DOD Cyber Awareness Training


Cookies -

A cookie is a text file that a web server stores on your hard drive. Cookies may pose a security threat, particularly when they save unencrypted personal information. Cookies also may track your activities on the web. To prevent cookies from being saved to your hard drive: • If you have the option, set your browser preferences to prompt you each time a website wants to store a cookie • Only accept cookies from reputable, trusted websites • Confirm that the site uses an encrypted link o Look for "h-t-t-p-s" in the URL name o Look for an icon to indicate the encryption is functioning • Be especially aware of cookies when visiting e-commerce sites or other sites that may ask for credit card or other personal information Note: Not all https sites are legitimate and there is still a risk to entering your information online.

Compromise -

A compromise occurs when a person who does not have the required clearance or access caveats comes into possession of SCI in any manner (i.e., physically, verbally, electronically, etc.). You are required to contact your security Point of Contact (POC) to report the incident. Do not elaborate detailed information (that may be considered sensitive/classified) concerning the people, processes, technology, file location, specific system information, or URL that may be related to the nature of the incident until secure two-way communications (verbal or transmitted) may be achieved.

Prevention - 2

Never use or modify government equipment for an unauthorized purpose: • Such use or modification could be illegal • Misuse of equipment could have a significant mission impact • Unauthorized connection to the Internet or other network could introduce malware or facilitate hacking of sensitive or even classified information • Any unauthorized connection creates a high potential for spillage Never cross classification boundaries. Do not move any equipment from one network to another, even if the device's memory was purged. Never connect any device to a government network without authorization.

Devices -

No personal portable electronic devices (PEDs) are allowed in a SCIF. Government-owned PEDs must be expressly authorized by your agency. When using a government-owned PED: • Only connect government-owned PEDs to the same level classification information system when authorized • Only use devices of equal or greater classification than the information you are accessing or transmitting • Ensure secure device is properly configured and updated • Don't discuss classified information over smartphones • Don't view classified information via device when not in a cleared space As a general rule, there should be no Wi-Fi, Bluetooth, cellular, image capturing, video recording, or audio recording capabilities or wearable devices in the SCIF. Check with your security officer or your agency's policies.

Telework -

Do not remove classified documents from your secure workspace to work offsite! Classified documents, either in hard copy or electronic format, are strictly prohibited. Be sure to safeguard all DoD data while teleworking. To telework, you must: • Have permission from your organization • Follow your organization's guidance to telework • Use authorized equipment and software and follow your organization's policies • Employ cybersecurity best practices at all times, including when using a Virtual Private Network (VPN) • Perform telework in a dedicated area when at home • Position your monitor so that it is not facing windows or easily observed by others when in use

Which of the following should you NOT do if you find classified information on the internet?

Download the information

Two-Factor Authentication

For identity authentication, the Department of Defense (DoD) is moving toward using two-factor authentication wherever possible. Two-factor authentication combines two out of the three types of credentials to verify your identity and keep it more secure: • Something you possess, such as a Common Access Card (CAC) • Something you know, such as your Personal Identification Number (PIN) • Something you are, such as a fingerprint or other biometrics Use two-factor authentication wherever possible, even for personal accounts. For example, some widely used personal services (like Google) offer two-factor authentication.

Incident Follow-up

If an incident occurs: • Notify your security POC about the incident • An analysis of the media must be conducted for viruses or malicious code • The other workstations in the SCIF must also be analyzed • If the incident was unintentional, then the person may have to attend a refresher training course in security awareness

Response - 1

If spillage occurs: • Immediately notify your security POC • Do not delete the suspected files • Do not forward, read further, or manipulate the file • Secure the area

Which of the following is NOT a correct way to protect CUI?

CUI may be stored on any password-protected system.

Classified Data

Classified data are designated by the original classification authority as information that could reasonably be expected to cause a given level of damage to national security if disclosed: • Confidential - damage to national security • Secret - serious damage to national security • Top Secret - exceptionally grave damage to national security Classified data: • Must be handled and stored properly based on classification markings and handling caveats • Can only be accessed by individuals with all of the following: o Appropriate clearance o Signed and approved non-disclosure agreement o Need-to-know

Which of the following does NOT constitute spillage?

Classified information that should be unclassified and is downgraded.

Which of the following is true of protecting classified data?

Classified material must be appropriately marked.

Response - 2

If you find classified government data/information not cleared for public release on the internet: • Remember that leaked classified or controlled information is still classified/controlled even if it has already been compromised • Do not download leaked classified or controlled information because you are not allowed to have classified information on your computer and downloading it may create a new case of spillage • Note any identifying information and the website's URL • Report the situation to your security POC • Refer any inquiries to your organization's public affairs office Remember! Any comment by you could be treated as official confirmation by a Government spokesperson.

Reporting -

Individuals experiencing stressful situations may be vulnerable to exploitation. To protect against the insider threat, be alert to and report any suspicious activity or behavior or potential security incident in accordance with your agency's insider threat policy to include: • Attempt to access sensitive information without the need-to-know • Unauthorized removal of sensitive information • Unusual request for sensitive information • Bringing an electronic device into prohibited areas • Sudden purchases of high value items/living beyond one's means • Overseas trips for no apparent reason or of short duration • Alcohol or drug problems • Abrupt changes in personality or workplace behavior • Consistent statements indicative of hostility or anger toward the United States and its policies

Update Status

Install

Internet Hoaxes -

Internet hoaxes clog networks, slow down internet and e-mail services, and can be part of a distributed denial of service (DDoS) attack. To protect against internet hoaxes: • Use online sites to confirm or expose potential hoaxes • Don't forward e-mail hoaxes • Follow your organization's policies on loading files onto workstations and laptops

What should the employee do differently?

