Cyber Safety

Cyber safety quiz

Welcome to the first University of Twente Cyber Safety Quiz.
The quiz tests your knowledge about Privacy, Security and the new General Data Protection Regulation (GDPR).
Most of the answers you can find on this website. For some of the answers you need some basic knowledge about privacy and security.

What can you win?
Of course the knowledge you garner from the Cyber Safety website itself during your search for answers.
For the person with the most correct answers, and the closest match for question 10, there will be a goodie-bag with security and privacy related articles.

This quiz is only meant for UT students and employees. You may only participate once.

A total of 74 people participated in the quiz. The winner answered the first nine questions correctly. 

Answers

How do you prevent other people from reading from your laptop screen while working on your highly sensitive documents in the train?

The correct answer is to use a privacy screen.
A privacy screen is a sheet of plastic that you can use to cover your screen. Only if you are sitting straight in front of the computer can you see what is on the screen. People next to you can’t see anything.

Use a webcam-cover.
A webcam cover prevents people who have hacked your computer to make a movie or take pictures even though they have access to your webcam.

Use a laptop-sleeve.
A laptop-sleeve is a protection against physical damage to your laptop.

Use a firewall.
A firewall protects you from hackers trying to access your system. A number of firewalls also protect programs and applications on your computer to send data to attackers. Ransomware often wants to communicate with the criminals who send it out. If the ransomware can't connect to the internet, it won't work because it can't inform it's makers.

62 persons answered this question correctly.

How do you help criminals steal your identity?

All answers are correct.

Taking a picture of your passport and sharing it online.
Your passport contains sensitive information that can be used by criminals to steal your identity. If you need to share an image of your passport, or give somebody a copy, the Dutch government has an app which help you remove the sensitive data from the image.

Giving your driving license to a car dealer when you make a test drive.
The car dealer, or one of his employees, can access the sensitive data on the driving license and use that to steal your identity. If you are stopped by the police while making the test drive you have to provide your license. If the car dealer needs some proof of your identity you can make a copy of the license with the app the Dutch government provides.

Keeping the privacy settings of your Facebook account on default.
In default settings Facebook allows not only your friends to access your data but also all kinds of other organisations like advertisers. Even criminals can get access to the information, like when you are not at home. Keep in mind Facebook changes the settings page regularly and often resets them back to default.

Making a small payment (€ 0,01) to an unknown account at eBay.
If you open a new bank account, the new back often asks to send a small amount. They check whether the name belonging to the old account matches the new. Criminals use this method to set up bank accounts on the victim’s names. If you make a payment the bank uses that as proof the new account belongs to you. Even if you know nothing about it.

Using the same password on all your websites.
Websites get hacked every week if not every day. If hackers find a list of e-mail addresses and passwords, they use them on all kinds of other websites to find out whether they can get in there too. Use different passwords, or better yet passphrases, for each website. If you can’t remember them all use a password manager.

38 persons answered this question correctly.

What is the maximum period a TLS server certificate is valid when you request one from the university?

The correct answer is 2 year.
This is because as of 21th February 2018 the certificate and browser industry have decided to limit the maximum allowed length of an SSL certificate to 825 days. Our supplier, DigiCert, only works in whole years.

34 persons answered this question correctly.

At which telephone number do you report a security / privacy incident?

CERT-UT can be reached on (053 489) 1313. Members of CERT-UT don’t sit at the desk all the time so if they doesn’t answer the call is forwarded to one of the Security Managers. They can also be busy.

CERT-UT
(+31 53 489) 1313
 cert@utwente.nl

27 persons answered this question correctly, either the short or long form. Some people answered (+31 53 489) 5577, which is the number of the Service Desk ICT.

Starting what date will the GDPR be enforced?

The correct answer is 25th May 2018.
The GDPR is actually in effect since 25th May 2016.

58 persons answered this question correctly.

Who reported the most vulnerabilities in University computer systems in a responsible way?

Jose Carlos Exposito Bueno has submitted 21 vulnerabilities in systems at the university.
Good second is Ties de Cock and Roeland Krak is on third place.

Only seven persons answered this question correctly.

Which of the characteristics below is not personal data?

The only correct answer is the name of your pet.

IP-addresses, your Social Security Number, email address and car license are clearly personal data. Your location is too. In certain situations your shoe size, being bald or not and your religion are considered personal data. And of course your fingerprint is very certainly personal data.

Only five persons answered this question correctly.

How to recognize a phishing mail?

The correct answer is all of them.

An impersonal salutation.
Criminals often don’t know who you are. They use an impersonal salutation, like “reader”, or none at all. Sometimes they use your e-mail address in the salutation.
This doesn’t mean an e-mail with your real name in the salutation isn’t phishing. When they target you directly like this, we call this spear phishing. In that case they want something special from you and not just the general population. They will make an effort in getting to what and who they want.

Spelling and grammar mistakes.
In the past most phishing was performed by criminals in Africa with no knowledge of the Dutch language and barely any knowledge about the English. Today they often use professional translators or are native Dutch. That is most often true with spear phishing attacks.

An unclear sender.
If the criminal hasn’t hacked the account of the sender he has to impersonate that person. That is the hardest thing for a criminal to do.

Requests for personal information.
Criminals are after your personal information, whether that is your account credentials or other information they can use to steal your identity. Check whether the questions asked correspond with the sender normal intend. Would they ask these questions? Would they do it by email? Would they send you to a website to enter them?

64 persons answered this question correctly.

What is the name of the European agency that deals with Cyber security?

The correct answer is ENISA.
The European Union Agency for Network and Information Security started as the European Network and Information Security Agency, which gave it it’s abbreviation.

EDPS is the European Data Protection Supervisor. It is the EU’s independent data protection authority.

SURFcert is the community Computer Security Incident Response Team (CSIRT) of SURFnet. They offer support to organizations, connected to the SURFnet network, when dealing with cyber security.

SCIRT is the SURFnet Community of Incident Response Teams and consists of representatives of CSIRT’s at the organizations connected to the SURFnet network.

SCIPR is the SURF Community for Information security and PRivacy officers at connected organizations.

NCSC is the National Cyber Security Centre for the Dutch government and critical infrastructure.

40 persons answered this question correctly.

How many email messages were identified as spam in March 2018 (Estimation question)?

In March 2018 a total of 4196994 messages were presented to the mail filter the university uses. A total of 1675939 were legitimate messages and send to the intended recipient. A number of messages were blocked for various reasons before the filtering software could determine whether the message was spam. For instance messages with non-existing recipients aren’t even accepted by the filter.

In the end the filter determined 668574 were spam. This is the correct answer.

The closest answer was 10681 off.