chore: update CIA grammar and content
- misc. grammatical edits
- add a few more examples
This commit is contained in:

committed by Nanne Baars

parent d5f78351a2

commit e4ec90db8a
			| @ -1,35 +1,40 @@ | |||||||
| { | { | ||||||
|   "questions": [{ |   "questions": [ | ||||||
|     "text": "How could an intruder harm the security goal of confidentiality?", |     { | ||||||
|     "solutions": { |       "text": "How could an intruder harm the security goal of confidentiality?", | ||||||
|       "1": "By deleting all the databases.", |       "solutions": { | ||||||
|       "2": "By stealing a database where general configuration information for the system is stored.", |         "1": "By deleting all the databases.", | ||||||
|       "3": "By stealing a database where names and emails are stored and uploading it to a website.", |         "2": "By stealing a database where general configuration information for the system is stored.", | ||||||
|       "4": "Confidentiality can't be harmed by an intruder." |         "3": "By stealing a database where names and emails are stored and uploading it to a website.", | ||||||
|  |         "4": "Confidentiality can't be harmed by an intruder." | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     { | ||||||
|  |       "text": "How could an intruder harm the security goal of integrity?", | ||||||
|  |       "solutions": { | ||||||
|  |         "1": "By changing the names and emails of one or more users stored in a database.", | ||||||
|  |         "2": "By listening to incoming and outgoing network traffic.", | ||||||
|  |         "3": "By bypassing the access control mechanisms used to manage database access.", | ||||||
|  |         "4": "Integrity can only be harmed when the intruder has physical access to the database." | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     { | ||||||
|  |       "text": "How could an intruder harm the security goal of availability?", | ||||||
|  |       "solutions": { | ||||||
|  |         "1": "By exploiting a software bug that allows the attacker to bypass the normal authentication mechanisms for a database.", | ||||||
|  |         "2": "By redirecting sensitive emails to other individuals.", | ||||||
|  |         "3": "Availability can only be harmed by unplugging the power supply of the storage devices.", | ||||||
|  |         "4": "By launching a denial of service attack on the servers." | ||||||
|  |       } | ||||||
|  |     }, | ||||||
|  |     { | ||||||
|  |       "text": "What happens if at least one of the CIA security goals is harmed?", | ||||||
|  |       "solutions": { | ||||||
|  |         "1": "All three goals must be harmed for the system's security to be compromised; harming just one goal has no effect on the system's security.", | ||||||
|  |         "2": "The system's security is compromised even if only one goal is harmed.", | ||||||
|  |         "3": "It is acceptable if an attacker reads or changes data since at least some of the data is still available. The system's security is compromised only if its availability is harmed.", | ||||||
|  |         "4": "It is acceptable if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. The system's security is compromised only if its confidentiality is harmed." | ||||||
|  |       } | ||||||
|     } |     } | ||||||
|   }, { |   ] | ||||||
|     "text": "How could an intruder harm the security goal of integrity?", |  | ||||||
|     "solutions": { |  | ||||||
|       "1": "By changing the names and emails of one or more users stored in a database.", |  | ||||||
|       "2": "By listening to incoming and outgoing network traffic.", |  | ||||||
|       "3": "By bypassing authentication mechanisms that are in place to manage database access.", |  | ||||||
|       "4": "Integrity can only be harmed when the intruder has physical access to the database storage." |  | ||||||
|     } |  | ||||||
|   }, { |  | ||||||
|     "text": "How could an intruder harm the security goal of availability?", |  | ||||||
|     "solutions": { |  | ||||||
|       "1": "By exploiting bugs in the systems software to bypass authentication mechanisms for databases.", |  | ||||||
|       "2": "By redirecting emails with sensitive data to other individuals.", |  | ||||||
|       "3": "Availability can only be harmed by unplugging the power supply of the storage devices.", |  | ||||||
|       "4": "By launching a denial of service attack on the servers." |  | ||||||
|     } |  | ||||||
|   }, { |  | ||||||
|     "text": "What happens if at least one of the CIA security goals is harmed?", |  | ||||||
|     "solutions": { |  | ||||||
|       "1": "A system can be considered safe until all the goals are harmed. Harming one goal has no effect on the systems security.", |  | ||||||
|       "2": "The systems security is compromised even if only one goal is harmed.", |  | ||||||
|       "3": "It's not that bad when an attacker reads or changes data, at least some data is still available, hence only when the goal of availability is harmed the security of the system is compromised.", |  | ||||||
|       "4": "It shouldn't be a problem if an attacker changes data or makes it unavailable, but reading sensitive data is not tolerable. Theres only a problem when confidentiality is harmed." |  | ||||||
|     } |  | ||||||
|   }] |  | ||||||
| } | } | ||||||
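Review bot: the availability question's option 4 writes "denial of service attack" while the lesson text changed in this same commit writes "denial-of-service attacks"; the compound adjective should be hyphenated in both places so the quiz and the lesson agree. The restructuring itself (one object per question, each closing brace on its own line) is an improvement, and the reworded options for the fourth question are clearer than the originals.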
| @ -1,22 +1,24 @@ | |||||||
| == Availability | == Availability | ||||||
|  |  | ||||||
| Availability is "the property of being accessible and usable on demand by an authorized entity." In other words all the information should be available and accessible for authorized persons whenever it is needed. | Availability is "the property of being accessible and usable on demand by an authorized entity." In other words, authorized persons should have access to permitted resources at all times. | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
|  |  | ||||||
| === Examples that compromise availability: | === Examples that compromise availability: | ||||||
|  |  | ||||||
| ** denial-of-service attacks (Dos) | ** denial-of-service attacks (DOS) | ||||||
| ** server crashes | ** hardware failures | ||||||
| ** even fire or natural disasters | ** fire or other natural disasters | ||||||
|  | ** software or network misconfigurations | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
|  |  | ||||||
| === Examples of methods ensuring availability | === Examples of methods ensuring availability | ||||||
|  |  | ||||||
| ** intrusion detection systems | ** intrusion detection systems (IDSs) | ||||||
| ** network traffic control | ** network traffic control | ||||||
| ** firewalls | ** firewalls | ||||||
| ** physically and geographically isolated location | ** physical security of hardware and underlying infrastructure | ||||||
| *** fire- and waterproof | *** protections against fire, water, and other elements | ||||||
| ** hardware maintenance | ** hardware maintenance | ||||||
|  | ** redundancy | ||||||
|  | |||||||
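Review bot: the abbreviation introduced on the denial-of-service line should be "DoS", not "DOS"; the all-caps form reads as the disk operating system. The new "redundancy" and "software or network misconfigurations" items are good additions, and "hardware failures" is a more accurate category than "server crashes".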
| @ -1,25 +1,25 @@ | |||||||
| == Confidentiality | == Confidentiality | ||||||
|  |  | ||||||
| Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality means to prevent sensitive information from reaching the wrong people, that should not get access to it, while at the same time making sure, that people that are allowed to access it, can get it. | Confidentiality is "the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." In other words, confidentiality requires that unauthorized users should not be able to access sensitive resources. Confidentiality must be balanced with availability; authorized persons must still be able to access the resources they have been granted permissions for.  | ||||||
|  |  | ||||||
| While being similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy that implements to protect our data from unauthorized viewers. | Although confidentiality is similar to "privacy", these two words are not interchangeable. Rather, confidentiality is a component of privacy; confidentiality is implemented to protect resources from unauthorized entities. | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
|  |  | ||||||
| === Examples that compromise confidentiality: | === Examples that compromise confidentiality: | ||||||
|  |  | ||||||
| ** a hacker gets access to the password database of a company | ** a hacker gets access to the password database of a company | ||||||
| ** sensitive emails being sent to incorrect individuals | ** a sensitive emails is sent to the incorrect individual | ||||||
| ** a hacker reads sensitive information by intercepting and eavesdropping an information transfer | ** a hacker reads sensitive information by intercepting and eavesdropping on an information transfer | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
|  |  | ||||||
| === Examples of methods ensuring confidentiality | === Examples of methods ensuring confidentiality | ||||||
|  |  | ||||||
| ** data encryption | ** data encryption | ||||||
| ** authentication methods | ** properly implemented authentication and access control | ||||||
| *** passwords | *** securely stored passwords | ||||||
| *** two-factor authentication | *** multi-factor authentication (MFA) | ||||||
| *** biometric verification | *** biometric verification | ||||||
| ** minimizing the number of places/times the information appears | ** minimizing the number of places/times the information appears | ||||||
| ** physical security measurements like protected server rooms etc. | ** physical security controls such as properly secured server rooms | ||||||
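Review bot: the rewritten line "** a sensitive emails is sent to the incorrect individual" introduces a number-agreement error; it should read "** a sensitive email is sent to the incorrect individual". The new confidentiality paragraph also carries trailing whitespace after "permissions for." which should be trimmed.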
| @ -1,6 +1,6 @@ | |||||||
| == Integrity | == Integrity | ||||||
|  |  | ||||||
| Integrity is "the property of accuracy and completeness." In other words, integrity means to maintain the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and it must be ensured, that data can not be altered by unauthorized people (per example in a breach of confidentiality). | Integrity is "the property of accuracy and completeness." In other words, integrity means maintaining the consistency, accuracy and trustworthiness of data over its entire life cycle. Data must not be changed during transit and unauthorized entities should not be able to alter the data. | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
|  |  | ||||||
| @ -8,7 +8,7 @@ Integrity is "the property of accuracy and completeness." In other words, integr | |||||||
|  |  | ||||||
| ** human error when entering data | ** human error when entering data | ||||||
| ** errors during data transmission | ** errors during data transmission | ||||||
| ** software bugs, hardware failures | ** software bugs and hardware failures | ||||||
| ** hackers change information that they should not have access to | ** hackers change information that they should not have access to | ||||||
|  |  | ||||||
| {nbsp} + | {nbsp} + | ||||||
| @ -17,4 +17,5 @@ Integrity is "the property of accuracy and completeness." In other words, integr | |||||||
|  |  | ||||||
| ** well functioning authentication methods and access control | ** well functioning authentication methods and access control | ||||||
| ** checking integrity with hash functions | ** checking integrity with hash functions | ||||||
| ** backups, redundancy | ** backups and redundancy | ||||||
|  | ** auditing and logging | ||||||
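Review bot: while this hunk touches the list, "** well functioning authentication methods and access control" on the unchanged line above should be "well-functioning", since a compound modifier before a noun is hyphenated; this fits the grammar scope of the commit. "auditing and logging" is a sensible addition to the integrity controls.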
| @ -2,6 +2,6 @@ | |||||||
|  |  | ||||||
| The CIA Triad (confidentiality, integrity, availability) is a model for information security. | The CIA Triad (confidentiality, integrity, availability) is a model for information security. | ||||||
| The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. + | The three elements of the triad are considered the most crucial information security components and should be guaranteed in any secure system. + | ||||||
| If only one of those three elements can be breached it can have serious consequences for the parties concerned. | Serious consequences can result if even one these elements is breached. | ||||||
|  |  | ||||||
| The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system or/and organization. | The CIA Triad was created to provide a baseline standard for evaluating and implementing security regardless of the underlying system and/or organization. | ||||||
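Review bot: the rewritten sentence "Serious consequences can result if even one these elements is breached." is missing a word; it should read "if even one of these elements is breached".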
| @ -1,3 +1,3 @@ | |||||||
| Now it's time for a quiz! Answer the following question to check, if you understood the topic. | Now it's time for a quiz! Answer the following question to check if you understood the topic. | ||||||
|  |  | ||||||
| Today every system is protected by a firewall. The firewall keeps intruders locked out of the system and guarantees, that the data handled there is safe. Imagine a system that handles personal data and is not protected by a firewall: | Today, most systems are protected by a firewall.A properly configured firewall can prevent malicious entities from accessing a system and helps protect an organization's resources. For this quiz, imagine a system that handles personal data but is not protected by a firewall: | ||||||
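Review bot: "a firewall.A properly configured firewall" is missing the space after the full stop. Also, since the quiz file in this same commit now holds four questions, "Answer the following question" should become "Answer the following questions".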