Decline to let the person in and redirect her to security.

Best Practices -

Defend yourself! Keep your identity secure/prevent identity theft. When working at home on your computer, follow these best security practices, derived from the National Security Agency (NSA) datasheet "Best Practices for Keeping Your Home Network Secure." • Turn on password feature, create separate accounts for each user, and have them create their own passwords using a strong password creation method • Install all system security updates, patches, and keep your defenses up-to-date • Keep antivirus software up-to-date • Regularly scan files for viruses • Install spyware protection software • Turn on firewall protection • Require confirmation before installing mobile code • Change default logon ID and passwords for operating system and applications • Regularly back up and securely store your files • Beware of sudden flashing pop-ups that warn that your computer is infected with a virus; this is a malicious code attack!

Social Engineering Emails - Alice Murphy [Great books deals!]

Delete e-mail

Social Engineering Emails - Pursuit Bank [Account Alert]

Delete e-mail

How can you avoid downloading malicious code?

Do not access website links in e-mail messages

Online Misconduct -

Keep in mind when online: Online misconduct is inconsistent with DoD values. Individuals who participate in or condone misconduct, whether offline or online, may be subject to criminal, disciplinary, and/or administrative action. When online: • Treat others with respect and dignity • Do NOT use electronic communications for: o Harassment o Bullying o Hazing o Stalking o Discrimination o Retaliation Remember: No one is truly anonymous online!

Select all violations at this unattended workstation.

Laptop with CAC left in it. PIN number on post-it note.

Which of the following demonstrates proper protection of mobile devices?

Linda encrypts all of the sensitive data on her government-issued mobile devices.

Malicious Code -

Malicious code can do damage by corrupting files, erasing your hard drive, and/or allowing hackers access. Malicious code includes viruses, Trojan horses, worms, macros, and scripts. Malicious code can be spread by e-mail attachments, downloading files, and visiting infected websites.

GPS -

Many mobile devices and applications can track your location without your knowledge or consent. Mobile device tracking can: • Geolocate you • Display your location • Record location history • Activate by default Stop and think before you wear or use a mobile device!

What should Sara do when using publicly available Internet, such as hotel Wi-Fi?

Only connect with the Government VPN

What portable electronic devices (PEDs) are permitted in a SCIF?

Only expressly authorized government-owned PEDs

PII/PHI

Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to: • Social Security Number • Date and place of birth • Mother's maiden name • Biometric records • Protected Health Information • Passport number Protected Health Information (PHI): • Is a subset of PII requiring additional protection • Is health information that identifies the individual • Is created or received by a healthcare provider, health plan, or employer, or a business associate of these • Relates to: o Physical or mental health of an individual o Provision of healthcare to an individual o Payment for the provision of healthcare to an individual

CAC/PIV

The Common Access Card (CAC)/Personal Identity Verification (PIV) card is a controlled item. It implements DoD Public Key Infrastructure (PKI) and contains certificates for: • Identification • Encryption • Digital signature Note: Some systems use different types of smart card security tokens. Avoid a potential security violation by using the appropriate token for each system.

E-mail Protection

To prevent the downloading of viruses and other malicious code when checking your e-mail: • View e-mail in plain text and don't view e-mail in Preview Pane • Use caution when opening e-mail: Look for digital signatures if your organization uses them. Digitally signed e-mails are more secure. • Scan all attachments • If authenticity cannot be confirmed, delete e-mail from senders you do not know • Don't e-mail infected files to anyone • Don't access website links, buttons, and/or graphics in an e-mail or a popup generated by an email message

Protecting PII/PHI -

• Avoid storing Controlled Unclassified Information (CUI) in shared folders or shared applications (e.g., SharePoint, Google Docs) unless access controls are established that allow only those personnel with an official need-to-know to access the information. • Follow your organization's policies on the use of mobile computing devices and encryption • Use only mobile devices approved by your organization • Encrypt all CUI, including PII, on mobile devices and when e-mailed. The most commonly reported cause of PII breaches is failure to encrypt e-mail messages containing PII. The DoD requires use of two-factor authentication for access. • Only use Government-furnished or Government-approved equipment to process CUI, including PII. • Never allow sensitive data on non-Government-issued mobile devices. • Never use personal e-mail accounts for transmitting PII. PII may only be e-mailed between Government e-mail accounts and must be encrypted and digitally signed when possible.

Disinformation -

Adversaries exploit social and other media to share and rapidly spread false or misleading news stories and conspiracy theories about U.S. military and national security issues. Using fake accounts on popular social networking platforms, these adversaries: • Disseminate fake news, including propaganda, satire, sloppy journalism, misleading headlines, and biased news • Share fake audio and video, which is increasingly difficult to detect as the creation technology improves • Gather personal information shared on social media to devise social engineering attacks Most media messages intend to influence you, if only to attract traffic. Ask yourself: • Who provided the information, and why? • How does the information provider want you to act? • Whose interests would your reaction serve?

