Domain 1: Threat Modeling Flashcards
The security process where potential threats are identified, categorized and analyzed
Threat modeling
- Threat modeling that takes place during the early stages of systems development
- i.e. Initial design
Proactive approach
- Threat modeling that takes place after a product has been created and deployed
- i.e. pen testing, fuzzing, code review
Reactive approach
A threat model created by Microsoft to guide threat categorization
STRIDE
What does STRIDE stand for?
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service (DoS), Elevation of privilege
Seven-stage threat modeling methodology aimed at selecting or developing countermeasures in relation to the value of the assets to be protected.
Process for Attack Simulation and Threat Analysis (PASTA)
Threat model used to provide a security audit in a reliable and repeatable procedure.
Trike
Threat model that integrates threat and risk management into an Agile programming environment on a scalable basis
Visual, Agile, and Simple Threat (VAST)
- Next step in threat modeling, after determining the threats facing your development project
- Creating a graph detailing elements involved in the transaction along with indications of data flow and privilege boundaries.
Diagramming
What does the DREAD rating system stand for?
Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
The act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject.
Data Hiding
The idea of not informing a subject about an object being present and hoping the subject will not discover the object.
Security through obscurity
- Long-term plan
- Defines the organization's security purpose, goals, mission, and objectives
- Useful up to 5 years if maintained and updated annually
Strategic Plan
- Midterm plan
- Provides more details on accomplishing the goals set forth
- Useful for about a year
- i.e. hiring, project, and budget plans
Tactical Plan
- Short-term plan
- Provides step-by-step detail on the plan
- Updated often, monthly or quarterly
- i.e. staffing assignments, scheduling, step-by-step implementation procedures
Operational Plan
- Each participant writes down their response on paper anonymously
- Results are compiled and presented to the group
- Process is repeated until consensus is reached
- Qualitative
Delphi technique
- A formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation
- Can be performed in addition to or independently of a pen test or vulnerability assessment
Security Control Assessment (SCA)
When a competitor tries to steal information, possibly by using an internal employee
Espionage
Name the six categories of computer crimes
- Military and intelligence attack
- Business attack
- Financial attack
- Terrorist attack
- Grudge attack
- Thrill attack
What are the three ways of confiscating evidence?
- The person who owns the evidence voluntarily surrenders it
- A subpoena could be used to compel the subject to surrender it
- A search warrant confiscates the evidence without giving the subject the opportunity to alter it
- Threat model
- Threats are ranked numerically and categorized
DREAD
PASTA is a risk-based threat model. What are its seven stages?
Stage 1: Definition of objectives (DO) for the Analysis of Risks
Stage 2: Definition of the Technical Scope (DTS)
Stage 3: Application Decomposition and Analysis (ADA)
Stage 4: Threat Analysis (TA)
Stage 5: Weakness and Vulnerability Analysis (WVA)
Stage 6: Attack Modeling & Simulation (AMS)
Stage 7: Risk Analysis & Management (RAM)
- Two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) and intersects them with different enterprise audiences (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide)
- Framework is not security-oriented
- Offers understanding of an enterprise in a modular table
Zachman Architecture Framework
Name the four architecture types that The Open Group Architecture Framework (TOGAF) is used to develop.
- Business architecture
- Data architecture
- Applications architecture
- Technology architecture
Framework used by an architect to understand the enterprise from different views (i.e. business, data, applications, and technology) and implement the necessary technology controls to work within the environment.
The Open Group Architecture Framework (TOGAF)
US-based military architecture framework
Department of Defense Architecture Framework (DoDAF)
British-based military architecture framework
Ministry of Defence Architecture Framework (MODAF)
Two-dimensional model (similar to the Zachman Framework) for enterprise security architecture and service management
Sherwood Applied Business Security Architecture (SABSA)
- Process improvement methodology
- Uses statistical methods of measuring operational efficiency and reducing variation, defects, and waste.
Six Sigma