<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">
    <channel>
        
        <title>
            <![CDATA[ cyber - freeCodeCamp.org ]]>
        </title>
        <description>
            <![CDATA[ Browse thousands of programming tutorials written by experts. Learn Web Development, Data Science, DevOps, Security, and get developer career advice. ]]>
        </description>
        <link>https://www.freecodecamp.org/news/</link>
        <image>
            <url>https://cdn.freecodecamp.org/universal/favicons/favicon.png</url>
            <title>
                <![CDATA[ cyber - freeCodeCamp.org ]]>
            </title>
            <link>https://www.freecodecamp.org/news/</link>
        </image>
        <generator>Eleventy</generator>
        <lastBuildDate>Sat, 30 May 2026 22:26:03 +0000</lastBuildDate>
        <atom:link href="https://www.freecodecamp.org/news/tag/cyber/rss.xml" rel="self" type="application/rss+xml" />
        <ttl>60</ttl>
        
            <item>
                <title>
                    <![CDATA[ 13 Types of Cyber Attacks You Should Know in 2023 ]]>
                </title>
                <description>
                    <![CDATA[ The digital landscape is filled with unprecedented cybersecurity risks. From phishing scams to ransomware attacks. This article outlines different types of cyber attacks that individuals and businesses should be vigilant about. Cyber-attacks are a pr... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/types-of-cyber-attacks-to-know/</link>
                <guid isPermaLink="false">66d03624871ae63f179f6b98</guid>
                
                    <category>
                        <![CDATA[ cyber ]]>
                    </category>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ vulnerabilities ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ Manish Shivanandhan ]]>
                </dc:creator>
                <pubDate>Tue, 12 Sep 2023 17:28:42 +0000</pubDate>
                <media:content url="https://www.freecodecamp.org/news/content/images/2023/09/cyberattack.jpeg" medium="image" />
                <content:encoded>
<![CDATA[ <p>The digital landscape is filled with unprecedented cybersecurity risks, from phishing scams to ransomware attacks. This article outlines different types of cyber attacks that individuals and businesses should be vigilant about.</p>
<p>Cyber-attacks are a prevalent threat in the online world. They have the potential to cause substantial difficulties and disruptions to our daily lives. In this article, we're going to look at these attacks to help you understand what they are and how to stay safe from each of them.</p>
<p>Each attack has its own way of causing trouble, and we'll explain them in detail. By the end of this article, you'll have a better idea of how to protect yourself and your privacy online.</p>
<p>Let's get started!</p>
<h2 id="heading-1-man-in-the-middle-mitm-attacks-when-someone-secretly-listens-to-your-online-chats">1. Man-in-the-Middle (MITM) Attacks: When Someone Secretly Listens to Your Online Chats</h2>
<p>Let's imagine that you're talking to a friend online, and there's a sneaky eavesdropper in the middle, listening to everything you say. That's what a Man-in-the-Middle (MITM) attack is like.</p>
<p>In an MITM attack, a cybercriminal gets in the way of your online chat, as though they're reading your messages without you knowing. They can steal important stuff like your passwords, credit card numbers, or secret messages.</p>
<p>How does it work? The hacker intercepts the messages you and your friend send to each other. They can do this by tricking your devices or by hacking into the network you're using. Once they're in the middle, they can read, modify, or even stop your messages from getting to your friend.</p>
<p>MITM attacks are dangerous because they can happen without you realizing it. To protect yourself, you can use secure and encrypted communication tools, avoid public Wi-Fi for sensitive tasks, and pay attention to website security signs like HTTPS. The best way to prevent MITM attacks is to use a VPN like <a target="_blank" href="https://www.expressvpn.com/">ExpressVPN</a>.</p>
<h2 id="heading-2-phishing-and-spear-phishing-watch-out-for-sneaky-email-tricks">2. Phishing and Spear Phishing: Watch Out for Sneaky Email Tricks</h2>
<p>Have you ever received an email that looks real but is actually a trap? That's what phishing and spear phishing are all about, and they're common online tricks.</p>
<p><strong>Phishing</strong> is similar to a fisherman using bait to catch fish. In this case, cyber crooks send you fake emails or messages. These emails look like they're from a trustworthy source, like your bank or a big company. But inside, they have a hidden hook. If you click on links or give them your personal info, they catch you in their fraud.</p>
<p><strong>Spear phishing</strong> is a more targeted form of phishing. Instead of casting a wide net, cybercriminals aim directly at you. They learn things about you to make their fake emails seem even more convincing. They might pretend to be your boss or a colleague and trick you into doing something you shouldn't.</p>
<p>How can you avoid falling for these tricks? Always double-check emails. If an email asks for personal info or seems strange, be cautious. Don't click on suspicious links or download strange attachments. Cybersecurity is all about staying sharp and not taking the bait!</p>
<h2 id="heading-3-drive-by-attacks-cyber-ambushes-while-you-surf">3. Drive-By Attacks: Cyber Ambushes While You Surf</h2>
<p>Imagine driving along a road, and suddenly, someone jumps into your car without you even realizing it. That's a bit similar to what happens in a "Drive-By" attack but in the digital world.</p>