Select all sections of the profile that contain an issue. [Alex Smith]

All 3 sections & Privacy settings: • Name and profile picture: Can select any, it is personal preference • Biographical data: Friends only • Status, photos, and posts: Friends only • Family and relationships: Friends only • Birthday: Friends only • Photos and videos you are in: Friends only • Check in location via GPS: Off

How can malicious code cause damage?

All of these: • Corrupting files • Erasing your hard drive • Allowing hackers access

What is the response to an incident such as opening an uncontrolled DVD on a computer in a SCIF?

All of these: • Notify your security POC • Analyze the media for viruses or malicious code • Analyze the other workstations in the SCIF for viruses or malicious code

Insider Threat -

An insider threat uses authorized access, wittingly or unwittingly, to harm national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities. Insiders are able to do extraordinary damage to their organizations by exploiting their trusted status and authorized access to government information systems. In one report on known U.S. spies, these individuals: • Demonstrated behaviors of security concerns: 80% of the time • Experienced a life crisis: 25% of the time • Volunteered: 70% of the time Although the vast majority of people are loyal and patriotic, the insider threat is real and we must be vigilant in our efforts to thwart it.

When is it appropriate to have your security badge visible?

At all times when in the facility.

In addition to avoiding the temptation of greed to betray his country, what should Alex do differently?

Avoid talking about work outside of the workplace or with people without a need-to-know

Whaling -

Be aware that high-level personnel may be targeted through complex and targeted phishing attacks called "whaling." Whaling: • Is targeted at senior officials • Uses personalized information: name, title, official e-mail address, sender names from personal contacts lists • Is an individualized, believable message • Exploits relevant issues or topics To protect against whaling: • Be wary of e-mails that ask for sensitive information, contain unexpected attachments, or provide unconfirmed URLs • Report the whaling e-mail to your security POC

Incident Indicators -

Beware of suspicious behavior that may indicate a cybersecurity incident or malicious code attack: • Sudden flashing pop-ups that warn that your computer is infected with a virus. • Sudden appearance of new apps or programs. • Strange pop-ups during startup, normal operation, or before shutdown. • The device slows down. • Appearance of new extensions or tabs in the Web browser. • Loss of control of the mouse or keyboard.

What is the danger of using public Wi-Fi connections?

Both of these

Select the information on the data sheet that is protected health information (PHI).

Bottom Box - Doctor's note

CUI -

Controlled Unclassified Information (CUI) is Government information that must be handled using safeguarding or dissemination controls. It includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, and operational information. It may contain information: • Provided by a confidential source (person, commercial business, or foreign government) on condition it would not be released • Related to contractor proprietary or source selection data • That could compromise Government missions or interests CUI is NOT classified information and may only be marked as CUI if it belongs to a category established in the DoD CUI Registry.

Use of Govt. E-mail

E-mail use must not adversely affect performance of your role or reflect poorly on your organization. To use e-mail appropriately: • Do not use e-mail to sell anything • Do not send: o Chain letters o Offensive letters o Mass e-mails o Jokes o Unnecessary pictures o Inspirational stories • Avoid using "Reply All" to prevent sending unnecessary e-mail traffic • Only use e-mail for personal reasons if allowed by your organization • Use a digital signature when sending attachments or hyperlinks, as required by the DoD • Do not use personal accounts, such as webmail, to conduct official DoD communication Follow your organization's policy on webmail (a web-based service that checks e-mail remotely). If webmail is allowed, use caution as it may bypass built-in security features and other safeguards, such as encryption, and thus may compromise security.

Firewall Status

Enable

Ethical Use of GFE

Ethical use of government furnished equipment (GFE): • Use GFE for official purposes only • Don't view or download pornography • Don't gamble on the Internet • Don't conduct private business/money-making ventures • Don't load or use personal/unauthorized software or services, such as DropBox or peer-to-peer (P2P) software o P2P software can compromise network configurations, spread viruses and spyware, and allow unauthorized access to data • Only use streaming video and audio for official business and in accordance with your organization's policy • Don't illegally download copyrighted programs or material • Don't make unauthorized configuration changes • Only check personal e-mail if your organization allows it • Don't play games unless allowed by your organization to do so on personal time Note: All DoD-owned devices are subject to monitoring. When you use these devices, you authorize the monitoring of your activity on these devices.

What level of damage to national security can you reasonably expect Top Secret information to cause if disclosed?

Exceptionally grave damage

NFC -

Exercise caution when using near field communication (NFC): • NFC is wireless technology that enables your electronic devices to establish communications and exchange information when placed next to each other. Smartphones can be enabled to: o Read electronic tag information, such as proximity cards or other objects with embedded NFC tags o Transmit information electronically, such as when making credit card payments with information held on the smartphone • Security risks: o Eavesdropping: an adversary intercepts the signal o Data manipulation or corruption: an adversary intercepts the signal and alters it o Viruses: stored financial or mission information increases potential rewards for hackers • Only use NFC with your Government-furnished device as instructed and permitted by your organization

Compressed URLs -

Exercise caution with compressed URLs, such as TinyURLs (e.g., https://tinyurl.com/2fcbvy): • Compressed URLs convert a long URL into a short URL for convenience but may be used to mask malicious intent • Investigate the destination by using the preview feature to see where the link actually leads o Use an Internet search engine to find instructions for previewing a specific compressed URL format (e.g., TinyURL, goo.gl)

Virus Alert!

