Pass Microsoft Security SC-900 Exam in First Attempt Easily
- Premium File 186 Questions & Answers
Last Update: Oct 2, 2023
- Training Course 147 Lectures
- Study Guide 413 Pages
Microsoft Security SC-900 Practice Test Questions, Microsoft Security SC-900 Exam dumps
1. Course Introduction
Identity is everything. This is what the attacker needs. It could be in the form of a user ID and password, typically called credentials, or it could be your certificates. That's what attackers can use to access your personal data, whether it is in the cloud or on premises. It could be the identity of a user, or it could be a device in the hands of an attacker. The identity grants the access, and that is how it plays out time and again, breach after breach. The modern attack cycle, particularly in the cloud, starts with identities. Attackers have found new ways to get into your information, discovering your credentials and identities in order to access more and more information and get what they want. We are living in the cloud-native era, and identities in the cloud-native era are not just about securing your Microsoft Active Directory infrastructure.
In the cloud era, it's all about APIs. And these APIs are the gatekeepers of access. Identities are the new data plane. Today, we must not only work on network security, but also on securing your identities, what those identities can be used for, and how to protect them. The curriculum in SC 900 is about getting you familiarised with the various options that Microsoft provides in order to protect your data and identities. Let's go ahead and learn about the coverage of this course. SC 900, as a certification, has four modules. The first one is about understanding the concepts of security, compliance, and identity. The next one focuses on the capabilities of Microsoft identity and access management solutions. The third module focuses on the overall security solution that Microsoft provides and its capabilities. The last module, which is equally important, is about the capabilities of Microsoft Compliance Solutions. In this course, you will learn about the various nitty-gritty details of each of these modules.
And as we drill down into each of these subsections, you'll learn about the Zero Trust methodology, the Shared Responsibility Model, the concepts of encryption, and the importance of Active Directory: how Active Directory has evolved into Azure Active Directory and the security features that Azure Active Directory provides. The capabilities of privileged identity management and privileged access management are equally important. You will also look at the various security solutions that work at the networking layer, such as Azure Firewall, Azure Bastion host and Web Application Firewall, and at how you can encrypt your data in the cloud. All of this data can flow into Azure Sentinel for better analysis and better aggregation.
You'll also learn about Microsoft 365 Defender services, cloud app security, the various reports and dashboards that can be generated with M365, and the licences that are associated with it. In order to secure your mobile devices, you can make use of the Endpoint Security feature in the Microsoft Endpoint Manager admin center. As I mentioned earlier, compliance is equally important for all kinds of organizations, so we'll look at the risk capabilities in Microsoft 365, the capabilities of the compliance center, the information protection and governance capabilities, the eDiscovery capabilities, and also the audit and governance capabilities of Microsoft 365 and Azure.
All in all, SC 900 is a certification that familiarises you with the various concepts of Microsoft security, compliance, and identity. Let's get started with the first module, and that's where we'll learn about the concepts of security, compliance, and identity. Thanks for watching so far. I hope this course will be informative to you, and I'll see you in the next lesson. Bye.
Module 1 Describe the concepts of security, compliance, and identity
1. Chapter 1 : Security concepts and methodologies – Introduction
Today's business data is not only being accessed from traditional corporate networks but also from locations outside them. And that's one reason security has become an overriding concern. Organizations need to understand how they can best protect their data, regardless of where it's accessed from and whether it's sitting on their corporate network or in the cloud. This module introduces some important security concepts and methodologies. We'll learn about the Zero Trust model, the shared responsibility model, and defence in depth. We will also be covering common cybersecurity threats. Finally, this lesson will introduce you to the concepts of encryption, hashing, and signing as ways to protect your data. Let's get started with the first concept, the Zero Trust methodology.
2. Zero Trust – Guidelines
So what is the Zero Trust methodology all about? The Zero Trust model assumes everything is on an open and untrusted network, even if your resources are behind the firewalls of your corporate network. A zero-trust model operates on just one principle: trust no one, but verify everything. The attacker's ability to bypass the conventional access controls ends the illusion that traditional security strategies are sufficient. By no longer trusting the integrity of the corporate network, security is strengthened. In practice, this means that we no longer assume that a password is sufficient to validate the user. So we add multi-factor authentication to provide additional checks.
So instead of granting access to all devices on the corporate network, users are allowed access only to the specific applications or data that they need. There are certain guidelines and principles behind Zero Trust, and it's important to understand them. There are three main principles, and these are the basis of how security is implemented: verify explicitly, least privileged access, and assume breach. Let's talk about these one by one. Verify explicitly. This is where we always authenticate and authorise based on all available data points, including the user's identity, location, the device from which they're trying to access the service or workload they are connecting to, the data classification, and any anomalies.
Least privileged access is about limiting the user's access with just-in-time and just-enough access, as well as risk-based adaptive policies, with enough data protection in place to protect both the data and productivity. Finally, assume breach. Segment access by network, users, devices, and applications. Use encryption to protect the data, and use analytics to get visibility, detect threats, and improve your security. But that's not all. We also need to talk about the six foundational pillars of the Zero Trust model. Let's talk about them in the next lesson. Thanks for watching so far. See you there.
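As an added example that is not part of the course, here are the three principles above expressed as a small access decision function. The signal names, the resources and roles, and the 0.7 risk threshold are my own assumptions, not Microsoft's Conditional Access policy schema.

```python
import time
from dataclasses import dataclass


@dataclass
class SignIn:
    """Signals available about one access attempt (names are assumptions for this example)."""
    user: str
    roles: dict             # role -> expiry (epoch seconds); just-in-time elevation expires
    mfa_passed: bool        # multi-factor authentication completed on this sign-in
    device_compliant: bool  # health/compliance signal reported for the device
    known_location: bool    # sign-in from a location previously seen for this user
    risk_score: float       # 0.0 (no anomaly) .. 1.0 (strongly anomalous)


# Least privilege: each resource names the roles that actually need it and its data classification.
RESOURCES = {
    "wiki":       {"roles": {"staff", "finance"}, "classification": "internal"},
    "payroll-db": {"roles": {"finance"},          "classification": "confidential"},
}

RISK_BLOCK = 0.7  # assumed threshold above which a sign-in is treated as compromised


def active_roles(signin, now):
    """Just-in-time access: a role counts only while its elevation has not expired."""
    return {role for role, expiry in signin.roles.items() if expiry > now}


def evaluate(signin, resource, now=None):
    """Return (decision, reasons); decision is 'allow', 'step-up' or 'deny'."""
    now = time.time() if now is None else now
    res = RESOURCES.get(resource)
    if res is None:
        return "deny", ["unknown resource"]

    reasons = []
    # Verify explicitly: every signal is checked on every request, never the password alone.
    if not signin.mfa_passed:
        reasons.append("MFA not completed")
    if not signin.known_location:
        reasons.append("unfamiliar location")
    if not signin.device_compliant:
        reasons.append("device not compliant")

    # Least privilege: the user must currently hold a role that needs this resource.
    if not (active_roles(signin, now) & res["roles"]):
        return "deny", reasons + ["no active role grants " + resource]

    # Assume breach: adapt to risk, and be stricter the more sensitive the data is.
    if signin.risk_score >= RISK_BLOCK:
        return "deny", reasons + ["sign-in risk %.2f" % signin.risk_score]
    if res["classification"] == "confidential" and not signin.device_compliant:
        return "deny", reasons
    if reasons:
        return "step-up", reasons  # grant only after additional verification (e.g. an MFA prompt)
    return "allow", reasons


if __name__ == "__main__":
    now = 1_700_000_000
    alice = SignIn("alice", {"finance": now + 3600}, True, True, True, 0.1)
    print(evaluate(alice, "payroll-db", now))   # ('allow', [])
    alice.mfa_passed = False
    print(evaluate(alice, "payroll-db", now))   # ('step-up', ['MFA not completed'])
```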
3. Zero Trust - Six Foundational Pillars
The Zero Trust model is about providing end-to-end security. But how do we achieve it? Well, there are six foundational pillars of the Zero Trust model: identities, devices, applications, data, infrastructure, and networks. What is an identity? Identity can refer to users in your organisation as well as the various services or devices that users are attempting to connect to. So when an identity attempts to access a resource, think of it as a user trying to access a file server, it must be verified with strong authentication methods. And as we discussed in the previous section, there was an element called least privileged access. Well, identities must follow the least privileged access principle. The second pillar is devices. Devices create a very large attack surface because data flows from the device, which could be your laptop or a desktop, to an on-premises workload like a file server or a database server.
And these days, it's also going to the cloud. So the devices that your employees have are also accessing data or files in the cloud. Monitoring the devices for health and compliance is an important aspect of security. The third pillar is applications. Applications are the way the data is consumed. And what does that include? It includes discovering all applications that are being used; sometimes we call this "shadow IT" because not all applications are managed centrally. So the application pillar includes managing permissions and access to them. The fourth pillar is data.
The data pillar is also very important. You need to classify, label, and encrypt data based on its attributes. Security efforts are ultimately about protecting your data and ensuring that it remains safe when it leaves the devices, applications, infrastructure, and networks that your organisation controls. So the data pillar is about classifying the data, labelling the data, and also encrypting the data. The fifth pillar is infrastructure. Whether it is on-premises or cloud-based, the infrastructure will always represent a threat vector. In order to improve security, you assess various things, including the version, the configuration, and just-in-time access. You also use telemetry to detect attacks and anomalies. This will allow you to automatically block or flag risky behaviour and take protective actions. Finally, the network pillar. This is the foundation of everything in an organisation. Networks should be segmented, and this should include deeper micro-segmentation. Also, real-time threat protection, end-to-end encryption, monitoring, and analytics of the network should be employed by using the right set of tools. These are the six foundational pillars that work together with the Zero Trust model in order to enforce the organisation's security policy.
4. The Shared Responsibility Model
If you're coming from a cloud background, you're probably already aware of the "shared responsibility" model. Let's go ahead and understand this from a security perspective. The shared responsibility model involves identifying which security tasks are handled by the cloud provider and which security tasks are handled by you, the customer. That means that certain sections of security are handled by the cloud provider, and other parts are handled by the cloud customer. In organisations running only on-premises hardware and software, the organisation is 100% responsible for the implementation of security and compliance.
But with cloud-based services, the responsibility is shared between the customer and the cloud provider. Now it all depends on whether the organisation is using software services, platform services, infrastructure services, or an on-premises data center. The shared responsibility model makes responsibilities clear. When organisations move data to the cloud, some responsibilities transfer to the cloud provider and some remain with the customer's organisation. The picture here demonstrates the areas of responsibility between the customer and the cloud provider, and this is based entirely on where the data is held. So for an on-premises data center, it is clear that you have responsibility for everything from the physical security to encrypting the sensitive data. Now look at infrastructure as a service. Of all the cloud service types, infrastructure as a service requires the most management by the cloud customer. With infrastructure as a service, you are using the cloud provider's computing infrastructure, which means that the cloud customer is not responsible for the physical components such as computers and the network, or for the physical security of the data center. However, the cloud customer is still responsible for certain things: for example, the operating system, the network controls (that is, how you access that virtual machine), the applications that are installed on the virtual machine, and protecting the data, including encryption. So there are still quite a lot of responsibilities, even though your virtual machine, which is an infrastructure service, is in the cloud.
The next one is platform as a service. Platform as a service provides an environment for building, testing, and deploying software applications. That means that it is best suited for developers, and the goal of PaaS is to help you create an application quickly without managing the underlying infrastructure. The cloud provider manages many aspects of the stack with platform as a service. That means they manage the hardware and the operating system, but the customer is still responsible for the applications and the data that are hosted on the platform. The next one is software as a service. Now, software services are hosted and managed by the cloud provider. For the customer, it just means that you are accessing a licence-based program. It is licensed on a monthly basis or through an annual subscription.
Applications like Microsoft Office 365, Skype, and Dynamics 365 are all examples of SaaS software. SaaS requires the least amount of management by the cloud customer. The cloud provider is in charge of everything except the data, the devices from which you connect, the accounts used to connect to the software service, and the identities that use the application. So for all cloud deployment types, you, the cloud customer, own your data and identities. That means that for infrastructure as a service, platform as a service, or software as a service, you are responsible for your own data and for your own identities that access the data. You are responsible for protecting the security of your data and identities. So if I have to summarise the shared responsibility model, the following responsibilities are always retained by the customer's organisation. The customer is responsible for the information, the data, and the devices that are accessing the data, which could be mobile phones or laptops, and also for the accounts and identities that are accessing the data. The shared responsibility model has a clear benefit in that organisations are clear about their own responsibilities and about those of the cloud provider. There's another important strategy when it comes to security, and it's called "defence in depth"; that's very important as well. I will talk about the multiple layers of security in defence in depth in the next lesson. Thanks for watching so far, and I'll see you in the next lesson. Bye.
5. Defence in Depth Strategy
Defence in depth is another buzzword in the security world. Let's go ahead and understand the various layers that we can take care of in a defence in depth strategy. So what is defence in depth? Defence in depth uses a layered approach to security. A defence in depth strategy uses a series of mechanisms to slow down the advance of an attack. Each layer provides protection so that if one layer gets breached, a subsequent layer will prevent an attacker from getting unauthorised access to the data. So what could be some possible examples of the different layers of security? We have always had physical security, right from the beginning. Physical security, such as limiting access to the datacenter to only authorised personnel, is something we have been doing right from the beginning. Identity and access. Identity and access security is all about controlling access to the infrastructure. We also need change control mechanisms in place so that when something changes in your infrastructure, we know who made the change, and that is closely linked to auditing. Perimeter security: what does that include? DDoS (distributed denial of service) protection is a type of perimeter security. This is done to filter large-scale attacks before they cause a denial of service to users. Network security. Network security can limit communication between resources using a variety of techniques, including segmentation and access controls.
The compute layer can secure access to a virtual machine, whether on premises or in the cloud, and this is done by closing certain ports. Application-layer security ensures that applications are secure and free from security vulnerabilities, so there is minimal chance of an attacker exploiting them. The data layer. This is also a security control, in order to protect business and customer data using mechanisms like encryption. There is another core factor that I want to talk about, something called the CIA triad. This is something that plays a major role in the IT security world. CIA is commonly taken to mean the Central Intelligence Agency, but that is not the case here. It stands for confidentiality, integrity, and availability. But let's park this discussion for the next lesson. Well, thanks for watching so far, and I'll see you in the next lesson. Bye.
6. The CIA Triad
The Central Intelligence Agency is most likely the first thing that comes to mind when you hear the term "CIA": the independent government agency in charge of providing national security intelligence to policymakers in the United States. However, what many people do not realise is that the "CIA triad" actually stands for something else. So we are now talking about the CIA in terms of information security: confidentiality, integrity, and availability. Now, this is a way to think about security trade-offs.
This is not a Microsoft model, but it is common to all security professionals. So what is confidentiality? Confidentiality refers to the need to keep sensitive data confidential, such as customer information, passwords, or financial data. You can encrypt the data to keep it confidential, but then you also need to keep the encryption keys confidential. Confidentiality is the most visible part of security. So we can clearly see the need for sensitive data, the keys, the passwords, and other secrets to be kept confidential. It is crucial in today's world for people to protect their sensitive private information from unauthorised access. So protecting confidentiality depends on being able to define and enforce certain access levels for the information. In certain cases, doing this will involve separating information into various collections that are organised by who needs access to the information and how sensitive that information actually is. The damage suffered if confidentiality is breached can be massive.
Let me give you some common examples of confidentiality controls. These include access control lists, volume and file encryption, and also file permissions in both NTFS and Unix formats. Integrity. The I in CIA stands for integrity. This is an essential component of the CIA triad and is designed to protect data from deletion or modification by an unauthorised party. It also ensures that when an authorised person makes a change that should not have been made, the damage can be reversed. So integrity is about keeping data or messages correct. For example, when you send an email message, you want to make sure that the message is received exactly the way it was sent. Another example is data storage in a database. When you store data in a database, you want to make sure that the data you retrieve is the same as the data you stored. Encrypting data keeps it confidential, but you must be able to decrypt it so that it's the same as before it was encrypted. Integrity is about having confidence that data hasn't been tampered with or altered. Availability is the last section of the CIA triad, but equally important, and it refers to the actual availability of your data. How do you ensure the data is always available to the business users or your customers? The authentication mechanisms, the access channels, and the systems all have to work properly to protect the information they contain.
And they must ensure that it's available when it's needed. So you need to build and design highly available systems for the compute resources that you're protecting. You need to have the right architecture and designs in place to improve availability. Depending on the design, high availability may address hardware failures, upgrades, or power outages. So what is availability all about? To keep it simple, it's all about making data available to those who need it. It's important to the organisation to keep the customer data secure, but at the same time, it must be available to the employees who deal with the customers. Well, all the sides of this triangle, the CIA model or the CIA triad, are important, but there are always certain trade-offs that need to be made.
If you have noticed a trend in the CIA triad, you will see that the CIA triad is all about information. The CIA triad is considered a core factor in the majority of IT security and the businesses that support it. It's important that you understand the CIA triad, how it is used to plan and implement a quality security policy, and the various principles behind it. It's also important to understand the limitations it presents. When you're informed, you can utilise the CIA triad for what it has to offer and also avoid the consequences that may come from not understanding it. All right, now we're moving on to the next section, which is more about the different kinds of common threats that we have in today's world. I hope this was informative to you. Thanks for watching so far, and I'll see you in the next lesson.
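As an added example that is not part of the course, this shows the integrity and confidentiality distinction from the lesson: a record is stored with a keyed hash (HMAC-SHA256) so that any change in storage is caught on retrieval, while the same mechanism leaves the content fully readable. The key and record values are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; a real key would come from a secrets store, never from source code.
KEY = b"constructed-example-key"


def seal(record, key=KEY):
    """Store a record together with a keyed hash of its canonical JSON form."""
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def retrieve(stored, key=KEY):
    """Return the record only if its tag still matches; raise if anything was altered."""
    expected = hmac.new(key, stored["body"].encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, stored["tag"]):
        raise ValueError("integrity check failed: record was altered")
    return json.loads(stored["body"])


def tamper_detected(stored, field, new_value):
    """Simulate an unauthorised edit of one field in storage (the tag is left as it was)
    and report whether retrieve() catches it."""
    altered = json.loads(stored["body"])
    altered[field] = new_value
    forged = {"body": json.dumps(altered, sort_keys=True), "tag": stored["tag"]}
    try:
        retrieve(forged)
        return False
    except ValueError:
        return True


def is_readable(stored, secret):
    """A keyed hash gives integrity only: the stored body is still plaintext."""
    return secret in stored["body"]


if __name__ == "__main__":
    stored = seal({"account": "ACC-1001", "balance": 250})      # constructed record
    print(retrieve(stored))                                    # original record comes back
    print(tamper_detected(stored, "balance", 999999))          # True: edit is detected
    print(is_readable(stored, "ACC-1001"))                     # True: no confidentiality
```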
7. Describe Common Threats
There are different types of security threats. Some of them aim to steal data; some of them aim to extort money. And there are others whose simple aim is disrupting normal operations, for example, the denial of service attack. This topic, which describes common threats, is all about looking at some of those threats.
Data breach. A data breach is when data is stolen, and that includes your personal data. Personal data means any information that is related to an individual and can be used to identify them directly or indirectly. There are different kinds of security threats that can result in a breach of personal data, and they include spear phishing and a lot of tech scams that you might have heard of, like SQL injection and malware designed to steal passwords or bank details. The dictionary attack is a type of identity attack where a hacker attempts to steal an identity by trying a large number of passwords. The tool that is used for a dictionary attack will automatically test each password against a known username.
Dictionary attacks are also known as "brute force attacks." One of the most popular tools in this area is called John the Ripper. This is an awesome tool that does not need any introduction. It has been a favourite choice for performing brute-force attacks for a very long time. The infamous ransomware attacks. Before we talk about ransomware, let's talk about what malware is. Malware is the term used to describe malicious applications and the code that is associated with them. The code running in that malicious application can cause damage and disrupt the normal use of devices. Malware can give attackers unauthorised access, which will allow them to use system resources, lock you out of the computer, and sometimes ask for a ransom as well. Ransomware is a type of malware that encrypts files and folders, preventing access to your important files, and attempts to extort money from victims, usually in the form of cryptocurrency. Heard of Bitcoin, right? So in exchange for a decryption key, you have to hand over a whole lot of Bitcoin to the malicious attacker. The cyber criminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, and possibly collect information. They could also be selling your computing resources or extorting payment from victims. Let's talk about disruptive attacks.
You may have already guessed what I'm talking about: disruption, or the attacks that cause disruption. A distributed denial of service, also known by the acronym DDoS, is the kind of attack that attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be directed at any publicly accessible endpoint on the internet. There are other kinds of threats as well, which include coin miners, rootkits, Trojans, worms, and exploit kits. Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you cannot trust any information that the device reports about itself. Trojans are a common type of malware. You might have heard the story of the Trojan horse. Now, a Trojan cannot spread on its own. This means it either has to be downloaded manually, or another piece of malware needs to download and install it.
Trojans often use the same filenames as real and legitimate applications. So it's easy to accidentally download a Trojan, thinking that it is legitimate. What is a worm? A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable USB drives, and other software vulnerabilities. Exploits always take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware uses to get into your device. The malware exploits these vulnerabilities to bypass your computer security and infect your device. These examples are just a few of the common threats that we have seen around the world. And just like information security, the threat vectors are also a constantly evolving area, and new threats emerge all the time.
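The dictionary attack described earlier in this section, seen from the defender's side, as an added example that is not part of the course: the detection counts failed sign-ins for one username from one source inside a sliding window and notes a success that follows such a run. The log line format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). The line format is my own assumption:
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
_t0 = datetime(2023, 10, 2, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    [f"{(_t0 + timedelta(seconds=i)).isoformat()} FAIL user=alice src=203.0.113.9" for i in range(12)]
    + [f"{(_t0 + timedelta(seconds=12)).isoformat()} OK user=alice src=203.0.113.9",
       f"{(_t0 + timedelta(minutes=5)).isoformat()} FAIL user=bob src=198.51.100.4",
       f"{(_t0 + timedelta(minutes=30)).isoformat()} FAIL user=bob src=198.51.100.4",
       f"{(_t0 + timedelta(minutes=31)).isoformat()} OK user=bob src=198.51.100.4"]
)

LINE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse(log):
    """Yield (timestamp, result, user, src) for every well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect_dictionary_attacks(log, threshold=10, window=timedelta(minutes=5)):
    """Flag (user, src) pairs with at least `threshold` failed sign-ins inside a sliding
    `window`, the signature of automated guessing against one known username. A success
    shortly after such a run is recorded as well, since it suggests a guess worked."""
    recent = defaultdict(list)  # (user, src) -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, src in sorted(parse(log)):
        key = (user, src)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:            # drop failures that fell out of the window
                q.pop(0)
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last"] = ts
            elif len(q) >= threshold:
                alerts[key] = {"first": q[0], "last": ts, "failures": len(q), "success_after": False}
        else:
            if key in alerts and ts - alerts[key]["last"] <= window:
                alerts[key]["success_after"] = True
            recent[key].clear()                  # a normal login ends the failure run
    return alerts


if __name__ == "__main__":
    for (user, src), a in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{user} from {src}: {a['failures']} failures, success afterwards: {a['success_after']}")
```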