Cyber Security Awareness Training 2025


Welcome

The purpose of this training:

The purpose of this Security Awareness Training (SAT) is to educate our staff to understand, identify, and avoid cyber threats. Our ultimate goal is to prevent or mitigate harm across all businesses and for all our stakeholders, and so reduce human cyber risk.

The Topics:

This training will cover 11 cyber security topics.

  1. Authentication & Password Management
  2. Phishing
  3. Removable Media
  4. Social Engineering
  5. Wi-Fi
  6. Social Media Use
  7. Mobile Device Security
  8. Internet Security
  9. Clear Desk & Screen
  10. Physical Security
  11. Artificial Intelligence

What to expect:

Each topic comprises a range of tips, essential actions, and short videos aimed at providing in-depth insight into cybersecurity. At the end of each topic, you’ll be asked two or three questions to assess your understanding of what you have just learnt.

Please take a moment to thoroughly review the content before proceeding to the questions, as once you move forward, you won't be able to revisit the material.

Please try to complete the training in one sitting. If that's not possible, please make sure you close and re-open the browser when resuming. You will resume from where you left off.


Pass-mark:

You will need to get at least 80% of the questions correct or you will need to re-take the training.

1. Authentication & Password Management

What is Authentication?

Authentication is the process of verifying a user or device before allowing access to a system or resources.

In other words, authentication means confirming that a user is who they say they are. This ensures only those with authorised credentials gain access to secure systems. When a user attempts to access information on a network, they must provide secret credentials to prove their identity. Authentication allows you to grant access to the right user at the right time with confidence. But this doesn’t occur in isolation.

Authentication is part of a three-step process for gaining access to digital resources:

  • Identification — Who are you?
  • Authentication — Prove it.
  • Authorisation — Do you have permission?

The Rise of Multi-Factor Authentication

One of the most important ways to protect data is through multi-factor authentication (MFA). The 2021 DBIR report found that credentials are the most frequently compromised data in a breach—especially in a phishing attack, which typically goes after the victim’s credentials to gain further access to the target organisation.

But multi-factor authentication adds another layer of verification that can help prevent these kinds of attacks. In other words, even if hackers steal your credentials, that won’t be enough to get into the system.

Authentication Factors

An authentication factor is a category of credentials used to authenticate or verify a user’s identity. Authentication factors can include:

  • Passwords
  • Security tokens (like keys or smart cards)
  • Facial recognition
  • Fingerprint scans

There are three main authentication factors:

  • Something you know (aka knowledge factors): This is the most common authentication factor. It verifies identity by checking confidential information that only the user knows, such as a login and password.
  • Something you have (aka possession factors): Users verify their identity with a unique object such as an access card or key fob. This authentication removes the risk of forgetting passwords; however, it means the user must have the object with them whenever they need to access a system, and they run the risk of losing it by accident or theft.
  • Something you are (aka inherence factors): An inherence factor verifies identity through inherent biometric characteristics of the user, like a fingerprint, voice, or iris pattern. The advantage of biometric characteristics is that they’re harder to lose or replicate. But they can be expensive and less accurate than traditional authentication factors.

Password Manager

The password manager that we use is the one built into the Microsoft Edge browser.


How are passwords stored in Microsoft Edge and how safe is this approach?

Microsoft Edge stores passwords encrypted on disk. They’re encrypted using AES and the encryption key is saved in an operating system (OS) storage area. This technique is called local data encryption. Although not all of the browser's data is encrypted, sensitive data such as passwords, credit card numbers, and cookies are encrypted when they are saved.

The Microsoft Edge Password Manager encrypts passwords so they can only be accessed when a user is logged on to the operating system. Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in.

Tips

  • Your browser can generate, save, and sync secure, unique passwords

Required Action:

  • Use a password manager, not a post-it note. Please lodge an ICT support ticket if you have any issue with authentication and password recovery.

Please watch the short video below:



Authentication & Password Management

Questions

Please answer the following 2 questions

Question 1 : Is "Something you know" one of the three authentication factors?



Question 2 : As mentioned in the video, is using the name of a well-known song as your password recommended?



2. Phishing

What is Phishing?

Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal corporate information -- such as credit card numbers, bank information, or passwords -- on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.

Recognising a phishing email:

  • Urgent call to action or threats - Be cautious of emails and Teams messages that claim you must click, call, or open an attachment immediately.
  • First time, infrequent senders, or senders marked [External] - While it’s not unusual to receive an email or Teams message from someone for the first time, especially if they are outside your organisation, this can be a sign of phishing.
  • Spelling and bad grammar - Professional companies and organisations usually have an editorial and writing staff to make sure customers get high-quality, professional content. If an email message has obvious spelling or grammatical errors, it could be a scam.

Recognising a phishing email (continued):

  • Generic greetings - An organisation that works with you should know your name and these days it’s easy to personalise an email. If the email starts with a generic “Dear sir or madam” that’s a warning sign that it might not really be your bank or shopping site.
  • Mismatched email domains - If the email claims to be from a reputable company, like Microsoft or your bank, but the email is being sent from another email domain like gmail.com or microsoftsupport.ru, it’s probably a scam.
  • Suspicious links or unexpected attachments - If you suspect that an email message, or a message in Teams, is a scam, don’t open any links or attachments that you see. Instead, hover your mouse over the link, but don’t click it, to see the address it actually leads to.
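
The "mismatched email domains" check above, written out as an added example (it is not part of the original training material). The brand table, the free-mail list, the function names and every sample sender are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: brands we expect to hear from, and the domains they really send from.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "example bank": {"examplebank.example"},
}
# Assumption: consumer mail providers a company would not use for official mail.
FREE_MAIL = {"gmail.com", "yahoo.com"}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def belongs_to(domain, trusted):
    """True only for the trusted domain itself or a real subdomain of it.

    A substring test is not enough: 'microsoft.com.evil.example' contains
    'microsoft.com' but is controlled by whoever owns 'evil.example'.
    """
    return domain == trusted or domain.endswith("." + trusted)


def check_sender(from_header):
    """Compare the brand claimed in the display name with the real sending domain.

    Returns one of: 'invalid', 'no-brand-claim', 'ok', 'free-mail',
    'lookalike', 'mismatch'.
    """
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "invalid"

    claimed = display.lower()
    for brand, trusted_domains in KNOWN_BRANDS.items():
        if brand not in claimed:
            continue
        if any(belongs_to(domain, t) for t in trusted_domains):
            return "ok"
        if domain in FREE_MAIL:
            return "free-mail"      # "Microsoft" writing from gmail.com
        if brand.replace(" ", "") in domain:
            return "lookalike"      # brand name embedded in a foreign domain
        return "mismatch"           # brand claimed, unrelated domain
    return "no-brand-claim"


# Constructed sample senders (not taken from real messages).
SAMPLES = [
    "Microsoft Support <help@microsoftsupport.ru>",
    "Microsoft Billing <billing.dept@gmail.com>",
    "Microsoft <security@mail.microsoft.com>",
    "Microsoft <alerts@microsoft.com.evil.example>",
    "Example Bank <service@secure-login.example>",
    "Jane Doe <jane@partner.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):15} {header}")
```

A verdict of "ok" only means the domain matches the claimed brand; the other warning signs in this list still apply.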

Tips

  • When you come across a message urging immediate action, it’s important to take a moment, pause and look carefully at the message. Ask yourself: Is this message real? Can I confirm the legitimacy of the sender or recipient? When in doubt, take a step back, think through, and prioritise your cyber safety by verifying the message’s credibility.

Required Action:

  • Please report all attempted Phishing Attacks to the ICT Department via the ICT Support Channel in Teams for further investigation.

Please watch the short video below:



Phishing

Questions

Please answer the following 2 questions

Question 1 : Which one of the following is NOT a way to potentially spot a Phishing attack?




Question 2 : What should you do if you receive a suspected phishing attack?




3. Removable Media

What is removable media?

Uncontrolled use of removable media such as USB drives can lead to business information being exposed to, or stolen by, unauthorised individuals. Data stored in an unencrypted format on removable media is particularly vulnerable to cyber attacks, making data security a major concern.

Removable media stands out as the primary gateway for cyber attacks. Therefore, to effectively reduce this risk, we need to implement a strict USB management process.

Common types of removable media:

  • USB flash drives
  • External hard drives (e.g. SSD)
  • Card readers (e.g. SD card and memory card)
  • Removable discs (e.g. Blu-ray discs, CD-ROMs, DVDs)

Removable Media Security Risks:

Removable media introduces many security risks and vulnerabilities as it stores a large volume of data including sensitive data. Therefore, failure to properly manage and secure these removable media and devices could expose users to the following risks:

  • Removable media can be easy to lose, which could result in the compromise of the sensitive information stored on it. You should be aware that some media types may be able to retain information even after deletion.
  • Malware could be introduced on a system via a flash drive once inserted into the USB port.

Removable Media Security Risks (continued):

  • Data exfiltration: if you are not careful and insert an unknown USB drive into your device, it may be malicious and have the ability to steal data from an organisation.
  • Autorun is especially problematic with removable media: it can be helpful, but hackers abuse this feature by setting malicious programs to run automatically from removable media.
  • Reputational damage: the loss of sensitive information can negatively affect our organisation’s reputation.

Tips:

  • Only use removable media issued by the ICT department

Required Action:

  • If you need removable media tested, please log an ICT support ticket

Please watch the short video below:



Removable Media

Questions

Please answer the following 2 questions

Question 1 : Which of the following IS an example of removable media?




Question 2 : As referred to in the video, what should you do with sensitive information stored on a USB stick drive once it is no longer needed?




4. Social Engineering

What is Social Engineering?

At its core, social engineering is not a cyber attack. Instead, social engineering is all about the psychology of persuasion: It targets the mind like your old school grifter or con man. The aim is to gain the trust of targets, so they lower their guard, and then encourage them into taking unsafe actions such as divulging corporate information or clicking on web links or opening attachments that may be malicious.

Types of social engineering attacks:

  • Phishing: Phishing attacks typically take the form of an email, SMS or deepfake AI voice message that looks as if it is from a legitimate source. Sometimes attackers will attempt to coerce the victim into giving away credit card information or other corporate data.
  • Watering hole attacks: Watering hole attacks are a very targeted type of social engineering. An attacker will set a trap by compromising a website that is likely to be visited by a particular group of people.
  • Business email compromise attacks: Business email compromise (BEC) attacks are a form of email fraud where the attacker masquerades as a senior level manager and attempts to trick the recipient into performing their business function, for an illegitimate purpose. Sometimes they go as far as calling the individual and impersonating the executive.

Types of social engineering attacks (continued):

  • Physical social engineering: Attackers skilled at psychological manipulation trick people into making security mistakes or giving away sensitive information. Some social engineering techniques hackers use to gain access to a target’s premises include getting someone to hold a door open for them, tailgating an employee to enter a building or restricted area, or posing as someone with a legitimate reason for being on the premises – such as a maintenance engineer or a delivery person.
  • USB baiting: USB baiting sounds a bit unrealistic, but it happens more often than you think. As seen in the previous video, essentially what happens is that cybercriminals install malware onto USB sticks and leave them in strategic places, hoping that someone will pick one up and plug it into a corporate environment, thereby unknowingly unleashing malicious code into their organisation.

Tips:

  • Check the sender’s address for any inconsistencies, and be on the lookout for bad grammar, spelling, and whether the entire email is presented as one clickable image – as this can be an attempt to bypass security measures and direct you to a malicious website.

Required Action:

  • Please raise an ICT support ticket immediately for any Social Engineering attempt.

Please watch the short video below:



Social Engineering

Questions

Please answer the following 2 questions

Question 1 : What is a form of Social Engineering attack?




Question 2 : As mentioned in the video, what % of cyber attacks fall under the umbrella of social engineering?




5. Wi-Fi

Users of Wi-Fi networks are at risk of exposure to an array of cyber threats, especially as they expand their use of mobile technology to access the internet and conduct online transactions.


The proliferation of public Wi-Fi also creates security issues for individual users and organisations. These networks are, by definition "open" and, therefore, unprotected. Devices accessing public networks are highly susceptible to malware, spyware, and other malicious activity.

Types of Wi-Fi attacks:


Spoofing attack

Attackers use IP spoofing to penetrate wireless networks by impersonating trusted IP addresses. This approach may allow attackers to plant malware, initiate distributed-denial-of-service (DDoS) attacks, or carry out other nefarious acts.


DNS-cache poisoning

Wireless networks are also susceptible to a threat known as DNS-cache poisoning, often called DNS spoofing. This tactic involves hacking a network and diverting network traffic to an attacker's computer or server or to another out-of-network device. The risk for users is connecting to a malicious version of a legitimate network they want to access.

Types of Wi-Fi attacks (continued):


Piggybacking

As noted earlier, bad actors can use open or unsecured wireless networks to conduct illegal activity, monitor web traffic, steal information, and more. They can do this by "piggybacking" on the internet service of real subscribers. The bad actors tap into the unsecure service to set up their own internet connections, without the legitimate users' knowledge.


Wardriving

There is another version of this practice, known as "wardriving." Individuals drive, walk, or cycle slowly through densely populated areas with wireless-equipped laptops or smartphones, searching for unsecured wireless networks to connect to.

Types of Wi-Fi attacks (continued):


MITM attacks

That extra layer makes man-in-the-middle (MITM) attacks more difficult. In a MITM attack, an adversary attempts to intercept communications between two parties to “listen in” on their activity or to manipulate the traffic being transmitted between them.

Tips:

  • DO NOT connect to a public Wi-Fi network if it is not password protected.
  • Use your phone's Wi-Fi hotspot instead of random free or unsecured networks.

Required Action:

  • If you require Wi-Fi connectivity within the office, please log an ICT support ticket for the password.

Please watch the short video below:



Wi-Fi

Questions

Please answer the following 2 questions

Question 1 : Is it potentially risky to access sensitive information over a passwordless public Wi-Fi network?



Question 2 : As mentioned in the video, please complete this sentence:

When you're on a public Wi-Fi network, please refrain from accessing _____ websites




6. Social Media

What is social media?

Social media offers an outlet for people to connect and share life experiences through pictures and videos. But too much sharing, or a lack of attention to imposters, can lead to a compromise of business and personal accounts.

Attackers often use social media accounts during the reconnaissance phase of a social engineering or phishing attack. Social media can give attackers a platform to impersonate trusted people and brands, or the information they need to carry out additional attacks, including social engineering and phishing.

Recognising social media security risks:

  • Use ad blockers on corporate devices. If ad blockers are not feasible, instruct employees to avoid clicking ads, especially on popups that instruct users to download software to view content.
  • Employees should not share passwords—even if it’s within the same department.
  • Attackers use fear and urgency in their engagements, and employees should recognise this tactic as suspicious. Any messages or social media posts that urge employees to act quickly should be ignored.

Recognising social media security risks (continued):

  • Don’t accept friend requests from unknown people even if the user has several friends in common.
  • Avoid using social media sites on public Wi-Fi hotspots. Public Wi-Fi is a common location for attackers to snoop on data using man-in-the-middle (MitM) attacks.
  • Use unique passwords and two-factor authentication whenever possible.

Tips:

  • Be wary of phishing attacks, and of posting information that is not for public consumption

Required Action:

  • Please raise an ICT service desk ticket for ANY unusual activity on any of our businesses’ social media channels.

Please watch the short video below:



Social Media

Questions

Please answer the following 2 questions

Question 1 : As per the video, is "Think before you link" a sound strategy on social media?



Question 2 : As per the video, is "Oversharing information on social media" a secure practice?



7. Mobile Device Security

What is Mobile Device Security?

Mobile Device Security refers to the measures designed to protect sensitive information stored on and transmitted by laptops, smartphones, tablets, wearables, and other portable devices. At the root of mobile device security is the goal of keeping unauthorised users from accessing our corporate network.

Mobile Device Cyber Threats:


As mobile devices become increasingly important, they have received additional attention from cybercriminals. As a result, cyber threats against these devices have become more diverse.

  • Malicious Apps and Websites: Like desktop computers, mobile devices have software and Internet access. Mobile malware (i.e. malicious applications) and malicious websites can accomplish the same objectives (stealing data, encrypting data, etc.) on mobile phones as on traditional computers.
  • Mobile Ransomware: Mobile ransomware is a particular type of mobile malware, but the increased usage of mobile devices for businesses has made it a more common and damaging malware variant. Mobile ransomware encrypts files on a mobile device and then requires a ransom payment for the decryption key to restore access to the encrypted data.

Mobile Device Cyber Threats (continued):


  • Phishing: On mobile devices, phishing attacks have a variety of media for delivering their links and malware, including email, SMS messaging, social media platforms, and other applications.
  • Man-in-the-Middle (MitM) Attacks: Mobile devices are especially susceptible to MitM attacks. Unlike web traffic, which commonly uses encrypted HTTPS for communication, SMS messages can be easily intercepted, and mobile applications may use unencrypted HTTP for transfer of potentially sensitive information.

Mobile Device Cyber Threats (continued):


  • Advanced Jailbreaking and Rooting Techniques: Jailbreaking and rooting are terms for gaining administrator access to iOS and Android mobile devices. These types of attacks take advantage of vulnerabilities in the mobile OSs to achieve root access on these devices. These increased permissions enable an attacker to gain access to more data and cause more damage than with the limited permissions available by default.
  • Device and OS exploits: With mobile devices, like computers, vulnerabilities in the mobile OS or the device itself can be exploited by an attacker. Often, these exploits are more damaging than higher-level ones because they exist below and outside the visibility of the device’s security solutions.

Tips:

  • We strongly recommend that you raise an ICT service ticket to install Microsoft Defender (our corporate mobile security solution) on your personal mobile devices

Required Action:

  • Please report any malicious activities on your mobile device to the ICT service desk

Please watch the short video below:



Mobile Device Security

Questions

Please answer the following 2 questions

Question 1 : Can Apple and Google's app store guarantee that all apps are 100% malware free?



Question 2 : What is the recommended action for an app that you no longer use?




8. Internet Security

Understanding Internet Security

We can confidently say it is a well-known fact that internet security is priceless and lifesaving for every person using the internet. You may ask why? Well, simply because it helps keep us and our families safe when using the internet and browsing the web. As we mentioned earlier, there are many internet security threats and some of them can be extremely dangerous.

Legal, Ethical and Responsible use of ICT Resources

Users must ensure that use of ICT Resources is always legal and ethical. This also includes the users’ interactions with all social media platforms.


Inappropriate internet usage would include (but is not limited to):

  • Creating or exchanging messages which commit or permit a breach of confidence or the privacy of any business information.
  • Creating or sending a communication under another person’s name or using another person’s email account to send an email (unless express consent has been given).

Inappropriate internet usage (continued):

  • Creating, forwarding, or sending chain or spam emails, or other unsolicited or bulk emails.
  • Creating, forwarding, or sending communications which are obscene, abusive, harassing, fraudulent, threatening, tormenting, annoying or repetitive, discriminatory, vilifying or incite hatred toward any person based on sex, race or disability.
  • Viewing or downloading internet content that is offensive, obscene, pornographic, or otherwise objectionable.

Inappropriate internet usage (continued):

  • Downloading or installing software or running unknown or unapproved programs without express prior approval by ICT Department.
  • Burdening the email system or internet system with noticeable congestion or additional costs.
  • Accessing gambling internet sites.

Inappropriate internet usage (continued):

  • Playing electronic or online games during work time.
  • Printing confidential documents unless they are needed. Also, don’t recycle unwanted documents; make sure to dispose of them safely by using a cross-cut shredder.
  • Using ICT Resources to create any legal or contractual obligations.

Inappropriate internet usage (continued):

  • Handle business data with care. Only share business data with people within the business who need to know.
  • Be aware of data privacy. Data privacy involves the rights and duties of individuals and organisations regarding the collection, use, retention, disclosure, and disposal of personal data.
  • Transmitting work-related information to personal email and/or social media accounts.
  • Staff are not permitted to send unencrypted Confidential information by email, removable media, or any other medium.

Prohibited use for personal gain

Under no circumstances may the Co-operative’s ICT Resources be used for, or in relation to, corrupt conduct, unauthorised personal financial or commercial gain, or the unauthorised financial or commercial gain of a third party.

Tips:

  • Be mindful of the websites you visit. Before you open up your internet browser (our recommended browser is Microsoft Edge), consider whether a website is for strict business use or something more personal.

Required Action:

  • All new software or SaaS platforms must be vetted by the ICT department before you attempt to load them on your system

Please watch the short video below:


Internet Security

Questions

Please answer the following 2 questions

Question 1 : When you are browsing the internet and an untrusted source requests your sensitive information, which of the following questions, as per the video, do you NOT need to consider asking?





Question 2 : Is using a company-owned computer for personal gain permissible?



9. Clear Desk & Screen

What is Clear Desk and Screen?

The clean desk and clear screen philosophy refers to practices that ensure sensitive information – both in digital and physical format – and assets (e.g. notebooks, cellphones, tablets, etc.) are not left unprotected at personal and public workspaces when they are not in use, or when someone leaves their workstation, either for a short time or at the end of the day.

A clear screen policy directs all your organisation’s employees to lock their computers when leaving their desk and to log off when leaving for an extended period of time. This ensures that the contents of the computer screen are protected from prying eyes and the computer is protected from unauthorised use.

Clear Desk and Screen Recommendations:

  • Workstations should be turned off when unoccupied, or locked with a secure password when absent.
  • Confidential information should always be removed from desks, meeting rooms, and printers, leaving them safe in locked cabinets after handling. It is also recommended that you erase any whiteboards/turn off presentation screens at the end of meetings and dispose of the trash properly.

Clear Desk and Screen Recommendations (continued):

  • Passwords cannot be left on notes posted on or under a computer, nor written in places accessible to others.
  • Printouts containing sensitive, confidential, or restricted information should be removed immediately from the printer.
  • Clean waste requires attention, too, as sensitive, confidential, or restricted documents must be shredded and disposed of properly in designated secure locations.

Tips

  • Treat stakeholders' confidential information as you would your own

Required Action:

  • If you see any breach of clear desk or screen philosophy, please raise an ICT support ticket

Please watch the short video below:



Clear Desk & Screen

Questions

Please answer the following 2 questions

Question 1 : You no longer need a confidential printed document. What should you do?





Question 2 : Is it best practice to lock your computer whenever you leave it unattended?




10. Physical Security

What is Physical Security?

Physical security aims to protect people, property, and physical assets from any action or event that could lead to loss or damage. Physical security is crucial, and all staff must work together to ensure the security of assets.


Why is Physical Security important?

Physical security keeps your employees, facilities, and assets safe from real-world threats. These threats can arise from internal or external intruders that threaten data security.

Physical attacks can involve breaking into a safe or restricted area. An attacker can easily damage or steal critical IT assets, install malware on systems, or leave a remote access port on the network.

It is important to have strict physical security to protect against external threats, as well as equally effective measures to avoid the risks of any internal intruder.

What are the main threats to Physical Security?

Physical security focuses on keeping your facilities, people, and assets safe from real-world threats. Currently, there are multiple attack vectors, and these can focus not only on physical and technological weaknesses, but also on weaknesses specific to the human condition (social engineering).

Some of the most common and most difficult attacks to mitigate are focused on Social Engineering: psychologically manipulating people to perform actions or disclose confidential information. Examples:

  • Tailgating: The attacker manages to follow an authorised person to a reserved area.
  • Piggybacking: The attacker manages to trick an authorised person into giving them access to reserved areas.

Tips

  • Don't be afraid to challenge suspicious characters

Required Action:

  • Please report suspicious activities by unauthorised persons to the Building Manager or raise an ICT ticket.

Please watch the short video below:



Physical Security

Questions

Please answer the following 2 questions

Question 1 : What is Shoulder Surfing?





Question 2 : Is it prudent to keep an eye on your corporate laptop or mobile device when you are in a public setting?



11. Artificial Intelligence

What is AI (Artificial Intelligence)?

AI, or Artificial Intelligence, refers to the development of computer systems that can perform tasks and make decisions that typically require human intelligence. It involves creating algorithms and models that enable machines to learn from data, recognize patterns, and adapt to new information or situations.

Types of Artificial Intelligence:

  • Machine learning: Machine learning (ML) is a commonly used subset of AI. ML algorithms and techniques allow systems to learn from data and make decisions without being explicitly programmed.
  • Deep learning: Deep learning (DL) is a subset of ML that leverages artificial computational models inspired by the human brain called neural networks for more advanced tasks. ChatGPT is an example of AI that uses ML to understand and respond to human-generated prompts.
  • Generative AI: Generative AI refers to a subset of artificial intelligence techniques that involve the creation and generation of new content, such as images, text, audio, or even videos. It involves training models to understand patterns in existing data and then using that knowledge to generate new, original content that resembles the training data.
  • Narrow AI: All types of AI are considered Narrow AI. Their scope is limited, and they’re not sentient. Examples of such AI are voice assistants, chatbots, image recognition systems, self-driving vehicles, and maintenance models.

Risks from Artificial Intelligence:


Although there are many benefits to using AI in a business environment including saving time, eliminating biases, automating repetitive tasks, improving customer experiences and better decision making, there are also risks. Below are a few to consider.

  • Data manipulation and data poisoning: While AI is a powerful tool, it can be vulnerable to data manipulation. After all, AI is dependent on its training data. If the data is modified or poisoned, an AI-powered tool can produce unexpected or even malicious outcomes.
  • Impersonation - Voice Cloning and Deepfakes: AI voice impersonation (also known as voice cloning) is the creation of an artificial rendering of a person's voice using AI tools or software. Deepfake technology can be used to make people appear to say or do things that they have not actually said or done. Both techniques can be used to perpetrate various crimes, including financial fraud and intellectual property theft.
  • Physical safety: As more systems such as autonomous vehicles, manufacturing and construction equipment, and medical systems use AI, risks of artificial intelligence to physical safety can increase. For example, an AI-based true self-driving car that suffers a cyber security breach could result in risks to the physical safety of its passengers.

Risks from Artificial Intelligence (continued):

  • Automated malware: Having ChatGPT write a convincing phishing email could be the tip of the iceberg. Future AI-powered tools may allow developers with entry-level programming skills to create automated malware, like an advanced malicious bot that can steal data, infect networks, and attack systems with little to no human intervention.
  • Cyber attack optimization: Experts say that attackers can use generative AI and large language models to scale attacks at a previously unseen level of speed and complexity. They may use generative AI to find fresh ways to undermine cloud complexity and take advantage of geopolitical tensions for advanced attacks. They can also optimize their ransomware and phishing attack techniques by polishing them with generative AI.
  • AI privacy risks: In what was an embarrassing bug for OpenAI CEO Sam Altman, ChatGPT leaked bits of chat history of other users. Although the bug was fixed, there are other possible privacy risks due to the vast amount of data that AI crunches. For example, a hacker who breaches an AI system could access different kinds of sensitive information.

AI - Final Thoughts

Although Generative AI promises remarkable advancements, it’s not without its challenges and risks (which we have just covered). Privacy is probably the most significant concern. When models are not trained with privacy-preserving algorithms (e.g. ChatGPT Free, Google Gemini, etc.), they are vulnerable to numerous privacy risks and attacks.

Given these risks, it’s important to think twice about entering any sensitive personal or professional information into these free-to-use LLMs. These models pose privacy risks, such as memorising vast volumes of training data, including sensitive data, which may be exposed accidentally and used by attackers for malicious purposes.

We advise that it is best to stick with paid services like Microsoft Copilot or ChatGPT Enterprise, which offer privacy-preserving functionalities.

Please watch the short video below:



Artificial Intelligence

Questions

Please answer the following 3 questions

Question 1 : Which of the following IS a type of AI?





Question 2 : Complete this sentence on the subject of Data Poisoning

If the data is modified or poisoned, an AI-powered tool can produce unexpected or even ...... outcomes.





Question 3 : As per the video, is it okay to enter highly confidential information into any AI tools?



Thanks for taking the time to complete the training.

Some interesting further reading can be found here: The Latest 2023 Cyber Crime Statistics


Stay safe out there in Internet Land AND REMEMBER, if you witness any of the below examples of Information Security events, please lodge a ticket with the ICT Service Desk.

Alternatively, if you have a great idea to improve our businesses' security posture, please lodge this via the BEST Idea portal. Both are accessible via Teams or the GG HUB.

As mentioned in the training, please report all information security events to the ICT Service Desk.

Examples are listed below:

  • ineffective information security controls;
  • breach of information confidentiality, integrity or availability expectations;
  • human errors;
  • non-compliance with the information security policy, topic-specific policies or applicable standards;
  • breaches of physical security measures;

Examples are listed below (continued):

  • system changes that have not gone through the change management process;
  • malfunctions or other anomalous system behaviour of software or hardware;
  • access violations;
  • vulnerabilities;
  • suspected malware infection.

Please do not try to resolve the incident yourself or attempt to prove suspected information security vulnerabilities.


Please watch the following video if you are interested in learning more about Cyber Security

Congratulations!




Thank you for taking the Security Awareness Training.

A confirmation email has been sent to you.

Important: Please take a screenshot/photo of this page and email it to People & Culture if you don't get any email notification about your result!

Sorry, you did not meet the minimum requirement to pass this training. Please try again.
