Cybersecurity Fundamentals 🌎

This topic helps users understand the goal of malware, its common infection methods, and best practices to help prevent it from infecting devices.

• Questions (level 1, 2, 3)

• Video module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Malicious software, such as spyware or viruses, collectively referred to as malware, is utilized by cybercriminals. Being infected does not necessarily indicate a mistake on your part; however, it can result in unauthorized surveillance of your browsing, the collection of personal data, or making you an unwilling participant (botnet)

   - Examples include: pop-ups that generate revenue, spyware and viruses

2. Malware can infiltrate your device through a variety of avenues, including:

   - Clicking a link in an email

   - Websites created to deliver malware

   - Websites that were hacked or hijacked

   - Pop up ads designed to generate revenue

3. Malware used in sophisticated attacks, such as spear-phishing (personalized and/or targeted phishing attacks), might not trigger antivirus alerts; therefore, victims will likely not know that they’ve been infected.

4. Some external devices that can infect a laptop or computer with malware include:

   - Infected USB device (memory stick, MP3 player, USB-powered toys, and more)

   - Connecting to public Wi-Fi hotspots

   - Smartphones plugged into computers for charging and/or data transfer

   - Memory cards, such as SD, Micro SD and others

5. System-related defenses against malware include:

   - Ensure Operating System is always up-to-date

   - Ensure 3rd party software (such as Adobe, Java, MS Office) is always up-to-date

   - Ensure antivirus software is up-to-date

6. Personal actions you can take to prevent malware include:

   - Do not click links in emails from unknown sources

   - Be suspicious of email links to sites you’ve never visited, even from people that you know (they could have been infected and the malware is trying to spread)

7. Smartphones can also be a target for malware as they contain personal and confidential information, which can be a valuable reward to a hacker.

In this topic, users are taught about the various tactics commonly used by attackers against an organization to gain access to its systems. These attacks often focus on persuasion tactics to influence the individuals in the organization.

• Questions (level 1, 2, 3)

• Video module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Social Engineering is the art of manipulating people’s natural tendency to trust others. Because most people naturally want to trust others, social engineering is the quickest method skilled adversaries can use to gain access to company networks and/or sensitive data, which makes it one of the greatest security threats.

2. Hackers rely on human interactions and use social engineering to trick people into sharing or allowing access to important, confidential information. In some cases, hackers will even study every detail of your personal information.

3. Social Engineering is a successful form of cyber attack because people:

   - Tend to believe improbable stories. (Ex: “You won a free iPod! click here to claim your prize!)

   - Aren’t skilled at risk assessments.

   - Generally want to avoid confrontation. (Ex: Confronting someone you don’t recognize in your office to validate that they should be there.)

4. Some of the most common forms of Social Engineering attacks come in the form of:

   - Fake emails – might contain malicious links, requests for money or help, etc.

   - Phishing emails – emails disguised as official letters from trusted institutions like banks, schools, businesses, etc. that contain malware or malicious links.

   - Impersonators – people posing as employees from trusted businesses, calling to ask you to give them passwords or personal information, or people pretending to be delivery drivers, or employees who ask you to let them through security doors.

5. To protect yourself from social engineering attacks, follow these rules:

   - Set up a strong security defense: anti-virus software, firewalls, passwords, filters, security questions

   - Be suspicious of unknown emails, callers, and links before participating

   - Ask questions to validate the legitimacy of an email (asking an individual via non-email channel if they sent an email that you this is suspicious)

6. If you see something connected to a wall that shouldn’t be, or anything out of the ordinary, notify a member of your security team immediately.

7. Social Engineering attackers can also come to your home or to the office in person, impersonating a repairman, visitor for a meeting, delivery person, etc. These impersonators contact you in person, rather than contact you online so that they can gain physical access to a building, to your home, to your computer, energy source, etc.

   - Always ask questions when confronted by someone you don’t know.

8. Social engineering attacks by ‘impersonators’ usually include:

   - Gaining access to company networks and information via plugged-in devices.

   - Stealing equipment like laptops, USB drives, phones, etc.

   - Spying on information which may be posted to walls, cubicles, on computer monitors, etc.

9. The best defense against in-person social engineering attacks is to:

   - Introduce yourself to unescorted strangers in the office, even if they’re wearing a badge, and ask them if they need help.

