The author details his experience with the Security, Compliance, and Identity Fundamentals Certificate, particularly focusing on the Azure-related content. The author found the cybersecurity aspects straightforward due to his background but struggled with the compliance sections. He benefited from practice exams and an unrelated training video on Microsoft Sentinel, which unexpectedly aided in the exam. Despite initial nervousness, the author passed the exam and plans to pursue the AZ-500, Azure Security Engineer Associate certification next. The post reflects on the practical application of the learned material at work and his strategies for effective exam preparation.

I was awarded the certificate for Security, Compliance, and Identity Fundamentals today. Here are my thoughts.

Overall, I’ve been enjoying these training paths and exams so far. The point of this training is to learn, and I’ve learned a number of things as they pertain to Azure, which is the whole reason to do this, so that’s good. I’ve already been able to put into practice at work some of the things that I’ve learned.

I did the learning path for the SC-900 exam, as well as the recommended primer “Describe the basic concepts of cybersecurity” just so that I didn’t miss anything that might be referenced later. Again, the cyber security parts to the SC-900 were rather simple for me since that’s my background, it’s all the Azure specific stuff that required some learning.

The training course was good and, like I said, I learned a lot. Some of the sections just dragged, anything having to do with compliance and legal things was painful. I have to do compliance questionnaires at work already, and legal compliance is one of the driest topics for me, so all the Purview stuff didn’t really stick.

After completing the learning, I noticed a little link at the bottom of all of the modules about being able to take a practice exam for free, so I did just that, a few times. I bombed it the first time. Figures. I took it a few more times and did a lot better. The practice exams are an amazing little way to study actually since when you check each answer as you go, it gives you an explanation about each option, why the correct answer was correct and why the other answers wouldn’t be correct, and gives clarification about what they do, so not only does it help with testing your knowledge, it also helps to increase knowledge, and I actually ended up learning a couple things in this manner that I completely missed in my readings.

Another completely unrelated thing that really ended up helping for the exam, was that the other day I decided to watch a training video online about Microsoft Sentinel. We don’t use that product and never will, but I wanted to learn more about it just as a matter of professional curiosity. So I watched this 2 ½ hour video on it, and there ended up being questions on the exam that were talked about in that video.

Since I don’t use that product, I have no experience with it. Reading about it can only do so much for me. I find that the topics for this exam that pertain to Azure features that I actually use were much easier to remember and answer correctly, since I have that experiential knowledge. Something like Purview, which I don’t care about and also have no experience with, well those questions were a lot more difficult to recall. Watching that demo video on Sentinel was as close to experience as I was going to get, and that really helped. I’ll have to do that for each major product introduced for my next cert.

The exam itself went well enough. I tried taking it in a different room in my house, and that didn’t work out as well as I would have liked. I tried taking it in our homeschool room, and the proctor said there were too many posters and books around me, so I had to drag my desk to the center of the room out of view of everything all over the walls. I’m just going to take the next exam in my laundry room.

I did better on this exam than the one for my last cert, though I thought I was going to fail it while I was taking it. I wasn’t nervous before the exam, but I really was once I started, but at least that made my excitement all the greater once I was done and saw my score.

Now I move onto the next certificate, the one that I actually want to get, the AZ-500, Azure Security Engineer Associate.

Link to certificate: Credentials – InfosecGreg | Microsoft Learn

The author shares his experience of taking the Azure Fundamentals certificate exam. He describes the preparation process, the technical issues he faced, and the areas he struggled with. He also expresses his excitement and gratitude for passing the exam and his plans to pursue the security fundamentals certificate next.

I was awarded the certificate for Azure Fundamentals today. Here are my thoughts.

I did the learning path for the AZ-900 certificate first. Going in with no assumptions of my own abilities, I wanted to do all that I could to help myself with what I should know. The learning path was good, and though about a third of it was not anything new given my background as an SRE, I did learn a whole bunch of things which are unique to the Azure platform. It was an effective way to spend my time. 

