LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the specific mitigation techniques for each STRIDE threat?

Each STRIDE threat is countered by restoring the security property it breaks: authentication beats spoofing, integrity checks (hashes/MACs/signatures) beat tampering, logging beats repudiation, encryption beats disclosure, throttling/filtering beats DoS, and least privilege beats elevation.

Each STRIDE threat mapped to the one property it breaks: Spoofing→Authentication … Elevation→Authorization.

* Each STRIDE threat breaks exactly one security property — the mitigation restores it. *

The trick to remembering this table is that every mitigation re-establishes the exact property the threat violates — so you never memorise it as a lookup, you derive it:

Threat Key techniques Why these counter it
Spoofing Cookie auth, Kerberos, PKI/SSL/TLS certificates, digital signatures Spoofing breaks authentication, so you prove identity. Kerberos is a ticket-based network auth protocol; PKI binds a public key to an identity via a certificate, so the receiver can verify who they're really talking to.
Tampering Hashes, MACs, digital signatures, ACLs, tamper-resistant protocols Tampering breaks integrity, so you make changes detectable. A hash flags any change; a MAC (Message Authentication Code) is a keyed hash so only someone with the key can forge it; an ACL stops the unauthorised write in the first place.
Repudiation Digital signatures, timestamps, audit trails, secure logging Repudiation breaks non-repudiation, so you create tamper-evident evidence that an action happened and who did it — a signed, timestamped log the actor can't later deny.
Info Disclosure Authorization, encryption, privacy-enhancing protocols, ACLs Disclosure breaks confidentiality, so you keep data unreadable to the unauthorised: encryption protects it in transit/at rest, ACLs and authorization gate who may read it at all.
DoS Filtering, throttling, quotas, quality-of-service, ACLs DoS breaks availability, so you cap how much any one source can consume — throttling/quotas/QoS ration resources, filtering and ACLs drop hostile traffic before it costs you.
Elevation of Privilege Run with least privilege, ACLs, role membership, input validation EoP breaks authorization, so you shrink what a compromised component can do (least privilege) and close the doors used to escalate — input validation stops the injection/overflow that grants extra rights.

The golden rule: when in doubt, the best fix is to not store secrets you don't need (it appears under both Spoofing and Info Disclosure) — data you never hold can't be stolen or leaked.

Go deeper:

From Quiz: SPRG / Mitigation and Risk Analysis | Updated: Jul 14, 2026