Which of the following correctly matches a STRIDE category with its primary threat type?
Think about what each STRIDE letter stands for and the kind of threat it represents.
Spoofing means pretending to be someone else to gain access. Tampering is about modifying data. Repudiation involves denying actions, and Information Disclosure is about exposing data.
Which component of the DREAD model evaluates how easily an attacker can exploit a vulnerability?
Consider which factor measures the effort or skill needed to carry out an attack.
Exploitability measures how easy it is for an attacker to exploit a vulnerability. Damage Potential is about impact, Reproducibility about repeating the attack, and Discoverability about finding the vulnerability.
A web application allows users to upload files without checking the file type. Which STRIDE threat does this vulnerability most directly relate to?
Think about what an attacker could do by uploading malicious files.
Uploading unchecked files can allow attackers to modify or inject malicious data, which is Tampering. Elevation of Privilege is about gaining higher access, Information Disclosure about leaking data, and Spoofing about impersonation.
A vulnerability has the following DREAD scores: Damage Potential=8, Reproducibility=7, Exploitability=9, Affected Users=6, Discoverability=5. What is the average risk score?
Calculate the average by adding all scores and dividing by the number of components.
The sum is 8 + 7 + 9 + 6 + 5 = 35. Dividing by 5 gives 7.0 as the average risk score.
An attacker intercepts and reads sensitive data sent between a user and a server without altering it. Which STRIDE threat does this represent?
Focus on what the attacker does with the data.
Intercepting and reading data without changing it is Information Disclosure. Tampering involves modification, Repudiation is denying actions, and Denial of Service is about blocking access.