Security Concepts: True/False and Threat Modeling Q&A
True/False Questions
True: CFI is a technique for dynamically checking whether indirect control transfers during program execution are consistent with those described by the program source code.
True: Cache timing attacks can be used to break process isolation.
False: Cookies are unique tokens generated by web browsers to identify themselves to web servers.
True: A browser configured to not execute JavaScript cannot be attacked via cross-site scripting (XSS) attacks.
False: Eliminating all XSS attacks also eliminates SQL injection attacks.
True: Use-after-free vulnerabilities can be used by an attacker to hijack control flow.
True: Both direct and indirect call instructions must be instrumented to enforce fine-grained, forward-edge CFI.
True: Virtual memory is a means of isolating the memory address space of multiple processes.
True: Just-in-time (JIT) compilers make it possible for attackers to bring shellcode into a process with W^X enabled.
Threat Modeling & Security Principles
Which security property is violated if an attacker modifies a database without authorization?
Answer: b) Integrity
What principle is violated if a low-privileged user can modify admin settings in a web application?
Answer: a) Least Privilege
A file permission system allows users to modify files they do not own. What security flaw does this introduce?
Answer: a) Violation of Least Privilege
Which security principle ensures that access control is enforced every time a request is made?
Answer: c) Complete Mediation
What security principle states that systems should default to no access unless explicitly granted?
Answer: d) Fail-Safe Defaults
What principle helps reduce the impact of a security breach by dividing a system into separate components?
Answer: b) Privilege Separation
Which security property is violated if an attacker crashes a server by overloading it with requests?
Answer: c) Availability
A system requires two different administrators to approve any critical changes. Which principle does this follow?
Answer: d) Separation of Duties
Which security principle involves implementing multiple layers of security to protect against failure in one layer?
Answer: b) Defense-in-Depth
A company uses encryption to protect data stored on its servers. Which security property is this enforcing?
Answer: a) Confidentiality
Which principle states that security mechanisms should not rely on secrecy of their implementation?
Answer: c) Open Design
What is the first step in threat modeling?
Answer: b) Identify assets
A developer adds extra validation checks to detect unauthorized access attempts. This follows which principle?
Answer: a) Complete Mediation
What is a key goal of security threat modeling?
Answer: d) Identify potential risks before they become vulnerabilities
An attacker tricks an employee into providing login credentials over the phone. This is an example of what attack?
Answer: c) Social Engineering
What is the most effective way to reduce the attack surface of a system?
Answer: b) Minimize the number of exposed services and entry points
Why is “keeping it simple” an important security principle?
Answer: a) Complex systems have more vulnerabilities
Which of the following is NOT a part of the CIA triad?
Answer: d) Authorization
What is the purpose of role-based access control (RBAC)?
Answer: b) Restrict access based on a user’s role in the system
A security policy that automatically logs out users after a period of inactivity follows which principle?
Answer: d) Least Privilege
What is the main goal of risk assessment in threat modeling?
Answer: c) Determine the likelihood and impact of security threats
Which of the following best describes the concept of a threat model?
Answer: a) A structured approach to identifying and evaluating security risks
An organization limits admin privileges to only a few trusted employees. What principle is being followed?
Answer: b) Least Privilege