24 Chapter 1 ■ Security and Risk Management (Domain 1)
- John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?
A. Spoofing
B. Repudiation
C. Information disclosure
D. Elevation of privilege

- Which one of the following is an administrative control that can protect the confidentiality of information?
A. Encryption
B. Nondisclosure agreement
C. Firewall
D. Fault tolerance

- Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
A. His supply chain
B. His vendor contracts
C. His post-purchase build process
D. The original equipment manufacturer (OEM)

- STRIDE, PASTA, and VAST are all examples of what type of tool?
A. Risk assessment methodologies
B. Control matrices
C. Threat modeling methodologies
D. Awareness campaign tools

- In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe?
A. Regression testing
B. Code review
C. Change management
D. Fuzz testing
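The first question above describes an information disclosure in STRIDE terms: developer comments left in served HTML gave the attacker the clues needed to exploit the application. The following script is an added example, not part of the original question bank, showing the check a reviewer can run against a page before it ships: pull every HTML comment out with the standard-library parser and flag the ones that match patterns typical of leaked implementation detail (credentials, internal hostnames, file paths, version strings, developer notes, raw SQL). The pattern list and the sample page are constructed for illustration.

```python
"""Scan HTML for comments that leak implementation details.

Added example for the STRIDE information-disclosure question above. It pulls
every <!-- ... --> comment out of a page with the standard-library HTML parser
and flags those matching patterns a reviewer would treat as sensitive. The
patterns and the sample page are constructed, not taken from the original text.
"""
import re
from html.parser import HTMLParser

# Heuristics for comment content that helps an attacker. Constructed list;
# tune it for the application under review.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]", re.I),
    "internal_host": re.compile(r"\b(?:[\w-]+\.)+(?:internal|local|corp|lan)\b", re.I),
    "file_path": re.compile(r"(?:/[\w.-]+){2,}|[A-Za-z]:\\[\w\\.-]+"),
    "version": re.compile(r"\b(?:v|version\s*)\d+\.\d+(?:\.\d+)?\b", re.I),
    "dev_note": re.compile(r"\b(TODO|FIXME|HACK|XXX|debug|disabled|bypass|workaround)\b", re.I),
    "sql": re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.+\b(FROM|INTO|WHERE)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collects every HTML comment together with the line on which it starts."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line_number, comment_text)

    def handle_comment(self, data):
        # getpos() reports the position of the '<!--' being handled.
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def extract_comments(html):
    """Return [(line, text)] for every comment in the document."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def classify(comment):
    """Return the set of pattern names the comment text matches."""
    return {name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(comment)}


def find_disclosures(html):
    """Return [(line, sorted_categories, text)] for comments matching any pattern."""
    findings = []
    for line, text in extract_comments(html):
        cats = classify(text)
        if cats:
            findings.append((line, sorted(cats), text))
    return findings


# Constructed sample page containing the kind of leak described in the question.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><title>Account</title>
<!-- build v2.3.1 - see /srv/www/app/config.ini for DB settings -->
</head>
<body>
<!-- Customer support contact -->
<form action="/login" method="post">
<!-- TODO: remove debug bypass; admin password=Summer2019! still works against db01.corp -->
<input name="user"><input name="pass" type="password">
</form>
</body>
</html>
"""

if __name__ == "__main__":
    for line, cats, text in find_disclosures(SAMPLE_PAGE):
        print(f"line {line}: {', '.join(cats)}: {text}")
```

On the sample page the harmless "Customer support contact" comment passes, while the build comment (version plus file path) and the TODO comment (credential, developer note, internal hostname) are reported with their line numbers. The patterns are deliberately loose and will produce false positives; the point is to surface every comment for a human decision, since anything left in the HTML is delivered to the client and must be assumed readable by an attacker.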