Application threat modeling Quiz - 2
| Description: Application threat modeling Quiz | |
| Number of Questions: 20 | |
| Created by: Aliensbrain Bot | |
| Tags: security technology |
When do we need to be penetration testing
-
After integration testing but before acceptance testing by the client/end user
-
after unit test
-
after integration testing
-
during system testing
In threat modeling, what methodology used to perform risk analysis
-
STRIDE
-
DREAD
-
OWASP
-
DAR
AI Explanation
To answer this question, you need to understand the different methodologies used in threat modeling and risk analysis.
Option A) STRIDE - This option is incorrect because STRIDE is a threat modeling framework that helps identify and categorize threats based on six threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It is not specifically a methodology for risk analysis.
Option B) DREAD - This option is correct because DREAD is a risk assessment methodology commonly used in threat modeling. DREAD stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. It helps evaluate and prioritize risks based on these five factors.
Option C) OWASP - This option is incorrect because OWASP (Open Web Application Security Project) is an online community that provides resources and guidance for web application security. While OWASP provides valuable information related to threat modeling and risk analysis, it is not a specific methodology for risk analysis.
Option D) DAR - This option is incorrect because there is no widely recognized risk analysis methodology called DAR.
The correct answer is B) DREAD. This option is correct because DREAD is a risk assessment methodology commonly used in threat modeling. It helps evaluate and prioritize risks based on five factors: Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability.
-
Risk score = (Reproducibility * Exploitability * Discoverability) / (Damage potential * Affected users)
-
Risk score = (Reproducibility * Exploitability - Discoverability) ^ (Damage potential + Affected users)
-
Risk score = (Reproducibility + Exploitability + Discoverability) / (Damage potential + Affected users)
-
Risk score = (Reproducibility + Exploitability + Discoverability) * (Damage potential + Affected users)
To understand how the Risk score for each threat is calculated in DREAD methodology, the user needs to know the components of the DREAD acronym, which stands for Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. In this method, each component is scored on a scale of 0 to 10, with 10 representing the highest possible value. The scores for each component are then used to calculate the overall risk score for each threat.
Now, let's go through each option and explain why it is right or wrong:
A. Risk score = (Reproducibility * Exploitability * Discoverability) / (Damage potential * Affected users) This option is incorrect. The formula is not correct as it is multiplying the Reproducibility, Exploitability, and Discoverability and dividing it by the Damage potential and Affected users. The correct formula involves adding up the scores for each of the five components, not multiplying and dividing them.
B. Risk score = (Reproducibility * Exploitability - Discoverability) ^ (Damage potential + Affected users) This option is incorrect. The formula is not correct as it is subtracting the Discoverability from the product of Reproducibility and Exploitability, and then taking the result to the power of the sum of Damage potential and Affected users. The correct formula involves adding up the scores for each of the five components, not subtracting and taking the power of them.
C. Risk score = (Reproducibility + Exploitability + Discoverability) / (Damage potential + Affected users) This option is incorrect. The formula is not correct as it is adding the Reproducibility, Exploitability, and Discoverability and then dividing it by the sum of Damage potential and Affected users. The correct formula involves adding up the scores for each of the five components, but not dividing them by anything.
D. Risk score = (Reproducibility + Exploitability + Discoverability) * (Damage potential + Affected users) This option is correct. The formula is correct as it is adding the Reproducibility, Exploitability, and Discoverability and then multiplying it by the sum of Damage potential and Affected users. The correct formula involves adding up the scores for each of the five components, and then multiplying them by each other.
Therefore, the answer is: D
Select the correct choice for "Security Design Principle"
-
1) Keep it easy to understand 2) Secure default access 3) Defense in Depth 4) encapsulation 5) Highest privilege
-
1) Keep it easy to understand 2) Secure access 3) Defense in Depth 4) encapsulation 5) Highest privilege
-
1) Keep it simple and secure 2) Secure default access 3) Defense in Depth 4) Compartmentalization 5) Least privilege
-
1) Keep it easy to understand 2) Secure access 3) DMZ 4) encapsulation 5) Highest privilege
To select the correct choice for "Security Design Principle," the user needs to have knowledge about security design principles and their components.
