DoD Cyber Awareness Challenge 2024 - Cyber Villagers (2024)

Today I want to tell you about an awesome free resource that can help level up your organization’s cyber skills – the DoD Cyber Awareness Challenge 2024.

In case you didn’t know, the Department of Defense puts out a cyber awareness challenge every year that’s completely unclassified and available to the public. That means your business can take advantage of this top-notch training content completely free of charge!

The challenge consists of informational modules and quizzes covering all aspects of cybersecurity best practices. The content is expertly designed by DoD cyber pros to help learners understand current cyber threats and how to protect against them.

Cyber Awareness Challenge 2024 Topics

• Unclassified Information
• Sensitive Compartmented Information
• Classified Information
• Physical Facilities
• Government Resources
• Identity Authentication
• Malicious Code
• Social Engineering
• Removable Media
• Mobile Devices
• Social Networking
• Website Use
• Identity Management
• Insider Threat
• Telework
• Home Computer Security

The content is organized into ‘Missions’, each with engaging videos, scenarios, and knowledge checks to reinforce the concepts.

When they complete the challenge, they receive a nifty certificate of completion to celebrate their new cyber skills! This can not only boost team morale but also help your organization benchmark cyber readiness.

Investing in comprehensive cybersecurity awareness training can be daunting for a small or medium business. That’s what makes the DoD Cyber Awareness Challenge such an invaluable opportunity. It allows you to tap into military-grade training materials at no cost!

Cyber Awareness Challenge 2024 Questions and Answers

We’ve taken the challenge and listed the questions and answers below. We’ve included some additional explanations from their resources, which we hope you find helpful.

Unclassified Information

Unclassified is a designation to mark information that does not have the potential to damage national security (i.e., not been determined to be Confidential, Secret, or Top Secret).

DoD Unclassified data:

• Must be cleared before being released to the public
• May require the application of Controlled Unclassified Information (CUI) access anddistribution controls
• Must be clearly marked as Unclassified or CUI if included in a classified document orclassified storage area
• If aggregated, the classification of the information may be elevated to a higher levelof sensitivity or even become classified
• If compromised, could affect the safety of government personnel, missions, andsystems

Your meeting notes are Unclassified. This means that your notes

• Do not have the potential to damage national security.

What type of information does this Personnel Roster represent?

• Controlled Unclassified Information (CUI)

When e-mailing this personnel roster, which of the following should you do?

• Encrypt the PII
• Digitally sign the e-mail
• Use your government e-mail account

Sensitive Compartmented Information

Sensitive Compartmented Information (SCI) is a program that segregates various types of classified information into distinct compartments for added protection and dissemination or distribution control. SCI introduces an overlay of security to Top Secret, Secret, and Confidential information. To be granted access to SCI material, one must first have TOP SECRET clearance and be indoctrinated into the SCI program. There are explicit indoctrinations for each compartment under the SCI program umbrella. The Director of National Intelligence has overarching authority concerning SCI policy.

SCI markings, or caveats, identify the specific compartment or compartments with which the material is affiliated. These caveats define the separation of SCI classified material from collateral classified material. Information that requires a formal need-to-know determination, also known as a special access authorization, exists within Sensitive Compartmented Information.

Select an action to take in response to compromised Sensitive Compartmented Information (SCI).

• Call your security point of contact (POC)

Clue: Dr. Dove printed a sensitive document and retrieved it promptly from the printer.

• No

Clue: Col. co*ckatiel worked on an unmarked document on the classified network.

• Yes

Clue: Mr. Macaw and a colleague had a conversation about a shared project in the SCIF after verifying no one was nearby.

• No

Which of these individuals demonstrated behavior that could lead to the compromise of SCI?

• Col. co*ckatiel

Classified Information

Classified data are designated by the original classification authority as information thatcould reasonably be expected to cause a given level of damage to national security ifdisclosed:

• Confidential – damage to national security
• Secret – serious damage to national security
• Top Secret – exceptionally grave damage to national security

Classified data:

• Must be handled and stored properly based on classification markings and handlingcaveats
• Can only be accessed by individuals with all of the following:
  • Appropriate clearance
  • Signed and approved non-disclosure agreement
  • Need-to-know

Select an area to work on a classified Document

• Designated security area

Physical Facilities

Physical security protects the facility and the information systems/infrastructure, both inside and outside the building. To practice good physical security:

• Know and follow your organization’s policy on:
  • Gaining entry
  • Securing work are
  • Responding to emergencies
• Use your own security badge/key code. Note that your Common Access Card(CAC)/Personal Identity Verification (PIV) card is sometimes used as a facility accessbadge.
• Don’t allow others access or to piggyback into secure areas
• Challenge people without proper badges
• Report suspicious activity
• Protect access rosters from public view (e.g., do not take them home or post them inpublic spaces, such as bulletin boards)

Which of the following poses a physical security risk?

