CCT 149: Practice CISSP Questions - Threat Modeling & STRIDE for CISSP Exam Success (D3.1)
Jun 13, 2024Ready to conquer the CISSP exam? Unlock the secrets of threat modeling with our latest episode! Join me, Sean Gerber, as we break down the STRIDE methodology—Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Learn how to decode these critical security concepts and master the art of eliminating wrong answers in multiple-choice questions. This episode is your ticket to not only understanding but excelling in one of the most vital areas of cybersecurity.
But we’re not stopping there! We’ll also dissect the main components of a threat model, helping you identify and analyze assets, adversaries, threats, and mitigations with precision. By comparing different sets of terms, you'll sharpen your test-taking strategies and gain a deeper understanding of how to approach the CISSP exam. Whether you’re driving, at the gym, or relaxing at home, this episode is packed with practical, actionable insights designed to elevate your cybersecurity expertise and ensure you ace that exam. Tune in and let's make cybersecurity mastery a reality!
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Speaker 1:
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go. Cybersecurity knowledge All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training, and today is Thursday. We're going to be doing CISSP exam questions, so get ready, get buckled up and let's see what you can think about as it relates to the CISSP exam questions. Now I want to let you know that these CISSP exam questions are available to you at CISSP Cyber Training as well. So all of the information that we go through here, I have a vulnerable or vulnerable I've been talking security too long a variable list of a long list of CISSP questions that you can get at CISSP Cyber Training, and these are part of those questions I come out with, probably around anywhere from 15 to 30 questions every week Usually. It's sometimes a little bit more than that, but it's around 30 questions a week is what I usually come up with, and I add that to my overall bucket and list of overall questions that you can study so that you can be prepared to pass the CISSP exam. And this is all part of my CISSP blueprint that I have available to my members of my CISSP exam and this is all part of my CISSP blueprint that I have available to my members of my CISSP training course. Okay, so we're going to get into the questions. We're going to see how they all play out, all right, so what is what does stride methodology stand for? Okay, so a for you guys that are listening, I'm gonna walk through all the questions and then you see if you can think of it while you're driving or wherever you're at and you're listening to this A security, tampering, replication, intrusion, denial of service, escalation of privileges.
Speaker 1:
That's A. B is spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. C is security, tampering, repudiation, intrusion, denial of service, escalation of privilege. C is security, tampering, repudiation, intrusion, denial of service, escalation of privileges. And then D is spoofing, tampering, replication, information disclosure, denial of service and elevation of privilege. So if you know STRIDE, okay, that deals a lot with and I'm not going to go through all those again because that's a mouthful of words, but STRIDE is an acronym, it stands for spoofing, okay. So again, as you're going through these questions, you know spoofing is one. So that could throw out, in this case of a multiple choice, two of the four questions tampering, repudiation, information disclosure, denial of service and elevation of privilege. Those are the part of stride. So the answer is B. Now if you look at D if you're seeing this on the video you'll see that the difference with D is it's replication versus repudiation. So don't focus on replication Security. We don't really talk about replication a lot. We talk about repudiation a lot. So if you didn't know you go, these terms don't seem like this, replication doesn't seem like a security term, more of a networking term. Then you may want to at least glob on to B. So the point is is just narrow down your focus right on what is the actual right question. All right. So I'm sorry, I'm fighting a little bit of a cold, so I apologize if I sound a little congested.
Speaker 1:
What are the main components of a threat model in the context of cybersecurity? Okay, so what are the main components of a threat model in the context of cybersecurity? Okay, so what are the main components of a threat model in the context of cybersecurity A assets, vulnerabilities, threats and mitigations. B assets, adversaries, threats and mitigations. C assets, adversaries, attack vectors. And then mitigations, or D adversaries, vulnerabilities, threats and mitigations. Okay, so if you notice there's right now, you get assets. So assets has got three of the four. I'd probably pick assets if I didn't know. And when you're dealing with adversaries, that is probably something you won't understand when it comes to threat modeling. So that was if I'd narrow that down to B and C and then, when it really comes right down to it, c is the main component of a threat model are assets, adversaries, attack vectors and then mitigations.
Speaker 1:
What are the main focus of the TRIKE technology in threat modeling? A is data, b is systems, c is people, d is processes. Well, if you listened to the last podcast, the TRIKE methodology, the main part of the main focus of that threat modeling is data. So the answer is D or D. It's A. The answer is A data. So the TRIKE methodology does focus on a highly data-centric approach.
Speaker 1:
Which of those following steps in the threat modeling process involves the use of stride or dread? That's another one that you're going to have to know for your CISSP is dread, okay, so one is identifying assets, Two is identifying potential assets, c is identifying potential threats or D is identifying and implementing controls. And the answer is C. Identifying potential threats involves the use of methodologies like stride or dread, which threat in stride refers to an act that modifies or alters data or the system configuration. So which threat in stride refers to the act that modifies or alters the data in the system configuration. So you get A is spoofing, b is tampering, c is repudiation or D is information disclosure. Again, modifying or altering the data is tampering right. So that's B. Tampering refers to the act or modifying of alters data in the system configuration.
