Security

Tips & Information

For employees and students

Wi-Fi networks

Others will be able to see what you do on the internet and what kind of information you type in when you use open and unsecured Wi-Fi networks (networks without a required password). Don’t use networks that you don’t know or don’t trust when you’re working with confidential information such as e-mails, passwords and online banking data. Encrypt your own wireless network with WPA2-AES to prevent others from intercepting your data.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Phishing

Phishing is a form of fraud using e-mail or phone calls. In these messages people are asked to share their personal or login information. LISA and the University of Twente will never ask for your account details via e-mail or phone. If someone calls you with this request, please write down their phone number and report this attempt to the Servicedesk ICT (phone #: 5577, servicedesk-ict@utwente.nl) or report directly to security@utwente.nl.

Should you receive a phishing e-mail, please forward that e-mail in full to security@utwente.nl. This applies only to phishing mails that try to gather information about accounts of the University of Twente. Other phishing mails will not be investigated.

If you accidentally replied to a request for information (by e-mail or phone), please change your password immediately and contact the Service Desk ICT (phone #: 5577).

Spam

If you receive a spam e-mail in your inbox, you can inform the administrators of the SURFnet mail filter about it, so that this kind of mail will be captured by the mail filter in the future.

This can be done in two ways:

1) Send an e-mail to mailfilter-beheer@surfnet.nl and attach the spam e-mail.

Drag the spam e-mail to your desktop. Compose an e-mail to the address above and attach the message from your desktop to this e-mail. Add a subject and some explanatory text to this e-mail and send it.

Note: please do not forward the spam e-mail; the administrators of the SURFnet mail filter will not receive a forwarded e-mail.

2) Via the spam e-mail tag; follow the manual.

Social Engineering

Social engineering is a way to entice people to share private information or to make unsafe use of their computers. A scammer using this tactic tries to win the victim's trust by pretending to be an acquaintance or part of a legitimate organization. Social engineering can be used to convince the victim to open, download or install files that contain malware. One example is handing out free USB sticks, or ‘losing’ them on purpose, in the hope that people will load the files on the stick onto their computer. Social engineering is often used to complement a phishing attempt.

If you suspect social engineering, please report this attempt with the Service Desk ICT (phone #: 5577, servicedesk-ict@utwente.nl) or report directly to security@utwente.nl.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Firewalls

Firewalls (both hard- and software) create a barrier used to control which connections are being made between your computer and the internet. It is strongly advised to activate a firewall on your computer.

You can check if your computer has open ports that are vulnerable to attacks at www.ipscanner.nl. Most modern modems and operating systems have built-in firewalls. Please check the manual of your modem or operating system (Windows, Mac OS X) to activate your firewall.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Anti-Virus Software

Install an antivirus program to protect your computer, tablet or mobile device from malware. When using these programs, enable automatic updates and let the program scan your device regularly (e.g. once a week). If your antivirus software comes with a built-in firewall, enable that to control the connections that are being made between your device and the internet. Don’t forget to update these programs as soon as it’s needed. An example of good antivirus software at the moment is Hitman Pro.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Software

Developers of operating systems, browsers and other software like Microsoft Office, Adobe Reader and Oracle Java will release regular updates to counter vulnerabilities in their software. To prevent hackers from using these vulnerabilities to access your data, search for and install software updates at least every month and enable automatic updates when possible. Internet fraud is mostly targeted at outdated software, so remember to update your operating system (Windows, Mac OS X), antivirus software and all the applications and programs that you use.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Websites and downloads

You risk installing malware on your computer when you visit the wrong websites or download infected files, so please be careful of what you do on the internet and make sure your computer is well protected with a firewall and antivirus software.

Use of data carriers

Data carriers such as laptops, USB sticks, mp3 players and external HDDs often contain files you don’t want others to have access to, like personal information, photos and confidential documents. You can encrypt data carriers so others can’t access these files in the event that you lose the device.

It’s also possible that data carriers contain malware that will be transferred to your computer and spread to other systems from there. To counter this, always scan a device before you try to access the files it contains.

Securing your hardware

Remember to use quality locks on your doors and windows and to store your confidential documents in a safe place. Locks and cables can be used to secure your computer. Taking precautions can prevent or greatly reduce the damage caused by theft, fire or flooding.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Back-ups

Make sure you make regular copies of important files. These copies should be made at least once a week, and perhaps even several times a day when you’re working on an important document. Back-ups can be made by burning them onto a CD or DVD, by copying them onto a USB drive or by copying them to a personal home directory on your network. Keep your back-up in a safe and locked place, and keep it away from the source files. You can use dedicated back-up software to make your copies, or you can simply use your operating system to copy the files to your back-up system of choice.

Passwords

All of your systems, files and e-mail are available through your combination of username and password. You should never share these with others. Your password should be yours only and it should not be easy to figure out. Change your password regularly, especially when you suspect someone might have seen you type in your password. Don’t use the same password for everything and don’t save them in your internet browser.

Strong passwords are at least ten characters long and contain numbers, upper and lower case letters and punctuation marks. Strong passwords do not contain whole words or sequences.
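The rule above can be checked mechanically. The Python script below is an added example, not part of this page or of any LISA tooling: it reports which of the stated rules a candidate password fails (length of at least ten, digits, upper- and lower-case letters, punctuation, no whole words, no sequences). The word list is a constructed stand-in; a real check would load a dictionary file and the usual leaked-password lists. The sequence test is an assumption about what "sequence" means here: three or more characters that step by one (abc, 321) or repeat (aaa).

```python
import string

# Constructed mini word list; replace with a real dictionary in practice.
COMMON_WORDS = {"password", "welcome", "twente", "university", "secret", "qwerty"}


def has_sequence(password: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by one code point in either
    direction (abc, CBA, 123, 321) or simply repeat (aaa). Case-insensitive."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if len(steps) == 1 and steps.pop() in (-1, 0, 1):
            return True
    return False


def contains_word(password: str, words=COMMON_WORDS) -> bool:
    """True if any word from the list appears inside the password."""
    low = password.lower()
    return any(w in low for w in words)


def check_password(password: str) -> list:
    """Return the rules the password fails; an empty list means it satisfies
    the policy stated above."""
    failures = []
    if len(password) < 10:
        failures.append("shorter than 10 characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation mark")
    if contains_word(password):
        failures.append("contains a whole word")
    if has_sequence(password):
        failures.append("contains a sequence")
    return failures


if __name__ == "__main__":
    for candidate in ("Welcome123!", "k7$Rm2!qZp", "abc"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
```

A check like this belongs where the password is set or changed; it rejects the obvious weak choices but does not by itself make a password good, which is why the page goes on to recommend a password manager that generates them.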

Password managers

LISA recommends using a password manager. This will eliminate any need to write down your passwords (either on paper or digitally), it will prevent the recycling of passwords across different platforms, and it will make it much easier to use complex, safe passwords. All known products are considered satisfactory, but for convenience and ease, LISA recommends LastPass.

What is a password manager?

More and more websites and applications require the user to create a password. When you have to remember dozens of passwords, there is a risk you will use very simple passwords or even reuse passwords across sites and programmes. This can easily lead to abuse and misuse of information. The password lists of web shops and similar websites are hacked on a somewhat regular basis. There is a high impact risk if you use the same password for different platforms. Proper passwords are long, complex, and unique for every single application. But this of course makes them quite unwieldy.
Writing down passwords in documents, spreadsheets, or notebooks will create even more risks. Password managers assist users in generating, managing, and storing passwords.

A conscious personal password policy is very important for security. Even using a password manager (especially if it is based in the cloud) can be considered a security risk. However, the advantages of having unique, strong passwords that are not written down anywhere outweigh the risks of using a password manager.

Password synchronisation allows the user to access their passwords in any system and at any location, as long as they have access to the internet.

There are certain applications that take over the entire password management from the user, as well as cloud services that work as plugins (assisting programmes) in the web browser (e.g., Internet Explorer, Safari, or Chrome). Moreover, the browser itself may also be capable of saving passwords, and the iCloud Keychain application (Apple computers only) offers a password synchronisation option. These last two systems are somewhat limited in scope (although they are quite useful and secure enough) and will not be discussed in detail here.

Recommendation

There are many options on the market. Two popular ones are LastPass and KeePass. These managers (as well as a number of others) are secure enough for use during UT work.

The Tweakers technology website posted an extensive password manager comparison here (text in Dutch): https://tweakers.net/reviews/5031/datalekkenjaar-2016-kiezen-uit-wachtwoordmanagers.html

LISA recommends using LastPass because it is easy to use and is suitable for a wide range of devices and browsers. KeePass offers a good alternative for users who need options that are a bit more advanced.

It is vital to secure the password manager itself with a strong password. This password is used to secure all other passwords that the user stores in the application.

LastPass is the easiest way to synchronise passwords across diverse systems. These passwords are stored in the cloud in an encrypted form, a solution that not everyone considers acceptable. LastPass offers plugins for virtually all browsers and systems (desktop/laptop, smartphone/tablet), and if all else fails, users can access their account through the LastPass website. LastPass offers a convenient free version. Taking out a paid subscription unlocks the more advanced options. Two-factor authentication is available, among other methods through an app.

KeePass

KeePass is an offline password manager, just like 1Password. The user can synchronise passwords through, among others, Dropbox or a USB flash drive. KeePass is a scalable, Open Source solution that offers a lot of features. It is a suitable option for the advanced user who wants total control. Use of KeePass is free of charge.

All password managers offer extra options, such as secure storage of notes, changing passwords, importing/exporting passwords, and safely sharing a password with someone who uses the same application without showing the password at any time. These additional options have not been considered for this recommendation.

Account sharing

Your combination of username and password is not only used to grant you access to a system. It will also be used to trace misuse to a specific person. For this reason you should never let someone else make use of your account or let them know your login details.

Messages and files

When receiving an unexpected message with an attachment, (shortened) hyperlink or a request to log into a system, use common sense and disregard these messages, even when you know the person who sent them. Only accept a message when you expected to receive it. It is best to delete spam as soon as possible.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Website certificates and URLs

Check the URL and the web certificate (the lock symbol in the address bar of your web browser) to make sure you’re not visiting a copied or unsafe website. If a website has no web certificate, don’t fill in any personal or confidential information. Bookmark websites that you use often and watch out when opening shortened URLs. These are often used on social networking sites.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Pop-ups

When closing a pop-up never click on ‘agree’, ‘OK’ or ‘X’. You may accidentally install malware when doing this. Instead, use the key combination ‘Alt+F4’ (Windows). You can also install a pop-up blocker.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Social Networks

It’s very easy to put information online, but it can be very difficult to remove it, so think carefully on what you want to share with the world on the internet. Shield your personal networking sites and take care in choosing who you allow to access your profile and personal information. Should you share your personal information somewhere, check which organization it is, how long your data will be kept and who else will have access to your personal information. Never give out more data than absolutely necessary.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Cloud services

External cloud services such as Dropbox, Google Drive and Microsoft Onedrive can be very useful, but remember that by using these services you’re giving others access to your files. Therefore, you should never save confidential or personal data with these services.

Computer use

Your computer will probably contain confidential information such as personnel files, dissertations, project documents and personal files and photos. It will only take someone a minute to copy, delete or modify these files. For this reason you should always lock your computer or laptop when you leave your seat or work station. Also, don’t forget to shut down your computer when you leave work.

[Source: NCTV – Alert Online - www.alertonline.nl/]

Reporting ICT vulnerabilities

Here at the University of Twente we consider the security of our systems of the utmost importance. However, it’s always possible that one of our systems contains a vulnerability. Should you find such a vulnerability in one of our ICT systems, we would greatly appreciate your report on this. We would like to work together to better protect our users and our systems.

You can send your report to responsible-disclosure@utwente.nl. If this report contains sensitive or confidential data that you wish to encrypt, please make mention of this in your e-mail. We will send you an address to which you can send your PGP encrypted e-mail.

Quarantainenet

If a system within the UT network is being misused to, for example, send out spam or attack other networks, this system may be put into quarantine. The ICT Service Centre will then start an investigation as to the cause of this misuse. If your system is put into quarantine, please contact the Servicedesk ICT (phone #: 5577, servicedesk-ict@utwente.nl) for more information.

Maintenance and failure

Library, ICT Services & Archive maintains a calendar with current and planned downtime of services. Malfunctions will also be displayed on this page. When unable to reach a system or service, please follow this link for more information: http://www.utwente.nl/status

Send e-mails to large groups

Very often UT employees or students want to send an e-mail to large groups of UT students and/or employees. If this serves an educational or commercial purpose, there are various options for this. Before this type of e-mail can be sent, a request has to be submitted to the Centre for Educational Support (CES) for e-mail to students, or to Human Resources (HR) for e-mail to employees. CES or HR will assess the request and (in consultation with LISA) will send the e-mail.

Within Exchange, measures have been taken to prevent bulk e-mails. Sending an e-mail to more than 750 people within one hour is only possible if Exchange e-mail lists are used. In that case, the e-mail may not exceed 50 MB. Such an e-mail list can be requested from the Service Desk ICT.

All e-mails to large groups of students or employees that are not sent in accordance with the procedure outlined above will initially be considered to be spam. LISA will then contact the sender and will take the appropriate actions to prevent a repeat.

In any case, please remember the following: to err is human. If you receive an e-mail that, in your opinion, is spam, forward it to LISA at abuse@utwente.nl, outlining your complaint.

For employees

Codes of Conduct ICT

The University of Twente has set up a code of conduct ICT for employees. See the following link for more information:

http://www.utwente.nl/hr/en/terms-of-employment/cao-regulations-codes-conduct/codes-conduct/code-of-conduct-itc-internet/

Code of conduct for ICT officers (Gedragscode ICT-functionarissen)

The University of Twente has set up a code of conduct ICT for employees with an ICT function. See the following link for more information (Dutch only):

http://www.utwente.nl/sb/uim/informatiebeveiliging/Gedragscode_ICT-functionarissen.pdf

Information security policy

The information security policy can be found here (Dutch only):

http://www.utwente.nl/sb/uim/informatiebeveiliging/informatiebeveilingsbeleid_ut.pdf

For Students

Codes of conduct ICT

The University of Twente has set up a code of conduct ICT for students. See the following link for more information:

http://www.utwente.nl/sb/en/policy/information_management/Gedragscode%20e-mail%20studenten%2026%20mei%202011_EN.pdf

Codes of conduct campus network

The code of conduct for use of the campus network is drawn up by Student Net Twente. See the following link for more information (Dutch only):

http://www.snt.utwente.nl/helpdesk/beleid/aup