• Posting an access roster in public view

Which of the following must you do when using an unclassified laptop in a collateral classified environment?

• Disable the embedded camera, microphone, and Wi-Fi
• Use government-issued wired peripherals

Which of the following must you do when working in a SCIF?

• Verify that all personnel in listening distance have a need-to-know
• Ensure that monitors do not provide unobstructed views
• Escort uncleared personnel and warn others in the SCIF

Government Resources

Ethical use of government-furnished equipment (GFE):

• Use GFE for official purposes only
• Don’t allow unauthorized users to use your GFE
• Don’t view or download p*rnography
• Don’t gamble on the Internet
• Don’t conduct private business/money-making ventures
• Don’t load or use personal/unauthorized software or services, such as DropBox orpeer-to-peer (P2P) software
  • P2P software can compromise network configurations, spread viruses andspyware, and allow unauthorized access to data
• Only use streaming video and audio for official business and in accordance with yourorganization’s policy
• Don’t illegally download copyrighted programs or material
• Don’t make unauthorized configuration changes
• Only check personal e-mail if your organization allows it
• Don’t play games unless allowed by your organization to do so on personal time
• Always physically secure your device, including when working from home

Note: All DoD-owned devices are subject to monitoring. When you use these devices, you authorize the monitoring of your activity on these devices.

Is this an appropriate use of government-furnished equipment (GFE)?

• No

This is not an appropriate use of GFE. Why?

• You should not use government e-mail to sell anything.
• You should use a digital signature when sending hyperlinks.
• You should not use unauthorized services, such as file-share services, on GFE.

Identity Authentication

For identity authentication, the Department of Defense (DoD) is moving toward using two-factor authentication wherever possible. Two-factor authentication combines two out of thethree types of credentials to verify your identity and keep it more secure:

• Something you possess, such as a Common Access Card (CAC)
• Something you know, such as your Personal Identification Number (PIN)
• Something you are, such as a fingerprint or other biometrics

Use two-factor authentication wherever possible, even for personal accounts. For example,some widely used personal services (like Google) offer two-factor authentication.

When using passwords at work or at home, create strong passwords:

• Combine letters, numbers, and special characters
• Do not use personal information
• Do not use common phrases or dictionary words in any language
• Do not write down your password; memorize it
• Follow your organization’s policy on:
  • Password length
  • Frequency of changing your password: best practice is at least every 3 months
• Avoid using the same password between systems or applications

Select the individual who securely authenticates their identity.

• Alex

Malicious Code

Malicious code can do damage by corrupting files, encrypting or erasing your hard drive,and/or allowing hackers access. Malicious code includes viruses, Trojan horses, worms,macros, and scripts. Malicious code can be spread by e-mail attachments, downloading files,and visiting infected websites.

How can malicious code spread? Select all that apply. Then select submit.

• E-mail attachments
• Downloading files
• Visiting infected websites

How can you prevent the download of malicious code?Select all that apply. Then select submit.

• Scan external files before uploading to your device
• Research apps and their vulnerabilities before downloading

Which of the following may indicate a malicious code attack?

• A new app suddenly appears on the device.
• The device slows down.
• A new tab appears in the Web browser.

Social Engineering

Social engineers use telephone surveys, e-mail messages, websites, text messages,automated phone calls, and in-person interviews. To protect against social engineering:

• Do not participate in telephone surveys
• Do not give out personal information
• Do not give out computer or network information
• Do not follow instructions from unverified personnel
• Document interaction:
  • Verify the identity of all individuals
  • Write down the phone number
  • Take detailed notes
• Contact your security POC or help desk
• Report cultivation contacts by foreign nationals

Storage Quota Exceeded – How many social engineering indicators are present in this e-mail?

• 3+

Approved Software List – How many social engineering indicators are present in this e-mail?

• 3+

Removable Media

Removable media include flash media, such as thumb drives, memory sticks, and flash drives; external hard drives; optical discs (such as CDs, DVDs, and Blu-rays); and musicplayers (such as iPods). Other portable electronic devices (PEDs) and mobile computingdevices, such as laptops, fitness bands, tablets, smartphones, electronic readers, andBluetooth devices, have similar features. The same rules and protections apply to both

You find an unlabeled thumb drive in the parking area outside your workplace. What should you do?

