
 

 
 
Security Awareness 
Training Companion 
Internet Security for Employees 
   

INSTRUCTED BY 
Roy Davis 
bestofroy.com/about-security 
 
 
 
 
 
Table of Contents 
 
Section 1: Introduction 3 
Lecture 1: Welcome! The “What” and the “Why” 3 
Lecture 2: Example of Why this is Important 4 

Section 2: User and Device Accountability 6 


Lecture 3: Don’t Be Ashamed 6 
Lecture 4: Don’t Let Curiosity Get the Best of You 7 
Lecture 5: Open the Lines of Communication 8 
Lecture 6: Keep Your Desk Clear and Computer Locked 8 

Section 3: Phishing and Other Malicious Emails 10 


Lecture 7: Brief Intro to Spam Protection 10 
Lecture 8: Beware of Phishing 11 
Lecture 9: Examples of Scammy Emails 12 

Section 4: Social Engineering 14 


Lecture 10: Intro to Social Engineering 14 
Lecture 11: How to Spot Social Engineering Attempts 16 
Lecture 12: Examples of Social Engineering 17 

Section 5: Handling of Data (Data Leakage) 19 


Lecture 13: Transmitting Data 19 
Lecture 14: Keeping Information in the Right Hands 20 
Lecture 15: Use of Cloud Storage 21 
Lecture 16: Overview of Protected Data Sets 21 

Section 6: Passwords and Security Questions 23 


Lecture 17: Why Good Passwords are Important and Common Passwords 23 
Lecture 18: Best Practices for Creating Passwords 24 
Lecture 19: Security Questions 26 

Section 7: Safe Browsing 27 


Lecture 20: Ads and Sponsored Content 27 
Lecture 21: Typosquatting and Malicious Websites 28 
Lecture 22: Malicious Websites and Dangerous Things to Search Online 28 

Section 8: Mobile Devices and Traveling 30 


Lecture 23: Connecting to Public Wi-Fi 30 

© 2019 Roy Davis of ​bestofroy.com/about-security  1 


 
Lecture 24: Personal App Safety on Android and iOS 31 
Lecture 25: Your Personal Device in the Workplace 32 

Section 9: Ransomware 34 


Lecture 26: What it Does and How it Spreads 34 
Lecture 27: You’ve Been Hit, Should You Pay the Ransom? 35 
Lecture 28: How to Protect Against Ransomware 35 

Section 10: Conclusion 37 


Lecture 29: If You See Something, Say Something 37 
Lecture 30: Thank You for Viewing 38 
 
 
   



 
 

Section 1: Introduction 

Lecture 1: Welcome! The “What” and the “Why” 


It is becoming increasingly important for organizations to develop a culture that prioritizes cybersecurity. Training and security implementation are no longer solely IT or security team functions; they're now functions for everyone. It's important for everyone to learn how to better protect themselves, their families, and their employers. 
 
Why group it all together like that, you say? Besides personal and professional lives being melded together through technology, your behaviors are also similar in both: what you do at home is what you'll do at work. 
  



 
You are continuously being hit by warnings of new threats, breaches, and the like, so much so that it's overwhelming to keep up with. When you do get hit, people want to point fingers. That's not the style I want to promote. Know that as we go through this course I speak to you from a place of passion and not one of condescension. 
 
I don't wish to beat you over the head and speak down to you. My number 1 goal is to help 
you raise your defenses. And we'll do that by juking and sidestepping security fatigue by 
going over what threats are important to know about and why they're important to 
understand. 
  
So now you might be wondering, "Why is this a big deal?" Clicks on malicious URLs from 
mobile devices have doubled in 2016. That is expected to grow in 2017 and beyond. This 
means there is a huge need to protect devices beyond your home and workplace. Your 
nerdy friend or your IT department can't fully protect you. It's extremely important to 
understand you all have an important role to play in security, no matter what level you're 
at. 
 
I get it, there are hacks and intrusions that you cannot help detect and stop. I'm not asking 
you to learn extremely complicated hacking skills that require a computer science degree. 
In all honesty, an attacker is more likely to breach your company through you by way of a 
phishing email. This is effective because you may be juggling tasks at your job and want to 
keep your boss happy. 
  
As you go through the course, please don't hesitate to reach out and continue the 
discussion. I don't want this to be just another security awareness course that's only a 
checkmark on a compliance checklist. 
  
Oh and one more thing, this is important for Mac users too. Don't fall into the trap that 
you're safe because you don't use Windows. The usernames and passwords from your 
banking website, email, and other remote applications can be used regardless of what 
system you use. Furthermore, there are plenty of viruses and other malware crafted 
specifically for Mac. To see a few examples run a search for MacSpy, Flashback Trojan, or 
Mac Fake Downloads in Google. 

Lecture 2: Example of Why this is Important 


Let's say you get a suspicious email that you were not expecting. You're intrigued by the 
subject line and you click on the link just to see what it's about. The link takes you to a 
webpage that says you can upgrade your mail storage and receive an Amazon gift card for 



 
testing this new upgrade feature. Awesome. All you need to do is enter your email 
username and password on the linked page. 
  
So you click on the link and enter your credentials on the page to see if you can get the reward, and nothing happens. It's almost like the webpage is broken. Oh well, it was worth a shot, you say to yourself, and then go about your day. After all, all you did was click a link and submit a quick login form. Within 24 hours, the attacker that sent you the email is using your mailbox to send hundreds, even reaching into the thousands, of spam and other malicious emails to random people. 
  
When you get into work the next day, you can't log in to your email. The email system automatically disabled your mailbox. You call the helpdesk and a tech begins to diagnose the problem with you. The tech sees the mailbox was disabled for security reasons and needs to escalate this to someone on the security team. 
 
The security professional makes sure the threat is neutralized and assesses the damage. In the midst of the chaos, your organization's domain (@yourcompany.com) is blacklisted on 2 major security websites. These blacklists are used by security devices and companies around the world. After a manager is briefed, the manager recommends to the CIO that the blacklist removal fees be paid, at $10,000 apiece. 
  
After the fees are paid and outboxes are cleaned, the tech reaches back out to you and helps you change your password. A security team member then schedules a 1-hour security awareness training session with you. This process takes 3 days to sort out. 
  
Between the 3 people involved (minimum) and the blacklist fees, we're looking at roughly $27,000 for this low-key incident, not including other potential time lost, like other organizations blocking and throttling your organization. 
  
Nearly $30,000 and many man-hours spent, all from a 20-second follow-through on an email link. 
  
I would be remiss if I told you this happened every time an email link is clicked. Truth is, this won't happen every time. However, this is a low-key, conservative example, the likes of which I've unfortunately seen several times. The goal here isn't to shock you with bombastic claims and scare tactics; the goal is to give you a behind-the-scenes glimpse of why this is important and how costly it is to not be in the know. 
   



 
 

Section 2: User and Device Accountability 

Lecture 3: Don’t Be Ashamed 


If you've ever fallen victim to a scam, or even get hit after going through this training, don't be ashamed. I won't think any less of you. Sometimes it takes a sting to get a feel for the environment. The important thing is to sort it out before you have the potential to experience any real damage. 
  
Let me tell you a story of the last time I fell for a scam. It was back when Myspace was a 
thing. Do you remember Myspace? They were pretty big before Facebook came along and 
ate their lunch. 
 



 
One day I got a message from someone I knew. It was something along the lines of "I just 
saw that video of you. How could you do such a thing?" My out-loud reaction was "wait, 
what video? What are you talking about? I didn't do anything bad." 
  
I clicked on the link in the message to log in to Myspace and see this video. Lo and behold, when I logged in, the page didn't do anything but submit the login details to a database on the back end. 
 
The sad part is, I never checked the link. The doubly sad part is the message had horrible spelling and I didn't check with the person who supposedly sent the message. And finally, the even sadder part is that it took me a couple of days to realize I'd just been had. I changed my password, but it was too late. My account had sent several of my friends the exact same message. 
  
My total loss wasn't all that bad, well, besides my pride of course, about 20 of my friends 
unfriended me, which was a fairly small fraction at the time. 

Lecture 4: Don’t Let Curiosity Get the Best of You 


The story in the Don't Be Ashamed lecture is a good example of why you shouldn't let curiosity get the best of you. This lesson goes for pretty much anything you find or receive. 
  
If it's an email you don't recognize or expect, lean towards deleting it. 
  
If it's someone asking bizarre questions about your personal life or your workplace, lean 
towards playing dumb or straight up refusing to talk about the details. 
  
If it's a device you find, like a USB drive that doesn't belong to you, fight the urge to plug it 
in to see what's on it. 
  
There are many things that can go wrong and not a lot of things that can go right. 
  
Example of a USB device: a small computer and other materials that cost less than $20 and require hardly any skill to set up or to load attack software onto. This particular device plugs into a USB port on your computer, captures your web traffic, and attempts to crack your passwords. This is just one of many devices and types of attack that could be used against you. 
  



 
Source: https://www.scmagazine.com/raspberry-pi-attack-compromises-locked-devices-steal-admin-creds/article/666772/ 

Lecture 5: Open the Lines of Communication 


Communication is important. And I'm not talking about here's-what-I'm-having-for-lunch social media type communication. I'm talking about knowing and trusting your IT or security department. By the way, I keep making this distinction between IT and security because sometimes these are separate departments, depending on which organization you work at. 
  
If you don't know someone you can talk to about security at your organization, I challenge you to find and meet 1 person, yup, just one person, who can help you or answer your questions. 
  
Doing this now will make upcoming security incidents a little less stressful. 
  
When it does come time for reporting, please don't cut your story short. Something that seems small and insignificant to you could potentially save time in troubleshooting. 

Lecture 6: Keep Your Desk Clear and Computer Locked 


When you're away from your desk, it's best to keep prying eyes away from your screen. 
Whether it's an innocent prank or it's with malicious intent, people could have access to 
your data to do what they please. While they're in there, they can change or steal 
information. 
  
A few examples of both sides: 
 
1. A colleague sends a joke email in your name to a friend or your boss when you go 
out for a coffee. 
 
2. A rogue employee rifles through your stuff for confidential information. 
 
The pranking aspect is usually referred to as trolling but some refer to it inexplicably as 
goating. 
  
 



 
In addition, no one else should be able to use your login. Many organizations consider all actions done under your account to be your own, regardless of whether you actually took them. 
  
To keep your desk clear, find an organizational system that works best for you. Just be sure to keep sensitive documents out of the open. 
  
To lock your Windows computer use CTRL + ALT + DEL and select Lock or press Win + L. 
  
To lock your Mac computer use CTRL + ⌘ (Command) + Q or quickly press the power button. 
   



 
 

Section 3: Phishing and Other Malicious Emails 

Lecture 7: Brief Intro to Spam Protection 


By some accounts, spam has been on the decline. That is of course relative, as we still see 
an enormous number of spam emails every year. Spam still accounts for roughly 90% of 
ALL mail sent, plus or minus a few points depending on trends. 
  
Since there is so much spam, a few get through your email filter every once in a while. Your email filter or other security devices at your organization cannot and will not stop every single bad email. Even one of my Gmail accounts gets hit with spam, and Google has an amazing spam filter. 
  
It's extremely easy to forge the From address of an email, so attackers abuse this by spoofing the address to make a message appear legitimate. You've no doubt seen emails promising monetary rewards and gifts. Don't fall for it. There are no wealthy strangers 



 
desperate to send you money. And if for some reason you are due payment over a special 
circumstance, you wouldn’t get notified via email through broken English. You would get 
notified via certified mail. 
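To make the spoofing point concrete, here is a small added example (it is not part of the course and not the author's code) that reads the headers a receiving mail system stamps on a message and flags the usual signs of a forged From address: a Return-Path domain that differs from the From domain, SPF/DKIM/DMARC results that are not "pass", and a DKIM signing domain that does not match the From domain. The two sample messages and the domains receiver.example and payroll-portal.example are constructed for this example.

```python
"""Flag sender-spoofing indicators in a raw email message.

Added example for this lecture, not code from the course or its author.
It inspects headers the receiving mail system adds on arrival:
  - does the From: domain match the Return-Path: (envelope sender) domain?
  - does Authentication-Results: report spf/dkim/dmarc as "pass"?
  - does the DKIM-Signature d= (signing domain) match the From: domain?
Sample messages and domains below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: From: claims to be internal, but the envelope sender
# and the authentication results say otherwise.
SAMPLE_RAW = """\
Return-Path: <bounce-1234@payroll-portal.example>
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=payroll-portal.example; dkim=none; dmarc=fail header.from=receiver.example
From: "HR Department" <hr@receiver.example>
To: employee@receiver.example
Subject: Action required: confirm your mailbox upgrade
Content-Type: text/plain

Please log in to keep your mailbox active.
"""

# Constructed sample of a message that lines up on every check.
CLEAN_RAW = """\
Return-Path: <hr@receiver.example>
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=receiver.example; dkim=pass header.d=receiver.example; dmarc=pass header.from=receiver.example
DKIM-Signature: v=1; a=rsa-sha256; d=receiver.example; s=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "HR Department" <hr@receiver.example>
To: employee@receiver.example
Subject: Holiday schedule
Content-Type: text/plain

Attached is the holiday schedule.
"""


def domain_of(address_header):
    """Return the lower-cased domain of an address like 'Name <user@dom>'."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Parse 'spf=fail', 'dkim=none', 'dmarc=fail' tokens into a dict."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def spoofing_indicators(raw_message):
    """Return human-readable warnings; an empty list means nothing odd was found."""
    msg = message_from_string(raw_message)
    warnings = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and from_dom and rp_dom != from_dom:
        warnings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            warnings.append(f"{method.upper()} did not pass ({verdict})")
    dkim_sig = msg.get("DKIM-Signature", "")
    m = re.search(r"\bd=([^;\s]+)", dkim_sig)
    if m and m.group(1).lower() != from_dom:
        warnings.append(f"DKIM signing domain {m.group(1)} differs from From domain {from_dom}")
    return warnings


if __name__ == "__main__":
    for w in spoofing_indicators(SAMPLE_RAW):
        print("WARNING:", w)
    print("clean message warnings:", spoofing_indicators(CLEAN_RAW))
```

Mail clients usually hide these headers behind a "show original" or "view source" option. The lesson for an employee is that the friendly display name is the one part the sender fully controls, while the authentication results are written by your own organization's mail system as the message arrives.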
  
Responding to spam. I highly recommend that you do not respond to spam messages. 
Doing so may make you feel good in the moment but what you're really doing is 
confirming to your spammer that your mailbox is active and you open and read the emails. 
Which means, yep you guessed it, more spam will be heading your way. 
  
A final note about spam. When you go on vacation or travel on business, your first instinct 
is to set your out of office message service in your email. While this is a helpful feature for 
letting your contacts know that you will not be able to respond right away, be careful how 
you phrase your message. You do not want to let potential attackers know that you are 
not home, or even worse, give specific details about your location and itinerary. It would 
be safer to say something along the lines of - ”I will have limited access to email between 
[date] and [date]." 
 
If possible, also restrict the recipients of the message to people within your organization 
or in your address book. Talk to your nerdy friend or your IT helpdesk for assistance on 
how to do this. If your away message replies to spam, it only confirms that your email 
account is active. This practice may increase the amount of spam you receive. 

Lecture 8: Beware of Phishing 


A Wombat Security Technologies survey found that 76 percent of information security 
professionals reported their organization had been victimized by a phishing attack in 
2016. A little over half of these people admitted their rate of attack is increasing. Notice 
the wording here. 76 percent of information security professionals reported their 
organization had been victimized. The actual value is most likely much higher for 
compromise across all organizations. 
  
Diving a little deeper, attacks rose 45% in Q4 of 2016. The reason is that attacks are shifting beyond executive leadership (at or from the C-level). They're now targeting other employee groups deeper within the organization. If a percentage of users click through the attacks and get compromised, the easiest way to add fuel to the fire is to increase the audience. 
  
This is important because the phishing part, the malicious email itself, will most likely be the least invasive part of the attack. Systems infected through targeted 



 
email phishing campaigns act as an entry point for attackers to spread throughout an 
organization's entire enterprise. And the next step after infiltration is to steal sensitive 
business or personal information, or disrupt business operations. This process can 
escalate quickly. 
  
Let's deconstruct this phishing attack by looking at this example from Microsoft: https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx 
  
Suspicious links. If you are unsure whether an email request is legitimate, try to verify it by 
contacting the company directly. Do not use the contact information provided on a 
website connected to the request; instead, check previous statements for contact 
information. 
 
You can also ask your IT department. If I were on your team I would tell you to forward every email to me if you're unsure, even if the message came from me. I'd rather have you practice good behavior than potentially click on dangerous messages. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG. 
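As an added illustration of the "suspicious links" advice (example code written for this companion, not from the course or from the Microsoft article), the script below pulls every link out of an HTML email body and reports the tell-tale mismatches: visible text that names one domain while the href points at another, a bare IP address as the host, a punycode (look-alike) hostname, and the expected domain appearing only as a subdomain of something else. The HTML body and the domain yourbank.example are constructed for the example.

```python
"""Report suspicious links in an HTML email body.

Added example for this lecture, not code from the course. The HTML sample
and the domain "yourbank.example" are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample body of a phishing-style message. Only the "Help center"
# link is what it claims to be.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<a href="http://198.51.100.23/login">https://www.yourbank.example/login</a>
<a href="https://yourbank.example.account-verify.example/x">Verify account</a>
<a href="https://www.yourbank.example/help">Help center</a>
<a href="https://xn--yourbnk-q0a.example/">www.yourbank.example</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (enough for these samples)."""
    return ".".join(host.lower().split(".")[-2:])


def link_warnings(href, text, expected_domain):
    """Return warnings for one link, given the domain the reader expects."""
    warnings = []
    host = urlparse(href).hostname or ""
    try:
        ipaddress.ip_address(host)
        warnings.append(f"href uses a bare IP address: {host}")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append(f"href host is punycode (look-alike risk): {host}")
    # Visible text that looks like a URL or hostname should agree with the real href.
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        warnings.append(f"link text shows {m.group(1)} but goes to {host or href}")
    # "yourbank.example.something-else.example" is owned by something-else.example.
    if expected_domain in host and registered_domain(host) != expected_domain:
        warnings.append(f"expected domain appears as a subdomain of {registered_domain(host)}")
    return warnings


def scan_html(html, expected_domain):
    """Return {href: [warnings]} for every link with at least one warning."""
    parser = LinkCollector()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        ws = link_warnings(href, text, expected_domain)
        if ws:
            report[href] = ws
    return report


if __name__ == "__main__":
    for href, ws in scan_html(SAMPLE_HTML, "yourbank.example").items():
        print(href)
        for w in ws:
            print("   -", w)
```

Hovering over a link in your mail client shows the same href this script reads; the check that matters most for an employee is the third one, a link whose text and destination disagree.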
  
Assignment: https://www.opendns.com/phishing-quiz/ 

Lecture 9: Examples of Scammy Emails 


Google Doc example: https://arstechnica.com/information-technology/2017/05/dont-trust-oauth-why-the-google-docs-worm-was-so-convincing/ 
 
Google's response: https://twitter.com/googledocs/status/859878989250215937 
  
Wrapping up, here are a few topics to look out for: 
 
● Claims of winning a prize that you need to cover costs for (like insurance, processing fees, taxes, etc.). You should never have to pay to get a prize. 
 
● Winning government grants (this is not how grant awards work. You can't win 
them). 
 
● Requests for bank and wire information 
 



 
● Charity emails, especially for disaster victims or anything trending in the news 
 
Assignment or text lecture: I love this story - 
https://nakedsecurity.sophos.com/2017/10/04/email-fraudsters-foiled-by-a-smiley/ 
  
If the email comes from an unknown source, don't even open the email, nor the files it contains. A lack of errors doesn't mean an email is genuine, but the presence of errors may well mean it isn't. Think of spelling errors, tone, phrasing, and more. 
  
This is another nice phishing training setup, but it uses Flash (yuck): https://www.consumer.ftc.gov/articles/0003-phishing 
   



 
 

Section 4: Social Engineering 

Lecture 10: Intro to Social Engineering 


Simply put, social engineering is the practice of tricking you into divulging something. Think of it as a con or scam. The attacker may seem unassuming and has some kind of cover, like pretending to be a new employee, repair person, contractor, or researcher. 
 
That's how they reel you in. This style of attack is led by questions. They're hoping to get enough information to piece together either a way to compromise your organization or something to steal for personal gain. 
  
If you're being hit - how would you know? Instead of cutting off the outside world, here 
are a few common ways social engineers work their magic: 



 
 
 
 
1. In person: 
 
   1. Tailgating, sometimes called piggybacking - this attack is usually directed at companies, with the intention of gaining unauthorized entry by following closely behind an authorized person. The goal is to get information about your organization. It seems simple, but a good attacker won't stand out, and may even carry a handful of boxes or other items to look official. Don't be afraid to question people you don't recognize. You don't have to be hostile; it can be as simple as asking if you can help them find something, within reason of course. You don't want the attack to get any easier. An attacker who wants to keep a low profile may shy away from questions or conversations and give up on the attack. 
 
   2. Shoulder surfing - this type of attack could range from a nosy neighbor to an attacker trying to glean information from your screen. The best way to help prevent this type of attack is to seat yourself so that your monitor or keyboard can't be easily seen by people passing by. 
 
   3. Conversation / walk-in - with this type of attack I can't help but think of movies like Catch Me If You Can and TV shows like Burn Notice. The idea behind this attack is to pretend to be someone you're not and get information or access you wouldn't normally be able to get. 
 
2. On computer: 
 
   1. Phishing - phishing attacks are so prevalent that I gave them their own section. Just keep in mind attackers like to take advantage of current events and rear their ugly heads during times of charity drives, holidays, natural disasters, epidemics and health scares, major political elections, and economic concerns. 
 
   2. Tech support scams: https://www.consumer.ftc.gov/articles/0346-tech-support-scams 
 
   3. Social media 
 
 



 
3. Phone: 
 
   1. Smishing - a form of phishing, but through text message. The same best practices apply to texting as they do to email. The best way to remain safe is to not reply to text messages from people you don't know. This is especially true if the SMS comes from a number that doesn't look like a phone number, like a 5000 number. This usually means the text message was just an email sent to your phone. Ignore any messages about services unless you signed up for the service. Also, don't click on the links in text messages, even from friends, unless you verify they meant to send the link and you know what the link is. 
 
   2. Vishing - a form of phishing, but over the phone instead of luring through websites and emails. It's effective because you're actually talking to a human being. A common attack is a call from “tech support” who then asks you to verify your password or other confidential information. Your IT department, your bank, or whoever else does not need your password. A good practice is to only give out information if you've initiated a call with a trusted entity, like calling your credit card company. If someone does call you for information, get a full name, department, and contact information. You can call them back after you verify them. 
 
It's a good idea to warn your co-workers and report social engineering attempts, because once they get all the information they can out of you, whether you told them what you know or you were firm in not speaking, they may contact another source within your organization and relay what you told them, or even use your name and claim you told them something of value to add credibility. 

Lecture 11: How to Spot Social Engineering Attempts 


Social engineering is usually made up of a 3 part formula: someone you don't know + 
needs something now + or else. 
 
● It’s an urgent matter 
● A forgotten password 
● A computer virus or malware emergency 
● Any form of intimidation from “higher level management” 
● Name dropping to give appearance the request is coming from authorized 
personnel 



 
● Straight up requesting passwords, serial numbers, brands, models, etc. 
● Claims of affiliation through a subcontractor 
● Claims of being a journalist or broadcaster 
● Inappropriate greetings or seduction from a stranger 

Lecture 12: Examples of Social Engineering 


Let's assume you have an awesome setup. Dare I say, your equipment is unhackable. 
Please, for the love of God, do not publicly say this, especially if you actually do think you 
are unhackable. There are people who will gladly take you to task. 
  
But I digress. Let's say you have unhackable equipment and I want to take over one of 
your accounts. I have a list of usernames and encrypted passwords obtained from a 
breach, again we're roleplaying here. There are always vulnerabilities and they don't 
always lie with technology. We'll examine one of them by looking at the trend of using 
security questions. These are sometimes called challenge questions and they're meant to 
reset your password. 
  
I have your encrypted password and odds are, I don't need to know your actual password 
to get in because I can probably figure out the answer to your secret question. If I only 
have your username, I can search Google with your online handle. The goal here is to see 
how many sites you use the same username on. Social Media sites are another great way 
to get your real name. Once I have your name, I can use the ever increasing number of free 
background search websites to find more information on you. A lot of security questions 
can be answered in these background reports.  
  
For instance, I can see where you lived, and who lived there with you. If one of the people 
in an older record is a woman that's significantly older than you, I can do the same lookup 
on her to figure out her maiden name. I can look at the school district from where you 
grew up and also find where you went to high school and college and the year you 
graduated. If I have any trouble with education I can just look you up on Facebook or 
LinkedIn. 
  
If I have trouble locating information, I could just call you with the current number I found 
for you. I could say something like, "Hello, I'm John Baum, and I'm a graduate student in 
the psychology department at your local university. I'm doing a study on naming 
conventions and pet bonding, and I was hoping you'd have 30 seconds to answer a brief 2 
question survey. I received your number from our alumni directory, and I will not collect 
any personally-identifiable information. 



 
 
1. Have you had any pets during your life, and if so, what were their names? 
 
2. Did you have any favorites, and if so, what were their names? 
 
If you refuse, I can try to soften you up by telling you how important this project is to the 
university and that I need as many responses as possible. If now is not a good time, is there 
a better time for me to call back? If you still refuse, maybe I'll call your mom. One way or 
another, I'll have the name of your first pet. 
  
This is a very crude example but it's not far off of something that could potentially happen. 
Security questions are covered more in the security questions lecture. 
   



 
 

Section 5: Handling of Data (Data Leakage) 

Lecture 13: Transmitting Data 


One expression you'll see constantly is “loose lips sink ships.” The phrase originated in World War II to warn of the dangers of unguarded talk. Today it's used as an example of careless talk that could be used against you or your organization. I don't necessarily agree with the notion of a ham-fisted "Be quiet or else" methodology, but there are a few things worth mentioning. 
  
It’s easy to leak information by accidentally sending things to the wrong people - whether 
it's physical or virtual. This can include saying the wrong thing in the wrong place, 
accidentally leaving printed documents laying around, leaving meeting rooms without 
erasing whiteboards, emailing a confidential document, or using a flash drive to transmit 
sensitive documents to unauthorized people. 
  



 
The difficult part is determining which information is worth keeping a lid on and which information is harmless. The most common way organizations tackle this issue is to develop a policy on the different types of information and what to do about each. The problem with that is there isn't a definitive answer for everything, as policies are usually high-level overviews. In the next lecture we'll go over a few best practices to avoid data leakage. 

Lecture 14: Keeping Information in the Right Hands 


People within your organization have varying access levels to your organization's 
information. People outside the organization could receive information in a hostile way or 
even take it as your organization's legal stance. So it's important to be cognizant of your 
communications. When you're about to start a discussion or send emails or documents to 
someone keep these points in mind: 
 
1. Get in the habit of erasing your whiteboard before you leave a meeting room. Not 
only will you give the next users of the room a clean slate, but you'll also keep 
potentially confidential information out of the phones of a camera-happy 
passer-by. 
 
2. Re-read what you’re about to send in emails, instant messages or texts, and make sure that what you’re about to send will go to your intended recipients. 
 
3. When you’re talking with someone, be aware of where you’re standing and who is 
around you. Think of whether it's appropriate to share what you're saying about 
upcoming projects, disciplinary action against other employees, sales figures, 
targets, or other decisions with other people in earshot. 
 
4. Avoid revealing personal, financial, or official details in emails and do not respond 
to unexpected solicitations for this information. 
 
5. Review files before attaching them to emails – it’s super easy to leak sensitive 
information if it’s in a small section of a much bigger spreadsheet or document. 
 
6. If you use your personal accounts, like home email or a personal WhatsApp account – or anything else outside the reach of your IT department’s policies, for that matter – for work, then IT can't protect you and you'll most likely be on the hook for the consequences. 
 



 
7. Be wary of social media - social media sites can potentially be a goldmine of 
detailed information such as location, places you visit, friends list, place of work 
and more. Before you make that next post, take a brief moment to think. Are you 
posting something you don't mean to, like geotagging in a photo, or is there 
sensitive or identifying information in the background of a photo? What is your 
organization's social media policy? Could you be held liable for things you say? 
 
8. If you use your work devices for personal stuff, like personal website usage, storing pictures of your kids and pets, or anything else, just know that information can potentially be seen by people in IT, your supervisor, and maybe others. If you leave your organization, you won't be guaranteed to be able to get your files off the computer. Once again, people may have access to it, including your replacement. Usually IT departments wipe your old computer before rebuilding it, but there's a chance your replacement will have access to all files to continue the work that you were doing. We assume that most people are good, but spreading out your personal information to that many people is potentially risky and unnecessary. 

Lecture 15: Use of Cloud Storage 


When you think of cloud storage, these 4 major cloud storage providers come to mind: Dropbox, Box, Google Sync (Drive), and OneDrive. There are many more, but the providers just listed are the most popular. 
  
It's worth bringing these up because your organization's usage policies or procedures may or may not cover their use. I'm not necessarily discussing banning or blocking their use, as some places do to control information flow and storage. That is a topic for discussion, but here I'm simply referring to managing and securing them. If a service is outside the scope of your organization, you may not be under its protection or be able to get support like you're used to. 

Lecture 16: Overview of Protected Data Sets 


Regulated data, or as I sometimes like to call it, protected data, refers to information that's 
regulated by a governing body. These are the auditing and compliance requirements you 
need to keep up with for certain sets of data. The goal of these protections is to hold 
companies accountable and prevent data leakage and unauthorized disclosure of data. 
The data is usually personally identifiable information that could ruin people's lives if misused. 
  

This table from Solarwinds shows a great layout of regulations in the US across different 
industries. You may be familiar with some of these if you work in healthcare, finance, or 
retail for example. Keep in mind this isn't a complete list. Other countries have their own 
rules and regulations as well. 
  
It's good to be familiar with the types of data that are covered so you know what to do if 
you find something that shouldn't be out. For example, let's say you work at a doctor's 
office and you get up to use the bathroom. While in the bathroom you notice someone left a 
detailed paper containing the results of a test with potential treatment options. That's not 
all: at the top it has the patient's name, address, insurance, and all kinds of fun stuff. What 
do you do? Do you just leave it there? Throw it in the bathroom trash? No and no. The 
guidance based on rules and regulations will make it clear what to do to help keep 
everyone involved safe. 
  
Organizations have differing responsibilities based on coverage so I can't give you specific 
tips to help you understand these regulations. The best I can do for you is encourage you 
to follow your organization's policies and procedures. 
   

Section 6: Passwords and Security Questions 

Lecture 17: Why Good Passwords are Important and Common Passwords 

The problem with creating passwords is they can be a pain to come up with, and even 
worse, they can be hard to remember. People use passwords like "12345" because 
they're easy to remember and easy to type. Old and tired recommendations of creating a 
super complex password can be difficult to follow because you don't remember what crazy 
characters you substituted for letters. And the numbers you did substitute for letters are 
incredibly predictable. These are things like 3s for Es and 1s for Is. 
  

Due to the difficulty in managing passwords, and tools that help predict human behavior, 
you're left with passwords that are easier to crack than you think. Before we go into best 
practices for creating good passwords, let's take a moment to go over the most common 
passwords. This list just blew my mind. 
  
Source: 
https://blog.keepersecurity.com/2017/01/13/most-common-passwords-of-2016-research-study/ 

Lecture 18: Best Practices for Creating Passwords 


These days, password policies are shifting to be user friendly, with the burden put on the 
verifier when possible. This is leading IT departments around the world to stop asking 
users to do things that aren't actually improving security. 
  
You can have a crazy long and complex password but something shorter with mild 
complexity may be able to serve your needs just as well as an 
impossible-to-type-or-remember behemoth, depending on the level of risk you're willing 
to tolerate. At some point there are diminishing returns. 
  
The only time passwords should be reset is when they are forgotten, if they have been 
phished, or if you think (or know) that your password database has been stolen and could 
therefore be subjected to an offline brute-force attack. 
 
● You must have a unique user ID and password to access stuff 
 
● Create a password of 12 characters or more with upper and lower case letters, 
numbers, and special characters. If you're thinking, "12 characters, that's crazy!" 
Just know that it's not as hard as you think. Just your exclamation of 12 characters, 
that's crazy, is 28 characters. 
 
● Be careful with digits and symbols. Spread them out, since most people put capital 
letters at the beginning and digits and symbols at the end. If you do that, you get 
very little benefit from adding these special characters. It's that "most people" part 
that gets you in trouble. It's about predictability based on how many people do it. 
 
● Don't share passwords or leave passwords in conspicuous locations (keyboard, 
monitor, mousepad, or desk). 
 

● Use a different password for each website and application. You can use a password 
manager to help you with this. 
 
● Activate a password-protected screen saver or lock your computer when 
stepping away from the desk, and log off the computer when done. 
 
● There's no need to change passwords unnecessarily. You may fight with your IT 
department on this depending on how far behind the times they are. You only 
really need to change or reset your password when it's forgotten, when you've been 
phished or suspect you've been scammed, or if you think or know your password was 
stolen in a breach and could therefore be subjected to offline brute force attacks. 
Changing passwords frequently can encourage bad behavior: editing only certain 
characters of your previous password and submitting it as your new password. This 
fairly recent study shows as a proof of concept that if they know your previous 
password, they could guess your new password in 5 tries.  
 
Avoid weak passwords: 
 
● Easy to guess passwords such as a blank or "password" 
● Your name, spouse’s name, or partner’s name 
● Your pet’s name or your child’s name 
● Names of close friends or coworkers 
● Names of your favorite fantasy characters 
● Your boss’s name 
● Anybody’s name 
● The name of the operating system you’re using 
● String of numbers or letters, like 1234, abcd 
● The hostname of your computer 
● Your phone number or your license plate number 
● Any part of your social security number or Penn State ID 
● Anybody’s birth date 
● Other information easily obtained about you (e.g., address, town, alma mater) 
● Words such as wizard, guru, password, gandalf, and so on 
● A username in any form (as is, capitalized, doubled, etc.) 
● A word in the English dictionary or in a foreign dictionary 
● Place names or any proper nouns 
● Passwords of all the same letter 
● Simple patterns of letters on the keyboard, like asdfg 
● Any of the above spelled backwards 
 

● Any of the above followed or preceded by a single digit 
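As an added example (not part of the course material), here is a small Python checker that applies this lecture's rules to a candidate password: the 12-character minimum, the character classes, digits and symbols bunched at the end, and the weak-password list above in any of the warned-about forms (reversed, doubled, with a digit either side). The WEAK_WORDS set and the personal details passed in are constructed stand-ins for the lecture's names and dictionary words.

```python
import re
import string

# Constructed stand-in for the lecture's list of names, dictionary words,
# operating systems, hostnames and so on.
WEAK_WORDS = {"password", "wizard", "guru", "gandalf", "windows", "linux"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _keyboard_run(s, min_len=4):
    """True if s contains min_len adjacent keys from one keyboard row (asdfg)."""
    return any(row[i:i + min_len] in s
               for row in KEYBOARD_ROWS
               for i in range(len(row) - min_len + 1))


def _sequence_run(s, min_len=4):
    """True if s contains min_len consecutive ascending characters (1234, abcd)."""
    return any(all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(min_len - 1))
               for i in range(len(s) - min_len + 1))


def _variants(word):
    """Forms the lecture warns about: as-is, reversed, doubled, one digit either side."""
    base = {word, word[::-1], word * 2}
    return base | {w + d for w in base for d in string.digits} \
                | {d + w for w in base for d in string.digits}


def check_password(pw, username="", personal=()):
    """Return the lecture rules a candidate password breaks (empty list = passes).
    `personal` holds things an attacker could look up: names, pets, plate, birth year."""
    problems = []
    low = pw.lower()
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("missing upper and lower case letters")
    if not re.search(r"\d", pw):
        problems.append("missing a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("missing a special character")
    # Predictable placement: every digit/symbol in a trailing block, capital only up front.
    non_letters = [i for i, c in enumerate(pw) if not c.isalpha()]
    if non_letters and not any(c.isalpha() for c in pw[non_letters[0]:]):
        problems.append("digits and symbols only at the end")
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("capital letter only at the beginning")
    # Guessable content: weak words, the username and personal details in any form.
    guessable = WEAK_WORDS | {w.lower() for w in personal if w}
    if username:
        guessable.add(username.lower())
    for word in sorted(guessable):
        if low in _variants(word) or (len(word) >= 5 and word in low):
            problems.append(f"based on '{word}'")
            break
    if len(set(low)) == 1:
        problems.append("all the same character")
    if _keyboard_run(low) or _keyboard_run(low[::-1]):
        problems.append("keyboard pattern like asdfg")
    if _sequence_run(low) or _sequence_run(low[::-1]):
        problems.append("sequential characters like 1234 or abcd")
    return problems
```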

Lecture 19: Security Questions 


Security questions are one of those things that sound secure on paper but don't really 
add protection, since attackers can easily get your information to answer the questions. 
There are proposals to remove security or knowledge-based challenge questions, but until 
any traction is made on this front, it's better to lower the risk by switching things up a little 
bit. 
  
Let's say you select a security question like "What is your pet's name?" In the answer 
section, do not put in your pet's name or any variation of it. Put in something completely 
different like "kitchen@#sink." If you don't have a pet, this is even better. You can put 
something in the answer field like "HaiHasallergies." You don't even have to spell 
correctly or even have good grammar.  
  
The more you can throw off a potential attacker the better. 
   

Section 7: Safe Browsing 

Lecture 20: Ads and Sponsored Content 


Finding information on the Internet does not guarantee it’s true. Anyone can publish 
information online. Before you accept a message as truth or decide to take action, verify 
the source is reliable. 
  
Be wary of advertisements for free downloadable software. These can be spyware or 
viruses disguised as useful applications. 
  
Sponsored content at the end of the article is designed to make a ton of advertising dollars 
and not actually deliver valuable content. This is the clickbait style of writing like "doctor's 
hate him," "your area is mad about this important change" and so on. They also have the 
potential to deliver malware. Here are a few examples. 

Lecture 21: Typosquatting and Malicious Websites 


Just like publishing content, anyone can register a domain (fancy way of saying website 
name). Anyone can also create a website; you don't need to know coding anymore. 
  
When you type in or click on a link, pay attention to the URL of the website. It's super easy 
to misspell a website address and that's exactly what the bad guy wants. Malicious 
websites may look identical to a legitimate site, but the URL may use a variation in spelling 
or a different domain (e.g., .com vs. .net, or Amozon vs. Amazon). 
  
These sites are designed to redirect users to other pages to appear credible, capture login 
information, or deliver malware to your computer. Some larger websites and companies 
have already lent a hand with this and redirect common misspellings (like Google with too 
many Os, Gooogle) to the correct address, but you can't rely on this since there are so 
many that haven't. 
  
Your antivirus will help but don't get used to relying on it for everything. The best thing 
you can do is bookmark frequently visited sites. That way you don't have to type in the 
address or run a search in Google to find it. After all, that's what bookmarks are for. 
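As an added example that is not from the course, the following Python function flags lookalike domains the way a bookmark-based check could: it compares the site in a URL against a constructed allowlist of trusted sites (an assumption of the example) and catches a one-letter misspelling, a different top-level domain, digits standing in for letters, and a trusted name tucked into a subdomain. The host split is deliberately naive (no public-suffix list), so two-part TLDs like co.uk are not handled.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the sites you have bookmarked.
TRUSTED = {"amazon.com", "google.com", "paypal.com", "bestofroy.com"}

# Digits that read like letters at a glance; used only to normalise for comparison.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Fold look-alike characters so 'paypa1' and 'arnazon' compare as 'paypal', 'amazon'."""
    return label.lower().replace("rn", "m").translate(LOOKALIKES)


def split_host(host):
    """Naive split into (subdomain labels, registrable name, tld). Assumption: no
    public-suffix list, so the last two labels are taken as the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], host.lower(), ""
    return labels[:-2], labels[-2], labels[-1]


def classify(url):
    """Label a URL as trusted, a lookalike of a trusted site, or simply unknown."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    subs, name, tld = split_host(host)
    if f"{name}.{tld}" in TRUSTED:
        return "trusted"
    for site in sorted(TRUSTED):
        tname, ttld = site.rsplit(".", 1)
        if tname in subs:                       # amazon.com.login-portal.example
            return f"{site} used as a subdomain of {name}.{tld}"
        if name == tname and tld != ttld:       # amazon.net instead of amazon.com
            return f"lookalike of {site} (different TLD)"
        if name != tname and (normalise(name) == tname or levenshtein(name, tname) <= 1):
            return f"lookalike of {site}"       # amozon, gooogle, paypa1
    return "unknown"
```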

Lecture 22: Malicious Websites and Dangerous Things to Search Online 

Anytime someone is trending, searching for them can be potentially dangerous. We've seen 
the most dangerous celebrities to search online, like Amy Schumer and Avril Lavigne. What 
makes these celebrities dangerous to search for is the buzz and rumors surrounding them. 
Attackers capitalized on this and made dangerous websites designed to install malware on 
your machine if you were unfortunate enough to land on them.  
  
Just like phishing emails, timely events are also potentially dangerous to search online. 
Things like man-made and natural disasters, where information is scarce, are a good 
example. Criminals like to ride the buzz and viral traffic around certain things. 
  
It doesn't stop at websites either. Social media accounts have become a major feature of 
the threat landscape. In late 2016, a type of phishing attack called "angler phishing" grew 
150% over the previous year. 
 

The way it works is an attacker will make a legitimate-looking account and respond to a 
question you pointed at the real company. Let's look at this example by Fortune. You tweet 
at your bank saying "hey, I can't transfer money." An attacker capitalizes on this 
problem by pretending to be customer support and linking a fake page to you in order to 
steal your bank credentials. 
  
The “angler phishing” scam is mostly found on Twitter, but is now rearing its ugly head on 
Facebook and Instagram, where brands set up social media teams to engage with 
consumers. The new con is proving effective because consumers have come to expect a 
response from brands on social media, and crooks produce fake accounts that look 
realistic and respond quicker. 
  
Not everything is as dangerous as losing banking credentials though. Someone could 
assume a fake customer support position with a company with the intent to stir the pot. 
One of the most famous examples was when Target made the move to sport more gender 
neutral products. There was a big uproar about this store decision and someone took 
advantage of the ruckus to troll a large number of people.  
  
The moral of the story is, be careful of what you search and who you talk to online. You 
may get an experience you were not expecting. 
   

Section 8: Mobile Devices and Traveling 

Lecture 23: Connecting to Public Wi-Fi 


Mobile devices in this context refer to any computer that is not a desktop. This includes, 
but is not limited to, smartphones, tablets, and laptops. Even though these devices have 
different use cases and different types of software, most policies bundle them together 
since they are easy to carry around. 
  
Any network you're on has the ability to see which website you're visiting and potentially 
what you're doing and who you're communicating with. This is true no matter what 
network you're on, whether it's your home, your work, or out in public. 
  

Public networks are especially scary because you don't know who could be on the 
network snooping around. At home you don't expect a whole lot of activity from other 
users and your work hopefully has protections in place but it's not foolproof. 
  
Your coffee shop or hotel of choice, however, most likely has very little protection and 
frequent visits from many different users. 
  
While it's important to make sure the websites you visit use HTTPS (the 's' means it's 
secure) so your transactions are encrypted, I would recommend you do not do any critical 
work or browsing while connected to a public network. 
  
The transactions are encrypted but information on source and destination are not. This is 
where experts will tell you to use a VPN service, whether it's your organization's client or 
a service you purchase on your own. 
  
Some may say it's fine to do what you want if you have access to a VPN but that could 
potentially be an unnecessary risk, mainly that your VPN provider will then have access to 
some network information. This could potentially be problematic with 3rd party providers 
and usage of your organization's VPN would put you in scope of their acceptable usage 
policies since you'll be on their network. 
  
It would be best to leave public browsing to casual surfing and light, non-critical work. 

Lecture 24: Personal App Safety on Android and iOS 


Counterfeit mobile apps exist out in the wild, and it's important to understand that just 
because an app can be found and downloaded in the app store doesn't mean it's been 
checked to make sure it's safe.  
  
I'm referring to both Apple's App Store and Google's Play Store. While some of these apps 
simply monetize by displaying annoying banner ads, others have the potential to steal your 
information through malware. Scammers could also profit from unsuspecting customers 
by having in-app purchase options in these bogus apps. 
  
Before installing an app, check the legitimacy of it by doing the following: 
 
● Check to see who published the app. Be careful though, scammers will use similar 
names to the original company. This was the case for Overstock.com (real) and 
Overstock Inc (fake). 
 
● Check the reviews in Apple's App Store and Google's Play store. A real app will 
likely have thousands of (hopefully positive) reviews, while a fake one will likely 
have zero or a ridiculously low amount for the type of brand recognition the 
company has. 
 
● Review the privacy settings. Does it make sense that the app you're looking for has 
access to contacts, phone logs, location, and photos? A good example of excessive 
permissions is the Brightest Flashlight app that collected data about you and sold 
it to advertisers. 
 
● Look at the publish date. A fake app will have a recent publish date, while the real 
one will have an "updated on" date. That fake Overstock app mentioned previously 
was published much later than the real one. 
 
● Check for spelling mistakes in the title or description. Many of the knockoff apps 
come from China. 
 
● Beware of apps that promise shopping discounts. More often than not it's too good 
to be true. 
 
● When in doubt, visit the store's website in your browser and look for an icon or 
button that reads "Get our app." This will take you to the App Store or Google Play 
store where you can download the correct app. 

Lecture 25: Your Personal Device in the Workplace 


It's kind of funny to think back to the time when the first widely adopted smartphones 
came out. There was a huge discussion on whether bring your own device would be a thing 
or if it's just a fad no IT department would ever endorse. There was much resistance but 
now BYOD is commonplace, even extending to devices outside of smartphone usage. 
  
Even though it's accepted to bring your smartphone into the workplace and even use the 
device for work purposes, there are a couple items worthy of discussion. 
  
Despite owning your device and having authority to use it, your usage of your 
organization's files and network resources is still under the purview of your 
organization's usage policies. This means if you want to view and edit company documents 
or use company services, you may have to install a management app that's managed by 
your organization. These mobile management apps typically enforce specific 
configurations on your phone and contain company information, so the organization still 
retains control. The network part is just like it normally is with computers: using your 
organization's network, and subsequently their internet connection, is subject to their control. 
  
Privacy could potentially be a hot button issue. When you use company issued devices, it's 
expected that you have little control of the resources and they are subject to changes and 
investigations. How about when you own the device? Would you be ok with surrendering 
your property if something needed to be done? Would you even have a choice? These are 
at the very least, things to keep in mind when you use someone else's resources. 
   

Section 9: Ransomware 

Lecture 26: What it Does and How it Spreads 


Ransomware is a nasty type of software that locks your computer or the files within. It 
does this by either locking the screen or changing the files to be unreadable without a 
special key. The idea is to lock you out of your own system until the ransom is paid. After 
the initial infection, the ransomware may attempt to spread itself, depending on the type, 
to any shared or mapped drives and other devices on the network. 
  
Ransomware is distributed the same way as other viruses and malware, which is through 
malicious emails, infected websites, fake apps, and more. Usually bad guys trick you into 
opening the bad file in some manner. 
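As an added example (not from the course), this Python snippet shows what that spread looks like in file-server audit data and how a defender can detect it: a burst of renames that change files on a mapped share to a new extension, far faster than a person saving documents. The log line format, the share path and the events are all constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta

SHARE = r"\\fileserver\shared"  # constructed mapped-drive path


def make_sample_events():
    """Constructed audit events in an assumed 'time user action path' shape: alice saves
    a few documents normally; bob's session renames forty files to a new extension
    within forty seconds, the trail an encrypting ransomware leaves on a share."""
    base = datetime(2019, 6, 3, 9, 0, 0)
    events = []
    for i in range(5):                       # one save every two minutes
        t = base + timedelta(minutes=2 * i)
        events.append(f"{t:%Y-%m-%dT%H:%M:%S} alice WRITE {SHARE}\\report{i}.docx")
    for i in range(40):                      # forty renames, one per second
        t = base + timedelta(minutes=3, seconds=i)
        events.append(f"{t:%Y-%m-%dT%H:%M:%S} bob RENAME {SHARE}\\invoice{i}.xlsx"
                      f" -> {SHARE}\\invoice{i}.xlsx.locked")
    return events


def parse_event(line):
    """Split one constructed log line into (timestamp, user, action, source, destination)."""
    ts, user, action, rest = line.split(" ", 3)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), user, action, src, dst or None


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag any user whose WRITE/RENAME events reach `threshold` inside one `window`.
    Returns {user: (largest count seen in a window, extensions files were renamed to)}."""
    recent, new_ext, alerts = {}, {}, {}
    for line in sorted(lines):               # ISO timestamps sort chronologically
        ts, user, action, src, dst = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent.setdefault(user, deque())  # sliding window of this user's events
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if dst and _ext(dst) != _ext(src):   # a rename that changes the extension
            new_ext.setdefault(user, set()).add(_ext(dst))
        if len(q) >= threshold:
            best = alerts.get(user, (0, set()))[0]
            alerts[user] = (max(best, len(q)), new_ext.get(user, set()))
    return alerts
```

Because the share is what the malware reaches through a mapped drive, the same audit feed also shows which host the renames came from, which is where IT would start isolating.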
  
Getting hit with this stuff causes all kinds of chaos and confusion. Besides the "who's 
extorting us" question, the more immediate question is "should I pay?" 

Lecture 27: You’ve Been Hit, Should You Pay the Ransom? 

If you or your business gets hit, it’s understandable that you may want to do whatever it 
takes to get your data back. This is especially true if you work at a hospital, where you may 
be unable to function. But before you pony up and pay that ransom, you should know 
the risks associated with doing so: 
  
● Paying a ransom does not guarantee you’ll get your data back. There are people out 
there who reported never getting the special key to unlock their data after having 
paid a ransom. 
 
● After paying the demand, some victims have been asked to pay more before the 
key is released. This is the worst type of upsell. 
 
● Some victims who paid the demand have reported being targeted again at a later 
time by the same group. 
 
● The group that infected your computer may very well suffer a breach of their own, or 
they could share their success with a partner group. Your attacker’s attacker or the 
partner group could very well come after you. 
 
● Paying could further encourage this criminal business model. You would be 
essentially funding the continuation of this effort for more bad stuff to happen to 
others. Again, this is only for a chance to get your files back. 

Lecture 28: How to Protect Against Ransomware 


First things first, make sure you have a modern antivirus app. Antivirus vendors are pretty 
good when it comes to detection of common ransomware files. Make sure your antivirus 
software is up to date and never disable or tamper with your protection when you find an 
unknown file. 
  
Your workplace will have some sort of backup option for shared storage, but you may not 
have readily made backups of your computer. This is where it would be good to make 
copies to your network space in case of a computer disaster. This also helps with other 
dangers like hardware failure. Your IT department can't help you recover your data if they 
don't have access to any form of it. 
 

Your home is a bit different. Here you'll want to back up your files to a device that can be 
removed from your computer or your network. This is important: when you back up your 
files, remove the external hard drive or flash drive from your computer afterwards. 
Ransomware is designed to find all reachable files of the file types it targets, so if you have 
your backup drive plugged in, this drive will be hit as well. 
  
Once again because it's super important, please be careful with links in emails. Also be on 
the alert with attachments, especially ZIP file attachments. People are capable of lying 
and tricking you on the Internet. 
   

Section 10: Conclusion 

Lecture 29: If You See Something, Say Something 


Here are a few indicators that something may be wrong: 
 
● Your system unexpectedly crashes without clear reasons. 
● New files or programs with strange names mysteriously appear. 
● Sudden high system activity like hard drive or processor activity. 
● Bizarre changes in file lengths or modification dates. 
● Denial of service. 
● Unexplained poor system performance. 
● Suspicious communication with unknown sources. 
 

Now, just because you don't have access to the Internet or your system is slower than it 
usually is doesn't mean you're compromised or experiencing a denial of service attack. 
The best thing to do is to reach out to your IT department and give them a heads up on the 
changes you noticed. 
  
Strange system performance is one thing, but if you believe that you have been a victim of 
a phishing attack or ransomware infection, immediately report the incident to your 
information technology (IT) helpdesk or security office. The more information you can 
give them, like what you were doing or things you noticed were different, the better they 
can assist you. 
  
If you're a home user, live in the US, and you think or know your identity has been 
compromised, use the Federal Trade Commission's resource at www.identitytheft.gov to 
report the incident and get guidance on your recovery plan. 
  
If you believe you might have revealed sensitive information about your organization, 
report it to the appropriate people within the organization, including network 
administrators. This can help your organization be on alert for any suspicious or unusual 
activity. 

Lecture 30: Thank You for Viewing 


Thank you for joining me. If I can explain something better or add something you think is 
important let me know. I'm more than happy to keep this thing updated to serve you. 
Please leave an honest review; it does help get more eyes on this course. Other than that, 
have a great day and stay safe out there. Thank you. 
 
