Exam (elaborations)

C706 Exam Questions and Answers Already Passed

Pages
10
Grade
A+
Uploaded on
25-07-2025
Written in
2024/2025

Institution
C706
Course
C706

Content preview

C706 Exam Questions and Answers Already Passed

Stride - Answers: STRIDE is a classification scheme for characterizing/measuring known threats/vulnerabilities according to the kinds of exploit that are used (motivation of the attacker). It also focuses on the end results of possible attacks rather than on the identification of each specific attack. The STRIDE acronym is formed from the first letter of each of the following categories.

Spoofing Identity - Answers: Identity spoofing is a key risk for applications that have many users but provide a single execution context at the application and database level. In particular, users should not be able to become any other user or assume the attributes of another user.

Tampering of Data - Answers: Users can potentially change data delivered to them, return it, and thereby potentially manipulate client-side validation, GET and POST results, cookies, HTTP headers, and so forth. The application should not send data to the user, such as interest rates or periods, which are obtainable only from within the application itself. The application should also carefully check data received from the user and validate that it is sane and applicable before storing or using it.

Repudiation - Answers: Users may dispute transactions if there is insufficient auditing or recordkeeping of their activity.

Information Disclosure - Answers:

Denial of Service - Answers: Application designers should avoid expensive resources such as large files, complex calculations, and long queries.

Elevation of Privilege - Answers: All actions should be gated through an authorization matrix to ensure that only the permitted roles can access privileged functionality.

STRIDE - Answers: A classification scheme for characterizing/measuring known threats/vulnerabilities according to the kinds of exploit that are used or the motivation of the attacker. It also focuses on the end results of possible attacks rather than on the identification of each specific attack.

DREAD - Answers: Risk assessment model.

Damage - Answers: How bad would an attack be? Ranks the extent of harm that occurs if a vulnerability is exploited.

Reproducibility - Answers: How easy is it to reproduce the attack? Ranks how often an attempt at exploiting a vulnerability really works.

Exploitability / Vulnerability - Answers: How much work is it to launch the attack? Measures the effort required to launch the attack.

Affected users - Answers: How many people will be impacted? Measures the number of installed instances of the system affected by the exploit.

Discoverability - Answers: How easy is it to discover the threat? States the likelihood that a vulnerability will be found by security researchers or hackers.

Threat Model - Answers: A threat model is a diagram and description that tells a story of how an attacker could exploit the vulnerability. This is a narrative approach to the attack that should help guide the mitigation techniques that need to be put in place to protect the system at that point. It can define the security of an application and reduce the number of vulnerabilities. It also has the two steps of identifying and prioritizing the vulnerabilities.

Sequence Diagram - Answers: Detailed breakdown of the communication that will occur between actors and system objects or components. A sequence diagram bridges the gap between the business analysis and the development analysis; this type of diagram can be considered a business description or a development description of system functionality.

T-Map - Answers: T-MAP defines a set of threat-relevant attributes for each layer or node. These attributes can be classified as either probability-relevant, size-of-loss-relevant, or descriptive. These class attributes are primarily derived from the Common Vulnerability Scoring System (CVSS).

SDLC Domains - Answers:

Planning Organization - Answers: Project Definition, User Requirements Definition and System Requirement Definition.

Acquisition / Implementation - Answers: User Requirements Definition, System Requirement Definition, Analysis and Design, and System Build / Prototype / Pilot.

Deliver and Support - Answers: Analysis and Design, System Build / Prototype / Pilot, Implementation and Training, and Sustainment.

Monitoring - Answers: User Requirements Definition, System Requirements Definition, Analysis and Design, System Build / Prototype / Pilot, Implementation and Training, and Sustainment.

Requirements analysis - Answers: Phase that defines the security functions that an application should satisfy.

Testing Phases - Answers: Security should be involved in all phases of the SDLC, but expectation of vulnerabilities to identify weaknesses should be done in the testing phase.

Incident Response Plan - Answers: An incident response plan is an organized approach to addressing and managing the aftermath of a security breach or compromise on a system or software. The goal is to handle the situation, limit damage, and reduce recovery time and costs.

BCWS - Answers: Budget Cost Work Schedule

BCWP - Answers: Budget Cost Work Performed

SV - Answers: Scheduled Variance
