diff --git a/webgoat-lessons/cia/src/main/resources/js/questions_cia.json b/webgoat-lessons/cia/src/main/resources/js/questions_cia.json index 4c43fae60..caadbab70 100644 --- a/webgoat-lessons/cia/src/main/resources/js/questions_cia.json +++ b/webgoat-lessons/cia/src/main/resources/js/questions_cia.json @@ -1,35 +1,40 @@ { - "questions": [{ - "text": "How could an intruder harm the security goal of confidentiality?", - "solutions": { - "1": "By deleting all the databases.", - "2": "By stealing a database where general configuration information for the system is stored.", - "3": "By stealing a database where names and emails are stored and uploading it to a website.", - "4": "Confidentiality can't be harmed by an intruder." + "questions": [ + { + "text": "How could an intruder harm the security goal of confidentiality?", + "solutions": { + "1": "By deleting all the databases.", + "2": "By stealing a database where general configuration information for the system is stored.", + "3": "By stealing a database where names and emails are stored and uploading it to a website.", + "4": "Confidentiality can't be harmed by an intruder." + } + }, + { + "text": "How could an intruder harm the security goal of integrity?", + "solutions": { + "1": "By changing the names and emails of one or more users stored in a database.", + "2": "By listening to incoming and outgoing network traffic.", + "3": "By bypassing the access control mechanisms used to manage database access.", + "4": "Integrity can only be harmed when the intruder has physical access to the database." + } + }, + { + "text": "How could an intruder harm the security goal of availability?", + "solutions": { + "1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.", + "2": "By redirecting sensitive emails to other individuals.", + "3": "Availability can only be harmed by unplugging the power supply of the storage devices.", + "4": "By launching a denial of service attack on the servers." + } + }, + { + "text": "What happens if at least one of the CIA security goals is harmed?", + "solutions": { + "1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.", + "2": "The system's security is compromised even if only one goal is harmed.", + "3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.", + "4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed." + } } - }, { - "text": "How could an intruder harm the security goal of integrity?", - "solutions": { - "1": "By changing the names and emails of one or more users stored in a database.", - "2": "By listening to incoming and outgoing network traffic.", - "3": "By bypassing authentication mechanisms that are in place to manage database access.", - "4": "Integrity can only be harmed when the intruder has physical access to the database storage." - } - }, { - "text": "How could an intruder harm the security goal of availability?", - "solutions": { - "1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.", - "2": "By redirecting emails with sensitive data to other individuals.", - "3": "Availability can only be harmed by unplugging the power supply of the storage devices.", - "4": "By launching a denial of service attack on the servers." - } - }, { - "text": "What happens if at least one of the CIA security goals is harmed?", - "solutions": { - "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.", - "2": "The systems security is compromised even if only one goal is harmed.", - "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.", - "4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed." - } - }] + ] } \ No newline at end of file diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc index f470a62ab..a0c885ccc 100644 --- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc +++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_availability.adoc @@ -1,22 +1,24 @@ == Availability -Availability is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed. +Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times. {nbsp} + === Examples that compromise availability: -** denial-of-service attacks (Dos) -** server crashes -** even fire or natural disasters +** denial-of-service attacks (DOS) +** hardware failures +** fire or other natural disasters +** software or network misconfigurations {nbsp} + === Examples of methods ensuring availability -** intrusion detection systems +** intrusion detection systems (IDSs) ** network traffic control ** firewalls -** physically and geographically isolated location -*** fire- and waterproof +** physical security of hardware and underlying infrastructure +*** protections against fire, water, and other elements ** hardware maintenance +** redundancy diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc index 4132ec2e9..7d4e4b8a5 100644 --- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc +++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_confidentiality.adoc @@ -1,25 +1,25 @@ == Confidentiality -Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it. +Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for. -While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers. +Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities. {nbsp} + === Examples that compromise confidentiality: ** a hacker gets access to the password database of a company -** sensitive emails being sent to incorrect individuals -** a hacker reads sensitive information by intercepting and eavesdropping an information transfer +** a sensitive emails is sent to the incorrect individual +** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer {nbsp} + === Examples of methods ensuring confidentiality ** data encryption -** authentication methods -*** passwords -*** two-factor authentication +** properly implemented authentication and access control +*** securely stored passwords +*** multi-factor authentication (MFA) *** biometric verification ** minimizing the number of places/times the information appears -** physical security measurements like protected server rooms etc. \ No newline at end of file +** physical security controls such as properly secured server rooms \ No newline at end of file diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc index 4e69e58ec..e3978d242 100644 --- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc +++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_integrity.adoc @@ -1,6 +1,6 @@ == Integrity -Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality). +Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data. {nbsp} + @@ -8,7 +8,7 @@ Integrity is "the property of accuracy and completeness." In other words, integr ** human error when entering data ** errors during data transmission -** software bugs, hardware failures +** software bugs and hardware failures ** hackers change information that they should not have access to {nbsp} + @@ -17,4 +17,5 @@ Integrity is "the property of accuracy and completeness." In other words, integr ** well functioning authentication methods and access control ** checking integrity with hash functions -** backups, redundancy \ No newline at end of file +** backups and redundancy +** auditing and logging \ No newline at end of file diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc index 484549964..f987387fd 100644 --- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc +++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_intro.adoc @@ -2,6 +2,6 @@ The CIA Triad (confidentiality, integrity, availability) is a model for information security. The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. + -If only one of those three elements can be breached it can have serious consequences for the parties concerned. +Serious consequences can result if even one these elements is breached. -The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization. \ No newline at end of file +The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization. \ No newline at end of file diff --git a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc index 6bf62086a..56840faa5 100644 --- a/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc +++ b/webgoat-lessons/cia/src/main/resources/lessonPlans/en/CIA_quiz.adoc @@ -1,3 +1,3 @@ -Now it's time for a quiz! Answer the following question to check, if you understood the topic. +Now it's time for a quiz! Answer the following question to check if you understood the topic. -Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall: \ No newline at end of file +Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall: \ No newline at end of file