Merge pull request #270391 from TerryLanfear/sec-240327

Freshness update

Author: prmerger-automator[bot]

articles/security/fundamentals/best-practices-and-patterns.md

@@ -7,7 +7,7 @@ ms.assetid: 1cbbf8dc-ea94-4a7e-8fa0-c2cb198956c5
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: conceptual
-ms.date: 11/13/2023
+ms.date: 03/27/2024
 ms.author: terrylan
 
 ---
@@ -17,7 +17,7 @@ This article contains security best practices to use when you're designing, depl
 
 ## Best practices
 
-These best practices are intended to be a resource for IT pros. This might include designers, architects, developers, and testers who build and deploy secure Azure solutions.
+These best practices are intended to be a resource for IT pros. IT pros include designers, architects, developers, and testers who build and deploy secure Azure solutions.
 
 * [Best practices for protecting secrets](secrets-best-practices.md)
 * [Azure database security best practices](/azure/azure-sql/database/security-best-practice)
@@ -27,7 +27,7 @@ These best practices are intended to be a resource for IT pros. This might inclu
 * [Azure operational security best practices](operational-best-practices.md)
 * [Azure PaaS Best Practices](paas-deployments.md)
 * [Azure Service Fabric security best practices](service-fabric-best-practices.md)
-* [Best practices for Azure VM security](iaas.md)
+* [Best practices for IaaS workloads in Azure](iaas.md)
 * [Implementing a secure hybrid network architecture in Azure](/azure/architecture/reference-architectures/dmz/secure-vnet-hybrid)
 * [Internet of Things security best practices](../../iot/iot-overview-security.md)
 * [Securing PaaS databases in Azure](paas-applications-using-sql.md)
@@ -36,4 +36,4 @@ These best practices are intended to be a resource for IT pros. This might inclu
 
 ## Next steps
 
-Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization. See the [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) for a collection of high-impact security recommendations you can use to help secure the services you use in Azure.
+Microsoft finds that using security benchmarks can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization. See the [Microsoft cloud security benchmark](/security/benchmark/azure/introduction) for a collection of high-impact security recommendations to help secure the services you use in Azure.

articles/security/fundamentals/data-encryption-best-practices.md

@@ -9,7 +9,7 @@ ms.assetid: 17ba67ad-e5cd-4a8f-b435-5218df753ca4
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/22/2023
+ms.date: 03/27/2024
 ms.author: terrylan
 
 ---

articles/security/fundamentals/network-best-practices.md

@@ -8,7 +8,7 @@ ms.assetid: 7f6aa45f-138f-4fde-a611-aaf7e8fe56d1
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/29/2023
+ms.date: 03/27/2024
 ms.author: terrylan
 
 ---

articles/security/fundamentals/physical-security.md

@@ -9,7 +9,7 @@ ms.assetid: 61e95a87-39c5-48f5-aee6-6f90ddcd336e
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/13/2023
+ms.date: 03/27/2024
 ms.author: terrylan
 
 ---

articles/security/fundamentals/subdomain-takeover.md

@@ -9,7 +9,7 @@ manager: rkarlin
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 01/19/2023
+ms.date: 03/27/2024
 ms.author: terrylan
 
 ---
@@ -33,7 +33,7 @@ A common scenario for a subdomain takeover:
 
     1. The Azure resource is deprovisioned or deleted after it is no longer needed.
 
-        At this point, the CNAME record `greatapp.contoso.com` *should* be removed from your DNS zone. If the CNAME record isn't removed, it's advertised as an active domain but doesn't route traffic to an active Azure resource. This is the definition of a "dangling" DNS record.
+        At this point, the CNAME record `greatapp.contoso.com` *should* be removed from your DNS zone. If the CNAME record isn't removed, it's advertised as an active domain but doesn't route traffic to an active Azure resource. You now have a "dangling" DNS record.
 
     1. The dangling subdomain, `greatapp.contoso.com`, is now vulnerable and can be taken over by being assigned to another Azure subscription's resource.
 
@@ -49,15 +49,15 @@ A common scenario for a subdomain takeover:
 
 ## The risks of subdomain takeover
 
-When a DNS record points to a resource that isn't available, the record itself should have been removed from your DNS zone. If it hasn't been deleted, it's a "dangling DNS" record and creates the possibility for subdomain takeover.
+When a DNS record points to a resource that isn't available, the record itself should be removed from your DNS zone. If it isn't deleted, it's a "dangling DNS" record and creates the possibility for subdomain takeover.
 
