# Microsoft Cybersecurity Architect Exam Ref SC-100

## Metadata
- Author: [[Dwayne Natwick and Rod Trent]]
- Full Title: Microsoft Cybersecurity Architect Exam Ref SC-100
- Category: #books
## Highlights
- Data can be found primarily in different storage accounts, such as blob containers or file shares, and within relational and non-relational databases. ([Location 523](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=523))
- Figure 1.10 – A cross-site scripting attack ([Location 916](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=916))
- Figure 1.11 – Security risk ([Location 925](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=925))
- Figure 2.1 – MCRA topics ([Location 995](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=995))
- Zero-trust user access: Zero trust is the concept of requiring constant verification of resources for access. ([Location 1006](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1006))
- risk to an asset. To accomplish this, you must take into account the combination of the asset along with any vulnerabilities and the potential threat that the vulnerability will be exploited. As an equation, this would look like this: Asset (A) + Vulnerability (V) + Threat (T) = Risk (R) ([Location 1063](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1063))
- Exposure factor (EF) is the impact that is measured by the percentage loss of an asset if the risk is realized. Single loss expectancy (SLE) is the value of the asset multiplied by the exposure factor. This will place a financial value on the asset loss when exposed. The annualized rate of occurrence (ARO) is the possible number of times that this risk may be exploited over the year. The annualized loss expectancy (ALE) is the combined financial impact of the SLE times the ARO, thus providing an annual cost of loss for the asset. ([Location 1073](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1073))
- The following is a good resource if you would like to learn more about cyber threat analysis: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final. ([Location 1086](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1086))
- Figure 2.3 – Defense-in-depth security diagram ([Location 1105](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1105))
- When evaluating and determining the workflow for a response, the following should be accounted for when evaluating security operations: ([Location 1605](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1605))
- System for Cross-Domain Identity Management (SCIM) protocol can be used. SCIM is an open source protocol that can be configured with a user management API to synchronize and automatically provision users and groups to an application in Azure AD. ([Location 1834](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1834))
- If you are creating resources within specific regions, you should have policies in place that have location parameters to only deploy within those regions. ([Location 2326](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=2326))
- cloud security posture management (CSPM). CSPM is the method for monitoring and managing these defenses to audit, assess, and identify potential vulnerabilities and threats that may be within our infrastructure. ([Location 2420](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=2420))
- Microsoft provides guidance and pre-configured settings within server and client operating systems to build that baseline. This guidance includes downloading the Security Compliance Toolkit (SCT), which helps administrators manage security baselines. ([Location 2873](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=2873))
- Azure provides options so that you can avoid having these ports open to the internet, while still making them available to you to manage at the operating system level remotely. The two that will be discussed are Just-in-Time (JIT) virtual machine access and Azure Bastion. Azure Arc allows remote management of on-premises servers through SSH for Linux and Windows Admin Center for Windows devices. ([Location 3026](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3026))
- Some popular metrics should be considered when evaluating the company’s security operations’ effectiveness. A cybersecurity architect who is brought in to evaluate the effectiveness of the current team should use these metrics to gain insights. These metrics are as follows: ([Location 3101](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3101))
  - Mean time to acknowledge (MTTA) is a metric that identifies the speed at which a security operations team acknowledges an alert at the tier 1 level. This can be the time from the alert being created to a security analyst viewing the incident to identify whether it is a false positive or an actual threat.
  - Mean time to remediate (MTTR) is a metric that identifies how long it has taken to remediate an incident and remove an attacker’s access within the environment and the exposure to resources.
  - Incidents remediated are the number of incidents resolved either manually through the security operations team or with an automated response.
  - Escalations between tiers track the incidents that have had to be moved to different teams. If incidents are being moved quickly to escalation or escalated to the wrong teams, this could identify a requirement for additional training within the security operations team.
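The four metrics above computed over a handful of incident records, as an added example that is not from the book. The record layout (created, acknowledged, remediated timestamps, closed_by, escalations) and the sample incidents are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not from the book). Timestamps are ISO-8601 UTC.
# "acknowledged": when a tier 1 analyst first opened the alert.
# "remediated":   when attacker access was removed (None = still open).
# "closed_by":    "analyst" (manual) or "automation" (automated response).
# "escalations":  number of hand-offs between tiers.
INCIDENTS = [
    {"id": "INC-1", "created": "2023-04-01T08:00:00", "acknowledged": "2023-04-01T08:10:00",
     "remediated": "2023-04-01T12:00:00", "closed_by": "analyst", "escalations": 1},
    {"id": "INC-2", "created": "2023-04-01T09:00:00", "acknowledged": "2023-04-01T09:05:00",
     "remediated": "2023-04-01T09:20:00", "closed_by": "automation", "escalations": 0},
    {"id": "INC-3", "created": "2023-04-02T10:00:00", "acknowledged": "2023-04-02T10:30:00",
     "remediated": None, "closed_by": None, "escalations": 2},
]

def _ts(value):
    return datetime.fromisoformat(value) if value else None

def _mean_minutes(pairs):
    # Open incidents (no end timestamp) are excluded from the average.
    deltas = [(end - start).total_seconds() / 60 for start, end in pairs if start and end]
    return round(mean(deltas), 1) if deltas else None

def secops_metrics(incidents):
    """Compute MTTA, MTTR, remediated counts and escalations from incident records."""
    mtta = _mean_minutes((_ts(i["created"]), _ts(i["acknowledged"])) for i in incidents)
    mttr = _mean_minutes((_ts(i["created"]), _ts(i["remediated"])) for i in incidents)
    remediated = {
        "manual": sum(1 for i in incidents if i["closed_by"] == "analyst"),
        "automated": sum(1 for i in incidents if i["closed_by"] == "automation"),
    }
    return {
        "mtta_minutes": mtta,
        "mttr_minutes": mttr,
        "remediated": remediated,
        "escalated_incidents": [i["id"] for i in incidents if i["escalations"] > 0],
        "open_incidents": [i["id"] for i in incidents if i["remediated"] is None],
    }

if __name__ == "__main__":
    print(secops_metrics(INCIDENTS))
```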
- Among these requirements, you must include, but are not limited to, the following settings and security features: Within Azure Storage, you should turn on soft delete for blob data and file shares. This protects data from accidental deletion and allows deleted items to be recovered. ([Location 3336](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3336))
- Anonymous or default internet access to storage accounts should not be used. Misconfigured access creates a potential network vulnerability for the data. ([Location 3345](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3345))
- When using shared access signatures (SAS), they should also be limited to connections through HTTPS. SAS access should be time-bound and expire within a reasonable period, providing access to the user or resource while limiting the time that the information could be exposed if the SAS path is compromised. SAS should be used to provide non-Azure AD users and resources with access to storage accounts. Shared key authorization should not be used. When possible, customer-managed, not Microsoft-managed, keys should be used to protect and encrypt storage account data at rest. ([Location 3351](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3351))
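A review check for the two SAS requirements above (HTTPS-only and a short, time-bound lifetime), as an added example that is not from the book. It reads the standard SAS query parameters (`spr`, `st`, `se`, `sp`, `sig`); the one-hour maximum lifetime, the storage account name and the `sig` placeholder are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Assumed policy value for this example: a SAS may live at most one hour.
MAX_LIFETIME = timedelta(hours=1)

def _parse_sas_time(value):
    # SAS times are UTC ISO-8601 with a trailing Z, e.g. 2023-04-02T12:30:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sas_policy_findings(sas_url, now=None, max_lifetime=MAX_LIFETIME):
    """Return policy violations for a SAS URL; an empty list means it is compliant."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(sas_url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if parsed.scheme != "https":
        findings.append("URL itself is not HTTPS")
    if q.get("spr") != "https":          # "https,http" also permits plain HTTP
        findings.append("spr must be exactly 'https' so the token is rejected over HTTP")
    if "se" not in q:
        findings.append("no expiry (se): SAS is not time-bound")
    else:
        expiry = _parse_sas_time(q["se"])
        start = _parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("SAS already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds policy maximum {max_lifetime}")
    if "sig" not in q:
        findings.append("no signature (sig): not a valid SAS token")
    return findings

# Constructed sample URLs (account name and signature are placeholders).
NOW = datetime(2023, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
GOOD = ("https://examplestorage.blob.core.windows.net/backups/db.bak"
        "?sv=2022-11-02&spr=https&st=2023-04-02T11:55:00Z&se=2023-04-02T12:30:00Z&sp=r&sig=PLACEHOLDER")
WEAK = ("https://examplestorage.blob.core.windows.net/backups/db.bak"
        "?sv=2022-11-02&spr=https,http&se=2024-04-02T12:00:00Z&sp=rwdl&sig=PLACEHOLDER")

if __name__ == "__main__":
    print("GOOD:", sas_policy_findings(GOOD, now=NOW))
    print("WEAK:", sas_policy_findings(WEAK, now=NOW))
```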
- Secrets, credentials, API tokens, and private keys should be called from Azure Key Vault rather than stored in code or configuration files. ([Location 3382](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3382))
- To protect data access on these devices, you should utilize tools to protect identities, such as Conditional Access policies and multi-factor authentication (MFA). Mobile device management (MDM) and mobile application management (MAM) ([Location 3763](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3763))
- Azure Backup and Azure Site Recovery Services. ([Location 3780](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3780))
- Note: Prongs of anti-ransomware with app white
- Data protection solutions within Microsoft for internal and external risks to data can be used, such as Insider Risk Management, Microsoft Defender for Cloud Apps, and Conditional Access policies. ([Location 3825](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3825))
- Azure provides three types of server-side encryption for service-managed keys: storage service encryption (SSE), Azure disk encryption (ADE), and transparent data encryption (TDE). ([Location 3903](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3903))
- SSE is the encryption service within Azure Storage accounts for encrypting data at rest. ([Location 3908](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3908))
- Azure disk encryption (ADE) is used to encrypt virtual machines and their attached disks. ([Location 3923](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3923))
- ADE for Windows virtual machines utilizes BitLocker for encrypting the virtual machine and attached disks. DM-Crypt is used for Linux virtual machines and attached disks. ([Location 3926](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3926))
- TDE is encryption at rest for data that is stored within SQL Databases, SQL Managed Instances, and Azure Synapse Analytics. ([Location 3932](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=3932))
- Azure AD Identity Protection will monitor user and sign-in risks. The risks include common attack vectors such as brute-force identity attacks. Azure AD Password protection can be used to protect against brute-force attacks by setting parameters for login frequency to block them. Password strength can be enforced by creating a dictionary of blocked passwords. ([Location 4075](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=4075))
## New highlights added April 2, 2023 at 7:19 PM
- Figure 2.2 – Risk assessment matrix ([Location 1067](https://readwise.io/to_kindle?action=open&asin=B0B39CSKP8&location=1067))