Today I want to tell you about an awesome free resource that can help level up your organization’s cyber skills – the DoD Cyber Awareness Challenge 2024.
In case you didn’t know, the Department of Defense puts out a cyber awareness challenge every year that’s completely unclassified and available to the public. That means your business can take advantage of this top-notch training content completely free of charge!
The challenge consists of informational modules and quizzes covering all aspects of cybersecurity best practices. The content is expertly designed by DoD cyber pros to help learners understand current cyber threats and how to protect against them.
Cyber Awareness Challenge 2024 Topics
- Unclassified Information
- Sensitive Compartmented Information
- Classified Information
- Physical Facilities
- Government Resources
- Identity Authentication
- Malicious Code
- Social Engineering
- Removable Media
- Mobile Devices
- Social Networking
- Website Use
- Identity Management
- Insider Threat
- Telework
- Home Computer Security
The content is organized into ‘Missions’, each with engaging videos, scenarios, and knowledge checks to reinforce the concepts.
When they complete the challenge, they receive a nifty certificate of completion to celebrate their new cyber skills! This can not only boost team morale but also help your organization benchmark cyber readiness.
Investing in comprehensive cybersecurity awareness training can be daunting for a small or medium business. That’s what makes the DoD Cyber Awareness Challenge such an invaluable opportunity. It allows you to tap into military-grade training materials at no cost!
Cyber Awareness Challenge 2024 Questions and Answers
We’ve taken the challenge and listed the questions and answers below. We’ve included some additional explanations from their resources, which we hope you find helpful.
Unclassified Information
Unclassified is a designation to mark information that does not have the potential to damage national security (i.e., not been determined to be Confidential, Secret, or Top Secret).
DoD Unclassified data:
- Must be cleared before being released to the public
- May require the application of Controlled Unclassified Information (CUI) access and distribution controls
- Must be clearly marked as Unclassified or CUI if included in a classified document or classified storage area
- If aggregated, the classification of the information may be elevated to a higher level of sensitivity or even become classified
- If compromised, could affect the safety of government personnel, missions, and systems
Your meeting notes are Unclassified. This means that your notes
- Do not have the potential to damage national security.
What type of information does this Personnel Roster represent?
- Controlled Unclassified Information (CUI)
When e-mailing this personnel roster, which of the following should you do?
- Encrypt the PII
- Digitally sign the e-mail
- Use your government e-mail account
Sensitive Compartmented Information
Sensitive Compartmented Information (SCI) is a program that segregates various types of classified information into distinct compartments for added protection and dissemination or distribution control. SCI introduces an overlay of security to Top Secret, Secret, and Confidential information. To be granted access to SCI material, one must first have TOP SECRET clearance and be indoctrinated into the SCI program. There are explicit indoctrinations for each compartment under the SCI program umbrella. The Director of National Intelligence has overarching authority concerning SCI policy.
SCI markings, or caveats, identify the specific compartment or compartments with which the material is affiliated. These caveats define the separation of SCI classified material from collateral classified material. Information that requires a formal need-to-know determination, also known as a special access authorization, exists within Sensitive Compartmented Information.
Select an action to take in response to compromised Sensitive Compartmented Information (SCI).
- Call your security point of contact (POC)
Clue: Dr. Dove printed a sensitive document and retrieved it promptly from the printer.
- No
Clue: Col. Cockatiel worked on an unmarked document on the classified network.
- Yes
Clue: Mr. Macaw and a colleague had a conversation about a shared project in the SCIF after verifying no one was nearby.
- No
Which of these individuals demonstrated behavior that could lead to the compromise of SCI?
- Col. Cockatiel
Classified Information
Classified data are designated by the original classification authority as information that could reasonably be expected to cause a given level of damage to national security if disclosed:
- Confidential – damage to national security
- Secret – serious damage to national security
- Top Secret – exceptionally grave damage to national security
Classified data:
- Must be handled and stored properly based on classification markings and handling caveats
- Can only be accessed by individuals with all of the following:
- Appropriate clearance
- Signed and approved non-disclosure agreement
- Need-to-know
Select an area to work on a classified Document
- Designated security area
Physical Facilities
Physical security protects the facility and the information systems/infrastructure, both inside and outside the building. To practice good physical security:
- Know and follow your organization’s policy on:
- Gaining entry
- Securing work are
- Responding to emergencies
- Use your own security badge/key code. Note that your Common Access Card (CAC)/Personal Identity Verification (PIV) card is sometimes used as a facility access badge.
- Don’t allow others access or to piggyback into secure areas
- Challenge people without proper badges
- Report suspicious activity
- Protect access rosters from public view (e.g., do not take them home or post them in public spaces, such as bulletin boards)
Which of the following poses a physical security risk?