Exit

Peripherals -

Follow policy for using personally-owned computer peripherals with government furnished equipment (GFE): • Permitted o Monitors, with the following conditions: ▪ Connected via Visual Graphic Array (VGA), Digital Video Interface (DVI), High Definition Multimedia Interface (HDMI), or DisplayPort ▪ No other devices connected to the monitor o Wired keyboards, mice, and trackballs through a Universal Serial Bus (USB) connection o USB hubs o Headphones and headsets, with or without microphones, through a USB port • Not permitted o Monitors connected via USB o Peripherals manufactured by any prohibited source (refer to the course Resources) o Bluetooth and other wireless external computer peripherals o Installation of drivers to support personally-owned peripherals

Protect Yourself -

Follow these information security best practices at home and on social networking sites. Be aware of the information you post online about yourself and your family. Sites own any content you post. Once you post content, it can't be taken back. To protect yourself: • Understand and use the privacy settings • Create strong passwords • Don't give away your position through GPS or location links or updates about places where you are or where you will be • If possible, validate all friend requests through another source, such as phone or e-mail, before confirming them • Don't connect with people you don't know, even if you share mutual connections • Beware of links to games, quizzes, and other applications available through social networking services • Avoid posting personally identifiable information (PII): o Social Security Number o Date and place of birth o Mother's maiden name o Home address

Collateral Classified Spaces

Follow your organization's policy on mobile devices and peripherals within secure spaces where classified information is processed, handled, or discussed. Mobile devices and peripherals may be hacked or infected with malware and can be used to track, record, photograph, or videotape the environment around them. Powering off or putting devices in airplane mode is not sufficient to mitigate these risks and the threat these devices pose to classified information. When using unclassified laptops and peripherals in a collateral classified environment: • Ensure that any embedded cameras, microphones, and Wi-Fi are physically disabled • Use authorized external peripherals only: o Government-issued wired headsets and microphones o Government-issued wired webcams in designated areas o Personally-owned wired headsets without a microphone All wireless headsets, microphones, and webcams are prohibited in DoD classified spaces, as well as all personally-owned external peripherals other than wired headsets.

Spear Phishing -

Spear phishing is a type of phishing attack that targets particular individuals, groups of people, or organizations. To protect against spear phishing: • Be wary of suspicious e-mails that use your name and/or appear to come from inside your organization or a related organization • Report the spear phishing e-mail to your security POC

Phishing -

Phishing attempts use suspicious e-mails or pop-ups that: • Claim to be from your military service, government organization, Internet service provider, bank, or other plausible sender • Direct you to a website that looks real • Ask you to call a phone number to make any change to your computer, such as to help clean a virus from your computer • Claim that you must update or validate information • Threaten dire consequences Assume all unsolicited information requests are phishing attempts and follow your organization's IT security policies and guidelines. To protect against phishing: • Do not access sites by selecting links in e-mails or pop-up messages. Type the address or use bookmarks. • Contact the organization using a telephone number you know to be legitimate if you are suspicious of a link or attachment • Delete the e-mail o Report e-mails requesting personal information to your security POC or help desk • Look for digital signatures • Never give out organizational, personal, or financial information to anyone by e-mail • Avoid sites with expired certificates. If officially directed to a site with expired certificates, report it to your security POC or help desk.

Physical Security -

Physical security protects the facility and the information systems/infrastructure, both inside and outside the building. To practice good physical security: • Know and follow your organization's policy on: o Gaining entry o Securing work area o Responding to emergencies • Use your own security badge/key code. Note that your Common Access Card (CAC)/Personal Identity Verification (PIV) card is sometimes used as a facility access badge. • Don't allow others access or to piggyback into secure areas • Challenge people without proper badges • Report suspicious activity • Protect access rosters from public view (e.g., do not take them home or post them in public spaces, such as bulletin boards)

What should the participants in this conversation involving SCI do differently?

Physically assess that everyone within listening distance is cleared and has a need-to-know for the information being discussed.

Which of the following is NOT an example of CUI?

Press release data

Removable Media & Mobile Devices -

Removable media include flash media, such as thumb drives, memory sticks, and flash drives; external hard drives; optical discs (such as CDs, DVDs, and Blu-rays); and music players (such as iPods). Other portable electronic devices (PEDs) and mobile computing devices, such as laptops, fitness bands, tablets, smartphones, electronic readers, and Bluetooth devices, have similar features. The same rules and protections apply to both. • Use only removable media approved by your organization • Only use flash media or other removable storage when operationally necessary, owned by your organization, and approved by the appropriate authority in accordance with policy • Do not use any personally owned/non-organizational removable media on your organization's systems • Do not use your organization's removable media on non-organizational/personal systems • Never plug unauthorized devices into a government system • Be aware that wireless connections to the devices bring increased threats and vulnerabilities • Abide by the signed End User License Agreement for mobile devices • Understand and follow your organization's Bring Your Own Device (BYOD) policy

What should the employee do differently?

Remove his CAC and lock his workstation.