<p>In a Drive-By attack, cyber baddies use sneaky tricks to get into your computer while you're just surfing the internet. You don't have to download anything or click on a suspicious link – they find a way in without you knowing.</p>
<p>When you visit a website that's been compromised, the bad guys use hidden code to exploit vulnerabilities in your computer's software. It's like they slip through a crack in the window of your digital house. Once inside, they can steal your personal information or infect your computer with malware.</p>
<p>To protect yourself from Drive-By attacks, make sure your computer and browser are always up to date with the latest security patches. Use a good antivirus program and be cautious when visiting unfamiliar websites.</p>
<h2 id="heading-4-botnet-attacks-when-your-computer-joins-a-secret-army">4. Botnet Attacks: When Your Computer Joins a Secret Army</h2>
<p>Picture your computer as a soldier in an army, but you don't even know it. That's what happens in a botnet attack, and it's a sneaky cyber trick.</p>
<p>In a botnet attack, bad guys secretly take control of many computers, just like recruiting an army of digital soldiers. These computers can be anywhere in the world, and their owners usually have no idea that their devices are being used for evil purposes.</p>
<p>These digital soldiers, called "bots," follow the orders of the cyber criminals who control them. They can do all sorts of terrible things, like sending spam emails, launching cyberattacks, or stealing information.</p>
<p>How do they do it? They often infect your computer with malicious software without you noticing. It's like a secret takeover. Once your computer becomes part of the botnet, it listens to the cybercriminal's commands.</p>
<p>To protect yourself from botnet attacks, keep your computer's software and antivirus up to date. Be careful about clicking on suspicious links or downloading files from unknown sources. By keeping your digital defenses strong, you can help prevent your computer from becoming a silent soldier in a cybercriminal's army.</p>
<h2 id="heading-5-social-engineering-attacks-tricking-people-not-computers">5. Social Engineering Attacks: Tricking People, Not Computers</h2>
<p>Imagine someone pretending to be your friend to steal your secrets. That's what social engineering attacks are all about, and they don't use fancy computer tricks – they trick people.</p>
<p>In a social engineering attack, cyber crooks use psychology and charm to manipulate you into doing things you shouldn't. They might pretend to be someone trustworthy, like a coworker or a tech support person, to gain your trust.</p>
<p>These attackers might call you on the phone, send you emails, or even meet you in person. They'll often use urgency or fear to pressure you into giving them sensitive information, like passwords or personal details.</p>
<p>You can protect yourself from social engineering by being cautious when someone you don't know well enough asks for personal info. Always double-check their identity, especially in unexpected situations. Remember, it's not just about protecting your computer – it's about protecting yourself from tricky people too.</p>
<h2 id="heading-6-sql-injection-attacks-sneaky-hacks-that-trick-databases">6. SQL Injection Attacks: Sneaky Hacks That Trick Databases</h2>
<p>Think of a database as a locked vault full of valuable information. Now, imagine a clever thief who can trick the vault into giving away its secrets without the key. That's what SQL injection attacks are all about.</p>
<p>In an SQL injection attack, cyber crooks exploit a weakness in a website or an application that connects to a database. They use special tricks to insert malicious commands into the places where you enter information, like search boxes or login fields.</p>
<p>Once these commands get into the system, they can manipulate the database to give them access to sensitive data or even control the whole system.</p>
<p>To protect against SQL injection attacks, developers need to write secure code and <a target="_blank" href="https://www.makeuseof.com/what-is-input-validation/">validate user inputs properly</a>. As users, be cautious when entering data into websites, especially if they seem odd or unreliable.</p>
<p>Just like a strong lock on a vault, good coding practices can keep your data safe from digital criminals.</p>
<h2 id="heading-7-malware-attacks-nasty-software-that-can-harm-your-devices">7. Malware Attacks: Nasty Software That Can Harm Your Devices</h2>
<p>Imagine using your computer or smartphone happily, but there's an intruder inside your device causing trouble without you knowing it. That's what malware attacks are like, and they're a big concern in the digital world.</p>
<p>The word "malware" is short for "malicious software." It's like a digital virus that can harm your device and steal your personal information.</p>
<p>Malware can come in different forms, like viruses, worms, Trojans, or ransomware. They usually sneak into your device when you download something from a sketchy website, click on a suspicious link, or open an infected email attachment.</p>
<p>Once inside your device, malware can do nasty things. It might steal your passwords, mess up your files, or even take control of your device. Some types of malware can even lock your device and demand money to unlock it.</p>
<p>To protect yourself from malware attacks, be careful about what you download and click on. Use antivirus software to scan your device for potential threats. Regularly update your operating system and apps, as updates often include security fixes that can keep malware out.</p>
