 It is running. All right. Hello and welcome to Become a Cyber Security Ninja. Session 10, we are here. We started in January. It is now the very end of May. Well, not very end, we got one more day. But you made it, this is it. And today we're just gonna do a quick wrap up and then launch into our quiz. I think that this will take around a half an hour as these usually have, if it runs a little long, I apologize. But we have 20 total questions to get through. Each question is going to be worth five points. These will be done live in the webinar. So we'll do these all as polls and you'll just answer them in the poll and then we'll call the scores when we're all done. I won't be able to tell you live how you did, but we will within a day or two get back to you and I'll give the answers at the end of each one after we've gone through the answers. You will get all the live answers so you'll know how you did. And you can email me if you think we didn't get it. If you get 80% or better, 80 points or more, you will get a cybersecurity Ninja certificate, a framed cybersecurity Ninja certificate with the name on it from Roundtable Technology. And if you ace this quiz, you will get a $50 Amazon gift certificate and there are no limits on that. If you all ace it, you will all get that. And if no one aces it, then we will probably give one at least to the top three people who score on this. And we'll do it that way if it turns out to be too hard. And without further ado, I think we'll launch into this. Oops, let me get on my right screen here, and that'll probably help. So the Ninja plan, here we are, I'm not gonna take too much time on this except to just celebrate the fact that we are at the end. We have made it through this thing. I, of course, am Josh McCuskey of Roundtable Technology, Roundtable Technology helps nonprofits and small businesses throughout New York and Maine and really all over the country and the world with all kinds of technology issues, including of course, cybersecurity. Our learning objectives today wrap up of the course, certification quiz and celebrate. These, of course, we'll just have one little quick cartoon. I think I showed this before one of the other sessions, but I actually don't recall. These are bad security tips. These are from XKCD. And I've been using, showing this at some of the live trainings that I've been doing. I've just had this sitting on the screen while we're waiting to start at some of the live like cybersecurity or cybersecurity wearing classes that I teach. And it's enjoyable watching people get these really puzzled looks on their face. And then about maybe a third to a half of a typical 50 person audience gets the joke and starts laughing. And the other just look increasingly concerned as they think that these are actually the tips that I'm about to walk them through. It's kind of a mean way to start, I suppose, but there it is. Okay, here's the way we're gonna do this. I have these little summary slides of each session that we did. We'll just show it, talk about it for a minute and then we'll have either two or three questions on each session that we went through. Session one, we covered threat modeling and risk assessment. And we talked about how to perform a basic risk assessment. We talked about how to understand and think about different type of risks that you may have. We talked about thinking about your organization's security posture, meaning are you a really, really secure aware organization? Do you have a lot of security concerns or are you kind of generally pretty mellow and pretty chill and kind of things that are somewhere in between? And one of the really key questions around cybersecurity as you identify your risks and think about what it would take to mitigate how much effort are you and your organization willing to expend to protect information that you have? And with that, we're gonna go ahead and have our first question. And here we go. All right, so the first one is, according to the Electronic Frontier Foundation, I apologize, we'll have these in shorthand. We have 128 character limits here in GoToWebinar. Which of the questions below are good questions to ask when doing threat modeling? And you can pick any or all of these. And I'm going to leave this up until everybody submits an answer. So please go ahead and submit your answer. I would say go ahead and ask questions if you have them. But of course we can't answer questions until after we close the poll. And not quite everybody here has having submitted an answer yet. So we'll wait just a little bit longer and see if everybody can get their answers in. I feel that at some point I'll have to set a time limit on this and I'll leave these open just for a little bit of time. So we'll go about five more seconds on this one. And then I'm going to close this up. According to the EHF, do we have a firewall? What do we want to protect? How much effort can we expend to protect information? Are we being paranoid? How much expertise do we have? I'm going to close this down in three, two, one and here we go. And I'm going to go ahead and share the results of what people answered. And the two answers that are 100% are in fact the two correct answers for how to do how the Electronic Frontier Foundation again does threat modeling, which we did talk about in this first webinar. How much expertise do we have? It's certainly a reasonable question to be asking as is do we have a firewall? But those are not specifically questions that are involved in threat modeling because expertise is more what do we have in terms of resources and safeguards? Same with firewall, what do we have in terms of safeguards? So those are not part of threat modeling. So if you answered that, that's incorrect. But those of you who said, what do we want to protect and how much effort can we expend? Those are correct answers. On to the next one, increase, oh, I'm sorry, we have a little bit of a