Security awareness quiz

Q1: Which of the following three is the strongest password?

starwars
1qaz2wsx
trEEGCv-

A: The correct answer is 3. This is a random password and thus the most secure one of the 3. starwars is not random and a commonly used password. 1qaz2wsx seems random but it's the first 2 columns of a qwerty keyboard and also commonly used. Attackers use these in wordlists to crack passwords or to gain access to existing sites for which you use this password.

Q2: Which of the following is a weak password?

123456
P@ssw0rd
ILoveYou123
All of the above

A: The correct answer is 4. All of the passwords are weak and already leaked in data breaches.

Q3: How often should I change a password?

Never
Every week
Every month
Every year
Only when there's proof or suspicion of compromise

A: The correct answer is 5. The best practices are to only change your password when there's proof or suspicion that your account might be hacked. More tips on how to know when an account is hacked can be found in this and this blog.

Q4: Is it considered safe to use the same complex password on all websites?

A: The correct answer is 2. If you reuse passwords across different sites a hack of one website can result in attackers using this stolen username and password to gain access to your accounts for another website. If you want to learn more about why password reuse is a bad idea, read this article.

Q5: What should I do after I learn about a data breach of a website? Choose the best answer.

Nothing
Change the password of my account for that website
Change the password for my account for that website and of all other websites where I use that same password

A: The correct answer is 3. If your username and password is stolen the account for that particular hacked website is at risk, but also your accounts for any other website were you use that same password. If you want to learn more about it read here why password reuse is a bad idea.

Q6: What are the characteristics of a strong password?

Long
Long, random and unique
Long, unique
Long, random

A: The correct answer is 2. Passwords should be long enough, minimum 12 or 14 characters is recommended. Passwords should also be random because attackers will have giant lists of predictable passwords they can use to crack passwords or gain access to your online accounts. They should also be unique. If you reuse passwords across different sites a hack of one website can result in attackers using this stolen username and password to gain access to your accounts for another website. If you want to learn more on how to create strong passwords, read this blog.

Q7: If you want to share a password with someone, what's the best option?

Send it via email
Send a text message
Tell it via the phone
None of the above

A: The correct answer is 4. A password is personal data which shouldn't be shared with others.

Q8: Which of the following is the most secure backup strategy?

One backup on an external harddisk and another one on a cloud backup
2 backups on 2 different external harddisks
A backup on an external harddisk

A: The correct answer is 1. Because you spread the backups over 2 geographically different regions, which makes your backup strategy more resilient. If you want to learn more about it how to put a secure backup strategy in place read this blog.

Q9: You open a website and it has a padlock in the browser bar (the lock icon in front of the URL). Which statements are true?

I can be sure that this is a legit, non-malicious site
It tells me that the site is 100% secure
The traffic between my computer (browser) and the server that runs the website is secured
No one, even my Internet Service Provider doesn't know which site I visit.
This could be a phishing site.

A: The correct answers are 3 and 5. A padlock in the browser bar implies that the connection between your browser and the website is secure, but it doesn't say anything about the intentions of a website, so it could be a phishing website. Your Internet Service Provider will still know which websites you visit.

Q10: Is it generally considered safe to use Starbucks Public Wi-Fi network for performing an online banking operation?

Yes, it is safe
No, it can be dangerous

A: The correct answer is 2. While a lot more websites are served over HTTPS nowadays, the security risks of using public Wi-Fi are lower but it's still not to recommend to do online banking on a public Wi-Fi. It might be a better idea to use your mobile data and/or switch on a VPN.

Q11: Is it secure to enter your private information (e.g., date of birth, identification number etc.) on a site with an address that starts with "http://"?

A: The correct answer is 2. When you enter data on a HTTP website the data could be intercepted and/or manipulated by an attacker. Enter personal data only when the address of the website starts with "https://". If you want to learn more about HTTPS read this blog.

Q12: Which of the following statements are correct? When I use incognito or private mode in a browser...

No one can see the websites I visited, even not my Internet Service Provider.
Others that use my device can't see which sites I visited
I'm anonymous for that website

A: The only correct answer is 2. Private or incognito browsing only implies that your search and browsing history isn't saved.

Q13: Your business email account has been compromised and leaked in a data breach. What is the best course of action(s)?

Change your password immediately
Inform the security team of your organization
Change the Password on all sites where you use the same password
All of above

A: The correct answers is 4.

Q14: Is it useful to run antivirus software on an Android phone?

Yes
It depends, only if you download apps from outside of Google's official app store
No

A: The correct answer is 1. Even Google Play, Google's offical app store is known to host apps that can contain viruses. It's always a good idea to have a virusscanner installed.

Q15: Which of the following are considered personal data under GDPR (more than 1 answer possible)?

