
Cybersecurity Awareness Training for End Users

Training Quick Guide

University of Science and Technology


June 30, 2018
Morning Session
Introduction and Cybersecurity Basics
What is the internet?
What is safety?
What is cybersecurity?
Myths of Cybersecurity
Glossary: Common jargon and terminologies
Common malicious attacks used by cybercriminals
Social Engineering
Elements of a cyberattack
Silos of internet data
Online fraud, and identity theft
Participants Assessment

Afternoon Session
Securing your Person, Online
Basic computer security
Accounts and permissions
Basic security tools for the PC
Basic Windows Lockdown
Disabling USB Autorun
Securing Network Shares
Windows Local Group Policy
Localized data encryption
Encryption with VeraCrypt
Passwords and Authentication Best Practices
Do's and Don'ts in handling passwords
Password Managers
Two-factor Authentication (2FA)
Web Browsing Safety
Web browsing safety tips
Demo: interrogating the browser for cookies and other data
Email Safety
Verifying email messages
Securing Email
Workshop: enabling 2FA with Google Authenticator
Email encryption with PGP/GNUPG
Workshop: PGP with Mailvelope
Keeping your sanity with email filters
Social Media Safety
Securing your Facebook account
Chat Safety
Mobile Safety
Trainers

Romar Mayer Micabalo

- IT Team Lead and DevOps SysAdmin for Innovuze Solutions, Inc.
- Former SysAdmin for Time Doctor / Staff.com
- Volunteer / Co-Organizer for ITG-X and PyTsada
- Long-time Linux and open source advocate and evangelist

Aryan Lowell Limjap

- DevOps SysAdmin for Innovuze Solutions, Inc.
- Former Network Engineer for Capitol University
- Volunteer for ITG-X, PyTsada, and HackM3
What is this Quick Guide about?

This training quick guide is a companion to the Cybersecurity Awareness Training for End Users. It contains definitions, a glossary of terms, installation steps for the software used in the workshops, and links to additional tools and references that training participants can use and revisit at their own leisure.
What is the internet?
The Internet is a global network of interconnected computers, providing information, storage, and communication facilities. It was born out of the initial, albeit smaller, ARPANET project from the Defense Advanced Research Projects Agency (DARPA).

The Internet as we know it today is fairly ubiquitous and pervasive. We connect to the internet
via our computers, laptops, mobile phones, tablets, TVs, and even home appliances. Virtually all
manner of data is being stored and exchanged via the internet.

What is safety?
- (n) the condition of being safe from undergoing or causing hurt, injury, or loss (Merriam-Webster’s Dictionary)

What is cybersecurity?
- (n) the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this. (Google)
- (n) refers to a set of techniques used to protect the integrity of networks, programs and data from attack, damage, or unauthorized access. (Palo Alto CyberPedia)

Cybersecurity is the term for all the processes and practices implemented to protect networks, computers, applications, and data from attacks on the C-I-A triad (Confidentiality, Integrity, and Availability).
The CIA Triad

● Confidentiality - prevent unauthorized disclosure of information
● Integrity - prevent unauthorized modification of information or files
● Availability - ensure timely access to resources

Confidentiality
● Keep sensitive information off the network, if possible.
● Encrypt sensitive information
● Protect access to your system
● Don’t share sensitive information
● Password protection

Integrity
● Prevent unauthorized modification of information
○ Email
○ Data
○ Digital Downloads
○ Log and audit files
● Check the reliability / trustworthiness of information
○ Pwned / hacked websites
○ Email with modified content
○ Corrupted files

Availability
● Denial of Service attacks and Distributed Denial of Service attacks
● Expect the unexpected (contingency plans)
● Beware of natural or man-made disasters

Cybersecurity:
● is everyone’s concern
● helps your organization
○ reduce loss
○ protect customer information
○ prevent fraud
○ reduce stress, hair loss and gnashing of teeth
Myths of Cybersecurity

“It won’t happen to me. I’m not important.”

This is commonly referred to as “security through obscurity”: believing that since you’re not prominent or important enough, you won’t be targeted and victimized.

“I’ll just install (X), and I’ll be safe.”

Referred to as the “magic bullet” fallacy: most users believe that installing a certain security app protects them from all manner of security issues.

“I don’t access unsafe URLs so I’m safe.”

Some users believe that their “safe” usage patterns make them impervious to security problems, without realizing that intrusion can come from anywhere, including ADVERTISEMENTS shown on “safe websites”.

“I use strong passwords, so I’m ok.”

Password strength is not a guarantee of solid security. However, having a strong password does make you a little safer online.

“Security is expensive!”

Most companies have this mindset. It is partially related to the “magic bullet” fallacy: users and companies believe that the more expensive the tool, the better secured they become.

“I only open emails from friends, so I’m safe.”

This is “security by association”: believing that since your friends are safe and secure, you are secure as well.

“I only access trusted sources, so I’m safe.”

Yet another myth that relies on “safe usage patterns”.

“My social network is safe, so I’m safe.”

The quality of your social network is not a guarantee that you will be secure online.

“I don’t deal with sensitive data. Why worry?”

The quality or sensitivity of the data you handle at work or at home is not a guarantee of security. This is a variant of “security through obscurity”.

“If I’m infected, I’ll know.”

This is an oft-repeated statement, not only in cybersecurity but in the real world as well. The answer is “No, you won’t.”
Cybersecurity Myths Summary

● Everyone is a potential victim.
● There’s no magic bullet.
● Your internet usage pattern is not a safety guarantee.
● Strong passwords are just a minute part of the solution.
● Security doesn’t need to be expensive.
● Trust doesn’t need to be broken to become a victim.
● The quality of your social network is irrelevant.
● You won’t know immediately if you’ve become a victim.
Glossary, Jargon, and Common Terminologies

Adware
Software that displays advertisements on your computer.

Becomes a problem when it:

● installs itself on your computer without your consent
● installs itself in applications other than the one it came with and displays advertising when you use those applications
● hijacks your web browser in order to display more ads
● gathers data on your web browsing without your consent and sends it to others via the Internet

Anonymizing proxy
A proxy that allows the user to hide their web browsing activity, often used to bypass web security filters, e.g., to access blocked sites from a work computer.

Anonymizing proxies hold security and liability risks for organizations:

● the proxy bypasses web security and allows unauthorized webpage access
● organizations are legally liable if computers are used for porn or hate material or to incite illegal behavior, and face ramifications if users violate third-party licenses via illegal downloads

Browser Hijacker
Used to boost advertising revenue, as in the use of blackhat Search Engine Optimization (SEO), to inflate a site’s page ranking in search results.

The attacker hijacks clicks meant for one page and routes them to another page, most likely owned by another application, domain, or both.

Brute-force Attack
Hackers try a large number of possible keyword or password combinations to gain unauthorized access to a system or file.

● Hackers use computer programs to try a very large number of passwords to decrypt the message or access the system.
● To prevent brute-force attacks, it is important to make your passwords as secure as possible.
Data leakage
The unauthorized exposure of information. It can result in data theft or data loss.

Denial-of-Service Attack (DoS)
A denial-of-service (DoS) attack prevents users from accessing a computer or website.

Typical DoS attacks target web servers and aim to make websites unavailable. No data is stolen or compromised, but the interruption to the service can be costly for an organization.

Email malware distribution
Refers to malware that is distributed via email.

● This malware relies on users double-clicking an attachment, which runs the malicious code, infects their machine and sends the malware on to more email addresses from that computer.
● User education can raise awareness of email scams and seemingly legitimate attachments or links.

Internet worm (aka ‘worm’)
Worms are a form of malware that replicates across the Internet or local networks.

Worms differ from computer viruses because they can propagate themselves, rather than using a carrier program or file. They simply create copies of themselves and use communication between computers to spread.

Phishing emails (aka ‘phishing’)
Refers to the process of deceiving recipients into sharing sensitive information with an unknown third party.

● Typically in a phishing email scam, you receive an email that appears to come from a reputable organization, such as a bank, social media site or financial institution.
● To protect against phishing attacks, it’s good practice not to click on links in email messages. Instead, enter the website address in the address field and then navigate to the correct page.
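The reason for the “type the address yourself” advice is that the text a link shows and the place it actually sends you are two separate things. The following is an added example (not part of the training materials) written in Python: it parses a constructed phishing-style HTML message and reports every link whose real destination is outside the expected domain, hides its host behind a user@ prefix, or displays a different host from the one it points to. The message text, the domain example-bank.com and the function names are all made up for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message in the style the glossary describes: a "locked account" lure
# whose visible link text names the real bank while the href goes elsewhere.
SAMPLE_MAIL = """
<p>Dear customer, your account is locked.</p>
<p>Please <a href="http://www.example-bank.com.account-verify.test/login">https://www.example-bank.com/login</a> to restore access.</p>
<p>Questions? <a href="https://www.example-bank.com/help">Help centre</a> or <a href="mailto:help@example-bank.com">email us</a>.</p>
<p><a href="https://www.example-bank.com@198.51.100.7/">Secure login</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_web_link(url: str):
    """Parse a URL; return None for non-web schemes (mailto:, tel:, javascript:) or junk."""
    text = url.strip()
    try:
        parts = urlsplit(text)
        if parts.scheme and parts.scheme not in ("http", "https"):
            return None
        if not parts.scheme:
            parts = urlsplit("http://" + text)  # bare "www.example.test/path"
        return parts
    except ValueError:
        return None


def same_site(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, expected_domain: str) -> list:
    """One (href, reason) entry per link that leaves expected_domain, hides its host behind
    userinfo, or whose visible text names a different host than the real target."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = split_web_link(href)
        if parts is None:
            continue
        target = (parts.hostname or "").lower()
        if "@" in parts.netloc:
            findings.append((href, "userinfo before the host hides the real destination"))
        elif not same_site(target, expected_domain):
            findings.append((href, f"target {target!r} is not under {expected_domain}"))
        # Visible text that looks like a URL or host name must agree with the real target.
        shown = split_web_link(text) if ("." in text and " " not in text) else None
        shown_host = (shown.hostname or "").lower() if shown else ""
        if shown_host and shown_host != target:
            findings.append((href, f"text shows {shown_host!r} but link goes to {target!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL, "example-bank.com"):
        print(f"{reason}: {href}")
```

Run against the sample, the first link is reported twice (its host is under a lookalike domain, and its visible text disagrees with it) and the last once (the bank name before the @ is ignored by the browser, which connects to 198.51.100.7). A mail filter or a browser hover preview does the same comparison; the check is only a heuristic, so a clean result does not make a link safe.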

Intrusion Prevention System (IPS)
Intrusion prevention systems (IPS) monitor networks and systems for malicious activity.

An IPS can log activity information, and also attempt to block the activity and report it to network administrators to prevent network infections.
Uniform Resource Locator (URL)
A URL, also referred to as a web address, typically starts with http:// or https:// and is what users type into the web browser.

URL/web content filtering
URL or web content filtering describes the technology that allows organizations to block specific websites or entire categories.

Most malware and phishing attacks are carried out via the web. By restricting access to certain websites, organizations can reduce the risk that their users will become victims.

Ransomware
Ransomware is software that denies you access to your files or computer until you pay a ransom.

For example, the Archiveus Trojan copies the contents of the My Documents folder into a password-protected file and then deletes the original files. It leaves a message telling you that you require a 30-character password to access the folder, and that you will be sent the password if you make purchases from an online pharmacy.

In some cases, the password or key is concealed inside the Trojan’s code and can be retrieved by malware analysts. However, some criminals use asymmetric or public-key encryption (which uses one key to encrypt the data, but another to decrypt it) so that the password is not easily recoverable.

Vulnerability
A security vulnerability is a weakness in a product or system that could allow an attacker to compromise the integrity, availability, or confidentiality of that product.

Threats
A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system.

Threats are potentials for vulnerabilities to turn into attacks on computer systems, networks, and more.

Threats can include everything from viruses, trojans and backdoors to outright attacks from hackers.

Exploits
An exploit takes advantage of a weakness in an operating system, application, hardware or any other software code.

Security exploits come in all shapes and sizes, but some techniques are used more often than others. Some of the most common web-based security vulnerabilities include SQL injection attacks, cross-site scripting and cross-site request forgery, as well as abuse of broken authentication code or security misconfigurations.

0-Day (‘zero day’)
A zero-day vulnerability occurs when a piece of software -- usually an application or an operating system -- contains a critical security vulnerability of which the vendor is unaware.

The vulnerability only becomes known when a hacker is detected exploiting it, hence the term zero-day exploit.

Systems running the software are left vulnerable to attack until the vendor releases a patch to correct the vulnerability and the patch is applied to the software.
Software Utilities

SYSINTERNALS AUTORUNS FOR WINDOWS

Autoruns for Windows has the most comprehensive knowledge of auto-starting locations of any startup monitor. It shows you what programs are configured to run during system boot-up or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.

Download at https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

There is no installation step for Autoruns for Windows. Once you have downloaded the ZIP file, extract the package to a folder of your choice and run (double-click) Autoruns.exe.

VERACRYPT
VeraCrypt is free, open source disk encryption software for Windows, Mac OS X and Linux. It is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys.

Download at https://www.veracrypt.fr/en/Downloads.html for your operating system of choice.

LASTPASS
LastPass is a popular, freemium password manager.

Download at https://www.lastpass.com/

MAILVELOPE
Mailvelope is an open source project that provides OpenPGP encryption for webmail (web-based email). It comes as an extension for Google Chrome, or an add-on for Firefox.

In order to read a PGP-encrypted email, the receiving party needs to have your PGP public key installed as well.

Download Mailvelope at https://www.mailvelope.com/en/ .


Installing VeraCrypt

1. Download VeraCrypt Setup 1.22.exe, or whatever version is available for download, from the website at https://www.veracrypt.fr/en/Downloads.html.
2. Save the .exe file into a folder on your computer.
3. Run the installation by double-clicking on the VeraCrypt Setup 1.22.exe installer file.
4. VeraCrypt will ask you if you want to allow the installer to make changes to your PC. Click on Yes.
5. In the License screen, click on “I accept the license terms” and click Next.
6. In the Wizard Mode dialog, choose ‘Install’ to install. ‘Extract’ is only applicable if you want VeraCrypt to be portable. In our case, we need it to run only on our Windows computer.
7. Choose where to install VeraCrypt. You can leave it as is. Click Install.
8. Let VeraCrypt finish installing.
9. In the installation confirmation dialog, click OK.
10. On the final confirmation dialog, click Finish.
Creating a VeraCrypt Encrypted Volume

1. After installing VeraCrypt, double-click on VeraCrypt.exe or click on VeraCrypt in the Windows Start menu.
2. In the VeraCrypt window, click on Create Volume.
3. The VeraCrypt Volume Creation Wizard will appear. Choose ‘Create an encrypted file container’ and click on Next.
4. Choose ‘Standard VeraCrypt volume’ in the Volume Type dialog and click Next.
5. Specify the volume location for your VeraCrypt volume. Click ‘Select File’, specify the path and filename of the volume, click Save, then click Next.
6. Select an encryption algorithm to use for your VeraCrypt volume. For this exercise, just use AES for the encryption algorithm and SHA-512 for the hash algorithm. Click Next.

More about encryption algorithms can be read at https://www.veracrypt.fr/en/Encryption%20Algorithms.html and hash algorithms at https://www.veracrypt.fr/en/Hash%20Algorithms.html

7. Choose the size for your VeraCrypt volume (this is where the encryption algorithm is used). Click Next.
8. To make sure that your VeraCrypt volume doesn’t get mounted arbitrarily by anyone using your computer, assign a password (this is where the hash algorithm is used). Click Next.
9. Choose a volume format. Modern Windows versions support FAT and NTFS. Linux supports EXT2, EXT3, EXT4, etc. Choose NTFS or FAT. Make sure to move your mouse to generate enough randomness, then click Format.
10. After creating the volume, click on OK in the confirmation dialog.
11. In the Volume Created dialog, click on Exit.

Using / Mounting a VeraCrypt volume

1. In the main VeraCrypt window, click on an empty mount point and click Select File.
2. Select the VeraCrypt volume encrypted file you generated earlier, and click Open.
3. With the encrypted volume file selected, click on Mount.
4. Enter the password in order to mount the volume.
5. Select the PRF algorithm used for the password. In our case, the hash algorithm used was SHA-512. Click OK.
6. Once the volume has been successfully mounted, it will be listed at the mount point with the assigned drive letter. You can now access the volume normally via Windows Explorer and other apps.
Google Authenticator
Google Authenticator is a software token that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP) and the HMAC-based One-time Password Algorithm (HOTP), for authenticating users of mobile applications by Google.
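To show what the app is actually computing when it displays a six-digit code, here is an added Python example (not Google Authenticator’s code, which is not on this page) implementing HOTP and TOTP from the standard library, plus the base32 decoding of the secret that the QR code in the workshops carries and a server-side check with a small clock-skew window. The secret is the published RFC 4226/6238 test value; the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret taken from the RFC 4226 / RFC 6238 test vectors (a constructed value for this
# example). A real authenticator stores the secret it scanned from the QR code; the server
# stores the same secret, which is why the server-side copy must be protected like a password.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Turn the base32 secret carried in an otpauth:// QR code into raw key bytes."""
    cleaned = encoded.replace(" ", "").strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)  # authenticator secrets usually omit '=' padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, timestamp=None, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check. Accepts the current period plus `window` periods either side to
    tolerate clock skew, and compares in constant time so timing does not leak matching digits."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    # The same secret as TEST_SECRET, in the base32 form a QR code would carry.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key))
```

Two things the code makes visible: the code changes every 30 seconds only because the counter does, so a phone whose clock is badly off produces codes the server rejects; and the secret is a shared key, so the recovery codes the guide tells you to print are there because losing the phone means losing the only copy of that key you hold.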
Setting up Two Factor Authentication for Facebook

1. Log in to your Facebook account.
2. Click on the down arrow located at the upper right hand of the page. Select Settings in the menu.
3. Click on Security and Login (this is located in the upper left hand side of the page).
4. Click on the Edit button in the Use two-factor authentication section.
5. Under Authentication App, click on Add new app. Scan the generated QR code using Google Authenticator.
6. As an added layer of security, in Recovery Codes click on Setup, then click on Get Codes. Print and save the codes at your most convenient, yet secure, storage location. These codes will come in handy in the unfortunate event you lose your phone (Google Authenticator).

Setting up Two Factor Authentication for Twitter

1. Log in to your Twitter account.
2. Click on your avatar on the upper right hand side of the page to access your Profile and Settings.
3. Click on Account. In the Security section click on Setup Login Verification.
4. In the popup dialog that appears, click on Start.
5. Type your Twitter password in the popup dialog. Then click Verify.
6. Click on Send code in the next popup.
7. Once you have received your SMS code, type it in the next popup and click Submit. You can choose to generate backup codes as an added layer of security.
Setting up Two Factor Authentication for Instagram

1. Tap the profile button in the bottom-right corner of the screen.
2. Tap the dotted icon near the top-right corner of the screen.
3. Under “Privacy and Security,” tap “Two-Factor Authentication.”
4. Flip the switch Require Security Code to ON.
5. Select Turn On in the popup dialog.
6. Type in the 6-digit SMS code on the screen. Confirm your mobile number.
7. A screenshot of your IG backup codes will be sent to your Gallery under Screenshots. Print and secure this image as soon as possible.

Setting up Two Factor Authentication for LinkedIn

1. Log in to your LinkedIn account. Click on the profile picture at the upper right part of the screen.
2. Under Account, click on Settings and Privacy.
3. In Login and Security, click on Two-step verification.
4. You will be asked to provide a mobile number to verify and receive SMS codes from.
5. Once activated, you will be required to enter an SMS code after typing in your password upon login.
Setting up Two Factor Authentication for Gmail

1. Navigate to https://www.google.com/landing/2step/
2. Click on Get started.
3. Enter the phone number you want to use for OTP. This is just in case the authenticator app isn’t accessible. Click Next.
4. Enter the one-time password sent to your phone. Click Next.
5. Click Turn on.
6. This enables two-factor authentication via SMS on your Google account. Now scroll down and click Setup under Authenticator app.
7. In the pop-up, select the type of phone you have: Android or iPhone.
8. Now you’ll see a QR code on screen. You can either scan this or click Can’t scan it to get a code for two-factor authentication. This is where you’ll have to switch to your smartphone.
9. Download Google Authenticator on Android or iOS.
10. Tap Begin Setup.
11. Tap Scan barcode. This will fire up the camera on your smartphone and you can point it at the QR code on the computer screen.
12. On the Google two-factor authentication page, click Next.
13. Enter the code from your authenticator app and click Verify.
14. Set the Authenticator app as the default second step.


Installing Mailvelope

Basics
OpenPGP, and therefore Mailvelope, uses public-key encryption, which means a key is split into two parts, a public key and a private key, with different purposes:

Public key – Used to encrypt a message. Is, and should be, available to everybody.

Private key – Used to decrypt a message. Needs to be stored securely. Access is restricted by password.

In order to send an encrypted email, you must have the public key of the recipient. Therefore, before secure communication can happen between two people, they must exchange their public keys.

Installing

For Google Chrome, visit https://chrome.google.com/webstore/detail/mailvelope/kajibbejlbohfaggdiogboambcijhkke to download, and click Install.

For Firefox, visit https://addons.mozilla.org/firefox/downloads/latest/mailvelope/ then choose “Allow” and “Add”.
Configuring Mailvelope

Generating a Key

1. To start using Mailvelope, we need to generate a private key and public key in order for Mailvelope to perform encryption. Click on the Mailvelope “lock” icon in your browser, then click Configure Mailvelope (gear icon).
2. Click on ‘Generate key’ to generate your keys.
3. Fill in the form with a descriptive name for the key, your email, and a password. You can opt NOT TO UPLOAD your public key to Mailvelope’s own key server. Click on ‘Generate’ once done.
4. After generating your keys, you can see the keys by clicking on Display Keys.
Composing an Encrypted Email Message

With Mailvelope already installed and configured, you can now compose an encrypted message.

1. Click on ‘Encryption’ in the Mailvelope menu.
2. Click on ‘Text Encryption’.
3. Proceed to write your message in plaintext. If you want to add a recipient, the recipient’s public key must be added/imported into Mailvelope beforehand. However, you can still encrypt the message, then copy the generated encrypted message and paste it into Gmail.
4. View your sent message. Mailvelope will automatically detect that the message was encrypted and will show an overlay with a lock icon. Clicking on the icon will decrypt the message, provided that you have the public key of the sender. You can decrypt your own sent messages anytime.
LastPass

LastPass is a free-to-try password manager that works for both desktop and mobile devices.

LastPass is available on Android, iOS and Windows.

LastPass allows you to store your passwords and login credentials for all your web applications.

Using LastPass

1. Get the LastPass browser extension. Install the extension in your browser for saving and accessing your passwords.
2. Make a strong master password.
3. Explore your LastPass vault.
Setting Privacy settings in Facebook

1. Log in to your Facebook account. Click on the down arrow on the upper right hand of the page.
2. Select Settings and then select Privacy from the left hand side of the page.
3. Adjust privacy settings as desired by clicking on the Edit links for each section.
4. Click on Ads and set preferences for minimal ad exposure.
5. Under Apps and Websites, edit and check any website and app you used Facebook to log in to. Make sure you have explicitly enabled access to these entries.
Additional References

http://time.com/4673602/terms-service-privacy-security/

https://www.pcpd.org.hk/english/publications/files/interd_e.pdf

http://www.bbc.com/news/business-36854292

https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/how-much-is-your-personal-data-worth-survey-says

https://cacm.acm.org/magazines/2018/2/224626-the-war-over-the-value-of-personal-data/fulltext

https://www.forbes.com/sites/thomasbrewster/2018/04/16/huge-facebook-facial-recognition-database-built-by-ex-israeli-spies

https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/

https://www.windowscentral.com/how-use-windows-10-non-admin-and-why

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

https://www.betterbuys.com/estimating-password-cracking-times/

https://howsecureismypassword.net/

http://www.passwordmeter.com/

https://password.kaspersky.com/

https://www.cnet.com/news/the-best-password-managers-directory/

http://www.primalsecurity.net/pgp-encryption/

https://blog.barkly.com/10-fundamental-cybersecurity-lessons-for-beginners

https://www.welivesecurity.com/2017/01/31/cybersecurity-5-basic-lessons-everyone/

https://www.pandasecurity.com/mediacenter/business/10-cybersecurity-basics-employees/

https://www.americanexpress.com/us/small-business/openforum/articles/7-cyber-security-basics-every-small-business-needs/

http://www.its.ms.gov/Services/Pages/Security-Links-for-Cyber-Security.aspx

https://heimdalsecurity.com/blog/free-cyber-security-tools-list/

https://www.theguardian.com/technology/2013/sep/16/10-ways-keep-personal-data-safe

http://theconversation.com/7-in-10-smartphone-apps-share-your-data-with-third-party-services-72404

https://www.ftc.gov/tips-advice/business-center/guidance/small-business-computer-security-basics

https://www.nist.gov/news-events/news/2018/06/youve-been-phished