typo there. It should say increased security results in decreased convenience. Think about that statement and select one of the following. That statement is always true. That statement is always false. That statement is usually true. That statement is usually false. Or that statement is never true. You get to pick one of those answers. Increased security results in decreased convenience. Think about which of those you agree with. That statement's always true. That statement is always false. That statement is usually true. That statement is usually false. And that statement is never true. And we'll leave that open for just a couple of more seconds as people go ahead and select their answers. And we're gonna close it in three, two, and one. And we'll share the results. So we had a bit of a spread here, but most people did get the correct answer here, which is that statement is usually true. Increasing security usually, but not always, results in decreasing convenience. And when you think about security for an organization or an individual, generally you're making trade-offs between convenience and security, not always. And anytime you can increase security and either have a neutral impact on convenience or even improve convenience, which can actually be done in some cases. That's a huge win. But usually you're trading some convenience or increase security. And obviously, these are based on the things that we've taught over the course of the Ninja series. And these are based on what we think are the right answers to these based on everything that we've read and studied and cybersecurity experts that we've talked to. But if you have a strong disagreement about one of these, by all means share that with us, we certainly wanna get increased stuff. All right, so we're gonna go on to another question around threat modeling. This is our, I think we may have one more here actually, which of the organizational qualities below tend to increase cybersecurity risk? So which of the organizational qualities below tends to increase cybersecurity risk? A shoot the messenger culture, limited transparency within the organization. So a secretive or not sharing culture, open communications about observed risks, security awareness training, highly restrictive technology, e.g., no one is allowed to work remotely. So which of these organizational qualities tend to increase cybersecurity risk? And think very hard about this. And one of these, I'm gonna go ahead and give hints, which I probably shouldn't do. One of these is not real intuitive, but I do, we talked about it in the Ninja classes at least a couple of different times. We'll leave this open for just a few more seconds here. We'll give it maybe five more seconds as people are faking hard about this. And if anyone feels like I'm not giving you enough time to answer these, or if you want me to shut up so you can think about it, well, I mean, it's also reasonable just to go ahead and enter into the questions field and just say more time or a shut up or something along those lines. Leave this open for just a few more seconds here. Three, two, one. I'm gonna close that poll. We'll share the results for that one. All right, so we got a bit of a spread here. Everybody with the exception of one person agrees with, or exception of a few people, I'm sorry, agree with Shoot the Messenger as a, something that increases that's absolutely true. Limited transparency is also a correct answer here. Open communication about observed risks decreases risk. That's a good thing if you're trying to improve cybersecurity. Security awareness training is a good thing tends to decrease cybersecurity risk. And that last one was probably the one I would say is counterintuitive. That does tend to increase cybersecurity risk because when you have highly restrictive technology, and this is true all the way up to the US government, that you have what's called shadow IT, where if you don't allow people to use services that they need to perform their job functions, then they will operate outside of your technical controls, outside of your technology infrastructure, and that introduces risk. And for that reason, highly restrictive technology environments generally do increase cybersecurity risk, which is very, not very, but somewhat counterintuitive. So the correct answers here were Shoot the Messenger, limited transparency, and highly restrictive technology. Those were the correct answers. Last one in this area of risk assessment. This is a really important area. This is generally the first thing that we start about. And that's why we have a lot of questions here. What are three ways to categorize information from a cybersecurity standpoint? And some of the responses here I just want to say are not necessarily wrong, but if you attended the cybersecurity ninja training, one of these should look familiar to you and should be a clear, correct answer for you. And so we'll wait to see if people identify that. And there's definitely one answer we're looking for here. And that's pretty straightforward. When we talk about cybersecurity and categorizing information, private to protected and public, high, medium, low, confidentiality, integrity, and availability retain, replicate, and remove in use at rest and in transit. Which of these is the correct answer? Looks like we've got everybody in, great. And we're going to close that poll and we'll share the results. The correct answer was that middle one, confidentiality, integrity, and availability. These other ways are not horrible ways to categorize information, private, protected, public, in use, at rest, in transit. That's actually in relation to encryption as the term that's used when you're talking about encryption of data. But for categorizing from a cybersecurity standpoint, confidentiality, how bad would it be if this information was exposed to someone who wasn't supposed to see it? Integrity, how bad would it be