<p>Remember, just like washing your hands keeps you healthy, good digital hygiene can keep your devices safe from malware.</p>
<h2 id="heading-8-cross-site-scripting-xss-attacks-malicious-code-that-can-trick-websites">8. Cross-Site Scripting (XSS) Attacks: Malicious Code That Can Trick Websites</h2>
<p>Think of a website as a big bulletin board where people share information. Now, imagine someone sneaking in and pinning a fake message on that board without anyone noticing. That's what Cross-Site Scripting (XSS) attacks are like in the digital world.</p>
<p>In an XSS attack, cyber crooks use clever tricks to inject harmful code into a website. This code can be hidden in places where users input text, like search boxes or comment sections. When another user views that page, the harmful code runs in their web browser.</p>
<p>The sneaky part is that the harmful code can do things like steal cookies (not the tasty kind – these are bits of data that remember who you are on a website), capture personal information, or even redirect users to a fake website.</p>
<p>To protect against XSS attacks, website developers need to write secure code and sanitize user input properly. As users, be cautious when clicking on links or visiting websites, especially if they seem suspicious.</p>
<p>Just like checking your food for anything strange before eating, being vigilant online can help you avoid falling victim to XSS attacks.</p>
<h2 id="heading-9-password-attacks-when-cyber-thieves-try-to-guess-your-secret-code">9. Password Attacks: When Cyber Thieves Try to Guess Your Secret Code</h2>
<p>Imagine you have a secret code to unlock a treasure chest, but there's a sneaky thief trying to guess it. That's what password attacks are all about – cyber thieves trying to crack your secret online codes.</p>
<p>In a password attack, cybercriminals use various techniques to guess or steal your passwords. They might try thousands of combinations super-fast (that's called a brute force attack) or use a list of common passwords (a dictionary attack). They can also trick you into revealing your password through phishing or other tricks.</p>
<p>Once they have your password, they can access your accounts, steal your information, or even pretend to be you online.</p>
<p>To protect against password attacks, use strong and unique passwords for each of your accounts. A strong password is long, contains a mix of letters, numbers, and symbols, and is hard to guess. Consider using a password manager to help you keep track of your passwords securely. And be cautious about sharing your passwords or clicking on suspicious links that could lead to phishing frauds.</p>
<p>Just like locking your front door to keep burglars out, good password practices can help keep your online world safe.</p>
<h2 id="heading-10-denial-of-service-dos-attacks-when-cyber-troublemakers-clog-the-digital-highway">10. Denial of Service (DoS) Attacks: When Cyber Troublemakers Clog the Digital Highway</h2>
<p>Think of a busy road suddenly blocked by hundreds of cars, making it impossible for anyone to get through. That's what a Denial of Service (DoS) attack does in the digital world – it clogs up websites or online services, so they become inaccessible to users.</p>
<p>In a DoS attack, cyber troublemakers flood a website or service with an overwhelming amount of traffic or data. It's like sending so many cars onto a road that it becomes jammed. When this happens, the website or service can't handle all the requests, and it crashes or slows down significantly.</p>
<p>These attacks can be launched for several reasons. Sometimes it's to cause chaos and disrupt a service, but other times it's a distraction while cybercriminals carry out other attacks.</p>
<p>To protect against DoS attacks, website owners and service providers use specialized software and hardware to filter out malicious traffic. They also have backup systems to keep services running even if there's an attack.</p>
<p>As users, you might experience a website responding slowly during a DoS attack, but there's not much you can do to prevent it. Just like dealing with traffic jams on the road, patience is key when facing a DoS attack online.</p>
<h2 id="heading-11-distributed-denial-of-service-ddos-attacks-the-cyber-storm-that-overwhelms">11. Distributed Denial of Service (DDoS) Attacks: The Cyber Storm That Overwhelms</h2>
<p>Imagine your favourite online game or a popular shopping website suddenly becoming so crowded that it crashes, and you can't access it. That's what a Distributed Denial of Service (DDoS) attack does – it creates a digital stampede that overwhelms and paralyzes websites and online services.</p>
<p>In a DDoS attack, instead of one troublemaker, there are many. These cyber attackers gather a network of hijacked computers and devices, often called a "botnet." It's like an army of digital zombies that follow the hacker's orders.</p>
<p>When the attack begins, the botnet floods the target website or service with a massive amount of fake traffic. It's like thousands of people trying to get into a tiny shop at once. The target gets so swamped that it can't handle all the requests, and it slows down or crashes.</p>
<p>DDoS attacks can be used for several reasons, from causing chaos to distracting security teams while another cyber-attack is underway.</p>
<p>To protect against DDoS attacks, websites and service providers invest in strong cybersecurity infrastructure and monitoring systems to detect and mitigate the attack traffic.</p>
<p>As users, there's not much you can do to prevent a DDoS attack, but you can be patient and wait for the storm to pass. Just like waiting for a crowded event to calm down, staying calm during a DDoS attack is the key to getting back online.</p>
