Awareness

This is a living document that will be updated as often as possible.

📌 Goal: To Provide Information Security [InfoSec] and Cyber Security [CyberSec] fundamental awareness training and ethical development.

Security Awareness is the set of technical and procedural habits end users need in order to keep data and assets safe, whether that information is stored electronically, printed on paper, or simply spoken aloud. The majority of successful cyberattacks involve human error somewhere in the chain.

One careless click can lead to:

  • Identity theft
  • Financial loss
  • Data breaches
  • Account takeovers

Cybersecurity Awareness is understanding how cyber threats work and how to protect yourself from them. Most cyberattacks don’t start with hacking tools; they start with human mistakes.

Attackers try several paths at once so that at least one of them leads to your data. They go after whatever hardware and software you use, and they prepare the ground with Open Source Intelligence [OSINT] reconnaissance and social engineering.

Attackers rely on:

  • Trust
  • Curiosity
  • Fear
  • Urgency

Awareness helps you recognize these tricks before damage is done. Everyone should be aware of the following guidelines.

1️⃣ HARDWARE

WI-FI ROUTER:

• Change the default network name [SSID]; the factory name usually reveals the router make and model
• Change the router’s admin password and the Wi-Fi passphrase; use WPA2 or WPA3, never WEP or an open network
• Keep the router’s firmware updated
• Hiding the SSID buys little: a passive sniffer still sees the name the moment a device joins, and your own devices will then broadcast that hidden name in probe requests everywhere they go
• Do not let your devices auto-connect to just any public Wi-Fi
• Use a VPN whenever you must use public Wi-Fi

PERSONAL DEVICES:

Do not personalize device names; Bluetooth and Wi-Fi hostnames are visible to anyone nearby –
• “Jerry’s iPhone”
• “Sally’s Macbook”

Shut off tracking and tagging on mobile devices, and strip metadata from photos before sharing them –
• Location Services [per app, not only the global switch]
• Geo Tagging of photos
• EXIF Data [camera model, timestamps, and GPS coordinates embedded inside image files]
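Here is an added example, written for this page and not part of the original post, of what “strip EXIF data” means in practice. A JPEG file is a sequence of tagged segments, and the metadata lives in a few of them: APP1 carries Exif (GPS position, camera, timestamps) and XMP, APP13 carries Photoshop/IPTC fields, and COM is a free-text comment. The script walks the segment table, drops those three kinds, and copies everything else, including the compressed picture, byte for byte. The JPEG it runs on is constructed inline so that the example works offline; it has a valid segment layout but is not a decodable photo.

```python
import struct

# JPEG marker codes (the byte that follows 0xFF)
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
# Markers that are never followed by a length field
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}
# Segments that carry metadata rather than picture data:
#   APP1 = Exif (GPS, camera, timestamps) and XMP, APP13 = Photoshop/IPTC, COM = comment
METADATA_MARKERS = {APP1, APP13, COM}


def parse_segments(data: bytes):
    """Yield (marker, raw_bytes) for every segment up to and including SOS.

    The entropy-coded scan that follows SOS (through EOI) is yielded once as
    (None, bytes) and is never touched, so the picture itself stays intact.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, data[start:pos]
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length counts its own 2 bytes
        end = pos + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[start:end]
        pos = end
        if marker == SOS:
            yield None, data[pos:]
            return


def strip_metadata(data: bytes):
    """Return (cleaned_jpeg, removed_markers) with all metadata segments dropped."""
    out = bytearray()
    removed = []
    for marker, chunk in parse_segments(data):
        if marker in METADATA_MARKERS:
            removed.append(marker)
            continue
        out += chunk
    return bytes(out), removed


# --- constructed sample: structurally valid JPEG segments, not a real photo ---
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


SAMPLE_JPEG = b"".join([
    b"\xff\xd8",                                                       # SOI
    _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"),  # JFIF header (kept)
    _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<GPS IFD would be here>"),
    _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>"),   # XMP block
    _segment(COM, b"Shot on Jerry's iPhone"),                          # comment
    _segment(0xDB, b"\x00" + bytes(64)),                               # DQT
    _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00"),           # SOF0
    _segment(0xC4, b"\x00" + bytes(16)),                               # DHT
    _segment(SOS, b"\x01\x01\x00\x00\x3f\x00"),                        # SOS
    b"\x12\x34\xff\x00\x56\xff\xd9",                                   # scan data + EOI
])

if __name__ == "__main__":
    cleaned, removed = strip_metadata(SAMPLE_JPEG)
    print(f"removed {len(removed)} metadata segment(s): {[hex(m) for m in removed]}")
    print(f"{len(SAMPLE_JPEG)} bytes -> {len(cleaned)} bytes")
```

Run it against a real photo with `strip_metadata(open("photo.jpg", "rb").read())` and write the first element of the result to a new file. APP0 (JFIF), APP2 (ICC colour profile) and APP14 (Adobe) are deliberately kept, because removing them changes how the image is decoded rather than what it reveals about you.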

Always lock your personal device when unattended, and set a short auto-lock timeout –
• so the screen and/or device is not viewable or exposing data
• so that the device is not accessible


2️⃣ SOFTWARE

BROWSERS:

• Keep every browser you use updated; most browsers update themselves if you let them restart
• If you install extensions, install only what you need and only from a trusted publisher; an extension can read everything on every page you visit
• “Incognito” or private mode only stops the browser from saving browsing history, cookies, site data, and form entries on that local machine; your ISP, your employer, the Wi-Fi operator, and the sites you visit still see your traffic and IP address
• Prefer privacy-respecting browsers such as Tor Browser, Brave, Firefox, or ungoogled Chromium
• Check for HTTPS [the padlock] on any site where you enter data, and use a VPN when you are on a network you do not trust

VIRTUAL PRIVATE NETWORK:

Simply having a Virtual Private Network [VPN] does not mean you are private or secure. A VPN moves your trust from the local network and your ISP to the VPN provider, so choose one that offers the following –

• A no-logs policy that has been independently audited, not merely claimed
• Modern protocols with strong encryption [WireGuard, or OpenVPN/IKEv2 with AES-256 or ChaCha20]; “military-grade” is a marketing phrase, not a standard
• Kill-switch technology that blocks all traffic if the tunnel drops
• DNS, IPv6, and WebRTC leak protection
• Enough simultaneous connections to cover all of your devices [a convenience, not a security property]


3️⃣ PERSONALLY IDENTIFIABLE INFORMATION [PII]

PII is ANY information that allows someone’s identity to be inferred, discovered, or exposed, either on its own or in combination with other data. Examples include:

• Social Security Number
• Driver’s License
• Credit Card Numbers
• Birth Certificate
• Personal and Business Email Addresses
• Passport ID Numbers
• Education History
• Work History
• Job Position & Title
• Medical Information
• Criminal Records
• Credit Score Records
• Mother’s Maiden Name
• Family/Genetic History
• Alien Registration Number
• Date of Birth
• Ethnicity & Race
• Sexual Orientation
• Home Address
• Gender Information/Pronouns

Some PII can be used to find other PII. Items that look harmless on their own [date of birth, ZIP code, gender, employer] can be combined, or joined against another dataset that also contains them, until only one person fits the description.

This is the type of information attackers strive to access.
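The point is easier to see in code. The following is an added example, written for this page and not part of the original post, of a linkage attack: a “de-identified” health table that kept ZIP code, date of birth and sex is joined against a public people list [a voter roll or people-search site] that has the same three fields plus names. Both tables are constructed and every name and value in them is made up. A k-anonymity check shows why the join works (a combination of quasi-identifiers shared by only one row is, in effect, a name), and a generalize step shows why coarsening those fields before release defeats it.

```python
from collections import Counter, defaultdict

# Fields that are not identifiers on their own but single someone out in combination
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed "de-identified" health records: names removed, quasi-identifiers kept
HEALTH_RECORDS = [
    {"zip": "02139", "dob": "1984-07-21", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1984-11-05", "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1991-03-02", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1991-03-02", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10001", "dob": "1975-12-30", "sex": "F", "diagnosis": "migraine"},
    {"zip": "10001", "dob": "1975-02-02", "sex": "F", "diagnosis": "allergy"},
]

# Constructed public list in the style of a voter roll or people-search site
PUBLIC_LIST = [
    {"name": "Jerry Example", "zip": "02139", "dob": "1991-03-02", "sex": "M"},
    {"name": "Alex Example",  "zip": "02139", "dob": "1991-08-19", "sex": "M"},
    {"name": "Kim Example",   "zip": "02139", "dob": "1984-07-21", "sex": "F"},
    {"name": "Lee Example",   "zip": "02139", "dob": "1984-11-05", "sex": "F"},
    {"name": "Sally Example", "zip": "10001", "dob": "1975-12-30", "sex": "F"},
    {"name": "Sam Example",   "zip": "10001", "dob": "1975-02-02", "sex": "F"},
    {"name": "Pat Example",   "zip": "10001", "dob": "1960-01-15", "sex": "M"},
]


def qi_key(row, fields=QUASI_IDENTIFIERS):
    return tuple(row[f] for f in fields)


def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group of rows sharing the same quasi-identifier values.

    k = 1 means at least one row is unique in the table and therefore linkable.
    """
    return min(Counter(qi_key(r, fields) for r in rows).values())


def link(records, public, fields=QUASI_IDENTIFIERS):
    """Re-identify records by joining them to the public list on the quasi-identifiers.

    Returns {name: [sensitive values]} for every record whose quasi-identifier
    combination matches exactly one named person. Ambiguous matches are discarded.
    """
    names_by_key = defaultdict(list)
    for person in public:
        names_by_key[qi_key(person, fields)].append(person["name"])
    reidentified = defaultdict(list)
    for rec in records:
        candidates = names_by_key.get(qi_key(rec, fields), [])
        if len(candidates) == 1:
            reidentified[candidates[0]].append(rec["diagnosis"])
    return dict(reidentified)


def generalize(rows):
    """Common mitigation: coarsen the quasi-identifiers (3-digit ZIP prefix, birth year only)."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:3] + "**"
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of the released table:", k_anonymity(HEALTH_RECORDS))
    for name, diagnoses in link(HEALTH_RECORDS, PUBLIC_LIST).items():
        print(f"{name} -> {diagnoses}")
    print("after generalizing:", k_anonymity(generalize(HEALTH_RECORDS)),
          link(generalize(HEALTH_RECORDS), generalize(PUBLIC_LIST)))
```

With the exact fields, five of the six health rows come back with a name attached, including two diagnoses for one person. After generalizing, every ZIP/year/sex combination in the public list fits at least two people, so the join returns nothing. The same reasoning applies to what you post about yourself: each fact narrows the set of people you could be.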


4️⃣ SOCIAL ENGINEERING

Basically, it’s the non-technical manipulation of people into doing specific things and/or disclosing confidential information, ideally without the victim realizing it, so that the attacker ends up with access to people, places, and/or data that looks legitimate only because the victim handed it over.

Types of Social Engineering:

• Phishing
• Shoulder Surfing
• Pretexting
• Tailgating
• Water Holing [watering-hole attacks]
• Dumpster Diving

These fall into two broad categories:

CYBER SOCIAL ENGINEERING

Emails and messages:

• Phishing emails, and their targeted variants spear phishing and whaling [aimed at executives]
• SMSishing [phishing over text message, also called smishing]
• Spam & baiting emails
• Business Email Compromise [BEC]

Email Security:

Emails are used to spread malware [such as adware, spyware, ransomware] via spam and phishing campaigns.

• Configure your mail client not to load remote images or content automatically; viewing a message in the Preview Pane is no safer than opening it if the client still renders the HTML and fetches remote content
• Ensure you know the sender of the email, and check the actual sending address, not just the display name
• Mouse over any links to view where they would actually take you before clicking –
Example: a link that reads www.CNN.com can point somewhere entirely different [<- mouse over the link without clicking]
• Do not open unexpected attachments, even from senders you know
• If the sender is unknown and/or a link seems suspicious, delete the email or report it to your security team
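To make “mouse over the link” concrete, here is an added example, written for this page and not taken from the original post, that performs the same check programmatically: it pulls every link out of an HTML email body, compares the text the reader sees with the host the link really goes to, and flags domain mismatches, a trusted name buried as a subdomain of something else, raw IP addresses, punycode look-alike hostnames, and plain http. The sample message is constructed; every host in it is made up (203.0.113.10 is a documentation address) except www.cnn.com, which the text above already uses as its example. The base-domain comparison takes the last two labels as an approximation; real tooling should use the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that looks like a domain or URL, e.g. "www.CNN.com" or "https://bank.example/login"
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)
# A scheme prefix such as "mailto:" or "javascript:" (no dot allowed, so "host:port" is not a scheme)
_HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+-]*:", re.I)
_IS_WEB_URL = re.compile(r"^https?://", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL or bare domain; None for mailto:, tel:, javascript: etc."""
    text = text.strip()
    if _HAS_SCHEME.match(text) and not _IS_WEB_URL.match(text):
        return None
    parts = urlsplit(text if _IS_WEB_URL.match(text) else "//" + text)
    return parts.hostname  # urlsplit lower-cases it and strips IPv6 brackets


def base_domain(host):
    # Approximation: the last two labels. Use the Public Suffix List in real tooling,
    # otherwise "example.co.uk" collapses to "co.uk".
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_links(html):
    """One finding per web link: the href, the text the reader sees, and why it is suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue  # mailto:, tel: and similar are not web links
        reasons = []
        if is_ip(target):
            reasons.append("link points at a raw IP address instead of a domain")
        if "xn--" in target or not target.isascii():
            reasons.append("internationalized (punycode) hostname, possible look-alike domain")
        if _LOOKS_LIKE_URL.match(text):
            shown = host_of(text)
            if shown and base_domain(shown) != base_domain(target):
                reasons.append(f"text shows {shown} but link goes to {target}")
                if base_domain(shown) in target:
                    reasons.append("trusted name used as a subdomain of a different domain")
        if urlsplit(href).scheme.lower() == "http":
            reasons.append("plain http, not https")
        findings.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed phishing-style message body; hosts other than www.cnn.com are made up
SAMPLE_EMAIL_HTML = """
<p>Breaking: <a href="https://www.cnn.com/">www.CNN.com</a></p>
<p>Your account is locked. Verify now:
   <a href="http://cnn.com.account-verify.example/login">www.cnn.com</a></p>
<p><a href="http://203.0.113.10/update">Download security update</a></p>
<p>Questions? <a href="mailto:help@example.com">help@example.com</a></p>
<p><a href="https://www.xn--cnn-lookalike.example/">Click here</a></p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['text']!r} -> {f['href']}", *f["reasons"], sep="\n    ")
```

The first link is what a legitimate message looks like: the shown text and the real host share a base domain. The second is the classic trick the hover check catches, a familiar name placed in front of an attacker-controlled domain. The human version of this check is the same comparison: read the hostname from the right-hand end, not the left.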

SMSishing

What we call texting is actually the Short Message Service [SMS], so a phishing text instead of a phishing email is called SMSishing [more commonly, smishing].

Simple mitigation steps are:

• Do not reply, text back, or call the number; any response confirms that your number is live
• Do not tap the link; if the message claims to be from your bank or a delivery service, go to that service directly through its app or by typing its address
• Add the sending number to your blocked callers list [see instructions below] and report the message as junk; in the US and UK you can also forward spam texts to 7726 (SPAM)
• An encrypted messaging app such as Signal protects the content of your conversations, but it does not stop a stranger from texting your phone number

To block a text on your iPhone:

• Open the text & tap the arrow next to the contact number that’s found at the top of the screen.
• Tap the “Info” button then scroll down and tap “Block this Caller.”

To block a text on your Android [exact steps vary by phone and messaging app]:

• Open the text & tap the three-dot menu in the upper right of the screen.
• Tap “Details” then tap on “Block Contact.”

PHYSICAL SOCIAL ENGINEERING

• Tailgating
• Shoulder Surfing
• Impersonation

Be aware of your Operations Security [OpSec] and your surroundings:

• when using a keyfob or badge to enter a location, make sure no one slips in behind you on your credential
• that no one is behind you or can view your computer screen
• that someone is who they say they are; a uniform or badge is easy to buy, so verify through reception or the person’s stated employer if anything seems off

There are many more forms of Social Engineering. Attackers gather what they need from free, public resources, a practice called Open Source Intelligence [OSINT]: social media [Social Media Intelligence, SOCMINT], public records, and personal and business websites. What they learn is then used to gain someone’s trust.

There are hundreds of free online resources for OSINT Reconnaissance [Recon] that can hand an attacker the tools and information needed to gain unauthorized access to locations, accounts, and data.

These resources can give an attacker everything needed to talk their way into access that appears legitimate, or point them toward other resources that will. The main preventative tool is common sense: be aware of your surroundings, think about what information you post, and verify the legitimacy of emails and phone calls before giving out any personal information.