 Dangling DNS entries make it possible for threat actors to take control of the associated DNS name to host a malicious website or service. Malicious pages and services on an organization's subdomain might result in:
 
-- **Loss of control over the content of the subdomain** - Negative press about your organization's inability to secure its content, as well as the brand damage and loss of trust.
+- **Loss of control over the content of the subdomain** - Negative press about your organization's inability to secure its content, brand damage, and loss of trust.
 
-- **Cookie harvesting from unsuspecting visitors** - It's common for web apps to expose session cookies to subdomains (*.contoso.com), consequently any subdomain can access them. Threat actors can use subdomain takeover to build an authentic looking page, trick unsuspecting users to visit it, and harvest their cookies (even secure cookies). A common misconception is that using SSL certificates protects your site, and your users' cookies, from a takeover. However, a threat actor can use the hijacked subdomain to apply for and receive a valid SSL certificate. Valid SSL certificates grant them access to secure cookies and can further increase the perceived legitimacy of the malicious site.
+- **Cookie harvesting from unsuspecting visitors** - It's common for web apps to expose session cookies to subdomains (*.contoso.com). Any subdomain can access them. Threat actors can use subdomain takeover to build an authentic looking page, trick unsuspecting users to visit it, and harvest their cookies (even secure cookies). A common misconception is that using SSL certificates protects your site, and your users' cookies, from a takeover. However, a threat actor can use the hijacked subdomain to apply for and receive a valid SSL certificate. Valid SSL certificates grant them access to secure cookies and can further increase the perceived legitimacy of the malicious site.
 
-- **Phishing campaigns** - Authentic-looking subdomains might be used in phishing campaigns. This is true for malicious sites and for MX records that would allow the threat actor to receive emails addressed to a legitimate subdomain of a known-safe brand.
+- **Phishing campaigns** - Malicious actors often exploit authentic-looking subdomains in phishing campaigns. The risk extends to both malicious websites and MX records, which could enable threat actors to receive emails directed to legitimate subdomains associated with trusted brands.
 
 - **Further risks** - Malicious sites might be used to escalate into other classic attacks such as XSS, CSRF, CORS bypass, and more.
 
@@ -91,7 +91,7 @@ Run the query as a user who has:
 - at least reader level access to the Azure subscriptions
 - read access to Azure resource graph
 
-If you're a global administrator of your organization's tenant, elevate your account to have access to all of your organization's subscription using the guidance in [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md).
+If you're a Global Administrator of your organization's tenant, follow the guidance in [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md) to gain access to all your organization's subscriptions
 
 > [!TIP]
 > Azure Resource Graph has throttling and paging limits that you should consider if you have a large Azure environment.
@@ -106,17 +106,17 @@ Learn more about the PowerShell script, **Get-DanglingDnsRecords.ps1**, and down
 
 ## Remediate dangling DNS entries
 
-Review your DNS zones and identify CNAME records that are dangling or have been taken over. If subdomains are found to be dangling or have been taken over, remove the vulnerable subdomains and mitigate the risks with the following steps:
+Review your DNS zones and identify CNAME records that are dangling or taken over. If subdomains are found to be dangling or have been taken over, remove the vulnerable subdomains and mitigate the risks with the following steps:
 
 1. From your DNS zone, remove all CNAME records that point to FQDNs of resources no longer provisioned.
 
-1. To enable traffic to be routed to resources in your control, provision additional resources with the FQDNs specified in the CNAME records of the dangling subdomains.
+1. To enable traffic to be routed to resources in your control, provision more resources with the FQDNs specified in the CNAME records of the dangling subdomains.
 
 1. Review your application code for references to specific subdomains and update any incorrect or outdated subdomain references.
 
-1. Investigate whether any compromise has occurred and take action per your organization's incident response procedures. Tips and best practices for investigating this issue can be found below.
+1. Investigate whether any compromise occurred and take action per your organization's incident response procedures. Tips and best practices for investigating:
 
-    If your application logic is such that secrets such as OAuth credentials were sent to the dangling subdomain, or privacy-sensitive information was sent to the dangling subdomains, that data might have been exposed to third-parties.
+    If your application logic results in secrets, such as OAuth credentials, being sent to dangling subdomains or if privacy-sensitive information is transmitted to those subdomains, there is a possibility for this data to be exposed to third parties.
 
 1. Understand why the CNAME record was not removed from your DNS zone when the resource was deprovisioned and take steps to ensure that DNS records are updated appropriately when Azure resources are  deprovisioned in the future.