if we lost this information or if the information was changed and we didn't know about it? And availability, how bad would it be if the information was not available to us for some period of time, 24 or 48 hours, couldn't be accessed? Those are those questions. And thank you so much. So got some correct answers. We'll see if anybody's acing it so far, but certainly the majority of people are getting the correct answers for all of these. The next session was session two, basic network security. Talk about if you have a network, many organizations in their operating environments where they don't have a network or they're totally distributed, meaning there is no office or they're in a WeWork or some other co-working location where you actually can still have your own firewall and that's still not a bad idea. But certainly for the majority of organizations that have a network, good idea to have a firewall. If you have a firewall, it's good to have unified threat management. It's good to keep things up to date in terms of your switches, your firewalls, things like that. When I do my cybersecurity assessments, we run vulnerability scans. That is huge. I have yet to find a network that's got all their firewalls, all the switches, all the wireless access points up to date. And that means there's no vulnerabilities on all of those devices. Make your wireless access, your Wi-Fi secure and reliable, perform those vulnerability scans to tell you what's there. An antivirus is okay. We're not opposed to it, but it is by no means a cure-all for your cybersecurity concerns. It has to be in conjunction with lots of other things. And with that, on we go with the quiz. So we're definitely gonna run past 2.30, looking at the pace we're going, but we'll try to keep it rolling here. Unified threat management is, and you can select any or all of these, is a firewall, is a service that runs on some firewalls, can protect networks from intrusion malware or other threats, is a good idea for protecting a network, is too expensive for any small organization to purchase. We'll leave this open for a few more seconds and let people get their answers in. We don't have a lot of answers yet, so I'll keep this open for a bit. And Ben, can you be a favor and just keep an eye on the questions? I've got it between launching the polls and moving the slides. I've got a lot of things. So if anyone comes into the questions, can you flag that for me? I can. All right, thanks. And we'll leave this open for just another moment and let's show the results. Okay, we are a good job here. Is a service that runs on some firewalls is correct? Can protect networks from intrusion malware or other threats is correct? And is a good idea for protecting a network is correct? And no one picked the wrong answers there, which is a firewall and is too expensive. It looks like a couple of people missed the, is a good idea for protecting a network, which was one of the correct answers. But good job on that one, everybody. Next one, which of the options below is the most secure type of encryption for a wireless access point or WAP? Which of the options below is the most secure type of encryption for a wireless access point or WAP? So like one of the following. WEP, WPA, WPA2PSK with AES encryption, two factor encryption, public private key encryption. And let's see what people want to answer to this. We'll keep this open for a little bit longer. Which of the options is the most secure type of encryption for a wireless access point? Give you just a few more seconds on this one. Three, two, one. The vast majority of us got the correct answer, which is WPA2PSK AES encryption. Two factor encryption is unfortunately not a type of, a way at least currently that you can encrypt a wireless network. There's no such thing to the best of my knowledge as two factor encryption. If anyone else knows of a something that goes by two factor encryption, by all means let me know. And WEP and WPA are weaker forms of wireless encryption and public private key encryption is a very strong form of encryption, but not something that you can use on a wireless network. Again, to the best of my knowledge. Next question, a vulnerability scan is, we can select all that apply here. It is a type of penetration test. It is a scan of a network or system for known vulnerabilities. It is a good monthly or quarterly practice. Something it's best to do by yourself. It is too expensive for small organizations to perform. It is a type of penetration test. It is a scan of a network or system for known vulnerabilities, a good monthly or quarterly practice, something it's best to do by yourself. Too expensive for small organizations to perform. We'll leave this open for three, two, one. And let's go ahead and show the results for that one. Okay, yeah, this is a common mistake. A penetration test is a different kind of activity and we have a resource, I believe we provided on this on the differences between vulnerability tests and penetration tests. Penetration test is a much more intrusive and active thing, also more expensive. A vulnerability scan can be done as part of a penetration test, but it's not a type of penetration test. That is a different kind of test and a scan, but it is a scan of a network or system for known vulnerabilities. It is a good monthly or quarterly practice. It is not something it's best to do by yourself. It's definitely good to work with a third party and it is definitely not too expensive. It is typically a hundred or a few hundred dollars per year to do vulnerability scanning, especially for smaller organizations. And I think our next question, yep, our next question relates to our next topic. So let's go ahead. Your past session three, we talked about passwords with the session, your passwords are broken. And the key success factors there, passphrases are very useful, especially when you can't use things like two-factor authentication or