Cyber Awareness 2022 Knowledge Check

Questions and Answers

What should you do if a reporter asks you about potentially classified information on the web?

Refer the reporter to your organization's public affairs office.

Which of the following is a good practice to aid in preventing spillage?

Mix classified and unclassified data.

Ignore handling caveats.

Share information freely.

Be aware of classification markings. (correct)

What should be your response if asked to comment on a classified project?

Attempt to change the subject to something non-work related, but neither confirm nor deny the article's authenticity.

What should you do when working on an unclassified system and receive an email with a classified attachment?

Call your security point of contact immediately.

What is required for an individual to access classified data?

Appropriate clearance; signed and approved non-disclosure agreement; and need-to-know.

How can you protect classified data when it is not in use?

Store classified data appropriately in a GSA-approved vault/container.

How many potential insider threat indicators does a colleague who vacations at the beach every year and has a poor work quality display?

0 indicators

Based on the following description, how many insider threat indicators are displayed: a playful and charming colleague who wins awards and is occasionally aggressive in accessing classified info?

1 indicator

What type of activity should be reported as a potential insider threat?

Coworker making consistent statements indicative of hostility or anger toward the United States and its policies.

What advantages do 'insider threats' have over others in causing damage to organizations?

Insiders are given a level of trust and have authorized access to Government information systems.

Which of the following is a best practice to protect information about you on social networking sites?

Use only personal contact information.

When is the safest time to post details of your vacation activities on social media?

When your vacation is over, after you have returned home.

What level of damage can the unauthorized disclosure of information classified as confidential cause?

Damage to national security.

Which type of information could cause serious damage to national security if disclosed without authorization?

Secret.

What practice may reduce your appeal as a target for adversaries seeking to exploit your insider status?

Remove your security badge after leaving your controlled area or office building.

What type of unclassified material should be marked with a special handling caveat?

For Official Use Only (FOUO).

Which of the following is NOT an example of sensitive information?

Press release data

Which of the following is true about unclassified data?

When unclassified data is aggregated, its classification level may rise.

Which of the following represents a good physical security practice?

Use your own security badge, key code, or Common Access Card (CAC)/Personal Identity Verification (PIV) card.

What certificates are contained on the Common Access Card (CAC)?

Identification, encryption, and digital signature.

What should you do if a hotel asks to make a photocopy of your Common Access Card (CAC)?

Do not allow your CAC to be photocopied.

How is Sensitive Compartmented Information (SCI) marked?

Approved Security Classification Guide (SCG).

What best describes the compromise of Sensitive Compartmented Information (SCI)?

A person without the required clearance or access comes into possession of SCI.

What portable electronic devices (PEDs) are allowed in a Secure Compartmented Information Facility (SCIF)?

Government-owned PEDs, if expressly authorized by your agency.

What are some examples of malicious code?

Viruses, Trojan horses, or worms.

Which of the following is NOT a way that malicious code spreads?

Legitimate software updates

What should you do if a website requires a credit card for registration and does not start with 'https'?

Do not provide your credit card information.

Which email attachments are generally safe to open?

Attachments contained in a digitally signed email from someone known.

What is a common indicator of a phishing attempt?

It includes a threat of dire circumstances.

Which of the following is true of Internet hoaxes?

They can be part of a distributed denial-of-service (DDoS) attack.

What should you do upon connecting your Government-issued laptop to a public wireless connection?

Connect to the Government Virtual Private Network (VPN).

What should be your response if a coworker asks you to download a programmer's game to play at work?

I'll pass.

What are some examples of removable media?

Memory sticks, flash drives, or external hard drives.

Which are examples of portable electronic devices (PEDs)?

Laptops, fitness bands, tablets, smartphones, electric readers, and Bluetooth devices.

What is a good practice to protect data on your home wireless systems?

Ensure that the wireless security features are properly configured.

When may you be subjected to criminal, disciplinary, and/or administrative action due to online misconduct?

If you participate in or condone it at any time.

Which is a security best practice when using social networking sites?

Use only personal contact information.

Which of the following is NOT an example of Controlled Unclassified Information (CUI)?

Press release data

Which of the following is NOT a correct way to protect CUI?

CUI may be stored on any password-protected system.

Which Cyberspace Protection Condition (CPCON) establishes a focus on critical and essential functions only?

