Information security

Welcome to our information security page.

General Information

The definitions of terms are taken from the glossary of the German Federal Office for Information Security (BSI).

Information security aims to protect information. Information can be stored on paper, in computers or in people's heads. The protection goals or basic values of information security are confidentiality, integrity and availability.

Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information must only be accessible to authorized persons in the permitted manner.

Integrity refers to ensuring the correctness (integrity) of data and the proper functioning of systems. When the term integrity is applied to "data," it expresses that the data is complete and unchanged. In information technology, however, it is usually defined more broadly and applied to "information." In this context, the term "information" is used to refer to "data" that can be assigned certain attributes, such as author or time of creation, depending on the context. The loss of integrity of information can therefore mean that it has been altered without authorization, that details of the author have been falsified, or that the time at which it was created has been manipulated.

The availability of services, functions of an IT system, IT applications or IT networks, or even of information, exists if they can always be used by users as intended.

Information technology (IT) includes all technical means that serve to process or transmit information. Information processing includes the collection, recording, use, storage, transmission, program-controlled processing, internal presentation and output of information.

Accordingly, IT security must protect all technical means that serve to process or transmit information. It thus represents a subarea of information security.

Data protection is intended to protect individuals from having their personal rights impaired by the handling of their personal data. Data protection therefore refers to the protection of personal data against possible misuse by third parties. Suitable technical and organizational measures (TOMs) must be taken for this purpose.

While data protection aims to protect personal data, information security is concerned with maintaining the protection of information, data and systems.

Strict legal regulations apply in data protection.

Threats

What are the threats to IT security? The consequences of these threats can lead to IT failure, data loss, leakage/manipulation of personal/secret data, identity theft, among others.

Phishing is a combination of the words "password" and "fishing". Phishing is an attempt to obtain access data for a service or website, for example, by means of fake E-mails or websites. Under certain circumstances (see social engineering), the victim does not question or recognize the actual authenticity of such a message or website and then unwittingly gives his or her access data into unauthorized hands.

Vishing (voice phishing) is a form of fraud via telephone. The scammers use manipulative tactics, for example, posing as employees of other Universities, business partners, friends or relatives, in order to gain access to their victims' sensitive data.

Quishing (phishing with QR codes) are phishing emails that contain a QR code instead of a link, which in turn tempts the user to enter their access data or is used to download malicious code. Unlike links and attachments, QR codes are viewed as images by current anti-virus programs and are therefore generally classified as harmless. This makes it more likely that such emails will be delivered directly to the users' mailboxes. The user is asked to take urgent action by scanning the QR code with his smartphone, which in turn leads to a manipulated website.

Smishing (phishing via SMS) is a form of fraud via (mobile) SMS with malicious links. Malware is then either installed on the device via this link or you are asked to enter personal data such as passwords, account data, etc. on a fake page that is not recognizable as such.

Social engineering exploits human characteristics such as curiosity, helpfulness, trust, fear, or respect for authority to skillfully manipulate people. In this way, cyber criminals entice the victim, for example, to disclose confidential information, bypass security functions, make bank transfers, or install malware on the end device at home or on the company network. Such social engineering attacks can take the form of a conversation, by phone, by e-mail or on social media.

CEO fraud as a special form of social engineering:

Here, perpetrators try to manipulate people in the company who are authorized to make decisions so that they transfer large sums of money abroad. The perpetrators pretend that the order comes directly from the head of the company (managing director or board member = chief executive officer = CEO).

Malware are malicious programs designed to cause harm to the user.

They are often multifunctional and, once they have infected a system, can download additional malware from the Internet, which then causes further damage.

There are numerous subtypes of malware, e.g. viruses, worms, trojans, rootkits, botnets, ransomware, spyware ... All work differently and cause different damage.

Malware is spread via malicious email attachments, links, macros in Office documents, manipulated USB sticks, among others.

Vulnerabilities in products/services can be exploited by attackers to penetrate IT systems, tap data and/or execute malware.

Countermeasure: Regularly update IT products/applications!

The BSI regularly reports such vulnerabilities: https://www.bsi.bund.de/DE/Service-Navi/Abonnements/Newsletter/Buerger-CERT-Abos/Buerger-CERT-Sicherheitshinweise/buerger-cert-sicherheitshinweise_node.html

Best Practice (students)

The following rules are based on the password guideline applicable at OTH-AW:

  1. The password for the University-wide OTH-AW identifier is known only to the University member.
  2. Under no circumstances may the password be given to third parties, not even to a good friend/fellow student.
  3. Please be sure to use a secure OTH-AW password: as long as possible (at least 10 characters) with upper and lower case letters, numbers and special characters; do not use last name, first name, user name; do not use words from dictionaries/encyclopedias; do not use personal information that is easy to find out.
  4. While entering the password via the keyboard, make sure that no third party is watching
  5. Under no circumstances should the OTH-AW password be used in private with other providers, e.g. with a private e-mail account/Internet service! If this is the case, please change the OTH-AW password!
  6. If the password is entered incorrectly more than three times, access will be automatically blocked for a certain period of time. Please contact the computer center by phone.
  7. Please never share the password unencrypted by e-mail!
  8.  Password change always via the ‘Password change’-Service.
  9. To keep the user ID+password combination assigned per application/service, it is recommended to use a password manager tool such as KeePass.
  10. If passwords are stored in the web browser (product dependency!), then it is essential to secure them with a secure master password (not the OTH-AW password!)!
  11. If passwords are stored in written form, make sure to store them securely (preferably in a safe!), i.e. inaccessible to others.

