security awareness

For Spanish | Para Español

This is a living document that will be updated as often as possible.

Goal: To Provide Information Security [InfoSec] and Cyber Security [CyberSec] fundamental awareness training and ethical development.

Security Awareness consists of technical and procedural guidelines that end users possess in regards to informational, electronic, and physical safety protocols when it comes to data and assets.

Attackers take various paths to ensure that at least one of them leads to your data, so they will attempt to access information via any hardware and software, using OSINT recon and social engineering techniques.

Everyone should be aware of the following guidelines.

HARDWARE

Wi-Fi Router:

  • Change your Network name [SSID]
  • Do not Broadcast your SSID
  • Change your router’s password
  • Do not auto-connect to just any public Wi-Fi
  • Always use a VPN when connecting to public Wi-Fi

Personal Devices:

  • Do not personalize device names –
    • “Jerry’s iPhone”
    • “Sally’s Macbook”
  • Shut off tracking and tagging services on mobile devices –
    • Location Services
    • Geo Tagging
    • EXIF Data
  • Always lock your personal device when unattended –
    • so the screen and/or device is not viewable or exposing data
    • so that the device is not accessible

SOFTWARE

Web Browsers:

A web browser is an application generally used to view text, images, and videos via a GUI [Graphical User Interface] or what is better known as a ‘website’. Some of the more known browsers are Google Chrome, Microsoft Edge, and Mozilla Firefox.

  • Always make sure any browser you use is updated regularly
  • IF you’re going to install plugins make sure they’re from a trusted vendor
  • Using “incognito mode” only stops the browser from saving browsing history, cookies, site data, or information entered into forms on that local machine
  • Try to use safer browsers like TOR, Brave, Firefox, or un-googled Chromium
  • Always use a VPN when connecting to public websites

Search Engines:

A search engine is an algorithm tool used to query databases for specific categorized and indexed information gathered from web portals. Some of the more popular search engines are Google, Bing, and DuckDuckGo.

  • A search engine has 3 functions:
    • Crawl: read through entire pages of content for each URL
    • Index: categorize all the content found while Crawling
    • Rank: display the most relative content that best answers a query

Virtual Private Network:

Simply having a Virtual Private Network [VPN] does not mean you are private or secure. You must ensure that the VPN you choose has the following –

  • Secure zero-logs policy
  • Strong or military-grade encryption protocols
  • Kill-switch technology
  • Leak protection
  • Simultaneous connections

PASSWORD MANAGEMENT

Password Management is simply a set of principles using best practices to efficiently create and manage passwords to prevent unauthorized access.

STRENGTH

The recommendations for creating a strong password are to include:

  • Lower Case Characters
  • Upper Case Characters
  • Contains Numbers
  • Contains a Special Character
  • 12 Characters or Longer

COMPLEXITY

To further strengthen a password LEETING is recommended. When you Leet a word, you exchange letters for symbols and/or numbers. For example the word “Password” would become “P@$$w0rd” by exchanging the ‘a’ with ‘@’, the ‘s’ with a ‘$’, the ‘o’ with the number ‘0’, et cetera.

PASSPHRASE

So having a long, strong, leeted password is recommended but who can remember a password like ‘m-8HP{E3<.&+J8qS,,T4aJUD'? Using a passphrase instead would meet all the requirements for strength and complexity, but would also be much easier to remember.

‘Garfield99″ is not a secure password at all even if you leet it to ‘G@rf!3ld99’ so using a passphrase such as ‘MyFatCatisOrange!’ would be great. Leeting that to ‘MyF@tC@t!$0r@ng3!’ makes it very secure and extremely easy to remember.

TRY A PASSWORD STRENGTH TESTER:
Password Meter
Password Monster
Password Strength Tester

TIPS

  • Do not use any personal information that can be directly linked to you such as:
    • Family members and/or pet names
    • School and/or Work names
    • Important dates such as birthdays & anniversaries
    • Addresses or location information
  • Try to use a more memorable passphrase instead of a password
  • Try not to use the same passphrase for multiple accounts

You can store passwords using applications such as LastPass, KeePass, or a hardware authentication device like Yubikey.

PERSONALLY IDENTIFIABLE INFORMATION [PII]

PII can be categorized and/or defined as ANY information that allows someone’s identity to be inferred, discovered, or exposed.

Social Security NumberDriver's License
Credit Card NumbersBirth Certificate
Personal and Business Email AddressesPassport ID Numbers
Education HistoryWork History
Job Position & TitleMedical Information
Criminal RecordsCredit Score Records
Mother's Maiden NameFamily/Genetic History
Alien Registration NumberDate of Birth
Ethnicity & RaceSexual Orientation
Home AddressGender Information/Pronouns

Some PII can be used to find other PII to identify individuals. Sensitive and non-sensitive data can be analyzed and an identity can be deduced if enough information is compiled.

This is the type of information attackers strive to access.

SOCIAL ENGINEERING

Basically, it’s a non-technical way of manipulating people into strategically doing specific things and/or disclosing confidential information. Hopefully without the realization that they have, in order to gain legitimate & authorized access to people, places, and/or data.

Types of Social Engineering:

Phishing Shoulder Surfing PreTexting
Tailgating Water Holing Dumpster Diving

These can be categorized as two types:

  • Cyber Social Engineering
    • Emails:
      • Phishing Emails [SMSishing, Whaling]
      • Spam & Baiting Emails
      • Business Email Compromise [BEC]

Email Security:

Emails are used to spread malware [such as adware, spyware, ransomware] via spam and phishing campaigns.

  • Enable the Preview Pane to view email content
  • Do not Click to open an email, simply view in Preview Pane
  • Ensure you know the sender of the email
  • Mouse over any links to view where it would actually take you before clicking –
    • Example: www.CNN.com [<- mouse over the link without clicking]
  • If sender is unknown and/or links seems suspicious, delete the email

SMSishing

What we call texting is actually called a Short Message Service or SMS so someone sending a phishing text instead of a phishing email is called SMSishing.

Simple mitigation steps are:

  • Do not reply, text back, or call the number
  • Add the sending number to your blocked callers list [see instructions below]
  • Download an encrypted messaging app like Signal.org instead of your phone’s basic messaging service

To block a text on your iPhone:

  • Open the text & tap the arrow next to the contact number that’s found at the top of the screen.
  • Tap the “Info” button then scroll down and tap “Block this Caller.”

To block a text on your Android:

  • Open the text & tap the three-dot menu in the upper right of the screen.
  • Tap “Details” then tap on “Block Contact.”
  • Physical Social Engineering
    • Tailgating
    • Shoulder Surfing
    • Impersonation

Be aware of your Operations Security [OpSec] and your surroundings:

  • when using a keyfob or badge when entering locations
  • that no one is behind you or can view your computer screens
  • that someone is who they say they are via their identification/uniform

There are many many more ways of Social Engineering. Attackers will use free resources to gain knowledge called Open Source Intelligence [OSINT], such as social media to access Social Media Intelligence [SOCMINT], gain someone’s trust, as well as public and business websites.

There are hundreds of free online resources that can be used for OSINT Reconnaissance [Recon] to provide an attacker with all the tools and information needed to gain unauthorized access to locations, accounts, and data.

These resources can provide an attacker with all the information needed to gain legitimate access to, or to point them in the right direction, to other resources. The main preventative tool would be Common Sense. Be aware of your surroundings, awareness to the information you may be posting, and review the legitimacy of emails and phone calls before giving out any personal information.

[You can also read and learn about Social Engineering under Attacks and Glossary.]