Cyber Awareness Challenge

DoD annual cybersecurity training covering phishing, social engineering, data protection, and more

122 questions and answers — updated 2025/2026

01

You receive an email asking you to click a link within two days to verify your account and keep it active. Your IT department has never sent emails like this, and the email does not have a digital signature. What action should you take?

02

What is spear phishing?

03

What is whaling?

04

What is smishing?

05

What is vishing?

06

Which of the following is a best practice to protect against phishing? (A) Click links in emails to verify if they are real (B) Type the web address directly or use bookmarks instead of clicking links in emails (C) Reply to the sender to ask if it is legitimate (D) Forward the email to coworkers for their opinion

07

How can you protect against phishing emails requesting personal information?

08

You receive a suspicious email that uses your name and appears to come from inside your organization. What type of attack is this likely to be?

09

Trisha receives an email containing a dramatic rumor about a celebrity. Which action should Trisha AVOID taking with this email?

10

What should you assume about all unsolicited information requests you receive via email?

11

What are compressed URLs (such as TinyURLs) and why should you exercise caution with them?

12

An unknown caller contacts your office and asks for names from a personnel directory. What should you do?

13

What methods do social engineers use to obtain information?

14

To protect against social engineering, what should you do if an unverified person contacts you requesting information?

15

Sara, a government expert, receives an email from a foreign national who praises her work and asks to connect to learn more about her field. What must Sara do?

16

How do adversaries exploit social media to target DoD personnel?

17

What should you do to protect against social engineering during phone calls?

18

You receive a text message from a commercial shipping company claiming they need an updated address to deliver a package, with a link provided. What should you do?

19

What are the three classification levels for national security information?

20

What three conditions must be met for an individual to access classified data?

21

How should classified data be stored when not in use?

22

What is spillage in the context of classified information?

23

Which of the following may help to prevent spillage? (A) Using classified networks for unclassified work (B) Labeling all files, removable media, and subject headers with appropriate classification markings (C) Removing equipment from classified networks for use on unclassified networks (D) Connecting unauthorized devices to any network

24

If spillage occurs, what should you do?

25

A user writes down details marked as Secret from a classified system and uses those details to draft a briefing on an unclassified system without authorization. What has occurred?

26

If you find classified government data on the internet that has not been cleared for public release, what should you do?

27

Why should you NOT use a classified network for unclassified work?

28

What is Controlled Unclassified Information (CUI)?

29

What type of sensitive information does a roster containing employee names and passport numbers represent?

30

What is Personally Identifiable Information (PII)?

31

What is the most commonly reported cause of PII breaches?

32

What is Protected Health Information (PHI)?

33

Paula is organizing data about healthcare provided to service members that includes PHI. What is the most secure way to handle this data?

34

Can PII be transmitted via personal email accounts?

35

Does the following social media post raise security concerns? (Post includes mother's maiden name, home address, and birthday.)

36

How should CUI be stored after working hours if no security is present or it is deemed inadequate?

37

What DoD instruction governs CUI handling?

38

When faxing CUI, what precautions must be taken?

39

What are best practices for physical security at a government facility?

40

What should you do after leaving your controlled area or office building regarding your security badge?

41

What is piggybacking (tailgating) and how should you respond to it?

42

An unfamiliar person without a visible badge is in your secure work area. What should you do?

43

You are working at your desk and hear an unusual sound near the office door. Before leaving your workstation to investigate, what critical security step must you perform?

44

Within a SCIF, where must badges be displayed?

45

What are the risks associated with removable media on government systems?

46

What is the primary security risk that removable storage devices pose to government computer systems?

47

Can personally owned USB drives or removable media be used on government systems?

48

What must users ensure when using removable media such as a CD in a SCIF?

49

What is the best practice for labeling removable media?

50

You find an unattended USB drive in your office. What should you do?

51

Ed is authorized to work in a SCIF today. Which personal electronic items is he forbidden from bringing inside?

52

Which peripherals are you allowed to connect to Government Furnished Equipment (GFE)?

53

What two types of credentials does two-factor authentication combine?

54

Which of the following examples uses two different types of authentication factors? (A) Password and PIN (B) Two different passwords (C) Password and fingerprint (D) PIN and security question

55

What certificates does the Common Access Card (CAC)/PIV card contain?

56

How should you protect your CAC/PIV card?

57

When creating strong passwords, which practices should you follow?

