leakage or misuse of confidential info

Answer 91

Azure Advanced Threat Protection (ATP) is a cloud based solution to identify, detect and help investigate: Advanced Threats, Compromised IDs and Malicious Insider actions

Answer 92

- ATP is capable of detecting known malicious attacks, techniques + security issues and risks against your network.

Answer 93

ATP Portal ATP Sensor ATP Cloud Service

Answer 94

- Own portal to monitor and respond to suspicious activity - Create ATP instance, view data from ATP sensors - Monitor/Manage/Investigate threats in your network environment - Use → portal.atp.azure.com - User accounts must be assigned to Azure AD Security group with access to azure atp portal.

Answer 95

- Installed directly on your domain controllers | - Monitors domain controller traffic without requirement for dedicate server or configuration of port monitoring

Answer 96

- Runs on Azure Infrastructure - Currently deployed in US, Europe and Asia - Connected to MS intelligent security graph.

Answer 97

- Azure ATP part of Enterprise Mobility + Security E5 Suite (EMS E5) - Also available as stand alone license - Acquire license from Enterprise Mobiltiy + Security pricing options page, or through cloud solution provider licensing model. - Not available to purchase via Azure Portal

Answer 98

- SDL (MS Security Development Lifecycle) introduces security and privacy considerations throughout all phases of developement process. - Helps developers build highly secure software, address security compliance requirements and reduce development costs. - The guidance, tools, best practices, processes in the SDL are used internal at Microsoft

Answer 99

- SDL first shared in 2008 and have been continiously updated to cover new scenarios such as Cloud, IOT and ML.

Answer 100

- All must know how to build security into software, services, whilst still addressing business needs + delivering user value. - Training will complement + reinforce security policies - Whilst security is everyones job, not everyone needs to be an expert, but ensuring everyone understands the attackers perspective, goals and the art of the possible will raise the collective knowledge bar.

Answer 101

- Regardless of development methodology, security requirements must be updated continuously to address functionality changes + changes in threat landscape.

Answer 102

- Optimal time to define security requirements is during initial design/planning stage, early planning allows dev team to intergrate security in ways that minimize disruption.

Answer 103

- Legal and Industry requirements, Internal standards and coding practices, review of previous incidents, known threats.

Answer 104

- Requirements should be tracked through a system or telemetry derived from the engineering pipeline.

Answer 105

- Defining expectations early helps team understand risks and identify/fix security defects during development + apply standards through out project - Setting a meaningful bar involves clearly defining severity thresholds of security vulnerabilities and helps establish plan of action when vulnerabilities encountered (e.g all known vunrabilities with critical/important severity must be fixed within a certain time frame)

Answer 106

To track these KPIs and ensure security risks are completed, bug and/or work tracking mechanisms (such as Azure DevOps) should allow for security defects/work to be clearly labelled as such.

Answer 107

- Allows team to consider, document, discuss the security implication of designs in context of planned ops environment. - Applying this structured approach to threat scenerios allows more effective less expsensive identifications of security vunrabilities. - Determine risk from those threats to make security feature recommendations + establish appropriate mitigations - Apply at component/app/system level.

Answer 108

To achieve this assurance, technologies such as "cryptography" and "AuthN" and "logging" are typically used

Answer 109

- In some cases selecting/implementing security features has proven to be complex and thus leading to further vunrabilities, therefore it is vital security features are applied consistantly with a consisten understanding of the protection they provide.

Answer 110

Encryption

Answer 111

- Making an incorrect choice when using any aspect of cryptography can be catastrophic - Best to develop clear encryption standads that provide specifics on every element of encryption implementation. - Encryption should be left to experts so only use industry vetted encryption libraries. - Implement encryption that allows for easy replacement.

Answer 112

- Have an accurate inventory of these components + a plan to respond t new vunrabilites - Consider additional validation depending on organisations risk tollerance + type of component being used + potential impact of security vulnerability. Use Approved Tools - Define and Publish a list of approved tools - Engineers should strive to use the latest version of these tools (such as compiler versions)

Answer 113

- Analysing source code prior to compilation provides highly scalable method of security code review, also enables source code polices to be followed - Static Analysis Security Testing (SAST) is typically integrated into commit pipeline to identify vulnerabilities each time the software is built or packaged. - Some offerings intergrate development environment to spot flaws such as banned or unsafe functions and replicae whilst the developer is coding - No one size fits all approach.

Answer 114

- Performing runtime verification of your fully complied or packaged software, checks functionality that is only apparent when all components are intergrated and running - Typically achieved using a tool, a suite of pre-built attacks or tools that specifically monitor app behaviour for memory corruption, user privacy issues and other critical security problems - Again no one size fits all aproach

Answer 115

- Security Analysis of software system by skilled professional who simulates tha action of a hacker - Objective to uncover potential threats from code errors, sys config faults or other deployment weaknessess - Typically pen testing finds broadest variety of vulnerabilities and is used in conjunction with auto/manual code reviews.

Answer 116

- Incident response plan is crucial for addressing new threats that can emerge over time

Answer 117

- Who to contact in case of security emergency - Establish protocol for security servicing - Be tested before it's needed

Answer 118

...reduce likelihood of vunerabilities in products and services and avoid making some security mistakes

Answer 119

...less time and cost spent on triage after the fact.

Answer 120

- Think about security as multi ____ and multi _____ concern.

Answer 121

- Azure has out the box help, first steps is assess how much help we can used based on what we are using (i.e. PaaS, SaaS, IaaS)

Answer 122

Azure Security center centralises much help that Azure can offer, providing single dashboard with view into many of your services, it helps make sure you are following best practices.

Module 9 Flashcards

(146 cards)