password managers to manage your password. If it's something you actually do have to remember, for whatever reason, a passphrase, meaning a long, fully punctuated English sentence or phrase is a really good thing to use as a password. Two-F-A, two-factor authentication on everything you can use it on, using password managers and or single sign-on. And please don't share passwords in plain text, meaning don't email them to people, don't text them to people, don't write them on post-its and hand them to people that it's not a good practice. And we're gonna give you a couple of ninja questions on passwords, it's a fun one. Which of the following passwords is the most secure? There is, by the way, you're welcome to, after the quiz, go ahead and pop these into any password strength checker. If you're not sure that I've given you the right answer, that's what I did. And if you disagree with my answer, then you absolutely should do that. So which is the strongest password, the most secure password? I like cookies. This very complex U, ampersand, percent sign, four, capital M, small z, et cetera. You should pick me because I am the right answer. One, two, three, four, five, six, A, B, C, D, lowercase e, capital F, or password. Which of these is the correct? Everybody's put in an answer, good for you. And we're gonna close that and share the results. The correct answer, we lost a lot of you on this one. I had a feeling that was gonna happen. The correct one, and we just talked about passphrases, is you should pick me because I am the right answer. And the biggest reason why that's the best password is because it is by far the longest password that is there. Overdouble the length of any of the other passwords that are there, and length is a tremendously important factor in password complexity, and all those spaces in there, qualify as special characters in terms of how password generators work, the period operates as a special character. And you are welcome to take those two passwords, the one that most people go to on this question, and the other one and put them into these password string checkers. Sorry about that, but yeah, passphrases are really good in that way. All right, and here's our next question. What type of authentication is considered most secure by cybersecurity professionals? What's type? So I say which, that probably should have been which type. Which type of authentication is considered most secure by cybersecurity professionals? A password with 16 character alphanumeric minimum, SMS based or text based, two-factor authentication, touch ID or a fingerprint, authenticator based, two-factor authentication, meaning two-factor authentication using an authenticator app, or a password that expires every 48 hours, of course you'd have put in a new password, every 48 hours you have to do a new password. I'm sure everybody would just love that. I think Ben will implement that for round table starting tomorrow. That'll go over well. All right, everybody's answered that one. I'm pretty sure the support team would be at my door with pitchforks. Yeah, exactly. The majority of people did get this one correct. Good job, authenticator based, two-factor authentication is the correct answer here. SMS based would be a very close follow up here, but is a bit weaker than authenticator based app because of the relative ease of intercepting text messages and or spoofing phones for text messaging and that can be a vulnerability there. So the authenticator based app is the best of those. And I think we are on to encryption. Session four, the at pound dollar signs of encryption to ensure privacy, encryption must be implemented properly. Very important, encryption is really, really secure if implemented properly, but that can be a big if. To ensure privacy, it's got to be used in a disciplined manner, meaning I can't email a sensitive document using all my encryption once and then email it two hours later, not using encryption now. That's obviously not going to help me, and encryption will keep it from being shared in that one place but not in the other. And weaknesses in other areas, e.g. my endpoint, my computer is completely owned by some other party then whatever encryption I have on that computer isn't gonna help me a whole heck of a lot because this person can get whatever they want straight from my computer behind the encryption. And that can cause problems. And let's go ahead and get into our encryption questions. We're almost halfway through here in terms of the numbers of questions, everybody. Encryption is, select one or more of the following, a way of sharing information securely, a way of enhancing personal privacy, easy to defeat even if well-implemented, too complicated for use by regular people, a useful tool that significantly degrades system performance. Read this again, encryption is, a way of sharing information securely, a way of enhancing personal privacy, easy to defeat even if well-implemented, too complicated for use by regular people, a useful tool that significantly degrades system performance. Leave that open for just three more seconds, three, two, one. Let's go ahead and share the results here. A way of sharing information securely, absolutely correct. A way of enhancing personal privacy, absolutely the correct answer. The other three are all not true. It is not easy to defeat if well-implemented. It is not too complicated for use by regular people, although that's probably the most subjective answer there, but hopefully we've demonstrated that it can be used by regular people, and it is a useful tool, and in most cases does not degrade at all system performance, and no cases that I know of today significantly degrade system performance. That is a misconception of encryption that we attempted to overcome in our encryption session, but obviously did not 100% overcome, which is okay. Next question. Encrypting mobile devices, select one or more of the