58

At what level of network system are you authorized to use a SIPRNet PKI token?

59

When should you leave a DoD PKI token in a system?

60

What should you be aware of when using public Wi-Fi with a mobile device?

61

What precaution should you take when connecting a laptop to a hotel internet connection?

62

What should you assume about electronic transmissions when traveling overseas with mobile devices?

63

What is a best practice for protecting your home wireless network for telework?

64

Are DoD employees allowed to use their CAC in card-reader-enabled public devices?

65

What should you do before using a mobile device in public?

66

What is malicious code and what forms can it take?

67

Which of the following email habits helps protect against downloading viruses? (A) Open all attachments quickly (B) View email in Preview Pane (C) Look for a digital signature on emails (D) Forward suspicious emails to friends

68

What are indicators that your computer may be infected with malicious code?

69

How can you prevent the download of malicious code?

70

How should you handle email to prevent virus downloads?

71

What is Near Field Communication (NFC) and what are its security risks?

72

When you are issued a new Government mobile phone, what is the essential first step to secure it?

73

What should you do if your government mobile device is lost or stolen?

74

How can mobile device tracking be a security concern?

75

If you want to install an application on a Government-owned mobile device, what step must you take first?

76

Why is powering off a mobile device or putting it in airplane mode NOT sufficient in a classified environment?

77

What is an insider threat?

78

Which of the following is a potential insider threat indicator? (A) Taking approved vacation time (B) Untreated alcohol use disorder (C) Volunteering for extra projects (D) Arriving early to work

79

What is the specific way that an insider threat causes damage?

80

What is the primary method that Insider Threat Programs use to defend the organization?

81

John frequently appears hungover at work, handles classified information carelessly, and brings a cell phone into restricted classified areas. How many insider threat indicators is John exhibiting?

82

What behaviors should you report as potential insider threat indicators?

83

In a study of known U.S. spies, what percentage demonstrated behaviors of security concern?

84

If SCI is exposed or compromised, what action must you take immediately?

85

What is Sensitive Compartmented Information (SCI)?

86

Which statement is correct regarding SCI handling? (A) SCI can be discussed on unencrypted phones (B) SCI may be printed using an authorized printer when retrieved promptly (C) SCI can be taken home for review (D) SCI can be stored in any locked cabinet

87

Who has overarching authority concerning SCI policy?

88

What is a Security Classification Guide (SCG)?

89

Devon receives an email on her unclassified computer with an unmarked attachment she recognizes as containing classified information. What is the first thing she must do?

90

What should you do to report a cybersecurity incident?

91

If an incident occurs in a SCIF, what steps must be taken?

92

If you find classified data on the internet, what identifying information should you note?

93

Who should you report cultivation contacts by foreign nationals to?

94

What are Cyberspace Protection Conditions (CPCON)?

95

What is the Unclassified designation?

96

Can CUI be marked on any information?

97

What encryption is required when emailing PII or other CUI?

98

Oliver searched for a jacket on his phone and later saw ads for that same jacket on his laptop. Why?

99

How should you protect your identity online?

100

What is a cookie and why can it pose a security threat?

101

What should you avoid posting on social networking sites?

102

Is the social networking app TikTok allowed on government devices?

103

What should you do when posting pictures in uniform or at work on social media?

104

What is the Bring Your Own Approved Device (BYOAD) program?

105

What are prohibited uses of Government Furnished Equipment (GFE)?

106

Why is peer-to-peer (P2P) software prohibited on government systems?

107

Are all DoD-owned devices subject to monitoring?

108

What are best practices for using government email?

109

What precaution should be taken regarding monitors displaying classified information?

110

What wireless technologies are prohibited in DoD classified spaces?

111

What types of personally-owned peripherals can be used in a collateral classified environment?

112

How should you handle unclassified laptops in a collateral classified environment?

113

When can classified information be discussed on a smartphone?

114

What steps should you take to avoid being misled by online disinformation?

115

What is online misconduct according to DoD policy?

116

If you post content to a social networking site and regret it, what can you do?

117

What IoT devices pose security risks while teleworking?

118

What is a best practice for securing a home computer used by multiple family members?

119

How should data on removable media be encrypted?

120

What should you do before downloading data from classified networks onto removable storage media?

121

How should classified removable media be destroyed?

122

What is the significance of digital signatures on DoD emails?