  1. To access your mails, use either the university's GroupWise client, an alternative mail client or WebMail (without mail client).
  2. For access via smartphone use the smartphone data synchronization of the data center!
  3. Communication with the university should only be done via the OTH-AW mail address!
  4. If the sender's mail address is not @oth-aw.de, such mails are always marked with the subject line prefix [EXTERN]. This is to visually mark mails in which the name of an OTH-AW member (e.g. professor) is misused as sender, in order to support you in recognizing spam/phishing mails. Possibly ask by phone!
  5. Please do not forward OTH-AW mails to a private email address!
  6. Mails sent to the university from a private email address will not be processed!
  7. The OTH-AW mail address should not be used for private use (e.g. for private orders). It is imperative to use a private e-mail address with its own password for this purpose.
  8. Before opening a mail, please do the 3-second security check: Is the sender known? Does the subject make sense? Do you expect an attachment from this sender?
  9. After opening, doubts should arise in the following cases: impersonal salutation, request for personal information, building up time pressure, threats, promises to win, etc.
  10. Delete such unwanted mails (SPAM or PHISHING) immediately and do not react to them in any way! So do not reply, do not open links, do not open attachments, do not call, do not buy anything!
  11. You can report such mails by forwarding the mail AS ANNEX to spam@oth-aw.de or phishing@oth-aw.de.

  1. When working in PC pools, be sure to use your personal area on the MyFiles Filr file server for data backup, which is regularly backed up by the computer center.
  2. Secure data exchange via the OTH-AW internal file server MyFiles Filr (= internal cloud) – also possible with non-university members.
  3. External clouds (= outside the university) should be used sparingly for university data exchange. Depending on the confidentiality level**, the data should be encrypted in advance (V3, V4) and also only stored there for as long as necessary.
  4. Gigamove is recommended as an external cloud for secure data exchange of very large files.
  5. External clouds from commercial providers (e.g. Dropbox) are not considered compliant with the General Data Protection Regulation (GDPR). With such often free external clouds, you pay with your data. The OTH-AW access data (mail address, user ID, password) must not be used or deposited with external cloud providers as a matter of principle.
  6. Data from external clouds are not backed up by OTH-AW.
  7. The cloud guidelines in force at OTH-AW must be observed.

** Confidentiality levels:

V1 = public, V2 = internal, V3 = OTH-AW confidential, V4 = strictly confidential.

V1 examples: Course catalog, press releases, flyers, public events, public portions of website.

V2 examples: Intranet, process portal, rules and regulations, instructions for action, correspondence, internal e-mails, internal telephone directories, internal events

V3 examples: personal data, travel, payroll, research data, technical data, restricted theses, auditing

V4 examples: in cooperation with third parties (military, research, business) due to official or contractual obligation

  1. Secure connection to the OTH network via VPN-Access
  2. Video-conferencing via BigBlueButton, Jitsi
  3. Virtual courses/lectures: Moodle, BBB via Moodle
  4. Communication/Chat: RocketChat
  5. Team/project work: MicroFocus Vibe, MyFiles Filr, MS Teams (with limitations)
  6. Polls/voting via scheduler

  1. If possible, only use https websites (s stands for secure, i.e. encrypted communication!).
  1. Before clicking on links or images, check the actual link by mouseover: Mouseover without clicking shows the actual web address (look closely at WER area between http(s):// and next /!).
  2. Software downloads only from trusted sites or official stores.
  3. Refrain from doing anything that disrupts or jeopardizes the proper operation of the University's facilities.

  1. Think twice before you post something
  2. Do not share confidential information
  3. Be careful when talking about job or employer
  4. Avoid reusing passwords
  5. Use different profile photos for your accounts
  6. Keep the number of online connections (friends) as small as possible and limit them to people you actually know
  7. If someone harasses or threatens you, remove them from your friends list, block them and report the incident to the website operator
  8. Use privacy settings for social media

IT measures

General security measures to be taken can be found here:

c’t-Security-Checklisten kompakt 2022
c’t-Security-Checklisten kompakt 2021

Awareness strengthening

Awareness strengthening offers opportunities to strengthen one's own information security awareness. This supports and improves information security in the university (and also privately!).

KIT Research Group Security - Usability - Society (SECUSO)

NoPhish videos to detect dangerous attachments and links:
https://secuso.aifb.kit.edu/english/1047.php

Playfully learn how to protect yourself:
NoPhish Quiz: https://secuso.aifb.kit.edu/english/1536.php
NoPhish Android App: https://secuso.aifb.kit.edu/english/521.php
NoPhish - Online game "Phishing Master": https://secuso.aifb.kit.edu/english/1523.php

Useful links from the BSI on the topics:

    1. Using E-mail securely
    2. Recognizing phishing in E-mails und websites
    3. Secure passwords
    4. Protecting smartphone, tablet

A nationwide information and awareness campaign by BMI and BSI on the topic of IT security in everyday life (social networks, online shopping, home office, smarthome, online gaming): #einfachaBSIchern ... is the key to a fearless approach to the digital worlds.

IT security on the move:

https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/IT-Sicherheit-auf-Reisen/it-sicherheit-auf-reisen_node.html

For podcast lovers

The University of Mannheim has developed a cybercrime podcast that wraps information security topics into a story in 6 episodes:

https://www.uni-mannheim.de/informationssicherheit/sicherheitstipps/podcast/ - and everywhere podcasts are available.

Episode 1 - Emails hacked?

Episode 2 - Encrypted! What next?

Episode 3 - Is everything really lost?

Episode 4 - Office crime scene

Episode 5 - Escape?

Episode 6 - Fact check with the ISB of the University of Mannheim as summary

Listen in! It's worth it!

Contact

Barbara Kostial, Dipl. Inf. (FH)