Can any one help with quiz QUESTION 5 What is the best definition of a trust bou
Question
Can any one help with quiz
QUESTION 5
What is the best definition of a trust boundary?
a. The border between two countries
b. Everywhere two principals interact
c. Where you start threat modeling
d. Where there is untrusted data
10.00000 points
QUESTION 6
What is the focus of privacy?
a. Data
b. The individual
c. Confidentiality
d. Being undetected
10.00000 points
QUESTION 7
What is one drawback to focusing on assets when threat modeling?
a. Stepping stones may be lower in priority
b. Impossible to enumerate all assets
c. Difficult to place a value on assets
d. Asset valuation is an accounting concept, not security
10.00000 points
QUESTION 8
What is the most likely response an attacker will have to a mitigation you have deployed?
a. Defeat the mitigation control
b. Attack some other system
c. Look for an easier attack path
d. Give up
10.00000 points
QUESTION 9
What is the visual goal for presenting an attack tree?
a. No more than a single page
b. No more than a page for each level
c. Between 1 and 3 pages
d. As many pages as necessary to include all nodes
10.00000 points
QUESTION 10
What is the best way to accept risk in an internal software project? (Choose the best answer)
a. Developers do this all the time
b. File a bug
c. Discuss the decision with management
d. Via a modal dialog
10.00000 points
QUESTION 11
When should you start to threat model in a software development project?
a. When coding starts
b. When the project begins
c. When initial coding is complete
d. As part of the delivery phase
10.00000 points
QUESTION 12
Which approach to threat modeling is best when time is limited?
a. Depth first
b. Top down
c. Breadth first
d. Bottom up
10.00000 points
QUESTION 13
Which attack tree representation generally takes more work but can help the reader to focus their attention better?
a. Graphically
b. Linear map
c. Directed graph
d. Outline
10.00000 points
QUESTION 14
Which of the following can have integrity protections applied to them? (choose all that apply)
a. Disk
b. People
c. Network
d. Memory
10.00000 points
QUESTION 15
Which of these is NOT a good prioritization strategy? (choose all that apply)
a. Wait and see
b. Randomly fix issues
c. DREAD
d. Bug bars
10.00000 points
QUESTION 16
Which of these is not an appropriate way to address a threat?
a. Fix it
b. Accept it
c. Document it internally so you can manage it in the next release
d. Transfer the risk
10.00000 points
QUESTION 17
Which two are examples of E threats (in STRIDE)?
a. Calling web pages directly without credentials
b. Claiming that a package was never received
c. Finding crypto keys on disk
d. Sending input to a program that causes it to crash
10.00000 points
QUESTION 18
Which two are examples of I threats (in STRIDE)?
a. Sending input to a program that causes it to crash
b. Using SQL injection to read database tables
c. Finding crypto keys on disk
d. Filling the disk with useless data
10.00000 points
QUESTION 19
Which two are examples of R threats (in STRIDE)?
a. Calling web pages directly without credentials
b. Claiming that a package was never received
c. Filling logs files with useless data
d. Finding crypto keys on disk
10.00000 points
QUESTION 20
Which two are examples of S threats (in STRIDE)?
a. Creating an executable file in a local directory
b. Redirecting an IP address to another host
c. Finding crypto keys on disk
d. Claiming that a package was never received
10.00000 points
QUESTION 21
Which type of STRIDE threat violates Authentication?
a. Spoofing
b. Repudiation
c. Information Disclosure
d. Tampering
10.00000 points
QUESTION 22
Which type of STRIDE threat violates Authorization?
a. Tampering
b. Denial-of-Service
c. Information Disclosure
d. Elevation of Privilege
10.00000 points
QUESTION 23
Which type of STRIDE threat violates Availability?
a. Repudiation
b. Denial-of-Service
c. Spoofing
d. Elevation of Privilege
10.00000 points
QUESTION 24
Which type of attack tree contains nodes that are true if any of the nodes below it are true?
a. OR
b. AND
c. NOT
d. NOR
10.00000 points
QUESTION 25
Which is the most difficult type of attack tree for you to create?
a. Trees developed by someone else for their organization
b. Trees you develop for your own organization
c. Trees you develop for general use
d. Commercially developed attack trees
Explanation / Answer
Answer 5) d. Where there is untrusted data.
A trust boundary is the portion where the data are circulated from an untrusted source.
Answer 6) The focus of privacy is on all the aspects mentioned, which are data, individual information, confidentiality and being undetected, whereas the focus is on data security and privacy.
Answer 7) a) Stepping stones may be lower in priority
Answer 8) c) Look for an easier attack path.
The attackers always find an easier way to hack the system without much complication.
Answer 9) a) No more than a single page
To present an attack tree it is always advisable to use 1 page.
Answer 10) b) File a bug
Filing a bug and asking the development team to work on it is an acceptable technique in any project.
Answer 11) a) When coding starts
Ideally the threat model should start when the architecture is set up in an SDLC phase.
This is an important aspect of a project and should be started as soon as the architecture is set up.
Answer 12) c) Breadth first.
When time is short, we need to trace back using a breadth-first approach.
Answer 13) a) Graphically
When the tree is represented graphically, it helps the reader to focus and have better clarity of the information provided.
Answer 14) Disk, Network and Memory need to have integrity protection applied to them.
Answer 15) Wait and see, Randomly fix issues and DREAD are absolutely not good prioritization strategies.
Bug bar is denoted as the accepted range of bugs and severity in a system.
Answer 16) d) Transfer the risk
When a system is vulnerable to a threat it should be well communicated and documented, and an immediate setup to fix the issue should be done on a serious note. Any negligence would result in crashing of the application.
Answer 17) a) Calling web pages directly without credentials
d) Sending input to a program that causes it to crash
Security is a major concern in e-commerce, and also the texts that are being sent can have malicious code and viruses injected into the system, which would result in crashing the system.
Answer 21) a) Spoofing
Answer 22) d) Elevation of Privilege
Answer 23) b) Denial-of-Service
Any unavailable data threatens the availability.
The answers against the question number are mentioned with explanation.
Hope this answer helps. :) Happy to help :)