Now, let's go through each option and explain why it is right or wrong:
A. 1) Keep it easy to understand 2) Secure default access 3) Defense in Depth 4) encapsulation 5) Highest privilege
This option is incorrect because it includes "highest privilege," which means giving users the maximum level of access, which is not a good security practice as it can lead to data breaches or unauthorized access. The other principles listed are correct.
B. 1) Keep it easy to understand 2) Secure access 3) Defense in Depth 4) encapsulation 5) Highest privilege
This option is incorrect because it lacks the principle of "least privilege," which is a fundamental security principle that means providing users with the minimum level of access they need to perform their tasks. This principle helps reduce the attack surface and minimize the damage in case of a breach.
C. 1) Keep it simple and secure 2) Secure default access 3) Defense in Depth 4) Compartmentalization 5) Least privilege
This option is correct. It includes all the essential security design principles, such as secure default access, defense in depth, compartmentalization, and least privilege. Moreover, it emphasizes keeping the design simple, which is always a good practice.
D. 1) Keep it easy to understand 2) Secure access 3) DMZ 4) encapsulation 5) Highest privilege
This option is incorrect because it includes "DMZ," which is not a design principle but a network architecture that separates the internal network from the external network. Also, it includes "highest privilege," which is not a good security practice.
Therefore, the correct answer is:
The Answer is: C
The kind of testing in which activities are performed to find the active machines, open ports and available services, identifying the OS and mapping the network
-
Passive Scanning
-
Social Engineering
-
Scanning
-
Fuzzing
To solve this question, the user needs to know the different types of testing techniques used in cybersecurity. The user must identify the type of testing in which activities are performed to find active machines, open ports, available services, identifying the OS, and mapping the network.
Now, let's go through each option and explain why it is right or wrong:
A. Passive Scanning: This option is incorrect because passive scanning is a type of testing in which the tester monitors network traffic and collects data without actively engaging with the network.
B. Social Engineering: This option is incorrect because social engineering is a type of attack that exploits human behavior to gain access to systems or information.
C. Scanning: This option is correct. Scanning is a type of testing that involves actively probing a network to identify active machines, open ports, available services, identifying the OS, and mapping the network.
D. Fuzzing: This option is incorrect because fuzzing is a type of testing that involves sending random or invalid data to a system to identify vulnerabilities.
The Answer is: C
-
Mandatory access control
-
Role Based Access Control
-
Discretionary Access Control
-
Biometric access control
To answer this question, the user needs to understand the different types of access control mechanisms that can be used to provide access to an SSO application in a portal.
A. Mandatory access control: This access control mechanism is typically used in secure environments such as military or government settings. It is a strict access control mechanism that assigns access levels to users based on their security clearance level. This approach is not suitable for providing access to SSO applications in a portal.
B. Role Based Access Control: This access control mechanism assigns roles to users based on their job functions and responsibilities. The roles are used to determine what type of access a user has to an SSO application. This approach is suitable for providing access to SSO applications in a portal.
C. Discretionary Access Control: This access control mechanism allows users to determine who has access to their resources. This approach is not suitable for providing access to SSO applications in a portal.
D. Biometric access control: This access control mechanism uses biometric data such as fingerprints or facial recognition to authenticate users. This approach is not suitable for providing access to SSO applications in a portal.
Therefore, the best approach to be used while providing access to SSO application in a portal is Role Based Access Control.
The Answer is: B
Which tool can be used for system vulnerability test
-
Nessus
-
HP Web Inspect
-
TAM
-
SDL
The correct answer is A. Nessus.
Nessus is a widely used tool for system vulnerability testing. It helps identify and assess vulnerabilities in various systems and networks. It performs scans to detect potential weaknesses and provides detailed reports on the vulnerabilities found. Nessus is known for its extensive vulnerability database and its ability to perform comprehensive security assessments.
Options B, C, and D are not specifically designed for system vulnerability testing:
B. HP Web Inspect: HP Web Inspect is a web application security testing tool that focuses on identifying vulnerabilities in web applications, rather than system vulnerabilities.
C. TAM: It is unclear what "TAM" refers to in this context. Without more information, it is difficult to determine if it is a tool suitable for system vulnerability testing.
D. SDL: SDL stands for "Security Development Lifecycle," which is a methodology for developing secure software. It is not a specific tool used for system vulnerability testing.
Therefore, option A, Nessus, is the most appropriate tool for system vulnerability testing.
