Can anyone help with the quiz?

QUESTION 1

What is a vulnerability?

a. An attempt to attack some weakness

b. Some bad thing that might happen

c. A weakness that may be exploited

d. The likelihood that an attack will succeed against a weakness

10.00000 points

QUESTION 2

What is an attack library?

a. Central repository of all known attacks

b. Collection of detailed lists of common problems

c. Structured list of threats and prioritized remediations

d. Commercially available collections of attack trees

10.00000 points

QUESTION 3

What is an attack tree?

a. Formal way to categorize attacks based on severity

b. Formal way to describe the security of a system based on attacks

c. Informal diagramming option when attempting to organize discovered threats

d. Structured way to categorize discovered threats

10.00000 points

QUESTION 4

An engineering approach to threat modeling provides what benefits (choose all that apply):

a. Predictable

b. General

c. Reliable

d. Scalable

10.00000 points

QUESTION 5

What is the best definition of a trust boundary?

a. The border between two countries

b. Everywhere two principals interact

c. Where you start threat modeling

d. Where there is untrusted data

10.00000 points

QUESTION 6

What is the focus of privacy?

a. Data

b. The individual

c. Confidentiality

d. Being undetected

10.00000 points

QUESTION 7

What is one drawback to focusing on assets when threat modeling?

a. Stepping stones may be lower in priority

b. Impossible to enumerate all assets

c. Difficult to place a value on assets

d. Asset valuation is an accounting concept, not security

10.00000 points

QUESTION 8

What is the most likely response an attacker will have to a mitigation you have deployed?

a. Defeat the mitigation control

b. Attack some other system

c. Look for an easier attack path

d. Give up

10.00000 points

QUESTION 9

What is the visual goal for presenting an attack tree?

a. No more than a single page

b. No more than a page for each level

c. Between 1 and 3 pages

d. As many pages as necessary to include all nodes

10.00000 points

QUESTION 10

What is the best way to accept risk in an internal software project? (Choose the best answer)

a. Developers do this all the time

b. File a bug

c. Discuss the decision with management

d. Via a modal dialog

10.00000 points

QUESTION 11

When should you start to threat model in a software development project?

a. When coding starts

b. When the project begins

c. When initial coding is complete

d. As part of the delivery phase

10.00000 points

QUESTION 12

Which approach to threat modeling is best when time is limited?

a. Depth first

b. Top down

c. Breadth first

d. Bottom up

10.00000 points

QUESTION 13

Which attack tree representation generally takes more work but can help the reader to focus their attention better?

a. Graphically

b. Linear map

c. Directed graph

d. Outline

10.00000 points

QUESTION 14

Which of the following can have integrity protections applied to them? (choose all that apply)

a. Disk

b. People

c. Network

d. Memory

10.00000 points

QUESTION 15

Which of these is NOT a good prioritization strategy? (choose all that apply)

a. Wait and see

b. Randomly fix issues

c. DREAD

d. Bug bars

10.00000 points

QUESTION 16

Which of these is not an appropriate way to address a threat?

a. Fix it

b. Accept it

c. Document it internally so you can manage it in the next release

d. Transfer the risk

10.00000 points

QUESTION 17

Which two are examples of E threats (in STRIDE)?

a. Calling web pages directly without credentials

b. Claiming that a package was never received

c. Finding crypto keys on disk

d. Sending input to a program that causes it to crash

10.00000 points

QUESTION 18

Which two are examples of I threats (in STRIDE)?

a. Sending input to a program that causes it to crash

b. Using SQL injection to read database tables

c. Finding crypto keys on disk

d. Filling the disk with useless data

10.00000 points

QUESTION 19

Which two are examples of R threats (in STRIDE)?

a. Calling web pages directly without credentials

b. Claiming that a package was never received

c. Filling log files with useless data

d. Finding crypto keys on disk

10.00000 points

QUESTION 20

Which two are examples of S threats (in STRIDE)?

a. Creating an executable file in a local directory

b. Redirecting an IP address to another host

c. Finding crypto keys on disk

d. Claiming that a package was never received

10.00000 points

QUESTION 21

Which type of STRIDE threat violates Authentication?

a. Spoofing

b. Repudiation

c. Information Disclosure

d. Tampering

10.00000 points

QUESTION 22

Which type of STRIDE threat violates Authorization?

a. Tampering

b. Denial-of-Service

c. Information Disclosure

d. Elevation of Privilege

10.00000 points

QUESTION 23

Which type of STRIDE threat violates Availability?

a. Repudiation

b. Denial-of-Service

c. Spoofing

d. Elevation of Privilege

10.00000 points

QUESTION 24

Which type of attack tree contains nodes that are true if any of the nodes below it are true?

a. OR

b. AND

c. NOT

d. NOR

10.00000 points

QUESTION 25

Which is the most difficult type of attack tree for you to create?

a. Trees developed by someone else for their organization

b. Trees you develop for your own organization

c. Trees you develop for general use

d. Commercially developed attack trees