<h2 id="heading-12-inside-attacks-and-data-breaches-when-the-enemy-is-already-inside-the-castle">12. Inside Attacks and Data Breaches: When the Enemy is Already Inside the Castle</h2>
<p>Let's assume you're protecting a castle and one of your knights is a traitor who allows the enemy to sneak in. Inside attacks and data breaches are like that – when someone who's supposed to be on your side turns against you, and your precious data is stolen.</p>
<p>In an inside attack, someone within an organization misuses their access and knowledge. This person might be an employee, a contractor, or even a trusted partner. They already have some level of access to the organization's systems and data.</p>
<p>These "insiders" can steal sensitive information, mess up computer systems, or even leak confidential data intentionally or unintentionally. It's like a spy who's already inside the castle, causing damage from within.</p>
<p>Data breaches are the result of these inside attacks. A data breach is when sensitive or confidential information is exposed or stolen from an organization's systems. It could be customer data, financial records, or trade secrets.</p>
<p>To protect against inside attacks and data breaches, organizations implement security measures like access controls, monitoring systems, and employee training. You can use the <a target="_blank" href="https://www.stealthsecurity.io/protect-your-business-using-the-principle-of-least-privilege/">principles of least privilege</a> to limit access to sensitive information to only those who need it.</p>
<p>As individuals, knowing the importance of data security and following your organization's security policies can help prevent inside attacks and data breaches.</p>
<h2 id="heading-13-cryptojacking-attacks-when-your-computer-mines-money-for-malicious-miners">13. Cryptojacking Attacks: When Your Computer Mines Money for Malicious Miners</h2>
<p>Imagine using your computer while someone else is utilizing it to produce money without your knowledge. That is what cryptojacking is: fraudsters stealing your computer's processing power in order to mine money.</p>
<p>In a cryptojacking attack, bad actors sneak malicious code onto your computer, often through a website or a downloaded file. This code quietly uses your computer's processing power to mine cryptocurrencies like Bitcoin. It's like having an uninvited guest in your house who's using your electricity and computer to make money for themselves.</p>
<p>The tricky part is that you might not even notice it's happening. Your computer could slow down, and it might get overheated, but those are subtle signs. Meanwhile, the attackers are making money at your expense.</p>
<p>To protect against cryptojacking, keep your computer's security software up to date and avoid downloading files from untrusted sources. You can also use browser extensions that block cryptojacking scripts.</p>
<h2 id="heading-conclusion">Conclusion</h2>
<p>Staying safe online is like wearing a seatbelt in a car — it's crucial. In this article, we talked about different cyber dangers, but don't worry, you can protect yourself from them.</p>
<p>You can start by learning about these threats because understanding them is your best defence. Cybersecurity isn't just for experts, it's for everyone.</p>
<p>Stay informed, stay safe, and enjoy your digital journey with confidence. Just like in the real world, a little caution goes a long way in the digital world.</p>
<p>If you found this article useful, visit <a target="_blank" href="https://stealthsecurity.io/">Stealth Security</a> to read more articles on ethical hacking. You can also <a target="_blank" href="https://www.linkedin.com/in/manishmshiva/">connect with me on LinkedIn</a>.</p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How did someone get my password? ]]>
                </title>
                <description>
                    <![CDATA[ By Megan Kaczanowski Have you ever received a 'sextortion' email telling you that your computer has been hacked and warning you that if you don't pay up, they will release videos of an intimate nature to your entire contact list? Did the email includ... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/how-did-someone-get-my-password-2/</link>
                <guid isPermaLink="false">66d4604f052ad259f07e4b24</guid>
                
                    <category>
                        <![CDATA[ cyber ]]>
                    </category>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ passwords ]]>
                    </category>
                
                    <category>
                        <![CDATA[ phishing ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ freeCodeCamp ]]>
                </dc:creator>
                <pubDate>Thu, 30 Jan 2020 05:46:00 +0000</pubDate>
                <media:content url="https://cdn-media-2.freecodecamp.org/w1280/5f9c9d47740569d1a4ca36db.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>By Megan Kaczanowski</p>
<p>Have you ever received a <a target="_blank" href="https://www.forbes.com/sites/zakdoffman/2019/08/05/200m-email-addresses-held-by-sextortion-attackers-is-yours-on-their-list/#4214f11f67e4">'sextortion</a>' <a target="_blank" href="https://www.cnbc.com/2019/06/17/email-sextortion-scams-on-the-rise-says-fbi.html">email</a> telling you that your computer has been hacked and warning you that if you don't pay up, they will release videos of an intimate nature to your entire contact list? Did the email include an old password of yours as 'proof' that their claims were true? Did you wonder how they got your password?</p>
<h2 id="heading-what-is-phishing">What is Phishing?</h2>
