Lab Setup for SC-900 Microsoft Security, Compliance, and Identity Fundamentals


Types of attacks:

  • Phishing; the same malicious message sent to hundreds of people
  • Spear phishing; a malicious message designed to target a specific individual, which means the attacker has researched you first; the email appears to come from your boss, a colleague, family, etc
  • Password spray; try a few known weak passwords against many accounts across an organisation and see if any of them match
  • Ransomware; encrypts your files and asks for cash to unlock them
  • DDoS (Distributed Denial of Service); makes a service or application unavailable to its users. Azure DDoS Infrastructure Protection helps protect all Azure services; you can also use the IP Protection or the Network Protection packages
  • Cryptojacking; compromised computers are used to mine cryptocurrency for the attackers

Zero-Trust; the foundation pillars for Zero-Trust are Identities, Devices, Applications, Data, Infrastructure and Networks. The traditional network design that we have known for years and years is no longer applicable to a modern world immersed in cloud technologies. The firewall is still needed, of course, but it is not a valid perimeter anymore

Traditional Network Design

The corporate perimeter network has changed: with a mobile workforce in place we cannot trust any device, even those that belong to the company. There is no implicit trust granted to assets or user accounts based solely on their physical or network location, so don't trust a laptop or a user just because they belong to the company. The Zero-Trust model implies:

  • Verify Explicitly; we don't accept just a username and password, but also verify location, device, service, etc
  • Least Privilege Access; limit users to just-in-time and just-enough access
  • Assume Breach; segment access by network, user, device and application, using encryption to protect data and analytics to gain visibility

Defence in Depth; uses a layered approach to security, so that if one layer is breached a subsequent layer will prevent an attacker from getting access to the data

Encryption vs Hashing; encryption protects data with keys and the data needs to be decrypted to be used, while hashing is only meant to verify that data hasn't been altered; hashing is used to store passwords in a database, so that hashes are saved instead of plain-text passwords

Salting; means adding a random value known only to you to the input, for example for the password Get#This3 you can add the salt word 'YES' at the end of it, giving Get#This3YES

Identity Provider; rather than using a separate credential for each service, the identity provider (like Entra ID) provides single sign-on across many different devices and services. Federation is multiple Identity Providers that link to one another, so that you can sign in with Google, Microsoft, Apple, a work account and other Identity Providers

GRC Framework (Governance, Risk and Compliance); GRC is a structured way to align IT with business goals while managing risks and meeting all industry and governance regulations. Governance is a set of policies, procedures, rules and frameworks. Risk Management is the process of identifying, assessing and responding to threats. Compliance refers to the laws and regulations that the organisation must follow. See below some examples of security standards:

  • GDPR; the European data protection regulation
  • HIPAA; the standard for the medical industry
  • NIST; National Institute of Standards and Technology
  • PCI-DSS; the payment card industry data security standard

Microsoft Entra ID; it comes with 3 licenses: Free, Premium 1 and Premium 2. In addition, it has the following add-ons:

  1. Entra ID Governance; an advanced set of identity governance capabilities for P1 and P2 customers
  2. Entra Permissions Management; Cloud Infrastructure Entitlement Management (CIEM) provides comprehensive visibility into permissions across multicloud infrastructure (Amazon AWS, etc)
  3. Entra Workload ID Premium; it allows you to control workload identity access with adaptive policies, reducing the risk exposure from lost, stolen, etc credentials

1) Entra B2B (business to business); added as a 'guest', the external user signs in using their own credentials (Yahoo, M365, etc). Entra B2B APIs allow developers to customise invitations, and B2B users are managed in the same directory as the internal users. You can actually visit a SharePoint site and invite the user directly from there, and the user will be automatically added to Entra ID

2) Entra External ID for Customers; is a fully customisable authentication solution made to be used with your custom apps and websites. Azure AD B2C; is Microsoft's original cloud offering for Customer Identity and Access Management (CIAM); it is still supported but will soon be phased out

Hybrid Identities; still needed if you have files or applications on-prem. The tool Microsoft Entra Connect is used to sync on-prem AD with Entra ID. The synchronisation can work in three ways:

  1. Password Hash Synchronisation; the Entra Connect app hashes the password during the sync. This method enables leaked-credential detection, so accounts are better protected
  2. Pass-through Authentication; this is for organisations that don't want to save their passwords in the cloud: users log on with the same password, but the password validation is done by a software agent that runs on-premises
  3. Federated Authentication; Entra ID uses AD FS (Active Directory Federation Services) to authenticate, and no passwords are saved in the cloud

MFA (Multi-Factor Authentication); is a combination of something that you know (a password) plus something that you have (a phone, a fob) or something that you are (a fingerprint, an eye scan, a face). The Authenticator app is recommended instead of SMS, as the phone number can really get hijacked too and text messages can be intercepted

Passwords as recommended by Microsoft

Password-less is the most secure way to log on: no need for passwords at all, just use Authenticator. Use Just Enough Access (JEA), also known as least privilege, and ensure the list of Global Admins is reduced to a minimum

Self-Service Password Reset (SSPR); when enabled, users must register at least one other authentication method in order to reset their own passwords. To reset your password visit https://passwordreset.microsoftonline.com/ or this other link, which goes to the same place: https://aka.ms/sspr. The Microsoft global banned password list won't allow users to reset to passwords that are well known. You can also configure a custom banned password list that can include words like the company name, etc

Entra ID Governance; allows you to balance your organisation's need for security and employee productivity with the right processes and visibility, providing you with capabilities to ensure that the right people have the right access to the right resources. Entra ID Governance covers the identity, access and privileged-access lifecycles using 4 fundamental tools:

  1. Access Reviews; a cool feature that sends the owner of a group the list of its members to review; always choose the Microsoft recommendations
  2. Entitlement Management; a feature by which you build an access package (add groups, SharePoint sites, apps, etc) and then define who can request access to that access package, for example for a project
  3. Privileged Identity Management (PIM); provides just-in-time privileged access to Entra ID and Azure resources, where users can request access to certain roles in Azure for just a few hours
  4. Entra ID Protection; sign-in risk levels are used by Conditional Access to trigger certain actions

Advanced functionalities require the Microsoft Entra ID Governance add-on; guests will also need licenses for features that affect them

Azure Network Security Groups (NSG); contain security rules that filter network traffic to/from Azure resources in an Azure Virtual Network. In an NSG, rules with a lower priority number are applied before those with a higher number. NSGs protect the VMs, while Azure Firewall adds complementary protection for the whole network, with network- and application-level filtering. You can compare the different Azure Firewall SKUs here: https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku
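The NSG priority rule above, as an added example that is not part of the original notes: a small evaluator that walks a rule set in ascending priority and stops at the first match, the way an NSG does. The rule set is constructed sample data (a broad Allow at priority 4000 is shadowed by a narrower Deny at 200); only the 65500 DenyAllInBound default is modelled, not the other Azure defaults.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    priority: int   # custom rules 100-4096; lower number is evaluated first
    name: str
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR prefix or "*" (any)
    dest_port: str  # "3389", "8000-8080" or "*"


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def source_matches(spec: str, ip: str) -> bool:
    return spec == "*" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(rules, direction: str, protocol: str, src_ip: str, dst_port: int):
    """Return (access, rule name) of the first matching rule in ascending
    priority; later rules are never consulted once one matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if source_matches(rule.source, src_ip) and port_matches(rule.dest_port, dst_port):
            return rule.access, rule.name
    return "Deny", "<no match>"  # not reached while DenyAllInBound is present


# Constructed sample rule set (hypothetical subnet 10.0.1.0/24 as the bastion).
SAMPLE_RULES = [
    NsgRule(100, "AllowRdpFromBastion", "Inbound", "Allow", "Tcp", "10.0.1.0/24", "3389"),
    NsgRule(200, "DenyRdpFromAnywhereElse", "Inbound", "Deny", "Tcp", "*", "3389"),
    NsgRule(300, "AllowHttps", "Inbound", "Allow", "Tcp", "*", "443"),
    NsgRule(4000, "AllowRdpFromAnywhere", "Inbound", "Allow", "Tcp", "*", "3389"),  # shadowed by 200
    NsgRule(65500, "DenyAllInBound", "Inbound", "Deny", "*", "*", "*"),  # Azure default rule
]

if __name__ == "__main__":
    for ip, port in [("10.0.1.7", 3389), ("203.0.113.5", 3389), ("203.0.113.5", 443)]:
        print(ip, port, evaluate(SAMPLE_RULES, "Inbound", "Tcp", ip, port))
```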

Azure Web Application Firewall (WAF); provides centralised protection of your web applications from common exploits and vulnerabilities, protecting against SQL injection, cross-site scripting and remote file inclusion for up to 40 web applications

DevSecOps; Development, Security and Operations is a practice that integrates security initiatives into the whole process to deliver robust and secure applications

CWPP; Cloud Workload Protection Platform, a security tool that detects and removes threats inside cloud workloads

CSPM; Cloud Security Posture Management is a market segment for IT security tools designed to identify misconfiguration issues and compliance risks in the cloud. Misconfiguration of a cloud environment is the most common mistake in the cloud and can potentially lead to a data breach; CSPM tools can reduce cloud-based security incidents through continuous monitoring. CSPM includes tools like Zero-Trust based access control, real-time risk scoring, threat and vulnerability management, discovery of sharing risks, technical policies and threat modelling

Defender for Cloud; is a cloud-native application protection platform made up of security measures and practices designed to protect cloud-based applications from cyber attack threats and vulnerabilities. The Secure Score in Defender for Cloud gives you recommendations for hardening your security. Defender for Cloud can help you meet regulatory standards such as NIST SP 800-53 (from the US Government) or the more popular ISO 27001, an international standard for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Qualys provides Defender with the capability to scan VMs and containers for vulnerabilities

Introduction to SIEM, SOAR and XDR; these are a set of security tools. SIEM and SOAR are provided by Microsoft through Microsoft Sentinel, while XDR is provided by Microsoft through Microsoft Defender XDR (formerly known as Microsoft 365 Defender)

  • SIEM (Security Information and Event Management); collects and analyses data from your digital estate and sends you alerts when
  • SOAR (Security Orchestration, Automation and Response); able to collect data, just like SIEM, but also able to trigger automated workflows to mitigate issues
  • XDR (Extended Detection and Response); a security threat detection tool that protects identities, endpoints, infrastructure and more

Microsoft Sentinel; collects data on-prem and in the cloud, detects previously uncovered threats and investigates them with AI, and responds to incidents. Sentinel uses many connectors to collect your data, because without data it is useless. Workbooks are a flexible canvas for data analysis and rich visual reports in Azure; basically they are dashboards, for example you can build a workbook for SharePoint, another one for OneDrive, etc

Defender XDR; is a unified pre- and post-breach enterprise defence suite that natively coordinates detection, prevention, investigation and response, providing integrated protection against sophisticated attacks. Microsoft Defender XDR includes the following services: Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender Vulnerability Management, Defender Threat Intelligence and Defender for Cloud Apps

Defender for Identity provides a visual view of lateral movement attacks, quite nice. Defender for Identity detects reconnaissance by rogue users, compromised credentials, lateral movement and domain dominance

Microsoft Security Copilot integrates with Defender XDR and Sentinel, helping you analyse incidents by asking questions in natural language: asking how this happened, creating a presentation for the incident, reverse engineering an attack, thus making security work more professional

Shadow IT; imagine your company uses SharePoint and blocks external sharing for security reasons, and yet your employees get a Dropbox subscription to share files with external partners; that's a lack of security and compliance

  • Rule in IT: it is better that your users have more permissions/features inside your system (for example the ability to share files externally) than having content somewhere else that you have no idea about and no control over (for example, them using tools like Dropbox to bypass these restrictions)

Defender for Cloud Apps; is a Cloud Access Security Broker (CASB) that identifies the cloud apps that are used inside your network

Microsoft's Six Privacy Principles; Control, Transparency, Security, Strong Legal Protections, No content-based targeting and Benefits to You. The Microsoft Service Trust Portal is a single location where you can find audit reports, pen tests, security assessments and more information about how Microsoft does its job regarding regulatory compliance: https://servicetrust.microsoft.com/

Microsoft Priva; available as an add-on for about £5 a month per user, it proactively identifies and protects against privacy risks such as data hoarding, enabling users to effectively manage data and take steps to comply with evolving privacy regulations. With Microsoft Priva you can create these kinds of policies:

  1. Limit data exposure by creating alerts if personal data is accessible by too many people
  2. Monitor transfer of data between departments, different world regions or between internal and external users
  3. Detect data that has been stored for a certain amount of time

Microsoft Priva Rights Requests is a solution that alleviates the complexity and length of time involved in responding to data subject requests (DSRs)

Microsoft Purview; is a comprehensive set of solutions that can help your organisation govern, protect and manage data wherever it lives. Purview is the name for the suite of all Microsoft compliance solutions; the central location for all compliance tools is https://compliance.microsoft.com. Microsoft Purview requires Microsoft 365 E3 or E5 licenses. The compliance score is a quick way to understand your compliance posture.

Microsoft Purview Data Lifecycle Management manages risk and liability by keeping only the data that you need and deleting the rest. The principles of Purview data protection are Know your data >> Protect your data >> Prevent data loss >> Govern your data

  1. Know your data; Microsoft uses a classification system that can detect many types of data, done with trainable classifiers, sensitive information types and exact data match (EDM) based classification. Content Explorer is also used
  2. Protect your data; use sensitivity labels when working with Word; you need to have Purview configured, otherwise this option will be greyed out
  3. Data Loss Prevention (DLP); you can use policies to prevent sharing certain types of data, like credit card numbers
  4. Govern your data; set up a retention policy for data, and delete the data that has no business value. Retention Labels on specific items (keep this doc for 1 year) take precedence over Retention Policies on areas (keep this folder for 6 months)

Retention Labels vs Retention Records

Communication Compliance; monitors the chats in your organisation, ensuring there are no inappropriate messages (swear words, etc)

Information Barriers; prevent individuals or groups from communicating with each other

The Six Stages of eDiscovery are: Identification, Preservation, Collection, Processing, Review and Production

Purview Auditing; Microsoft offers Standard (180 days of log retention) and Premium (1 year of log retention) licenses