following, is easy and usually requires toggling just one-cent settings, makes them run much more slowly. Those of you who have been paying attention, you should. It was a little hit there from my last one. Protects all information, even if the device is not password protected. Sorry for all that shortening there, but we're limiting the character. Encryption protects all information, even if the device is not password protected, is a good idea for most people and makes them water resistant. Doesn't encrypting your mobile device make it water resistant? This is a question. I'm hoping that our ninjas, prospective ninjas are not spending too much time thinking about. We'll leave this open for three more seconds. Three, two up, everybody's in, and let's share the results there. Is easy and usually requires toggling just one setting, that is true. We showed that for iPhones, androids, most laptops, it's usually just the toggle sweating, the toggle sweating, toggle setting, and a restart and you're all good. It does not make them run much more slowly. Here's one, it will not protect the information if the device is not password protected. It will not protect your information if the device is not password protected because the lack of password protection on a device makes it easy to defeat the encryption. That would be a really good example of how encryption not properly implemented is easy to defeat. However, if you did have a strong password on your mobile device and it was encrypted, it would be incredibly difficult to defeat. It's definitely a good idea for most people. I'm really glad to see everybody answering that one and glad that no one thought it added water resistance to a mobile device. The fifth session, session five on the move. We talked about when you're working remotely, when you're traveling, when you're doing all of these things, this is where we started to have these slides for those of you who are in multiple sessions or all of our sessions where we had the things, our experienced ninjas already know. So using two-factor authentication already makes you a lot better when you're moving around. Encrypting your devices already makes you a lot safer. Keeping your devices up to date is another important one. Password protecting your devices is really important. If you have an unlimited data plan or have enough data that it's not a cost problem using your mobile data plan, instead of tethering to your mobile device, instead of using public Wi-Fi is a good idea. You can also use a VPN or a virtual private network. And you can also consider MDM or mobile device management solutions if your organization can support those. Let's go with some of our questions around. Mobile working, virtual private networking is a good way to improve security when using public Wi-Fi. It's too difficult for most people to use. It's a useful tool for working remotely. It's used primarily by cyber criminals. It's a guaranteed way to hide your identity online. Virtual private networking is a good way to improve security when using public Wi-Fi. Too difficult for most people to use. A useful tool for working remotely used primarily by cyber criminals. A guaranteed way to hide your identity online. And we'll close that up. Realize that I'm reading all of these out loud that if there was anyone that was a really experienced like SAT study person who did SAT tutoring, like the way that I've praised a lot of these responses is a dead giveaway. Or maybe not a dead giveaway, but a giveaway for someone. Okay, good way to improve security when using public Wi-Fi, absolutely correct. Too difficult for most people to use. False, excellent. Useful tool for working remotely. 100% of people got that, great. And used primarily by cyber criminals, not true. Guaranteed way to hide your identity online. That's where that phrasing comes in. It is a way that you can hide your identity online. Absolutely not a guaranteed way though. You can certainly use a VPN and still expose your identity online in all sorts of ways. So it's not a guaranteed way. But other than that, everybody, great job on that one. Okay, I think that takes us to our next slide. Key success factors, gone fishing and ransomware. The key success factors here is train your staff, train your people, have security awareness training, teach people about fishing and social engineering and those kinds of things. And then because we go to ransomware here, best practice for ransomware, backups, backups, cloud-based backups tend to trump other types of backups in terms of being protected against ransomware. And other best practices, patch management, account hygiene, network security, access controls. Incidentally, every single one of these things would have been really helpful defenses against the wanna cry malware that went around. If you did all of these things well, it's almost impossible that you would have been compromised by wanna cry. And you'd be very protective, especially the patch management since they were all known vulnerabilities. And train your people, then you wouldn't have had the fishing come in the first place. That's all good stuff. All right, so let's launch our question here. Which qualities are signs of possible social engineering? Select all that apply. Initiation, emoticons, urgency, empathy, fear. Which qualities are signs of possible social engineering? And select the correct ones here. Initiation, emoticons, urgency, empathy, fear. Which ones do we think are the correct ones here? We'll leave this open for a little bit more. I see people kind of thinkin' through it. Initiation, emoticons, urgency, empathy, fear. Which are signs of possible engineering, social engineering? Leave this open for three more seconds. Two, one, and let's take a look. A bit all over the map here. Initiation is definitely a sign of possible social engineering. Someone calls you, someone emails you. They initiate the interaction. That is a