• Turn it in to your security officer

Mobile Devices

To protect data on your mobile computing and portable electronic devices (PEDs):

• Lock your laptop/device screen when not in use and power off the device if you don’tplan to resume use in the immediate future
• Enable automatic screen locking after a period of inactivity
• Encrypt all sensitive data on laptops and on other mobile computing devices whenpossible
• At a minimum, password protect Government-issued mobile computing devices; usetwo-factor authentication if possible
• Secure your personal mobile devices to the same level as Government-issuedsystems
• Understand your organization’s policy for using commercial cloud applications (e.g.,Dropbox, Drive, etc.)
• Maintain visual or physical control of your laptop and mobile devices at all times andespecially when going through airport security checkpoints
• Have a strategy for addressing a potential “authority situation” (e.g., police whowant to inspect devices coincident with a traffic stop or an airport TSA agent check)
• If lost or stolen, immediately report the loss to your security POC

Which payment method poses the least risk?

• Cash

Which method of getting online poses the least risk?

• Approved mobile hotspot

Which action will keep DoD data the safest?

• Leave the coffee shop

Social Networking

Follow information security best practices at home and on social networking sites. Be awareof the information you post online about yourself and your family. Sites own any contentyou post. Once you post content, it can’t be taken back. The social networking app TikTok isbanned on all Government devices

Everyone should see the new superhero movie! The special effects are fantastic on the big screen!

• Delete

Select an action to take with this friend request

• Deny

Select an action to take with this post on your feed

• Keep scrolling

Website Use

Internet hoaxes clog networks, slow down internet and e-mail services, and can be part of adistributed denial of service (DDoS) attack. To protect against internet hoaxes:

• Use online sites to confirm or expose potential hoaxes
• Don’t forward e-mail hoaxes
• Follow your organization’s policies on loading files onto workstations and laptops

Select an action to take with this e-mail:

• Research Claim

Identity Management

To protect your identity:

• Ask how information will be used before giving it out
• Pay attention to credit card and bank statements
• Avoid common names/dates for passwords and PINs
• Never share passwords and PINs
• Pick up mail promptly
• Do not leave outgoing postal mail in personal or organizational mailboxes, unlesssecured with a locking mechanism
• Shred personal documents
• Refrain from carrying SSN card and passport
• Order credit report annually

To respond to identity theft if it occurs:

• Contact credit reporting agencies
• Contact financial institutions to cancel accounts
• Monitor credit card statements for unauthorized purchases
• Report the crime to local law enforcement

Voice-activated smart devices can collect and share your personal information.

• True

The best way to keep your passport safe is to carry it with you.

• False

You should monitor your credit card statements for unauthorized purchases.

• True

Insider Threat

An insider threat uses authorized access, wittingly or unwittingly, to harm national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in the loss or degradation of resources or capabilities.

Insiders are able to do extraordinary damage to their organizations by exploiting theirtrusted status and authorized access to government information systems.

In one report on known U.S. spies, these individuals:

• Demonstrated behaviors of security concerns: 80% of the time
• Experienced a life crisis: 25% of the time
• Volunteered: 70% of the time

Although the vast majority of people are loyal and patriotic, the insider threat is real and wemust be vigilant in our efforts to thwart it.

Does Bob demonstrate potential insider threat indicators?

• Yes

How should Bob’s colleagues respond?

• Report Bob

Telework

To telework, you must:

• Have permission from your organization
• Follow your organization’s guidance to telework
• Use authorized equipment and software and follow your organization’s policies
• Employ cybersecurity best practices at all times, including when using a VirtualPrivate Network (VPN)
• Perform telework in a dedicated area when at home
• Position your monitor so that it is not facing windows or easily observed by otherswhen in use

Do not remove sensitive documents from your secure workspace to work offsite! Sensitivedocuments, either in hard copy or electronic format, are strictly prohibited. Be sure tosafeguard all data while teleworking.

What step should be taken next to securely telework?

• Secure the area so others cannot view your monitor

Which of these personally-owned computer peripherals may be used with government-furnished recruitment?

• HDMI monitor
• USB keyboard

Does this action pose a potential security risk?

• Yes

Home Computer Security

Defend yourself! Keep your identity secure/prevent identity theft.

When working at home on your computer, follow these best security practices, derived fromthe National Security Agency (NSA) datasheet “Best Practices for Keeping Your HomeNetwork Secure.”

• Turn on the password feature, create separate accounts for each user, and have themcreate their own passwords using a strong password-creation method
• Install all system security updates, and patches, and keep your defenses up-to-date
• Keep antivirus software up-to-date
• Regularly scan files for viruses
• Install spyware protection software
• Turn on firewall protection
• Require confirmation before installing mobile code
• Change default logon ID and passwords for operating system and applications
• Regularly back up and securely store your files

Antivirus Install?

• Yes

Create user profile?

• Yes

Enable firewall?

• Yes

Wrapping Up

A workforce armed with fundamental cyber awareness is one of the best defenses against rapidly evolving cyber threats. Help protect your organization and empower your employees by taking the DoD Cyber Awareness Challenge 2024!

DoD Cyber Awareness Challenge FAQs