Test Your Cybersecurity Knowledge

How well do you know your cybersecurity?

 

Did you know that January 4th was National Trivia Day? We may have missed the actual day, but we thought we could still celebrate it by challenging our readers to a handful of cybersecurity trivia questions. Try your best to answer the six questions before you take a peek at the answers that follow.

    1.      What is the most common type of malware attachment?

    a)      .pdf

    b)     .doc/.dot

    c)      .xls

    d)     .exe

    e)     none of the above

    2.      Which of these strategies represents a good defence against ransomware?

    a)      employee security training

    b)     regular backups and patching

    c)      a supply of bitcoins for ransom payments

    d)     a) and b)

    e)     all of the above

    3.      Which of the following passwords is the most secure?

    a)      Asdfghjkl

    b)     CyberSecurity

    c)      SyberCecurity!

    d)     PaSsW0rd

    e)     W#t3@

    4.      On average, how long after a cybersecurity breach will you realize you’ve been hacked?

    a)      24 hours

    b)     21 days

    c)      365 days

    d)     206 days

    5.      How can you tell if a site is encrypting your data when you are communicating with it?

    a)      with modern browsers and websites, all communications are encrypted these days

    b)     a closed padlock icon will appear near the website’s URL in the browser

    c)      the letters “https” will appear in front of the website’s URL

    d)     b) and c)

    e)     all of the above

    6.      How often should staff be trained on best practices for cybersecurity?

    a)      in response to a cyber breach

    b)     once upon being hired, then whenever they change jobs or get a promotion

    c)      never, since staff likely use technology at home, they should be responsible enough already

    d)     at least once a year

     

    How did you do?

    1.      What is the most common type of malware attachment?

    a) and b)

    According to Symantec’s 2019 Internet Security Threat Report, at 37%, Word documents and templates are still the most common delivery method for malware in an email attachment. With macros and other scripts easily embedded in word processing documents, unsuspecting users can open and launch malware without realizing it. Never open a Word document in an email attachment unless it’s from someone whom you know – and you were expecting to receive it. When sharing information externally, it’s safer to use PDF format if possible, as it dramatically reduces the potential to deliver malware, and protects you from unwittingly revealing information in the form of metadata potentially hiding in documents that aren’t “locked down”.

    2.      Which of these strategies represents a good defence against ransomware?

    a) and b)

    Employee awareness, with staff on the lookout for ransomware attacks via phishing or malware delivery, is an important part of a good defence against attack. Ensuring that systems have the latest security patches is also essential to help close any known vulnerabilities that could be exploited. While it’s not technically a “defence”, ensuring that you have regular (and tested!) backups is important as a response in the event that your data is encrypted and held for ransom. Paying a ransom to a cyber attacker is discouraged – there’s no guarantee your data will be released, or if it is, that the bad guys won’t strike again right afterwards.

    3.      Which of the following passwords is the most secure?

    c)      SyberCecurity!

    c) is the most secure. While it is very similar to option b) CyberSecurity, since it doesn’t have any dictionary words in it, it’s a lot more difficult to crack. At 14 characters, with mixed case and a special character, this password is considered very strong. Option a) looks complex, but you’ll likely recognize it as the second row of characters on a standard keyboard. Hacking tools look for this and other common patterns, and would be able to penetrate your system in seconds. If you guessed option e) because of those special characters, you were on the right track – however, such a short password would provide inadequate defence for your credentials. Passwords should be at least 12-14 characters in length: typically, the longer the better.

     

    4.      On average, how long after a cybersecurity breach will you realize you’ve been hacked?

    d)     206 days

    According to the Ponemon/IBM 2019 Cost of a Data Breach report, it takes an average of 206 days for a company to discover that it has suffered a cyber breach (and an average of 73 additional days to remediate the breach) – a shockingly long time. You can imagine how much sensitive data or financial resources could be harvested over the course of nine months or so. Constant diligence and monitoring are essential to help prevent breaches, and accelerate identification, eradication, and remediation in the event of a successful cyber attack. ISA is here to help – contact us anytime to see how we can assist in securing your digital assets.

     

    5.      How can you tell if a site is encrypting your data when you are communicating with it?

    b) and c)

    The padlock indicates that encryption is protecting the communication between your browser and the website you’re visiting. The “https” in the web address (in contrast to a plain “http”) is also a signal – that extra “s” stands for “secure”. Always make sure to look for these indications that a website is secure, particularly when sharing sensitive personal or financial information on the Internet. Not all websites are secure – while it’s a best practice for companies to provide security for their customers, it’s by no means a given.

    6.      How often should staff be trained on best practices for cybersecurity?

    d)     at least once a year

    Staff should receive formal, documented security training at least once a year – in fact, if your company handles credit card data for customers, it’s mandatory for PCI (payment card industry) compliance. That said, it’s better practice to provide training – and testing of that training – more frequently over the course of a year. This will help your team develop a culture of security awareness that will help defend your company, and will also serve as a value-add to your staff in keeping themselves secure at home. Answers a) and b) in the question do have their merits: in the event of a breach, it’s valuable to provide “lessons learned” training to staff. And staff who are changing roles within a company may require additional security awareness training if they are handling new or more sensitive data.