- Posting an access roster in public view
Which of the following must you do when using an unclassified laptop in a collateral classified environment?
- Disable the embedded camera, microphone, and Wi-Fi
- Use government-issued wired peripherals
Which of the following must you do when working in a SCIF?
- Verify that all personnel in listening distance have a need-to-know
- Ensure that monitors do not provide unobstructed views
- Escort uncleared personnel and warn others in the SCIF
Government Resources
Ethical use of government-furnished equipment (GFE):
- Use GFE for official purposes only
- Don’t allow unauthorized users to use your GFE
- Don’t view or download pornography
- Don’t gamble on the Internet
- Don’t conduct private business/money-making ventures
- Don’t load or use personal/unauthorized software or services, such as DropBox or peer-to-peer (P2P) software
- P2P software can compromise network configurations, spread viruses and spyware, and allow unauthorized access to data
- Only use streaming video and audio for official business and in accordance with your organization’s policy
- Don’t illegally download copyrighted programs or material
- Don’t make unauthorized configuration changes
- Only check personal e-mail if your organization allows it
- Don’t play games unless allowed by your organization to do so on personal time
- Always physically secure your device, including when working from home
Note: All DoD-owned devices are subject to monitoring. When you use these devices, you authorize the monitoring of your activity on these devices.
Is this an appropriate use of government-furnished equipment (GFE)?
- No
This is not an appropriate use of GFE. Why?
- You should not use government e-mail to sell anything.
- You should use a digital signature when sending hyperlinks.
- You should not use unauthorized services, such as file-share services, on GFE.
Identity Authentication
For identity authentication, the Department of Defense (DoD) is moving toward using two-factor authentication wherever possible. Two-factor authentication combines two out of the three types of credentials to verify your identity and keep it more secure:
- Something you possess, such as a Common Access Card (CAC)
- Something you know, such as your Personal Identification Number (PIN)
- Something you are, such as a fingerprint or other biometrics
Use two-factor authentication wherever possible, even for personal accounts. For example, some widely used personal services (like Google) offer two-factor authentication.
When using passwords at work or at home, create strong passwords:
- Combine letters, numbers, and special characters
- Do not use personal information
- Do not use common phrases or dictionary words in any language
- Do not write down your password; memorize it
- Follow your organization’s policy on:
- Password length
- Frequency of changing your password: best practice is at least every 3 months
- Avoid using the same password between systems or applications
Select the individual who securely authenticates their identity.
- Alex
Malicious Code
Malicious code can do damage by corrupting files, encrypting or erasing your hard drive, and/or allowing hackers access. Malicious code includes viruses, Trojan horses, worms, macros, and scripts. Malicious code can be spread by e-mail attachments, downloading files, and visiting infected websites.
How can malicious code spread? Select all that apply. Then select submit.
- E-mail attachments
- Downloading files
- Visiting infected websites
How can you prevent the download of malicious code? Select all that apply. Then select submit.
- Scan external files before uploading to your device
- Research apps and their vulnerabilities before downloading
Which of the following may indicate a malicious code attack?
- A new app suddenly appears on the device.
- The device slows down.
- A new tab appears in the Web browser.
Social Engineering
Social engineers use telephone surveys, e-mail messages, websites, text messages, automated phone calls, and in-person interviews. To protect against social engineering:
- Do not participate in telephone surveys
- Do not give out personal information
- Do not give out computer or network information
- Do not follow instructions from unverified personnel
- Document interaction:
- Verify the identity of all individuals
- Write down the phone number
- Take detailed notes
- Contact your security POC or help desk
- Report cultivation contacts by foreign nationals
Storage Quota Exceeded – How many social engineering indicators are present in this e-mail?
- 3+
Approved Software List – How many social engineering indicators are present in this e-mail?
- 3+
Removable Media
Removable media include flash media, such as thumb drives, memory sticks, and flash drives; external hard drives; optical discs (such as CDs, DVDs, and Blu-rays); and music players (such as iPods). Other portable electronic devices (PEDs) and mobile computing devices, such as laptops, fitness bands, tablets, smartphones, electronic readers, and Bluetooth devices, have similar features. The same rules and protections apply to both
You find an unlabeled thumb drive in the parking area outside your workplace. What should you do?
- Turn it in to your security officer
Mobile Devices
To protect data on your mobile computing and portable electronic devices (PEDs):
- Lock your laptop/device screen when not in use and power off the device if you don’t plan to resume use in the immediate future
- Enable automatic screen locking after a period of inactivity
- Encrypt all sensitive data on laptops and on other mobile computing devices when possible
- At a minimum, password protect Government-issued mobile computing devices; use two-factor authentication if possible
- Secure your personal mobile devices to the same level as Government-issued systems
- Understand your organization’s policy for using commercial cloud applications (e.g., Dropbox, Drive, etc.)
