Overview

Regardless of your computer experience, this self-paced e-learning course will help you become more aware of technology-related risks and what you can do to protect yourself and your organization from them. In this course, you will explore the hazards and pitfalls of technology and learn how to use that technology safely and securely. The CertNexus CBS-410 exam is included in the course.

Lesson 1: Identifying Security Compliance Measures

  • Identify Organizational Compliance Requirements and Resources
  • Identify Legal Compliance Requirements and Resources
  • Identify Industry Compliance Requirements and Resources

Lesson 2: Recognizing and Addressing Social Engineering Attacks

  • Recognize Phishing and Other Social Engineering Attacks
  • Defend Against Phishing and Other Social Engineering Attacks

Lesson 3: Securing Devices

  • Maintain Physical Security of Devices
  • Use Secure Authentication Methods
  • Protect Your Data
  • Defend Against Malware
  • Use Wireless Devices Securely

Lesson 4: Using the Internet Securely

  • Browse the Web Safely
  • Use Email Securely
  • Use Social Networks Securely
  • Use Cloud Services Securely
  • Work from Remote Locations Securely

Prerequisites

No Prerequisites


Objectives

In this course, you will identify many of the common risks involved in using conventional computing technology, as well as ways to use it safely, to protect yourself from those risks. You will:

  • Identify security compliance measures.
  • Address social engineering attempts.
  • Secure devices such as desktops, laptops, tablets, smartphones, and more.
  • Use the Internet securely.

Outline

Domain 1.0 Compliance

Objective 1.1 Identify organizational security compliance requirements.

  • Types of organizational compliance requirements
    • Password policy
    • Internet usage policy
    • Data protection
    • Personally Identifiable Information (PII)
    • Personal Health Information (PHI)
    • Acceptable Use Policy (AUP)
    • Facility policies
    • Ramifications of non-compliance

Objective 1.2 Identify legal compliance requirements.

  • Types of legal compliance requirements
    • Regulation/law (HIPAA, SOX, GDPR, NISD)
    • Legal consequences of non-compliance

Objective 1.3 Identify industry compliance requirements.

  • Examples of industry compliance requirements
    • PCI DSS
    • ISO 27001
    • NIST

Objective 1.4 Identify security and compliance resources.

  • Organizational compliance resources
    • Handbooks/websites
    • AUP documentation
    • Departments
    • Incident reporting
  • Legal compliance resources
    • Government websites
    • Legal departments
    • Insurance providers
  • Industry compliance resources
    • Industry associations/professional groups

Domain 2.0 Social Engineering

Objective 2.1 Recognize social engineering attacks.

  • Attack vectors (points of entry)
    • Username/password
    • Organizational/personnel information
    • Physical access
    • End-user personal information
    • Email
    • Mobile device
  • Attack goals
    • Data destruction
    • Data theft
    • Financial gain
    • Financial harm
    • Political gain
    • Reputation
    • Revenge
  • High-value targets
    • C-suite
    • Accounting personnel
    • HR personnel
    • IT personnel
  • Attack types
    • Phishing (whaling, spear phishing)
    • Vishing
    • Smishing
    • Pharming
    • Baiting
    • Pretexting
    • Impersonation (CEO fraud), deepfakes
    • Quid pro quo
    • Tailgating/piggybacking
    • Shoulder surfing

Objective 2.2 Defend against social engineering attacks.

  • Resources to defend
    • Organizational hardware/devices
    • Organizational data
    • Network access
    • Premises access
    • User credentials
  • Mitigation techniques
    • Situational awareness
    • Badging systems/security checks
    • Door locks
    • Verification of requests
    • Proper disposal/deletion of sensitive information
    • Continual education/training
    • Communication
    • Compliance audit

Domain 3.0 Device and Data Protection

Objective 3.1 Maintain the physical security of devices.

  • Organizational and personal devices containing potentially sensitive data
    • Laptops/computers
    • Mobile phones
    • Tablets
    • Removable storage
  • Organizational device-security requirements
    • Limiting the devices that have access to sensitive data
    • Credentials
    • Acceptable devices for data storage
    • Disposal/deletion requirements
  • Digital presence
    • Device logs
    • Temporary files
    • Browser history
    • Cached/saved credentials
    • IoT devices
    • Cloud storage
  • Device physical security techniques
    • Proper storage/disposal/recycling
    • Loss/theft reporting
    • Locking unattended machines/devices
    • BYOD controls (Remote wipe functionality, Location detection)

Objective 3.2 Use Secure Authentication Methods.