sign. Emoticons are not a sign of possible social engineering. Conceivable they could be, but not in, when we talked about it, we had some specific things. Urgency is very much a sign. You must do this now. You must change your password now. You must do this within 24 hours. I need the password reset right now. I'm out with the client. Empathy is not a sign of social engineering. Having empathy for you. Not typically a sign of social engineering. However, fear very much a sign of social engineering. Someone trying to cause fear saying, if you do not do this, this bad thing will happen to you or to me or to our organization is very much part of social engineering. So the correct answer there were initiation, urgency, and fear, emoticons and empathy were not signs of social engineering there. Next question, successful phishing attacks can result in which of the following? Select any of these. Malware installation, theft of money and or information, breach of passwords, identity theft, unauthorized access to systems. Successful phishing attacks can result in which of the following? Malware installation, theft of money and or information, breach of passwords, identity theft, unauthorized access to systems. We'll leave this open for five more seconds. Four, three, two, one. And we're gonna close that up and we'll share the results there. All right, malware installation, all of these were correct. All of these are things that can happen as a result of phishing attacks. So if you click on a link or download or open the document, it can install malware. If you get phished into giving away your credit card number or get phished into wiring some money out, that can result in theft of money and or information. If you get phished into giving away W-2s, if you get phished into logging on to a fraudulent site, that's gonna give away your password. If you get phished out of your social security number and your W-2 and other things, that can actually result in identity theft. And if you get phished out of your passwords and other confidential information, that can obviously result in unauthorized access to systems as can malware that gets installed as rolls of phishing. So all of those are correct. Onward, session seven, a little privacy please. So this is a little bit of a slight, ever so slight detour from cybersecurity strictly and talking more about privacy. And with privacy, we talked about understanding what you're sharing. We talked about sharing thoughtfully. We talked about limiting the metadata that you share. We talked about using two-factor authentication, encrypting, browsing with Tor, using a virtual private network, getting active, meaning advocating for things like net neutrality, if digital privacy is something that is important to you. And this is the one area where we sort of advocated for certain kinds of, I guess I'll say social action in the sense that if digital privacy is important, some of the laws impact how easy or how difficult it is for you to have privacy. And then of course staying informed about all the different ways in which your privacy can be compromised. And on that note, we're gonna launch into, this may be my favorite question in the whole quiz, which of the following does Facebook know about you if you use Facebook regularly? Which of the following does Facebook, I mean, I should probably, I think we have probably here, so I'll say, not definitively, but which of the following does Facebook probably know about you if you use Facebook regularly? So does it know your political affiliation? Does it know your sexual preference? Does it know your intelligence relative to others? Does it know your marital status? And does it know your gender? Which of the following does Facebook know about you? Again, does Facebook probably know about you? I think we had to drop the word probably if you use Facebook regularly. Which of the following does Facebook probably know about you? We'll leave this open for three more seconds. Two, one, closing it up. And it is all of those things. And I showed, I believe each of these when we did this session. And it will have a, if you use Facebook regularly, then it will have, they will have a very strong sense of how you relate on all of these things. Next one, examples of metadata would be. This might be the hardest question in the entire quiz. So this will be the one where I think folks may struggle, but we'll see how everybody does. Examples of metadata would be, select all that apply, the type of phone used to take a photograph, the content of a Microsoft Word document, a recording of a phone call, the date and time a Facebook post was put online, the time and duration of a phone call. Examples of metadata would be, the type of phone used to take a photo, the content of a Microsoft Word document, a recording of a phone call, date and time a Facebook post was put online, the time and duration of a phone call. We just open for four more seconds. Three, two, one, closing that one up. Let's share the results. The correct answers are, number one, the type of phone used to take a photo. And the easiest definition of metadata is data about data. The content of a Microsoft Word document, that is the data, that is not data about the data, that is not metadata. A recording of a phone call again is data, not data about the data. The date and time a Facebook post was put online, that is metadata and the time and duration of a phone call is metadata. The three ones are a type of phone used to take a photo, the date and time a Facebook post was put online, time and duration of a phone call, those are all examples of metadata. And then the next one, which of the following tools would be most useful for anonymous web browsing? Which of the following tools would be most useful for anonymous web, oh, I think I skipped one. I assume this is still part of privacy, but this is actually tools, that's okay. We'll answer it now. Which of the