Host and app security Flashcards

1
Q

What is the difference between antivirus and EDR?

A

Endpoint detection and response.
Antivirus generally detects malicious code through the use of signatures, while EDR is able to use machine learning and process monitoring to do behavioral analysis of what a file is doing.
EDR is also capable of investigating the threatening file and performing a root cause analysis, as well as responding to the threat by isolating the system, quarantining the file, rolling back to a previous configuration, etc., without needing any user intervention whatsoever.

2
Q

What is a TPM?

A

Trusted Platform Module
A piece of hardware that helps with cryptographic functions inside the operating system.
This can include a cryptographic processor that is used for key generation.
It will also typically come with unique keys that are burned in during production and can't be changed.
It can also store keys and hardware configuration information.
It is built with anti-brute-force technology.

3
Q

What is an HSM?

A

Hardware Security Module

4
Q

What is UEFI BIOS secure boot?

A

A way of keeping integrity in the BIOS and the operating system.
The BIOS includes the manufacturer's public key.
The digital signature is checked during a BIOS update.

Secure boot (once activated) verifies the bootloader's digital signature to make sure that no malicious software has changed any part of the bootloader.
The bootloader must be signed by a trusted certificate, which is compared to the digital signature that is in the bootloader.
5
Q

What is trusted boot?

A

Once the secure boot process is complete we move to the trusted boot process.
The bootloader will verify the digital signature of the operating system kernel.
This ensures that the operating system kernel has not been modified by any malware.
The kernel of the operating system will then verify other parts of the OS such as the boot drivers and startup files.

Just before loading the drivers a service called ELAM (early launch anti-malware) is launched, checking that every driver has not been modified and ensuring that they are all in a trusted state. There is a digital signature associated with each of these drivers, and they will all be checked.

6
Q

What is measured boot?

A

Once secure boot is complete, trusted boot is complete and the drivers have been loaded, we can move to the measured boot process.
This is the process that allows us to measure whether any changes have occurred in the operating system.
The UEFI BIOS stores a hash of the firmware, boot drivers, and everything else loaded during the trusted boot and secure boot process. The hash created from that is stored in the TPM.
Remote attestation will now happen: our device will send an encrypted and signed verification report containing all of this information to the attestation server.
That server then receives the boot report and compares the information in that report to the information that it knows to be trusted for that system.

7
Q

What is tokenization?

A

A technique that involves storing sensitive information in a database with a non-sensitive placeholder instead.
Basically the idea is to store a temporary token that can be validated by an external server instead of the real raw data, which works the same way but without having to store sensitive information.
After a token is used it will be thrown away and a new token will be used next time.
There is also no encryption or hashing happening here, which requires much less overhead. The token is created completely independently of the real information.

8
Q

When using a salt in combination with hashing and storing passwords, where is the salt commonly stored?

A

The unique salt added is typically stored with the password.

9
Q

In regards to input validation, what is normalization?

A

This is checking and correcting all input.
A zip code should only be X characters.
Fix any data with improper input.

10
Q

What is dynamic analysis (fuzzing)?

A

This is the process of sending random input to an application and looking for something out of the ordinary to happen.
Fuzzing takes an automated approach to trying to break an application, or at least to finding something that isn't operating correctly.
A fuzzing engine takes a lot of time and a lot of resources to operate.

11
Q

What is the difference between a normal cookie and a secure cookie?

A

Secure cookies have an attribute on them that declares that if the cookie is being sent over a network, HTTPS must be used.

12
Q

What are HTTP secure headers?

A

A way of configuring a web server to restrict which functions the browser is allowed to perform.
This means that we can tell the end user's browser to either allow or not allow certain tasks to occur while this application is in use.
For example, we may configure a secure header that tells the client's browser to only communicate with the web server using HTTPS.
Or we might try preventing XSS attacks by telling the browser to only allow scripts, stylesheets, or images to load from the web server.

13
Q

What is code signing?

A

The use of digital signatures to prove the authenticity of an application.
The developer signs the code with their private key, and their public key can be used to verify that it is authentic.

14
Q

What is a static code analyzer?

What is SAST?

A

SAST is static application security testing.
When using SAST we can use static code analyzers to basically run a vulnerability scan on the code of an application.
These will not be helpful for finding errors with insecure cryptography or authentication security; their main focus is on identifying places where there may be vulnerabilities such as buffer overflows, database injections, etc.
You need to check for false positives, just like with a normal vulnerability scanner.

15
Q

What is the registry on a computer?

A

The primary configuration database for Windows systems.

Almost everything can be configured from the registry.

16
Q

What is full disk encryption (FDE)?

A

Software-based full encryption of a drive (BitLocker, FileVault, etc.).
Encrypting everything on an entire drive.

17
Q

What is a Self-encrypting Drive (SED)?

A

Hardware-based full disk encryption.

No operating system software needed.

18
Q

What is an IdP?

A

An IdP (identity provider) is a third party that provides authentication as a service.