Personal Cybersecurity Assessment

SORRY! SOMETHING WENT WRONG ON OUR SIDE.

PLEASE TRY AGAIN LATER.

It looks like you don’t have JavaScript enabled, but this page requires JavaScript to work properly. Please enable JavaScript or try a different browser in order to proceed.

Email *

Full Name *

Employer *

Agency/Department *

Job Function *

Phone Number *

State *

Subscribe to Nextgov Today

Please save my information for future visits

Important Notice

Any information you supply is subject to our privacy policy. Access to this content is available to registered members at no cost. In order to provide you with this free service, the Government Executive Media Group may share member registration information with underwriters and partners.

[PAGE 1 OF 4]

All questions must be answered before you can continue.

A stranger asks to be your friend on a social network. What do you do?

Go ahead and accept the request. That’s the point of social networking.

Check to see if we have any friends in common. If so, I accept the request.

Do some online research about the person and then decide.

Ignore the request. Unless we’ve met in person, I don’t accept friend requests.

Your social media profile is a treasure chest for cybercriminals – and they’re frequently exploiting the sites to learn valuable information about people: where you live; where you work; your favorite sports team; maybe even your mother’s maiden name. Don’t be lulled into a false sense of security if you see you have friends in common. Smart hackers are banking that you’re more likely to trust a friend request if you think you have friends in common, so they’re getting more persistent about finding a way into your social network.

Do you use two-factor authentication to log in to your email account?

Yes. I have two-factor enabled on every email account I use.

I have two-factor authentication enabled on most of the email accounts I use. For example, I am required to use two-factor on my work email but don’t have it enabled on my personal email.

Two-factor is too inconvenient for me to use.

What’s two-factor authentication?

Cybersecurity experts have been saying this for years: Usernames and passwords are not enough. Two-factor authentication may be a slight inconvenience – it requires the traditional password as an additional element you have on your person, such as a short code texted to your phone or your fingerprint. Enabling two-factor authentication on all your email accounts is a simple step you can take to keep hackers out of your email. As the government and large businesses have mandated tighter email security, they’re seeing more intruders finding a way in by exploiting vulnerabilities in employees’ personal accounts, which may be less secure.

How often do you reuse the same or similar passwords?

Never. I always use unique passwords for each site.

Rarely. For sites that store personal information, like my online bank account, I use unique passwords. But for social media, and other “less important” sites, I reuse the same ones.

Sometimes. I have a handful of passwords that I occasionally reuse across multiple sites, regardless of how important the website.

Always. For important websites, I reuse the same password, so I never get locked out of my account.

Experts say you’re safest if you create unique passwords for every account your create. Even social networks offer valuable information about you and your acquaintances that hackers can use to gain access to more sensitive details. At a minimum, experts say, you should use unique passwords for sites that store banking information, credit card numbers, Social Security numbers and other sensitive information.

[PAGE 2 OF 4]

All questions must be answered before you can continue.

Mary Smith, a newly hired federal employee, is setting up her email account. Select the most secure password she should choose from the options below. Remember, this is a password you should be able to easily recall.

Smith1975

password123

Strawb33ryFieldsForever

4s&7yaoFbf0tcanN

Experts say strong passwords should contain a combination of letters, numbers and symbols, if possible, and not resemble any words found in dictionaries. Why? Because hackers actually use electronic dictionaries to try to crack passwords. Passwords definitely shouldn’t contain personal information like your last name, nicknames or birthday (Answer A). Answer C is better, but hackers are getting more sophisticated and now know to substitute common letter-number combinations, so a clever substitute may not be enough. Experts say you’re better off taking a long phrase you can remember and then substituting numbers and letters, as in Answer D. The long phrase in that example is actually the first letter of each of the words in the opening line of Abraham Lincoln’s Gettysburg Address “Four score and seven years ago…”) with some letter and symbol substitutions. (Experts recommend picking a phrase unique to you.)

Do you lock your computer when you step away from your desk?

Yes, always.

Sometimes, when I remember.

Only if I’m working on something sensitive.

No, never. I trust my coworkers.

It’s always a good practice to lock your computer so no one can access your files or other information. It only takes seconds for someone to change your screensaver – or do something much more serious. And locking your computer is easy: On Windows machines, the command is the Windows Key + L. If you have a Mac, simultaneously press Control + Shift + Eject to lock your screen. For newer Macs without an eject key, press Control + Shift + Power.

Where do you store your passwords?

On a sticky note attached to my computer monitor.

On a piece of paper in a locked drawer in my file cabinet.

In my memory.

I store my passwords in a secure password-storage application. No pencil required.

Sometimes, cybersecurity is about physical security. “Write down your passwords and store them in a secure place away from your computer if necessary,” the Homeland Security Department recommends. “For example, passwords locked in your desk drawer are secure, but passwords on a sticky note stuck to the monitor are not.” For convenience, you can also download and use a free password manager.