Name the query language for reading XML document
-
Xpath
-
XmlReader
-
SQL
-
xmlPlus
To read XML documents, the query language used is XPath.
Option A is correct because XPath is a query language used to navigate and select elements and attributes in an XML document. It provides a syntax for addressing specific parts of an XML document, similar to how directories and files are addressed in a file system.
Option B, XmlReader, is incorrect because XmlReader is a .NET class used to read XML documents, but it is not a query language. It provides a way to read XML data sequentially and extract information from it.
Option C, SQL, is incorrect because SQL is a query language used to interact with relational databases, not XML documents.
Option D, xmlPlus, is incorrect because there is no such query language with that name for reading XML documents.
Therefore, the answer is: A. XPath
Which one is not a counter measure for log tampering
-
Digitally signed and stamped logs
-
Log file Read/write privilege is controlled by System administrator
-
Separate logs for system events
-
Transaction log for all application events
AI Explanation
To answer this question, we need to understand what log tampering is and what countermeasures can be used to prevent it.
Log tampering refers to the unauthorized modification or alteration of log files, which can be done to conceal or manipulate information. Countermeasures for log tampering aim to protect the integrity and authenticity of log files.
Let's go through each option to understand why it is a countermeasure or not:
A. Digitally signed and stamped logs - This option is a countermeasure for log tampering. Digitally signing and stamping logs ensures that the logs are authentic and have not been tampered with. Any modification to the logs will invalidate the digital signature or stamp.
B. Log file Read/write privilege is controlled by System administrator - This option is not a countermeasure for log tampering. Controlling read/write privileges for log files is important for access control, but it does not directly prevent log tampering. Even with controlled privileges, a malicious user with the appropriate access rights can still tamper with the log files.
C. Separate logs for system events - This option is a countermeasure for log tampering. Using separate logs for system events can help isolate and protect critical log information. If a malicious user tries to tamper with one set of logs, it will not affect the integrity of the other set of logs.
D. Transaction log for all application events - This option is a countermeasure for log tampering. Maintaining a transaction log for all application events allows for the tracking and verification of actions performed within the application. If log tampering occurs, it can be detected by comparing the transaction log with the actual log files.
The correct answer is B. Log file Read/write privilege is controlled by System administrator. This option is not a countermeasure for log tampering as it focuses on access control rather than directly preventing log tampering.
DMZ is a
-
DMZ is the place where customers servers are deployed.
-
DMZ is an area where all the protocols are allowed to pass through.
-
semi trusted network zone that separates the untrusted internet from the companys trusted internal network
-
DMZ is cyber warfare terminology
AI Explanation
To answer this question, we need to understand what a DMZ (Demilitarized Zone) is.
Option A) DMZ is the place where customers servers are deployed - This option is incorrect. While it is true that servers can be deployed in a DMZ, a DMZ itself is not specifically for customer servers.
Option B) DMZ is an area where all the protocols are allowed to pass through - This option is incorrect. A DMZ does not allow all protocols to pass through. It is designed to allow only specific protocols or services that are necessary for external communication.
Option C) A semi-trusted network zone that separates the untrusted internet from the company's trusted internal network - This option is correct. A DMZ is a network segment that acts as a buffer zone between an organization's trusted internal network and the untrusted external network (such as the internet). It is designed to provide an additional layer of security by isolating externally accessible services from the internal network.
Option D) DMZ is cyber warfare terminology - This option is incorrect. While the term "DMZ" may be used in the context of cyber warfare, in the context of computer networks, a DMZ refers to a specific network configuration.
The correct answer is C) A semi-trusted network zone that separates the untrusted internet from the company's trusted internal network. This option is correct because it accurately describes the purpose and function of a DMZ.
Cookie value gets submitted during POST submit of HTML FORM
-
SQL Injection
-
Cross site request forgery
-
Session fixation
-
session hijack
To solve this question, the user needs to know about common web application vulnerabilities and their characteristics.
The correct answer is: C. Session fixation
Option A, SQL Injection, is incorrect because it is a type of attack that targets the database layer of a web application, not the HTTP protocol layer that handles form submissions.
Option B, Cross Site Request Forgery (CSRF), is incorrect because it involves tricking a user into submitting a form on a different website that performs an action on the user's behalf on a target website, not manipulating the values submitted within a form on the same website.