following tools would be most useful for anonymous web browsing? Incognito mode in Google Chrome, a virtual private network. Duck duck go, tour, pretty good privacy. We'll leave this open for three more seconds. This is one where you either know the answer or you don't, I think, two, one, zero, closing in up. The correct answer there was tour. Those of you who grabbed tour, that's a good one. That is, again, the way that for us to trade the most useful for anonymous web browsing if you really did want to say anonymous tour would definitely be your best chance at staying anonymous doing web browsing. And that is the correct answer there. And so I jumped the gun a little bit. I should have jumped to this slide, which was session eight, your Ninja Toolkit. And the key success factor is there, where first of all, select your tool thoughtfully. There's not necessarily any kind of single arbiter of all the tools to say this is the best one. So you need to do some research and use some brain power and common sense. There are lots and lots of tools available and definitely take advantage of the ones that are out there. Implementation matters a lot with cybersecurity. We talked about that around encryption. But when you're using these tools, if you're not using them correctly, they're not going to do what you're hoping they're gonna do. Implementation matters a lot. Rapidly changing landscape, constantly new tools, constantly new services online and staying informed through newsletters, podcasts, webinars, we've provided some links of our favorites in there. That is one of the key ways that I am able to stay informed is, for me it's not a crazy amount. I probably do an hour or two of reading and listening stuff like that at minimum a week. Maybe that sounds like a ton of people on cybersecurity, but it's not a huge commitment if you want to stay up to date on these things. And the next question, and we are down to three more questions everybody. We are almost there. Which of the following tools would be most useful for private messaging? Which of the following tools would be most useful for private messaging? So select one of the following. Facebook Messenger, WeChat, Signal, Skype, Snapchat. Which of the following tools would be most useful for private messaging? We'll leave this open for three more seconds. It's another one we either know this or you don't. Three, two, one. And the answer was Signal. Those of you who picked Signal, that would be the best tool. The, I specifically did not put, that's what I'm thinking of now. WhatsApp in here, which does have encrypted messaging. And is that the one I'm thinking of Ben? I'm thinking of the wrong one. No, WhatsApp. There is a messaging app. Go ahead. I think you're thinking of WhatsApp. WhatsApp. Okay, so I'm thinking of one. The concern is that Facebook has access to the data. That's right. Correct. Yeah, yeah. The encryption of WhatsApp, of WhatsApp messaging is considered pretty good. And actually they use the Signal encryption with the same technology. Because it's owned by a third party company that we have some concerns about, that's why that's a little bit less. But I didn't include that in here because I didn't want there to be any confusion because that would have been an acceptable answer, I think as well. But Signal is definitely unquestionably, I think, superior to all of these for private messaging. And with that, we go into our last session, other than this one, which was what now, internet response planning. And we have the factors for success there. Our plan, do incident response planning have a plan, right? If you do have an incident, make sure you understand to declare that you're having an incident. Hey, we are declaring this is an emergency. And we are now implementing and activating our incident response plan that hopefully we have, contain, meaning stop whatever bad thing is happening and contain it as much as you can. Communicate, and that really wraps around the whole thing. Communicate clearly with everybody, with all the stakeholders throughout the whole process. And when it's all done and the dust is settled, what have we learned? What are we going to change? What can we do differently? How could we have done better at this? And with that, we'll go into our last two questions. What are some good ways to increase the likelihood of discovering a security breach? Check all that applies. A little bit tricky. What are some good ways to increase the likelihood of discovering a breach? A high volume of administrative alerts. Encouraging a see something, say something culture. A low volume of administrative alerts. Reviewing monitors to see what normal activity looks like. A shoot the messenger culture. That's a little bit tricky. I'll give people a few seconds to think about this one. A high volume of administrative alerts. Encouraging a see something, say something culture. A low volume of administrative alerts. Reviewing monitors to see what normal activities looks like. And a shoot the messenger culture. We'll leave this open for three more seconds. Two, one, and closing the poll. High volume of administrative alerts. That's really the biggest reason why this was a tricky one. And when we taught this class, we talked about that having a really large volume of alerts, a poor signal to noise ratio, so to speak, makes it very hard to interpret the signals amongst all the noise. And a high volume of administrative alerts. So I'm getting 50 alerts a day. I'm probably gonna start ignoring all of them. So a low volume of administrative alerts is better because you're only getting alerts that you actually have the bandwidth to pay attention to and you're less likely to start ignoring things. See something, say something culture as much as we New Yorkers make fun of that phrase. That is in fact, a really useful thing to have in your sort of culture. We talked about that before with the opposite of issues in