While cybersecurity may appear to be a complicated subject, it is ultimately all about people. The Office of Technology (OTECH), in collaboration with CISA and its partners, is focusing on the “people” aspect of cybersecurity. This website provides information and resources to help educate Government of Guam employees and the general public so that individuals and organizations can make smart decisions – on the job, at home, or at school – now and in the future.
Cybersecurity Awareness Training
The Office of Technology is committed to protecting the confidentiality and security of the IT infrastructure, edge devices, networks, and data of the forty (40) Government of Guam line agencies. Our Chief Technology Officer, Frank Lujan, understands the importance of identifying, securing, and mitigating threat vectors to protect the Government of Guam’s cyber borders and critical infrastructure.
OTECH recognizes that every Gov Guam user is our first line of defense against cybercriminals and state-sponsored threat actors. We all need to do our part in strengthening our cyber defenses. Even as we purchase new technology and upgrade our infrastructure, cybersecurity awareness remains essential to deterring data breaches, downtime, and other cyber incidents.
1. Watch (9) Cybersecurity Awareness Training Videos
2. Read all (4) Cybersecurity Informational Flyers
3. Read about all (10) of the most common cyber attacks.
4. Take the Cyber Awareness Quiz
Cybersecurity Awareness Training Videos
Cybersecurity Informational Flyers
Top 10 Most Common Cyber Attacks
Using MFA protects your account far better than a username and password alone. According to Microsoft, users who enable MFA are 99% less likely to have their accounts compromised. Why? Because even if one factor (such as your password) is stolen, an unauthorized user still cannot satisfy the second authentication requirement and is stopped from gaining access to your account. One caveat: not all second factors are equal. A one-time code sent by text message can still be intercepted or phished in real time, so an authenticator app (or a hardware security key) is the stronger choice where one is offered.
It goes by many names: Two-Factor Authentication, Multi-Factor Authentication, Two-Step Authentication, MFA, 2FA. They all refer to confirming that we are who we say we are online with a combination of at least two of: something we have, something we know, and something we are. Your bank, your social media network, your school, your workplace… they all want to make sure that you are the one accessing your information and, more importantly, to prevent unauthorized individuals from accessing your account and data.
So, OTECH is taking a step to double-check. Instead of asking only for something you know (e.g., a password), which can be reused, cracked, or stolen, OTECH verifies that it is you by asking for two separate pieces of evidence:
We are asking for something you know …. like a password or a PIN, along with
Something you have …. like an authentication application or a confirmation text on your phone.
Two steps are harder for a hacker to compromise. So, prove it’s you with two … two steps, that is.
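The following is an added example, not OTECH’s own login code and not part of the original page, showing in working Python how the “something you have” factor produced by an authenticator app is generated and then checked together with the password. The user record, the password and the salt are constructed; the shared secret is the RFC 4226 / RFC 6238 test-vector key so that the codes can be checked against the RFCs; `hotp`, `totp`, `verify_login` and `demo` are names chosen for this illustration.

```python
"""Added illustration of the "something you have" factor: a TOTP authenticator app.

Example code written for this page, not OTECH's login system. The user record, salt
and password are constructed; the TOTP secret is the RFC 4226 / RFC 6238 test-vector
key so the codes can be checked against the RFCs."""
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock. Phone and server agree
    on the code without the secret ever being sent over the network."""
    return hotp(secret, int(at_time // step))


def hash_password(password: str, salt: bytes) -> bytes:
    """Server-side password storage: salted PBKDF2, never the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_login(record: dict, password: str, code: str, at_time: float, window: int = 1) -> bool:
    """Login succeeds only if BOTH factors match.

    Codes from +/- `window` time steps are accepted to absorb clock drift between phone
    and server. Both factors are always evaluated so a failure does not reveal which one
    was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    step_now = int(at_time // STEP)
    code_ok = False
    for delta in range(-window, window + 1):
        if step_now + delta < 0:
            continue
        if hmac.compare_digest(hotp(record["totp_secret"], step_now + delta), code):
            code_ok = True
    return pw_ok and code_ok


# Constructed user record (not real credentials). In practice the TOTP secret is shared
# once, by QR code, when the user enrolls their authenticator app.
SALT = b"constructed-salt"
SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector key
USER = {"salt": SALT, "pw_hash": hash_password("correct horse", SALT), "totp_secret": SECRET}


def demo() -> dict:
    """Three login attempts at the RFC 6238 test time (t = 59 s, counter 1, code 287082)."""
    now = 59.0
    genuine_code = totp(SECRET, now)   # what the user's authenticator app displays
    return {
        "user_with_password_and_app": verify_login(USER, "correct horse", genuine_code, now),
        "attacker_with_stolen_password_only": verify_login(USER, "correct horse", "000000", now),
        "attacker_with_code_but_wrong_password": verify_login(USER, "guess", genuine_code, now),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'access granted' if ok else 'denied'}")
```

Run it and the first scenario is granted while both attacker scenarios are denied: a stolen password alone produces no valid code, because each code is an HMAC over the current 30-second counter keyed with a secret that exists only on the phone and the server. It also shows the limit of this kind of MFA: an attacker who phishes both your password and the code you just typed has only the current time step (plus the drift window) in which to use it, which is why the code should never be given out over the phone or typed into a site reached from an email link.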
10 Most Common Cyber Attacks:
1) Ransomware Attack
|Information / Links|
|What is Ransomware?||Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering those files and the systems that rely on them unusable. Malicious actors then demand a ransom in exchange for decryption. Ransomware actors often also exfiltrate data before encrypting and threaten to sell or leak the stolen data or authentication information if the ransom is not paid.|
|What can I do to prevent a ransomware attack?||https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf|
|What to do when you are a victim of ransomware?||1. See “Section 2” of the ransomware Guide: https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf
2. Disconnect the affected device from the network (unplug the network cable or turn off Wi-Fi), but do not wipe or reinstall it and do not pay; leave it for IT to examine.
3. Immediately call your IT Dept. and email incident details to firstname.lastname@example.org.|
|Training / Resources:||https://www.cisa.gov/stopransomware/training
Cybersecurity in a Flash: Ransomology Training video|
2) Phishing and Spear Phishing Attack
|Information / Links|
|What is a Phishing Attack?||A phishing attack is the practice of sending emails that appear to come from trusted sources with the goal of obtaining personal information or influencing users to take some action. It combines social engineering and technical trickery. The email may carry an attachment that loads malware onto your computer, or a link to an illegitimate website that tricks you into downloading malware or handing over your personal information or credentials.|
|What is a Spear Phishing Attack?||Spear phishing is a highly targeted form of phishing. Attackers research their targets and craft messages that are personal and relevant, which makes spear phishing hard to identify and even harder to defend against. One of the simplest techniques is email spoofing, where the information in the “From” section of the email is falsified so the message appears to come from someone you know, such as your management or a partner company; a closely related trick is a look-alike sender address that differs from the real one by a single character. Another technique used to add credibility is website cloning: attackers copy a legitimate website to fool you into entering personally identifiable information (PII) or login credentials.|
|What can I do to prevent a phishing attack?||To reduce the risk of being phished, use these techniques:
* Critical thinking — Do not accept that an email is genuine just because you are busy or stressed or have 150 other unread messages in your inbox. Stop for a minute and analyze the email. Urgency (“your account will be closed today”) and requests for credentials, payments, or gift cards are the hallmarks of a phish.
* Hovering over the links — Move your mouse over the link, but do not click it! The real destination appears in the status bar or tooltip; compare it with the address the email shows. Read the hostname from right to left: in a link such as portal.agency.example.login-agency.example the site you would actually visit is login-agency.example, not agency.example.
* Analyzing email headers — Email headers record how an email reached your mailbox. The “Reply-To” and “Return-Path” addresses should use the same domain as the “From” address. A mismatch on a message that asks for credentials or a payment is a strong warning sign, although newsletters and mailing-list services legitimately set Return-Path to their own domain, so treat a mismatch as a reason to verify rather than as proof of an attack.
* Sandboxing — Attachments and links can be tested in a sandbox environment that logs what happens when the file is opened or the link is followed. This is a job for your IT department: if you are unsure about a message, do not open the attachment yourself; report it to your IT Dept. instead.|
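As an added example, not an OTECH tool and not part of the original page, the script below performs the “hover over the link” and “analyze the headers” checks from the list above on a raw email: it compares the Reply-To and Return-Path domains with the From domain and, for every link in the HTML body, compares the visible text with the real href destination. Both messages, the domains agency.example (the employer) and login-agency.example (the attacker’s look-alike), and the function names are constructed for the illustration; the domain comparison keeps the last two labels of the hostname, a simplification of the Public Suffix List check that real tooling would use.

```python
"""Added example: automating the "hover over the link" and "check the headers" checks.

Illustrative code written for this page, not an OTECH tool. Both messages are constructed
samples using reserved .example domains: agency.example plays the legitimate employer
domain and login-agency.example the attacker's look-alike."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = b"""From: "IT Help Desk" <helpdesk@agency.example>
Reply-To: helpdesk-reset@login-agency.example
Return-Path: <bounce@login-agency.example>
To: employee@agency.example
Subject: Action required: your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Reset it here:</p>
<a href="http://portal.agency.example.login-agency.example/reset">https://portal.agency.example/reset</a>
</body></html>
"""

CLEAN = b"""From: "IT Help Desk" <helpdesk@agency.example>
Reply-To: helpdesk@agency.example
Return-Path: <helpdesk@agency.example>
To: employee@agency.example
Subject: Reminder: awareness training due Friday
Content-Type: text/html; charset=utf-8

<html><body><p>Complete it at <a href="https://training.agency.example/">the training portal</a>.</p></body></html>
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: production code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg, name: str) -> str:
    """Registered domain of the address in a header such as From, Reply-To or Return-Path."""
    value = msg.get(name)
    if not value:
        return ""
    _, addr = parseaddr(str(value))
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the href is what hovering reveals, the text is
    what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw: bytes) -> list:
    """Return the red flags found in a raw RFC 5322 message (empty list = none found).
    A non-empty result means "stop and verify", not proof of an attack: mailing-list
    and bulk-mail services legitimately set Return-Path to their own domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom = header_domain(msg, "From")
    for hdr in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, hdr)
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for href, text in extractor.links:
            target = registered_domain(urlparse(href).hostname or "")
            shown = urlparse(text).hostname if "://" in text else None
            if shown and registered_domain(shown) != target:
                # The classic hover mismatch: the visible URL and the real destination differ.
                flags.append(f"link text shows {shown} but points to {target}")
            elif target and target != from_dom:
                flags.append(f"link points to {target}, outside the sender domain {from_dom}")
    return flags


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, analyze(sample) or ["no red flags"])
```

analyze(PHISH) returns three findings (a Reply-To domain and a Return-Path domain that differ from the From domain, and a link whose visible URL differs from its destination); analyze(CLEAN) returns an empty list. The link check is the same one you do by hand when hovering: the browser will go to the hostname the href actually names, and a hostname is read from right to left, so portal.agency.example.login-agency.example belongs to login-agency.example no matter how much of agency.example the attacker pastes in front of it.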
3) Man-in-the-middle (MitM) Attack
4) Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
5) Drive-by Attack
6) Password Attack
|Information / Links|
|What is a Password Attack?||Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach. A person’s password can be obtained by looking around their desk, “sniffing” the network connection to capture unencrypted passwords, using social engineering, gaining access to a password database, or outright guessing. Guessing can be done in either a random or a systematic manner:
* Brute-force password guessing means trying candidate passwords one after another, whether at random or exhaustively over every combination, and hoping that one works. Some logic can be applied by trying passwords related to the person’s name, job title, hobbies, or similar items.
* In a dictionary attack, a list of common passwords is used to attempt to gain access to a user’s computer and network. Online, the list is tried against the login form. Offline, the attacker copies the file in which the system stores password hashes, hashes each dictionary word with the same algorithm, and compares the results; any match reveals the password. Unsalted, fast hashes make this cheap, because each word need only be hashed once to be checked against every account in the file.
|What can I do to prevent a password attack?||To protect accounts from online dictionary or brute-force attacks, implement an account lockout policy that locks the account after a small number of invalid password attempts (or progressively slows down repeated attempts). Lockout does not help once an attacker has a copy of the password database, because the guessing then happens offline; for that case the defenses are long, unique passwords, salted slow password hashing on the server, and MFA. You can follow these password policy best practices.|
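An added example written for this page (not OTECH’s systems, and not part of the original text) that works through both halves of the section above in Python: an offline dictionary attack against a constructed password file, which shows why an unsalted fast hash costs the attacker one hash computation per word for the whole file while a salted slow hash costs one per word per user, and an account lockout policy of the kind recommended, applied to online guesses. The usernames, passwords, word list, salts and the names `dictionary_attack`, `check_password` and `LoginGuard` are all constructed for the illustration.

```python
"""Added example for the dictionary attack and the account lockout defense.

Illustrative code written for this page, not OTECH's systems. The password "database",
usernames, passwords, salts and word list are all constructed."""
import hashlib
import hmac

# Constructed word list, standing in for the millions of entries in a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Guam2024", "qwerty", "welcome1"]


def weak_hash(password: str) -> str:
    """Unsalted fast hash: the weak storage pattern the dictionary attack exploits."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> str:
    """Per-user salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed password file as an attacker might copy it. Not real accounts.
PASSWORD_DB = {
    "alice": {"scheme": "sha256", "salt": b"", "hash": weak_hash("Guam2024")},
    "bob":   {"scheme": "sha256", "salt": b"", "hash": weak_hash("k7#Vq!2mZ9pL$wE4")},
    "carol": {"scheme": "pbkdf2", "salt": b"salt-carol", "hash": strong_hash("Guam2024", b"salt-carol")},
}


def dictionary_attack(db: dict, wordlist: list) -> tuple:
    """Offline attack: hash each candidate the same way the file does and compare.
    Returns (cracked passwords by user, number of hash computations needed)."""
    ops = 0
    # Unsalted hashes are computed ONCE per word and then looked up for every user.
    lookup = {}
    for word in wordlist:
        lookup[weak_hash(word)] = word
        ops += 1
    cracked = {}
    for user, rec in db.items():
        if rec["scheme"] == "sha256":
            if rec["hash"] in lookup:
                cracked[user] = lookup[rec["hash"]]
        else:
            # A per-user salt forces a fresh slow computation for each user and each word.
            for word in wordlist:
                ops += 1
                if hmac.compare_digest(strong_hash(word, rec["salt"]), rec["hash"]):
                    cracked[user] = word
                    break
    return cracked, ops


def check_password(user: str, password: str) -> bool:
    """Server-side check used by the online login path."""
    rec = PASSWORD_DB.get(user)
    if rec is None:
        return False
    if rec["scheme"] == "sha256":
        candidate = weak_hash(password)
    else:
        candidate = strong_hash(password, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])


class LoginGuard:
    """Account lockout policy for ONLINE guessing: after `max_attempts` failures within
    `window` seconds, reject every attempt (even a correct one) for `lockout` seconds."""

    def __init__(self, verify, max_attempts: int = 5, window: int = 300, lockout: int = 900):
        self.verify = verify
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = {}      # user -> timestamps of recent failed attempts
        self.locked_until = {}  # user -> time at which the lockout ends

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'fail' or 'locked'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.verify(user, password):
            self.failures.pop(user, None)
            return "ok"
        recent = [t for t in self.failures.get(user, []) if now - t < self.window] + [now]
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            self.failures.pop(user, None)
            return "locked"
        self.failures[user] = recent
        return "fail"


if __name__ == "__main__":
    print(dictionary_attack(PASSWORD_DB, WORDLIST))
    guard = LoginGuard(check_password, max_attempts=3)
    for t, pw in ((0, "123456"), (1, "password"), (2, "letmein"), (3, "Guam2024"), (903, "Guam2024")):
        print(t, guard.attempt("alice", pw, t))
```

Running it cracks alice (weak hash, common password) with the six hashes shared by the whole file and carol (salted slow hash, but still a common password) with four more, while bob survives because his password is not in the list. That is the lesson of the offline case: salting and slow hashing raise the attacker’s cost per account, but only a password that appears in no list is actually safe. The lockout demo shows three wrong guesses locking the account so that even the correct password is refused until the lockout expires. A lockout policy can itself be abused to lock real users out, which is why many systems prefer progressive delays or per-source rate limiting, and it does nothing against the offline attack in the first half of the example.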
7) SQL Injection Attack
8) Cross-site scripting (XSS) Attack
9) Eavesdropping Attack
10) Malware Attack
ONLINE SERVICE DESK
We provide IT support services to all Government of Guam line agencies. Please use the following application to submit your service request.