Exam SC-100 topic 1 question 8 discussion

https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

Keyword are CONTROLS and ENSURE. So A & B both are the answer. https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

I think the correct answer is BC. The question states clearly "in the event of a successful ransomware attack". The ransomware attack does not delete backups and does not modify backup schedules. The attack purpose is to encrypt. That said by using option C (C. Encrypt backups by using customer-managed keys (CMKs)) you will guarantee that an additional encryption attempt made by Ransomware will not be successful as at that point the backups will be already encrypted.

'You need to recommend which CONTROLS must be enabled to ENSURE that Azure Backup can be used to RESTORE the resources in the event of a successful ransomware attack.' Whilst helpful for auditing purposes and detection of a malicious attack, monitoring configuration changes and alerting after a change is made does not represent a CONTROL which ENSURES Azure Backup can be used to RESTORE the resources. Answers are therefore A and B.

Soft delete protection, even if a malicious actor deletes a backup (or backup data is accidentally deleted). Backup data is retained for 14 additional days, allowing the recovery of a backup item with no data loss. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups. https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups. Soft delete protection, even if a malicious actor deletes a backup (or backup data is accidentally deleted). Backup data is retained for 14 additional days, allowing the recovery of a backup item with no data loss

AB is the answer. https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud Concerns about security issues, like malware, ransomware, and intrusion, are increasing. These security issues can be costly, in terms of both money and data. To guard against such attacks, Azure Backup now provides security features to help protect backup data even after deletion. One such feature is soft delete. With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature#authentication-to-perform-critical-operations

Options B (Require PINs for critical operations), D (Perform offline backups to Azure Data Box), and E (Use Azure Monitor notifications when backup configurations change) are not directly related to ensuring the availability and restore capabilities of Azure Backup in the event of a ransomware attack. Therefore, the recommended controls to include in the strategy for protecting against ransomware attacks and ensuring the usability of Azure Backup for resource restoration are: A. Enable soft delete for backups C. Encrypt backups by using customer-managed keys (CMKs)

A. Enable Soft Delete for Backups: Soft delete adds an additional layer of protection for your backup data. Even if a backup is deleted (whether accidentally or maliciously), it is retained for an additional period (14 days by default for Azure VMs and 30 days for Azure Blob Storage). During this retention period, the backup data can be recovered, ensuring that you can restore from these backups even if they are targeted in a ransomware attack. B. Require PINs for Critical Operations: This control adds an extra layer of security by requiring a PIN for critical operations, such as deleting backup data or changing backup configurations. This can prevent malicious actors from easily performing destructive actions, even if they have compromised your environment. It's a form of multi-factor authentication that ensures only authorized users can perform sensitive operations on your backups.

To ensure that Azure Backup can be used to restore resources in the event of a successful ransomware attack, you should include the following controls: A. Enable soft delete for backups: This feature protects your backup data from accidental or malicious deletion by retaining deleted backup data for 14 additional days, allowing you to recover it before it’s permanently lost1. B. Require PINs for critical operations: This adds an extra layer of security by requiring a security PIN for critical operations, ensuring that only authorized users can perform such actions

Agreed with B and E A - enable soft delete on a resource, e.g storage account. not on backup C - does not help. D - "Store backups in offline or off-site storage" would be a perfect choice. but using Azure Data Box is incorrect, which is a data transfer device to move data from on-prem to Azure cloud. it is not a long-term data storage solution.

Currently the solutions published by Microsoft are BD: -Store backups in offline or off-site storage and/or immutable storage. -Require out of band steps (such as MFA or a security PIN) before permitting an online backup to be modified or erased. https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware#steps-to-take-before-an-attack About Offline Backup -> https://learn.microsoft.com/en-us/azure/backup/offline-backup-overview

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware Please refer to the section 'Steps to take before an attack'. Some of the steps mentioned are: 1. Store backups in offline or off-site storage - (Option B) 2. Require out of band steps such as MFA or a security PIN (Option D) Option A - does not seem to be a valid choice as Soft Delete is enabled by default Option C - Not mentioned in the MS link above Option E- Not mentioned in the MS link above Therefore, B & D are the correct choices as per MS article and not what the votes indicate.

"Soft Delete" doesn't works with Storage Account : https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud?tabs=azure-portal

Answer: BD Check this link (slide 20). https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fdownload.microsoft.com%2Fdownload%2F7%2F5%2F1%2F751682ca-5aae-405b-afa0-e4832138e436%2FRansomwareRecommendations.pptx&wdOrigin=BROWSELINK

A, C, and E are best practices for ransomware attack: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq The right answer is A, soft delete, and C, enabling CMK, to be able to restore after successful attack. If the attack deletes the data, enabled soft delete will restore it. If the attack encrypts the data, the backups that are encrypted by CMK cannot be tampered with and can be decrypted and restored.