Note to Games Masters: The objective is for players to identify possible vulnerabilities, and the classification can cause discussion even among cyber professionals. For example, if an attacker alters a URL on a website to gain administrative access to sensitive, confidential information, is this Tampering? Is it Information Disclosure? Or, if the web page was intended for admins, is it Elevation of Privilege? The Games Master should explain the differences between the six STRIDE threat categories and correct any obvious errors, but also explain the debate that classification can cause. Each attack suit has an Ace, which works like a joker card: the player who plays it can invent a new attack type, stating any attack in the STRIDE category of that Ace.

Spoofing

Desired Property: Authentication

Threats that maliciously impersonate users, but can also spoof websites or servers.

Example attacks: The cards can be used to create attacks based on: spear-phishing; phishing; credential stealing; password brute-forcing; man-in-the-middle attacks; or abuse of admin configuration, etc.

Repudiation

Desired Property: Non-Repudiation

Threats where a party claims not to have performed an action.

Example attacks: The cards can be used to create attacks based on: use of a shared account; weak authentication; altering a digital signature; insufficient logging; or unprotected log files, etc.
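Two of the attacks listed above, insufficient logging and unprotected log files, succeed because a log entry can be altered or removed without anyone noticing. The following is an added illustration, not part of the card game's material: a hash-chained audit log in which every entry commits to the one before it, so re-attributing or erasing an action is detectable. The actors, actions and timestamps are constructed sample data.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash used by the first entry in a chain


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the entry's fields in canonical order (the stored hash itself is excluded)."""
    material = {k: entry[k] for k in ("seq", "time", "actor", "action", "prev_hash")}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log in which every entry commits to the hash of the entry before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, actor: str, action: str, when: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "time": when, "actor": actor,
                 "action": action, "prev_hash": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every entry is intact and linked to its predecessor,
    otherwise (False, index of the first entry that breaks the chain)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def demo() -> dict:
    """Constructed scenario: an intact log, then two edits a user might make to deny an action."""
    log = AuditLog()
    log.record("alice", "login", "2024-01-01T10:00:00Z")
    log.record("alice", "export customer_list.csv", "2024-01-01T10:05:00Z")
    log.record("alice", "logout", "2024-01-01T10:07:00Z")

    reattributed = [dict(e) for e in log.entries]
    reattributed[1]["actor"] = "bob"   # blame the export on someone else: stored hash no longer matches

    erased = [dict(e) for e in log.entries]
    del erased[1]                      # remove the export entry: sequence and prev_hash no longer line up

    return {"intact": verify_chain(log.entries),
            "reattributed": verify_chain(reattributed),
            "erased": verify_chain(erased)}
```

The chain makes edits and deletions inside the log evident; cutting off the newest entries is only detectable if the latest hash is also anchored somewhere the log writer cannot change. It also only ties an action to an account: on a shared account the actor field names nobody in particular, which is why shared accounts sit on the Repudiation list alongside weak logging.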

Tampering

Desired Property: Integrity

Threats that alter data at rest or in transit.

Example attacks: The cards can be used to create attacks based on: man-in-the-browser; URL manipulation; or tampering with session keys, authentication messages, or emails, etc.
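URL manipulation and altered session or authentication values all come down to the server accepting data that has changed since it issued it. As an added example (not part of the game's material), the code below shows the usual integrity control for such values: an HMAC tag over the encoded parameters, checked with a constant-time comparison, so that any edit to the body invalidates the token. The secret key and the parameters are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode


def sign(params: dict, key: bytes) -> str:
    """Encode params as a query string and append an HMAC-SHA256 tag computed over it."""
    body = urlencode(sorted(params.items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "&sig=" + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify(token: str, key: bytes) -> Optional[dict]:
    """Return the parameters if the tag matches the body, otherwise None."""
    body, sep, sig = token.rpartition("&sig=")
    if not sep:
        return None                     # no tag at all
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        got = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    except (binascii.Error, ValueError):
        return None                     # malformed tag
    if not hmac.compare_digest(expected, got):
        return None                     # body or tag altered, or signed with a different key
    return dict(parse_qsl(body, strict_parsing=True))


def demo() -> dict:
    """Constructed scenario: a signed token, the same token with one value edited, and a wrong key."""
    key = b"constructed-server-secret"  # in practice a random key held only by the server
    token = sign({"user": "alice", "role": "viewer"}, key)
    edited = token.replace("role=viewer", "role=admin")
    return {"valid": verify(token, key),
            "edited": verify(edited, key),
            "wrong_key": verify(token, b"some-other-key")}
```

The tag proves the body is what the key holder signed; it does not hide the contents, so confidential values still need encryption, and a token that is valid but stolen is a Spoofing or Elevation of Privilege problem rather than a Tampering one.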

Information Disclosure

Desired Property: Confidentiality

Threats to confidentiality of information.

Example attacks: The cards can be used to create attacks based on: web application vulnerabilities; plain HTTP traffic; encryption keys; weak access controls; reading security logs; emailing; unencrypted documents; or information leakage from error messages, etc.

Denial of Service

Desired Property: Availability

Threats to availability of services to users.

Example attacks: The cards can be used to create attacks based on: locking admin or user accounts; server vulnerabilities; botnets; jamming signals; network re-routing; malicious email links; or an infected USB drive, etc.

Elevation of Privilege

Desired Property: Authorisation

Threats against the authorisation controls.

Example attacks: The cards can be used to create attacks based on: stolen tokens; server vulnerabilities; access to users' devices; account takeover; URL modification; session IDs; or hidden file directories, etc.
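The URL modification listed here is the same scenario the note to Games Masters uses to show how classification can be debated. As an added example (not part of the game's material), the code below puts a handler that trusts a role carried in the URL next to one that derives the role from the server-side session; the sessions, records and URLs are constructed. Reading the two handlers side by side shows where each STRIDE label fits: the edited URL is tampered input, the customer records are the information disclosed, and the missing server-side check is the broken authorisation control.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed data: authenticated sessions and the records the admin page protects.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "viewer"},
    "sess-carol": {"user": "carol", "role": "admin"},
}
CUSTOMER_RECORDS = ["acct 1001: Jane Doe, card ending 4242"]


@dataclass
class Response:
    status: int
    body: str


def vulnerable_handler(url: str, session_id: str) -> Response:
    """Trusts the client-supplied 'role' query parameter; the session is never consulted."""
    parts = urlparse(url)
    role = parse_qs(parts.query).get("role", ["viewer"])[0]
    if parts.path == "/admin/customers" and role == "admin":
        return Response(200, "\n".join(CUSTOMER_RECORDS))
    return Response(403, "forbidden")


def hardened_handler(url: str, session_id: str) -> Response:
    """Derives the role from the server-side session; nothing in the URL carries authority."""
    session = SESSIONS.get(session_id)
    if session is None:
        return Response(401, "unauthenticated")
    if urlparse(url).path == "/admin/customers":
        if session["role"] != "admin":
            return Response(403, "forbidden")      # authorisation enforced on the server
        return Response(200, "\n".join(CUSTOMER_RECORDS))
    return Response(404, "not found")


def demo() -> dict:
    """Constructed scenario: a viewer's session presenting an edited URL to each handler."""
    edited_url = "/admin/customers?role=admin"
    return {
        "vulnerable_viewer": vulnerable_handler(edited_url, "sess-alice").status,
        "hardened_viewer": hardened_handler(edited_url, "sess-alice").status,
        "hardened_admin": hardened_handler("/admin/customers", "sess-carol").status,
        "hardened_no_session": hardened_handler(edited_url, "").status,
    }
```

In the hardened handler the URL still selects which resource is requested, but whether the request is allowed depends only on state the server holds. That separation is what the Authorisation property asks for, and it is the check a player should look for when an attack card claims access to a page meant for admins.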