1.11 Undersand and Apply Threat Modeling Concepts

Question 1

What is the goal of Threat Modeling?

Answer 1

Threat Modeling aims to systematically idenitify threats and their severity, which in turn makes risk management more effective and accurate.

Question 2

What 3 things do Threat Modeling Metholodiges help in terms of threats related to an asset?

Answer 2

Can help systematic identification of threats | Enumeration of Threats | and Prioritization of Threats.

Question 3

What are the Three Major Threat Modeling Methodologies?

Answer 3

STRIDE (Microsoft) | Process for Attack Simulation and Threat Analysis (PASTA) | DREAD

Question 4

What is STRIDE an acronym for?

Answer 4

Spoofing | Tampering |Repudiation | Information Disclosure | Denial of Service | and Elevation of Privilege

Question 5

Stride is considered a ____ focused methodology.

Answer 5

Threat.

Question 6

Pasta is considered a ____ focused methodology.

Answer 6

Attacker.

Question 7

What are the seven stages of PASTA threat-modeling?

Answer 7

Define Objectives | Define Technical Scope |Application Decomposition | Threat Analysis | Vulnerability and Weakness Analysis | Attack Modeling | Risk and Impact Analysis.

Question 8

In PASTA, what is Define Objectives for?

Answer 8

Considering inherent application risks profiles and addressing business impact consideration early.

Question 9

In PASTA, what is Define Technical Scope for?

Answer 9

To decompose the technology stack that supports the application components that realize the business objectives outlined in step 1.

Question 10

In PASTA, what is Application Decomposition for?

Answer 10

Understanding the data flows among application components and services in the application threat model.

Question 11

In PASTA, what is Vulnerability and Weakness Analysis for?

Answer 11

Identifying vulnerabilities and weaknesses within the application design and code and correlates to see if it supports the threat assertions from prior stages.

Question 12

In PASTA, what is Attack Modeling for?

Answer 12

Emulating attacks that could exploit identified vulnerabilites and weaknesses from the prior stage. Helps to determine the threat viability via attack patterns.

Question 13

In PASTA, what is Risk and Impact Analysis for?

Answer 13

Remediation of vulnerabilities or weakenesses in code or design that can faciliate threats and underlying attack patterns. May warrant some risk acceptance by broader application owners or development managers.

Question 14

The DREAD Threat Model is primarily used to ____ and ____ the severity of threats.

Answer 14

Measure | Rank

Question 15

How can DREAD be implemented to the results of the STRIDE threat model?

Answer 15

Dread can be used to rank results of the STRIDE model.

Question 16

How does DREAD scope vulnerabilities?

Answer 16

On a scale of 1-3 for 5 categories. Ultimately, ranking them on a scale of 5-15.

Question 17

What does DREAD stand for?

Answer 17

Damage, Reproducability, Exploitability, Affected Users, and Discoverability.

Question 18

Define purpose of each DREAD stage.

Answer 18

Damage: Assess amount of damage a threat can cause.
Reproducability: How easily can a Threat be replicated?
Exploitability: How easy can a threat be exploited?
Affected Users: How many users are affected? Internal, external?
Discoverability: How easy is it to discover the threat?

Question 19

What is Social Engineering?

Answer 19

The manipulation of people’s actions through intimidation and/or deception.

Question 20

What is the biggest security weakness to an organization?

Answer 20

Their employees.

Question 21

Why is Social Engineering so prevalent?

Answer 21

Because it is so effective.

Question 22

Define Intimidation, Deception, and Rapport.

Answer 22

Using fear to intimidate someone (Blackmail) | Tricks someone in some manner or another (Lying) | Building gradual relationship with a victim to take advantage of them later on (IT team wanting to help)

Question 23

What is an example of ‘Baiting’ in social engineering.

Answer 23

Leaving a USB stick on the ground for someone to pick up and put into their PC.

Question 24

How does Spear Phishing differe from Whaling?

Answer 24

Spear Phishing targets a certain individual or group to understand what social engineering technique could be effective for them. Whaling is similar, but targets only the ‘big fish’ like CEOs, CFOs, and COOs.

Question 25

What are methods for preventing social engineering? Name three specific practical steps that can be taken.

Answer 25

Awareness, Training, and education can help mitigate social engineering attacks. As well as strong security policies | Request proof of identity, Require callback authorization for sensitive information or network alterations, and contacting a suspicious entity through approved channels such as websites and ledgers.