DOD CYBER AWARENESS TRAINING
FLASHCARDS
EXAM PREPARATION GUIDE | 100 ITEMS
Q:Use of Govt. E-mail
E-mail use must not adversely affect performance of your role or reflect poorly on your organization. To use e-mail appropriately:
- Do not use e-mail to sell anything
- Do not send:
  - Chain letters
  - Offensive letters
  - Mass e-mails
  - Jokes
  - Unnecessary pictures
  - Inspirational stories
- Avoid using "Reply All" to prevent sending unnecessary e-mail traffic
- Only use e-mail for personal reasons if allowed by your organization
- Use a digital signature when sending attachments or hyperlinks, as required by the DoD
- Do not use personal accounts, such as webmail, to conduct official DoD communication
Follow your organization's policy on webmail (a web-based service that checks e-mail remotely). If webmail is allowed, use caution as it may bypass built-in security features and other safeguards, such as encryption, and thus may compromise security.
Q:Online Identity
Social networking sites are not the only source of your online identity. Many apps and smart devices collect and share your personal information, and contribute to your online identity. These include, but are not limited to:
- Fitness and health trackers
- Professional networking apps
- Dating apps and websites
- Secure chat
- Neighborhood advisory apps
- Audio-enabled personal digital assistants and the smart devices they support, such as phones, TVs, and speakers
Feeding off the data collected by these apps and devices, as well as information available in public records, online data aggregators collect and catalogue information about you. You should opt out of data aggregation and use these apps and devices with caution.
Q:Evaluation
To avoid being misled by disinformation:
- Research the source to evaluate its credibility and reliability
- Read beyond the headline
- Check against known facts and other sources on the topic
- Consider whether the story is intended as a joke
- Check your personal biases
  - Consider whether your views or beliefs are affecting your judgement
  - Actively seek opposing or disconfirming content
Q:Collateral Classified Spaces
Follow your organization's policy on mobile devices and peripherals within secure spaces where classified information is processed, handled, or discussed. Mobile devices and peripherals may be hacked or infected with malware and can be used to track, record, photograph, or videotape the environment around them. Powering off or putting devices in airplane mode is not sufficient to mitigate these risks and the threat these devices pose to classified information.
When using unclassified laptops and peripherals in a collateral classified environment:
- Ensure that any embedded cameras, microphones, and Wi-Fi are physically disabled
- Use authorized external peripherals only:
  - Government-issued wired headsets and microphones
  - Government-issued wired webcams in designated areas
  - Personally-owned wired headsets without a microphone
All wireless headsets, microphones, and webcams are prohibited in DoD classified spaces, as well as all personally-owned external peripherals other than wired headsets.
Q:Permitted Uses of Government-Furnished Equipment (GFE)
- Viewing or downloading pornography - NO
- Gambling online - NO
- Conducting a private money-making venture - NO
- Using unauthorized software - NO
- Illegally downloading copyrighted material - NO
- Making unauthorized configuration changes - NO
Q:CAC/PIV
The Common Access Card (CAC)/Personal Identity Verification (PIV) card is a controlled item. It implements DoD Public Key Infrastructure (PKI) and contains certificates for:
- Identification
- Encryption
- Digital signature
Note: Some systems use different types of smart card security tokens. Avoid a potential security violation by using the appropriate token for each system.