  • Something you know
    • Passwords/PINs
  • Something you are
    • Biometrics (Finger print, Facial recognition, Retinal/iris scan)
  • Something you have
    • Authentication apps
    • Key fob
    • Tokens
    • Smart cards
  • Authentication best practices
    • Password managers
    • Covert entry (ensure nobody can watch you enter it)
    • Immediately change following breach/incident
    • Secure storage of passwords
    • Critical importance of protecting email passwords
    • Multi-Factor authentication use when possible
    • Complexity compared to sensitivity of data
    • Unique passwords for all sites and systems
    • Avoiding using easy-to-guess passwords
    • Passphrases

Objective 3.3 Adhere to data and sensitive data protection best practices.

  • Data backups/storage locations
  • Mobile device considerations
    • Information leakage through always-on app functionality
    • Accidental or intentional recording of sensitive data
  • Data security techniques
    • Alerts for access/deletion of data
    • Data classification
    • Prohibitions against copying/printing
    • Proper disposal of printed data
    • Prohibitions against removable storage devices
    • Prohibition against mobile devices in designated locations
  • Digital presence considerations
    • Device logs
    • Temporary files
    • Browser history
    • Cached/saved credentials
    • IoT devices
    • Cloud storage

Objective 3.4 Identify potential sources of malware and prevent infection.

  • Malware effects
    • System corruption
    • Spying/logging
    • Distracting/annoying
    • Device performance degradation
    • Data hijacking/ransoming
    • Data destruction
    • Blackmail
    • Advertising
  • Malware types
    • Key logger
    • Ransomware
    • Adware/spyware
    • Trojan horse
    • Virus
    • Worm
    • Browser hijacker
  • Malware sources
    • Trick offers
    • Rogue antivirus
    • Free software scams
    • Software piggybacking
    • Confusing or obscured options (custom installations)
    • Unknown/untrusted download sites
    • Open networks
    • Email attachments
    • Links
    • Scripts in data files/software
    • Advertising banners
    • Infected hardware (USB drives, External hard drives)
  • Malware prevention techniques
    • Careful reading of emails/dialog boxes/offers/pop-ups/etc.
    • Malware prevention software
    • IT approval for software installation
    • Inspection of links before selecting
    • Benefit/risk analysis when installing software
    • General system behavior awareness
    • Use of only known vendors and devices
    • Verified publishers

Objective 3.5 Use wireless devices securely.

  • Common wireless network risks
    • Eavesdropping
    • Unsecure networks
    • Private, Public & Open
    • Rogue access points
    • Evil twins
    • “Remembering” wireless networks
  • Secure wireless device use techniques
    • Public network use prohibitions
    • Encryption (WPA2/WPA3)
    • Securing Wi-Fi passwords
    • Wireless network “forgetting”
    • Evil twin avoidance
    • Misspelled network names
    • Lack of password requirements when they are expected
    • Multiple networks with similar names

Domain 4.0 Online Security and Remote Access

Objective 4.1 Browse the web safely.

  • Well-known browsers
    • Chrome
    • Edge
    • Firefox
    • Safari
  • URL construction
    • HTTP vs. HTTPS
    • Non-encryption vs. encryption
    • Top level domains
    • Domain names
    • Suspicious/spoofed URLs
    • Close spellings/misspellings
  • Safe web browsing techniques
    • Current and updated web browser use
    • Deciphering web addresses
      • Shortened (Bitly)
      • Misspelled
      • Wrong top-level domain (.com vs. .net)
      • Redirect (changed URL)
    • Unknown add-in, plug-in, toolbar avoidance
    • Not clicking/tapping ads and pop-ups
    • Protocol verification
    • URL verification when using links
    • Typing vs. clicking
      • Bookmarking common sites
      • Caution when using mobile devices (URLs not always visible)

Objective 4.2 Use email securely.

  • Common email use risks
    • Frequent social engineering attacks
    • Security concern alerts
    • Requests for user credentials
    • Malware removal/IT support offers
    • Free offers
    • Monetary/inheritance scams
    • Requests for information
    • Fake invoices from debt collectors
    • Fake credit card expiry notifications
    • Urgent requests from supervisor/executive level
    • Malicious attachments
    • High-risk file types
      • ZIP/compressed files
      • .exe
      • JavaScript
    • Attachment policy/regulation compliance
  • Safe email use techniques
    • Imposter identification
    • Sender name vs. email address
    • Subject line topics
    • Tone/voice/grammar of sender
    • Signature lines
    • Unusual/atypical/urgent requests from seemingly valid sources
      • “Bank” asking for password in email
      • “IT” asking for personal info via email
    • Sender verification
    • Call back/meet in person before responding/clicking
    • Email use policy compliance
    • Attachment considerations
      • Approved third-party cloud storage (Dropbox, Box, etc.)
      • Password protected
      • Encrypted

Objective 4.3 Use social networks securely.

