
Microsoft Cybersecurity Architect Exam Ref SC-100: Ace the SC-100 exam and develop cutting-edge cybersecurity strategies, Second Edition

Dwayne Natwick, Graham Gold, Abu Zobayer
eBook Oct 2024 300 pages 2nd Edition

Cybersecurity in the Cloud

This chapter will provide an overview of what cybersecurity is and why it matters in modern business.

It is important to look beyond news headlines and understand the business context, business challenges, threat scenarios, and impacts. Beyond passing the exam, the aim of this book is to enable you, as a cybersecurity practitioner, to protect your business while ensuring it can take advantage of business growth opportunities safely.

Often, you will discover that the choices that you need to make to balance these objectives are not binary choices; you need the business and threat context to make the correct decisions for your business. This chapter will also discuss the evolution of cybersecurity and cyber-attacks as cloud technologies have become more prevalent. Once you have completed this chapter, you will understand what cybersecurity means and how it has changed as we have moved our workloads from on-premises data centers to the cloud.

Overall, this chapter covers key exam domains and topics, specifically Designing solutions that align with security best practices and priorities (20–25%). This includes creating a security strategy to support business resiliency, identifying and prioritizing threats to critical assets, and developing solutions for business continuity and disaster recovery (BCDR) in hybrid and multi-cloud environments, as well as mitigating ransomware attacks with a focus on BCDR and privileged access.

Making the Most of This Book – Your Certification and Beyond

This book and its accompanying online resources are designed to be a complete preparation tool for your SC-100 exam.

The book is written in a way that means you can apply everything you’ve learned here even after your certification. The online practice resources that come with this book (Figure 1.1) are designed to improve your test-taking skills. They are loaded with timed mock exams, chapter review questions, interactive flashcards, case studies, and exam tips to help you work on your exam readiness from now till your test day.

Before You Proceed

To learn how to access these resources, head over to Chapter 11, Accessing the Online Practice Resources, at the end of the book.

Figure 1.1: Dashboard interface of the online practice resources


Here are some tips on how to make the most of this book so that you can clear your certification and retain your knowledge beyond your exam:

  1. Read each section thoroughly.
  2. Make ample notes: You can use your favorite online note-taking tool or use a physical notebook. The free online resources also give you access to an online version of this book. Click the BACK TO THE BOOK link from the dashboard to access the book in Packt Reader. You can highlight specific sections of the book there.
  3. Chapter review questions: At the end of this chapter, you’ll find a link to review questions for this chapter. These are designed to test your knowledge of the chapter. Aim to score at least 75% before moving on to the next chapter. You’ll find detailed instructions on how to make the most of these questions at the end of this chapter in the Exam Readiness Drill – Chapter Review Questions section. That way, you’re improving your exam-taking skills after each chapter, rather than at the end of the book.
  4. Flashcards: After you’ve gone through the book and scored 75% or more in each of the chapter review questions, start reviewing the online flashcards. They will help you memorize key concepts.
  5. Mock exams: Revise by solving the mock exams that come with the book till your exam day. If you get some answers wrong, go back to the book and revisit the concepts you’re weak in.
  6. Exam tips: Review these from time to time to improve your exam readiness even further.

In this chapter, we are going to cover the following main topics:

  • What is cybersecurity?
  • The evolution of cybersecurity from on-premises to the cloud
  • Cybersecurity architecture use cases
  • Understanding the scope of cybersecurity in the cloud

What Is Cybersecurity?

To be able to understand the role of the cybersecurity architect, you should first understand what is meant by the term cybersecurity. The term is used in many different contexts within security, compliance, and identity.

Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks. These cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes.

Significance in Modern Business

In today’s digital age, cybersecurity is crucial for several reasons:

  • Protection of data: Businesses handle vast amounts of sensitive data, including personal information, financial records, and intellectual property. Cybersecurity measures help protect this data from breaches and theft.
  • Business continuity: Cyber-attacks can disrupt business operations, leading to significant downtime and financial losses. Effective cybersecurity ensures that businesses can continue to operate smoothly.
  • Reputation management: A data breach can severely damage a company’s reputation. Strong cybersecurity practices help maintain customer trust and protect the brand’s image.
  • Compliance: Many industries are subject to regulations that require robust cybersecurity measures. Compliance with these regulations is essential to avoid legal penalties and maintain operational integrity.

Cybersecurity in the Context of the SC-100 Exam

The SC-100: Microsoft Cybersecurity Architect exam is designed for professionals who translate cybersecurity strategies into actionable capabilities that protect an organization’s assets, business, and operations. Key areas covered in the exam include the following:

  • Zero-trust principles: Implementing security strategies that assume breaches will occur and verifying each request as though it originates from an open network.
  • Identity and access management: Ensuring that only authorized users have access to specific resources.
  • Platform protection: Safeguarding the underlying infrastructure, including servers and networks.
  • Security operations: Monitoring and responding to security incidents.
  • Data and AI security: Protecting data and AI models from unauthorized access and manipulation.
  • Application security: Ensuring that applications are secure from development through deployment.
  • Governance and risk compliance (GRC): Designing solutions that meet regulatory requirements and manage risk effectively.

Preparing for the SC-100 exam involves understanding these concepts and being able to design and implement security solutions that align with best practices and organizational needs.

To set a base level of understanding for this book, we will use the definitions provided by NIST, the National Institute of Standards and Technology. The reason for doing this is that many organizations use procedures and guidance from NIST and other agencies as the foundations of their own security standards, controls, and procedures.

According to NIST, there are multiple definitions for the term cybersecurity; the first part of the NIST definition is “the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”

Cybersecurity is also defined by NIST as “the prevention of damage to, unauthorized use of, exploitation of, and – if needed – the restoration of electronic information and communications systems and the information they contain, in order to strengthen the confidentiality, integrity, and availability of these systems.”

Taken together, this can be stated more simply: cybersecurity is the defense of electronic communications, systems, and information, ensuring that they remain available, accurate, and consistent, and confidential information remains so.

Notice also that there is emphasis placed on the ability to recover communications, systems, and information from any event, whether malicious or not.

Finally, notice that nonrepudiation is explicitly mentioned. It is not enough to be able to recover from an event; you must also be able to attribute every action or event to the true source of that event due to legal and regulatory obligations that most businesses will have to adhere to depending on their legal and geographic jurisdiction.

Overall, the underlying point is that you must take steps to provide assurance that the confidentiality, integrity, and availability of your data and systems are maintained.

Note

The glossary at the following URL links to a plethora of NIST publications that give detailed cybersecurity guidance and, as such, is a notable example of how cybersecurity might be implemented in organizations that you work for now and in the future. It is advisable to read these documents. Though it is not required for the exam, they will be advantageous to you in your career in cybersecurity: https://csrc.nist.gov/glossary/term/cybersecurity.

In the next section, you will learn more about how the role of cybersecurity has changed from an on-premises to a cloud network and infrastructure.

Evolution of Cybersecurity from On-Premises to the Cloud

When protecting an on-premises data center and infrastructure, a cybersecurity architect designs various controls to safeguard physical assets and prevent unauthorized access at physical data center entry points or internet service provider (ISP) network entry points. Traditionally, these protections included a combination of physical security appliances, such as firewalls for packet inspection, and endpoint protection by allowing access to the data center only through SSL VPN-encrypted connections. These devices were managed by the company and given antivirus and anti-malware software to mitigate potential attacks.

As companies transition to more cloud-native applications, such as Microsoft 365, and build infrastructure on cloud providers like Microsoft Azure, the responsibility for security shifts from physical to virtual environments. This creates new vulnerabilities that the company must identify and plan to mitigate. The following sections will discuss how a cybersecurity architect should plan for protection and controls within cloud and hybrid infrastructures.

Defense-in-Depth Security Strategy

When protecting cloud and hybrid infrastructure, there are many aspects that need to be considered. As you go through the various solutions offered within Microsoft 365 and Azure, such as Microsoft Sentinel, the Microsoft Defender suite, and Microsoft Entra, the defense-in-depth methodologies and principles, which are explained in the next section, are essential for effectively protecting resources, identity, and data.

Building a Defense-in-Depth Security Posture

To protect your company from cyber-attacks, it is essential to implement controls that address each stage of an attack and maintain a defense-in-depth security posture. This approach ensures multiple layers of protection, making it harder for attackers to penetrate your defenses.

When considering your infrastructure, there are many logical layers that could potentially be breached through misconfiguration or exploitation of vulnerabilities.

These layers are shown in Figure 1.2.

Figure 1.2: Logical layers of defense-in-depth posture/infrastructure


In Figure 1.2, we see the logical layers in the technology stack. It is these layers where an attacker may be able to gain access to systems and/or data.

In the following sections, you will explore these logical layers in depth, learning what each layer entails and how they can be secured.

Physical Layer

The Physical layer of defense includes the actual hardware technology and spans the entire data center facility. This includes the compute, storage, and networking components, rack spaces, power, internet, and cooling. It also includes the room that the equipment is housed in, the building location and its surroundings, and the processes that are in place for the guards, physical security staff, or guests that access these locations.

Protecting the physical layer encompasses how we create redundancy and resiliency in IT systems, and how we record and audit who accesses the building and systems. This could include gated fences, guard stations, video surveillance, logging visitors, and background checks. These physical controls should be in place for any company that utilizes its own private data center.

Although some of the considerations here may not seem related to an intrusion, it’s important to remember that an attacker’s goal is not always to access data. Sometimes, the objective is disruption, which is why redundancy and resiliency are mentioned in this section.

When utilizing Microsoft cloud services, the physical controls are Microsoft’s responsibility. We will discuss shared responsibility for cloud security in the next section.

Identity and Access Layer

Since the provider is responsible for the physical controls within cloud services, identity and access become the first line of defense that a customer can configure and protect against threats. This is why statements such as “Identity is the new control plane” or “Identity is the new perimeter” have become popular when discussing cloud security. Even if your company maintains a private data center for the primary business applications, there is still a good chance that you are consuming a cloud application that uses your company identities or credentials. For this reason, having the proper controls in place, such as multi-factor authentication (MFA), conditional access policies, and Microsoft Entra Identity Protection, will help to decrease vulnerabilities and recognize potential threats before a widespread attack can take place.

Perimeter Security Layer

Within a private data center, where the company controls the internet provider connection terminations and has firewall appliances, intrusion detection and protection solutions, and DDoS protection in place and fully configured, the protection of the perimeter is a straightforward architecture.

When working within cloud providers, perimeter security takes on a different focus. The cloud providers have agreements with the internet providers that provide services to their data centers, and these providers terminate these connections within their own hardware. The company perimeter security then becomes more of a virtual perimeter to their cloud tenant, rather than a physical perimeter to the data center network facilities. The company now relies on the provider’s ability to protect against DDoS attacks at the internet perimeter.

Within Microsoft, DDoS protection is a free service since Microsoft wants to avoid a DDoS attack that would bring down many customers in a data center. For additional perimeter protection, the company can implement virtual firewall appliances to protect the tenant perimeter and block port- and packet-level attacks, along with additional solutions, such as Application Gateway with a web application firewall (WAF), to protect against application-layer attacks.

Network Security Layer

The perimeter and network security layers work closely together. Both focus on the network traffic aspect of the company infrastructure. Where perimeter security handles the internet traffic that is entering the tenant, or data center, network security solutions protect how and where that traffic can be routed once it passes through the perimeter. Once an attacker can gain access to a system on the network, they will want to find ways to move laterally within the network infrastructure. Having proper IP address and network segmentation on the network can protect against this lateral movement taking place.

On a private data center network, this can be accomplished within switch ports with virtual local area networks (VLANs), configured to block traffic between network segments. In a cloud provider infrastructure, virtual networking, or VNETs, can accomplish similar network segmentation. In an Azure infrastructure, network security groups and application security groups can also be configured on network interfaces with additional port, IP address, or application-layer rules for how traffic can be routed within the network.

Compute Layer

After network security, we begin to get into the resources that hold our data. The first of these is our compute resources. To maintain clarity, we will generalize the compute layer as the devices with an operating system, such as Linux or Windows. Compute resources also include platform-based services where the compute layer is managed by the cloud provider, such as Azure App Service, Azure Functions, or containers. Within your own private data center with equipment that you own, protecting the host equipment and avoiding exposure by hardening the virtual hypervisor is necessary. In the public cloud, Microsoft or another cloud provider will be responsible for this. The customer responsibility for virtual machines in the cloud is focused on maintaining regular application of software updates and security fixes (often referred to as patching), to prevent exploitable vulnerabilities within the operating system. In addition, encrypting virtual machine operating systems and disks with Azure Disk Encryption will protect the disk images and contents from being exposed.

A common attack at the compute layer is scanning and gaining access to management ports on devices. Not exposing these ports, 3389 for Windows Remote Desktop Protocol (RDP) and 22 for the Linux Secure Shell (SSH) protocol, to the internet will provide a layer of protection against these attacks. Within Microsoft Azure, this can be accomplished with network security group rules, removing public IP addresses on virtual machines, bastion hosts, and/or utilizing just-in-time virtual machine access. Many of these security options will be discussed in Chapter 7, Design a Strategy for Securing Server and Client Endpoints.
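The exposure check described above can be automated. The following is an added example, not code from the book: a Python audit that walks NSG inbound rules in priority order and reports when RDP (3389) or SSH (22) is reachable from the whole internet. The flattened JSON shape, the NSG names, and the rules are constructed sample data; the check only considers sources that cover the entire internet and ignores destination address prefixes.

```python
import ipaddress
import json

# Management ports named in the text: SSH (22) and RDP (3389).
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample data (not from a real tenant). Property names follow the
# ones Azure uses for NSG security rules; the flattened layout is an assumption.
SAMPLE_NSGS = json.loads("""
[
  {"name": "nsg-web", "securityRules": [
    {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}
  ]},
  {"name": "nsg-app", "securityRules": [
    {"name": "deny-mgmt-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-low-ports", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "20-1024"}
  ]},
  {"name": "nsg-db", "securityRules": [
    {"name": "allow-out", "priority": 100, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-ssh-admin", "priority": 150, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
    {"name": "allow-range", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefixes": ["0.0.0.0/0"], "destinationPortRanges": ["1000-4000"]}
  ]}
]
""")


def _as_list(single, many):
    """Merge the singular and plural forms of a rule property into one list."""
    values = list(many or [])
    if single:
        values.append(single)
    return values


def port_in_range(port, spec):
    """True if `port` is covered by a port spec such as '*', '22' or '1000-4000'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port


def source_is_internet(prefix):
    """True only when the source covers the whole internet ('*', Internet tag, /0)."""
    value = prefix.strip().lower()
    if value in {"*", "internet"}:
        return True
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False  # some other service tag, e.g. VirtualNetwork


def first_internet_match(rules, port):
    """Return the lowest-priority-number inbound TCP rule that matches internet -> port."""
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        sources = _as_list(rule.get("sourceAddressPrefix"), rule.get("sourceAddressPrefixes"))
        ports = _as_list(rule.get("destinationPortRange"), rule.get("destinationPortRanges"))
        if any(source_is_internet(s) for s in sources) and any(port_in_range(port, p) for p in ports):
            return rule  # first match decides; later rules are shadowed
    return None  # nothing matched: treated as not exposed (implicit deny)


def audit_nsg(nsg):
    """List (nsg, service, port, rule, priority) for each exposed management port."""
    findings = []
    for port, service in MGMT_PORTS.items():
        rule = first_internet_match(nsg["securityRules"], port)
        if rule and rule["access"].lower() == "allow":
            findings.append((nsg["name"], service, port, rule["name"], rule["priority"]))
    return findings


def audit_all(nsgs):
    return [finding for nsg in nsgs for finding in audit_nsg(nsg)]


if __name__ == "__main__":
    for name, service, port, rule, priority in audit_all(SAMPLE_NSGS):
        print(f"{name}: {service} ({port}) open to the internet via '{rule}' (priority {priority})")
```

In the sample, nsg-app is not reported because its deny rule at priority 100 is evaluated before the broad allow, while nsg-db is reported because a wide port range silently includes 3389.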

Application Layer

The layer of defense that is closest to our data is our applications. Applications present data to users through our internet websites, intranet sites, and our line of business applications that are used to perform our day-to-day business. A cybersecurity architect will determine how to protect applications against common threats, such as cross-site scripting on our websites. To protect against these common threats, a WAF can be used for proper evaluation of the traffic accessing our applications. Using Transport Layer Security (TLS) protocol encryption can also help avoid the exposure of sensitive data to unauthorized individuals.

Prior to an application being moved to production, it should be rigorously tested to make sure that there are no open management ports and that all API connections are also secured.

If the application references connections to databases and storage accounts, the secrets and keys should not be exposed and a key management solution, such as Azure Key Vault, should be in place for the proper rotation of secrets, keys, and certificates. Properly securing these areas of our applications will help avoid exposure of sensitive data to those not authorized.

Data Layer

Always at the center of our defense-in-depth security posture is our data. Data is the primary asset of our company. This includes the business and financial data that is necessary for the company’s survival and the personal information of our employees and customers. Exposure or theft of this information would have potentially catastrophic effects on the company’s ability to continue. These effects could be reputational and involve financial loss.

As a security professional, one must protect data from intentional and accidental exposure to those who are not authorized to view it. Data resides in various areas within our technology infrastructure. Data can be found primarily in different storage accounts, such as blob containers or file shares, and within relational and non-relational databases. The most widespread practice for protecting this data is encryption.

Encryption makes data unreadable to those who are not properly authenticated and authorized to view it. Encryption can be used in diverse ways with data. First, there is encrypting data at rest, which is when it is stored and not being accessed. Next, there is encryption in transit, or while it is being delivered from where it is stored to the person requesting access. Finally, there is encryption in use, which maintains the encryption of the data within the application throughout the time that it is being viewed. This is the most complex of the types of data encryption since it requires the application to have the capability of presenting the encrypted data. Microsoft provides options for these encryption types that will be discussed later in this book.

Encrypting our data in our storage accounts and databases decreases its potential to be exposed to those not authorized. Additionally, requiring verification through authentication and authorization maintains the protection of data. This includes preventing anonymous access to storage accounts and masking sensitive data within our databases. The most important aspect of protecting our data is knowing where our sensitive data is located and planning proper steps to avoid it being exposed to the unauthorized. Bringing together the protection of data within the entire defense-in-depth strategy provides us with an effective way to protect against vulnerabilities and threats.

Maintaining a proper security posture across all defense-in-depth layers is the best way to protect our company from loss or exposure across cyber-attack stages. These stages will be further discussed later in this chapter. As security professionals, it is important that we take ownership of the planning, execution, monitoring, and management of all these layers and work with other stakeholders at each of these layers to maintain the overall security posture of the company.

Special considerations need to be accounted for within this security posture when utilizing public cloud services. In the next section, we will discuss how this shared responsibility for cloud services requires adjustments to our defense-in-depth security approach.

Shared Responsibility in Cloud Security

As technology has evolved and more resources have a level of exposure to external internet connections, the attack surface that is potentially vulnerable also increases. We must understand this and know where our responsibilities lie for each of the areas within our defense-in-depth security approach.

Remember that in the on-premises model, and in a hybrid cloud model, you may be solely responsible for everything within your data centers. This excludes the physical layer, which may be shared. You are unlikely to build, own, and operate your data center facilities unless you are a large enterprise.

When you operate in a cloud or hybrid model, the concept of shared responsibility comes to the fore. It describes the relationship between the customer and the cloud provider at each of the layers of defense in depth. This relationship differs depending on the technology that is being consumed.

Shared responsibility focuses on who has the ownership to interact at a specific level of protection. This may be physical ownership of equipment or administrative ownership for enabling various controls. The level of ownership between the company using the service and the cloud provider changes depending on the type of service that is being consumed by the company.

Table 1.1 shows shared responsibility for customers and Microsoft within the various cloud and on-premises services. We will learn more about these in depth later in the chapter; however, a brief description of them is as follows:

  • Infrastructure as a service (IaaS): IaaS provides virtualized computing resources over the internet. With Microsoft Azure, you can access essential infrastructure such as virtual machines, storage, and networking. This allows businesses to scale their IT resources as needed without investing in physical hardware.
  • Platform as a service (PaaS): PaaS delivers a platform that allows developers to build, deploy, and manage applications without worrying about the underlying infrastructure. Microsoft Azure App Service offers tools and services for application development, such as databases, middleware, and development frameworks.
  • Software as a service (SaaS): SaaS provides access to software applications over the internet on a subscription basis. Microsoft Office 365 is a prime example, offering applications such as Word, Excel, and Outlook, which are hosted and maintained by Microsoft, eliminating the need for businesses to install and manage software on their own systems.

| Responsibility | On-Premises | IaaS | PaaS | SaaS |
| --- | --- | --- | --- | --- |
| Data governance and rights management | Customer | Customer | Customer | Customer |
| Client endpoints | Customer | Customer | Customer | Customer |
| Account and access management | Customer | Customer | Customer | Customer |
| Identity and directory infrastructure | Customer | Customer | Microsoft/Customer | Microsoft/Customer |
| Application | Customer | Customer | Microsoft/Customer | Microsoft |
| Network controls | Customer | Customer | Microsoft/Customer | Microsoft |
| Operating system | Customer | Customer | Microsoft | Microsoft |
| Physical hosts | Customer | Microsoft | Microsoft | Microsoft |
| Physical network | Customer | Microsoft | Microsoft | Microsoft |
| Physical data center | Customer | Microsoft | Microsoft | Microsoft |

Table 1.1: Shared responsibility in the cloud

As you look at the customer’s and Microsoft’s responsibilities for security, the cybersecurity architect should determine the levels of controls that the company should have in place for each of the areas of potential vulnerabilities and exposure to attacks.

Understanding the Stages of a Cyber-Attack

Now that we have discussed the various layers within the defense-in-depth model, it is important to discuss the stages of a cyber-attack. This will demonstrate the importance of defense in depth. In other words, it will show why you cannot rely on a single security control in a single layer within the infrastructure.

There are many ways that an attacker can attempt to access resources within the company. How they gain this access and what they attempt to accomplish once they gain access is the foundation of a cyber-attack. Figure 1.3 shows the stages of a cyber-attack in a linear format.

This is the Cyber Kill Chain, which is a cybersecurity model developed by Lockheed Martin in 2011. It outlines the stages of a cyber-attack to help security teams identify and stop malicious activities. The model is based on a military concept and breaks down an attack into several phases to aid in identifying and stopping attacker activity.

Figure 1.3: Stages of the Cyber Kill Chain


In many cases, an attacker attempts to enter and do some level of damage at one of these stages. Sophisticated attackers may go through every one of these stages to gain full access to resources and increase the amount of damage that they can do to a company. Let us define each of these stages for further understanding:

  1. Reconnaissance: This is the planning stage of the attack, in which the attacker gathers information about the company or companies they will be targeting. They may use social media, websites, phishing, or social engineering of personnel within the company. Another aspect of this stage is port scanning of known management ports, such as RDP port 3389 or SSH port 22. The goal at this stage is to attempt to find ways to access systems. Port scanning helps determine which ports and services are open, closed, or filtered by sending packets to specific ports on a host and analyzing the responses.
  2. Intrusion: Using the information gathered during reconnaissance, the attacker attempts to gain unauthorized access to the systems. One common method of intrusion is a brute-force attack, where the attacker tries multiple combinations of usernames and passwords to break into the system. This type of attack is described in more detail later in this chapter, in the Common Threats and Attacks section.
  3. Exploitation: In this stage, the attacker has gained access to a system on the company network and now they want to exploit that system. A description of some of these attacks and exploits is covered in more detail later in this chapter, in the Common Threats and Attacks section. This is where the attacker begins to show malicious intent. They will begin to use this access to deliver malware across the network.
  4. Privilege Escalation: Once the attacker has gained access to a system, they will want to elevate to administrator-level access to the current resource (privilege escalation), as well as additional resources on the network (lateral movement). If they have gained access to a virtual machine on the network, they could have administrative login privileges to other virtual machines and resources on the network.
  5. Lateral Movement: Companies that use the same administrator username and password could allow the attacker to gain access to other systems across the network. This lateral movement could lead the attacker from a system without sensitive information to one that has extremely sensitive information.
  6. Obfuscation/Anti-Forensics: As is the case with any attack or crime, the person or people involved do not want to be found or traced. Therefore, they attempt to keep their access anonymous. If they have gained access through someone’s credentials within the company, this could help to decrease their traceability.
  7. Denial of Service: When an attacker cuts off access to resources, this is a denial of service. This may be through an attack such as a SYN flood, where they send many requests to a company’s public IP address that cannot be processed quickly enough. This flood of requests blocks legitimate requests from being able to access resources. Another means of denial of service could be a ransomware attack. This is not a typical blocking of information but more the withholding of information through encryption so that a company and its users can no longer access that information. The attacker then extorts the company for payment to make the information accessible.
  8. Exfiltration: The final aspect of the cyber-attack is exfiltration. This is where the attacker gains access to sensitive information, and they can take that information to do harm in some way. This could be banking information, personally identifiable information (PII) about personnel or customers, or other valuable data.

The ability to protect against each of these aspects of the cyber-attack is how we break the Cyber Kill Chain and stop an attack before it can complete its ultimate objective. Each of these stages of the kill chain becomes an area to focus on protecting with cybersecurity controls. Understanding vulnerable areas and the potential threats to them in your infrastructure will allow you to determine ways to address and create a secure architecture.

Another popular framework is the MITRE ATT&CK framework. The MITRE ATT&CK framework was developed by the MITRE Corporation in 2013. It was initially created to document adversarial behavior and improve cybersecurity defenses by understanding how attackers operate.

Microsoft Defender for Cloud threat protection alert events are categorized based on the MITRE ATT&CK framework to understand and investigate potential attacks. Figure 1.3 shows the Cyber Kill Chain.

For more information on the MITRE ATT&CK framework, visit https://attack.mitre.org/.

How Cybersecurity Architecture Can Protect Against These Threats

Now that we understand security posture, defense in depth, and shared responsibility, as you begin to architect cybersecurity for the cloud, we will discuss the makeup of a security operations team and the levels of a cybersecurity attack so that you gain an understanding of how cybersecurity architecture can help protect against these threats. You will see that a successful cybersecurity architecture is about more than just infrastructure and tooling; it is as much about people and processes as it is about technology.

Security Operations

In discussing security operations, you will hear terms such as red team, blue team, yellow team, purple team, white hat, and black hat. Let us define each of these:

  • Red team: This is a team within the cybersecurity operation of the company that will conduct simulated attacks and penetration testing on the company infrastructure.
  • Blue team: This team focuses on the defenses and the response to attacks. These are the incident responders within cybersecurity operations.
  • Yellow team: These are developers and third-party developers that the blue team should be working with on defenses within the development of controls.
  • Purple team: This team focuses on the methodology around the security architecture and protection. The purple team works closely with the red and blue teams to maximize the cybersecurity capabilities of the company. The purple team relies on the continuous feedback and lessons learned from the red and blue teams to improve the effectiveness of controls that are in place for vulnerability assessment, threat hunting and detection, and network monitoring.
  • White hat: These are considered ethical hackers. Ethical hackers use the tools of a bad or malicious hacker to attack a company’s systems but with their permission.
  • Black hat: These are malicious hackers who are attempting to gain some level of control and do harm to the company that they are attacking.

Now that you understand the roles and responsibilities within the Security Operations department, the next section will discuss the scope of cybersecurity in a cloud infrastructure.

Understanding the Scope of Cybersecurity in the Cloud

A key to building a cybersecurity architecture is to know your responsibility as a cybersecurity architect and the responsibility of the cloud provider, depending on the type of services that you are utilizing.

In the following sections, you will learn how security controls will be utilized and put into place by the cybersecurity architect based on the shared responsibilities between the cybersecurity architect and providers.

Shared Responsibility Scope

It is important for a customer or company to understand their relationship with the cloud provider in order to properly protect and secure their environment on the cloud. Let us discuss each of the services and the level of security responsibility. As a cybersecurity architect, you should think about how a control pertains to the shared responsibility model and to a defense-in-depth security approach.

On-Premises Responsibility

Although it may not seem directly relevant to a topic on cloud computing, most organizations that are not start-up businesses will commence their cloud journey with an on-premises infrastructure. They are likely to have a hybrid cloud infrastructure for many years after starting a cloud migration project, before finally having a fully cloud-native architecture (though for some businesses, it may not be practical or possible from an operational and/or regulatory perspective to be fully cloud-native).

On-premises infrastructure would be synonymous with a private data center. This is the equipment and infrastructure that the company owns. Therefore, the responsibility for security controls across all the levels of defense in depth is the company’s responsibility. We have yet to consume any cloud services, so there is no responsibility for the cloud provider.

IaaS Shared Responsibility

Infrastructure-as-a-service, or IaaS, is the service that is most like a private data center. The primary difference between IaaS infrastructure and an on-premises data center is that the cloud provider is responsible for the physical security of the data center, any physical network equipment, and the hosts that provide our virtual servers. The customer is responsible for the following for IaaS:

  • Putting all security controls in place to protect and patch the operating system
  • Creating rules and infrastructure services such as firewalls to protect the network
  • Managing and protecting applications from common threats
  • Protecting identities and controlling access
  • Patching and protecting endpoint devices

The customer is always responsible for the protection and governance of their data. This is shared across any of the cloud services in the shared responsibility model.

PaaS Shared Responsibility

Platform-as-a-service, or PaaS, removes the customer’s responsibility for maintaining the operating system. The cloud provider handles all security patches and updates. Platform services have baseline security controls for the network, applications, and identity infrastructure. These are in place to protect against threats that could affect multiple customers who are utilizing these platform services. These baseline controls may not be seen as enough for some companies, so options to increase these controls are in place, and it is the customer’s responsibility to turn them on. Many of these capabilities will be discussed later in this book. Within PaaS, the responsibility for access management, endpoint protection, and data protection and governance remains the sole responsibility of the customer.

SaaS Shared Responsibility

SaaS, or software-as-a-service, provides an application where you purchase a license on a per-user basis, log in to that application, and use it immediately. This simplifies these services to the consumer level, as there is a level of configuration that takes place for business applications. Microsoft 365 is an example of a SaaS application. The suite of software, Office 365 and SharePoint, for example, is available to use when you assign a license to a user. The cloud provider – in this case, Microsoft – has all the security controls in place for protecting the application, network, operating system, and physical environment.

Protection within SaaS is focused on identity and access management for the customer. Therefore, proper configuration of the identity and access controls is extremely important and ties into additional controls within endpoint protection, data protection, and governance. In a cloud infrastructure, SaaS, PaaS, and IaaS are all at play and need to be focused on within the cybersecurity architecture.

Note in Table 1.1 that, although there may no longer be an on-premises infrastructure, there is a shared responsibility for the identity infrastructure. Microsoft does provide a level of security controls to protect user identities as a baseline, but the customer is responsible for increasing that level of protection. An example here would be turning on multi-factor authentication; it is provided by Microsoft, but the customer needs to enable the service for some or all users.

Many companies continue to have this private infrastructure while also utilizing public cloud services. These hybrid infrastructures vary across all the areas of responsibility to account for their overall security posture. As we continue through this book, the services that are discussed fall into one of the three main categories of IaaS, PaaS, or SaaS, but may also have a hybrid component to support on-premises infrastructure.

You should now have a strong understanding of defense-in-depth security and shared responsibility in the cloud. As you should have noticed, account and access management is an area of customer responsibility no matter what service is being consumed.

Principles of the Zero-Trust Methodology

In the previous section, we identified that the responsibility for securing the physical infrastructure for cloud services lies with the cloud provider, Microsoft. Since Microsoft is responsible for the first layer of defense in our defense-in-depth security posture, the first layer that we are responsible for as a company is the identity and access layer.

In Chapter 2, Build an Overall Security Strategy and Architecture, you will explore the role of identity and access management within a cloud and hybrid infrastructure and the services that Microsoft provides for protecting resources at this layer. It is important to understand the core concept that a company should adhere to when securing identity and access. This concept is the zero-trust methodology.

The zero-trust methodology is a process of continuously requiring someone on the network to verify that they are who they say that they are. The concept is straightforward and simple, but if you were to constantly ask users to enter their usernames and passwords, they would get frustrated.

To avoid this frustration, a zero-trust implementation utilizes various signals that alert about potentially anomalous behavior, leaked credentials, or insecure devices that trigger the need for a user to reverify their identity. These signals lead to a decision on what is needed to provide access to applications, files, or websites. This architectural pattern of zero-trust identity is shown in Figure 1.4:

Figure 1.4: A flowchart where an initial signal leads to an informed decision based on organizational policy, which is then enforced across resources
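The signal, decision, and enforcement flow described above can be sketched in a few lines of Python. This is an added example, not code from the book or from any Microsoft product; the `AccessRequest` fields, the `POLICY` rules, and the choice to block some requests outright are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Decision(IntEnum):
    """Ordered so that the larger value is the more restrictive outcome."""
    ALLOW = 0
    REVERIFY = 1  # user must prove their identity again before access
    BLOCK = 2


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt plus the signals gathered about it (constructed fields)."""
    user: str
    resource: str
    sensitive_resource: bool
    leaked_credentials: bool = False
    insecure_device: bool = False
    anomalous_behavior: bool = False

    def risk_signal_count(self) -> int:
        return sum((self.leaked_credentials, self.insecure_device, self.anomalous_behavior))


# Assumed organizational policy: (rule name, condition, decision).
POLICY = [
    ("leaked credentials", lambda r: r.leaked_credentials, Decision.REVERIFY),
    ("anomalous behavior", lambda r: r.anomalous_behavior, Decision.REVERIFY),
    ("insecure device", lambda r: r.insecure_device, Decision.REVERIFY),
    ("insecure device on sensitive resource",
     lambda r: r.insecure_device and r.sensitive_resource, Decision.BLOCK),
    ("several signals on sensitive resource",
     lambda r: r.sensitive_resource and r.risk_signal_count() >= 2, Decision.BLOCK),
]


def evaluate(request):
    """Return (decision, matched rule names); the most restrictive matching rule wins."""
    matched = [(name, decision) for name, condition, decision in POLICY if condition(request)]
    decision = max((d for _, d in matched), default=Decision.ALLOW)
    return decision, [name for name, _ in matched]


def enforce(requests):
    """Apply the same policy to every resource request and record the outcome."""
    return {(r.user, r.resource): evaluate(r)[0] for r in requests}


if __name__ == "__main__":
    # Constructed requests: no signals, one signal, and signals on a sensitive resource.
    demo = [
        AccessRequest("dana", "wiki", sensitive_resource=False),
        AccessRequest("dana", "wiki", sensitive_resource=False, anomalous_behavior=True),
        AccessRequest("dana", "payroll", sensitive_resource=True, insecure_device=True),
    ]
    for request in demo:
        decision, reasons = evaluate(request)
        print(request.user, request.resource, decision.name, reasons)
```

A request with no risk signals passes without a prompt, which is how the model avoids asking users for their password on every access.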


Note

While not covered in detail in the exam, other important research to review on zero trust is the Cybersecurity and Infrastructure Security Agency (also known as CISA) Zero Trust Maturity Model (ZTMM), recently updated to version 2.0. For more information on the CISA ZTMM, go to this link: https://www.cisa.gov/zero-trust-maturity-model.

As we discussed in the Building a Defense-in-Depth Security Posture section earlier in the chapter, in the defense-in-depth strategy, the physical controls are provided by Microsoft or the cloud provider; therefore, identity and access become the first layer of defense for a company and a cybersecurity architect to protect. The zero-trust model goes much further than simply identity and access, with networks, devices, applications, infrastructure, and data within the model and the defense-in-depth strategy. As demonstrated, there are several layers within your infrastructure where you could defend against attack, but also opportunities for attackers to gain access to your systems and data.

In the later Defense in Depth: A Real-Life Example section, we will demonstrate how this all comes together by looking at a real-world example of an attack.

A cybersecurity architect needs to know what the company can expect when it comes to vulnerabilities and attacks. The following sections will define some common internal and external threats and attacks.

Common Threats and Attacks

As cybersecurity architects, it is our responsibility to identify and design controls that address and protect against threats within our company infrastructure, whether on-premises, hybrid cloud, or cloud-native.

Threats can be internal or external. They also are not always malicious or meant to cause harm to the organization. We will discuss this in more detail as we identify some of these threats in the next sections. The threats listed are examples of internal and external threats and are not expected to be an exhaustive list.

When architecting a security operations infrastructure, many solutions utilize the MITRE ATT&CK framework for hunting for and identifying threats.

Note

For more information, please use the following link: https://attack.mitre.org/matrices/enterprise/cloud/.

This framework is extensive and covers the many diverse types of tactics, techniques, and procedures (TTPs) that can be used by attackers in combination, across several layers of the infrastructure, something that is often referred to as an attack path.

While the MITRE ATT&CK framework could fill a book, we can cover in this book some of the types of threats that are common, and later demonstrate how they can be chained together to form an attack path.

The Cloud Security Alliance (CSA) also provides guidance about common attacks and threats to cloud environments.

Note

More information can be found at this link: https://cloudsecurityalliance.org/artifacts/security-guidance-v5.

Finally, it is important to be aware of and understand the Open Web Application Security Project (OWASP) Top 10 Application Security Threats.

OWASP is a nonprofit organization dedicated to improving the security of software. It provides free and open-source tools, documentation, and training for web application security.

One of OWASP’s most well-known projects is the OWASP Top Ten, a standard awareness document for developers on web application security. It highlights the most critical security risks to web applications and offers guidance on how to mitigate them.

The current Top 10 at the time of writing is as follows:

  1. Broken access control: Improperly enforced restrictions on authenticated users, allowing them to access unauthorized functions or data.
  2. Cryptographic failures: Issues related to the protection of data in transit and at rest, often due to weak or improperly implemented cryptographic algorithms.
  3. Injection: Flaws such as SQL, NoSQL, and LDAP injection, where untrusted data is sent to an interpreter as part of a command or query.
  4. Insecure design: Security weaknesses due to design flaws, rather than implementation issues.
  5. Security misconfiguration: Incorrectly configured security settings or default configurations that are insecure.
  6. Vulnerable and outdated components: Using components with known vulnerabilities or outdated software.
  7. Identification and authentication failures: Issues with authentication mechanisms, such as weak passwords or flawed session management.
  8. Software and data integrity failures: Problems with software updates, critical data, and CI/CD pipelines that can lead to unauthorized access or data corruption.
  9. Security logging and monitoring failures: Inadequate logging and monitoring, which can delay the detection of breaches.
  10. Server-side request forgery (SSRF): When a web application fetches a remote resource without validating the user-supplied URL, leading to the potential exposure of internal systems.

These categories help organizations prioritize their security efforts and address the most pressing vulnerabilities.

Note

You can read more about OWASP at https://www.owasp.org.

Internal Threats

Internal threats are caused when a vulnerability is exposed by an internal user or resource. As stated previously, these are not always malicious or meant to cause harm; they can be accidental and created due to a lack of education and awareness. These internal threats, in some cases, can become vulnerabilities subject to external attacks. We will discuss this more as we discuss some of these internal threats in this section.

Shadow IT

Shadow IT is extremely common within companies. This is caused when people in the organization use applications not tested and approved by the company. Not all shadow IT causes a threat to the company, but not properly monitoring these applications can create vulnerabilities within the company. One way to discourage shadow IT is to have company policies in place regarding the use of third-party applications that are not approved on devices that access company resources. In addition, utilizing mobile device management or mobile application management can also deter the use of these applications by blocking access to them with device policies and conditional access. Educating users is another valuable aspect of stopping shadow IT from becoming prevalent within the company.

The life cycle of monitoring and preventing shadow IT within your company is shown in Figure 1.5:

Figure 1.5: Shadow IT prevention life cycle


Figure 1.5 shows that Phase 1 is Discover and identify, that is, identifying shadow IT (IT not managed by the IT department) and assessing the risk of those apps.

It then moves into Phase 2, where we evaluate whether the applications identified are compliant with relevant company and regulatory standards and risk appetite, before analyzing the usage of those applications.

Finally, we move into Phase 3: Manage and monitor. In this phase, we manage those discovered shadow applications, apply appropriate security controls, and then monitor them.

The entire process is depicted as a life cycle, as the security posture must be continuously assessed to ensure a secure environment.

Patch Vulnerabilities

Patch vulnerabilities are another internal threat to a company. These vulnerabilities can be created by users who defer patch installation and the restarting of their devices due to inconvenience. The most frequent patches that are provided for device operating systems are security patches. Therefore, if these patches are not installed company-wide in a timely manner, the entire company is vulnerable to potential exploitation. As was the case with shadow IT, a way to discourage deferring patch installation is through educating users on the risks that avoiding these updates poses to the company and their own devices. Automating patch updates and turning off the ability to defer them through mobile device management is also an option for companies to mitigate this threat.

Elevated Privileges

Elevated privileges are created when users have administrative rights to resources within the information technology environment that may not be required for them to complete the job tasks. A user with these privileges is an internal and external threat. As an external threat, if a user’s credentials are compromised, then an attacker could gain access to sensitive information. As an internal threat, someone who has elevated privileges that allow them to access information that they are not required to view for their job could represent a privacy concern for the company. Therefore, it is important to review and audit user access and do our proper due diligence so that sensitive information is only available to those required to access it.

Developer Backdoors

When developing applications, access to the application infrastructure may be provided through an open port or service path. While the application is in development and isolated from the production infrastructure and data, this access helps developers gain access to, work on, and test the application. However, if these developer backdoors are left in place after production, this could allow access to sensitive data and even access to application code that could be altered. Like privileged access, this could be thought of as an internal and an external threat. The exposure of these backdoors becomes a vulnerability that can be leveraged by attackers. It is an internal threat since it was created through the internal application development process.

Data Exposure

Data exposure is another threat here that could fall into both the internal and external threat categories. Companies must protect their sensitive data from being exposed to those not authorized to access it. Not having proper controls in place to protect sensitive data through access, authentication, and authorization could lead to exposure from either internal or external sources. Therefore, masking data from unauthorized users can protect against this exposure of data. Avoiding open and anonymous access to storage accounts will also protect against data exposure.

Perimeter Threats

The final internal threat that we will discuss in this section is perimeter threats. These threats are considered internal because they are created by inadequate controls in place to protect the internal infrastructure. Perimeter threats could be caused by allowing users to access resources through insecure open ports or transferring data through unencrypted transmission channels. IT professionals should have proper controls in place to avoid these threats and to monitor who is accessing data from inside and outside the company firewall.

As stated in the previous sections, internal threats can also become external vulnerabilities if not properly addressed with controls. It is an IT professional’s responsibility to use proper due care and due diligence to protect the company.

Now that we have discussed some potential internal threats, let us review some potential external threats.

External Threats

The previous section focused on threats that are created internally by users, developers, or IT staff that could cause data exposure to unauthorized personnel or allow external attackers into the company infrastructure. In this section, we will discuss external threats that are initiated by external sources. These external threats can cause disruption to the company and customers, causing decreases in efficiency and revenue.

Denial-of-Service Attacks – Network and Application Layer

Denial-of-service attacks are a common external threat to companies. Also referred to as distributed denial-of-service, or DDoS, these attacks flood your ISP with thousands of requests to overwhelm the ISP and the company infrastructure to the point that actual users attempting to access resources cannot get through and their requests time out. A DDoS attack is not a threat that is based on theft, and no personal or company data is at risk during these types of attacks. These attacks are damaging to a company from a revenue and efficiency standpoint. For example, remote internal users may not be able to access the resources required to perform their job-related tasks. In addition, customers may not be able to access the company website to browse and order, costing the company revenue.

Figure 1.6 shows how these attacks threaten the ability of an actual user to access a system:

 Figure 1.6: Illustration of a denial-of-service attack.


The longer that a company is subject to these types of attacks, the greater the cost in lost revenue and time. Therefore, it is important that a company monitors these attacks and can block their source quickly to minimize the impact.

Brute-Force Attacks – Network and Application Layer

In contrast to a DDoS attack, where there is no threat of personal or company data being stolen, a brute-force attack does carry that threat. A brute-force attack is a threat with the primary purpose of gaining access to a company’s systems to digitally burglarize data. Brute-force attack threats are commonly tied to some of the internal threats mentioned previously in this chapter. These types of threats attempt to gain access to the company systems by finding an opening within those systems and then, as the name suggests, using brute force to access them. These attacks are carried out by scanning for ports that are open to the internet, finding systems that have public internet addresses on those ports, and then using commonly used usernames and passwords on systems to gain access.

Figure 1.7 shows how an attacker utilizes multiple systems and attempts to gain access to systems:

Figure 1.7: An attacker scanning public IP addresses for open ports, then attempting to gain access using common usernames once an open port is found


When a brute-force attack is successful, the company is exposed to potential theft of sensitive personal or company data that may be on that system, or other databases and file shares that are accessible from that system.
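From the defender's side, the pattern described in this section (one source trying many common usernames in a short time) is visible in sign-in logs. The following added example, which is not from the book, runs a sliding-window check over constructed log lines; the log format, the five-minute window, and the threshold of five failures are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <FAIL|OK> user=<name> src=<ip>" (assumed format).
SAMPLE_LOG = """\
2024-05-01T09:00:00 FAIL user=bob src=198.51.100.20
2024-05-01T09:10:00 FAIL user=bob src=198.51.100.20
2024-05-01T09:20:00 FAIL user=bob src=198.51.100.20
2024-05-01T09:30:00 FAIL user=bob src=198.51.100.20
2024-05-01T09:40:00 FAIL user=bob src=198.51.100.20
2024-05-01T10:00:01 FAIL user=admin src=203.0.113.10
2024-05-01T10:00:03 FAIL user=root src=203.0.113.10
2024-05-01T10:00:04 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:05 FAIL user=test src=203.0.113.10
2024-05-01T10:00:08 FAIL user=guest src=203.0.113.10
2024-05-01T10:00:09 OK user=alice src=198.51.100.7
2024-05-01T10:00:11 FAIL user=administrator src=203.0.113.10
2024-05-01T10:00:15 FAIL user=admin src=203.0.113.10
2024-05-01T10:00:20 OK user=admin src=203.0.113.10
"""

WINDOW = timedelta(minutes=5)  # assumed detection window
MAX_FAILURES = 5               # assumed threshold of failures inside the window


def parse(line):
    """Split one log line into (timestamp, outcome, user, source IP)."""
    ts, outcome, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), outcome,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_brute_force(log_text, window=WINDOW, max_failures=MAX_FAILURES):
    """Return {source IP: alert} for sources with a burst of failed sign-ins.

    An alert lists the usernames tried and any sign-in that succeeded from the
    same source while the burst was still inside the window.
    """
    recent_failures = defaultdict(deque)  # src -> (timestamp, user) of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse(line)
        recent = recent_failures[src]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if outcome == "FAIL":
            recent.append((ts, user))
            if len(recent) >= max_failures:
                alert = alerts.setdefault(
                    src, {"first_seen": recent[0][0], "usernames": set(), "succeeded": []})
                alert["usernames"].update(u for _, u in recent)
        elif outcome == "OK" and src in alerts and recent:
            # A success right after a burst of failures deserves investigation.
            alerts[src]["succeeded"].append(user)
    return alerts


if __name__ == "__main__":
    for src, alert in detect_brute_force(SAMPLE_LOG).items():
        print(src, sorted(alert["usernames"]), "succeeded:", alert["succeeded"])
```

The source with five failures spread over forty minutes and the user who mistyped a password once are not flagged; only the burst across several usernames is, along with the sign-in that succeeded at the end of it.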

Software Vulnerabilities – Application, Network, Endpoint, Identity, and Access Management Layers

Software vulnerabilities allow external threats where attackers take advantage of some of the controls that are not in place to protect the company. Some of these vulnerabilities can be caused by the internal threats that were mentioned in the previous section, such as development backdoors and patch vulnerabilities. Improperly securing application APIs also creates a vulnerability that an attacker can exploit. The threat of a software vulnerability may lead to data breaches where an attacker can gain unauthorized access to sensitive information and applications.

Many vulnerability exploits are caused by operating system code, third-party libraries, or application code that an attacker has found could be exploited. These are called zero-day exploits and are the most common of widespread threats to systems. Keep in mind that this is an external attack but is initiated through an internal user accessing a malicious email or link. Proper user education regarding the origination of emails and links can assist in preventing these exploits from becoming attacks.

Figure 1.8 illustrates the life cycle of a zero-day threat, detailing the stages from the creation and discovery of a vulnerability, through the availability of an exploit, the period of risk before and after public disclosure, and finally, the release and installation of a patch by the vendor.

Figure 1.8: The vulnerability management life cycle


IP or Identity Spoofing

An IP or identity spoofing threat comes from an attacker pretending to be someone within the company or utilizing an IP address that is seen by systems as internal. Attackers that leverage these threats have gathered information on the company through some type of phishing campaign that has allowed them to identify usernames, passwords, and IP addresses that have access to systems. These attacks are used to gain access to systems. Social engineering and phishing attacks are methods that can be used to gain this level of access.

Figure 1.9 shows an attacker that has gained access to an authorized user’s identity to gain access to another user:

 Figure 1.9: Attacker-in-the-Middle (AiTM) attack: Attacker intercepts and impersonates users in a communication.


Proper user education on phishing email campaigns and having a zero-trust model for user authentication and access will help to protect against these types of attacks.

Injection Attacks – Application and Data Layers

Injection attacks are a threat primarily to databases that are connected to our applications. These threats are like brute-force attacks, as they make an active effort to gain access to systems. The way that injection attacks gain access is by sending a command or query to a database that takes advantage of a known flaw in the database. This command code or query is then executed without proper authorization, allowing the attacker to gain access to sensitive data.

Figure 1.10 illustrates the process of how this attack may take place on a SQL database:

Figure 1.10: SQL injection attack: Hacker injects malicious SQL to access and manipulate database records.
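The SQL injection case can be shown with a vulnerable query next to its hardened form. This is an added example, not code from the book: the `customers` table and its rows are constructed, and the parameterized query is a standard mitigation that the chapter itself does not name.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333"), ("o'brien", "4444")],
    )
    return db


def lookup_vulnerable(db, name):
    """Vulnerable: user input is concatenated into the SQL text itself,
    so the database cannot tell the data apart from the command."""
    query = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """Hardened: the SQL text is fixed and the input is bound as a value,
    so it is only ever compared against the name column."""
    return db.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Textbook input that turns the WHERE clause into a condition that is always true.
INJECTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("normal input, vulnerable:     ", lookup_vulnerable(db, "alice"))
    print("normal input, parameterized:  ", lookup_parameterized(db, "alice"))
    print("injected input, vulnerable:   ", lookup_vulnerable(db, INJECTED_INPUT))
    print("injected input, parameterized:", lookup_parameterized(db, INJECTED_INPUT))
    # A legitimate name containing a quote breaks the concatenated query,
    # which is often the first visible symptom of the flaw.
    try:
        lookup_vulnerable(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("quote in name, vulnerable:    error:", exc)
    print("quote in name, parameterized: ", lookup_parameterized(db, "o'brien"))
```

With the injected input, the concatenated query returns every row in the table, while the parameterized query returns none because no customer has that literal name.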


This injection attack is caused by poor authentication and monitoring controls for the database. Figure 1.11 shows the process of how the attacker gains access to the user’s session cookies:

Figure 1.11: Cross-site scripting (XSS) attack: An attacker injects a malicious script into a vulnerable website to steal visitors’ session cookies.


The visitor to the website has no knowledge that their session cookie has been intercepted and that they have been redirected. This allows the attacker to interact with the user’s device and activate malicious code and malware.

Note

The external threats to companies and users are always evolving. A great resource to keep up with the most current risks is the OWASP Top 10 Web Application Security Risks: https://owasp.org/Top10/.

Figure 1.12: Security risk matrix visualized


In Figure 1.12, the x axis shows the impact scale, indicating the severity of the risk. The y axis shows the likelihood scale, representing the probability of the risk occurring. The intersection of these scores generates a risk score, guiding the prioritization of remediation efforts.

Throughout this book, we will discuss the ways that a cybersecurity architect can evaluate and design infrastructures to protect and remediate potential internal and external threats and vulnerabilities before they are exploited and turn into attacks.

Social Engineering

Social engineering attacks manipulate human behavior to gain unauthorized access to systems or information. Here are some common types and techniques:

  • Phishing: Attackers send fraudulent emails or messages that appear to come from legitimate sources, tricking recipients into revealing sensitive information or clicking on malicious links.
  • Spear phishing: A more targeted form of phishing, where attackers customize their messages to a specific individual or organization, often using personal information to appear more convincing.
  • Whaling: Like spear phishing but targets high-profile individuals such as executives, aiming to gain access to sensitive corporate information.
  • Baiting: Attackers offer something enticing, such as free software or a gift, to lure victims into providing personal information or downloading malware.
  • Pretexting: Attackers create a fabricated scenario to trick victims into divulging information or performing actions that compromise security.
  • Quid pro quo: Attackers promise a service or benefit in exchange for information or access, such as pretending to be IT support and offering help in return for login credentials.
  • Tailgating/piggybacking: Attackers physically follow authorized personnel into restricted areas without proper authentication.
  • Vishing: Voice phishing, where attackers use phone calls to trick victims into revealing personal information.
  • Smishing: SMS phishing, where attackers send fraudulent text messages to deceive victims into providing sensitive information.
  • Honeytrap: Attackers use romantic or seductive approaches to manipulate victims into sharing confidential information.

Understanding these techniques helps in developing effective security awareness programs and implementing measures to protect against social engineering attacks.

Defense in Depth: A Real-Life Example

So far in this chapter, we have discussed the various logical layers in a technology stack, the types of controls that you may choose to configure in some or all of these layers, and the types of attacks that your infrastructure might face, from internal and external sources.

What we have not yet done is bring this all together to demonstrate the real, tangible benefit of a defense-in-depth strategy.

Now that you know about the foundational components, it’s time to refer to a real-world example of a successful cyber-attack by a persistent and well-resourced attacker, where you will gain an understanding of the stages of the attack and the opportunities for defense that could have prevented the attack from being successful or limited the impact from it.

On December 13, 2020, news broke in IT, security, and even mainstream news media of a breach of SolarWinds, a company that makes software to manage networks and IT infrastructure.

Cybercriminals believed to be working for a nation-state had managed to insert a backdoor into SolarWinds' widely used software, Orion. A backdoor is where a malicious actor inserts software code or a misconfiguration that allows them to gain access to the software or system at will without being detected. It is called a backdoor because, though you might lock the front door of your home and have security measures, if you leave your back door open, you are vulnerable to intrusion.

The initial discovery was not made by SolarWinds, but by one of its customers, a computer security firm called FireEye. Their investigation led them to the conclusion that they had been breached using Orion, and that there was what looked like a backdoor in the Orion software.

An advisory issued by the U.S. Department of Homeland Security indicated that the affected versions of SolarWinds Orion were versions 2019.4 through 2020.2.1 HF1. In total, more than 18,000 SolarWinds customers installed malicious updates.

This attack is commonly referred to as a supply chain attack – the affected businesses were impacted by a compromise of software that they consume, from a vendor in their supply chain.

If you are wondering what the defense-in-depth angle is here, there were several ways in which customers could have avoided being vulnerable to the Orion compromise:

  • Had they not exposed their Orion servers to the internet, the threat actors could not have compromised their systems by exploiting the backdoor – this is a network security layer control. Microsoft Defender for Cloud and Microsoft Defender XDR may have been able to detect these publicly accessible servers and alert them that they should be remediated.
  • Had they been vigilantly updating and patching the software, they would not have been running the vulnerable versions for as long – this is an application layer control. Microsoft Defender for Cloud and Microsoft Defender XDR could have alerted about old software versions with known vulnerabilities. While this vulnerability was not yet known, all software has bugs and vulnerabilities – a regular update cadence helps ensure that known issues are resolved before they can be exploited.

Similarly, the SolarWinds compromise, which allowed the threat actors access to their systems to add the backdoor into their software without being detected, could have been either averted or detected sooner through the following:

  • Microsoft Defender for Cloud may have been able to detect weaknesses in the software development processes in SolarWinds, such that the attempt to insert malicious code may have been detected.
  • Had SolarWinds had more extensive logging, linked to a security information and event management (SIEM) platform such as Microsoft Sentinel, they may have been able to spot unusual or malicious behavior in their systems.
  • The initial access vector for compromising SolarWinds was a compromised virtual private network (VPN) account belonging to one of their employees. Had SolarWinds been monitoring credentials, the behavior of identities, and other signals, they might have identified earlier that a malicious attacker had gained unauthorized access to their network – this is the identity and access layer. Products such as Microsoft Defender for Identity and Microsoft Entra Conditional Access are designed to surface insights such as this.

What you should take away from this chapter and this very high-level summary of a now infamous attack is that no single security control is infallible; you need as many security controls in as many layers of your infrastructure as you can afford and as is reasonable given the risk appetite of your business.

If a single control fails, other controls may yet prevent a successful compromise, reduce lateral movement, or alert you sooner to unauthorized activity.

Note

You can read the full, detailed writeup on Wired.com at this link: https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/.

Additional Example: Okta

In October 2023, Okta experienced a significant security incident that underscores the importance of defense in depth. What follows is a detailed summary of the incident, its impact, response, and remediation, highlighting where defense in depth could have mitigated the breach.

Initial Signs of Compromise

The breach began when attackers used stolen credentials to access Okta’s customer support system. The initial signs of compromise were detected when unusual activity was observed in the support system, specifically unauthorized access to HTTP Archive (HAR) files uploaded by customers.

Impact

The attackers gained access to sensitive data, including authentication tokens and personal information of Okta’s customer support users. This breach affected nearly all customer support users, exposing names, email addresses, and other sensitive details. Approximately 1% of Okta’s 18,000+ customers had their authentication tokens stolen, which could be used to alter customer accounts.
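A HAR capture records complete request and response headers, cookies, and bodies, so a file shared for troubleshooting can carry live session tokens. The following added example (not from the book or from Okta) strips credential-bearing fields from a HAR structure before it is shared; the lists of sensitive names and the sample capture are assumptions constructed for illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names treated as credential-bearing: an assumption for this example; extend per app.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "code",
                    "password", "client_secret", "sid", "sessionid"}
REDACTED = "REDACTED"


def _scrub_pairs(pairs, sensitive):
    """Redact values in a HAR name/value list and return the number redacted."""
    hits = [p for p in pairs or [] if p.get("name", "").lower() in sensitive]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)


def _scrub_url(url):
    """Redact sensitive query parameters embedded in request.url."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    hits = sum(1 for name, _ in query if name.lower() in SENSITIVE_PARAMS)
    if not hits:
        return url, 0
    scrubbed = [(n, REDACTED if n.lower() in SENSITIVE_PARAMS else v) for n, v in query]
    return urlunsplit(parts._replace(query=urlencode(scrubbed))), hits


def sanitize_har(har):
    """Return (sanitized deep copy, redaction count); the input is not modified."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for message in (request, response):
            count += _scrub_pairs(message.get("headers"), SENSITIVE_HEADERS)
            # HAR repeats Cookie/Set-Cookie in a parsed "cookies" array: redact every value.
            for cookie in message.get("cookies") or []:
                cookie["value"] = REDACTED
                count += 1
        if "url" in request:
            request["url"], hits = _scrub_url(request["url"])
            count += hits
        count += _scrub_pairs(request.get("queryString"), SENSITIVE_PARAMS)
        post = request.get("postData") or {}
        count += _scrub_pairs(post.get("params"), SENSITIVE_PARAMS)
        # Bodies can carry tokens in any encoding, so drop them rather than parse them.
        for body in (post, response.get("content") or {}):
            if body.get("text"):
                body["text"] = REDACTED
                count += 1
    return clean, count


# Constructed sample capture (not real data): one authenticated API call.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET",
                "url": "https://app.example.com/api/users?page=2&access_token=abc123",
                "headers": [{"name": "Authorization", "value": "Bearer abc123"},
                            {"name": "Cookie", "value": "sid=s3cr3t"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3cr3t"}],
                "queryString": [{"name": "page", "value": "2"},
                                {"name": "access_token", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=n3w; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "n3w"}],
                 "content": {"mimeType": "application/json", "text": "{\"token\": \"abc123\"}"}},
}]}}
```

Calling `sanitize_har(SAMPLE_HAR)` returns the cleaned copy and the number of redacted values, while non-sensitive fields such as `page=2` and the `Accept` header are preserved for troubleshooting.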

Response

Okta’s response involved several critical steps:

  1. Engagement with law enforcement: Okta promptly notified law enforcement agencies to investigate the breach.
  2. Customer notifications: Affected customers were informed, and Okta provided a customized impact report along with recommendations to mitigate potential phishing and social engineering attacks.
  3. Publication of indicators of compromise (IOCs): Okta shared IOCs to help customers identify and respond to similar threats.
  4. Enhanced security measures: Okta reviewed and enhanced the security of its support system, including changes to access provisioning and data retention policies.

Remediation

To prevent future incidents, Okta implemented several remediation measures:

  1. Zero standing privileges: Admin roles are now requested, approved, and assigned only for the duration needed.
  2. Multi-factor authentication (MFA): MFA is required for critical actions in the admin console.
  3. Dynamic zones: Okta introduced the ability to detect and block requests from anonymizers to protect critical assets.
  4. IP binding: Sessions are invalidated if the source IP changes during the session, preventing session takeover.
  5. Allowlisted network zones for APIs: This restricts attackers from stealing and replaying tokens outside specified IP ranges.
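To make the last two controls concrete, here is an added sketch (not Okta's implementation and not code from the book) of how IP binding and allowlisted network zones each treat a credential replayed from a different address. The class names, messages, and addresses are hypothetical; the addresses come from documentation ranges.

```python
import ipaddress
import secrets


class AdminSessions:
    """IP binding: a session is valid only from the address it was created on."""

    def __init__(self):
        self._bound = {}  # session id -> IP address seen at sign-in

    def sign_in(self, ip):
        sid = secrets.token_urlsafe(32)
        self._bound[sid] = ipaddress.ip_address(ip)
        return sid

    def check(self, sid, ip):
        bound = self._bound.get(sid)
        if bound is None:
            return "rejected: unknown or invalidated session"
        if ipaddress.ip_address(ip) != bound:
            del self._bound[sid]  # invalidate, so the holder must re-authenticate
            return "rejected: source IP changed, session invalidated"
        return "allowed"


class ApiTokens:
    """Allowlisted network zones: a token is honoured only from listed ranges."""

    def __init__(self):
        self._zones = {}  # token -> list of allowed networks

    def issue(self, allowed_cidrs):
        token = secrets.token_urlsafe(32)
        self._zones[token] = [ipaddress.ip_network(c) for c in allowed_cidrs]
        return token

    def check(self, token, ip):
        zones = self._zones.get(token)
        if zones is None:
            return "rejected: unknown token"
        addr = ipaddress.ip_address(ip)
        if not any(addr in zone for zone in zones):
            return "rejected: outside allowlisted zone"
        return "allowed"


def replay_demo():
    """Constructed scenario using documentation address ranges (RFC 5737)."""
    office, elsewhere = "203.0.113.10", "198.51.100.7"
    sessions, tokens = AdminSessions(), ApiTokens()
    sid = sessions.sign_in(office)
    api = tokens.issue(["203.0.113.0/24"])
    return [
        sessions.check(sid, office),     # owner's normal request
        sessions.check(sid, elsewhere),  # same session presented from another address
        sessions.check(sid, office),     # owner must now sign in again
        tokens.check(api, office),       # API call from inside the zone
        tokens.check(api, elsewhere),    # same token presented from outside the zone
        tokens.check(api, office),       # token still works for its owner
    ]
```

The two controls fail differently: IP binding ends the session for everyone, including the legitimate holder, while the zone check rejects only the out-of-zone request and leaves the token usable from allowlisted ranges.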

Defense in Depth

The breach could have been mitigated or even avoided with stronger defense-in-depth strategies:

  1. Credential management: Implementing stricter controls on credential storage and usage could have prevented the initial compromise – for example, ensuring that service account credentials are never stored on personal devices.
  2. MFA: Enforcing MFA for all administrative accounts would have added an additional layer of security, making it harder for attackers to gain access even with stolen credentials.
  3. Network segmentation: Isolating the support system from other critical systems could have limited the attackers’ ability to move laterally and access sensitive data.
  4. Regular audits and monitoring: Continuous monitoring and regular security audits could have detected the unusual activity sooner, allowing for a quicker response.

This incident highlights the critical need for a multi-layered security approach to protect against sophisticated cyber threats. By implementing defense-in-depth techniques, organizations can significantly reduce the risk and impact of security breaches.

Note

You can read more about this incident and response at https://sec.okta.com/harfiles.

Summary

In this chapter, we discussed multiple areas to consider as a cybersecurity architect within cloud and hybrid infrastructures. This included the variations in cybersecurity for on-premises data centers versus moving to cloud environments. As you move on to the next sections of this book and begin to determine how Microsoft’s capabilities can be used to design a cybersecurity architecture for a company, these concepts and topics will be important to reference.

The key takeaways from this chapter are that there are a wide variety of TTPs employed by attackers to disrupt access to or gain unauthorized access to systems and data, both on-premises and in the cloud. These attacks can occur across multiple layers of your technology stack, and attackers often chain TTPs together, exploiting small vulnerabilities to create significant risks. Also, a defense-in-depth approach is essential for securing your systems and data. Finally, Microsoft offers several products designed to detect and protect against these risks across various layers.

The next chapter will discuss how to build an overall security strategy and architecture with a focus on the Microsoft Cybersecurity Reference Architectures.

Exam Readiness Drill – Chapter Review Section

Apart from mastering key concepts, strong test-taking skills under time pressure are essential for acing your certification exam. That’s why developing these abilities early in your learning journey is critical.

Exam readiness drills, using the free online practice resources provided with this book, help you progressively improve your time management and test-taking skills while reinforcing the key concepts you’ve learned.

How to Get Started

  1. Open the link or scan the QR code at the bottom of this page.
  2. If you have unlocked the practice resources already, log in to your registered account. If you haven’t, follow the instructions in Chapter 11 and come back to this page.
  3. Once you have logged in, click the START button to start a quiz.

We recommend attempting a quiz multiple times till you’re able to answer most of the questions correctly and well within the time limit.

You can use the following practice template to help you plan your attempts:

Table

The above drill is just an example. Design your drills based on your own goals and make the most of the online quizzes accompanying this book.

First time accessing the online resources?

You’ll need to unlock them through a one-time process. Head to Chapter 11 for instructions.


Key benefits

  • Gain a deep understanding of all topics covered in the latest SC-100 exam
  • Advance your knowledge of architecting and evaluating cybersecurity services to tackle day-to-day challenges
  • Get certified with ease through mock tests with exam-level difficulty
  • Benefit from practical examples that will help you put your new knowledge to work

Description

This Second Edition of Microsoft Cybersecurity Architect Exam Ref SC-100 is a comprehensive guide that will help cybersecurity professionals design and evaluate the cybersecurity architecture of Microsoft cloud services. Packed with practice questions, mock exams, interactive flashcards, and invaluable exam tips, this comprehensive resource gives you everything you need to conquer the SC-100 exam with confidence. This book will take you through designing a strategy for a cybersecurity architecture and evaluating the governance, risk, and compliance (GRC) of the architecture of both cloud-only and hybrid infrastructures. You'll discover how to implement zero trust principles, enhance security operations, and elevate your organization's security posture. By the end of this book, you'll be fully equipped to plan, design, and assess cybersecurity frameworks for Microsoft cloud environments—and pass the SC-100 exam with flying colors. Ready to take your cybersecurity expertise to the next level? This guide is your key to success.

Who is this book for?

This book is for IT professionals pursuing the Microsoft Cybersecurity Architect Expert SC-100 certification. Familiarity with the principles of administering core features and services within Microsoft Azure, Microsoft 365, and related on-premises technologies (servers, Active Directory, networks) is needed. Prior knowledge of how these technologies integrate with each other will also be beneficial.

What you will learn

  • Design a zero-trust strategy and architecture
  • Evaluate GRC technical and security operation strategies
  • Apply encryption standards for data protection
  • Utilize Microsoft Defender tools to assess and enhance security posture
  • Translate business goals into actionable security requirements
  • Assess and mitigate security risks using industry benchmarks and threat intelligence
  • Optimize security operations using SIEM and SOAR technologies
  • Securely manage secrets, keys, and certificates in cloud environments

Product Details

Publication date: Oct 31, 2024
Length: 300 pages
Edition: 2nd
Language: English
ISBN-13: 9781836208501


Table of Contents

12 Chapters
Chapter 1: Cybersecurity in the Cloud
Chapter 2: Build an Overall Security Strategy and Architecture
Chapter 3: Design a Security Operations Strategy
Chapter 4: Design an Identity Security Strategy
Chapter 5: Design a Regulatory Compliance Strategy
Chapter 6: Evaluate Security Posture and Recommend Technical Strategies to Manage Risk
Chapter 7: Design a Strategy for Securing Server and Client Endpoints
Chapter 8: Design a Strategy for Securing SaaS, PaaS, and IaaS
Chapter 9: Specify Security Requirements for Applications
Chapter 10: Design a Strategy for Securing Data
Chapter 11: Accessing the Online Practice Resources
Other Books You May Enjoy