Q:CAC/PIV Protection
To protect your CAC/PIV card:
- Maintain possession of your CAC/PIV card at all times
  - Remove and take your CAC/PIV card whenever you leave your workstation
  - Never surrender or exchange your CAC/PIV card for building access (e.g., a visitor pass)
  - If your CAC/PIV card is lost or misplaced, report it immediately to your security POC
- Store it in a shielded sleeve to mitigate card and chip cloning
- Do not write down or share the PIN for your CAC/PIV card
- Avoid using your CAC/PIV card as a form of photo identification when there is a request for such verification by a commercial entity
- Do not allow commercial entities to photocopy or duplicate your CAC/PIV card
- Lock your computer when you leave or shut it down, depending on your organization's security policy
- Do not use your CAC/PIV card on systems without updated system security protections and antivirus
- Use all security tokens appropriately
Q:Transmission
When transmitting Controlled Unclassified Information (CUI):
- Ensure all information receivers have required clearance and official need-to-know before transmitting CUI or using/replying to e-mail distribution lists
- If faxing CUI:
  - Ensure recipient is at the receiving end
  - Use correct cover sheet
  - Contact the recipient to confirm receipt
- Use encryption when e-mailing Personally Identifiable Information (PII) or other types of CUI, as required by the DoD
Q:Two-Factor Authentication
For identity authentication, the Department of Defense (DoD) is moving toward using two-factor authentication wherever possible. Two-factor authentication combines two out of the three types of credentials to verify your identity and keep it more secure:
- Something you possess, such as a Common Access Card (CAC)
- Something you know, such as your Personal Identification Number (PIN)
- Something you are, such as a fingerprint or other biometrics
Use two-factor authentication wherever possible, even for personal accounts. For example, some widely used personal services (like Google) offer two-factor authentication.
Q:In addition to avoiding the temptation of greed to betray his country, what should Alex do differently?
Avoid talking about work outside of the workplace or with people without a need-to-know
Q:Social Engineering
Social engineers use telephone surveys, e-mail messages, websites, text messages, automated phone calls, and in-person interviews. To protect against social engineering:
- Do not participate in telephone surveys
- Do not give out personal information
- Do not give out computer or network information
- Do not follow instructions from unverified personnel
- Document interaction:
  - Verify the identity of all individuals
  - Write down phone number
  - Take detailed notes
- Contact your security POC or help desk
- Report cultivation contacts by foreign nationals
Q:Risks
The risks associated with removable media include:
- Introduction of malicious code
- Compromise of systems' confidentiality, availability, and/or integrity
- Spillage of classified information
Potential consequences:
- Shutdown of systems
- Compromise of information, systems, programs, and/or assets
- Loss of mission
- Loss of life
Q:Deterring
We defend against the damage insider threats can cause by deterring insiders from becoming threats. DoD and Federal policies require agencies to establish Insider Threat Programs aimed at deterring, detecting, and mitigating the risks associated with insider threats. Their activities include:
- Proactively identifying insiders who exhibit potential risk indicators through:
  - User activity monitoring
  - Workplace reporting
- Formulating holistic mitigation responses to decrease risk while achieving positive outcomes for the organization and the individual. For example:
  - Referring individuals to counseling or other types of assistance to alleviate personal stressors
  - Requiring training on security protocols
  - Developing organization-wide protocols designed to secure information, resources, and personnel
Q:What is the response to an incident such as opening an uncontrolled DVD on a computer in a SCIF?
All of these:
- Notify your security POC
- Analyze the media for viruses or malicious code
- Analyze the other workstations in the SCIF for viruses or malicious code
Q:PII/PHI
Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to:
- Social Security Number
- Date and place of birth
- Mother's maiden name
- Biometric records
- Protected Health Information
- Passport number
Protected Health Information (PHI):
- Is a subset of PII requiring additional protection
- Is health information that identifies the individual
- Is created or received by a healthcare provider, health plan, or employer, or a business associate of these
- Relates to:
  - Physical or mental health of an individual
  - Provision of healthcare to an individual
  - Payment for the provision of healthcare to an individual
Q:Protection
To protect Controlled Unclassified Information (CUI):
- Properly mark all CUI
- Store CUI data only on authorized information systems
- Don't transmit, store, or process CUI on non-approved systems
- Mark, handle, and store CUI properly
  - Reduce risk of access during working hours
  - Store after working hours:
    - Locked or unlocked containers, desks, cabinets, if security is present
    - Locked containers, desks, cabinets if no security is present or is deemed inadequate
- Follow policy in DoD Instruction 5200.48, "Controlled Unclassified Information (CUI)" for retention or disposal
- Comply with the DoD Cyber Regulations outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) for CUI and CTI handling requirements