- Maintain visual or physical control of your laptop and mobile devices at all times and especially when going through airport security checkpoints
- Have a strategy for addressing a potential “authority situation” (e.g., police who want to inspect devices coincident with a traffic stop or an airport TSA agent check)
- If lost or stolen, immediately report the loss to your security POC
Which payment method poses the least risk?
- Cash
Which method of getting online poses the least risk?
- Approved mobile hotspot
Which action will keep DoD data the safest?
- Leave the coffee shop
Social Networking
Follow information security best practices at home and on social networking sites. Be aware of the information you post online about yourself and your family. Sites own any content you post. Once you post content, it can’t be taken back. The social networking app TikTok is banned on all Government devices
Everyone should see the new superhero movie! The special effects are fantastic on the big screen!
- Delete
Select an action to take with this friend request
- Deny
Select an action to take with this post on your feed
- Keep scrolling
Website Use
Internet hoaxes clog networks, slow down internet and e-mail services, and can be part of a distributed denial of service (DDoS) attack. To protect against internet hoaxes:
- Use online sites to confirm or expose potential hoaxes
- Don’t forward e-mail hoaxes
- Follow your organization’s policies on loading files onto workstations and laptops
Select an action to take with this e-mail:
- Research Claim
Identity Management
To protect your identity:
- Ask how information will be used before giving it out
- Pay attention to credit card and bank statements
- Avoid common names/dates for passwords and PINs
- Never share passwords and PINs
- Pick up mail promptly
- Do not leave outgoing postal mail in personal or organizational mailboxes, unless secured with a locking mechanism
- Shred personal documents
- Refrain from carrying SSN card and passport
- Order credit report annually
To respond to identity theft if it occurs:
- Contact credit reporting agencies
- Contact financial institutions to cancel accounts
- Monitor credit card statements for unauthorized purchases
- Report the crime to local law enforcement
Voice-activated smart devices can collect and share your personal information.
- True
The best way to keep your passport safe is to carry it with you.
- False
You should monitor your credit card statements for unauthorized purchases.
- True
Insider Threat
An insider threat uses authorized access, wittingly or unwittingly, to harm national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in the loss or degradation of resources or capabilities.
Insiders are able to do extraordinary damage to their organizations by exploiting their trusted status and authorized access to government information systems.
In one report on known U.S. spies, these individuals:
- Demonstrated behaviors of security concerns: 80% of the time
- Experienced a life crisis: 25% of the time
- Volunteered: 70% of the time
Although the vast majority of people are loyal and patriotic, the insider threat is real and we must be vigilant in our efforts to thwart it.
Does Bob demonstrate potential insider threat indicators?
- Yes
How should Bob’s colleagues respond?
- Report Bob
Telework
To telework, you must:
- Have permission from your organization
- Follow your organization’s guidance to telework
- Use authorized equipment and software and follow your organization’s policies
- Employ cybersecurity best practices at all times, including when using a Virtual Private Network (VPN)
- Perform telework in a dedicated area when at home
- Position your monitor so that it is not facing windows or easily observed by others when in use
Do not remove sensitive documents from your secure workspace to work offsite! Sensitive documents, either in hard copy or electronic format, are strictly prohibited. Be sure to safeguard all data while teleworking.
What step should be taken next to securely telework?
- Secure the area so others cannot view your monitor
Which of these personally-owned computer peripherals may be used with government-furnished recruitment?
- HDMI monitor
- USB keyboard
Does this action pose a potential security risk?
- Yes
Home Computer Security
Defend yourself! Keep your identity secure/prevent identity theft.
When working at home on your computer, follow these best security practices, derived from the National Security Agency (NSA) datasheet “Best Practices for Keeping Your Home Network Secure.”
- Turn on the password feature, create separate accounts for each user, and have them create their own passwords using a strong password-creation method
- Install all system security updates, and patches, and keep your defenses up-to-date
- Keep antivirus software up-to-date
- Regularly scan files for viruses
- Install spyware protection software
- Turn on firewall protection
- Require confirmation before installing mobile code
- Change default logon ID and passwords for operating system and applications
- Regularly back up and securely store your files
Antivirus Install?
- Yes
Create user profile?
- Yes
Enable firewall?
- Yes
Wrapping Up
A workforce armed with fundamental cyber awareness is one of the best defenses against rapidly evolving cyber threats. Help protect your organization and empower your employees by taking the DoD Cyber Awareness Challenge 2024!