Chapter 1
Introduction to Microsoft Azure

In this chapter, I discuss Microsoft Azure as a platform and the common security issues for cloud computing. Security issues include common vulnerabilities, types of security threats, and their potential impact on a company. My goal is to outline the problems that the Azure Security Engineer certification is trying to teach you to solve.

What Is Microsoft Azure?

Microsoft Azure is a cloud platform consisting of more than 200 products and cloud services. It allows you to have your own contained IT infrastructure, which is entirely physically hosted at one or more of Microsoft's data centers. Azure allows you to develop and scale new applications or to run existing applications in the cloud. Its cloud services include the following:

  • Compute  These services allow you to deploy and manage virtual machines (VMs), Azure containers, and batch jobs. Compute resources created in Azure can be configured to use public IP addresses or private addresses, depending on whether or not they need to be accessible to the outside world.
  • Mobile  These products and services allow developers to build cloud applications for mobile devices and notification services, as well as support for backend tasks and tools for building application programming interfaces (APIs).
  • Analytics  These services provide analytics and storage for services across your Azure environment. They include features for real-time analytics, big data analytics, machine learning, and business intelligence.
  • Storage  Azure supports scalable cloud storage for structured and unstructured data. It also supports persistent storage and archival storage.
  • Security  These specialized products and services help identify, prevent, and respond to different cloud security threats. They include data security features such as encryption keys and data loss prevention solutions.
  • Networking  Azure allows you to create virtual networks, dedicated connections, and gateways, as well as services for traffic management and diagnostics, load balancing, DNS hosting, and security features.

Cloud Environment Security Objectives

When studying for the MCA Azure Security Engineer certification, you must first know the overall objectives of security and the common challenges involved in securing a cloud environment. Knowing the objectives and the challenges is important for understanding the practical implications of the concepts that are taught in this book and for directly answering many exam questions. So, the first thing we must review is the CIA triad (see Figure 1.1).

FIGURE 1.1 The CIA triad

CIA stands for confidentiality, integrity, and availability, the three goals you are trying to accomplish.

Confidentiality

Confidentiality means that only people with the right access should be able to access any piece of information. In this section of the CIA triad, the focus is on implementing proper security controls that prevent unauthorized access to your company's resources. A common example of a control used to maintain confidentiality is requiring a login username and password, the idea being that only an authorized person will be able to provide the credentials and gain access to your resource.

Integrity

Integrity means that only people with the correct access are able to change or edit any piece of information within a company. It ensures that information is always accurate and can be trusted to be free of manipulation. A common example of a security control used to ensure integrity is the use of a digital signature. A digital signature is an encrypted hash value used to prove that a message has not been altered and to prove the identity of the sender. In a communication between two people, the digital signature leverages hashing algorithms and public key encryption to create a unique hash value of the original message or document, which can only be decrypted and read by the receiver. The message or document is then digitally signed and sent to the receiver. Once the receiver gets the message or document, they can generate their own hash value for the message or document, and if it matches the hash value that was shared by the sender along with the message, then they know the message has not been changed in transit (i.e., when moving from the sender to the receiver over the Internet).

Availability

Availability means that you want to ensure that your information and services are always available for use by the right user. Think about a company website, for example. As a business, you want to ensure that your company's website is always working and available for customer interactions. However, cyberattacks like distributed denial-of-service (DDoS) attacks make these services unavailable and can cost businesses thousands or even millions of dollars. Common examples of security controls that help maintain website availability are next-generation firewalls and specialized DDoS protection software.

Nonrepudiation

A fourth term, nonrepudiation, isn't included in the triad, but it is associated with the first three. Nonrepudiation simply means that no one should be able to perform an action online and then deny that they performed that action. For example, if I send an email or delete a file, there must be proof that I performed this action so that I can't deny it at a later date. One way that we prove it is by using the previously discussed digital signature.

Pretty much everything that you do within your cybersecurity operations is related to one or multiple elements of this triad; it's the most commonly used framework for understanding what you are trying to achieve as a cybersecurity professional.

Common Security Issues

Now that you have a basic understanding of what cybersecurity generally is trying to achieve, let's look at some of the common issues that cloud security professionals must deal with. Many of Azure's tools are built to address these issues, and it's very likely you have come across some of them in your daily work.

Principle of Least Privilege

The principle of least privilege simply means that you should only give users the amount of privilege they need to do their job and nothing more. Giving users anything more than what is necessary creates risk for the company without providing any benefit. For example, giving users more privilege than needed can be detrimental in a situation where an employee is being fired. Disgruntled employees are one of the biggest threats to a company because they have access to the internal network and have a motive to damage or steal information from it. Roughly 59 percent of employees steal information when they quit or are fired from their company. The amount of information that they have access to steal can be limited if you implement the principle of least privilege. Even if it's not a situation where the employee is leaving, if an employee's account has a high level of privilege and that account is misused or hacked by a cybercriminal, they will be able to access more information and perform more harmful actions using that account than with an account that has limited privileges. Think of what an admin-level account would be capable of accessing compared to a normal user account. The amount of damage a cybercriminal could do is staggering in such cases.

Zero-Trust Model

A zero-trust model is a security concept stating that an organization shouldn't implicitly trust any device or entity inside or outside its perimeter and instead should verify everything before granting the device or entity access to anything. This model may contradict what some people assume—that if a device is inside the company network, then it should be okay to trust and it's not harmful. However, this is certainly not the case. Insider threats, advanced persistent threats (i.e., threat actors that sit on the network for extended periods of time), and legitimate accounts that have been compromised are all examples of cyberthreats that sit inside the company perimeter but shouldn't be trusted. Keep in mind the words of Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Massachusetts:

The strategy around Zero Trust boils down to don't trust anyone. We're talking about, “Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized…”

www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html

Defense in Depth

Defense in depth is the idea that any important network resource should be protected by multiple layers of security (see Figure 1.2). This means that you should not have a single point of failure when it comes to the security controls that you use. It requires that you implement a variety of controls covering different aspects of security. The layers include the following:

  • Policies, Procedures, and Awareness Training  While not technical controls, these documents and actions are part of overall security governance. They outline how the organization should approach their cybersecurity operations and mandate that certain actions must be taken to ensure the overall security of the company.
  • Physical Security  Even in a cloud environment, you should take time to audit how the cloud provider physically secures its servers and physical infrastructure. If someone is able to gain access to a machine physically, they can often bypass whatever security controls are in place on the machine itself. This can be as simple as disabling USB ports on a machine to prevent someone from plugging in a USB and uploading a virus. Also, in the event of a natural disaster, building fires, or other unforeseen circumstances, you must ensure that your systems are well protected.
  • Perimeter Security  Perimeter security is the first layer of security that sits between your digital network and outside attackers. It includes controls like perimeter firewalls, honeypots, and demilitarized zones (DMZs). Perimeter security is what separates your internal network from the outside world (the Internet). This area separates parts of your network so that only the resources that need to be exposed to the Internet will be exposed. For example, a DMZ is a separate part of the network, usually hosting only things like a web server that needs to be accessed by people outside the company network.
  • Network Security  Network security controls are located on the company network and are responsible for monitoring and controlling the company's internal network. These controls are not located on any one particular machine, but rather are attached to things such as a router, where they can monitor communications between different network devices and filter and block traffic accordingly. A common example of this is the network intrusion detection and prevention system (IDPS), which monitors all of the traffic on a network for signs of malicious activity. Once the IDPS locates such activity, it can provide alerts as well as take action to block that malicious activity from occurring.
  • Endpoint Security  Endpoint security controls are located on the actual endpoints on the network. An easy example to discuss is the antivirus software that you download to your computer. This antivirus software doesn't help to protect the network itself; it only scans files on your computer. The advantage is that it can do file-level detection as the software that operates on the network level cannot see the file or processes on any of the machines on the network. Endpoint security controls allow for more detailed detection and remediation.
  • Application Security  Application security is focused on securing the software applications that your business hosts. In the context of the cloud, many applications are hosted on cloud servers and are publicly available to anyone on the Internet. You need to know how to secure your applications so that people who visit the application and use it won't be able to exploit it. Application security begins during the creation of the application with source code reviews or dynamic application testing, where you try to find security bugs in the application. Once the application is completed, you need security like web application firewalls (WAFs) to protect the application from exploitation.
  • Data Security  The last element of defense in depth is data security—implementing controls that help you protect the data within your organization from being accessed by unauthorized people. A common security control is data encryption, which ensures that anyone who is eavesdropping will be unable to obtain information in a usable format. In a cloud environment, one of the biggest challenges is to control the access that people have so that only those who are supposed to have access to view information are able to.

FIGURE 1.2 Defense in depth

Avoid Security through Obscurity

Security through obscurity is the idea that you can keep a system secure by keeping it a secret, which isn't a good idea. Although keeping the system hidden does reduce the number of threats that might target it, it's typically only a matter of time before an attacker finds out about it. If you didn't take time to protect it, then it's relatively easy for the attacker to discover and exploit. A lot of interconnectivity exists among the systems in a cloud environment, so even if that system isn't connected to the Internet directly, it may be connected through numerous other systems to a device exposed to the Internet, and it can be discovered that way.

The AAAs of Access Management

Another part of cloud environment security that's heavily focused on throughout the exam is identity and access management (IAM). IAM is about ensuring that only authorized people have access to resources within a company. If people are able to gain unauthorized access, they may be able to plant malware on company systems, steal company information, or perform other damaging actions on company devices. There are three main components to IAM that you must understand: authentication, authorization, and accounting (AAA).

Authentication pertains to confirming that a user is who they claim to be. Each user has unique identification information that sets them apart from all other users, and that information can be used to prove their identity when needed. For example, when you log into a website, you provide a username and a password. That combination of information should only be known by you, the owner of the account, and it provides the website with a somewhat reliable method of authenticating their users.

There are three primary categories of authentication:

  • Something you know (for example, a password)
  • Something you have (for example, an access card)
  • Something you are (for example, your fingerprint)

When you require a user to have at least two authentication methods across two categories, it's called multifactor authentication, which makes it much harder for attackers to authenticate themselves as someone else because they must steal two different sets of information.

The second A in AAA is authorization, which is the process of granting or denying a user access to system resources once the user is authenticated. Authorization determines the amount of information or services that a user can gain access to. If you've ever watched a military movie or worked in the military, you may have heard them use the phrase “classified information.” Classified information means that only people who have a certain authorization level can access it. While your environment's resources may not be as important as classified military information, you should apply the same principle and work to limit user access to the least amount that they need in order to do their job (refer back to the principle of least privilege from earlier). On the system side, it means figuring out the privileges the user's account needs to work. For example, you must decide whether you are provisioning an account with guest access, regular user access, or administration-level privileges.

The final A in AAA stands for accounting, which is the ability to track a user's activity while accessing the company's resources and includes the amount of time spent on the network, the services accessed while there, and the amount of data transferred during their session. While this might seem invasive, it's an essential part of your organization's security policy. Accounting data is used for many things. First, this information enables you to perform a trends analysis and identify failed login attempts, which could indicate an attack. This information can also aid in detecting data breaches, forensics and computer investigations, billing, cost allocation, audits, and much more. It's important to be able to trace events back to specific user accounts during an investigation. For example, if you have a malware outbreak in the company, you want to know what account the malware originated from, how it could have spread, and if the situation has been contained. By tracing the events back to a specific user account, you can identify where it started from, whom it may have spread to, and therefore, if it has been contained based on the actions of that user account.

Properly enforcing the AAAs is your only reliable defense against insider threats. As stated previously, insider threats include disgruntled employees—people who feel like they've been mistreated by the company or perhaps are about to be fired. Having this accounting data can help you identify these bad actors ahead of time and prevent them from doing something malicious. Insider threats also can include employees who are committing fraud. By collecting this information on a regular basis, you will detect clues about those who are committing fraud and using their company position to hide it. Keep in mind that for IAM accounting to be effective, you should eliminate the use of generic or shared accounts. If an action on your system can't be tracked back to a single person, then in most cases the information won't be very useful for singling out the bad actor.
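The two accounting checks described above (spotting bursts of failed logins and finding accounts that cannot be tied to one person) can be run over sign-in records as in the following added example, which is not from the book. The log format, account names, addresses, and thresholds are constructed assumptions, not an Azure log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in records: ISO timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-03-04T08:00:05 alice 10.0.10.21 success
2024-03-04T08:15:00 helpdesk 10.0.10.30 success
2024-03-04T08:40:00 carol 10.0.10.22 failure
2024-03-04T08:41:10 carol 10.0.10.22 success
2024-03-04T09:05:00 helpdesk 10.0.10.31 success
2024-03-04T09:10:00 bob 203.0.113.50 failure
2024-03-04T09:10:20 bob 203.0.113.50 failure
2024-03-04T09:10:45 bob 203.0.113.50 failure
2024-03-04T09:11:30 bob 203.0.113.50 failure
2024-03-04T09:12:00 bob 203.0.113.50 failure
2024-03-04T09:12:40 bob 203.0.113.50 success
2024-03-04T10:30:00 helpdesk 10.0.10.44 success
2024-03-04T11:00:00 carol 10.0.10.22 failure
2024-03-04T13:20:00 helpdesk 10.0.10.52 success
"""


def parse(log_text):
    """Return (timestamp, account, source, outcome) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, source, outcome = line.split()
        events.append((datetime.fromisoformat(ts), account, source, outcome))
    return sorted(events)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with `threshold` failures inside one sliding window.

    A success shortly after the burst is recorded too, because a guessing
    attack that ends in a successful login suggests a compromised account.
    """
    recent = defaultdict(deque)   # account -> failures still inside the window
    bursts = {}
    for ts, account, source, outcome in events:
        if outcome == "failure":
            queue = recent[account]
            queue.append((ts, source))
            while ts - queue[0][0] > window:   # drop failures that aged out
                queue.popleft()
            if len(queue) >= threshold and account not in bursts:
                bursts[account] = {
                    "detected_at": ts,
                    "failures": len(queue),
                    "sources": sorted({src for _, src in queue}),
                    "success_followed": False,
                }
        elif account in bursts and ts - bursts[account]["detected_at"] <= window:
            bursts[account]["success_followed"] = True
    return bursts


def shared_account_candidates(events, max_sources=2):
    """Flag accounts that sign in successfully from many distinct sources.

    Such accounts are likely generic or shared, so their activity cannot be
    traced back to a single person during an investigation.
    """
    sources = defaultdict(set)
    for _, account, source, outcome in events:
        if outcome == "success":
            sources[account].add(source)
    return {acct: sorted(srcs) for acct, srcs in sources.items()
            if len(srcs) > max_sources}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for account, info in failed_login_bursts(events).items():
        print("failed-login burst:", account, info)
    for account, srcs in shared_account_candidates(events).items():
        print("possible shared account:", account, srcs)
```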

Encryption

Encryption is an essential part of security in a cloud environment. Encryption is the process of encoding information so that it cannot be read by anyone other than the intended recipient. This process begins with the original message (plaintext), which is encoded and converted into ciphertext, sent to the recipient, and then converted back into plaintext, where it can be read. Because a cloud environment can only be accessed over the Internet, a larger than normal opportunity exists for users to “eavesdrop” or gain unauthorized access to network resources. Therefore, you must encrypt your communications (e.g., email) whenever you are going to be sending sensitive data over the Internet.

Several types of encryption exist:

  • End-to-end encryption
  • Symmetric key encryption
  • Asymmetric key encryption (public key cryptography)

End-to-End Encryption

End-to-end encryption is a system of communication where only the communicating users can read the messages. When the information is not being read by one of the users, it is always encrypted. As you read through this study guide, an emphasis is placed on trying to obtain end-to-end encryption wherever possible. This is important for preventing third parties from eavesdropping on your communications. You should have encryption through the entire communicating process with any sensitive information to avoid data leaks. The only time when sensitive information should be in plaintext, or unencrypted, is when it is in use.

Symmetric Key Encryption

In this form of encryption, the same or identical encryption keys are used to both encrypt and decrypt information (see Figure 1.3). An encryption key is a string of characters that is used to encode or decode data. Symmetric key encryption is divided into stream ciphers and block ciphers. A stream cipher encrypts the message one bit at a time in a continuous flow; the name comes from this constant stream of bits being encrypted. A block cipher breaks the message up into a predetermined number of bits and encrypts them as a unit, one block at a time, until the entire message is encrypted. Symmetric encryption is typically less secure than asymmetric because it requires you to share the encryption key with everyone that you want to communicate with. However, it is much faster and best used in situations where you value speed over security.

Asymmetric Key Encryption

In asymmetric key encryption (see Figure 1.4), different keys are used for encryption and decryption of a message. First, the message is encrypted using a public key, which is shared between both users. Then the message is decrypted using a private key, which only the recipient of the message has. Asymmetric key encryption is arguably more secure than symmetric key encryption because you never have to send the decryption key over an insecure channel—your private key is kept on your personal workstation and is never emailed, thus reducing the risk of being read by attackers. Also known as public key encryption, this type of encryption is best suited for situations where you are processing smaller datasets and where speed isn't a huge concern.

FIGURE 1.3 Symmetric encryption

FIGURE 1.4 Asymmetric encryption

Network Segmentation

The next element of cybersecurity we are going to discuss is network segmentation, which is all about dividing your computer network into smaller physical, or logical, components. Two devices on the same network segment can talk to each other directly, while separating a network into segments enables you to create some boundaries. Typically, each network segment will have data filtered by a router and a firewall (which is usually one device). Requiring data traffic to pass through a device allows for traffic to be inspected and security policies to be applied.

Network segmentation is a great way to limit the damage of data breaches. First, the ability of ransomware or any other malware to spread is greatly reduced when a network is segmented properly; segmentation usually limits the malware to only the network segment where the infection began. Second, it helps to enforce the principle of least privilege by limiting an individual's access to only the network segments they need access to. Also, if you need to provide access to a third party, you can isolate the resource that they need to its own subnet and keep the third party isolated from the rest of your resources. Network segmentation can also boost the performance of a network because with fewer hosts on a subnet, local traffic is reduced. With less overall traffic on each subnet, it's also easier for you to identify potential suspicious behavior on each subnet because there is less noise to go through.

Basic Network Configuration

You always want to ensure that a firewall is located between you and the Internet to filter traffic that comes through to your internal network. In Figure 1.5, you see an example of simple but effective network segmentation for your organization. Called a demilitarized zone (DMZ), this is where you want to put your Internet-facing servers. You don't want application servers sitting on the same subnet as your internal servers. You also shouldn't have all of your Internet-facing servers on the same DMZ—only those that must communicate with one another regularly should be placed on the same DMZ. This way, if a hacker is able to compromise these Internet-facing servers, they'll be limited to that restricted zone.

DMZ1 is allowed to receive traffic from the servers and workstations in the internal zone, but it cannot send information to the internal zone. Only traffic from DMZ2 is allowed to flow both ways. Because traffic from the Internet is routed to DMZ1, you'll want to prevent DMZ1 from sending traffic directly to the internal servers. Therefore, any traffic that needs to go to the internal servers must be routed to DMZ2, through the firewall, and then passed on to the internal zone. No traffic should go directly between the Internet and your internal zone, inbound or outbound.

Another important aspect is that typically Internet user access should be routed through an HTTP proxy server, which in Figure 1.5 is located on DMZ1. Again, you need to place a buffer between your internal network and the Internet because this is where most of your threats will be located.

FIGURE 1.5 A DMZ setup

Finally, traffic for every subnet should be restricted to certain ports that are necessary for their job function and everything else should be closed. This restriction limits the number of attack options that a hacker has, because each open port on your machine represents a potential entry point to the machines on that subnet.
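The zone rules and port restrictions described in this section can be written down as a policy and checked against observed traffic, as in the following added example, which is not from the book. The subnet addresses, port numbers, sample flows, and the rule that lets the DMZ1 proxy reach the Internet are assumptions made for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed address plan; the chapter names the zones but gives no addresses.
ZONES = {
    "dmz1": ipaddress.ip_network("10.0.1.0/24"),       # Internet-facing servers, HTTP proxy
    "dmz2": ipaddress.ip_network("10.0.2.0/24"),       # relay between DMZ1 and internal
    "internal": ipaddress.ip_network("10.0.10.0/24"),  # internal servers and workstations
}

# Permitted zone paths (who may open a connection to whom) and the ports open
# on each path. Anything not listed is denied. Port numbers are assumptions.
POLICY = {
    ("internet", "dmz1"): {443},     # Internet traffic is routed to DMZ1
    ("internal", "dmz1"): {3128},    # users reach the HTTP proxy in DMZ1
    ("dmz1", "internet"): {80, 443}, # assumption: proxy fetches on users' behalf
    ("dmz1", "dmz2"): {8443},        # DMZ1 reaches internal servers only via DMZ2
    ("dmz2", "internal"): {1433},    # DMZ2 <-> internal flows both ways
    ("internal", "dmz2"): {8443},
}


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "internet"


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one connection attempt."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        # Hosts on the same segment talk directly and never cross the firewall.
        return True, f"same segment ({src})"
    open_ports = POLICY.get((src, dst))
    if open_ports is None:
        return False, f"{src} -> {dst} is not a permitted zone path"
    if flow.port not in open_ports:
        return False, f"port {flow.port} is not open for {src} -> {dst}"
    return True, f"{src} -> {dst} on port {flow.port}"


def violations(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow that breaks the segmentation policy, with the reason."""
    found = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            found.append((flow, reason))
    return found


# Constructed flow records, e.g. taken from firewall or flow logs.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.1.10", 443),    # Internet -> DMZ1 web server
    Flow("203.0.113.7", "10.0.10.5", 3389),   # Internet straight into internal
    Flow("10.0.1.10", "10.0.10.5", 1433),     # DMZ1 skipping DMZ2
    Flow("10.0.1.10", "10.0.2.20", 8443),     # DMZ1 -> DMZ2 relay
    Flow("10.0.2.20", "10.0.10.5", 1433),     # DMZ2 -> internal database
    Flow("10.0.10.50", "10.0.1.15", 3128),    # workstation -> proxy
    Flow("10.0.10.50", "198.51.100.9", 443),  # workstation bypassing the proxy
    Flow("10.0.2.20", "10.0.10.5", 22),       # permitted path, closed port
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.port}  {reason}")
```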

Unsegmented Network Example

To illustrate how important this is, let's use an example of a famous data breach that only occurred because the company's network was not segmented properly. In 2013, the department store Target had a data breach. This data breach began with a phishing email that was opened by an employee of a small HVAC company that did business with Target. The malware from this breach remained on the network of the HVAC company for two months before spreading to Target's network. Once inside Target's network, it was able to move laterally through the network and eventually installed itself on the point-of-sale (POS) terminals at many of the company's stores. The result: Over 110 million customers' data was compromised, over 100 lawsuits were filed, and banks handed over $200 million to customers. If Target had used proper network segmentation, this attack probably would have never happened, because the third party's network access would have been restricted to its own subnet. The cost of this data breach to Target itself was an estimated $61 million.

Internal and External Compliance

As a security engineer, you will be responsible for managing several network devices and ensuring that they are compliant with both internal and external standards. It will be at your company's discretion to determine the internal configuration standards to which your machines should adhere. External standards are less flexible and require that your environment have certain security measures in place to protect the data of your customers. The regulations you need to be aware of vary, depending on the type of business you work for. However, here's a summary of some of the most common ones.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that accept or process credit cards in any way. In September 2006, five major credit card brands (Visa International, MasterCard, American Express, Discover, and JCB) established the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC was created for and continues to oversee PCI DSS. Failure to comply with the rules outlined in this standard can result in heavy penalties. For example, one Tennessee-based retailer was charged $13.2 million by Visa for failure to meet these standards. Typically, fines range from $5,000 to $10,000 per month until compliance is achieved, but these fines increase the longer a company doesn't meet compliance. Also, fines ranging from $50 to $90 can be charged per affected customer if a data breach occurs.

CCPA

The California Consumer Privacy Act (CCPA) gives California residents more control over the personal information that businesses collect on them. CCPA applies only to for-profit businesses that do business in California (regardless of where your headquarters are located) and that meet any of the following requirements:

  • Have a gross annual revenue of over $25 million
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices
  • Derive 50 percent or more of their annual revenue from selling California residents' personal information

The CCPA doesn't apply to nonprofit businesses or government agencies. It imposes a maximum civil penalty of $2,500 for every unintentional violation and $7,500 for every intentional violation of the law.

GDPR

The General Data Protection Regulation (GDPR) is a privacy law set out by the European Union (EU). GDPR became effective as of May 25, 2018. Even though it was set in place by the EU, it affects all companies that collect information on citizens of the EU. Ernst & Young estimate that the world's 500 biggest corporations are on track to spend up to $7.8 billion on GDPR compliance (www.securitymetrics.com/blog/how-much-does-gdpr-compliance-cost). As of January 2020, GDPR has led to over $126 million in fines, with the biggest fine of €50 million paid out by Google. GDPR fines can reach up to €20 million ($24.1 million), or 4 percent of annual global turnover, whichever is higher (www.cnbc.com/2020/01/19/eu-gdpr-privacy-law-led-to-over-100-million-in-fines.html).

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. The privacy aspect of HIPAA is overseen and enforced by the U.S. Department of Health and Human Services (HHS) office, starting in April 2003. From a compliance point of view, HIPAA is about mandating the protection of consumer health information, which is referred to as HIPAA privacy regulation. HIPAA privacy regulation requires healthcare providers and their business associates to develop and follow procedures to ensure the confidentiality and protection of protected health information (PHI).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a regulatory requirement that applies to private sector organizations that collect personal information in Canada. It's designed to ensure the protection of personal information in the course of commercial business. Compliance requires that you follow 10 fair principles, which govern the collection, use, and disclosure of personal information, as well as provide access to personal information for customers. PIPEDA fines can reach up to $100,000 per violation.

Cybersecurity Considerations for the Cloud Environment

Roughly 94 percent of organizations are concerned about cloud security, according to a cloud security report (www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/top-cloud-security-issues-threats-and-concerns) conducted by CheckPoint.com. Among the top concerns are misconfiguration, unauthorized access, insecure interfaces, and hijacking of accounts. Next, we're going to review some of the main cybersecurity issues that occur in a cloud environment.

Configuration Management

In the Check Point survey, misconfiguration was ranked the highest, with 68 percent of respondents saying that it was a concern for their business (www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-native-security/the-biggest-cloud-security-challenges-in-2021). First, cloud infrastructure is designed to be easy to use and enable easy data sharing between parties, which makes it difficult to ensure that data is only accessible to authorized parties. Second, organizations do not have complete visibility or control over their cloud infrastructure. Typically, they will rely on the security controls that the cloud provider supplies to protect their environment, which is limiting. Third, many companies may not be familiar with securing a cloud environment and could end up with multiple deployments, each with different configurations, which makes it easy for a mistake to occur. Finally, unlike physical machines that are owned and maintained by your company, in a cloud environment you may have multiple users who have the ability to create new compute instances. Depending on how these instances are configured, you run the risk of people introducing vulnerabilities into your environment. To fix this issue, you need an effective way of knowing when people create new instances and the ability to ensure that all of these instances follow the proper configuration systems that you lay out for your business.

Unauthorized Access

Cloud-based deployments are typically accessible by the Internet. While this is convenient for employees and customers, it also makes it easier for an attacker to gain unauthorized access to an organization's cloud-based resources. An improperly configured security feature or compromised credentials could provide an attacker with access to your company's network, and because so many users connect remotely, the company often never knows.

Insecure Interfaces/APIs

Cloud service providers (CSPs) often provide their customers with many application programming interfaces (APIs) and other interfaces. These APIs are often well documented and made publicly available so that they are easier for the CSPs' customers to use. However, because this information is readily available, it can also be found by potential hackers. If the company fails to properly secure these APIs, they can be found and exploited to access and steal the company's data.

Hijacking of Accounts

About 50 percent of respondents claimed that the hijacking of accounts was a major concern in their cloud infrastructure. Many people use weak or commonly used passwords, and as a result, they can be easily guessed by cybercriminals. The problem only gets worse when you consider techniques such as phishing, which is when someone sends a fake message designed to trick someone into revealing sensitive information or installing malware. Phishing is commonly used to steal people's login information. As with any other network, gaining full access to someone's credentials can provide hackers with access to a lot of company information. In a cloud environment, companies usually have a diminished ability to identify and respond to these types of situations.

Compliance

Compliance refers to regulations that affect companies depending on their industry, size, and geographical location, and where their customers are. Your cloud environment holds information related to your company and its customers. You need to be sure that all of the data collection, storage, processing, and deletion in your cloud environment is happening in accordance with your company's compliance requirements. At first glance, this might seem straightforward, but there are some cloud-specific considerations that you must be aware of. First, you must understand how your servers are being physically stored and secured; then you need to understand how the data on the servers is being deleted and wiped when these instances are terminated. Forty-two percent of organizations surveyed by CheckPoint.com stated that they needed a specialized cloud compliance solution.

Lack of Visibility

Since an organization's cloud infrastructure is located outside the corporate network, many companies lack the security tools for properly monitoring the network. Also, whoever is responsible for security in that organization may not have the ability to monitor all of the systems in the cloud, and this limits the organization's ability to monitor their cloud-based resources.

Accurate Logging

You need to know what's going on in your environment, and the best way to do this is through accurate detection of errors and suspicious activities. One of the best ways to reliably accomplish this is through the logging of important events on the network. One of the complications with logging in a cloud environment is the synchronization of time zones: you may have servers operating out of different locations in different time zones, and correlating events to get an accurate depiction of what is happening can be difficult. In addition, you may have several machines existing on the network and many new instances being created on a regular basis, so you need a logging solution that is flexible enough to monitor and log all of the events of interest.
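The time-zone problem can be made concrete with a short added example (not from the book): log lines from three hosts are converted to UTC before they are ordered and correlated. The host names, log format, and events are constructed, and the fixed offset assigned to the host that logs without one is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the form "<host> <timestamp> <event> <detail>".
SAMPLE_LINES = [
    "vm-tokyo 2024-03-10T09:15:02+09:00 login_failed user=alice",
    "vm-virginia 2024-03-09T19:15:40-05:00 login_success user=alice",
    "vm-dublin 2024-03-10T00:16:05 role_assignment user=alice",
    "vm-tokyo 2024-03-10T09:14:30+09:00 login_failed user=alice",
]

# Assumed offsets for hosts that log local time without stating an offset.
# A fixed offset ignores daylight saving changes, so hosts should log in UTC.
HOST_OFFSETS = {"vm-dublin": timezone.utc}


def parse_line(line):
    """Parse one line and attach a timezone-aware UTC timestamp to it."""
    host, stamp, event, detail = line.split(" ", 3)
    ts = datetime.fromisoformat(stamp)
    if ts.tzinfo is None:
        if host not in HOST_OFFSETS:
            raise ValueError(f"no known offset for host {host}")
        ts = ts.replace(tzinfo=HOST_OFFSETS[host])
    return {"utc": ts.astimezone(timezone.utc), "raw": stamp,
            "host": host, "event": event, "detail": detail}


def raw_order(lines):
    """Event order when the timestamps are sorted as written (misleading)."""
    return [e["event"] for e in sorted(map(parse_line, lines), key=lambda e: e["raw"])]


def utc_timeline(lines):
    """All events in true chronological order."""
    return sorted(map(parse_line, lines), key=lambda e: e["utc"])


def failures_then_success(timeline, window=timedelta(minutes=5), min_failures=2):
    """Flag a successful login preceded by repeated failures for the same user,
    on any host, within the window."""
    hits = []
    for ev in timeline:
        if ev["event"] != "login_success":
            continue
        prior = [f for f in timeline
                 if f["event"] == "login_failed" and f["detail"] == ev["detail"]
                 and timedelta(0) <= ev["utc"] - f["utc"] <= window]
        if len(prior) >= min_failures:
            hits.append((ev["detail"].split("=", 1)[1], ev["host"], len(prior)))
    return hits


if __name__ == "__main__":
    print("as written:", raw_order(SAMPLE_LINES))
    for e in utc_timeline(SAMPLE_LINES):
        print(e["utc"].isoformat(), e["host"], e["event"], e["detail"])
    print("suspicious:", failures_then_success(utc_timeline(SAMPLE_LINES)))
```

Sorted as written, the successful login appears to come before the failed attempts; in UTC the failures come first, followed by the success on another host and then the role assignment.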

Cloud Storage

As with logging, you must have a good solution for storing your information on Microsoft Azure. This is important for storing company logs as well as other important company and customer information. This information needs to be easily accessible and configured so that only the right people can access that information. Such storage also includes backing up the data of your important files for later access if required.

Vendor Contracts

You should understand what your cloud provider (in this case, Microsoft) guarantees when it comes to their service level agreements (SLAs). An SLA is a commitment between a service provider and their client on the particulars of a service (e.g., quality, availability, and responsibilities). As mentioned previously, availability is one of the three important aspects of security. In the case of a cloud environment, you are affected by your provider's ability to provide you with good uptime for your cloud network. Understanding what your provider's SLA outlines in terms of availability and other aspects of your cloud environment will determine what additional steps you might need to take to ensure that your cloud environment is always available. It's vital that you and your company understand the provider's committed level of access because that will determine how much availability you can expect for your IT infrastructure.

Link Sharing

Cloud environments are designed for the easy sharing of information and let you invite collaborators via an email or a link to a shared resource. The problem with this method is that these invitations can be passed on to anyone, making it much more difficult to regulate exactly who has access to what on a network. Once the link is shared with a user, it's usually impossible to revoke access to just that single user without disabling the link entirely. In addition, revoking the link may not be feasible if it's been forwarded on to enough people and they've been given access via that method.

Major Cybersecurity Threats

A cybersecurity attack consists of three elements. First is a vulnerability, which is a weakness found in a system or process that could lead to the compromise of that machine by a threat actor/agency. Second, a threat actor is someone or something that exploits a vulnerability to cause a compromise of that machine. Third is an exploit, which is the method that a threat actor uses to compromise a machine. In this chapter, we review some of the most common cyberattacks against an organization. This will help you to understand the remainder of this chapter and the book overall. As you read this book, keep in mind that these are the attacks that you are trying to defend against when you implement the security controls highlighted in later chapters.

DDoS

Distributed denial of service (DDoS) occurs when a hacker makes a computer or console unable to respond, or at least much slower to respond (or lag). They do this by consistently sending traffic to that machine so that it becomes overwhelmed and cannot respond to legitimate traffic. In a cloud environment, hackers may send tons of traffic to your company's web servers (or another important part) in an attempt to make them unavailable. In such an environment, companies might share hardware resources with other clients of the cloud provider via virtualization, which increases the risk of a DDoS attack affecting either company. Virtualization is the process of creating a virtual version of something rather than a physical one. In this situation, rather than having two physical hard drives for two different virtual machines, a cloud provider may use the same physical hard drive and simply divide its resources into two groups using virtualization. If a DDoS attack hits the physical machine, both VMs are affected.

Social Engineering

Social engineering is the practice of manipulating people into performing actions or giving up confidential information. It's one of the most common attack vectors in security. One of the most common social engineering techniques used on companies is the phishing attack delivered through email. Phishing is the act of pretending to be a legitimate person in order to get someone to give up personal information such as their usernames, passwords, credit cards, and employee information. Eighty percent of all security incidents involve the use of a phishing attack (https://spanning.com/blog/cyberattacks-2021-phishing-ransomware-data-breach-statistics/#:~:text=Phishing%20attacks%20are%20responsible%20for,65%25%20of%20all%20phishing%20attacks). Figure 1.6 is a fine example of a well-crafted phishing email.

FIGURE 1.6 Sample phishing email

The goal of this email is to have the recipient click the login link, which then sends them to a replica of the PayPal site. Once the recipient enters their login information, it is then sent directly to the hacker to use however they wish.

Another way hackers use email in their attacks is to attach malware that looks like a real attachment in order to trick the user into downloading it. Many software packaging tools can be used to make programming scripts look like a PDF or Word document, with the correct file extension and icon. Additionally, hackers can write malware as macros, which can be attached to a legitimate Excel or Word file, and once it is downloaded and macros are enabled, the program can run automatically.

Lastly, we have spear phishing, which is the same as a phishing email but targeted for a specific individual. This attack type requires the hacker to do research beforehand in order to craft an email tailored to its recipient. Because these messages are so tailored, the hackers have a much higher chance of success than when using a regular phishing email. Spear phishing against high-level company executives like chief executive officers (CEOs), chief security officers (CSOs), or chief information officers (CIOs) is referred to as whaling.

Password Attacks

As mentioned previously, account hijacking is one of the big concerns when it comes to cloud computing. One way that this is often exploited is through password attacks. A password attack is any type of cyberattack that is used to guess/crack a user's passwords. The first and most basic type of attack is a brute-force attack, which is when a hacker tries random combinations in an attempt to correctly guess a user's password. This type of attack is extremely time consuming and is not very popular as a result. A more common method is a dictionary attack, which is where a hacker uses a preset list of passwords (possibly hundreds or thousands of them) to attempt to guess the user's correct password. Because many people use the same passwords or small variations thereof, this type of attack can be very effective and is how several accounts are compromised every year.
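Because dictionary attacks succeed on common passwords and small variations of them, one defense is to reject such passwords when they are set. The following screening function is an added example, not code from the book: the word list is a tiny constructed stand-in for a real common-password list, and the 12-character minimum and the substitution table are assumptions.

```python
import re

# Constructed stand-in for a real common-password list (assumption: a
# production system would load a much larger list of commonly used passwords).
COMMON = {"password", "welcome", "qwerty", "letmein", "summer", "azure"}

# Assumed table of the usual character substitutions people apply.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # assumed policy value


def base_word(candidate):
    """Undo the small variations the text describes: capital letters, digits
    or symbols added at either end, and look-alike character substitutions."""
    word = candidate.lower()
    word = re.sub(r"[\d\W_]+$", "", word)   # trailing "2024!", "1", "#" ...
    word = re.sub(r"^[\d\W_]+", "", word)   # leading digits or symbols
    return word.translate(LEET)


def screen_password(candidate, username):
    """Return the reasons a new password should be rejected (empty list = accept)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    word = base_word(candidate)
    if word in COMMON:
        reasons.append(f"variation of common password '{word}'")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the account name")
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd2024!", "Welcome1", "Alice-loves-hiking-42",
               "correct-horse-battery-staple"]:
        print(pw, "->", screen_password(pw, "alice") or "accepted")
```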

Malware

Malware, or malicious software, is any piece of code that is harmful to a computer system. Malware can do all sorts of harm to your machines, such as stealing information, stealing processing power, displaying malicious ads, or even using that machine to perform attacks on other machines. You should be aware of the following malware types.

Adware

Adware is a relatively harmless type of malware. After being installed, adware shows users advertisements meant to make profit for the hacker. Much of the software that is installed for legitimate applications is technically adware. Outside of being an annoyance, it doesn't do any harm to your computer except use up some of its resources.

Ransomware

One of the most popular and profitable types of malware is ransomware. This malware encrypts all of the information located on an infected system and demands payment from the system's owner in order to have the files restored to normal. It is consistently used against businesses and generates a large amount of revenue every year. In 2020 alone, ransomware cost each victim on average $2.09 million in remediation costs (www.forbes.com/sites/forbestechcouncil/2021/07/13/with-ransomware-costs-on-the-rise-organizations-must-be-more-proactive/?sh=2729af292dd5).

Spyware

Spyware is a type of malware that sits on your computer, collecting information, and then sends that information back to the attacker. This information can include the websites you visited or your mobile phone's location. Spyware may even turn on your camera to view your environment or to take pictures. This malware type is usually used to covertly steal either customer information or business secrets that can be resold by a hacker for profit.

Backdoors

A backdoor is a piece of malware that enables an attacker to connect to your computer at any time. Once a hacker gains access to your computer system, one of the first things they do is set up a backdoor. Doing so provides them with repeated access—they won't have to spend time hacking into your computer system again in the event that you fix the vulnerability that let them in, change your password, or otherwise improve the security of your system.

Bots/Botnets

Bot/botnet malware is software that lies dormant on a computer until a hacker gives it a command using a command-and-control (C&C) server. At that point, the bot malware becomes active and takes control of the computer to perform a certain task assigned to it by the hacker (see Figure 1.7). One controlled computer is called a bot, and a collection of controlled computers is known as a botnet.

Cryptojacker

A cryptojacker is a type of malware that uses your computer's processing power to mine cryptocurrency and generate profit for a hacker. Usually, they target hundreds or thousands of computers so that they can mine cryptocurrency very quickly and for a large profit.

Keylogger

Keyloggers are a type of malware that records the keystrokes on a computer and sends that information back to the attacker. Generally, this information is used to discover people's usernames, passwords, personal identification numbers (PINs), and other login information. It can also be used to obtain other personal information, but that is less common.

FIGURE 1.7 How botnets work

RAM Scraper

Random access memory (RAM) is a type of temporary storage location on a computer. A RAM scraper collects information from the RAM and sends it back to the hacker. RAM scrapers can be very profitable for hackers gaining entrance into point-of-sale (POS) systems like cash registers, because for a brief period the systems store credit card numbers unencrypted. By collecting that information, a hacker gains access to credit card payment information that can be either reused or sold to other people for profit.

Browser Hijacking

Browser hijacking is when malware alters the way your web browser works to either redirect you to a website that the hacker wants you to visit, or to steal your information from the cookies that your web browser stores about your online activity. A cookie is a small piece of data that your web browser generates as you browse the Internet. Cookies are how websites are able to remember that you are logged in, save your shopping carts, recommend products to you based on your search history, and so forth.

Summary

Cloud computing continues to be a popular way for organizations to create scalable and convenient IT infrastructure at a fraction of the cost of creating an on-premises solution. However, cloud computing comes with many unique security challenges that must be addressed. Even in a cloud-computing environment, companies are still required to maintain the same level of security, and in some cases, even more so. In order for a cloud network to be accessible, it must be exposed to the Internet, which means that it can be seen by anyone located outside the network. Potential risk of exposure and attack is increased, thus making it even more important to have good security practices set in place.

Exam Essentials

Be able to define the CIA triad.  The CIA triad consists of three core principles for having a good cybersecurity program. First is confidentiality, which means that only people with the right access should be able to access any piece of information. Second is integrity, which means that only people with the correct access should be able to change or edit any piece of information; integrity seeks to make sure that the information is always accurate. Third is availability, which means that you must ensure that information and services are always available for use by the right user.

Know the purpose of a demilitarized zone (DMZ).  A DMZ is a subnetwork containing an organization's exposed, Internet-facing servers and acts as an exposed point to untrusted networks. For example, this is where companies typically place their web servers that need to be exposed to the Internet.

Be able to describe the principle of least privilege.  This principle states that you should give users the least amount of privilege that they need to perform their job and nothing more. Giving users anything more than what is necessary creates risk for the company without providing any benefit.

Know the AAAs of access management.  First is authentication, which is all about confirming that a user is who they claim to be. It's based on the idea that each user has unique information that sets them apart from all other users and can be used to prove their identity when needed. Next is authorization, which is the process of granting or denying a user access to system resources once the user has been authenticated. Authorization determines the amount of information or services to which the user can get access. The last A in AAA stands for accounting, which is the ability to track a user's activity while accessing the company's resources.

Be familiar with the two types of encryption.  The first is symmetric key encryption, where the same or identical encryption keys are used to both encrypt and decrypt information. The advantage of symmetric key encryption is that it's faster but typically less secure. The second type is asymmetric key encryption, where you use two different keys for the encryption and decryption of the message. This type of encryption is the more secure of the two, but it is much slower and is best suited for situations where you are processing smaller datasets and where speed isn't a huge concern.

Be able to define the zero-trust model.  This is a security concept stating that an organization shouldn't automatically trust anything inside or outside its perimeter, and instead, should verify everything before granting it access to anything. Azure has many features that seek to authenticate users inside and outside the network before granting them privileged access.

Review Questions

  1. Which of the following is not an element of the CIA triad?
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  2. Which element relates to holding users accountable for their actions?
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  3. Which element refers to protecting information from unauthorized access?
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  4. Which element refers to protecting information from unauthorized changes, thus ensuring accuracy?
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  5. Which element refers to ensuring that information is available when you need it?
    1. Confidentiality
    2. Integrity
    3. Availability
    4. Nonrepudiation
  6. What does the principle of least privilege relate to?
    1. Limiting user accounts
    2. Limiting user access to what's needed
    3. Removing user access
    4. Removing access after terminating employees
  7. What is the principle of a zero-trust model?
    1. Authenticate users who are outside a network.
    2. Authenticate all users with multifactor authentication (MFA).
    3. Authenticate users who are inside and outside the network.
    4. Do not allow anyone to authenticate to vital resources.
  8. What is the core principle of defense in depth?
    1. Having multiple types of security features in place
    2. Having multiple layers of security features in place
    3. Having backups for each of your security features
    4. Investing heavily in security software for your company
  9. Which of these is not a layer in defense in depth?
    1. Physical security
    2. Encryption security
    3. Application security
    4. Policies, procedures, and awareness training
  10. What is security through obscurity?
    1. Hiding features of your security program
    2. Relying on hiding something to keep it secure
    3. Keeping information confidential
    4. Keeping your applications code a secret as a security practice
  11. Which of these is not part of access management?
    1. Authentication
    2. Authorization
    3. Availability
    4. Accounting
  12. Which type of encryption uses the same key for encryption and decryption?
    1. Public key encryption
    2. Asymmetric encryption
    3. Symmetric encryption
    4. End-to-end encryption
  13. Which type of encryption uses a different key for encryption and decryption?
    1. Shared key encryption
    2. Asymmetric encryption
    3. Symmetric encryption
    4. End-to-end encryption
  14. What is a DMZ used for?
    1. Segmenting a network
    2. Hosting network resources that are exposed to an untrusted network
    3. Hosting firewalls that are exposed to the Internet
    4. Serving as a type of network subnet
  15. What is configuration management?
    1. How you set up company systems
    2. Ensuring that your systems are configured according to your company standards
    3. Ensuring that your systems don't have vulnerabilities
    4. A type of vulnerability management
  16. What is a DDoS attack?
    1. It's a type of malware.
    2. It makes company resources unavailable.
    3. It's a type of web application attack.
    4. It mimics legitimate website traffic.
  17. Which of these is not a major cybersecurity threat?
    1. DDoS
    2. Phishing
    3. Ransomware
    4. Adware
  18. Which of the following doesn't determine your company's compliance requirements?
    1. Industry
    2. Company size
    3. Geographic location
    4. Type of software
  19. What is an example of a security control used to maintain integrity?
    1. Username and password
    2. Proxy servers
    3. Digital signature
    4. Antivirus software
  20. Which of these is not a type of malware?
    1. Ransomware
    2. Adware
    3. Rootkit
    4. Web cookies