<p>Statistically, this was probably from a phishing email. In 2018, 93% of all breaches globally began with a phishing or pretexting attack.</p>
<p>Phishing emails are extremely common and highly effective. They use emotions such as fear and shame (in sextortion emails or 'male enhancement ads'), urgency (my boss needs this now!), or greed (I won a new car??).</p>
<p>They can also be delivered via text message (SMiShing), voice call (vishing), email (phishing), or social media.</p>
<p>The more people adapt, the more the hackers change in response – their tactics are constantly evolving.  </p>
<p>Usually phishing emails contain a link or an attachment. Once you click the link or open the attachment, they may install malware on your device or trick you into entering your credentials into a fake site (which looks just like the real site). The malware will check to see if it can exploit unpatched vulnerabilities in order to install more malware onto your system (which can then steal passwords, install keyloggers to record all of your keystrokes – and therefore your passwords! – and so on). </p>
<p>Once the hacker has stolen your credentials, they can do things like exfiltrate your personal financial data or account information, or those of your customers if this happens on your corporation's device.</p>
<p>Phishing deserves its own article entirely, so if you're interested in learning how to phish, check out <a target="_blank" href="https://www.pentestgeek.com/phishing/how-do-i-phish-advanced-email-phishing-tactics">this article</a>.</p>
<h2 id="heading-how-can-you-stop-phishing-from-impacting-you">How can you stop phishing from impacting you?</h2>
<p>Defending against phishing is also difficult. As an individual, the best thing you can do is use caution when opening emails – be wary of emails which play on your emotions, ask you to make quick decisions, or seem too good to be true. </p>
<p>Look out for unusual senders (do you recognize the person emailing you? Is this the same email address they've used before?), or unexpected links or attachments. If you're unsure if an email is legitimate, confirm that it is with the sender via a different method of communication.</p>
<p>You should also use antivirus and endpoint protection software. The paid version is better than the free version, as it is updated as new malware is identified. But the free version is usually better than nothing. I like Malwarebytes for laptops.</p>
<p>Security teams will use a myriad of tools:</p>
<ul>
<li>email filtering mechanisms that attempt to reduce the phishing and spam emails which reach users' inboxes, </li>
<li>measures like SPF, DKIM, and DMARC which can help provide authentication that an email is telling the truth about where it came from, </li>
<li>user awareness training, </li>
<li>and endpoint protection mechanisms. </li>
</ul>
<p>Endpoint protection mechanisms can range from simple anti-virus to agents installed on every device. These will try to prevent known malware from running, identify unusual behavior, and prevent malicious processes from running by alerting a security operations team or forcing the program to quit. </p>
<p>This way, even if the email gets through the filters and the user doesn't notice anything wrong, the endpoint protection will keep the malware from actually doing damage to the machine.</p>
<h2 id="heading-how-else-could-someone-have-gotten-my-password">How else could someone have gotten my password?</h2>
<p>Often when a hacker breaches a company, they will sell the usernames and passwords they've obtained on the dark web. </p>
<blockquote>
<p><strong>Surface Web:</strong> What you can find on Google or other popular search engines. This is probably most of what you think of as the internet. Compared to the deep web, this is a very small portion of information which is ‘online’.</p>
<p><strong>Deep Web:</strong> Information which is online, but isn’t indexed (searchable) by Google and other popular search engines. This is information such as that contained in government or university databases. Often this information is hidden behind a paywall or other restriction mechanism.</p>
<p><strong>Dark Web:</strong> The dark web requires certain browsers, such as a ‘TOR browser’ to access. Some, though not all, of this content is illegal. This is often a place where criminals gather to talk on forums, sell illegal services and goods, and sometimes activists living under repressive regimes gather to communicate.</p>
</blockquote>
<p>If you were re-using passwords and usernames between different websites (particularly since your email is probably used as your username for many websites), a hacker might already have your username and password. </p>
<p><img src="https://www.freecodecamp.org/news/content/images/2019/10/Screen-Shot-2019-10-04-at-4.06.38-PM.png" alt="Image" width="600" height="400" loading="lazy">
<em><a target="_blank" href="https://xkcd.com/792/">https://xkcd.com/792/</a></em></p>
<p>The hacker will then perform something called 'credential stuffing'. Credential stuffing is when an attacker takes these usernames and passwords and plugs them into an automated 'account checker' which basically tries the username/password combination across many, many different sites across the internet, from social media logins to bank accounts. If the password works, the hacker now has access to the account and can drain an account, sell the data, etc. </p>
<p>For a better description, check out XKCD's comic below.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2019/08/Screen-Shot-2019-08-27-at-12.56.37-PM.png" alt="Image" width="600" height="400" loading="lazy">
<em><a target="_blank" href="https://xkcd.com/2176/">https://xkcd.com/2176/</a></em></p>
<h2 id="heading-how-do-you-defend-against-credential-stuffing">How do you defend against credential stuffing?</h2>