  • Social network security considerations
    • Accidental sharing of sensitive information
    • Combined sources of data (multiple platforms, posts, replies, likes, etc.)
    • Disparaging/revealing comments
    • Representing yourself vs. the organization
    • Sensitive information
    • Lack of control over data and sharing
    • Confidentiality
    • Once posted, always online
    • Consent to data sharing
    • Ambiguous/lengthy confusing security settings
    • Opportunities for social engineering
    • Spoofed accounts
    • Hacked accounts
    • Strong authentication
    • Password
    • Multi-Factor Authentication (MFA)
  • Safe social networking techniques
    • Alignment with organizational social networking usage and policies
    • Thorough research and configuration of security and privacy settings
    • Caution with sharing any potentially sensitive or reputation-damaging information
    • Security of credentials
    • Social engineering awareness
    • Verify connections
    • Verification of content
      • Fact checking

Objective 4.4 Use cloud services securely.

  • Cloud service risks
    • Cloud service spoofing
    • Vendor changes
    • Acquisitions/mergers
    • Out of business
    • Mixing up work and private accounts (digital storage location)
    • Compromising credentials
    • Data persistence
  • IoT device considerations
    • Data collection
  • Safe cloud service use techniques
    • Organizational approval for all cloud-based storage
    • Local backups
    • Extra credential vigilance
    • Secure network connection

Objective 4.5 Work from remote locations securely.

  • Connecting securely
    • VPN
    • Scanning for vulnerabilities (Health check)
    • Antivirus software
  • Home network security
    • Password sharing
    • Updated router firmware
  • Separate professional and personal
    • Separate network
    • Devices
    • Data
    • Cloud storage
  • Remote management/managed device
  • Smart home devices
    • Access point for network entry
    • Shut down smart home devices
  • Collaboration platforms
    • Personal accounts vs. corporate accounts
    • Background
    • Recording
    • Authentication
    • Access to microphone/ video
    • Sharing settings

The CyberSAFE CBS-410 credential is valid for 1 year from the time the certificate is granted. To maintain a continuously valid certification, you must take the Recertification Credential for CyberSAFE, or the most up-to-date version of the CyberSAFE credential, before the end of the 1-year period.


What's included

  • Exam included

Frequently asked questions

How can I create an account on myQA.com?

There are a number of ways to create an account. If you are a self-funder, simply select the "Create account" option on the login page.

If you have been booked onto a course by your company, you will receive a confirmation email. From this email, select "Sign into myQA" and you will be taken to the "Create account" page. Complete all of the details and select "Create account".

If you have the booking number you can also go here and select the "I have a booking number" option. Enter the booking reference and your surname. If the details match, you will be taken to the "Create account" page from where you can enter your details and confirm your account.

Find more answers to frequently asked questions in our FAQs: Bookings & Cancellations page.

How do QA’s virtual classroom courses work?

Our virtual classroom courses allow you to access award-winning classroom training, without leaving your home or office. Our learning professionals are specially trained on how to interact with remote attendees and our remote labs ensure all participants can take part in hands-on exercises wherever they are.

We use the WebEx video conferencing platform by Cisco. Before you book, check that you meet the WebEx system requirements and run a test meeting (more details in the link below) to ensure the software is compatible with your firewall settings. If it doesn’t work, try adjusting your settings or contact your IT department about permitting the website.

How do QA’s online courses work?

QA online courses, also commonly known as distance learning courses or elearning courses, take the form of interactive software designed for individual learning, but you will also have access to full support from our subject-matter experts for the duration of your course. When you book a QA online learning course you will receive immediate access to it through our e-learning platform and you can start to learn straight away, from any compatible device. Access to the online learning platform is valid for one year from the booking date.

All courses are built around case studies and presented in an engaging format, which includes storytelling elements, video, audio and humour. Every case study is supported by sample documents and a collection of Knowledge Nuggets that provide more in-depth detail on the wider processes.

When will I receive my joining instructions?

Joining instructions for QA courses are sent two weeks prior to the course start date, or immediately if the booking is confirmed within this timeframe. For course bookings made via QA but delivered by a third-party supplier, joining instructions are sent to attendees prior to the training course, but timescales vary depending on each supplier’s terms.

When will I receive my certificate?

Certificates of Achievement are issued at the end of the course, either as a hard copy or via email.
