Cybersecurity All-in-One For Dummies
To cyber-protect your personal and business data, make sure everyone at home and at work recognizes that they are a target.

People who believe that hackers want to breach their computers and phones and that cyber criminals want to steal their data act differently than people who do not understand the true nature of the threat. Many businesses use security awareness programs to improve security related behaviors.

Protecting your data from Internet scams

The following tips help you protect your data and keep yourself and your family safe from Internet scams:

  • Protect your devices. At a minimum, run security software on every device you use to access sensitive information. Configure your devices to auto-lock, and to require a strong password to unlock them. Don’t leave your devices in insecure locations, and install software only from reputable sources, such as official app stores and official vendor and reseller websites.
  • Protect data. Encrypt all sensitive data and back up often. If you’re unsure as to whether something should be encrypted, it probably should be. If you’re unsure as to whether you back up frequently enough, you, like most people, probably do not.
  • Use safe connections. Never access sensitive information over free public Wi-Fi, and consider avoiding such Internet access altogether, especially from any device on which you perform sensitive activities or access sensitive information. The connection provided by your cellular service is likely far more secure than any public Wi-Fi, and such connections can usually be shared by multiple devices if you turn on your phone’s “mobile hotspot” feature.
  • Use proper authentication and passwords. Every person accessing an important system should have their own login credentials. Do not share passwords for online banking, email, social media, and so on with your children or significant other. Get everyone their own login. Make sure you use strong, unique passwords for your most sensitive systems.
  • Share wisely. Do not overshare information on social media or on any other platform. Crooks look for such data and use it to social engineer people. Oversharing exposes you and your loved ones to increased risks of being targeted by scammers or of having your identities stolen.

Managing cybersecurity in your organization

The following tips can help you communicate effectively about cybersecurity challenges in your organization:

  • Treat security awareness and training as a business investment.
  • Train users on an ongoing basis to keep security fresh in their minds.
  • Include information privacy and security tasks and responsibilities in everyone’s job descriptions.
  • Tailor your content to your audience whenever possible.
  • Create a social engineering awareness program for your business functions and user roles.
  • Keep your messages as nontechnical as possible.
  • Develop incentive programs for preventing and reporting incidents.
  • Lead by example.

Preventing social engineering attacks in the workplace

These tips help prevent social engineering attacks in the workplace:

  • Never divulge any information unless you can validate that the people requesting the information need it and are who they say they are. If a request is made over the telephone, don’t rely on the number or name the caller gives you: hang up, and call back on a number you already have on file for that person or organization.
  • Never click an email link that supposedly loads a page with information that needs updating. This is particularly true for unsolicited emails, which can be especially tricky on mobile devices because users often don’t have the benefit of seeing where the link would take them.
  • Encourage your users to validate shortened URLs from bit.ly and other URL-shortening services if they’re unsure of their safety or legitimacy. Websites such as CheckShortURL and WhereGoes offer this service.
  • Be careful when sharing sensitive personal information on social networking sites, such as Facebook or LinkedIn. Also, be on the lookout for people claiming to know you or wanting to be your friend. Their intentions might be malicious.
  • Escort all guests within the building. This may not match your company’s culture or be realistic, but it can certainly help minimize social engineering risks.
  • Never open email attachments or other files from strangers, and be very careful even if they come from people you know. This measure alone could prevent untold security incidents, breaches, and ransomware infections.
  • Never give out passwords or other sensitive information. Even your own colleagues don’t need to know unless there’s an otherwise compelling business reason behind it.
  • Never let a stranger connect to one of your Ethernet network ports or internal wireless networks, even for a few seconds. Someone with ill intent can place a network analyzer or install malware, or set up a backdoor that can be accessed remotely when they leave.
  • Develop and enforce media-destruction policies. These policies (for computer media and documents) help ensure that data is handled carefully and stays where it should be. A good source of information on destruction policies is PDAconsulting.
  • Use cross-cut paper shredders. Better still, hire a document-shredding company that specializes in confidential document and media destruction.
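One way to do the check the shortened-URL tip above describes, as an added example in Python (not code from the book, nor from the CheckShortURL or WhereGoes services): it walks a short link one redirect at a time with HEAD requests, never fetching a page body, and flags a final destination that is not HTTPS, a hop on a raw IP address, a user@host lure, or a chain that never settles. The sample redirect chain is constructed so the example runs offline; only the head_once function touches the network, and only if you pass it a real link.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop is seen (and judged) by us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_once(url, timeout=5):
    """One HEAD request; returns (status, Location header or None). Live network."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # 3xx responses land here because we refused to follow them.
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_once, max_hops=MAX_HOPS):
    """Return every URL in the redirect chain, starting with `url`.
    Stops at the first non-redirect response or after max_hops hops."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def assess(chain, max_hops=MAX_HOPS):
    """Warnings a user should see before deciding whether to click."""
    warnings = []
    final = urlparse(chain[-1])
    if len(chain) > max_hops:
        warnings.append("redirect chain did not settle within the hop limit")
    if final.scheme != "https":
        warnings.append("final destination is not HTTPS")
    if "@" in final.netloc:
        warnings.append("final URL carries user@host credentials, a common lure")
    for u in chain:
        host = urlparse(u).hostname or ""
        if host.replace(".", "").isdigit():
            warnings.append(f"hop uses a raw IP address: {host}")
            break
    return warnings


# Constructed redirect chain (hypothetical hops, not real services' responses)
# so the example runs offline.
SAMPLE_HOPS = {
    "https://bit.ly/3xAmPLe": (301, "https://t.co/sh0rt"),
    "https://t.co/sh0rt": (302, "http://203.0.113.5/account/verify"),
    "http://203.0.113.5/account/verify": (200, None),
}


def sample_fetch(url):
    return SAMPLE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("https://bit.ly/3xAmPLe", fetch=sample_fetch)
    print(" -> ".join(chain))
    for warning in assess(chain):
        print("WARNING:", warning)
    # For a real link, call expand("https://bit.ly/...") with the default fetch.
```

The point of refusing automatic redirects is that the interesting hop is usually not the first one: a shortener may bounce through a second shortener before landing on the lure, and a user (or a mail gateway) should see every host in that chain, not just the last.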

Sample questions for a security awareness interview

Following are some general questions you should ask everyone you interview when creating a security awareness program. You also need to ask questions specific to the person’s job function and to the relationship or influence they have with regard to the awareness program.

  • What are the biggest problems you see?
  • What are the security strengths you see?
  • Do you have any specific concerns?
  • (If someone has been with the organization for a while) What has worked best within the company to change behaviors?
  • (If someone is new to the organization) Have you seen anything in your past organizations that you think would work here?
  • What have been the parts of the current awareness program that you like?
  • What did you not like?
  • Do you see other departments communicate well with employees? How do they do that?
  • Do you think the organization places importance on security?
  • Do you think your line manager expects certain things of you?
  • What happens if adhering to security guidelines causes you to take longer to do your job?
  • What prevents you from following good awareness practices?
  • How do you prefer to receive awareness information?
  • What information do you need?
  • What information do you want to see?
  • Can you offer any guidance to the awareness program?

Password-cracking software for security professionals

Password-cracking tools can be used for both legitimate security assessments and malicious attacks. You want to find password weaknesses before the bad guys do, so use these tools only on systems you own or have written authorization to test.

You can try to crack your organization’s operating system and application passwords with various password-cracking tools:

  • Brutus: Cracks logins for HTTP, FTP, Telnet, and more. It is a Windows tool from around 2000 that is no longer maintained; Hydra (below) covers the same ground.
  • Cain & Abel: Cracks LM and NTLM hashes, Windows RDP passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and lots more. (Hashes are one-way cryptographic representations of passwords.) Development stopped years ago, so expect it to show its age on current systems.
  • Elcomsoft Distributed Password Recovery: Cracks Windows, Microsoft Office, PGP, Adobe, iTunes, and numerous other passwords in a distributed fashion, using up to 10,000 networked computers at one time. This tool uses the same graphics processing unit (GPU) video acceleration as the Elcomsoft Wireless Auditor tool, which allows for cracking speeds up to 50 times faster.
  • Elcomsoft Proactive Password Auditor: Runs brute-force, dictionary, and rainbow-table attacks against extracted LM and NTLM password hashes.
  • Elcomsoft Proactive System Password Recovery: Recovers practically any locally stored Windows passwords, such as login passwords, WEP/WPA passphrases, SYSKEY passwords, and RAS/dial-up/VPN passwords.
  • Elcomsoft System Recovery: Cracks or resets Windows user passwords, sets administrative rights, and resets password expirations, all from a bootable CD. This tool is great for demonstrating what can happen when laptop computers don’t have full disk encryption.
  • John the Ripper: Cracks hashed Linux/Unix and Windows passwords, plus hundreds of other hash and file formats in its community (“jumbo”) build.
  • Mimikatz: Extracts plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory on Windows systems and performs pass-the-hash and related credential-reuse attacks. It needs administrative (or SYSTEM) rights on the target.
  • Ophcrack: Cracks Windows user passwords, using rainbow tables, from a bootable CD. Rainbow tables are precomputed chains of hashes and plaintexts that cover a password space; the hard work is done once up front, and cracking becomes a table lookup instead of hashing guess after guess. They work only against unsalted hashes, which LM and NTLM are, so every user with the same password has the same hash.
  • pwdump: Extracts Windows password hashes from the SAM (Security Accounts Manager) database. It needs administrative rights.
  • RainbowCrack: Cracks LM, NTLM, and MD5 hashes quickly by using rainbow tables. You generate or download the tables first, and they can run to many gigabytes.
  • Hydra: Cracks logins for HTTP, FTP, IMAP, SMTP, VNC, SSH, and many more. Like Brutus, it guesses against the live service, so it is the kind of tool that triggers account lockouts.
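To make the rainbow-table entries above concrete, here is a toy rainbow table in Python, added for this article and not code from the book or from the Ophcrack or RainbowCrack projects. It targets unsalted MD5 over a 3-letter lowercase password space; the chain length, the reduction function, and the chain start points are choices made for illustration, not values any real tool uses. It shows the precompute-then-lookup tradeoff (only chain endpoints are stored; everything else is recomputed on demand) and why a salt defeats the table: the salted hash lies outside every stored chain.

```python
import hashlib

# Toy rainbow table for an unsalted hash. Password space, chain length and
# chain starts are constructed for the example and build in well under a second.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH          # 17,576 candidate passwords
CHAIN_LEN = 50                           # hashes covered per stored chain


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def index_to_word(n):
    """Map an integer in [0, SPACE) to a candidate password."""
    out = []
    for _ in range(LENGTH):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def reduce_to_word(hash_hex, step):
    """Reduction function: fold a hash back into the password space.
    Mixing in the chain position gives each step its own reduction, which is
    what makes this a rainbow table (rather than Hellman's single-reduction
    chains) and limits chain merges."""
    return index_to_word((int(hash_hex, 16) + step) % SPACE)


def build_table(starts):
    """Precompute chains; store only endpoint -> start points.
    Intermediate words and hashes are recomputed at lookup time (CPU for memory)."""
    table = {}
    for start in starts:
        word = start
        for step in range(CHAIN_LEN):
            word = reduce_to_word(md5_hex(word), step)
        table.setdefault(word, []).append(start)  # endpoints may collide
    return table


def crack(target_hex, table):
    """Return a preimage of target_hex if some stored chain covers it, else None."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target is the hash at chain position `pos`; run the rest
        # of the chain to see which endpoint that would produce.
        word = reduce_to_word(target_hex, pos)
        for step in range(pos + 1, CHAIN_LEN):
            word = reduce_to_word(md5_hex(word), step)
        for start in table.get(word, ()):
            # Endpoint matched: regenerate that chain and verify, because
            # merged chains produce false alarms.
            cand = start
            for step in range(CHAIN_LEN):
                if md5_hex(cand) == target_hex:
                    return cand
                cand = reduce_to_word(md5_hex(cand), step)
    return None


def word_at(start, pos):
    """The password sitting at position `pos` of the chain beginning at `start`."""
    word = start
    for step in range(pos):
        word = reduce_to_word(md5_hex(word), step)
    return word


# Chain start points: every 200th word of the space (constructed, deterministic).
STARTS = [index_to_word(i) for i in range(0, SPACE, 200)]
TABLE = build_table(STARTS)


if __name__ == "__main__":
    victim = word_at(STARTS[7], 12)                 # a password the table covers
    print(f"stored {len(TABLE)} endpoints covering {len(STARTS) * CHAIN_LEN} hashes")
    print("unsalted:", crack(md5_hex(victim), TABLE))  # recovers the password
    # Same password with a per-user salt: no chain contains this hash.
    print("salted:  ", crack(md5_hex(victim + "Qx9#"), TABLE))
```

The table holds at most 88 endpoints yet answers for up to 4,400 hashes; a real LM or NTLM table applies the same idea to a far larger space, which is where the multi-gigabyte downloads come from. The lookup cost is the nested loop in crack: roughly CHAIN_LEN squared over two hash computations per target, which is the time side of the time-memory tradeoff.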

Online guessing tools such as Brutus and Hydra send every guess to the live service, so if intruder lockout is enabled in your operating systems, databases, or applications, they can lock out some or all computer/network accounts and cause a denial of service for your users. Check the lockout threshold before you start (on Windows, the net accounts command shows it) and keep the number of guesses per account below it. Offline crackers such as John the Ripper, Ophcrack, and RainbowCrack work on hashes you have already extracted and never touch the authentication service, so they carry no lockout risk.

About This Article

About the book authors:

Joseph Steinberg is a master of cybersecurity. He is one of very few people to hold the suite of security certifications including: CISSP®, ISSAP®, ISSMP®, and CSSLP®. Joseph has written several books on cybersecurity, including the previous edition of Cybersecurity For Dummies. He is currently a consultant on information security, and serves as an expert witness in related matters.

Kevin Beaver is an information security guru and has worked in the industry for more than three decades as a consultant, writer, and speaker. He earned his master’s degree in Management of Technology at Georgia Tech.

Ted Coombs is a direct descendant of King Edward of England, a former world record holder for most miles roller skated in a day, and a longtime technology guru and author. He’s written over a dozen technology books on a wide array of topics ranging from database programming to building an internet site. Along the way he helped create early artificial intelligence tools and served as a cybersecurity professional focused on computer forensics.