<p>Don't reuse your passwords. Use a password manager like <a target="_blank" href="https://1password.com/">1Password</a> or <a target="_blank" href="https://www.lastpass.com/solutions/business-password-manager">LastPass</a>. <a target="_blank" href="https://keepass.info/">KeePass</a> is (in my opinion) less user-friendly, but it's free!</p>
<p>Password managers can securely store your passwords and often have browser extensions and apps so they can autofill your passwords across many accounts. Plus, you only have to remember one master password this way. But your master password now grants access to all of your other passwords, so make sure it's very strong! </p>
<p>They can also help you autogenerate very strong passwords, and some even have vaults so you can store other sensitive information (bank account details, insurance information, etc.). </p>
<p>I personally use 1Password because I like the family account option – if anyone in your family ever gets locked out, someone else can reset their account password (but won't have access to your individual vault). </p>
<p>You can also set up free alerts with <a target="_blank" href="https://haveibeenpwned.com/">Have I Been Pwned</a>. This site aggregates information from data breaches and provides consumers with the ability to use that information to protect themselves. You can navigate to the 'Notify Me' tab at the top and enter your email address. </p>
<p>After you confirm the email address you've entered (where it will provide your current exposure), the site will send you an email anytime your email is involved in a data breach. That is, any breach the site is alerted to – their coverage is very good, but no single source will contain every leaked data breach. This way, you can just change the impacted password, and won't have to worry about it impacting any of your other accounts.</p>
<p>If you're working on security for a large organization, enterprise password management software (the same companies listed above provide these services) is a great idea, as well as strong password policies (mandating that your employees use sufficiently strong passwords). Have I Been Pwned also has a service which allows the domain owner to monitor for breaches which involve any email on the domain (and it's free!). </p>
<h2 id="heading-how-else-do-hackers-get-passwords">How else do hackers get passwords?</h2>
<p>There are a few other possibilities – shoulder surfing, or basically watching you type your password – though this is unlikely given that the person has to be physically watching you. </p>
<p>Then there's theft of passwords which have been written down, or just <a target="_blank" href="https://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1">pictures of written down passwords which are visible in photos</a>. Again, this is much less likely than any of the above options as it typically comes from a targeted attack (which is inherently less common than crimes of opportunity).</p>
<p>Avoiding these two is pretty simple – don't allow someone to watch you enter your password, and don't write down your password. Use a password manager instead! If you simply have to write it down, store it someplace that someone is unlikely to search through or find by accident. I'd suggest the bottom of a box of tampons. Much more secure than a sticky note on your monitor.</p>
<h2 id="heading-it-seems-really-easy-to-get-hacked-should-i-be-concerned">It seems really easy to get hacked. Should I be concerned?</h2>
<p>The most important thing to remember about hacking is that no one wants to do more work than they have to do. For example, breaking into your house to steal your password notebook is a lot harder than sending phishing emails from the other side of the world. If there's an easier way to get your password, that's probably what a nefarious actor will try first. </p>
<p>That means that enabling basic cyber security best practices is probably the easiest way to prevent getting hacked. In fact, Microsoft <a target="_blank" href="https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/">recently reported</a> that just enabling Two-Factor Authentication will end up blocking 99.9% of automated attacks.  </p>
<p>So, enable 2FA, use a password manager to autogenerate long, complex, unique passwords for every account, and think before you click! Avoid clicking on sketchy or unexpected links and attachments, and stay vigilant.</p>
<p><img src="https://www.freecodecamp.org/news/content/images/2019/08/Screen-Shot-2019-08-27-at-1.18.47-PM.png" alt="Image" width="600" height="400" loading="lazy">
<em><a target="_blank" href="https://xkcd.com/538/">https://xkcd.com/538/</a></em></p>
 ]]>
                </content:encoded>
            </item>
        
            <item>
                <title>
                    <![CDATA[ How to Pass the CISSP Exam (Information Security Certification) ]]>
                </title>
                <description>
                    <![CDATA[ By Megan Kaczanowski What is the CISSP? It is the Certified Information Systems Security Professional certification. It's generally the most widely-recognized, broad certification within information security. Essentially it's an inch deep and a mile ... ]]>
                </description>
                <link>https://www.freecodecamp.org/news/passing-the-cissp/</link>
                <guid isPermaLink="false">66d46066e39d8b5612bc0de1</guid>
                
                    <category>
                        <![CDATA[ Certification ]]>
                    </category>
                
                    <category>
                        <![CDATA[ cyber ]]>
                    </category>
                