Speaker 1:
Which of the following is not a component of a threat in the context of threat modeling? Which of the following is not a component of a threat in the context of threat modeling? A a vulnerability, b an asset. C an adversary, or D an impact. Okay, so which is not a component of a threat? So of a threat in the context of threat modeling? So the component of the threat is vulnerabilities. Asset and adversaries are all components that are tied to threat modeling. Asset and adversaries are all components that are tied to threat modeling. D is the impact, is a result of a successful threat but is not a component of the overall threat. So I hope that makes sense to you guys.
Speaker 1:
Which of the following threat modeling methodology focuses on data flow diagrams? Okay, so we talked about data flow diagrams earlier in our CISSP cyber training. That was on the podcast that was on Monday. So A is pasta, b is stride, c is trike or D is octave. Okay, so we talked about it. So, if you go, well, since we talked about it, then it would be stride or trike. You'd be correct, but remember, trike was focused on data and stride was focused on data flow diagrams. That is stride, so it would be B. Stride is focused on data flow diagrams. What does R in stride stand for? Again, a recognition, b replication. We talked about the replication thing C repudiation or D restoration, and the answer is C repudiation. That's what the R stands for in stride.
Speaker 1:
What is the main goal of threat modeling? One, to comply with legal or A to comply with legal requirements. B, to identify potential threats and develop appropriate countermeasures. C to purchase suitable cybersecurity insurance or D, to train IT staff about cybersecurity. Okay, so you can do all of the I mean? Well, you can definitely train staff about it, but that's not the main purpose behind it. Right, you can purchase security insurance by doing your stride. That'll help you understand your overall threat modeling. It'll help you understand what you need to do. But when it really comes right down to it, the main goal of threat modeling is to identify potential threats and develop the appropriate countermeasures behind it. Each of those are helpful, not necessarily the legal requirements, but I mean you could have some legal requirements. I guess I've never seen that, but you could. But definitely C and D is a byproduct of doing a threat modeling. But the overall answer is B to identify potential threats and develop appropriate countermeasures.
Speaker 1:
Which methodology involves creating a threat model that is at the design phase of a system or application. So a methodology involves creating a threat model at the design phase of a system or application A, stride, b, dread, c, cvss, which isn't one, and then D, owasp. Okay, that's really not a threat model either. So then, when it comes right down to it? So if you knew CVSS isn't one and OSP isn't one, you could narrow it down to stride and dread. But when it comes right down to it, which one do we talk about? We talked about stride, but stride is a threat model that is at the design phase of the system or application. That would be A stride. What type of threat does the E in stride represent? A encryption, b endpoint, c elevation of privileges or D exfiltration. And the answer is C Elevation of privileges is what we want. That's what the E is for in the stride, we focused on that.
Speaker 1:
In a threat modeling, what does the adversary represent? A security control? No, a vulnerability? Yeah, no See. An asset? No, the answer is D a threat actor. That is correct. That is the adversary. Now, that threat actor can be multiple things. It could be a hacker that's sitting in Bangladesh, or it could be your person that's sitting right next to you in the cubicle. That is what a threat an adversary would be your person that's sitting right next to you in the cubicle. That is what a threat an adversary would be and that is represented as a threat actor In the context of a stride.
Speaker 1:
What does information disclosure mean? It means gaining unauthorized access to the information. A tampering with the information. B unauthorized alteration of the information. C or releasing the information to the public. Okay, so, when the context is tried, what does information disclosure mean? And that means A gaining unauthorized access to the information that is referred to as information disclosure.
Speaker 1:
Which of the following is not part of the threat modeling process? That is A identifying potential threats, identifying vulnerabilities is B. Identifying assets is C, and then identifying network architecture is D. That's a pretty easy one, right? The answer is D, because we've talked about all A, b and C, but we have not really talked about identifying network architecture, so that would probably be not part of the threat modeling process.
Speaker 1:
And then which of the following is true about threat modeling? A it focuses only on external threats. No, b it performed only after a security breach has occurred. Yeah, no, that's B. C it involves a proactive identification and mitigation of the threat. Hmm, maybe. And then D it's a one-time activity that does not require updates or maintenance. Yeah, that's not it either. So the answer would be C. Again, it's proactive identification and mitigation of the threats, and it is always an ongoing activity and should always be updated on a routine basis. All right, that's all I got for you today. I hope you guys have a wonderful day. Go check me out at CISSP Cyber Training. Check out the blueprint you will be happy you did cyber training. Check out the blueprint you will be happy you did, and we'll catch you on the flip side. Have a wonderful day and have a great week. Talk to you later, bye.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!