messenger culture, which is not a correct answer here. And reviewing monitors to see what normal activity looks like is a great idea if you have the capacity to do that. And those are all the correct answers. The correct answers here are encouraging to see something, say something culture. Low volume of administrative alerts, reviewing monitors to see what normal activity looks like, those middle three. And with that, our last question. Which choice below reflects the best approach to incident response? Select one of the following. Planning, declaration, containment, communication and learning, response, remediation and resumption of normal state. Ensuring an incident never happens in the first place. We wish, that would be a great one. All hands on deck, primary alternates, contingency, emergency, pace, the famous pace acronym. I'm sure we're all familiar with. Which choice below reflects the best approach to incident response? Planning, declaration, containment, communication and learning, response, remediation and resumption of normal state. Ensuring an incident never happens in the first place. All hands on deck, primary, alternate, contingency, emergency, pace. We'll leave this open for another three seconds. Two, one. Closing that up. And almost everybody got that one. Planning, declaration, containment, communication and learning, that would be the correct answer. And the other ones, certainly ensuring an incident never happens in the first place would be great if it were possible. But it is, by all accounts, not possible to stop. And that's one of the things we've talked about. You can't eliminate risk. Risk is always going to be there. And that is the end of our quiz. And that was 20 questions. And we have all of your answers in our go-to webinar response. So we will be able to see who aced it and who got 80% or more. And we will follow up with emails for those of you who are due a certificate and or an Amazon gift card. And again, if multiple people aced it, they'll all get that gift card. If no one aced it, then I think we'll do the top three. We'll get a $50 Amazon gift certificate. And I have to think about what I'm gonna do if no one got 80% whether you get a certificate or not. But what I think that we will do, and this is what we'll talk about in a little bit, is at our ninja site, ninja.rtt.nyc, we will post this last session. And we have a Google quiz version of the same thing. And for those of you who attended, we'll give you a special link to that. And if you wanna retake it and try to get it, then I think we'll be happy to give you a certificate once you get the correct answers in our online quiz. So if you feel like retaking that, retaking this to get your certificate, I think we'll offer that out. And with that, we'll wrap up and do some Q and A. And I just wanted to tell everyone, I have not, by the way, for those of you who attended other webinars, I believe that we have not a single animated gift in any of our cybersecurity ninja ones. And that was really something that I was trying to do because they're just so silly, but I couldn't resist destroying one at the end here. And I wanna say a bonus gift, and this is for everybody, regardless of how you do it in the quiz, if you want your own personalized gift, go ahead and send me a head shot or just tell me, hey, just use my head shot on LinkedIn. And I will send you your own, hopefully that you like personalized animated gift because as Ben knows, I spend most of my time making silly animated gifts in memes. That's actually when I'm not listening to Cybersecurity Podcasts, that I'm making gifts. That's just how I roll. And Q and A for everybody. All right, we have some questions. One from Roberta, how did, well, this is great. Thank you, Roberta. How to get a quote from Roundtable to review our system. That's super easy, just email us. So go ahead and email me, Joshua at roundtabletechnology.com. You can go to our website. We have a contact us form and just ask and we will be delighted to follow up with you and talk to you about getting some cybersecurity help. That obviously is one of the things. And we, another thank you so much. Clear an example why a fundraiser should not be in charge of cybersecurity is an Excel techie. I'm very hopeful despite my test score. I'm sorry that you didn't get a strong test. I did, just so everybody knows, I, and Ben can attest to this. I ran this by a couple of my colleagues and also some people outside to get feedback on other questions were too hard, whether people thought the answers were misleading or deliberately. And the feedback I got was, that it was about right. Just so everybody knows, Ben taking it blind without being able to go to the internet and do research. He squeaked by with 80. So he was able to get the security certificate. Or in fact, actually even attending the first two webinars. The first two sessions, yep, yep. And he actually gave me feedback on the questions that I changed where he thought it was a little bit misleading and I did change it based on that feedback form. And so we tried to make this as fair as possible. I, you know, we don't want to give up these certificates, you know, so easily because we, you're going to have that hanging in your office or in your home. We want to make sure you actually know your stuff. And so we wanted to make it difficult enough that it would demonstrate to us that you really did have a good knowledge. And for those of you who struggled with it, my apologies, but like I said, well, we'll give you another shot at it. And thank you so much. All of you who've attended these and been here for this whole session, we really, really appreciate it. It's great. And this has been a lot of fun teaching it. And thanks so much to Ben for being here with all except for the first two sessions. And if there's no other questions, I think we're all set. And wow, that's it. Bye everybody. This was fun. Out we go.