PART 1 (60 marks): ANALYZE STRIDE PER ELEMENT
Spoofing (6 marks) - entity and process.
Tampering (9 marks) - data flow, data store and process.
Repudiation (3 marks) - entity.
Information disclosure (9 marks) - data stores and data flows.
Denial of service (9 marks) - process, data stores and data flows.
Elevation of privilege (3 marks) - process.
We choose the BEST entry for each combination and award it up to three marks,
one mark for each of these three elements:
- correct application as an attack
- application to the right victim
- impact of threat makes sense in the context of the system
Work done (three possibilities):
- fewer than one threat per row (0 marks)
- more than one threat per row (11 marks)
- a threat for each applicable cell (21 marks)
PART 2 (20 marks): SUMMARISE THREATS AND APPLY DREAD
We take the best answers for TWO threats and award one mark for each of:
- damage potential
- affected customers
In addition, one mark per unique threat summarised, up to ten marks (10 marks).
PART 3 (20 marks): DECIDE HOW TO HANDLE RISKS
Find the best example of each of these risk-handling strategies:
- mitigation (4 marks)
- elimination (4 marks)
- transfer (4 marks)
- accept risk (4 marks)
- half a mark per answer, up to eight answers (4 marks)