Option D, Session Hijacking, is incorrect because it involves stealing or guessing a user's session ID to impersonate them on a web application, not manipulating the values submitted within a form.
Option C, Session Fixation, is the correct answer. Session fixation is a type of attack where an attacker sets a user's session ID before the user logs in, then waits for the user to authenticate with that ID. Once the user logs in, the attacker can use the known session ID to access the user's session and perform actions on their behalf. In this case, the attacker could set a cookie value in the HTML form submission and then use that value to access the user's session.
Password complexity check should be implemented where?
-
Client side only
-
server side only
-
Both client and server side
-
In the SQL procedure
AI Explanation
To answer this question, you need to understand the concept of password complexity and where it should be implemented.
Option A) Client side only - This option is incorrect because implementing password complexity checks only on the client side is not sufficient. Client-side checks can be easily bypassed, as the client-side code can be modified or manipulated by the user.
Option B) Server side only - This option is correct because implementing password complexity checks on the server side is the most secure approach. It ensures that the checks are enforced and cannot be bypassed by the client.
Option C) Both client and server side - This option is incorrect because while implementing password complexity checks on both the client and server side might provide an additional layer of security, it is not necessary. The server-side checks are sufficient to enforce password complexity requirements.
Option D) In the SQL procedure - This option is incorrect because implementing password complexity checks in the SQL procedure is not recommended. The SQL procedure should be responsible for database operations and not for enforcing password complexity rules.
The correct answer is B) Server side only. This option is correct because implementing password complexity checks on the server side ensures that the checks are enforced and cannot be bypassed by the client.
While using "Forgot Password" feature by user to recover the password, what should be checked first
-
whether the credentials provided are valid and correct
-
whether account is already disabled
-
whether account is locked
-
whether the CAPTCHA values entered by the user same as what is in the image
Which tool can be used for Threat Modeling
-
HP Web Inspect
-
Nessus
-
Open Vas
-
TAM
To solve this question, the user needs to understand what Threat Modeling is and what tools can be used for it.
Threat Modeling is a process of identifying potential security threats and vulnerabilities in an application or system. It helps to find security weaknesses early in the development cycle, reducing the risk of costly security breaches in the future.
Now, let's go through each option and explain why it is right or wrong:
A. HP Web Inspect: HP Web Inspect is a web application security scanner that can help identify vulnerabilities in web applications. However, it is not a tool that is typically used for threat modeling.
B. Nessus: Nessus is a popular vulnerability scanner that can help detect and report potential security issues. While it can be used as part of a threat modeling process, it is not specifically designed for threat modeling.
C. Open Vas: OpenVAS is an open-source vulnerability scanner that can help identify vulnerabilities in networks and systems. While it can be used as part of a threat modeling process, it is not specifically designed for threat modeling.
D. TAM: TAM (Threat Agent Modeling) is a structured approach to identifying potential threats to a system or application. It is a tool that can be used for threat modeling, as it helps identify and prioritize potential threats based on the likelihood and impact of each threat.
Therefore, the correct answer is: D. TAM
Which of the following is mandatory for the audit and access logs of the application to be valid in the court of law
-
log should have url accessed by user
-
Date and time logged in the logs should be in IST format
-
logs have to be in W3C format
-
System time is in sync with INDIA domain time and the logs should have uniquely identifiable information about the user
To ensure that audit and access logs of the application are valid in the court of law, the following requirements have to be met:
A. The log should have the URL accessed by the user: This is an important requirement as it helps in identifying the exact action taken by the user on the application.
B. Date and time logged in the logs should be in IST format: This requirement ensures that the date and time mentioned in the logs are accurate and can be easily correlated with other events.
C. Logs have to be in W3C format: This is not a mandatory requirement, but logs in W3C format are widely accepted as a standard format for web server logs.
D. System time is in sync with INDIA domain time and the logs should have uniquely identifiable information about the user: This is a crucial requirement as it helps in establishing the authenticity of the logs and the actions taken by the user. Uniquely identifiable information about the user can include the user's IP address, username, or any other information that can uniquely identify the user.
Therefore, options A, B, and D are all mandatory for the audit and access logs of the application to be valid in the court of law.
The Answer is: D
When you are performing EQA of an application developed by another project, you are doing
-
white box testing
-
black box testing
-
security testing
-
vulnerability testing
AI Explanation
To answer this question, you need to understand the concepts of white box testing and black box testing.
