medienkompetenz-lernplattform/LESSON_QUICK_REFERENCE.md
2026-02-05 22:42:30 +01:00

# Security Awareness Lessons - Quick Reference
A quick reference guide for instructors and administrators using the learning platform.

---
## Available Lessons Overview
| Lesson | Difficulty | Duration | Topics | Interactive |
|--------|-----------|----------|--------|-------------|
| Phishing Email Detection | Beginner | 15 min | Email security, social engineering | No |
| SQL Injection Shop Demo | Intermediate | 20 min | Web security, OWASP Top 10 | Yes |
| Browser-in-the-Browser | Advanced | 25 min | Advanced phishing, OAuth | Yes |
---
## Phishing Email Detection Basics
### Quick Facts
- **Best for:** All employees, security awareness foundation
- **Prerequisites:** None
- **Key Takeaway:** How to identify and report phishing emails
### What Students Learn
1. Common phishing indicators (suspicious domains, urgent language)
2. Email analysis techniques (hover over links, check headers)
3. Organizational reporting procedures
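The three indicator groups above (suspicious sender domains, urgent wording, links whose visible text does not match their target) can be checked mechanically. The following is an added example, not code from the platform: a small Python checker run over two constructed sample messages. The trusted domain `example-corp.com`, the phrase list and the sample emails are all assumptions made up for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own domain. Everything below is constructed sample data.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENT_PHRASES = ("urgent", "immediately", "suspended", "expires today", "within 24 hours")

# Constructed phishing sample: lookalike sender, mismatched bounce address, urgent subject,
# and a link whose visible text differs from its real target.
PHISHING_SAMPLE = """\
From: "IT Support" <helpdesk@example-corp-support.com>
Return-Path: <bounce@mailer.example.net>
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Your password expires today. Reset it here:
<a href="http://login.example-corp-support.com/reset">https://sso.example-corp.com/reset</a></p>
"""

# Constructed benign sample from the real domain, for comparison.
BENIGN_SAMPLE = """\
From: "IT Support" <helpdesk@example-corp.com>
Return-Path: <helpdesk@example-corp.com>
Subject: Monthly IT newsletter
Content-Type: text/html

<p>This month's update is on the <a href="https://intranet.example-corp.com/news">intranet</a>.</p>
"""


def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host):
    return bool(host) and registrable_domain(host) in TRUSTED_DOMAINS


def host_of(address_header):
    """Domain part of the address in a From:/Return-Path: header ('' if absent)."""
    return parseaddr(address_header)[1].rpartition("@")[2]


def find_indicators(raw_message):
    """Return a list of human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    indicators = []

    from_host = host_of(msg.get("From", ""))
    if not is_trusted(from_host):
        indicators.append(f"sender domain is not a trusted domain: {from_host}")

    return_host = host_of(msg.get("Return-Path", ""))
    if return_host and registrable_domain(return_host) != registrable_domain(from_host):
        indicators.append(f"Return-Path domain ({return_host}) differs from From domain ({from_host})")

    subject = msg.get("Subject", "").lower()
    urgent = [p for p in URGENT_PHRASES if p in subject]
    if urgent:
        indicators.append("urgent language in subject: " + ", ".join(urgent))

    # "Hover over links": compare the hostname the user sees with the one the href goes to.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            indicators.append(f"link text shows {text_host} but points to {href_host}")
        elif not is_trusted(href_host):
            indicators.append(f"link points to untrusted domain: {href_host}")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_indicators(sample))
```

The checker is deliberately simple: the domain comparison uses the last two labels rather than a public-suffix list, and header checks such as SPF/DKIM results are out of scope. It is meant to show students what "hover over the link" and "check the headers" look like when written down as rules, not to replace a mail gateway.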
### Question Breakdown
- **Q1 (50 pts):** Identify phishing red flags (multiple choice)
- **Q2 (25 pts):** Safe email practices (single choice)
- **Q3 (25 pts):** Explain reporting procedures (free text)
### Teaching Tips
- Use real examples from your organization
- Emphasize cost of successful attacks
- Make reporting easy and encouraged
- Follow up with participants who fail
### Follow-Up Activities
- Conduct simulated phishing exercises
- Share recent phishing attempts with team
- Review organizational policies
---
## SQL Injection Attack - Online Shop Demo
### Quick Facts
- **Best for:** Developers, QA engineers, technical staff
- **Prerequisites:** Basic understanding of databases and web applications
- **Key Takeaway:** SQL injection is preventable with parameterized queries
### What Students Learn
1. How SQL injection vulnerabilities work
2. Types of SQL injection (OR, UNION, destructive)
3. Impact of successful attacks (data theft, deletion)
4. Defense mechanisms (parameterized queries, input validation)
### Interactive Component: Fake Shop
Students can:
- Search products normally
- Execute SQL injection attacks safely
- See real-time query visualization
- Compare vulnerable vs secure queries
**Attack Examples Demonstrated:**
- `' OR '1'='1` - View all products
- `' UNION SELECT ...` - Extract user credentials
- `'; DROP TABLE ...` - Destructive attack
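To show what the "vulnerable vs secure queries" comparison looks like outside the fake shop, here is an added example that is not the platform's own code: a constructed in-memory SQLite database with a string-concatenated search beside the parameterized version, run with the first payload from the list above. The schema and product rows are made up for the demo.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory shop database; the platform's real schema is not on the page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    con.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                    [("Laptop", 999.0), ("Mouse", 19.0), ("Keyboard", 49.0)])
    return con


def search_vulnerable(con, term):
    # The user input is spliced into the SQL text, so a quote character in it
    # ends the string literal and the rest of the input becomes SQL syntax.
    sql = f"SELECT name, price FROM products WHERE name = '{term}'"
    return con.execute(sql).fetchall()


def search_secure(con, term):
    # Parameter binding: the driver sends the term as a value, never as SQL text,
    # so the quote characters are just characters to compare against.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return con.execute(sql, (term,)).fetchall()


def compare(term):
    """Run both variants on a fresh database so the difference is visible side by side."""
    con = make_demo_db()
    return {"vulnerable": search_vulnerable(con, term), "secure": search_secure(con, term)}


if __name__ == "__main__":
    for term in ("Mouse", "' OR '1'='1"):
        print(repr(term), compare(term))
```

With `Mouse` both variants return the one matching row. With `' OR '1'='1` the concatenated query becomes `WHERE name = '' OR '1'='1'` and returns every product, while the parameterized query looks for a product literally named `' OR '1'='1` and returns nothing. One caveat worth mentioning in the session: Python's `sqlite3` refuses to run more than one statement per `execute()` call, so the stacked `'; DROP TABLE` payload raises a `ProgrammingError` here; that is a property of this driver, not a defense, and other drivers and databases behave differently. Parameterization is the fix in every case.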
### Question Breakdown
- **Q1 (40 pts):** Identify SQL injection payloads (multiple choice)
- **Q2 (30 pts):** Best prevention method (single choice)
- **Q3 (30 pts):** Explain parameterized queries (free text)
### Teaching Tips
- Let students experiment with injections
- Emphasize parameterized queries over filtering
- Show real breach examples (British Airways, etc.)
- Discuss OWASP Top 10 context
- Connect to secure coding standards
### Follow-Up Activities
- Code review session for SQL vulnerabilities
- Scan existing applications for SQL injection
- Implement parameterized queries in projects
- Add SQL injection tests to CI/CD pipeline
### For Developers
This lesson directly applies to:
- Backend API development
- Database query construction
- Security code reviews
- Penetration testing
---
## Browser-in-the-Browser (BitB) Attack
### Quick Facts
- **Best for:** All staff, especially those using SSO/OAuth
- **Prerequisites:** Understanding of web browsers and login flows
- **Key Takeaway:** Physical testing (drag window) detects fake popups
### What Students Learn
1. How BitB attacks mimic legitimate browser windows
2. Why traditional phishing training doesn't catch this
3. Detection techniques (drag test, inspect element)
4. Why password managers provide protection
### Interactive Component: Fake Browser Popups
Students can:
- Launch realistic fake OAuth popups (Google, Microsoft)
- Compare real vs fake browser windows
- Test detection techniques (drag, right-click)
- See educational feedback when testing
**Two Scenarios:**
1. **Legitimate OAuth** - Shows how real popups behave
2. **BitB Attack** - Demonstrates fake trapped popup
### Question Breakdown
- **Q1 (40 pts):** Detection indicators (multiple choice)
- **Q2 (35 pts):** Safest approach to popups (single choice)
- **Q3 (25 pts):** Why password managers help (free text)
### Teaching Tips
- Emphasize this is NEW and sophisticated
- Practice the "drag test" multiple times
- Explain OAuth/SSO context for relevance
- Recommend password managers strongly
- Show real-world attack examples (2022+)
### Follow-Up Activities
- Test SSO popups in your organization
- Deploy password manager to all staff
- Enable 2FA/MFA on all accounts
- Consider hardware security keys (FIDO2)
- Review OAuth implementation security
### For Security Teams
This lesson supports:
- Advanced phishing awareness
- SSO security strategy
- Password manager adoption
- Zero-trust implementation
- Security tool evaluation
---
## Scoring System
### Point Distribution Philosophy
- **Easy questions:** 20-30% of total
- **Medium questions:** 40-50% of total
- **Hard questions:** 20-30% of total
### Passing Scores
- **70%** - Demonstrates basic competency
- **80%** - Strong understanding
- **90%+** - Expert level
### Partial Credit (Multiple Choice)
- Points awarded per correct selection
- Incorrect selections don't subtract points
- Encourages selecting all correct answers
### Free Text Validation
- Keyword-based scoring
- Partial credit if some keywords present
- Minimum length requirements
- Case-insensitive matching
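The partial-credit and free-text rules above are easy to misread when a score "seems wrong", so here is an added example of the scoring logic written out in Python. It is not the platform's implementation: the equal share per correct option, the 20-character minimum length and the proportional keyword credit are assumptions, and the sample answers are constructed. The point values and question types come from the Phishing lesson's question breakdown.

```python
def score_multiple_choice(selected, correct, max_points):
    """Partial credit: each correct selection earns an equal share of the points;
    incorrect selections neither add nor subtract anything (assumed equal-share rule)."""
    selected, correct = set(selected), set(correct)
    per_option = max_points / len(correct)
    return round(per_option * len(selected & correct), 2)


def score_single_choice(selected, correct, max_points):
    """All or nothing for single-choice questions."""
    return float(max_points) if selected == correct else 0.0


def score_free_text(answer, keywords, max_points, min_length=20):
    """Case-insensitive keyword scoring with a minimum length gate.
    Assumed rules: below min_length scores 0; otherwise credit is proportional
    to the number of expected keywords found."""
    text = " ".join(answer.lower().split())  # normalise case and whitespace
    if len(text) < min_length:
        return 0.0
    found = [k for k in keywords if k.lower() in text]
    return round(max_points * len(found) / len(keywords), 2)


def competency_level(percent):
    """Labels from the Passing Scores section."""
    if percent >= 90:
        return "expert"
    if percent >= 80:
        return "strong"
    if percent >= 70:
        return "basic"
    return "not passed"


def phishing_lesson_score(q1_selected, q2_selected, q3_answer):
    """Worked scoring of the three Phishing Email Detection questions (50/25/25 points).
    Correct answers and keywords below are constructed for the demo."""
    q1 = score_multiple_choice(q1_selected, {"lookalike domain", "urgent wording", "mismatched link"}, 50)
    q2 = score_single_choice(q2_selected, "hover before clicking", 25)
    q3 = score_free_text(q3_answer, ["report", "security team", "do not click"], 25)
    total = round(q1 + q2 + q3, 2)
    return {"q1": q1, "q2": q2, "q3": q3, "total": total, "level": competency_level(total)}


if __name__ == "__main__":
    print(phishing_lesson_score(
        {"lookalike domain", "urgent wording", "generic greeting"},
        "hover before clicking",
        "I report it to the security team and do not click any links",
    ))
```

Two behaviours are worth pointing out to participants who question a score: a fourth, wrong selection in Q1 does not reduce the points earned by the correct ones, and a very short free-text answer scores zero even if it contains a keyword, because the length gate is applied first.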
---
## Lesson Recommendations by Role
### All Employees
1. **Phishing Email Detection** (required)
2. ⚠️ **Browser-in-the-Browser** (recommended)
### Developers / Technical Staff
1. **SQL Injection Shop** (required)
2. **Phishing Email Detection** (required)
3. ⚠️ **Browser-in-the-Browser** (recommended)
### Security Team
1. ✅ All lessons (required)
2. Use as train-the-trainer material
### Management / Executives
1. **Phishing Email Detection** (required)
2. **Browser-in-the-Browser** (recommended - targets high-value accounts)
---
## Creating Training Events
### Recommended Event Structures
#### New Hire Security Basics
```
Event: "Security Awareness Onboarding"
Duration: 1 week access
Lessons:
1. Phishing Email Detection (weight: 1.0)
2. Browser-in-the-Browser (weight: 1.0)
Passing: 70% overall
```
#### Developer Security Training
```
Event: "Secure Coding Fundamentals"
Duration: 2 weeks access
Lessons:
1. Phishing Email Detection (weight: 0.5)
2. SQL Injection Shop (weight: 2.0)
3. Browser-in-the-Browser (weight: 0.5)
Passing: 75% overall
```
#### Quarterly Security Refresher
```
Event: "Q1 Security Updates"
Duration: 1 week access
Lessons:
- Rotate lessons each quarter
- Include new lessons as available
Passing: 70% overall
```
### Event Configuration Tips
**Lesson Weights:**
- Weight = 1.0: Normal importance
- Weight = 2.0: Double importance
- Weight = 0.5: Lower priority/bonus
**Lesson Order:**
- Beginner → Intermediate → Advanced
- Required lessons first
- Interactive lessons for engagement
**Access Duration:**
- Minimum: 3 days (allows flexible completion)
- Typical: 1-2 weeks
- Ongoing training: No end date
**Point Configuration:**
- Use default 100 max points per lesson
- Adjust weights instead of max points
- Keep passing score consistent (70-75%)
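Lesson weights only make sense once you see how they combine into the event's overall score. The following is an added example, not the platform's own code, using the weights and 75% passing score from the "Developer Security Training" event above. The weighted-mean formula and the rule that an unattempted lesson counts as 0 are assumptions; the per-lesson point values are constructed.

```python
# Weights, passing score and max points taken from the Developer Security Training event.
DEVELOPER_EVENT = {
    "weights": {
        "Phishing Email Detection": 0.5,
        "SQL Injection Shop": 2.0,
        "Browser-in-the-Browser": 0.5,
    },
    "passing": 75.0,
    "max_points": 100,  # the recommended default per lesson
}


def event_score(lesson_points, event):
    """Weighted mean of per-lesson percentages (assumed formula).
    lesson_points maps lesson name -> points earned; a missing lesson counts as 0."""
    weights, max_points = event["weights"], event["max_points"]
    total_weight = sum(weights.values())
    weighted = sum(w * lesson_points.get(name, 0) / max_points for name, w in weights.items())
    return round(100 * weighted / total_weight, 2)


def has_passed(lesson_points, event):
    return event_score(lesson_points, event) >= event["passing"]


def report(lesson_points, event):
    """One-line summary per participant, as an admin panel might show it."""
    score = event_score(lesson_points, event)
    return f"{score:.2f}% ({'pass' if has_passed(lesson_points, event) else 'fail'})"


if __name__ == "__main__":
    # Constructed participants: one exactly on the threshold, one carried by the weak lessons.
    print(report({"Phishing Email Detection": 90, "SQL Injection Shop": 70, "Browser-in-the-Browser": 80}, DEVELOPER_EVENT))
    print(report({"Phishing Email Detection": 100, "SQL Injection Shop": 60, "Browser-in-the-Browser": 100}, DEVELOPER_EVENT))
```

The second participant illustrates why the tips say to adjust weights rather than max points: with SQL Injection weighted 2.0, perfect scores on the two 0.5-weight lessons cannot compensate for a 60% on the developer-focused lesson, and the overall score lands at 73.33%, below the 75% threshold.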
---
## Troubleshooting Common Issues
### "Lesson not showing up"
- ✅ Check lesson is assigned to event
- ✅ Verify event is active
- ✅ Confirm participant joined correct event
### "Can't complete lesson"
- ✅ Ensure all questions answered
- ✅ Check for validation errors
- ✅ Verify lesson was started
- ✅ Try refreshing page
### "Interactive component not working"
- ✅ Check browser console for errors
- ✅ Try different browser
- ✅ Verify JavaScript enabled
- ✅ Clear browser cache
### "Score seems wrong"
- ✅ Review partial credit rules
- ✅ Check question weights
- ✅ Verify lesson weight in event
- ✅ See participant answers in admin panel
### "Assigning lesson fails"
- ✅ Check lesson isn't already assigned
- ✅ Verify event exists
- ✅ Order index auto-increments now (fixed)
- ✅ Try different order index
---
## Keyboard Shortcuts (Lesson Player)
| Action | Shortcut | Notes |
|--------|----------|-------|
| Next step | → or Enter | Only if current step complete |
| Previous step | ← | Always available |
| Submit answer | Enter | In text input |
| Complete lesson | - | Click button when on last step |
---
## Best Practices for Admins
### Event Planning
- Schedule events with advance notice
- Provide clear deadline communication
- Send reminder emails at 50% and 90% of time
- Celebrate completion publicly
- Review analytics after event
### Lesson Assignment
- Start with easier lessons
- Mix content types (text + interactive)
- Don't overload with too many lessons
- Consider time required for completion
- Weight by organizational priority
### Participant Support
- Provide help desk contact info
- Monitor completion rates
- Follow up with non-completers
- Review common wrong answers
- Adjust training based on feedback
### Monitoring Progress
- Check completion rates weekly
- Identify struggling participants
- Review average scores per lesson
- Look for common failure points
- Export data for reporting
---
## Integration Ideas
### With Existing Training
- Part of onboarding checklist
- Annual security training requirement
- Post-incident remediation
- Role-based training tracks
### With Security Tools
- Password manager deployment
- 2FA enrollment campaign
- Phishing simulation platform
- Security awareness metrics
### With HR/Compliance
- Track completion for compliance
- Report to leadership quarterly
- Include in performance reviews
- Tie to security culture initiatives
---
## Metrics to Track
### Completion Metrics
- % of participants who completed
- Average time to complete
- Completion rate by department
- Deadline adherence
### Performance Metrics
- Average score per lesson
- Pass/fail rates
- Most missed questions
- Improvement over time
### Engagement Metrics
- Time spent per lesson
- Interactive component usage
- Repeat attempts
- Question feedback ratings
---
## Quick Access URLs
Assuming platform at `http://localhost`:
- **Participant Hub:** `/`
- **Admin Login:** `/admin/login`
- **Event Management:** `/admin/events`
- **Lesson Configuration:** `/admin/events/{id}/lessons`
- **Participant Data:** `/admin/events/{id}/participants`
---
## Support Resources
### For Lesson Content Questions
- Review lesson documentation
- Check existing lesson examples
- Test in development environment
### For Technical Issues
- Check browser console
- Review backend logs
- Verify container health
- Check database connectivity
### For Training Strategy
- Consult security team
- Review industry standards
- Benchmark against similar organizations
- Gather participant feedback
---
**Last Updated:** 2026-01-12

**Platform Version:** 1.0.0

**Total Lessons:** 3