The Internet opens up the whole world and e-mail makes daily working life so much quicker and easier. However, in both cases, you can soon open the floodgates to malicious activity if you fail to think about your own information security. Would you leave the front door of your house open when you go out? In a manner of speaking, this is exactly what you do if you ignore the matter of security. A certain healthy scepticism when dealing with incoming e-mail is a good place to start.
Humans beat technology
Even though human beings are one of the most highly developed forms of life on our planet, when it comes to information security, they are still the weakest link in the (security) chain. With its 'awareness training', TU Wien therefore aims to provide training to employees to raise awareness and help identify security risks. This enables TU Wien to strike a balance between technical feasibility and technical necessity without completely regulating all activities in its own area of work. Well-trained employees are significantly more effective than any technical solution could ever be.
"There is a problem with your e-mail account, click here": the colourful world of phishing
We've all received e-mails like this: badly worded, poor grammar and spelling mistakes in e-mails that ask us to click on a link. However, these phishing e-mails are becoming more and more professional. The sender appears to come from the recipient's own organisation, the signature also looks like a company's signature and the text sounds plausible enough. And so we click on it – no one is immune from being taken in like this.
Two things can then happen as a result: in the first case, clicking on the link does not immediately cause anything dramatic to happen. A browser window opens asking you to enter your user data. This information is then used by the 'malicious' website for further actions such as sending further phishing e-mails to your entire address book or for siphoning the entire e-mail account including all sensitive information contained in it. This can soon lead to a snowball effect. In the other case, clicking the link will install malware on your own computer, which will attack this computer – and possibly the entire associated network – and block all access to all data (encryption trojans or ransomware). Only by paying a ransom in bitcoins will the computer/network be released.
What can I do myself?
If something like this happens to you, you must report your suspicion of phishing e-mails to email@example.com. Speed matters here: statistics show that about half of the incidents have already occurred within the first 30 minutes, which is why an organisation's IT department usually responds with countermeasures very quickly.
To prevent this, we recommend a few simple tricks:
- Check the plausibility of an Internet address by hovering over the link with your mouse without clicking on it, so that the real target is shown. Links from legitimate organisations are usually readable and meaningful ('expressive') and do not just consist of a complex string of numbers and characters.
- Read URLs (web addresses) from back to front – your brain will spot any inconsistencies. For example, you are likely to notice whether the spelling is 'tuwein.at' rather than 'tuwien.at'. When you read something quickly from left to right, the brain automatically sees the information it wants to see. If you read from right to left, the brain finds it much more difficult to read backwards and is more likely to spot an error.
- Check the e-mail address: do you recognise the e-mail address, not just the sender's name that is displayed?
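The three tips above, turned into a small check: it looks at the real host behind a link, reads the domain labels from right to left for look-alike spellings such as 'tuwein', and compares the displayed sender name with the address behind it. This is an added example, not TU Wien's own tooling; the trusted domain, the brand label and all sample inputs are assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "tuwien.ac.at"  # assumption: the organisation's real domain
BRAND = "tuwien"                 # the label a typo-squatter would imitate


def edit_distance(a, b):
    """Levenshtein distance, used to catch letter swaps like tuwein/tuwien."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'trusted', 'lookalike' or 'foreign' for a hostname."""
    host = host.lower().rstrip(".")
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "foreign"  # bare IP address: not a readable organisation link
    # Walk the labels from the right, as tip 2 recommends reading backwards.
    for label in reversed(host.split(".")):
        # 'tuwien.ac.at.example.net' or 'tuwein.at' both end up here
        if BRAND in label or edit_distance(label, BRAND) <= 2:
            return "lookalike"
    return "foreign"


def check_link(url):
    """Tip 1: judge the real target of a link, not its visible text."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    return host, classify_host(host)


def check_sender(from_header):
    """Tip 3: compare the displayed name with the address behind it."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_host(domain)
    name_claims_org = BRAND in name.lower().replace(" ", "")
    suspicious = verdict != "trusted" and (name_claims_org or verdict == "lookalike")
    return verdict, suspicious
```

A 'lookalike' or a name that claims the organisation while the address domain is 'foreign' is exactly the mismatch the tips ask you to notice; the script only makes the comparison explicit.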
If you suspect that this is a phishing e-mail, forward it as an attachment to firstname.lastname@example.org. This information allows the upstream protection mechanisms in the system to learn more quickly and enables them to be further adapted.
Information security at TU Wien
The aim of information security is to establish a consistent level of security for all TU Wien IT organisations, to which everyone refers. For this purpose, the Information Security Officer, Gregor Hartweger, works independently across a number of interfaces, such as data protection and IT security.
Training on this topic
The next information security training will take place in the summer semester of 2020. Information about this will be circulated in due course.
An e-learning training course on information security has been available for all TU Wien employees since December 2019. This 40-minute training course equips you with the necessary tools to put you in a better position to cope with the risks of cybercrime. You can register for the training in the TISS further education catalogue issued by the HR Development department. The training is listed in the 'IT Information Technology' category under the heading 'Information Security at TU Wien *digital*' (https://tiss.tuwien.ac.at/personal/interne_veranstaltung/anzeigen/6256).
Specific training for colleagues in Administration is also planned for 2020. Further information will follow.