CPCON 2 (High: Critical and Essential Functions).

What certificates are contained on the Common Access Card (CAC)?

Identification, encryption, and digital signature.

Which of the following is an example of two-factor authentication?

Your password and a text code.

What guidance is available from marking Sensitive Information (SCI)?

Security Classification Guide (SCG).

What must the dissemination of information regarding intelligence sources follow?

The Director of National Intelligence.

If an incident occurs involving removable media in a Sensitive Compartmented Information Facility (SCIF), what action should you take?

Notify your security point of contact.

Which actions can help to protect your identity?

Order a credit report annually.

What is whaling?

A type of phishing targeted at senior officials.

Which best practice can prevent viruses and other malicious code from being downloaded when checking your email?

Do not access website links, buttons, or graphics in email.

What type of social engineering targets particular individuals or organizations?

Spear phishing.

Which of the following is a concern when using your Government-issued laptop in public?

Others may be able to view your screen.

When can you check personal email on your Government-furnished equipment (GFE)?

If allowed by organizational policy.

Which of the following statements is true about mobile devices?

Mobile devices and applications can track your location without your knowledge or consent.

When can you use removable media on a Government system?

When operationally necessary, owned by your organization, and approved by the appropriate authority.

Which is the best practice for securing your home computer?

Create separate accounts for each user.

Study Notes

Spillage

• If approached by a reporter about classified information, refer them to the public affairs office.
• Awareness of classification markings and handling caveats is critical to prevent information spillage.
• In conversations about classified projects, avoid confirming or denying details; change the subject instead.
• If receiving a classified attachment on an unclassified system, immediately contact your security point of contact.
• Accessing classified data requires appropriate clearance, a signed non-disclosure agreement, and a need-to-know basis.
• To protect classified data when not in use, store it in a GSA-approved vault or container.

Insider Threat

• A colleague's vacation habits and family status may not indicate insider threats; zero indicators present in this scenario.
• Indicators of a potential insider threat can include charm combined with aggression towards accessing classified information.

Online Conduct and Security

• Report comments of hostility towards the U.S. as potential insider threats.
• Insiders have an easier path to damage organizations due to their trust and authorized access to sensitive systems.
• When creating social media accounts, use personal contact details only to safeguard organizational information.
• Post vacation updates only after returning to avoid giving potential adversaries information to exploit.

Data Classification

• Unauthorized disclosure of confidential information could threaten national security.
• Disclosing secret information poses serious risks to national security.
• Enhance security presence by removing security badges outside controlled areas.

Sensitive Information

• Mark unclassified materials with handling caveats like For Official Use Only (FOUO).
• Aggregated unclassified data may require a higher classification.
• Secure personal identification and authorization via Common Access Cards (CAC) to prevent unauthorized access.

Malicious Code

• Malicious code examples include viruses, Trojan horses, and worms.
• Legitimate software updates are not a method of spreading malicious code.
• Ensure URLs are secure (start with "https") before providing sensitive information.
• Open email attachments only if they're from recognized senders and are digitally signed.

Social Networking Risks

• Engage in responsible online behavior to avoid disciplinary actions, which include both direct participation and condoning misconduct.
• Use personal contact information when setting up accounts on social networking sites to enhance security.

Controlled Unclassified Information (CUI)

• Press release data is not considered CUI.
• CUI should be safeguarded, and cannot be stored on just any password-protected system.

Physical Security and Identity Management

• Cyberspace Protection Condition (CPCON 2) prioritizes critical functions amid varying levels of threat.
• Common Access Cards (CAC) contain identification, encryption, and digital signature certificates.

Security Practices

• Two-factor authentication can enhance security; it typically includes a password and a verification code sent to your phone.
• When using removable media in government settings, ensure the media is owned by the organization and approved for use.
• Individuals should order a credit report annually to help protect their identity.
• Whaling is a sophisticated phishing attack aimed at senior officials.

Mobile Device Security

• Mobile devices can track users' locations without their knowledge, raising privacy concerns.
• Users should create separate accounts for each individual on home computers to improve security.

Description

Test your knowledge on Cyber Awareness for 2022 with this quiz focused on preventing information spillage. Learn about handling classified information and best practices for communication with the media. Perfect for those who want to ensure they are up-to-date with cyber security protocols.