1392  Threat Modeling Assessments and Resources

1392.1 Learning Objectives

By the end of this chapter, you will be able to:

  • Apply Threat Modeling Knowledge: Demonstrate mastery through comprehensive quizzes
  • Analyze Complex Scenarios: Evaluate multi-layer IoT security scenarios
  • Select Appropriate Mitigations: Choose correct security controls for different threat types
  • Identify Learning Resources: Access videos and documentation for deeper understanding

Threat Modeling Series:

  • Introduction & Fundamentals: Threat modeling basics
  • STRIDE Framework: Systematic threat identification
  • Attack Scenarios: Real-world attacks and risk assessment
  • Hands-On Lab: Interactive simulator

Security Context:

  • Security Overview: Security landscape
  • Device Security: Device hardening

1392.2 Quiz 1: Critical Attack Scenario Analysis

Question 6: In the Mirai botnet attack scenario (Attack Scenario 3), what is the FIRST step attackers take to build the botnet?

💡 Explanation: The attack chain is: 1) Port scanning (find devices), 2) Brute force (compromise), 3) Malware download (infect), 4) Propagation (spread), 5) DDoS launch (attack). Scanning identifies vulnerable devices with open Telnet (port 23) or SSH (port 22) before any exploitation occurs. Mirai scanned random IP addresses looking for IoT devices, then tried default credentials. Mitigation starts at reconnaissance: firewalls blocking inbound connections, disabling unnecessary services, or using non-standard ports (though security through obscurity alone is insufficient).

Question 1: A security team analyzing a smart factory follows the five-step threat modeling process. After identifying all components and entry points, what should they do NEXT?

💡 Explanation: The five-step process follows: 1) Architecture knowledge, 2) Entry points, 3) Data flow paths, 4) Trust boundaries, 5) Attack scenarios. After identifying entry points, you must map how data flows through the system, where it’s encrypted/decrypted, and authentication/authorization checkpoints. This reveals where data is most vulnerable before defining trust boundaries. Skipping to attack scenarios without understanding data flow means missing critical vulnerabilities in data handling.

Question 2: An attacker replaces a valid sensor calibration file with modified thresholds during boot. Using STRIDE, which threat category does this represent?

💡 Explanation: Tampering violates integrity—unauthorized modification of data or code. The attacker didn’t impersonate anyone (spoofing), expose information (disclosure), or escalate privileges. The PRIMARY action is modifying the calibration file. Countermeasures include digital signatures on configuration files, integrity checks (hash verification), and secure boot validating all loaded data before use. This scenario from Attack Scenario 2 shows how tampering can cause physical harm in industrial systems.

Question 3: Using DREAD methodology, a vulnerability has these scores: Damage=9, Reproducibility=10, Exploitability=8, Affected users=7, Discoverability=6. What is the risk score and category?

💡 Explanation: DREAD score = (D + R + E + A + D) / 5 = (9 + 10 + 8 + 7 + 6) / 5 = 40/5 = 8.0/10. Scores ≥8.0 are CRITICAL, 6.0-7.9 HIGH, 4.0-5.9 MEDIUM, <4.0 LOW. The high reproducibility (10) and damage (9) make this critical—it’s easy to exploit repeatedly with severe impact. This quantifiable approach prioritizes remediation: fix CRITICAL threats first (8.0+), then HIGH (6.0+), allocating security resources based on actual risk rather than intuition.

Question 4: In Attack Scenario 1 (Administration System Compromise), what is the MOST EFFECTIVE mitigation to prevent initial compromise?

💡 Explanation: Network segmentation is PREVENTIVE—it stops attackers from reaching the IoT gateway even if they compromise the corporate network. IDS is DETECTIVE (identifies attacks after they start). Incident response is REACTIVE (responds after compromise). Firmware verification prevents malicious updates but doesn’t stop initial network-based compromise. The attack path is: reconnaissance → exploit vulnerability → network access → persistence. Segmentation blocks the “network access” step with firewalls between IoT and corporate networks, following defense-in-depth principles.

Question 5: A threat model reveals 8 CRITICAL threats, 15 HIGH threats, and 30 MEDIUM threats. Security budget allows addressing only 10 threats this quarter. What prioritization approach is MOST appropriate?

💡 Explanation: Always prioritize CRITICAL threats first—they have highest impact×likelihood and pose immediate danger. Fixing 10 MEDIUM threats leaves 8 CRITICAL threats unmitigated, which is unacceptable. “Balanced coverage” sounds appealing but leaves CRITICAL threats active. Public-facing focus ignores internal threats. The correct approach: eliminate ALL critical threats (8), then move to HIGH threats (2 more), maximizing risk reduction. If budget constraints persist, revisit why CRITICAL threats exist—they may indicate fundamental architecture problems requiring redesign, not just patching.

Question 7: An attack tree shows: Reconnaissance (95% probability) → Exploit (70%) → Escalate (60%) → Control (90%). What is the overall attack success probability?

💡 Explanation: Attack tree probabilities multiply (AND gate logic): 0.95 × 0.70 × 0.60 × 0.90 = 0.3591 = 35.9%. The attacker must succeed at EVERY step. Even one failure breaks the chain. This shows why defense-in-depth works: adding a 50% probability defense layer reduces overall attack success from 35.9% to 17.95%. The weakest link is “Escalate” (60%)—strengthening that step most effectively reduces overall risk. Attack trees help identify where mitigation investments have maximum impact.
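The calculation above as an added Python example (not the chapter's own framework code): it propagates probabilities through the Question 7 chain and ranks which step gains most from the same amount of hardening. It goes beyond the text by also handling OR gates; the 0.40 alternative-entry probability, the 0.10 hardening step and the independence of steps are assumptions.

```python
from dataclasses import dataclass, field
from math import prod


@dataclass
class Node:
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any child)
    p: float = 0.0          # attacker success probability; used by leaves only
    children: list = field(default_factory=list)


def success(node):
    """Propagate success probability up to this node, assuming independent steps."""
    if node.gate == "LEAF":
        return node.p
    probs = [success(child) for child in node.children]
    if node.gate == "AND":
        return prod(probs)
    if node.gate == "OR":
        return 1 - prod(1 - q for q in probs)
    raise ValueError(f"unknown gate: {node.gate!r}")


def leaves(node):
    """Yield every leaf (attack step) below a node."""
    if node.gate == "LEAF":
        yield node
    else:
        for child in node.children:
            yield from leaves(child)


def hardening_ranking(root, delta=0.10):
    """Lower each leaf by `delta` in turn; return (leaf, new root probability), best first."""
    ranking = []
    for leaf in leaves(root):
        original = leaf.p
        leaf.p = max(0.0, original - delta)
        ranking.append((leaf.name, round(success(root), 5)))
        leaf.p = original           # restore before trying the next leaf
    return sorted(ranking, key=lambda item: item[1])


def question7_chain(extra_layer=None, alt_entry=None):
    """Chain from Question 7. `extra_layer` adds one more AND step (bypass probability);
    `alt_entry` adds a second, constructed way to achieve the Exploit step (OR gate)."""
    exploit = Node("Exploit", p=0.70)
    if alt_entry is not None:
        exploit = Node("Gain foothold", "OR",
                       children=[exploit, Node("Alternative entry", p=alt_entry)])
    steps = [Node("Reconnaissance", p=0.95), exploit,
             Node("Escalate", p=0.60), Node("Control", p=0.90)]
    if extra_layer is not None:
        steps.append(Node("Bypass added control", p=extra_layer))
    return Node("Attack succeeds", "AND", children=steps)


if __name__ == "__main__":
    print(f"baseline:          {success(question7_chain()):.4f}")
    print(f"with 50% layer:    {success(question7_chain(extra_layer=0.5)):.5f}")
    print(f"with second entry: {success(question7_chain(alt_entry=0.40)):.5f}")
    for name, p in hardening_ranking(question7_chain()):
        print(f"harden {name:<15} -> {p}")
```

An unprotected alternative entry path raises the overall probability above the baseline, which is why every OR branch needs its own control.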

Question 8: A vulnerability has 85% risk reduction after mitigation. Initial risk score was 80/100. What is the residual risk?

💡 Explanation: Residual Risk = Initial Risk × (1 - Mitigation Effectiveness) = 80 × (1 - 0.85) = 80 × 0.15 = 12. The mitigation eliminates 85% of risk (68 points), leaving 15% residual (12 points). Perfect mitigation (100%) is impossible in practice. Residual risk of 12/100 is often acceptable for MEDIUM threats, but CRITICAL threats may require <5 residual risk. Organizations must decide acceptable residual risk levels based on impact, likelihood, and risk appetite. Documenting residual risk demonstrates due diligence for compliance.

Question 9: According to the Open Threat Taxonomy, an attacker sending a phishing email to an IoT administrator falls under which category?

💡 Explanation: Phishing is social engineering targeting people (Personnel Threats), not technology. The taxonomy recognizes that humans are often the weakest link. Physical threats involve equipment damage/theft. Technical threats exploit software/hardware vulnerabilities. Resource threats disrupt power/network. Personnel threats include phishing, insider threats, accidental misconfiguration, and social engineering. Mitigations: security awareness training, phishing simulations, email filtering, multi-factor authentication (even if credentials are stolen, 2FA prevents access), and incident response procedures for reported suspicious emails.

Question 10: In Attack Scenario 2 (Sensor Value Manipulation), attackers modify calibration thresholds. What is the PRIMARY safety consequence?

💡 Explanation: Modified thresholds cause the robot to accept invalid sensor readings (e.g., accepting 200°C as normal when limit is 100°C), leading to wrong control decisions and dangerous movements. This is an integrity attack (tampering) with SAFETY consequences—not just data exposure or availability. Countermeasures: encrypted calibration data, digital signatures, integrity checks (hash verification), redundant sensors with cross-validation, anomaly detection flagging out-of-pattern behavior, and physical tamper detection. Safety-critical systems need Defense Level 3+ (IEC 62443) with hardware and software integrity protections.
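The integrity countermeasures named in the explanations for Question 2 and Question 10, sketched as an added example (not code from the chapter): a boot-time loader that authenticates the calibration file before parsing it and then checks the thresholds against a fixed safety envelope. HMAC-SHA256 stands in for a digital signature so the example needs only the standard library; the key, file contents, field names and the fall-back-to-defaults policy are constructed assumptions.

```python
import hashlib
import hmac
import json


class CalibrationError(Exception):
    """Raised when a calibration file must not be used."""


# Assumption: limits fixed in firmware, independent of any loaded file.
# The 100 degC ceiling is the limit used in the scenario text.
SAFETY_ENVELOPE = {"max_temp_c": (0.0, 100.0)}
SAFE_DEFAULTS = {"max_temp_c": 80.0}      # constructed conservative fallback

# Constructed demo inputs. A real device would keep the key in protected storage.
DEMO_KEY = b"constructed-demo-key"
GOOD_FILE = b'{"sensor": "temp-1", "max_temp_c": 100.0}'
TAMPERED_FILE = b'{"sensor": "temp-1", "max_temp_c": 200.0}'


def make_tag(blob: bytes, key: bytes) -> str:
    """Integrity tag produced at provisioning time."""
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_calibration(blob: bytes, tag: str, key: bytes) -> dict:
    # 1. Integrity first: never parse bytes that failed authentication.
    if not hmac.compare_digest(make_tag(blob, key).encode(), tag.encode()):
        raise CalibrationError("integrity tag mismatch")
    # 2. Parse strictly; anything unexpected is a rejection, not a warning.
    try:
        cal = json.loads(blob)
    except ValueError as exc:
        raise CalibrationError("malformed calibration data") from exc
    if not isinstance(cal, dict):
        raise CalibrationError("calibration data is not an object")
    # 3. Plausibility: a correctly tagged file can still carry unsafe values
    #    (for example if the provisioning key or process is compromised).
    for name, (low, high) in SAFETY_ENVELOPE.items():
        value = cal.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise CalibrationError(f"{name}: missing or not numeric")
        if not low <= value <= high:
            raise CalibrationError(f"{name}={value} outside safety envelope")
    return cal


def load_at_boot(blob: bytes, tag: str, key: bytes):
    """Fail closed: on any rejection run with conservative defaults and report why."""
    try:
        return verify_calibration(blob, tag, key), "verified"
    except CalibrationError as exc:
        return dict(SAFE_DEFAULTS), f"rejected: {exc}"


if __name__ == "__main__":
    good_tag = make_tag(GOOD_FILE, DEMO_KEY)
    print(load_at_boot(GOOD_FILE, good_tag, DEMO_KEY))
    print(load_at_boot(TAMPERED_FILE, good_tag, DEMO_KEY))
    print(load_at_boot(TAMPERED_FILE, make_tag(TAMPERED_FILE, DEMO_KEY), DEMO_KEY))
```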

Question 11: A security team identifies 50 threats but only has budget for 30 mitigations. After implementing those 30, what should they do with the remaining 20 unmitigated threats?

💡 Explanation: Unmitigated threats must be formally documented as accepted risk with management acknowledgment. This demonstrates due diligence: “We identified the risks, explained consequences, and management consciously accepted them.” Ignoring threats creates liability. Waiting delays addressing critical issues. “Free compensating controls” don’t exist—all security measures have cost (time, complexity, performance). Risk acceptance requires: documenting threat severity, explaining why not mitigated (budget, timeline, technical constraints), getting management sign-off, and revisiting periodically. This protects the organization legally and ensures leadership understands security posture.

Question 12: When using STRIDE for a smart thermostat, which threat should have HIGHEST priority based on potential impact?

💡 Explanation: Elevation of Privilege is highest impact because once attackers have admin control, they can exploit ALL other STRIDE categories: spoof identity, tamper with settings, access all data, deny service, and hide their actions. Privilege escalation is the “keys to the kingdom”—complete device compromise. Information disclosure of temperature history is a privacy concern with limited impact. Repudiation is low impact for a thermostat (non-repudiation isn’t critical for home temperature changes). DoS is medium impact (temporary inconvenience). Prioritization: Elevation of Privilege > Tampering/Spoofing > Info Disclosure/DoS > Repudiation.

Question 17: A threat analysis identifies a vulnerability with DREAD scores: Damage=10, Reproducibility=10, Exploitability=2, Affected=9, Discoverability=1. The low Exploitability and Discoverability suggest the threat is:

💡 Explanation: DREAD = (10+10+2+9+1)/5 = 6.4 (HIGH priority). Despite low Exploitability (2) and Discoverability (1), Damage (10) and Affected users (9) are catastrophic. This is a latent high-impact vulnerability—hard to find and exploit TODAY, but once discovered (by researchers or attackers), it becomes CRITICAL due to severe consequences. Strategy: Mitigate BEFORE it’s widely discovered. Security through obscurity (low discoverability) is temporary—assume sophisticated attackers will find it. Real-world example: Heartbleed (CVE-2014-0160) was undiscovered for 2 years but had catastrophic impact once found. Proactive mitigation prevents “zero-day” scenarios.

Question 18: According to IEC 62443 security levels referenced in the Security Decision Tree, which scenario requires the HIGHEST security level implementation?

💡 Explanation: C requires Safety-Critical Security (IEC 62443 SL-3 or SL-4) because compromise causes catastrophic safety consequences: explosions, injuries, environmental disasters, loss of life. IEC 62443 defines Security Levels: SL-1 (casual attacker, option A), SL-2 (intentional attacker with resources, options B/D), SL-3 (sophisticated attacker with specific knowledge, industrial control), SL-4 (nation-state APT with unlimited resources, critical infrastructure). Safety-critical systems need: defense-in-depth, network segmentation, secure-by-design, formal verification, redundant safety systems, and continuous monitoring. Cost: $100-500+/device vs $1-5/device for public sensors. Regulatory requirements (EPA, OSHA) mandate these controls.

1392.3 Chapter Summary

Systematic threat modeling provides structured methodology for proactive security through five iterative steps: acquiring comprehensive architecture knowledge of IoT components and interactions, identifying entry points across physical/network/application interfaces, mapping data flow paths with encryption and authentication checkpoints, defining trust boundaries between device/gateway/cloud tiers, and conceiving plausible attack scenarios based on threat intelligence. This disciplined approach ensures comprehensive coverage of potential vulnerabilities before deployment.

Multiple threat taxonomies guide classification and prioritization. STRIDE maps threats to security properties: Spoofing violates authentication, Tampering violates integrity, Repudiation prevents accountability, Information Disclosure violates confidentiality, Denial of Service violates availability, and Elevation of Privilege violates authorization. The Open Threat Taxonomy categorizes threats as Physical (hardware damage), Resource (power/network disruption), Personnel (social engineering), and Technical (exploitation). ENISA provides IoT-specific frameworks covering devices, communications, data, services, and stakeholders.

Ten critical IoT attack scenarios demonstrate real-world exploitation paths: network eavesdropping for intelligence gathering, sensor manipulation causing safety failures, actuator sabotage for production disruption, administration system compromise enabling mass device control, protocol exploitation leveraging vulnerabilities, command injection for privilege escalation, stepping stone attacks for anonymity, DDoS botnet creation (Mirai-style), power manipulation for battery depletion, and ransomware attacks on critical infrastructure. Each scenario includes detailed attack steps, impact analysis, and targeted mitigations.

The comprehensive Python threat modeling framework implements DREAD scoring (calculating risk as average of five factors rated 1-10), attack tree analysis with probability propagation and critical path identification, automated threat identification matching asset properties to known vulnerabilities, MITRE ATT&CK phase mapping for IoT-specific techniques, residual risk calculation showing effectiveness of applied mitigations, attack surface scoring per asset based on threat count and severity, and mitigation coverage analysis identifying unprotected vulnerabilities. This framework enables data-driven security decisions with quantifiable risk metrics and prioritized remediation roadmaps.
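A compact threat register in the spirit of the framework described above, added here as an illustration and not the chapter's framework code: it applies the DREAD bands from Question 3, the residual-risk formula from Question 8, budget-limited prioritization with documented risk acceptance (Questions 5 and 11), and a flag for the latent pattern from Question 17. Threat names, effectiveness values and the latent-threat thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected: int
    discoverability: int
    effectiveness: float = 0.0   # expected risk reduction (0..1) of the planned mitigation

    @property
    def dread(self) -> float:
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected + self.discoverability) / 5


def category(score: float) -> str:
    """Bands as stated in the chapter's DREAD explanation."""
    if score >= 8.0:
        return "CRITICAL"
    if score >= 6.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def is_latent(t: Threat) -> bool:
    """Severe damage masked by low exploitability or discoverability.
    The 9 and 3 cut-offs are assumptions, not values from the chapter."""
    return t.damage >= 9 and min(t.exploitability, t.discoverability) <= 3


def residual_risk(initial: float, effectiveness: float) -> float:
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return initial * (1.0 - effectiveness)


def plan(threats, budget):
    """Fund the `budget` highest-scoring threats; the rest become accepted risk
    that needs management sign-off. Latent threats are flagged either way."""
    ranked = sorted(threats, key=lambda t: t.dread, reverse=True)
    report = []
    for position, t in enumerate(ranked):
        funded = position < budget
        applied = t.effectiveness if funded else 0.0
        report.append({
            "name": t.name,
            "dread": t.dread,
            "category": category(t.dread),
            "latent": is_latent(t),
            "status": "mitigate" if funded else "accept-with-signoff",
            "residual": round(residual_risk(t.dread, applied), 2),
        })
    return report


# Constructed register; the first two rows reuse the scores from Questions 3 and 17.
REGISTER = [
    Threat("Default Telnet credentials", 9, 10, 8, 7, 6, effectiveness=0.85),
    Threat("Unsigned calibration file", 10, 10, 2, 9, 1, effectiveness=0.90),
    Threat("Verbose error pages", 3, 6, 5, 4, 6, effectiveness=0.50),
    Threat("Unencrypted telemetry", 6, 8, 6, 7, 6, effectiveness=0.70),
]

if __name__ == "__main__":
    for row in plan(REGISTER, budget=2):
        print(row)
```

With a budget of two, score-only ranking leaves the latent threat unfunded; the `latent` flag is what brings it to the reviewer's attention before sign-off.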

1392.4 Videos

Threat Modeling Overview
From slides — frameworks (STRIDE, attack trees) and IoT-specific considerations.

Privacy Engineering Basics
From slides — aligning threat models with privacy-by-design principles.

Attack Trees and Misuse Cases
From slides — constructing and using attack trees for IoT.
