Accounts and Credentials Security Quiz PDF

Summary

This document is a learner's guide covering cybersecurity awareness for accounts and credentials. It explores password cracking techniques, account breach detection, and prevention methods. It delves into the concept of dictionary attacks and brute-force attacks, and provides practical advice for protecting accounts from online threats.

Full Transcript


NICF - Cybersecurity Awareness Programme (SF) Learner's Guide

SECTION 3: ACCOUNTS AND CREDENTIALS SECURITY

In this section, you will learn the following:
- Password cracking techniques: brute force and dictionary attack
- From one account to all accounts
- Account breach detection methods
- Prevention and protection methods (strong passwords, password recycling, MFA, password management apps, etc.)
- Tools to test and create a strong password (HowSecureIsMyPassword, password management applications)
- Leaked credentials (HaveIBeenPwned, LeakedSource)

Copyright © 2020 NTUC LearningHub Pte Ltd. © Cybint Solutions. All rights reserved. Page 52 of 126, LHUB_ver1.1

ACCOUNTS & CREDENTIALS - PASSWORDS

One of the easiest ways to access valuable information is by pretending to be someone you are not. Hackers will invest time, resources and effort in accessing your accounts (email, social media, Google Drive...) by acquiring your password.

Accounts are the 'users' we have online. We all have internet email accounts (identified by your email address), bank accounts, social media accounts, perhaps even an online dating account. Credentials are the identifiers that help us access and use our accounts; these include email addresses, bank account numbers, usernames and, of course, passwords.

Your Accounts

Hackers and cyber criminals want to access your accounts. Why?
- Blackmail
- Identity fraud (email your accountant or access your bank account)
- Ransomware
- Infiltrate a company's computer network

Protection

All accounts have a certain level of protection. The most common are a user name and a password. Here are a few others that can be added or combined.
Other mechanisms:
- One-time code (sent via cell phone), also known as a "token" or multi-factor authentication
- Biometric identification
- Captcha (against AI)
- Security questions

Password Cracking

Let's focus on the two most prominent ways hackers can crack passwords:
- Dictionary attack
- Brute force

Dictionary Attack

Most people use real words as part of their password. It could be the name of a person they know, a street address, a company or a hobby. The dictionary attack takes advantage of that and literally tries out every word in the dictionary in a predetermined order. The longer the word, the more time it will take the attack to succeed.

Amount of time it would take to crack the following passwords:
- Shield – less than a second
- Broccoli – 5 seconds
- Barricade – 2 minutes

Here are some easy ways to protect yourself from a dictionary attack:
- Create longer passwords
- Combine numbers and symbols – S!ngap0re instead of Singapore
- Misspell or don't use real words – aplle instead of apple

Brute Force

Have you ever tried solving a question by simply trying every possible answer until one works? That's exactly what a brute force algorithm does: it tries every possible combination. It may sound like something that would take forever, but strong computers and powerful algorithms can try out thousands of possibilities a second.

Brute force algorithms can also be tweaked and improved. Here are a few assumptions hackers rely on when running such an algorithm.
These assumptions may reduce the attack's effectiveness, but they significantly improve its efficiency:
- Most people use a capital letter as the first letter and the rest is lower case
- Usually numbers and symbols come at the end of the password
- When users update a password, they usually change only the last digit, etc.

Here are some easy ways to protect yourself from brute force attacks:
- Create longer passwords – they require far more attempts and processing time
- Insert the capital letters, symbols and numbers in the middle of the password
- Insert lower case letters at the beginning or the end of the password

If you have trouble thinking of a strong password, use a password generator, such as Google's "Password Manager"!

Follow these guidelines to improve security. A password should:
- Have at least 10 characters
- Be a mix of numbers, symbols, capital and lower-case letters
- Not be a dictionary word
- Not be reused for different services – make sure your Facebook and Gmail passwords are different
- Be changed occasionally

Remembering Multiple Complex Passwords

Users might find it hard to remember all their different, complicated passwords. A possible solution is to use a password management service. This is a service that saves an encrypted list of all your passwords. You can access it at any time with a single password to find all your other passwords. That way, you only need to remember one password. Examples: Zoho Vault, LastPass.
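The guidelines above and the three brute-force assumptions can be turned into an automated check. This is an added example, not code from the learner's guide: the mini wordlist, the leetspeak reversal table and the search-space estimate (a naive upper bound that assumes the attacker knows only which character classes are present) are all assumptions made here for illustration.

```python
import math
import re
import string

# Constructed mini wordlist standing in for a real dictionary; a real audit
# would load a full wordlist (leaked-password statistics are one source).
DICTIONARY = {"shield", "broccoli", "barricade", "singapore", "apple", "password"}
# Undo common substitutions so "S!ngap0re" is still recognised as "singapore" (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s"})
PUNCT = set(string.punctuation)
# (predicate, alphabet size) per character class used by the guide's "mix" rule.
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
           (PUNCT.__contains__, len(PUNCT))]


def search_space_bits(pw: str) -> float:
    """Naive brute-force search space in bits: every string of this length
    over the character classes actually present in pw."""
    alphabet = sum(size for pred, size in CLASSES if any(pred(c) for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def audit_password(pw: str) -> list[str]:
    """Check pw against the guide's rules and the patterns a tuned brute-force
    attack assumes; returns short finding codes, empty when nothing was found."""
    findings = []
    if len(pw) < 10:
        findings.append("too_short")
    if not all(any(pred(c) for c in pw) for pred, _ in CLASSES):
        findings.append("missing_class")
    # Dictionary-word core: lower-case, reverse leetspeak, keep letters only.
    core = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(DICTIONARY):
        if len(word) >= 5 and word in core:
            findings.append(f"dictionary:{word}")
    # Assumption 1: capital first letter, everything else lower case.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        findings.append("capital_first_rest_lower")
    # Assumption 2: all digits and symbols sit at the end of the password.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw):
        findings.append("digits_symbols_at_end")
    return findings
```

Run against the quiz's option C, "jsn2#d!jdjo!Hm3", the audit returns no findings, while "Password445" trips the dictionary, capital-first and trailing-digits checks at once.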
EMAIL AND SOCIAL MEDIA ACCOUNTS

Your email account is probably the most important account you have. We use our email to access other accounts, retrieve passwords and conduct official business. Access to your email can mean access to your bank account, social media accounts and professional life.

Hackers can access your email even if you have the best password in the world. For instance, they can use malware hidden in an attachment. Additionally, once they infiltrate one email account, they can send many unsuspicious-looking emails to its contacts.

Here are a few signs your account has been infiltrated:
- You've received a notification about an unusual login or a device that you don't recognize.
- You received a notification that your username or password was changed.
- You stopped getting emails.
- Your friends complain that they received spam from you.

So, what do you do when this happens (in 5 simple steps)?
1. Change your password.
2. Change your security question (if you have one).
3. Look at your settings – they may have set up automatic forwarding of every mail you get to a different address. If you're not sure what to do, you can always restore the settings.
4. Run a scan with an anti-malware/antivirus program.
5. If you use the same password on different accounts, change the passwords on those as well.

Email Accounts: Last Account Activity

The last account activity window shows you information about recent activity in your mail account.
Recent activity includes any time that your mail was accessed using a web browser or a mobile device. It displays a list of IP addresses that accessed your mail, the associated location, as well as the time and date.

Social Media Accounts

Social media has become an essential part of our modern lives. More than likely you are connected to more online social circles now than ever before. The problem here is that hackers prey on social media pages and exploit the information they find there.

Signs you've been hacked:
- Posts that you didn't write suddenly appear on your social media.
- Somebody logged into your account from an unusual location: most social media services enable you to check the location of the last logins.
- Spam ads flood your FB page.

Social Media Accounts – Like-Jacking

"Like-jacking" is a method that is specific to Facebook. You are lured onto a page with an attractive post, such as "watch this puppy swim". The page is actually composed of two layers:
- A front layer, which is the funny video.
- A back layer. When you click "Like" you actually, unknowingly, click on "Please flood my wall with tons of ads".

This hacking method is easy to reverse, since you can check which apps you have liked. You can just disable unwanted ones.

IDENTITY THEFT

Identity theft is when hackers use the breached accounts to pretend they are someone else. This is one of the greatest risks of breached accounts. Identity hackers are interested in sensitive information such as financials, medical info and private information. This information can be used to shame, extort, harm or steal from the hacked individual.
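The breach signs and the Last Account Activity window described earlier in this section (unusual login, unknown location, silent mail forwarding) can be checked mechanically rather than by eye. Added example, not from the learner's guide: the activity table format, the documentation-range IP addresses and the settings dictionary are constructed here, and the two-hour "impossible travel" threshold is an assumed value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of a "last account activity" table, one access per line:
# <ISO time> <access type> <IP address> <location>. IPs are from documentation ranges.
SAMPLE_ACTIVITY = """\
2020-03-14T09:12:00 browser 203.0.113.7 Singapore
2020-03-14T13:40:00 mobile 203.0.113.9 Singapore
2020-03-14T13:52:00 browser 198.51.100.22 Kyiv
2020-03-15T08:05:00 browser 203.0.113.7 Singapore
"""

@dataclass
class Access:
    when: datetime
    kind: str
    ip: str
    location: str

def parse_activity(text: str) -> list[Access]:
    """Parse the constructed table; ipaddress.ip_address() rejects malformed entries early."""
    accesses = []
    for line in text.splitlines():
        when, kind, ip, location = line.split(maxsplit=3)
        accesses.append(Access(datetime.fromisoformat(when), kind,
                               str(ipaddress.ip_address(ip)), location))
    return sorted(accesses, key=lambda a: a.when)

def flag_unusual(accesses: list[Access], usual_locations: set[str],
                 min_travel: timedelta = timedelta(hours=2)) -> list[tuple[Access, list[str]]]:
    """Return accesses worth a second look, each with the reasons it was flagged:
    a location the owner never uses, or two different locations closer in time
    than any real journey between them (impossible travel)."""
    flagged: dict[int, list[str]] = {}
    for i, a in enumerate(accesses):
        prev = accesses[i - 1] if i else None
        if a.location not in usual_locations:
            flagged.setdefault(i, []).append("unusual_location")
        if prev and a.location != prev.location and a.when - prev.when < min_travel:
            flagged.setdefault(i, []).append("impossible_travel")
    return [(accesses[i], reasons) for i, reasons in sorted(flagged.items())]

def unexpected_forwarding(settings: dict, owned_addresses: set[str]) -> list[str]:
    """Step 3 of the recovery list: forwarding targets the owner does not control."""
    return [addr for addr in settings.get("forward_to", [])
            if addr.lower() not in {o.lower() for o in owned_addresses}]
```

On the sample table, the Kyiv login is flagged twice over: it is outside the owner's usual location and lands twelve minutes after a login from Singapore.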
A more sophisticated method of stealing money with a stolen identity is using it to acquire financial assets. For example, scammers can use a stolen identity to open bank accounts with the victim's personal details and credit score, and to make purchases with that account. Victims of these kinds of attacks may find themselves in significant debt that they were not even aware of.

Three main ways identity thieves reach you:

Phishing
Communication posing as a legitimate entity that asks you to provide personal information. By posing as that entity, they can simply have you send them the personal information! For instance, a fake FB message instructing you to change your password: instead of changing it, you send it directly to the hacker. Avoid this by verifying the authenticity of such messages, and avoid sending such details in interactions you didn't initiate.

Spyware
Programs that spy on your computer. These may record your screen, your typing or your files. Get a good anti-malware program and make sure it's updated. They may be expensive, but identity theft is more expensive.

Eavesdropping
Sometimes you store your information in places that are less secure than you might think – cloud services, Word docs and so on. These are not encrypted, and therefore exposed. Store your information on an encrypted service.

SHORT DEMONSTRATION - TOOLS TO TEST AND CREATE A STRONG PASSWORD

Password Statistics

The 'Unmasked' project (https://wpengine.com/unmasked/) reveals insights and statistics from 10 million leaked passwords.
The information on this website exposes common user habits (such as the most common passwords and the most common digits added to a password) that hackers use to create more sophisticated cracking algorithms. Try to create passwords that don't follow the most common patterns used by other users.

Password Strength

The educational website https://www.security.org/how-secure-is-my-password/ allows users to test their password's strength against a brute force/dictionary attack. Use this tool to test the strength of a password and see if it really is as strong as you think (all data is processed locally, so there's no risk of exposing the password to external users).

Data Leaks

The website https://leakedsource.ru/ enables users to look for leaked credentials according to various parameters (email, username, password, etc.) and to see if they were ever leaked in a data breach. This website also enables users to buy the leaked data (and that's why its owner was eventually sent to jail), but in this case the website is being used to show that even the strongest password can be exposed easily because of a larger data breach.

ACCOUNTS AND CREDENTIALS SECURITY QUIZ

Answer the following questions:

1. Recently, you have noticed that someone accessed your Facebook account without your express permission. You have already changed the password. What is the most efficient way to stop this from happening again?
A. Switch to 2-step verification
B. Block all users
C. Delete the private information from your account
D. Delete the apps in Facebook
E. Suspend the account
F. Change your profile picture

2. Which of the following is correct?
A. If I take every necessary security measure, my account will be impenetrable.
B. There is no such thing as an impenetrable account.
C. There is no need to take all security measures; even a few will make my account impenetrable.
D. If I take every necessary security measure, only a very skilled hacker can hack my account.

3. You have been requested to change your password to "jH76s%nh". How long would it take a computer to crack this password?
A. About 9 seconds
B. About 9 minutes
C. About 9 hours
D. About 9 days

4. Which of the following passwords would be the best in terms of password strength and resistance to cracking?
A. Jdjd88dk
B. Password445
C. jsn2#d!jdjo!Hm3
D. Hdjhddmdl

5. If you have any sensitive information stored on a breached account, you should:
A. Check if it was opened or changed
B. Assume it was compromised as well and act accordingly
C. Look for any unusual activity concerning this information and, if found, act accordingly
D. Delete this information from your account

6. A dictionary attack is an attack where:
A. The attacker tries all the words in the Oxford dictionary one by one until a certain word cracks the victim's password.
B. The attacker sends the victim a virus via email which is referred to as a dictionary.
C. The attacker tries a predefined set of words and combinations until a certain combination cracks the victim's password.
D. The attacker hits the victim with a dictionary.

7. Adding a digit to each word in a password would:
A. Significantly increase password stability.
B. Not help at all.
C. Make the password impenetrable.
D. Help against a brute force attack but not against a dictionary attack.
