Cyber Security Awareness: Student Guide
Course Overview
This is a scenario-based course in which you will learn about various
cyber attacks used to target cleared defense contractors. An overarching
scenario is threaded throughout the course to provide a context for more
detailed scenarios that are specific to each attack type.
Throughout the course, each scenario will end with a question to help you
assess your understanding of these attack types. Your responses will not
be judged in any way; in fact, all responses will provide an opportunity for
you to broaden your knowledge of the subject matter.
Course Introduction
Setting the stage
A multi-faceted cyber attack has resulted in three, large, “worst-case”
events affecting the general population, cleared defense contractors, and
the U.S. military.
Scenario
The Internet has changed the world immeasurably. It is woven into our
economy, our national security, and our lives. Nothing has ever changed
the world faster. But the advantages and capabilities that come with the
Internet come with a cost.
Your role
Who is attacking us and how are they doing it?
As you follow this examination of cyber attacks that resulted in the loss of
U.S. defense-related information and technology, you will learn about how
you may be targeted and some ways to help stop these attacks.
Along the way, you will meet people that both knowingly and unknowingly
played a part in these events. You will also meet three advisors who will
give you insight into how you can protect yourself and your organization.
You will also have access to examples of what hackers and other
adversaries gain from successful cyber attacks.
If you work for the DoD, you may have a Security Officer (SO) or other
security point of contact, such as a Security Specialist. If you work for a
defense contractor, your facility has a Facility Security Officer, or FSO.
Regardless of the title, these individuals are responsible for security at
their facilities and for ensuring that security regulations and policies are
followed.
Phishing
Timeline Introduction
Cyber attacks are the fastest-growing method of operation for our
adversaries. Taken individually, many of these attacks go largely
unnoticed. However, you never know which attack will be the one that
provides adversaries with the key piece of information they’re seeking –
the final piece that invites disaster in.
This course presents you with a timeline that outlines various cyber
attacks. Some of these attacks include case files that you will examine to
learn more about cyber attacks.
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
As it turns out, the email was not from the IT department. It wasn’t from
within the contractor’s facility at all. The email was sent by a foreign group
disguising or “spoofing” their identity, looking for a way into the
contractor’s network. By providing the requested information, the
employees have allowed the foreign group access to their system.
The foreign group is now able to move within the contractor’s network,
stealing proprietary information that allows them to build a competing
product. Over the next few years, the impact to the defense contractor is
millions of dollars in lost revenue. The national security implications of
having such technology in foreign hands are grave.
Take a look at what the adversary collected from the CDC’s network.
When you’re satisfied with your review of this file, you may move on to
the knowledge check and feedback.
Information obtained:
• Employee user names/passwords
• Access to CDC network
Scenario Question
To: Employees
From: IT Department
Dear employees,
If you received an email asking for personal information, how would you
respond? Select your response; then review the feedback that follows.
a. If the email is from within my organization, there’s no harm in
providing the information. I’d provide the requested information.
b. I’m not sure why my user name and password would be required. I’d
notify my security point of contact or help desk.
c. I don’t care who is requesting my password, I would never provide
it. I’d delete the e-mail.
Choices A and C are risky responses; you should not provide personal
information if you receive any suspicious e-mail. Your IT department will
need the email to track its origination, so you should also not delete it.
Instead, you should contact your security point of contact or help desk.
Take a moment to review indicators of phishing and when you are ready,
review Countermeasures to learn how to protect against phishing.
Technique
• A high-tech scam that uses e-mail to deceive you into disclosing personal
information
• Spear Phishing: a type of targeted phishing that appears to be from a
specific organization, such as your employer or bank
Indicators
The following are suspicious indicators related to phishing and spear phishing:
• Uses e-mail
• May include bad grammar, misspellings, and/or generic greetings
• May include maliciously-crafted attachments with varying file extension or
links to a malicious website
• May appear to be from a position of authority or legitimate company:
• Your employer
• Bank or credit card company
• Online payment provider
• Government organization
Spear phishing specifically:
• Has a high level of targeting sophistication and appears to come from an
associate, client, or acquaintance
• May be contextually relevant to your job
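The indicators above can be checked mechanically before a message ever reaches an inbox. The following script is an added example, not material from the student guide: it parses a constructed e-mail (the sender address, domain names and attachment name are all invented) and reports which of the listed indicators it triggers: a sender claiming an internal role from an outside domain (spoofing), a generic greeting, a request for a user name and password, and an attachment whose double extension hides an executable.

```python
"""Score a raw e-mail message against the phishing indicators listed above.

Added example, not part of the original student guide. The message below is
constructed for illustration; the indicator checks are triage heuristics a
mail gateway or help desk might apply, not a complete phishing filter.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: claims to come from the "IT Department", but the sending
# domain is external, the greeting is generic, the body asks for credentials,
# and the attachment's double extension hides an executable.
SAMPLE_EMAIL = b"""\
From: IT Department <helpdesk@example-mail.test>
To: employees@contractor.example
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear employee,

Our records show your mailbox is over quota. Reply with your user name
and password so we can re-enable it today.

Thanks,
IT Department
--b1
Content-Type: application/octet-stream; name="quota_report.pdf.exe"
Content-Disposition: attachment; filename="quota_report.pdf.exe"

MZ
--b1--
"""

GENERIC_GREETINGS = ("dear employee", "dear user", "dear customer", "dear sir/madam")
CREDENTIAL_WORDS = ("password", "user name", "username", "login")
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "js", "vbs", "hta"}


def phishing_indicators(raw: bytes, internal_domain: str) -> list:
    """Return the names of the indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    # Spoofed authority: the display name claims an internal role while the
    # actual address belongs to a domain other than the organization's.
    sender = msg["From"]
    if sender is not None and sender.addresses:
        if sender.addresses[0].domain.lower() != internal_domain.lower():
            found.append("external_sender_domain")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""

    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    if any(word in body for word in CREDENTIAL_WORDS):
        found.append("requests_credentials")

    # Attachments: flag executable extensions, including double extensions
    # such as "report.pdf.exe" that try to pass as documents.
    for part in msg.iter_attachments():
        pieces = (part.get_filename() or "").lower().split(".")
        if len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXTS:
            found.append("executable_attachment" if len(pieces) == 2
                         else "double_extension_attachment")
    return found


if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL, "contractor.example"))
```

A message that trips several indicators at once is a strong candidate for the help desk to inspect rather than for the recipient to answer; the raw message, headers included, is what the IT department needs to trace where it came from.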
Countermeasures
NOTE: If you suspect you may have been a target of phishing, report it to
your Facility Security Officer (FSO) or security point of contact.
Adversaries are anyone that seeks to do you and your organization harm
– they may include insiders from your own organization, hackers, cyber
criminals, terrorists, members of organized crime, or foreign intelligence
entities.
The short answer is that they target anything that may be of value. Their
targets aren’t limited to classified information. No piece of information is
too small; adversaries often obtain unclassified data and when they’re
able to collect enough of it, they can piece it together and learn things—
even classified things—that may do you, your organization, and our
country harm.
Review the table below to learn about the types of information and
technology adversaries may target.
The Threat
• Insiders
• Hackers
• Cyber Criminals
• Terrorists
• Organized Crime
• Foreign Intelligence Entities
The Target
• Sensitive company documents and proprietary information
• Export controlled/classified information and technology
• Information on DoD-funded contracts
• Sensitive technological specification documents
• Users’ login IDs and passwords
• Personal Identifying Information (SSN, date of birth, address)
• Contact rosters and phone directories
Review the table below to learn the most targeted technologies in recent
years.
Malicious Code
Timeline update
Have you ever dealt with malicious code on your computer? Likely you
have, though you may not even be aware of it. Let’s take a look at a case
involving malicious code.
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
Take a look at what the adversary collected from the CDC’s network.
When you’re satisfied with your review of this file, you may move on to
the knowledge check and feedback.
Information obtained:
• CDC network access
• DoD program details
• Names and contact information of CDC and DoD personnel
• Corruption of network data
• Loss of weapons program schematics
• Surveillance system compromised
Scenario Question
www.socialnetworkingsite1.com
Selecting the link downloaded malicious code. Would you have selected
the link? Select your response; then review the feedback that follows.
a. Definitely, my organization has strong anti-virus software. I’d open
the link.
b. No; I wouldn’t open a link from an unknown forum poster.
c. It depends. If I was on a reputable site, I’d have no problem opening
it.
Take a moment to review indicators of malicious code and when you are
ready, review Countermeasures to learn how to protect against it.
Technique
Embeds malicious code into links which, once selected, download the malicious
code to the user’s computer and network. Malicious code includes:
• Viruses
• Trojan horses
• Worms
• Keyloggers
• Spyware
• Rootkits
• Backdoors
Indicators
• Removable media
Effects include, but are not limited to:
Countermeasures
First, they research and identify targets through open source means such
as social networking sites. With targets identified, adversaries look for a
way into your organization’s network.
Once they gain access to your network, adversaries can easily obtain
user credentials and install backdoors and utilities that let them enter your
system at will and take what they find.
After accessing your system, adversaries can usually cover their tracks
so their presence on the network goes unnoticed. Even if detected, they
will use other means and try again.
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
News of the contract award was published online and in several major
newspapers. Employees of the contractor congratulated one another on
several social networking sites.
Once it had login data, the adversary group used the data to obtain a
great deal of information.
Take a look at what the adversary collected from the CDC’s network.
When you’re satisfied with your review of this file, you may move on to
the knowledge check and feedback.
Information obtained:
• CDC personnel user names/passwords
• CDC network access
• CDC personnel SSNs and birthdates
• DoD program details
• Weapons technology specifications
• Weapons components and their manufacturers
Scenario Question
There’s really no excuse for a weak password – it’s the easiest thing you
can control.
Technique
Adversaries easily gain access to computers and networks using legitimate login
credentials.
Indicators
The following are indicators of weak passwords; weak passwords include those
that use:
• Words found in the dictionary
• Readily available information significant to you (names, dates, cities, etc.)
• Lack of character diversity (e.g., all lower case letters)
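The three indicators above translate directly into an automated check that an organization can run when a password is set. The script below is an added example, not the guide's own material: the word list, the leetspeak mapping and the sample user profile are constructed stand-ins, and a real deployment would load a full dictionary and a breached-password list instead.

```python
"""Flag passwords that match the weak-password indicators listed above.

Added example, not part of the original student guide. DICTIONARY and the
profile passed in are constructed stand-ins for a real word list and for the
open-source information an adversary could learn about a user.
"""
import re

# Constructed mini dictionary; a real check loads a full word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "contractor"}

# Common substitutions, so "P@ssw0rd" is still recognized as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a", "7": "t"})


def _personal_tokens(profile: dict) -> set:
    """Derive strings (names, cities, years) readily available about the user."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s/-]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
        # Four-digit years are the most common personal detail embedded in passwords.
        tokens.update(re.findall(r"\d{4}", str(value)))
    return tokens


def weak_password_reasons(password: str, profile: dict) -> list:
    """Return the indicator names a password triggers; an empty list means none."""
    reasons = []
    normalized = password.lower().translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalized)

    # Indicator 1: words found in the dictionary (whole or embedded).
    if letters_only in DICTIONARY or any(w in letters_only for w in DICTIONARY):
        reasons.append("dictionary_word")

    # Indicator 2: readily available information significant to the user.
    lowered = password.lower()
    if any(tok in lowered or tok in normalized for tok in _personal_tokens(profile)):
        reasons.append("personal_information")

    # Indicator 3: lack of character diversity (fewer than three classes used).
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("low_character_diversity")
    return reasons


# Constructed profile: the kind of detail found on a social networking page.
SAMPLE_PROFILE = {"name": "Jane Smith", "birth_date": "1985-03-12", "city": "Dayton"}

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "jane1985", "Tq7!mR2$vLp9"):
        print(candidate, weak_password_reasons(candidate, SAMPLE_PROFILE))
```

The leetspeak normalization is what makes the dictionary check meaningful: substituting a few symbols into a common word changes its appearance, not its predictability.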
Effects include, but are not limited to, hackers:
Countermeasures
Reporting Requirements
You are the first line of defense against cyber threats.
DoD personnel who fail to report the contacts, activities, indicators, and
behaviors in items 1-10 are subject to punitive action.
1. Actual or attempted unauthorized access into U.S. automated
information systems and unauthorized transmissions of classified or
controlled unclassified information.
2. Password cracking, key logging, encryption, steganography, privilege
escalation, and account masquerading.
3. Network spillage incidents or information compromise.
4. Use of DoD account credentials by unauthorized parties.
5. Tampering with or introducing unauthorized elements into information
systems.
6. Unauthorized downloads or uploads of sensitive data.
7. Unauthorized use of Universal Serial Bus, removable media, or other
transfer devices.
8. Downloading or installing non-approved computer applications.
9. Unauthorized network access.
10. Unauthorized e-mail traffic to foreign destinations.
The indicators in items 11-19 are reportable, but failure by DoD personnel to
report these indicators may not alone serve as the basis for punitive action.
11. Denial of service attacks or suspicious network communications
failures.
Cyber intrusions into classified systems fall under the reporting requirement of
NISPOM 1-301 and must be reported to the FBI, with a copy to DSS.
Contractors should or must consider reporting Cyber intrusions into unclassified
information systems if the contractor believes they meet certain conditions.
Specifically, contractors must report cyber intrusions against classified
information systems that indicate:
• Espionage
• Sabotage
• Terrorism
• Subversive activity
A cyber intrusion reportable under NISPOM 1-301 may involve one or a
combination of active efforts, such as:
• Port and services scanning from consistent or constant addresses
• Hacking into the system
• Placing malware hacking tools into the system
• Passive efforts (e.g., unsolicited emails containing malware or internet sites
that entice users to download files that contain embedded malware)
• Exploitation of knowledgeable persons through “phishing” and “social
engineering”
Contractors should consider the following guidelines when making a
determination to report a cyber intrusion to the FBI and to DSS under NISPOM
paragraph 1-301:
• Evidence of an advanced persistent threat
• Evidence of unauthorized exfiltration or manipulation of information
• Evidence of preparation of contractor systems or networks for future
unauthorized exploitation
• Activity that appears to be out of the ordinary, representing more than
nuisance incidents
• Activities, anomalies, or intrusions that are suspicious and cannot be easily
explained as innocent
Contractors are also reminded they are required to report to DSS:
• Efforts by any individual, regardless of nationality, to “obtain illegal or
unauthorized” access to an information system processing classified
information (NISPOM paragraph 1-302b)
• “Significant vulnerabilities” identified in information system “hardware and
software used to protect classified material” (NISPOM paragraph 1-302j)
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
With everything going on, the contractor decided to delay its initiative to
upgrade key software. Network administrators were busy supporting new
employees and getting them up to speed, so they temporarily set aside notices
to apply software patches.
The foreign group was able to obtain volumes of information and data.
The group sold several pieces of the information and used other pieces to
advance related programs in its own country.
Take a look at what the adversary collected from the CDC’s network.
When you’re satisfied with your review of this file, you may move on to
the knowledge check and feedback.
Information obtained:
• Access to CDC network
• Identification of information system vulnerabilities
• Proprietary software
• Operations plans
• Company personnel information
Scenario Question
Choices B and C are risky responses. While it may not seem like a
necessity, ensuring the software on your network has the latest updates
helps prevent network intrusion. A lax attitude toward software patches
and updates basically invites adversaries into your organization’s
network.
Technique
• Targets known software vulnerabilities to gain access to computer or
network
Indicators
Countermeasures
Employees should:
• Use complex alphanumeric passwords
• Change passwords regularly
• Do NOT open emails or attachments from unfamiliar sources, even if
they look official
• Do NOT install or connect any personal software or hardware to your
organization’s network or hardware without permission from your IT
department
• Report all suspicious or unusual problems with your computer to your
IT department
There are also tips managers and IT departments should follow. They’re
listed here:
• Implement defense-in-depth*
• Implement technical defenses**
• Update anti-virus software daily
• Regularly download vendor security patches for all software
• Change the manufacturer’s default passwords on all software
• Monitor, log, and analyze successful and attempted intrusions to your
systems and networks
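The last tip, monitoring and analyzing successful and attempted intrusions, is where the weak-password and stolen-credential cases in this guide become visible. The script below is an added example, not material from the guide: it reads constructed sshd-style log lines (the user names and addresses are invented) and raises an alert when a burst of failed logins for one user from one source is followed by a success, which is the pattern credential guessing leaves behind. The threshold of five failures within ten minutes is an assumed tuning value, not one the guide specifies.

```python
"""Detect credential guessing followed by a successful login in auth logs.

Added example, not part of the original student guide. SAMPLE_LOG is
constructed in an sshd-like format; FAILURE_THRESHOLD and WINDOW are assumed
tuning values to be adjusted for the environment being monitored.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: five failures then a success for jsmith from one
# address, a single typo-style failure for rlee, and a clean login for mchen.
SAMPLE_LOG = """\
2011-09-14T08:00:01 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51022
2011-09-14T08:00:04 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51023
2011-09-14T08:00:09 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51024
2011-09-14T08:00:15 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51025
2011-09-14T08:00:21 sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51026
2011-09-14T08:00:30 sshd[1201]: Accepted password for jsmith from 203.0.113.7 port 51027
2011-09-14T08:05:00 sshd[1202]: Failed password for rlee from 192.0.2.44 port 40001
2011-09-14T08:05:40 sshd[1202]: Accepted password for rlee from 192.0.2.44 port 40002
2011-09-14T09:00:00 sshd[1203]: Accepted password for mchen from 198.51.100.9 port 33000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

FAILURE_THRESHOLD = 5           # assumed tuning value
WINDOW = timedelta(minutes=10)  # assumed tuning value


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, result, user, ip) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def suspicious_logins(log_text: str) -> list:
    """Return (user, ip, failure_count) for each success preceded by a failure burst."""
    recent_failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, result, user, ip in sorted(parse(log_text)):
        key = (user, ip)
        # Forget failures older than the window so a day's typos never add up.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= WINDOW]
        if result == "Failed":
            recent_failures[key].append(ts)
        elif len(recent_failures[key]) >= FAILURE_THRESHOLD:
            alerts.append((user, ip, len(recent_failures[key])))
            recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for user, ip, failures in suspicious_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} after {failures} failed attempts")
```

An alert of this kind is exactly the "unauthorized network access" and "use of account credentials by unauthorized parties" that the Reporting Requirements section says must be reported; the log line itself is the evidence to hand to the FSO or security point of contact.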
Removable Media
Timeline update
We’ve reached our last case file. Let’s see what we learn from this one.
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
Take a look at what the adversary collected from the CDC’s network.
When you’re satisfied with your review of this file, you may move on to
the knowledge check and feedback.
Information obtained:
• CDC network access
• DoD program details
• Proprietary technology capabilities, limitations, and vulnerabilities
Scenario Question
The defense contractor was targeted via removable media. What is your
organization’s policy on thumb drives and other removable media? Select
your response; then review the feedback that follows.
a. We use removable media; it’s convenient and is an efficient way of
sharing and transferring information.
b. Removable media is strictly prohibited.
c. I’m not sure.
Removable media is any type of storage device that can be added to and
removed from a computer while the system is running.
Technique
Malicious code can be stored in removable media devices. Once the device is
activated, the code initiates and infiltrates the user’s computer and any network
connected to the computer.
Examples of removable media devices include:
• Thumb drives
• Flash drives
• CDs
• DVDs
• External hard drives
Indicators
Countermeasures
Investigation Wrap Up
Timeline update
The attacks we’ve just highlighted are all fictitious. These particular
events never happened, though cyber attacks similar to those you’ve just
seen happen every day.
Taken individually, these attacks can seem minor. But imagine the effect
of the millions of attacks that occur every day. Imagine the amount of
information our adversaries can cull because we are not as vigilant as we
should be. Imagine how much information they can gather over time.
Imagine what they can do with this information.
And imagine the impact to individuals, the companies they work for, and
to the country as a whole. The potential impact on national security and
our strategic military advantage cannot be overstated.
Date Event
September 2011 Denial of Service (DoS) attack shuts down large CDC
August 2012 Case File: Foreign group accesses CDC network via
corrupted thumb drives
Conclusion
You have just learned about some of the cyber threats that target DoD
employees, cleared defense contractors, and people like you.
You need to be aware of these threats. You need to consider your facility,
its technology and programs, and the information you know. How might
you be a target?
If you are subject to a suspicious cyber incident, you must report it.
Acknowledgement
Sign the acknowledgement below indicating that you understand your
obligation to report all suspicious cyber activities.
I understand that I shall report all suspicious cyber activities and attempts
to acquire U.S. export-controlled, restricted, or classified information and
technology to my Facility Security Officer (FSO) or security point of
contact.
_________________________________________
Student Signature