                    <category>
                        <![CDATA[ cybersecurity ]]>
                    </category>
                
                    <category>
                        <![CDATA[ information security ]]>
                    </category>
                
                    <category>
                        <![CDATA[ technology ]]>
                    </category>
                
                <dc:creator>
                    <![CDATA[ freeCodeCamp ]]>
                </dc:creator>
                <pubDate>Thu, 12 Dec 2019 00:07:00 +0000</pubDate>
                <media:content url="https://cdn-media-2.freecodecamp.org/w1280/5f9c9ec2740569d1a4ca3eef.jpg" medium="image" />
                <content:encoded>
                    <![CDATA[ <p>By Megan Kaczanowski</p>
<h2 id="heading-what-is-the-cissp">What is the CISSP?</h2>
<p>It is the Certified Information Systems Security Professional certification. It's generally the most widely-recognized, broad certification within information security. Essentially it's an inch deep and a mile wide - a HUGE amount of information grouped into 8 domains:</p>
<ul>
<li>Domain 1. Security and Risk Management (15%)</li>
<li>Domain 2. Asset Security (10%)</li>
<li>Domain 3. Security Architecture and Engineering (13%)</li>
<li>Domain 4. Communication and Network Security (14%)</li>
<li>Domain 5. Identity and Access Management (IAM) (13%)</li>
<li>Domain 6. Security Assessment and Testing (12%)</li>
<li>Domain 7. Security Operations (13%)</li>
<li>Domain 8. Software Development Security (10%)</li>
</ul>
<p>If you're only going to get one information security certification, this is the one. It's by far the most widely accepted and recognized.</p>
<h2 id="heading-should-you-get-it">Should you get it?</h2>
<p>....maybe. It depends on what you want. In general, certifications are useful for entry level folks who are looking to get a foot in the door, or to understand the lexicon and framework with which people talk about security. </p>
<p>They can also be helpful at getting your resume past an initial screening, look impressive to future employers, and potentially add credence to your experience (even better if you don't have much experience!). </p>
<p>It does not mean that you are a 'cybersecurity' expert, and most folks won't see it as that. This particular certification is aimed more at managers than hands-on keyboard folks. This test won't teach you how to operate as a hands-on keyboard SOC (security operations center) analyst. But it will give you some exposure to a broad list of basic concepts.</p>
<p>Interested in reading more about certifications? Check out <a target="_blank" href="https://danielmiessler.com/blog/infoseccerts/">these</a> <a target="_blank" href="https://medium.com/@pendraggon87/too-many-security-certifications-31578ccb6a55">posts</a>.</p>
<h2 id="heading-lets-talk-details">Let's talk details.</h2>
<p>In order to get the certification, you need at least 5 years of work experience in two or more of the domains. You can substitute a four year college degree or certain certifications from ISC<sup>2</sup> for one year of work experience (details <a target="_blank" href="https://www.isc2.org/Certifications/CISSP/experience-requirements">here</a>).</p>
<p>If you don't have the required years of work experience, you can still take the test and become an associate of ISC<sup>2</sup>. You then have 6 years to gain the required 5 years of work experience.</p>
<p>The English version of the test uses 'computer adaptive testing' (CAT), which means you can receive anywhere from 100 to 150 questions depending on your performance: the test automatically adjusts the questions it gives you based on how you have answered so far. </p>
<p>So, for example, if you get a question wrong, the computer will then give you a slightly easier question. If you get a question right, the next question will probably be more difficult. The computer will continue giving you questions until it is able to confidently assess your level of knowledge and terminate the test. This type of testing thus takes fewer questions to confidently assess your level of knowledge.</p>
<p>The non-English version is fixed and has 250 questions. You get a maximum of 3 hours for the English test (and 6 hours for the non-English version). </p>
<p>The test is available in English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, Korean, and Visually impaired. The test is offered by Pearson VUE and is administered by their proctors. </p>
<p>The cost is $699 and you need 700/1000 to pass the exam. You can register for the exam on the Pearson VUE website <a target="_blank" href="https://home.pearsonvue.com/isc2">here</a>.</p>
<p>After you pass the exam, you have 9 months to complete the '<a target="_blank" href="https://www.isc2.org/Endorsement">endorsement process</a>' (unless you're applying for an 'associate of ISC<sup>2</sup>'), which involves getting someone who is an ISC<sup>2</sup> certified professional (someone who has an ISC<sup>2</sup> credential in good standing, and can attest to your professional experience) to certify that your professional experience claims are true. </p>
<p>If you don't know someone who fits this category, you can ask ISC<sup>2</sup> to serve as your 'endorser'. Then, your certification is good for life, as long as you pay an annual maintenance fee (currently set at $125 for certificate holders, and $50 for associates) and complete your required continuing professional education credits (CPE). </p>
<p>CISSP certification holders are required to submit 120 credits, while associates are required to submit 15 each year. </p>