White box testing, also known as structural testing or glass box testing, involves testing an application while having complete knowledge of its internal workings. This includes examining the source code, design documents, and implementation details. White box testing aims to test the internal logic of the application, such as control flow, data flow, and error handling.
Black box testing, on the other hand, involves testing an application without having any knowledge of its internal workings. Testers focus on the functional requirements of the application, and the testing is based on inputs and expected outputs. Black box testing aims to test the application from an end-user perspective, without considering the internal implementation.
In the given scenario, when you are performing EQA (External Quality Assurance) of an application developed by another project, you are doing black box testing. This is because you are testing the application without having knowledge of its internal workings, similar to how a typical end-user would interact with the application.
Therefore, the correct answer is B. black box testing.
An application is developed and deployed in production. A bug was found and a CR was raised and modified code is ready for deployment after following SSA and SDLC. This interim release of the application is called
-
Release of CR
-
maintenance of application
-
release of patch
-
interim release of CR
AI Explanation
To answer this question, we need to understand the terms related to software development and deployment.
Option A) Release of CR - This option is incorrect because a CR (Change Request) is a formal request to make a modification or fix in an application. It does not refer to the interim release of the application.
Option B) Maintenance of application - This option is incorrect because while the bug fix is a part of application maintenance, it does not specifically refer to the interim release of the modified code.
Option C) Release of patch - This option is correct because a patch is a small piece of code that is used to fix a specific issue or bug in an application. When the modified code is ready for deployment to fix the bug, it is released as a patch to address the issue.
Option D) Interim release of CR - This option is incorrect because the interim release refers to the temporary release of the modified code before the final release. CR (Change Request) is not specifically mentioned in this context.
The correct answer is C) release of patch. This option is correct because when a bug is found and a CR is raised, the modified code is released as a patch to fix the issue in the application.
The application logs are backed up in a media and retained for years as required by law. One of the media found defective after a long period of time. What do we need to do with the media
-
Use it for overwriting current logs
-
Inform stakeholders and degauss the media
-
Keep it safely and securely in the fire proof safe
-
format the media
To solve this question, the user needs to have knowledge of data retention policies and best practices for managing defective media.
Option A: Using the defective media for overwriting current logs is not recommended. The data on the defective media is potentially corrupted or lost, and using it for overwriting current logs can result in further data loss or inconsistency.
Option B: This is the correct answer. Informing stakeholders and degaussing the media is the best approach for managing defective media. Degaussing the media involves exposing it to a magnetic field to erase all data stored on it. This is a secure and effective way to dispose of defective media.
Option C: Keeping the defective media safely and securely in a fireproof safe may seem like a good idea, but it is not an effective way to manage defective media. The data on the defective media is still potentially corrupted or lost, and there is no guarantee that it will remain secure in the safe.
Option D: Formatting the media is not recommended. Formatting may not be effective in erasing all data, and it may also overwrite any remaining data on the media, making it difficult or impossible to recover.
Therefore, the correct answer is:
The Answer is: B. Inform stakeholders and degauss the media.
-
At the design stage
-
At the beginning of testing phase
-
During requirements collection phase
-
HP Webinspect performs the Threat Modeling, I do not need to do anything
___________ is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages
-
Clickjacking
-
RoughJacking
-
CyberJacking
-
CrackJacking
To solve this question, the user needs to have knowledge of web security and common malicious techniques used by hackers.
The technique described in the question is known as "Clickjacking", which is used to trick web users into clicking on a button or link that is disguised as something else, thereby revealing confidential information or taking control of their computer.
Now, let's go through each option and explain why it is right or wrong:
A. Clickjacking: This option is correct. Clickjacking is a malicious technique used by hackers to deceive web users into clicking on a disguised button or link, which results in the user revealing confidential information or giving control of their computer to the attacker.
B. RoughJacking: This option is incorrect. "RoughJacking" is not a known term in web security, and there is no evidence to suggest that it is a malicious technique used by hackers.
C. CyberJacking: This option is incorrect. "CyberJacking" is a broad term that can refer to a range of malicious activities, but it is not specific to the technique described in the question.
D. CrackJacking: This option is incorrect. "CrackJacking" is not a known term in web security, and there is no evidence to suggest that it is a malicious technique used by hackers.
Therefore, the correct answer is: A. Clickjacking.