Social Engineering Emails - John Anderson [Required Profile Update]

Report e-mail

What should Alex's colleagues do?

Report the suspicious behavior in accordance with their organization's insider threat policy

What should the owner of this printed SCI do differently?

Retrieve classified documents promptly from printers.

Spillage -

Spillage occurs when information is "spilled" from a higher classification or protection level to a lower classification or protection level. Spillage can be either inadvertent or intentional.

SCI -

Sensitive Compartmented Information (SCI) is a program that segregates various types of classified information into distinct compartments for added protection and dissemination or distribution control. SCI introduces an overlay of security to Top Secret, Secret, and Confidential information. To be granted access to SCI material, one must first have TOP SECRET clearance and be indoctrinated into the SCI program. There are explicit indoctrinations for each compartment under the SCI program umbrella. The Director of National Intelligence has overarching authority concerning SCI policy. SCI markings, or caveats, identify the specific compartment or compartments with which the material is affiliated. These caveats define the separation of SCI classified material from collateral classified material. Information that requires a formal need-to-know determination, also known as a special access authorization, exists within Sensitive Compartmented Information.

SCIF Awareness -

Situational awareness and SCI: • Do not discuss sensitive or classified information around non-cleared personnel, personnel without a need-to-know, or outside of a properly secured facility, as it could lead to a compromise of SCI. • When discussing sensitive or classified information, physically assess that all personnel present or within listening distance have a need-to-know for the information being discussed • Do not hold phone conversations on unencrypted phones in the vicinity in which classified or sensitive information is being discussed • Ensure monitors do not provide unobstructed views of classified information - monitors facing windows should be turned or the window blinds should be closed • Ensure uncleared persons are escorted by a cleared person familiar with the facility security procedures • Warn those in the SCIF that uncleared personnel are present in the secure facility or working area When sharing information in a SCIF: • Follow security practices for protecting classified material; do not assume open storage just because you are in a SCIF • Ensure that the person with whom you are sharing information is properly cleared and has a need-to-know • Do not reference or hyperlink derivatively classified reports, documents, records, or articles that are classified higher than the audience in receipt • Do not share any information with any individuals without checking need-to-know • Balance the need to share intelligence with the need to protect sources and methods • Appropriately mark and protect all classified material

Internet of Things

Smart devices in your home, such as voice-enabled devices, enhanced remotes, smart thermostats, security cameras, smart speakers, smart televisions, doorbell cameras, smart thermostats, smart watches, smart appliances, and even automobiles are part of what is known as the Internet of Things (IoT). The "things" within the IoT rely on a connection to the cloud, sometimes using another device as a relay, to analyze and act on the data they gather. For example, consider a smart lightbulb. You may use an app on your smartphone, tablet, or a voice activated digital assistant accessed through another device, such as a smart speaker, television, or watch, to operate it. IoT devices can be compromised within two minutes of connecting to the Internet, and default passwords are currently the biggest security weaknesses of these devices. When using your home network to telework, an unsecured IoT device could become an attack vector to any attached government-furnished equipment (GFE). To secure IoT devices: • Examine the default security options available and enable any security features o Remove or turn off voice-enabled listening and recording devices in your telework environment o Disable voice to text functions on Intelligent Personal Virtual Assistant Applications (IPVA) residing on any of your mobile or networked devices when teleworking o Most IPVAs, when enabled, are always listening for sounds or commands, which includes background conversations o Deny IPVAs access permission to any data that you consider risky or do not want to share • Set a robust password at the device's maximum length, if possible • Check your device's Bluetooth connections periodically to ensure that there are no unknown devices connected For each device, check the user manual or go to the manufacturer's website to learn more about its data collection policies and how to enable security features and disable audio and recording functions. 
Regularly monitor the device manufacturer's website for firmware updates and ensure updates are installed when available.

Social Engineering -

Social engineers use telephone surveys, e-mail messages, websites, text messages, automated phone calls, and in-person interviews. To protect against social engineering: • Do not participate in telephone surveys • Do not give out personal information • Do not give out computer or network information • Do not follow instructions from unverified personnel • Document interaction: o Verify the identity of all individuals o Write down phone number o Take detailed notes • Contact your security POC or help desk • Report cultivation contacts by foreign nationals

Online Identity -

Social networking sites are not the only source of your online identity. Many apps and smart devices collect and share your personal information, and contribute to your online identity. These include, but are not limited to: • Fitness and health trackers • Professional networking apps • Dating apps and websites • Secure chat • Neighborhood advisory apps • Audio-enabled personal digital assistants and the smart devices they support, such as phones, TVs, and speakers Feeding off the data collected by these apps and devices, as well as information available in public records, online data aggregators collect and catalogue information about you. You should opt out of data aggregation and use these apps and devices with caution.

Which of the following is an example of malicious code?

Software that installs itself without the user's knowledge.

Antivirus Software

Some agencies may have discounted/free antivirus software available to their employees • Active Department of Defense military and civilian employees may install antivirus software for home use via the DOD. • Contractors are excluded from participating in the DOD Antivirus Home Use Program

CPCON

The United States Cyber Command (USCYBERCOM) Instruction 5200-13 establishes Cyberspace Protection Conditions (CPCON) for the DoD. CPCON establishes protection priorities for each level during significant cyberspace events, as shown in the table below. Depending on the CPCON level, users may experience disruptions in service or access to physical spaces.