   - Assess potential social risks, even if they go against what’s considered polite. For example, do not hold security doors open for others you don’t recognize, and ask questions when someone asks you for personal information.

This topic helps users understand how their data is easily available to attackers, and how it may be used against them. It teaches about metadata, cookies, profiling, and more.

• Questions (level 1, 2, 3)

• Video module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Everything that you put online could be discovered because information about our online activities can be stored for a long time after we’re done with a site, or after we close the browser.

2. The capacity for online data storage has been steadily increasing; therefore, we can keep more data for longer. As a result, information and data that we put online can stay online and accessible for years, possibly forever.

3. Hackers will analyze your online posts to study you and determine if you could be used in their scheme.

4. The metadata (data about your data) in your social posts can contain sensitive details such as:

   - Your current geographical location

   - The type and device model you are using

   - Username and/or email

   - Frequency and times of posts/updates

5. Metadata in documents that you email or post online can contain information such as:

   - Operating system type and version

   - Name of your computer

   - Name and version of software used to create the document

   - Author name (usually defaults to your full name)

6. Many websites use “cookies” to track your return visits and to remember you are signed in. You can delete the cookies to protect your privacy.

7. Large advertisers operate networks consisting of a mixture of search engines, media companies, technology vendors, etc., which lets them learn which websites you frequent. Advertising companies share their tracking data with their customers, partners, networks, etc., which lets them deduce a lot of psychological information about you (aka profiling).

8. Modern web browsers offer the user the option to use a ‘private browsing mode’, which temporarily disables browsing history, so the user’s data can’t be retrieved later and/or shared with third parties.

In this topic, users are taught some best practices to help guard their devices and online identity from attack. Content includes tips for creating strong passwords, protecting devices from exposure to attack, etc.

• Questions (level 1, 2, 3)

• Video module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Always restrict the privacy settings on your social profiles as much as possible to prevent data leaks and attacks.

   - Revisit and check your privacy settings every few months as they tend to change often.

2. To ensure that your laptop and mobile devices are secure, consider enabling additional encryption or authentication measures, including biometrics such as face and fingerprint identification.

3. Once a single account has been compromised, it can lead to many more being hacked.

4. When a machine or smartphone becomes infected, malware can steal usernames and passwords for multiple programs, including:

   - Operating systems

   - Passwords saved in the browser for websites

   - Outlook and other programs (such as FTP clients)

   - Applications you use (or ‘Apps’ on mobile devices)

   Malware can also:

   - Unlock or change the passwords on any of your computing devices

   - Encrypt your drives

5. Lock and physically secure your device when it’s not in use. If hackers steal your device, they can install malware, hack your passwords, and gain access to your information.

This topic provides the user with some best practices when it comes to selecting or creating passwords. Content focuses on tips like: restricting privacy settings, using strong passwords, what can happen when a password is breached or stolen, etc.

• Questions (level 1, 2, 3)

• Video Module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. To make your password harder for a stranger to guess or break, try writing passwords using quotes, poems, personal goals, etc. Create passwords with more than 12 characters, or use more than 8 characters that are a combination of letters, numbers, and symbols.

2. To add an extra layer of security to your passwords, use two-factor authentication wherever possible.

   Two-factor authentication is an additional step when logging in to a site that’s targeted at confirming your identity. (Ex: When a site sends a verification code to your cell phone that you must enter when logging into a site.) Many sites, such as Facebook, Amazon, Dropbox and Google, support it.

3. Always remember to lock your computer when you walk away from your desk. Passwords can be stolen from a running computer.

4. Use password managers to help you create and remember strong passwords for all your accounts. 1Password is a popular option.

5. Passwords are usually very easy to crack online or on the network, and there are a variety of tools hackers can use to help them figure out your passwords.

   - Passwords are your “last line of defense”

   - Passwords are even easier to crack if the hackers have your physical device

6. People often select simple and short passwords that are unsafe.

7. Most people reuse the same one or two passwords on all the websites and services they use.

   - If your email or Facebook password was stolen, hackers will immediately try the same credentials on other services.

   - Once they accessed your email, they often try to reach out and compromise other people on your contact list.

