CH10 Threat Modelling Flashcards

1
Q

What developers must consider in Threat Modelling

A

The value of the asset being secured
The strength/durability of the encryption/security used on the asset
Where on the asset the protection is provided (what attack vectors are being covered)

Threat modelling is often a structured way of brain-storming

2
Q

STRIDE in Threat Modelling

A

expansion of CIA (confidentiality, integrity, availability) threat types

Spoofing Identity
Tampering with data
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

3
Q

Spoofing Identity

A

example: illegally accessing (like shoulder surfing) and then using another user’s authentication information

4
Q

Tampering with Data

A

involves the malicious modification of data. Examples include unauthorised changes made to persistent (stored) data, such as held in a database

5
Q

Repudiation

A

associated with users who deny performing an action without other parties having any way to prove otherwise

6
Q

Information Disclosure

A

involves the exposure of information to individuals who are not supposed to have access to it

7
Q

Denial of Service (DoS)

A

deny service to valid users - e.g. by making a web server temporarily unavailable or unusable

overload requests
ISP throttling
Persistent XSS

8
Q

Elevation of Privilege

A

an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system.

9
Q

(Qualitative/) Risk calculation

A

Risk = (1/easiness-of-attack) * impact

10
Q

Subjective Risk Model: DREAD

A

Damage
Reproducibility
Exploitability
Affected Users
Discoverability

11
Q

What is needed in threat modelling

A

Business: knowledge of what the system should do
- scenarios
- use cases
Architectural: knowledge of how information/data “flows” in the system
- block/component diagrams
- data-flow diagrams
Functional Security: how to defeat an attack
- planned security technologies/checks/processes
Attacker Goals
A team of experts
structured process

12
Q

for each identified threat, the following should be documented

A

threat category
description of the threat
likelihood of the threat (easiness of attack)
impact/severity of the threat
either a mitigation strategy or an explicit acceptance of the threat (sign-off)
If a mitigation has been defined, a strategy for validating its implementation