Your IP address
Your birthdate
Your home address
Only your firstname

A: The correct answers are 1, 2 and 3.

Q16: If you receive a call from someone that says to be a clerk from your bank, is it ok to give your bank account details over the phone?

Yes
Never
Only if I recognize that the phone number is from my bank.

A: The correct answer is 2. You shouldn't give your bank account details over the phone. A bank that takes your security seriously will never ask for sensitive data, like bank account details, over the phone. Even if you recognize the number it could be spoofed by an attacker.

Q17: You receive an email with subject: "$5 million donation from Bill Gates" and in the email they ask you to provide your telephone number and full postal address to claim the money. What's the best action?

Reply with my phone number and postal address, I want the 5 million dollars
Forward the email to friends, because sharing is caring
Report the email as spam and delete it

A: The correct answer is 3. If something is too good to be true it just isn't true. No one will email you out of the blue to give you such an amount of money.

Q18: You're browsing and on a random site a pop-up to get free access to Netflix appears. What's the most secure action?

Follow the pop-up instructions to get the free access
Immediately close the pop-up and don’t proceed

A: The correct answer is 2. It's even better to close the browser tab or the browser all together. If the pop-up is preventing you from doing this you can kill the browser process.

Q19: You receive an email from '[email protected]' that urges you to reset your Hyundai password. What should you do?

Change my password immediately as per the instructions given in the email
Don't proceed and delete the email

A: The correct answer is 2. If Hyundai would ask you to reset your password the mail would come from an official Hyundai.com email address. This is a malicious email to steal your Hyundai password.

Q20: Is the following statement true or false? Reusing the same password across multiple sites is a good idea. It's very convenient after all.

True
False

A: The correct answer is 2. It sure is convenient, but this convenience comes with a price. If your password is stolen in a hack of 1 site user can use that to gain acces to your accounts on other sites.

Q21: Is it considered a good security practice to leave your machine unlocked when you leave your desk?

A: The correct answer is 2. It's not a good idea, if you don't lock your device everyone in the office has the possibility to access the (confidential) data on your device.

Q22: If you receive an unexpected phone call from Microsoft technical support, should you?

Follow their instructions
Give them your password
Call them back
Hang up

A: The correct answer is 4. No one from Microsoft will ever call you to offer technical support. This is a scam. Hang up immediately. If you want to learn more about tech support scams, read this blog.

Q23: If you receive a suspicious email, should you?

Reply to it
Open the attachments
Click the links
Report it to the phishing reporting mailbox of your government

A: The correct answer is 4. Report the phishing mail and delete it afterwards. In any case don't reply, click on any links or open attachments in the email.

Q24: You’re being texted that your parcel delivery will be delayed. In order to expedite it you need to?

Reply to the text
Click on the link provided in the sms
Think first, am I expecting anything? If not report and delete the sms

A: The correct answer is 3. Attackers always will try to exploit things like urge. But always first ask yourself whether you're expecting that particular parcel. If not, it's a malicious email and the best action is to report and delete the email afterwards.

Q25: Is the following statement true or false. Because operating system updates are time consuming and may need to restart the machine it's a good idea to postpone them as long as possible.

A: The correct answer is 2. It's not a good idea to postpone operating system updates because they often contain fixes for security vulnerabilities. If you wait with installing these updates attackers might use these vulnerabilities to gain access to your device and infect it with malware and/or steal your data.

Q26: Which of the following statements are correct?

Phishing is a form of social engineering.
Phishing is a so called "spray and pray" technique in which an attacker sends out the same email to hundreds of potential targets in the hope they will fall victim.
All of the above

A: The correct answer is 3. Phishing is indeed a form of social engineering or in other words the psychological manipulation of people into performing actions or divulging confidential information and it can also be a mass attack.

Q27: Imagine you work for the finance department of a company. You received an email from your company’s CEO and they want you to immediately transfer a few millions to a bank account provided in the email. Will you execute the transaction?

Yes, I will do so if my CEO asks me.
I will only execute the transaction after I got confirmation from the CEO through another channel.

A: The correct answer is 2. Only if you get it confirmed via another channel (e.g. a phone call to the trusted number, initiated by you) - which should be defined in a procedure - you should execute the transaction. Criminals could have hacked the email account from the CEO or pretend to be the CEO by faking the CEO's email address.

Q28: If you suddenly see the following page in the browser, is it a good idea to claim your present?

A: The correct answer is 2. If something is too good or too unbelievable to be true it's just not true. This is a fake page, the only intention of the criminals to set up this page is to scam you.

Q29: Which of the following statements about a phishing email are true?

The email comes out of the blue. There's no context or previous contact with the sender
The email contains a sense of urgency to get a particular action done
All of the above

A: The correct answer is 3.