Risks -

The risks associated with removable media include: • Introduction of malicious code • Compromise of systems' confidentiality, availability, and/or integrity • Spillage of classified information Potential consequences: • Shutdown of systems • Compromise of information, systems, programs, and/or assets • Loss of mission • Loss of life

When is it okay to charge a personal mobile device using government-furnished equipment (GFE)?

This is never okay.

How many insider threat indicators does Alex demonstrate?

Three or more

Evaluation -

To avoid being misled by disinformation: • Research the source to evaluate its credibility and reliability • Read beyond the headline • Check against known facts and other sources on the topic • Consider whether the story is intended as a joke • Check your personal biases o Consider whether your views or beliefs are affecting your judgement o Actively seek opposing or disconfirming content

Awareness -

To avoid being targeted by adversaries, remain aware of your surroundings. For example: • Remove your security badge after leaving your controlled area or office building • Don't talk about work outside your workspace unless it is a specifically designated public meeting environment and is controlled by the event planners • Even inside a closed work environment, be careful when discussing classified or sensitive information, such as PII or PHI, as people without a need-to-know may be present • Avoid activities that may compromise situational awareness • Be aware of people eavesdropping when retrieving messages from smartphones or other media

Prevention - 1

To prevent inadvertent spillage: • Always check to make sure you are using the correct network for the level of data. • Do NOT use a classified network for unclassified work. Processing unclassified information on a classified network: o Can unnecessarily consume mission-essential bandwidth o May illegally shield information from disclosure under the Freedom of Information Act (FOIA) o Creates a danger of spillage when attempting to remove the information to an unclassified media or hard copy • Be aware of classification markings and all handling caveats • Follow procedures for transferring data to and from outside agency and non-Government networks, including referring vendors making solicitations to appropriate personnel • Label all files, removable media, and subject headers with appropriate classification markings

Prevention -

To prevent viruses and the download of malicious code: • Scan all external files before uploading to your computer • Don't e-mail infected files to anyone • Don't access website links, buttons, and/or graphics in an e-mail or a popup generated by an email message • For personally-owned devices, research any application and its vulnerabilities before downloading that "app" • For Government-owned devices, use approved and authorized applications only Mobile code can be malicious code. To prevent damage from malicious mobile code: • Only allow mobile code from your organization or your organization's trusted sites to run • Contact your security Point of Contact (POC) or help desk for assistance, especially with e-mails that request personal information

Protection -

To protect Controlled Unclassified Information (CUI): • Properly mark all CUI • Store CUI data only on authorized information systems • Don't transmit, store, or process CUI on non-approved systems • Mark, handle, and store CUI properly o Reduce risk of access during working hours o Store after working hours: Locked or unlocked containers, desks, cabinets, if security is present Locked containers, desks, cabinets if no security is present or is deemed inadequate • Follow policy in DoD Instruction 5200.48, "Controlled Unclassified Information (CUI)" for retention or disposal • Comply with the DoD Cyber Regulations outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) for CUI and CTI handling requirements

Protecting Classified Data

To protect classified data: • Only use classified data in areas with security appropriate to classification level • Store classified data appropriately in a GSA-approved vault/container when not in use • Don't assume open storage in a secure facility is authorized • Weigh need-to-share against need-to-know • Ensure proper labeling: o Appropriately mark all classified material and, when required, sensitive material o Report inappropriately marked material • Never transmit classified information using an unapproved method, such as via an unsecure fax machine or personal mobile device

Data Protection -

To protect data on your mobile computing and portable electronic devices (PEDs): • Lock your laptop/device screen when not in use and power off the device if you don't plan to resume use in the immediate future • Enable automatic screen locking after a period of inactivity • Encrypt all sensitive data on laptops and on other mobile computing devices when possible • At a minimum, password protect Government-issued mobile computing devices; use two-factor authentication if possible • Secure your personal mobile devices to the same level as Government-issued systems • Understand your organization's policy for using commercial cloud applications (e.g., Dropbox, Drive, etc.) • Maintain visual or physical control of your laptop and mobile devices at all times and especially when going through airport security checkpoints • Have a strategy for addressing a potential "authority situation" (e.g., police who want to inspect devices coincident with a traffic stop or an airport TSA agent check) • If lost or stolen, immediately report the loss to your security POC

CAC/PIV Protection

To protect your CAC/PIV card: • Maintain possession of your CAC/PIV card at all times o Remove and take your CAC/PIV card whenever you leave your work station o Never surrender or exchange your CAC/PIV card for building access (e.g., a visitor pass) o If your CAC/PIV card is lost or misplaced, report it immediately to your security POC • Store it in a shielded sleeve to mitigate card and chip cloning • Do not write down or share the PIN for your CAC/PIV card • Avoid using your CAC/PIV card as a form of photo identification when there is a request for such verification by a commercial entity • Do not allow commercial entities to photocopy or duplicate your CAC/PIV card • Lock your computer when you leave or shut it down, depending on your organization's security policy • Do not use your CAC/PIV card on systems without updated system security protections and antivirus • Use all security tokens appropriately

