CAS-003 · Question #378
Correct answer: D. Conduct a threat modeling exercise.
Question
Options
- A. Summarize the most recently disclosed vulnerabilities.
- B. Research industry best practices and latest RFCs.
- C. Undertake an external vulnerability scan and penetration test.
- D. Conduct a threat modeling exercise.
Explanation
Threat modeling is the structured, systematic process of identifying and categorizing the threats to a system: the actor types behind them (nation-states, hacktivists, cybercriminals, competitors), the attack vectors they use (phishing, supply chain compromise, web application attacks), the vulnerabilities they would exploit, and the business impact that would result. Because it starts from the organization's own assets and data flows and works outward to who would attack them and how, it produces exactly the prioritized, business-contextualized threat landscape a CISO needs to justify security funding to the board. Option A (summarizing recently disclosed vulnerabilities) is reactive and tactical: it lists CVEs but does not map them to threat actors, vectors, or business impact in any structured way. Option B (researching best practices and RFCs) produces control frameworks and standards, not a threat landscape. Option C (an external vulnerability scan and penetration test) is a point-in-time technical assessment of currently exploitable weaknesses in a defined scope; it reports findings, not a categorization of external actors and their motivations. Threat modeling, whether done with STRIDE (which enumerates threat categories per element of a data-flow diagram), PASTA (an attacker-centric, risk-driven methodology), or a similar framework, uniquely delivers the actor-vector-vulnerability-impact mapping the question describes. One caveat a practitioner should carry into the boardroom: the output is only as credible as the asset inventory and actor assumptions it is built on, so the model should be revisited as the environment and the threat landscape change.
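To make the "actor-vector-vulnerability-impact mapping" concrete, the following is an added worked example, not part of the exam page or any vendor's material. It applies the standard STRIDE-per-element rule to a tiny constructed data-flow diagram, pairs each applicable threat category with constructed external-actor profiles (likelihood scores), multiplies by a constructed business-impact score per element, and produces the kind of ranked list and per-actor risk summary a CISO could take to a board. The element names, actor profiles, and scores are illustrative assumptions; only the STRIDE-per-element applicability table is the established mapping.

```python
"""STRIDE-per-element threat enumeration and prioritization over a small DFD.

Added example for this page; not the exam's or any framework vendor's code.
The DFD, actor profiles and scores below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Established STRIDE-per-element applicability: which threat categories are
# considered for each kind of data-flow-diagram element.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",      # Spoofing, Repudiation
    "process":         "STRIDE",  # all six categories
    "data_store":      "TRID",    # Tampering, Repudiation, Info disclosure, DoS
    "data_flow":       "TID",     # Tampering, Info disclosure, DoS
}

CATEGORY_NAMES: Dict[str, str] = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Constructed external-actor profiles (assumption, not threat intelligence):
# the STRIDE categories each actor type typically pursues, with a 1..5
# likelihood score. Categories absent from every profile still get enumerated
# below with a low "unattributed" likelihood so nothing silently drops out.
ACTOR_PROFILES: Dict[str, Dict[str, int]] = {
    "cybercriminal": {"S": 4, "T": 3, "I": 5, "D": 2, "E": 4},
    "hacktivist":    {"D": 4, "T": 3, "I": 2},
    "nation-state":  {"S": 3, "I": 4, "E": 4},
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str      # key of STRIDE_PER_ELEMENT
    impact: int    # 1..5 business impact if compromised (constructed score)

@dataclass(frozen=True)
class Threat:
    element: str
    category: str  # single STRIDE letter
    actor: str
    likelihood: int
    impact: int

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score; real programmes often use DREAD,
        # CVSS environmental scores or a risk matrix instead.
        return self.likelihood * self.impact

# Constructed DFD for a web application with a customer database (assumption).
SAMPLE_DFD: List[Element] = [
    Element("Customer", "external_entity", impact=2),
    Element("Web app", "process", impact=4),
    Element("Customer DB", "data_store", impact=5),
    Element("App->DB flow", "data_flow", impact=4),
]

def enumerate_threats(elements: List[Element]) -> List[Threat]:
    """STRIDE-per-element, then attribute each category to the actors who pursue it."""
    threats: List[Threat] = []
    for el in elements:
        for cat in STRIDE_PER_ELEMENT[el.kind]:
            attributed = False
            for actor, prefs in ACTOR_PROFILES.items():
                if cat in prefs:
                    threats.append(Threat(el.name, cat, actor, prefs[cat], el.impact))
                    attributed = True
            if not attributed:
                # Keep the category visible (e.g. Repudiation) even if no
                # profiled external actor is known to pursue it.
                threats.append(Threat(el.name, cat, "unattributed", 1, el.impact))
    return threats

def prioritized(elements: List[Element]) -> List[Threat]:
    """Ranked list: highest risk first; deterministic tie-break for reporting."""
    return sorted(enumerate_threats(elements),
                  key=lambda t: (-t.risk, t.element, t.category, t.actor))

def risk_by_actor(elements: List[Element]) -> Dict[str, int]:
    """Board-level view: total risk score attributable to each actor type."""
    totals: Dict[str, int] = {}
    for t in enumerate_threats(elements):
        totals[t.actor] = totals.get(t.actor, 0) + t.risk
    return totals

if __name__ == "__main__":
    for t in prioritized(SAMPLE_DFD)[:5]:
        print(f"{t.risk:3d}  {t.element:<13} {CATEGORY_NAMES[t.category]:<24} {t.actor}")
    print(risk_by_actor(SAMPLE_DFD))
```

The ranking is deliberately simple; what matters for the exam point is the shape of the output: every line names an actor type, a threat category against a specific element, and a business-impact-weighted score, which is the mapping none of options A, B or C produce.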