This Month's National Cybersecurity Awareness Month Focus

Transcription

October 2020

THIS MONTH’S FOCUS
NATIONAL CYBERSECURITY AWARENESS MONTH

DID YOU KNOW?
The U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA) launched National Cybersecurity Awareness Month (NCSAM) to raise cybersecurity awareness in 2004.

CDSE – Center for Development of Security Excellence
@TheCDSE

NCSAM is a collaborative effort between Government and industry to provide every American the resources they need to stay safe and secure online while increasing the resilience of the Nation against cyber threats. It was launched in 2004 by the U.S. Department of Homeland Security (DHS) National Cyber Security Division, now called the Cybersecurity and Infrastructure Security Agency (CISA), and the nonprofit National Cyber Security Alliance (NCSA) representing industry. Their shared goal is to expand NCSAM’s reach every year and highlight the importance of cybersecurity and staying safe online. This year’s theme is “Do Your Part. #BeCyberSmart.” It encourages individuals and organizations to own their role in protecting their part of cyberspace while stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.

This year has been unprecedented for many reasons, including the rise of teleworking due to the COVID-19 pandemic. Increased phishing attacks and identity theft have left individuals compromised due to lack of knowledge, awareness, or vigilance surrounding cyber practices. The Center for Development of Security Excellence (CDSE) aims to focus readers on topics associated with cybersecurity to combat these issues at home and in the office.

Sign up for the latest security awareness newsletters at https://www.cdse.edu/news/index.html

CYBERSECURITY KNOWLEDGE CRITICAL FOR TELEWORKERS DURING PANDEMIC

The COVID-19 pandemic and the resulting social distancing protocols have forced many Americans to work from home. Unfortunately, more people teleworking means more targets for cybersecurity threats. Even the most routine aspects of teleworking such as Virtual Private Networks (VPN), employee email accounts, and virtual meetings are vulnerable to attacks. As NCSAM enters its 17th year, it is important to remember that these vulnerabilities can be secured through vigilance, security procedures, and training.

VPNs are one of the most secure means to access the internet because they create “private tunnels” that encrypt the data that passes through the network. They also mask user identity and promote online safety and privacy; however, VPNs are still vulnerable to attacks. According to guidance published by CISA, organizations are less likely to keep VPNs updated with the latest security updates and patches. Some organizations do not use Multi-Factor Authentication (MFA) for remote access, which grants access only after successfully presenting two or more pieces of evidence. This gap also leaves VPNs open to attacks. CISA offers tips for securing enterprise VPN solutions. These tips include updating VPN devices frequently, employing MFA to increase security, and developing and maintaining enterprise security policies and procedures. A safe internet connection is important, but it is only one aspect of safe teleworking. Another aspect is avoiding interaction with phishing emails.

Phishing occurs when attackers masquerade as trusted entities and try to lure people in with malicious links and suspicious attachments. One of their techniques is to make their fraudulent website or bogus email address look as authentic as possible to trick unsuspecting employees. For instance, google.com is a legitimate website, but go0gle.com is most likely a scam website. Other signs of phishing include emails from unknown senders trying to solicit sensitive or personal information. Some tips to safeguard against phishing include knowing your organization’s process for spotting anomalies, being vigilant and aware of sophisticated attacks, paying attention to URLs and domains, and employing MFA. Phishing attacks were a problem well before the pandemic; however, virtual meetings are a vulnerability that many may not have considered.

Virtual meetings have become the new norm in 2020. But government employees were not the only people who adjusted to this new format; so did the cyber threat actors. CDSE recently aired a cybersecurity webinar that included the “dos and don’ts” of virtual meetings. In summary, the “dos” are to prohibit unauthorized software, verify meeting classification, secure meetings, enforce policies, and connect approved devices. The “don’ts” are do not use unauthorized software, do not ignore classification markings, do not open meetings to all, do not overlook or ignore policies, and do not connect unapproved devices.

While the examples presented in this article cover different teleworking security risks, there is one thing they have in common: the employee. According to a 2020 global study conducted by the Ponemon Institute, 62 percent of insider threat incidents were caused by negligence. While cybersecurity and insider threats are different security disciplines, a negligent employee could be the catalyst in a cybersecurity incident. Employees with cybersecurity knowledge are less likely to be negligent. In fact, they are the best line of defense for preventing attacks.
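The advice above to pay attention to URLs and domains can be partly automated. The following is an added example, not CDSE material: it checks a link or sender address against an allowlist and flags near matches such as the article's go0gle.com. The allowlist, the character-swap table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; replace with your organization's domains.
TRUSTED = ("google.com", "cdse.edu")
# A few common digit-for-letter swaps seen in lookalike domains (not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def host_of(value):
    """Return the lowercased host from a URL or an email address."""
    value = value.strip().lower()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    return host.rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    host = host_of(value)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in TRUSTED:
        # Compare the last labels of the host with the trusted name.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        folded = tail.translate(CONFUSABLE)
        if edit_distance(folded, good) <= 1:
            return "lookalike", good      # e.g. go0gle.com, gogle.com
        if host.startswith(good + "."):
            return "lookalike", good      # trusted name used as a subdomain prefix
    return "unknown", None

if __name__ == "__main__":
    for sample in ("https://www.google.com/", "alerts@go0gle.com",
                   "http://google.com.account-verify.example/login"):
        print(sample, classify(sample))
```

A one-edit threshold can misfire on very short domain names, so treat a "lookalike" verdict as a prompt for review rather than proof of phishing.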

CYBERSECURITY KNOWLEDGE CRITICAL FOR TELEWORKERS DURING PANDEMIC (CONT’D)

Some methods to educate employees include investing in user education, providing frequent refreshers to influence behavior, employing separation of duties, signing acceptable use policies, displaying warning banners, and displaying frequent pop-up reminders. CDSE offers training, posters, videos, games, and access to policy guidance to improve and promote organizational and individual cybersecurity awareness.

The number of people teleworking for such an extended period of time was unprecedented before COVID-19, and it is important to remain vigilant and aware during this time of new and increased security vulnerabilities. CISA Director Christopher Krebs expressed the need for vigilance at a virtual cybersecurity conference this September, “We have to make sure that federal agencies that are shifting to a remote work environment or have shifted to a remote environment, that are introducing new risks, that are expanding their attack surface, that we don’t take our foot off the gas in terms of the progress we’ve made.” Security professionals need to develop, maintain, and enforce cybersecurity policies, continuously patch and update operating systems, and utilize training to prevent cyberattacks and safeguard the nation.

ENHANCE YOUR CYBERSECURITY KNOWLEDGE WITH SECURITY AWARENESS GAMES

Learning games are a proven way to improve knowledge and retention. Our new cybersecurity games aim to drive awareness with this year’s NCSAM theme, “Do Your Part. #BeCyberSmart.” Choose from the games below. You can find them under “Cybersecurity” here along with other security awareness games.

Word Search: Cyber Terminology (October 5)
Crossword Puzzle: #BeCyberSmart (October 12)
Jeopardy: “I’ll take Cyber” (October 19)

WEBINARS

CDSE has several Cybersecurity webinars scheduled this month. The first event was the “Know Your CDSE” Cybersecurity Speaker Series on October 1, 2020. If you missed the live event, you can still view the archived Speaker Series under Cybersecurity.

The Cybersecurity Team has also recorded two NCSAM webcasts with the following release dates:

October 5: Cybersecurity and Telework: Concerns, Challenges, and Practical Solutions Webcast (Part 1 of two-part series)
October 19: Cybersecurity and Telework: Concerns, Challenges and Practical Solutions Webcast (Part 2 of two-part series)

more under “Webinars” on the Cybersecurity catalog page at

LINKS TO MORE CYBERSECURITY RESOURCES:

NCSAM yawareness-month
CISA Cybersecurity esources
COVID-19 Exploited by Malicious Cyber 9a
National Cyber Security Alliance https://staysafeonline.org
Federal Trade ct tracing scams infographic-1-508.pdf
CDSE Cybersecurity ex.php

NEW PSAS HIGHLIGHT FREE TRAINING, EDUCATION, AND CERTIFICATION

Explore information about security learning opportunities with our new CDSE Public Service Announcements (PSAs). These short PSAs can introduce you to learning paths to help you get to the next level of your career goals.

CDSE:
CDSE OVERVIEW: information on CDSE offerings

EDUCATION:
PROGRAM OVERVIEW: graduate & advanced level security courses
CERTIFICATE PROGRAM: overview of program
UNDERSTANDING ADVERSARIES & THREATS TO THE U.S. AND DOD
STATUTORY, LEGAL, AND REGULATORY BASIS OF DOD SECURITY PROGRAM

Any questions or more information about these PSAs can be directed mil

WHAT STUDENTS ARE SAYING

“This is one of the best training courses I have taken. It moves smoothly and has very good information. The format and image of each page make it interesting to participate.”
– Student, Cybersecurity Awareness CS130.16

“Great training on a difficult, technical topic.”
– Student, Continuous Monitoring CS200.16

PHISHING AWARENESS 101

Phishing is a form of social engineering that fools people into revealing confidential or personal information that can be used illicitly or fraudulently against them. Cybercriminals can also take advantage of information found through social media platforms, location sharing, and in-person conversations. CDSE’s phishing prevention poster highlights ways individuals can secure themselves from online fraud and phishing attempts. We invite you to download and share the poster within your organization to raise awareness and take our Phishing Awareness eLearning course. There’s also a Phishing Scams game available through the Federal Trade Commission here.

WHAT’S COMING IN NOVEMBER

November is National Critical Infrastructure Security and Resilience Month! This year, the November CDSE Pulse will focus on the Infrastructure Security Month and the resources available to raise awareness and promote actions to protect our nation’s critical infrastructure.

In addition, the “Know Your CDSE: Education” Speaker Series is scheduled for November 10. The speaker will cover our Education program including requirements, credit recommendations, courses, and certificates. Sign up today to learn how you can broaden your security knowledge and prepare for security leadership positions and responsibilities!

DID YOU MISS THE INSIDER THREAT VIRTUAL SECURITY CONFERENCE?

In case you missed the Virtual Security Conference on September 3, CDSE has made the event resources available to insider threat practitioners, counterintelligence and security professionals from the DoD, federal agencies, private industry, critical infrastructure sectors, and academia. Access the conference presentations in our webinar archive under Insider Threat.

UPCOMING WEBINAR: NATIONAL ACCESS ELSEWHERE SECURITY OVERSIGHT CENTER, NOW WHAT?

Thursday, October 22, 2020, 1-2 PM ET

If you are assigned to the NAESOC, make plans to attend this webinar to hear about the current state of NAESOC and FY21 plans. Attendees will also be able to ask questions and get answers in real time from subject matter experts.