Identity Protection -

To protect your identity: • Ask how information will be used before giving it out • Pay attention to credit card and bank statements • Avoid common names/dates for passwords and PINs • Never share passwords and PINs • Pick up mail promptly • Do not leave outgoing postal mail in personal or organizational mailboxes, unless secured with a locking mechanism • Shred personal documents • Refrain from carrying SSN card and passport • Order credit report annually

Protect Your Organization -

To protect your organization: • Don't speak or appear to speak for your organization or post any embarrassing material • Carefully consider who you accept as a friend and validate, if possible, before acceptance • If posting pictures of yourself in uniform or in a work-setting, make sure there are no identifiable landmarks or items visible • When establishing personal social networking accounts, use only personal contact information, never your Government contact information • If you work with classified or sensitive material as a Federal Government civilian employee, military member, or contractor: o Inform your security POC of all non-professional or non-routine contacts with foreign nationals, including, but not limited to, joining each other's social media sites o If you believe a foreign national is contacting you specifically, seek further guidance from your security POC

Identity Theft Response -

To respond to identity theft if it occurs: • Contact credit reporting agencies • Contact financial institutions to cancel accounts • Monitor credit card statements for unauthorized purchases • Report the crime to local law enforcement

Select the information on the data sheet that is personally identifiable information (PII) but not protected health information (PHI)

Top box - Name and SSN

Select all security issues. [Boundaries website]

Top section (website URL) Bottom section (cookies settings/preferences)

Unclassified -

Unclassified is a designation to mark information that does not have potential to damage national security (i.e., has not been determined to be Confidential, Secret, or Top Secret). DoD Unclassified data: • Must be cleared before being released to the public • May require application of access and distribution controls (known as handling caveats), such as For Official Use Only (FOUO) information • Must be clearly marked as Unclassified, along with any handling caveats, if included in a classified document or classified storage area • If aggregated, the classification of the information may be elevated to a higher level of sensitivity or even become classified • If compromised, could affect the safety of government personnel, missions, and systems

Antivirus Alert!

Update

Travel -

Use caution when connecting laptops to hotel Internet connections. If you are directed to a login page before you can connect by VPN, the risk of malware loading or data compromise is substantially increased. When traveling overseas with mobile devices, including laptops and cell phones: • Be aware that information sent over public Wi-Fi connections may be exposed to theft, and the device may be exposed to malware • Fake Wi-Fi access points may be used for deception • Use public or free Wi-Fi only with the Government VPN When traveling overseas with mobile devices: • Be careful and do not travel with mobile devices, unless absolutely necessary • Report your travel if carrying a device approved under Bring Your Own Approved Device (BYOAD) policy so it can be unenrolled while out of the country • Assume that any electronic transmission you make (voice or data) may be monitored o Mobile phones carried overseas are often compromised upon exiting the plane • Physical security of mobile devices carried overseas is a major issue • Devices not in your custody or in secure U.S. Government facility storage should be assumed to be compromised

Transmission -

Use proper protections for transmitting and transporting SCI, such as proper wrapping and courier requirements. • Dissemination of information regarding intelligence sources, methods, or activities shall be consistent with directives issued by the Director of National Intelligence Printing: • Retrieve classified documents promptly from printers • Use appropriate classification cover sheets • Ensure classified material is not mixed in with unclassified material being removed from SCIF • Cover or place classified documents in a container even in an open storage environment Fax: • Mark SCI documents appropriately • Send SCI information using an approved SCI fax machine • Follow SCI handling and storage policies and procedures • Immediately report security incidents to your Security POC Courier: • Authorization to escort, courier, or hand-carry SCI shall be in accordance with appropriate organization policy (agency-specific resources external to the course) • Follow SCI transporting badge requirements and procedures • Only transport SCI information if you have been courier-briefed for SCI • Refer to agency-specific policies and requirements prior to transporting SCI information • Contact your Special Security Office (SSO) or Security POC for questions/clarification

Which of the following is NOT an appropriate

Use the classified network for all work, including unclassified work

Permitted Uses of Government-Furnished Equipment (GFE)

• Viewing or downloading pornography - NO • Gambling online - NO • Conducting a private money-making venture - NO • Using unauthorized software - NO • Illegally downloading copyrighted material - NO • Making unauthorized configuration changes - NO

Deterring -

We defend against the damage insider threats can cause by deterring insiders from becoming threats. DoD and Federal policies require agencies to establish Insider Threat Programs aimed at deterring, detecting, and mitigating the risks associated with insider threats. Their activities include: • Proactively identifying insiders who exhibit potential risk indicators through: o User activity monitoring o Workplace reporting • Formulating holistic mitigation responses to decrease risk while achieving positive outcomes for the organization and the individual. For example: o Referring individuals to counseling or other types of assistance to alleviate personal stressors o Requiring training on security protocols o Developing organization-wide protocols designed to secure information, resources, and personnel

Detecting -

We detect insider threats by using our powers of observation to recognize potential insider threat indicators. These include, but are not limited to: • Difficult life circumstances o Divorce or death of spouse o Alcohol or other substance misuse or dependence o Untreated mental health issues o Financial difficulties • Extreme, persistent interpersonal difficulties • Hostile or vindictive behavior • Criminal behavior • Unexplained or sudden affluence • Unreported foreign contact and travel • Inappropriate, unusual, or excessive interest in sensitive or classified information • Mishandling of classified information • Divided loyalty or allegiance to the U.S.