Most places you go these days have Wi-Fi; however, should you connect to it? This topic helps learners be more aware of potential hazards of connecting to unsecured sites, how to tell if a site is secured, what to look for in a URL, and more.

• Questions (level 1, 2, 3)

• Video Module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Be careful when using public Wi-Fi hotspots, especially ones that don’t require a password to connect (aka unsecured networks). Unsecured networks are much easier for hackers to gain access to and start stealing or reading through your information.

2. When you connect to public Wi-Fi networks, hackers could

   - See your network traffic and the sites you visit

   - Hijack your online accounts (Gmail, Facebook, banks, etc.)

   - Search your network traffic for passwords

3. Transport Layer Security (TLS) is the standard security technology used by websites. It encrypts communication between the browser and the server and ensures that the browser is ‘talking’ to the right entity by verifying that the certificate matches the server name in the location bar.

4. Always double-check the URL before doing any online shopping or accessing any sites with sensitive information. To make sure that a site is secured by a TLS, check the URL. A URL that starts with https is secured by TLS. The s stands for ‘secured.’

5. A way to make sure the website is TLS-protected is to make sure you see a padlock icon in your browser when logging into sensitive sites, such as banking, shopping, and social media. The padlock icon indicates that the connection to the site is encrypted.

This topic teaches users how to identify the methods used by hackers to gain access to their accounts or to business/company files. Specifically, content explains how hackers try to confuse users and encourage them to respond to emails that will expose private information.

• Questions (level 1, 2, 3)

• Video Module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. There are two main types of phishing emails: shotgun and targeted/spear phishing. Each type of phishing email is sent with the hope of tricking the user into disclosing important or confidential information, through clicking a link, replying with information, forwarding to more recipients, etc.

2. Shotgun phishing messages are sent in large blasts to thousands of people, in hopes that a few people will be fooled into providing the information the hacker is after. Shotgun phishing emails are usually poorly constructed and can be easier to identify.

3. Targeted or spear phishing emails are much harder to identify because they often include:

   - Personal information, the recipient’s name, job title, department, etc.

   - A familiar name: they might appear as though they’re from a co-worker, a contact, a client, etc. Hackers will register domains that are very similar to the contact’s original domain, and hope that the recipient is fooled.

   - A sense of urgency: an urgent action is required to avoid some kind of penalty.

4. Some phishing emails will link to sites that are designed to look like a legitimate service, such as your bank or Salesforce. These sites are primarily used to fool users into disclosing their login credentials. Sometimes they will also try to infect your computer or smartphone with malware.

Everyone receives several attachments daily; they are business-related, personal, hobby-related, etc. This topic helps users identify which attachments are likely safe and which are likely a phishing scam aimed at infecting devices or gaining access to private information. The content in this topic also provides some helpful tips about what to look for in phishing attachments, so you can protect yourself from being hacked.

• Questions (level 1, 2, 3)

• Video module

Translated content is typically AI-generated, and in some instances, it's been human-reviewed. Review the list below for translation details within this topic.

• English

• French

  • Questions = human-translated

  • Video = AI-translated

• Spanish

  • Questions = human-translated

  • Video = AI-translated

1. Any attachment type could be, or could contain malware. Opening a malicious attachment could compromise your machine, your privacy, or the privacy and equipment of your company.

   Common attachment types may include .exe, .zip, .scr, .pdf, .docx, .pptx, .xlsx, .html

2. Some common types of malicious attachments include: documents that need to be completed, links that need to be clicked, sites that need to be accessed with confidential credentials, images, or even videos. Sometimes, simply opening an image or PDF document could put your machine at risk.

3. When you receive an email, text, etc., that contains an attachment you were not expecting, be discerning about whether or not you open them. When in doubt, send the message to your IT team to verify that it’s safe to open.

4. To help verify whether or not an attachment is safe to open, hover over the link of the attachment. When the attachment’s URL appears, verify that it’s linked to a legitimate address, doesn’t contain spelling errors, matches the sender’s information, etc.

5. Short Messaging Service (SMS) messages and Multimedia Messaging Service (MMS) messages are used to trick people into clicking links on their phones. These scams trick the recipients into opening their smartphones up to hackers. SMS and MMS messages are often disguised as messages from your carrier, someone in your contacts’ list, or an institution, like a bank, and can even mimic phone numbers to make them seem more authentic.