I did end up completing a module that was not a part of the learning path for this certificate. I clicked on some continue link suggested by the site after I completed one of the modules, and it had nothing to do with what I was trying. So, after that mistake, I made sure to check the path after I completed each module so that I would stay on track. The module I ended up doing was about an hour, and it was all about the business and cost side of Azure migration plans, so it was not a complete waste of time, but I would have liked to have not gone through it. 

After completing the learning modules, I scheduled an exam. The exam is managed through Pearson VUE. I have delt with them in the past, back in the day when there were no online options and you had to drive to a physical testing center. I am grateful for the online choice now. 

There is an executable that you download which walks you through the technical steps for the exam, and a part of it checks running processes on your machine. This is fine and all, except that it started yelling at me about the Razer gaming center and light management programs. So, after mucking about in task manager, I got all that killed, and then the program said that taskmgr was still open and needed to be closed, which is an issue since I use taskmgr to close tasks, and you cannot use it to kill itself. I went to the bathroom at this point. When I came back and tested again, everything reported as good. 

It was a rocky start. The proctor had a question about something in my office, and he was hard to understand, so after cranking my speakers up all the way, and asking for him to repeat the question a few times, I found that he was inquiring about a box on my wall. I have a five-port switch mounted to my wall next to my desk, and as it is not normal for people to have networking equipment bolted to their walls. Once that was resolved, I was able to begin. 

I don’t test well. I do my best to take my time and read and understand the questions, but I am easily thrown off by certain wordings of questions. It did feel like I was just guessing on some of them, picking the best sounding answer. For the questions about the specific product names as they exist in Azure, and what they do and do not do, I faltered a bit. I certainly could use some more familiarity with that. As for the general cloud concepts, I did very well, not only how it felt in taking the exam, but also according to the nice little bar graph you get at the end. So, I do know where I need a bit more study and experience. 

I am always nervous about things like this, about testing and exams and the like. Failure was a possibility, which is perhaps why I get nervous. I am grateful that I was able to recall the information that I had studied and the experiences that I have had. 

I was extremely excited once I finished and got the results. I was and am incredibly happy to have passed. Having taken this exam I now have a better understanding of the process and the style of questions that I might expect for future exams. 

My next steps are to go through the learning path for the SC-900 security fundamentals and take that exam. I am excited to begin with the hope of a successful completion.

Link to the certificate:

• https://learn.microsoft.com/api/credentials/share/en-us/InfosecGreg/D224F904B52B5559?sharingId=CC7ED1C075CCA55A

The author of this blog post shares his certification roadmap for the year 2024, which focuses on Azure cloud security. He plans to obtain four certifications: Azure Fundamentals (AZ-900), Security, Compliance, and Identity Fundamentals (SC-900), Azure Security Engineer Associate (AZ-500), and Cybersecurity Architect Expert (SC-100). He explains the rationale behind his choices and provides some reference links for each certification. He also intends to write a post for each learning path and exam he completes.

I recently decided to change my focus in cybersecurity from red team to blue team. Though I am not abandoning the increasing of my knowledge and understanding of TTPs, the change is more in the “why” as opposed to the “what.” I can use my offensive skills for defensive purposes.

With this modification of professional direction, the pursuit of new certifications is in order. Since one of my main job responsibilities currently is the security of our cloud environments, it would make sense that I should invest in certificates related to cloud security. The year 2024 will be a focus on Azure, and if all goes well, the year 2025 will be a focus on AWS.

For the upcoming year, I have mapped out which certifications I want to get. So here is my certificate roadmap.

Azure Fundamentals (AZ-900): As the name states, the training for this certification is on the fundamentals about the Azure platform. At the time of writing, I have already begun the learning path for this. For me, a lot of this so far has been review of what I already know, though I have learned some new things. Not only do I have experience specifically with Azure, but I also have a background as an SRE and system administrator in AWS and GCP. I wanted to start with this certificate since it really is the start of any other Azure learning pathways.

Security, Compliance, and Identity Fundamentals (SC-900): You had me at “Security.” This certificate is another foundational one which I think will be beneficial for me to earn since it takes what I already know about security and puts it into the scope of Azure and Microsoft products and platforms. 

