Hello Community. Looking to spend 15 minutes providing "Personal CyberSecurity Awareness" training to fellow co-workers. Was wondering if anyone had any useful resources to share on that topic.
Don't take those stupid quizzes!
Seriously, my wife has several friends on social media (we share social media accounts as it confuses the algorithm [not really, the matrix can figure out which phone or computer we are using most of the time]) and they love to post the results of these supposedly "fun" "quizzes" or "games" which give away security questions. Here is an example:
"Your actor/actress name is your middle name and the street you grew up on." Mine is Oscar Hollywood. (not mine by the way.)
Your street name is, pick from a list. They then give a list of months with names next to them like January=Doggy, a list with 31 numbers on it, for supposedly your birthday so 1=Mixtape and the last thing you ate, e.g. Nachos, so you end up with something like Doggy Mixtape Nachos. Sometimes they try to make it less obvious by using things such as your Chinese New Year animal or your birthstones. Also throw in your Zodiac sign too.
It also should be a crime to post anything with this statement in it "97% of people will ignore this, and only 3% of people have the courage to post this. I know who the strong ones are." Stop trying to guilt people into oversharing things.
A lot of your information is already out there, but don't make it insanely easy for people to gather it. Especially information that wouldn't normally come up in conversations like what street you grew up on or your middle name.
When I was doing new employee orientation I used to have a "crash cart" that I would wheel in to the back of the room with a laptop and some wi-fi sniffers on it. I would gather the names of SSIDs the new employees' phones were beaconing for. When I started my presentation I would ask "Whose phone normally connects to " and shout out some of the more personal SSIDs of people's home routers. People were shocked that I could pick up that information from the classroom.
Other times I would ask, "How expensive does a hacker's set-up have to be?" Then proceed to show them how I could do a lot of information gathering for under $150.
When doing presentations, keep it interesting. Do not drone on and on about the dangers of "hackers". Give them some real-life examples of information sharing gone bad.
I would also offer up the opportunity to come up to the Cyber Security Office anytime they wanted and speak to any of my techs or me if they wanted to ask anything about cyber security. You want to be approachable. You also will want to know what they want to ask you. Ask them what questions they want to ask you. Use real-life examples if you can.
During this new employee orientation, we also told them that, even after being warned not to plug their phones into the work computers, someone from the class would be in my office before the month was out asking for their computer NIC, their network switch port, and their account to be unlocked because they had violated company policy and hooked up their phone to their company computer. Yes, we had protocols that if your computer violated protocol we would block your MAC, lock down the port you were using on the switch and lock your user account. All of which could only be undone by coming up to the cyber office, sitting through a refresher course on infosec, and then having your account reset. It never failed. We routinely had someone from every class in there. I would always gather their excuses to try and use in future classes and also to try to understand why. Most of the time it came down to "I forgot" or "Well I was just going to charge it! I wasn't doing anything with it." but sometimes you got the "Well my son came in to work to see me and hooked up his phone to charge it."