[PAGE 3 OF 4]

All questions must be answered before you can continue.

You receive an email that appears to come from your organization’s help desk asking for your password or other personal information to reset your account. If you don’t respond to the email within an hour, the email says, you’ll be locked out of your account. What would you do?

If the email looks legitimate, I would provide the information.

I would ask a co-worker. If they also received a similar message, then I would conclude it must be legitimate.

I would reply to the email, asking for more information, and wait to contact the help desk until I heard back.

I would call the help desk or my IT office – or stop by in person – to alert them to the email.

It pays to be skeptical. Most IT organizations would never ask for your password or personal information in an email. Even if the email address looks legitimate, be aware it could be spoofed by hackers. Be on the lookout for grammar and spelling mistakes, too-good-to-be-true offers or an urgent or threatening tone. Those are often dead giveaways for phishing emails. If you receive a suspicious email, it’s best to contact your IT office right away.

When using a website that collects personal or payment information, there’s an easy way to tell if information you submit is sent via a secure connection. What is it?

Instead of http:// the Web address begins with https://

The Web address ends in .com, .gov, .edu or .mil. Those sites are secure.

The Web address ends with “/secure.” For example, www.nextgov.com/secure.

There is no way to tell.

Look for https at the beginning of the Web address. That ensures the site you’re visiting hasn’t been spoofed by hackers and the information you submit via the site won’t be intercepted in what’s known as a man-in-middle hack. For most legitimate websites, the use of https is now standard, although it never hurts to double-check. Most browsers also include a padlock icon in the address to let you know the site uses https. The government has made a big push to use https across all of its websites by the end of this year.

When do you use PGP?

When I am writing emails to family members.

When I am sharing health records with my doctor.

When I am on a Windows PC.

What is PGP?

PGP (Pretty Good Privacy) is a widely accepted encryption tool that shields email from interception by hackers, including criminals, ex-spouses, and spies from countries with authoritarian governments. "Encryption should be enabled for everything," cryptologist Bruce Schneier says. People who only encrypt medical data signal to hackers that their email is valuable. Windows is not considered a safe environment to store the private key code used for unlocking encrypted email. Experts suggest if you must use a Windows machine, store your keys on a separate safe device, such as a thumb drive.

[PAGE 4 OF 4]

All questions must be answered before you can continue.

After opening a Web browser you have never used before, what is the first thing you do?

Ensure the browser is the newest version available.

Clear the browsing history and schedule the browser to delete website data frequently.

Disable the Adobe Flash feature.

Make sure the browser is authentic by clicking the logo on the browser’s home screen.

Browsers are periodically updated to fix software bugs. The faster you update, the better your chances of fixing the vulnerabilities before hackers take advantage of them. Cleaning your history, or "browsing data," clears your browser of passwords and other personal data on websites you have visited in the past. Disabling Flash, known for being a common trajectory for malware, improves your overall security. Clicking on a link without doing the above things first is asking for trouble.

You receive a call from a phone number you recognize as coming from within the building. The individual on the other end of the line identifies herself as a technical support employee from your department. She says there is a security problem with your system that she needs to address by remotely logging in. What do you do?

Provide her with your credentials to troubleshoot the problem.

Ask her to come to your floor to fix the issue or offer to bring the device to her office.

Hang up the phone.

Visit your office's IT staff in person to report the incident.

Divulging your password to someone over the phone who you have never met could make you a victim of social engineering, the deception of someone to obtain sensitive information. If your credential falls into the wrong hands, a hacker could compromise your machine or your department’s network. It's possible your colleagues are or will be experiencing similar fraud. Hackers sometimes target multiple people in an organization until they get the secrets they are after. Best to tip off your IT security folks to the call.

When connecting to public Wi-Fi in a hotel, airport or other shared space, what do you do?

I often log into Facebook and other social networks.

I email with colleagues while on business travel.

I make sure the connection requires a password from the building.

I do not use public Wi-Fi.

On a public network, anyone, including snoops and thieves, can be connected. It’s easy for busybodies to capture the communications you send. Password-restricted Wi-Fi can reduce the number of people on the network, but the same kinds of attacks would still occur in the same way. The good news is that just because bad guys can easily intercept data, it doesn't necessarily mean they can make sense of it. Facebook and many e-commerce websites use secure webpages that scramble the data you enter. Look for a padlock icon displayed next to the webpage address to be sure. That said, if the hotspot has been manipulated by a hacker, he or she could perform a "man-in-the-middle" attack and send you to a site that looks just like Facebook, but is malicious. When you type your username and password, it could go directly to the attacker. Or the phony page could contain malware that infects your device invisibly.