Azure Security Engineer Associate (AZ-500): This is the certificate that I’m most looking forward to getting. I could have just started on this learning path, but I wanted to build for myself a solid foundation with the other two certifications so that I could focus on just the security topics for this learning path and not have to backtrack on the basics. If I’m only able to get this certification by the end of next year, then that will be good enough for me, though I don’t plan to stop here.

Cybersecurity Architect Expert (SC-100): Do I need this one? No. Is it going to be a great benefit to me in my current position? I have no idea, but I’m a sucker for achievements that have prerequisites. The AZ-500 is one of the certifications that is needed to get the SC-100, so sign me up. In all honesty though, I love architecting things, and that those things would be security related is even better.

In theory, I should be able to earn each of the four certificates in a year, given that I intend on going through each learning path fully, and I can only invest so much time each day for professional development.

I also plan to write a post as I complete each of the learning paths and attempt related exams.

Reference links just for fun:

• https://learn.microsoft.com/en-us/credentials/certifications/azure-fundamentals/
• https://learn.microsoft.com/en-us/credentials/certifications/security-compliance-and-identity-fundamentals/
• https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/
• https://learn.microsoft.com/en-us/credentials/certifications/cybersecurity-architect-expert/

A handy pdf for these and other certifications:

• https://aka.ms/traincertposter

In this blog post, the author shares his personal journey of pursuing his childhood dream of becoming a hacker. He recounts how he was inspired by movies, how he learned various skills in technology, and how he eventually achieved his OSCP certification. However, he also reveals that he realized he had no passion for offensive security, and that he was happier as a programmer and a cloud security engineer. He expresses his relief and excitement for his new path, and invites the readers to follow his progress.

I used to want to be a hacker.

I wanted to be a hacker, just like in the movies. When I was a child, I saw the movie, Hackers. This was back in 1995, and it changed me, I knew what I wanted to be when I grew up. For most of my life I didn’t follow through with this though since back in the 90’s and early 2000’s there wasn’t really much opportunity to be a white hat, since that didn’t really exist as a concept, all hackers were bad, there was no real information security, at least not like how it is today. 

I spent most of my life in technology though. I went to a trade school for electronics and continued in the electronics field in the Navy after high school, specializing in communications. After this I got a job doing electronics assembly and repair. After a few years I started messing around with spreadsheets in order to keep track of the repairs I was doing, and I started to implement simple analytics in Excel. At this time, a friend in IT at the company where I worked, told me that I should really just start using a database. From there I got into IT proper, as well as started to learn how to program. 

A long story short, I continued in IT in many forms both general and specific. Then I decided to try for my childhood dream. Times had changed and you could actually make a really good living in infosec, it was a thing now and it was legal. I studied for and received my OSCP back in 2018. I was on my way. 

Here now at the end of 2023 I’ve come to realize a lot of things. The main one is that I don’t care to be a hacker. I have no passion for offensive security, for pentesting, for red teaming. I tried. I really did. I wanted to be something so badly, that all I did, and thought was around that one goal, being a hacker. For some, that’s great, it just wasn’t for me. 

I realized that I was just LARPing as a hacker. I found myself becoming increasingly arrogant towards the “blue team” and any defensive systems. They were the enemy, and what did they know? The real cool guys in the infosec world are the hackers, all dressed in black hoodies sitting in some basement surrounded by neon lights like some cross between Mr. Robot and Cyberpunk 2077. 

There are legitimate white hats out there, they are amazing and great and do some really impressive work. That’s just not me. For the first time I’m actually happy. I’m not defeated, I’ve dealt with that a lot, I’m not burdened, I have been before with these things, but for the first time, I feel relieved. I don’t have to pretend any more. 

I am a far better programmer than I am a hacker. I am far better at DevOps than red teaming. I’m actually looking forward to working toward and getting cloud security certs for Azure, since that’s what my job is currently, a security engineer specializing in cloud security. For the first time, I’m totally okay with that, and I’m excited to start getting better at it. 

A new journey is beginning for me. I’ve made it through the Swamp of Sorrow, and Artax is no longer with me, but that’s okay, because I’m riding high on Falkor! Okay, that’s enough of that movie. Seriously though, things are good, and I look forward to posting more here as my new journey continues.