Domain 1: Threat Modeling

Question 1

The security process where potential threats are identified, categorized and analyzed

Answer 1

Threat modeling

Question 2

• Threat modeling that takes place during the early stages of systems development
• i.e. Initial design

Answer 2

Proactive approach

Question 3

• Threat modeling that takes place after a product has been created and deployed
• i.e. pen testing, fuzzing, code review

Answer 3

Reactive approach

Question 4

A threat model created by Microsoft to guide threat categorization

Answer 4

STRIDE

Question 5

What does STRIDE stand for?

Answer 5

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service (DoS)
Elevation of privilege

Question 6

Seven stage threat modeling methodology aimed at selecting or developing countermeasures in relation to the value of the assets to be protected.

Answer 6

Process for Attack Simulation and Threat Analysis (PASTA)

Question 7

Threat model used to provide a security audit in a reliable and repeatable procedure.

Answer 7

Trike

Question 8

Threat model that integrates threat and risk management into Agile programing environment on a scalable basis

Answer 8

Visual, Agile, and Simple Threat (VAST)

Question 9

• Next step in threat modeling determining the threats facing your development project
• Creating a graph detailing elements involved in the transaction along with indications of data flow and privilege boundaries.

Answer 9

Diagramming

Question 10

What does the DREAD rating system stand for?

Answer 10

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability

Question 11

The act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject.

Answer 11

Data Hiding

Question 12

The idea of not informing a subject about an object being present and hoping the subject will not discover the object.

Answer 12

Security through obscurity

Question 13

• Long-term plan
• Defines the organization’s security purpose goals mission and objectives of the organization
• Useful up to 5 years if maintained and updated annually

Answer 13

Strategic Plan

Question 14

• Midterm plan
• Provides more details on accomplishing the goals set forth
• Useful for about a year
• i.e. hiring, project, and budget plans

Answer 14

Tactical Plan

Question 15

• Short-term plan
• Provides step-by step detail on plan
• Updated often monthly or quarterly
• i.e. staffing assignments, scheduling, step-by-step implementation procedures

Answer 15

Operational Plan

Question 16

• Each participants writes down their response on paper anonymously
• Results are compiled and presented to group
• Process is repeated until consensus is reached
• Qualitative

Answer 16

Delphi technique

Question 17

• A formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation
• Can be performed in addition to or independently to a pen test or vulnerability assessment

Answer 17

Security Control Assessment (SCA)

Question 18

When a competitor tries to steal info, and they may use an internal employee

Answer 18

Espionage

Question 19

Name the six categories of computer crimes

Answer 19

1. Military and intelligence attack
2. Business attack
3. Financial attack
4. Terrorist attack
5. Grudge attack
6. Thrill attack

Question 20

What are the three ways of confiscating evidence?

Answer 20

1. Person who owns the evidence voluntarily surrenders it
2. Subpoena could be used to compel the subject to surrender it
3. Search warrant confiscates the evidence without giving the subject opportunity to alter it

Question 21

• Threat model

- Threats are ranked numerically and categorized

Answer 21

DREAD

Question 22

PASTA risk-based threat-model that contains what following 7 stages?

Answer 22

Stage 1: Definition of objectives (DO) for the Analysis of Risks
Stage 2: Definition of the Technical Scope (DTS)
Stage 3: Application Decomposition and Analysis (ADA)
Stage 4: Threat Analysis (TA)
Stage 5: Weakness and Vulnerability Analysis (WVA)
Stage 6: Attack Modeling & Simulation (AMS)
Stage 7: Risk Analysis & Management (RAM)

Question 23

• Two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When and Why) and intersects them with different enterprise audiences (Executives, Business - Managers, System Architects, Engineers, Technicians, and Enterprise-wide)
• Framework is not security orientated
• Offers understanding of an enterprise in a modular table

Answer 23

Zachman Architecture Framework

Question 24

Name the 4 architecture types The Open Group Architecture Framework (TOGAF) is used to develop?

Answer 24

1. Business architecture
2. Data architecture
3. Applications architecture
4. Technology architecture

Question 25

Framework used by an architect to understand the enterprise from different views (i.e. business, data, applications, and technology) and implements the necessary technology controls to work within the environment.

Answer 25

The Open Group Architecture Framework (TOGAF)

Question 26

US based military architecture framework

Answer 26

Department of Defense Architecture Framework (DoDAF)

Question 27

British based military architecture framework

Answer 27

Ministry of Defense Architecture Framework (MODAF)

Question 28

Two dimensional model (similar to Zachman Framework) for enterprise security architecture and service management

Answer 28

Sherwood Applied Business Security Architecture (SABSA)

Question 29

• Process improvement methodology

- Uses statistical methods of measuring operational efficiency and reducing variation, defects, and waste.

Answer 29

Six Sigma