Marking -

When handling SCI: • Mark classified information appropriately o Use proper markings, including paragraph portion markings o Use Security Classification Guides o Use Classification Management Tool (CMT) (ICS 500-8) for email and electronic documents • Attach appropriate cover sheets • Take precautions when transporting classified information through unclassified areas • Complete annually required classification training A Security Classification Guide: • Provides precise, comprehensive guidance regarding specific program, system, operation, or weapon system elements of information to be classified, including: o Classification levels o Reasons for classification o Duration of classification • Is approved and signed by the cognizant Original Classification Authority (OCA) • Is an authoritative source for derivative classification • Ensures consistent application of classification to the same information

Transmission -

When transmitting Controlled Unclassified Information (CUI): • Ensure all information receivers have required clearance and official need-to-know before transmitting CUI or using/replying to e-mail distribution lists • If faxing CUI: o Ensure recipient is at the receiving end o Use correct cover sheet o Contact the recipient to confirm receipt • Use encryption when e-mailing Personally Identifiable Information (PII) or other types of CUI, as required by the DoD

DoD PKI Tokens

When using a DOD PKI token: • Only leave in a system while actively using it for a PKI-required task • Never use on a publicly accessible computer (e.g., kiosks, internet cafes, and public libraries) • Never use on a computer with out-of-date antivirus software or without spyware and malware protection • Only use a token within its designated classification level o Never use a token approved for NIPRNet on a system of a higher classification level o Never use a token for a higher classification system on a system of a lower classification level (e.g., do not use a SIPRNet token on the NIPRNet) o Know and comply with the security requirements for tokens for higher classification systems • If misuse occurs, report it immediately to your security POC

Wireless Network

When using a home wireless network for telework: • Implement Wi-Fi Protected Access 2 (WPA2) Personal (also known as WPA2 Pre-Shared Key) encryption at a minimum on your wireless router • Limit access to your wireless network and allow access only to specific devices • Change the Service Set Identifier (SSID) of your router from the default and your router's pre-set password using a strong password • Immediately establish a virtual private network (VPN) after connecting

Public Use -

When using mobile computing devices, including laptops and cell phones, in public: • Be careful of information visible on your mobile computing device; consider screen protection • Maintain possession of laptop and other government-furnished equipment (GFE) at all times and be extra vigilant in protecting it • Protect your mobile computing device using a password or other access control (i.e., two-factor authentication) • Make certain all sensitive data stored on your laptop is encrypted • Avoid using Government computers in non-secure environments o DoD employees are prohibited from using a DoD CAC in card-reader-enabled public devices such as those found in public libraries and Internet cafes • Never discuss sensitive information in public, even if using a secure device

Passwords

When using passwords at work or at home, create strong passwords: • Combine letters, numbers, and special characters • Do not use personal information • Do not use common phrases or dictionary words in any language • Do not write down your password; memorize it • Follow your organization's policy on: o Password length o Frequency of changing your password: best practice is at least every 3 months • Avoid using the same password between systems or applications

Use -

When using removable media: • Users must properly identify and disclose removable media with local Configuration/Change Management (CM) Control and Property Management authorities • Users shall comply with site CM policies and procedures • Media shall display a label inclusive of maximum classification, date of creation, POC, and CM Control Number

Wireless Technology

Wireless technology includes Bluetooth, infrared, wireless computer peripherals (e.g., wireless keyboard, wireless mouse, etc.), and smart devices (e.g., smart refrigerators, medical pumps, wireless-enabled hearing aids). To protect information systems and data on those systems: • Be cautious when using wireless technology o Ensure that the wireless security features are properly configured o Turn off/disable wireless capability when connected via LAN cable o Turn off/disable wireless capability when not in use o Avoid using non-Bluetooth paired or unencrypted wireless peripherals (e.g., keyboard, mouse, etc.) • Follow your organization's policies for proper configuration of wireless security features Remember! Wireless technology is inherently not a secure technology.

SCIF Security -

Within a Sensitive Compartmented Information Facility (SCIF): • Everyone must badge in - no piggybacking • Personnel entering or leaving an area are required to secure the entrance or exit point • Authorized personnel who permit another individual to enter the area are responsible for confirming the individual's need-to-know and access • Badges must be visible and displayed above the waist at all times while in the facility • Badges must be removed when leaving the facility

Which of the following is true about telework?

You must have your organization's permission to telework.

Use (Removable Media) -

Your organization may severely restrict or prohibit the use of removable media and PEDs. Follow your organization's policies or contact your security POC with questions. If allowed, use appropriately: • Do not download data from the classified networks onto removable storage media • Encrypt data appropriately and in accordance with its classification or sensitivity level • As a best practice, label all removable media regardless of classification or environment and avoid inserting removable media with unknown content into your computer • Store according to the appropriate security classification in GSA-approved storage containers • Mark all classified and sensitive material correctly • Ensure unclassified media in a classified environment is labeled appropriately • Label all media containing Privacy Act information, personally identifiable information (PII), or protected health information (PHI) appropriately regardless of environment • Follow your organization's policy for sanitizing, purging, discarding, and destroying removable media • Destroy classified removable media in accordance with its classification level

