Personal Cybersecurity Assessment
A stranger asks to be your friend on a social network. What do you do?
Your social media profile is a treasure chest for cybercriminals – and they’re frequently exploiting the sites to learn valuable information about people: where you live; where you work; your favorite sports team; maybe even your mother’s maiden name. Don’t be lulled into a false sense of security if you see you have friends in common. Smart hackers are banking that you’re more likely to trust a friend request if you think you have friends in common, so they’re getting more persistent about finding a way into your social network.
Do you use two-factor authentication to log in to your email account?
Cybersecurity experts have been saying this for years: Usernames and passwords are not enough. Two-factor authentication may be a slight inconvenience – it requires the traditional password plus an additional element you have on your person, such as a short code texted to your phone or your fingerprint. Enabling two-factor authentication on all your email accounts is a simple step you can take to keep hackers out of your email. As the government and large businesses have mandated tighter email security, they’re seeing more intruders finding a way in by exploiting vulnerabilities in employees’ personal accounts, which may be less secure.
How often do you reuse the same or similar passwords?
Experts say you’re safest if you create unique passwords for every account you create. Even social networks offer valuable information about you and your acquaintances that hackers can use to gain access to more sensitive details. At a minimum, experts say, you should use unique passwords for sites that store banking information, credit card numbers, Social Security numbers and other sensitive information.
Mary Smith, a newly hired federal employee, is setting up her email account. Select the most secure password she should choose from the options below. Remember, this is a password you should be able to easily recall.
Experts say strong passwords should contain a combination of letters, numbers and symbols, if possible, and not resemble any words found in dictionaries. Why? Because hackers actually use electronic dictionaries to try to crack passwords. Passwords definitely shouldn’t contain personal information like your last name, nicknames or birthday (Answer A). Answer C is better, but hackers are getting more sophisticated and now know to substitute common letter-number combinations, so a clever substitute may not be enough. Experts say you’re better off taking a long phrase you can remember and then substituting numbers and letters, as in Answer D. The long phrase in that example is actually the first letter of each of the words in the opening line of Abraham Lincoln’s Gettysburg Address (“Four score and seven years ago…”) with some letter and symbol substitutions. (Experts recommend picking a phrase unique to you.)
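The following is an added illustration, not part of the original quiz: a small policy checker that undoes the common letter-number substitutions the text says attackers already account for, compares the result against a dictionary, rejects personal information, and builds the first-letter acronym the text describes. The word list, substitution table and sample passwords are constructed for the example.

```python
import re

# Constructed stand-in for the electronic dictionaries the text mentions;
# a real checker would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "federal"}

# Substitutions that cracking tools already try in reverse (constructed table).
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                 "@": "a", "$": "s"}


def normalize(password: str) -> str:
    """Lower-case and undo substitutions, so 'P@55w0rd' compares as 'password'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def dictionary_hit(password: str) -> bool:
    """True if the core of the password is a dictionary word once substitutions
    and trailing digits/symbols (e.g. '2024', '!') are stripped away."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return normalize(core) in DICTIONARY


def has_personal_info(password: str, personal) -> bool:
    """True if any known personal detail (name, birth year...) appears in the password."""
    raw, norm = password.lower(), normalize(password)
    return any(len(p) >= 3 and (p.lower() in raw or p.lower() in norm) for p in personal)


def passphrase_acronym(phrase: str) -> str:
    """First letter of each word, the construction the text describes for Answer D."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z]+", phrase))


def assess(password: str, personal=()) -> str:
    """Return a verdict in the order the text ranks the answers: personal info,
    then dictionary word (with or without substitutions), then length/mix."""
    if has_personal_info(password, personal):
        return "weak: contains personal information"
    if dictionary_hit(password):
        return "weak: dictionary word (substitutions do not help)"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(password) < 12 or classes < 3:
        return "fair: lengthen it or mix letters, numbers and symbols"
    return "strong"
```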
Do you lock your computer when you step away from your desk?
It’s always a good practice to lock your computer so no one can access your files or other information. It only takes seconds for someone to change your screensaver – or do something much more serious. And locking your computer is easy: On Windows machines, the command is the Windows Key + L. If you have a Mac, simultaneously press Control + Shift + Eject to lock your screen. For newer Macs without an eject key, press Control + Shift + Power.
Where do you store your passwords?
Sometimes, cybersecurity is about physical security. “Write down your passwords and store them in a secure place away from your computer if necessary,” the Homeland Security Department recommends. “For example, passwords locked in your desk drawer are secure, but passwords on a sticky note stuck to the monitor are not.” For convenience, you can also download and use a free password manager.
You receive an email that appears to come from your organization’s help desk asking for your password or other personal information to reset your account. If you don’t respond to the email within an hour, the email says, you’ll be locked out of your account. What would you do?
It pays to be skeptical. Most IT organizations would never ask for your password or personal information in an email. Even if the email address looks legitimate, be aware it could be spoofed by hackers. Be on the lookout for grammar and spelling mistakes, too-good-to-be-true offers or an urgent or threatening tone. Those are often dead giveaways for phishing emails. If you receive a suspicious email, it’s best to contact your IT office right away.
When using a website that collects personal or payment information, there’s an easy way to tell if information you submit is sent via a secure connection. What is it?
Look for https at the beginning of the Web address. That ensures the site you’re visiting hasn’t been spoofed by hackers and the information you submit via the site won’t be intercepted in what’s known as a man-in-the-middle attack. For most legitimate websites, the use of https is now standard, although it never hurts to double-check. Most browsers also display a padlock icon in the address bar to let you know the site uses https. The government has made a big push to use https across all of its websites by the end of this year.
When do you use PGP?
PGP (Pretty Good Privacy) is a widely accepted encryption tool that shields email from interception by hackers, including criminals, ex-spouses, and spies from countries with authoritarian governments. "Encryption should be enabled for everything," cryptologist Bruce Schneier says. People who only encrypt medical data signal to hackers that their email is valuable. Windows is not considered a safe environment to store the private key used to decrypt encrypted email. Experts suggest if you must use a Windows machine, store your keys on a separate safe device, such as a thumb drive.
After opening a Web browser you have never used before, what is the first thing you do?
Browsers are periodically updated to fix software bugs. The faster you update, the better your chances of fixing the vulnerabilities before hackers take advantage of them. Clearing your history, or "browsing data," removes stored passwords and other personal data from websites you have visited in the past. Disabling Flash, known for being a common vector for malware, improves your overall security. Clicking on a link without doing the above things first is asking for trouble.
You receive a call from a phone number you recognize as coming from within the building. The individual on the other end of the line identifies herself as a technical support employee from your department. She says there is a security problem with your system that she needs to address by remotely logging in. What do you do?
Divulging your password to someone over the phone who you have never met could make you a victim of social engineering, the deception of someone to obtain sensitive information. If your credential falls into the wrong hands, a hacker could compromise your machine or your department’s network. It's possible your colleagues are or will be experiencing similar fraud. Hackers sometimes target multiple people in an organization until they get the secrets they are after. Best to tip off your IT security folks to the call.
When connecting to public Wi-Fi in a hotel, airport or other shared space, what do you do?
On a public network, anyone, including snoops and thieves, can be connected. It’s easy for busybodies to capture the communications you send. Password-restricted Wi-Fi can reduce the number of people on the network, but the same kinds of attacks would still occur in the same way. The good news is that just because bad guys can easily intercept data, it doesn't necessarily mean they can make sense of it. Facebook and many e-commerce websites use secure webpages that scramble the data you enter. Look for a padlock icon displayed next to the webpage address to be sure. That said, if the hotspot has been manipulated by a hacker, he or she could perform a "man-in-the-middle" attack and send you to a site that looks just like Facebook, but is malicious. When you type your username and password, it could go directly to the attacker. Or the phony page could contain malware that infects your device invisibly.