<p>You can get CPE credits for a variety of activities, such as taking an academic course (1 hour of instruction in a domain = 1 CPE, up to 40), reading a book (5 CPEs per book, with a 250 word description), magazine (5 CPEs per magazine issue, with a 250 word description), or whitepaper (1 CPE with a 250 word description), or attending ISC<sup>2</sup> events and webinars. </p>
<p>You can find more details on the CPE process <a target="_blank" href="https://www.isc2.org/-/media/ISC2/Certifications/CPE/CPE---Handbook-Digital-V2.ashx">here</a>.</p>
<h2 id="heading-what-was-my-experience">What was my experience?</h2>
<p>The test took me about 80 minutes and I went through 100 questions before I passed.  </p>
<p>In order to prepare, I did the following over a period of roughly 2+ years. I would study for a week or so, then forget about it for a few months, then come back to it as I had time. </p>
<p>I probably only intensely studied for about a month (meaning I was spending a couple hours on weekdays studying and closer to 6 hours on the weekends). I also knew almost nothing (and had no degree or experience) when I started studying. I initially started studying in the hope it would help give me a framework to understand corporate security - which it did (though I'm not sure it was the best option for that). </p>
<p>If you have several years' experience working in information security, you could probably just read the 11th Hour book a couple of weeks before the exam, brush up on unfamiliar topics, try some practice questions, and take the test. I've rated the resources I used out of 10 based on their usefulness in preparing.</p>
<ol>
<li>Read the <a target="_blank" href="https://www.amazon.com/Certified-Information-Security-Professional-Official/dp/1119523265/ref=pd_sbs_14_t_1/140-2987288-0345827?_encoding=UTF8&amp;pd_rd_i=1119523265&amp;pd_rd_r=5cb6310f-f807-4df1-bcc5-46b74e31fdd4&amp;pd_rd_w=eCx3V&amp;pd_rd_wg=3aUfR&amp;pf_rd_p=5cfcfe89-300f-47d2-b1ad-a4e27203a02a&amp;pf_rd_r=GQ94ER34GEZTRP1M8051&amp;psc=1&amp;refRID=GQ94ER34GEZTRP1M8051">ISC<sup>2</sup> Official Study Guide</a> (yeah, the entire thing. Probably don't do that. It's definitely more information than you actually have to know.) 6/10</li>
<li><a target="_blank" href="https://www.youtube.com/playlist?list=PLTU5Z3BsEq4CBM_9b9diThR5bCo3YYo7c">Kelly Handerhan videos</a> (I watched the old ones, then when she released updated content, I watched the new ones. These are solid, though they're not as in-depth as the exam can be.) 7/10 </li>
<li><a target="_blank" href="https://www.amazon.com/Eleventh-Hour-CISSP-Study-Syngress/dp/1597495662">11th Hour CISSP</a> guide (like three times).  8/10</li>
<li><a target="_blank" href="https://www.youtube.com/channel/UCwUkAunxT1BNbmKVOSEoqYA">IT Dojo</a> Daily CISSP Question Videos (I watched all of them. Some of them more than once. The guy who runs the series has a really great way of explaining complicated concepts, but I don't think the questions were reflective of the exam questions.) 6/10</li>
<li>Made a million (probably around 1000) flashcards whenever I got a question wrong or ran into difficult concepts. Studied them. Made more (every time I ran into something I didn't know). Studied them again. 10/10</li>
<li>Used the <a target="_blank" href="https://www.amazon.com/CISSP-All-One-Guide-Eighth/dp/1260142655/ref=pd_sbs_14_2/140-2987288-0345827?_encoding=UTF8&amp;pd_rd_i=1260142655&amp;pd_rd_r=b9a4fa76-5464-404b-86be-7cfd96769bb0&amp;pd_rd_w=Anetw&amp;pd_rd_wg=Y0EYK&amp;pf_rd_p=52b7592c-2dc9-4ac6-84d4-4bda6360045e&amp;pf_rd_r=1QER8YQPVKYRBE16HDVZ&amp;psc=1&amp;refRID=1QER8YQPVKYRBE16HDVZ">Shon Harris book</a> to research specific topics I didn't understand. And  asked other people, googled the topics, read blogs, watched youtube videos, etc. 9/10</li>
<li>Watched <a target="_blank" href="https://www.youtube.com/watch?v=-99b1YUFx0A">this video</a>, <a target="_blank" href="https://www.youtube.com/watch?v=FHuzohDiD50">this video</a>, and <a target="_blank" href="https://www.youtube.com/watch?v=eLYbFtS7G9E&amp;t=3s">this video</a> on testing mindset. Several times. 10/10</li>
<li>Took all the practice questions in the ISC<sup>2</sup> Practice Test book (twice - same link as the study guide). The questions were good, but not necessarily reflective of what the exam questions look like. 7/10</li>
<li>Took all the <a target="_blank" href="https://www.boson.com/">Boson</a> practice Qs. Took them again and read all of the explanations. These were the single most useful resource. The explanations were great, though the questions were more technical than the exam was. 10/10</li>
</ol>
<p>None of the practice questions were perfect representations of the test, but Boson seemed the closest. </p>
<p>The best piece of advice I received before taking it was to look at the answers, and if any of the answers told me to do something (take a system off a network, change a password, perform an account lockout, etc.), to skip it in favor of an answer which involved documenting, instructing someone else, etc. </p>
<p>Getting in the 'CISSP' mindset is key to passing the test. Imagine, for each question, that you're running the security team while it's handling the situation described in the question. </p>
<p>What would you do (or what would you tell your team to do)? Turns out I was way, way, way over prepared for the technical concepts (though I was still (mostly) glad I learned the information!).</p>
<p>Eventually, you just need to book the test - I don't think anyone feels ready when they're preparing (and definitely not when they're taking the test!), but at some point you have to accept that you've done as much as you can. Happy studying!</p>
 ]]>
                </content:encoded>
            </item>
        
    </channel>
</rss>