Q30: You receive a SMS from a supplier/vendor who asks you to click on a link to renew your contract. You should:

Proceed without worrying
Don’t proceed by clicking on the link in SMS

A: The correct answer is 2. Don't click this link. You wouldn't expect a supplier or vendor to send a renewal link via SMS. In any case if you doubt always reach out to the vendor to check if they really send this link.

Q31: Which month is considered or recognized as Cyber Security Month?

September
October
November
December

A: the correct answer is 2. October is Cyber Security awareness month. During October a lot of practical security awareness content is being shared.

Q32: The person who performs a social engineering attack is known as?

An Information Engineer
A Social Engineer
A Social Media Activist

A: The correct answer is 2.

Q33: Imagine you find a USB device in the hallway at work. What's the best thing to do?

Pick it up and plug it in to see what’s on the USB device. Maybe you can identify the owner.
Leave it in the hallway or bring it to the reception desk, such that the person who lost it can get it back.
Pick it up, don't plug it in but inform your IT department because this could be a USB device containing malware to infect your company's systems.

A: The correct answer is 3. You shouldn't trust USB devices you find. This is a common way to get malware distributed.

Q34: Which URL(s) bring(s) you to Google’s Home Page?

The correct answer is 4. Tools like urlscan.io can help you to gain more insights about a website. It's not bullet proof, its not because a site is trusted it means that it could be malicious. But if it's flagged malicious certainly don't visit it. In this case we can see that the effective url is https://www.google.com, Google's official website.

Q35: Which of the following URLs could NOT be used in a so called 'Typosquatting Attack'?

A: The correct answer is 1. In typosquatting attackers abuse the fact that users mistype URLs. For instance attackers might hosts a malicious site on the domain http://mircosoft.com which will be incidentally visited by a lot of people.

Q36: You receive the following email which contains "This message was sent from a trusted sender" in the body. Does this mean you can trust that this email is legitimate?

A: The correct answer is 2. This sender can't be trusted, a text in an email body doesn't say anything about whether a sender can be trusted or not. This is clearly a spam email and like you can see in the screenshot it's also detected as such.

Q37: If you receive the following email, is it a good idea to proceed to get help from CBD?

The correct answer is 2. This sender can't be trusted, this is clearly an unsolicited email that try's to trick the receiver into clicking malicious links or giving away personal data. Like you can see in the screenshot it's detected as spam by the mail client.

Q38: You receive the following invite to take a quiz. You decide to take the quiz to receive the free glasses. This is...

A good idea, free stuff is always nice
This is a bad idea, this is a scam to steal my personal data

A: The correct answer is 2.

Q39: Which of the following things help to decide whether an online shopping website is trustworthy?

The address of the website starts with 'https://'
There's a seal on the website that says '100% secure'
Do a bit of research to see whether the site has a good reputation
Read on the website and look for positive reviews of other customers

A: The correct answer is 3. Malicious sites can also run over https and security seals can be easily faked. The website owner can also put fake reviews of other customers on their website.

For more information also read this post.

Q40: For online shopping it's best to use...?

A credit card
A debit card

A: The correct answer is 1. Credit cards have an insurance against fraud. When you pay with a credit card, the money is not directly withdrawn from your account. This gives you time to dispute fraudulent charges and the bank can block the payment while they investigate the incident. Some credit cards also offer additional insurance for your online purchases.

For more information also read this post.

Q41: I don’t use a PIN on my smartphone but keep it with me. What could go wrong?

When I lose it all my information and apps are accessible by the finder
When I leave my phone unattended, miscreants can gain access to all my online accounts using my email address
When my phone gets stolen the thieves can access all my information and apps
All of the above

A: The correct answer is 4. When you have no pin code on your device and you leave it unattended, lose it or when it gets stolen an unauthorized user can gain access to your personal data. For instance your pictures and videos, text messages or your phone contacts. They'll also have access to all the apps on your phone and your email account which contains a treasure trove of information and which can be used to reset the password for all accounts that you registered with this email address.

Q42: Is it a good idea to pay criminals that encrypted the files on your computer by deploying so called ransomware? Why or why not? Select all applicable answers.

Yes, because you can be sure you will regain access to your files.
Yes, because you don't have to care about backups yourself.
No, because you have no guarantee that you will regain access to your files.
No, because even when you get your files back criminals might attack you later again because they are still active on your network.

A: The correct answers are 3 and 4. Never give in to criminals trying to extort you. There are simply no guarantees that you will regain access to your files or that they will not do the same again in the future because they are still active on your network and because they know you are willing to pay. Also make sure you have working backups in place. If you want to learn more about ransomware and how to protect against is do read this blog.

If you have questions or remarks about these security awareness quiz questions and answers, feel free to reach out on social media or through email.