Risky Business

Tips and tricks for securing information

Cyber Security Awareness Month – Week Four

By Daniela Cooper, on 26 October 2022

It is week four and the last week of Cyber Security Awareness Month. This week is all about recognising and reporting phishing. There is also the last chance to win a £20 Amazon voucher.

Recognising and Reporting Phishing

Phishing emails are common these days and whilst email filtering does a good job of removing some if not most of them from our mailboxes, some will always get through. Chances are the ones that get through are the less easy ones to spot.

  1. Stop Skimming and Start Studying

We receive so many emails that we tend to skim them rather than fully read them, but when we do this, we take unnecessary risks. There can be clues on both the surface and just below the surface of the message that can alert us to things that aren’t right.

What to look out for in a phishing email:

  • “From” addresses, URLs, and embedded links can all masquerade as things they aren’t – Do not take these items at face value (even if a name, logo, or other identifiers seem familiar and safe). On your PC, hover over—or “mouse over”— these pieces of content and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long press” or “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is actually presented, steer clear.
  • The content or topic of a message might not be quite right or not fully relevant to you. Be on alert if the tone of an email from a colleague, friend, or relative seems inappropriate or just doesn’t “sound like” them. Likewise, be sure to question receipt of an invoice or shipping notification that doesn’t make sense based on your ordering history. Thoroughly read what is written; don’t just skim past details.
  • Misspellings and poor grammar can be indicators that the email did not originate from a trusted source. This is particularly true with messages that appear to be from a well-known, well-established individual or organisation.
  • In general, any unsolicited email—that is, any email that you were not explicitly expecting to receive—should be looked at carefully. But you should be particularly wary of any email that seems like it’s designed to trigger an emotional response— fear, surprise, excitement, concern—and that urges you to respond or act in some way (click a link, download a file, confirm/change a password, etc.).

  2. Think It Through

After you read an email, take a moment to digest it. What you want to do is give yourself the space to act thoughtfully, rather than just reacting in the moment. Be particularly cautious with any email that requests a response or action that could compromise sensitive data, devices, or systems.

  3. Verify, Verify, Verify!

It’s critical to remember that, with phishing scams, things are never what they seem. The reality is that a message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow?

  • Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.
  • Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you are able to confirm.
  • If you’ve received a questionable message from a colleague or friend, contact them via another channel (like a phone call or text message) to make sure they sent it.
  • Reach out to the UCL Information Security Group for advice (and to alert them that there is a potential active phishing threat).

See these short videos on spotting warning signs and why reporting is so important from Proofpoint:
https://videos.proofpoint.com/watch/GnuQi2oR5zNfQcjcFE5Q8C
https://videos.proofpoint.com/watch/dt84c3omwjHeRAN7d8EV2T


Would you like to help UCL researchers improve cybersecurity training (and possibly win an iPad)?

On the topic of phishing, we are working with UCL researchers who are running an independent study on how to improve phishing detection. They need volunteers to take a few minutes of their time to help. Participation includes the chance to win an iPad. If you would like to take part in this study, please register your interest here: https://forms.office.com/r/7c7GeKZZ2y


Launch of CybSafe

Just to let you know that next week we will be launching CybSafe, our new mandatory information security training platform, to all staff. CybSafe is a more immersive cyber security training tool which contains up-to-date training and a knowledge base. It is an NCSC approved learning platform with short, engaging modules which should take no longer than 30 minutes to complete. If you have any questions on CybSafe please email isg@ucl.ac.uk.

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is the new mandatory information security training platform called?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Four.

Entries will only be accepted from UCL email addresses.


*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.


Cyber Security Awareness Month – Week Three

By Daniela Cooper, on 19 October 2022

It is week three of Cyber Security Awareness Month and this week is all about updating outdated software. There is also another chance to win a £20 Amazon voucher.


Updating Outdated Software

It is really important to keep software up-to-date; outdated software exposes you and UCL to harm from malware and compromise.

Keep the following updated:

  • Operating Systems
  • Applications including browsers
  • Plugins

You should also use up-to-date anti-virus software that updates itself regularly; most anti-virus software will update itself every hour.

Use automatic updates where you can so that updating your machine and software does not rely on you remembering to check and update everything. You should always check that your updates are happening as malware often turns your updates and anti-virus off.

Only get updates from the company that provides the operating system, application or plugin. It is easy for criminals to trick people into thinking they are updating their machine with a pop-up on a website or phishing email when in fact the user will just be downloading and installing malware. It is also worth mentioning that you should always use legitimate software and not pirated or unlicensed versions of software. You can end up unwittingly installing malware or making your research invalid from using unlicensed software. It just isn’t worth the risk.


See this short video on why software updates are important from Proofpoint:

https://share.vidyard.com/watch/vEF3qvdQ5KUCnuwqn5YP5q


Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of something that needs to be kept up-to-date?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Three.

Entries will only be accepted from UCL email addresses.


*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

Cyber Security Awareness Month – Week Two

By Daniela Cooper, on 12 October 2022

It is week two of Cyber Security Awareness Month and this week is all about using strong passwords and a password manager. There is also another opportunity to win an Amazon voucher.

Using Strong Passwords and a Password Manager

Let’s say you need to create a new password that’s at least 12 characters long, and includes numerals, symbols, and upper and lowercase letters. You think of a word you can remember, capitalize the first letter, add a digit, and end with an exclamation point. The result: Strawberry1!

Unfortunately, hackers have sophisticated password-breaking tools that can easily defeat passwords based on dictionary words (like “strawberry”) and common patterns, such as capitalizing the first letter.

Increasing a password’s complexity, randomness, and length can make it more resistant to hackers’ tools. For example, an eight-character password could be guessed by an attacker in less than a day, but a 12-character password would take two weeks. A 20-character password would take 21 centuries.

Having a unique password matters because people often reuse passwords across multiple accounts. Attackers take advantage of this: once they have one password, they will try it across multiple accounts.

It is impossible to remember all the different unique passwords we need for all the accounts we have these days; a secure and easy way to store passwords is to use a password manager like LastPass.

Password Security Tips

  • Never reuse passwords – Create a unique, strong password for each account or device. This way, a single hacked account doesn’t endanger other accounts.
  • Don’t share passwords – You can’t be sure someone else will keep your credentials safe. At work, you could be held responsible for anything that happens when someone is logged in as you.
  • Create complex, long passwords – Passwords based on dictionary words, pets’ names, or other personal information can be guessed by attackers.
  • Don’t write them down – Many make the mistake of writing passwords on post-it notes and leaving them in plain sight. Even if you hide your password, someone could still find it. Similarly, don’t store your login information in a file on your computer, even if you encrypt that file.
  • Don’t save login details in your browser – Some browsers store this information in unsafe ways, and another person could access your accounts if they get your device.
  • Use a password manager – These tools can securely store and manage your passwords and generate strong new passwords. Some can also alert you if a password may have been compromised.
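The post's point about "Strawberry1!" is that a dictionary word plus predictable decoration is exactly what cracking tools try first. The following is an added example (not from the post or from Proofpoint) of a policy check that undoes that decoration and recognises the pattern; the wordlist is a small constructed stand-in for a real dictionary and the 12-character minimum is the one used in the post's scenario.

```python
"""Flag passwords built the way the post warns against: a dictionary word with
predictable decoration (capital first letter, trailing digits, trailing symbol).
Added example; the wordlist below is a constructed stand-in for a real one."""
import re

MIN_LENGTH = 12  # the minimum length used in the post's scenario

# Constructed stand-in for a real cracking wordlist (assumption: a real check
# would load a large list such as a leaked-password corpus).
COMMON_WORDS = {"strawberry", "password", "welcome", "summer", "london", "football"}

# Common character substitutions that cracking tools undo automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet-speak, lowercase.

    This recovers the base word an attacker's rule engine would try, so
    'Str4wb3rry1!' and 'Strawberry1!' both reduce to 'strawberry'.
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return stripped.translate(LEET).lower()


def weaknesses(password: str) -> list[str]:
    """Return the reasons a password is predictable; empty means none found."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    base = core_word(password)
    if base in COMMON_WORDS:
        found.append(f"based on the common word '{base}'")
    # Capitalised word, then digits, then optional symbols: the shape in the post.
    if re.fullmatch(r"[A-Z][a-z]+\d+[^\w\s]*", password):
        found.append("predictable shape: Capitalised word + digits + symbol")
    return found


if __name__ == "__main__":
    for candidate in ("Strawberry1!", "Str4wb3rry1!", "Summer2022",
                      "correct-horse-battery-staple-42"):
        print(candidate, "->", weaknesses(candidate) or "no obvious weakness")
```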


See these short videos on password security from Proofpoint:

https://share.vidyard.com/watch/qL2mFJUD3ktKHZP5W56mdz

https://share.vidyard.com/watch/LLbauNmNYiEfudfAfaeqHm


Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of a password manager?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week Two.

Entries will only be accepted from UCL email addresses.


*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.

Cyber Security Awareness Month – Week One

By Daniela Cooper, on 5 October 2022

It is that time of year again: it’s Cyber Security Awareness Month! This year the topics will focus on how to stay safe online using four key behaviours:

  • Enabling Multi-factor Authentication
  • Using Strong Passwords and a Password Manager
  • Updating Outdated Software
  • Recognising and Reporting Phishing

We will be giving away Amazon vouchers again this year so read on to find out how you can win one!

Week One – Multi-factor Authentication (MFA)

It is always a good idea to use multi-factor authentication (MFA) when it is offered as an option on your account. MFA adds an extra layer of security, so for example, if your password was compromised, the attacker would not be able to gain access to your account.

"Always take advantage of MFA when it is offered"

MFA increases security by requiring two or more pieces of information during the authentication process:

  • Something you know – like a password, PIN, or passphrase.
  • Something you have – like a real-time, unique verification code. These authentication codes are usually generated by a mobile app or security token, or they are delivered to you via a text message.
  • Something you are – like a fingerprint, iris scan, or voice pattern.

Why should you always opt for MFA:

  • It’s easy to add – whilst you do need to take some action to enable MFA, it shouldn’t be difficult and most sites provide simple step-by-step instructions explaining when to expect an MFA prompt and how to complete a login.
  • It’s easy to use – regardless of the technology behind the additional MFA factor(s), MFA adds just a few seconds to your login process, and the extra seconds are worth it!
  • It’s far more secure than a password alone – cyber criminals have access to billions of stolen usernames and passwords on underground forums. So what if the only thing standing in between a criminal and your data, finances, and files is a compromised password? MFA helps to limit the damage that can be done if an attacker steals (or buys) account credentials.

See these short videos on Multi-Factor Authentication from Proofpoint:
https://share.vidyard.com/watch/gWPufbGUD9NmPYaMnqjw2A
https://share.vidyard.com/watch/adCugSNMGNEsEEX9hV2s3a

Quiz

Be in with a chance to win a £20 Amazon voucher by answering the following question:

What is an example of two pieces of information that can be used for Multi-Factor Authentication?

Send all entries to isg@ucl.ac.uk with the subject line: Cyber Security Awareness Month – Week One.

Entries will only be accepted from UCL email addresses.


*Thanks go to Proofpoint for helping to provide some of the content for this year’s Cyber Security Awareness Month.


Common Data Breaches Caused By Human Error

By Simukai Nehonde, on 24 September 2021

The mandatory Data Protection awareness training has proved to be effective over the past couple of years. UCL members are now more aware than ever of the issues that data breaches can cause; but what are some of the most common causes of data breaches UCL members should look out for?

Data breaches are not only caused by someone acting maliciously. Verizon, one of the world’s largest IT solutions providers, found that more than 1 in 5 incidents resulted from a mistake made by a member of the organisation.

Within UCL the most common data breach incidents are caused by human error, usually involving personally identifiable information (PII) that has been sent to the wrong recipient via email or through the post, or access to information on IT systems being given to an unauthorised individual.

In this blog piece I will discuss what UCL members should think about and do when sharing personal data via email.

It is everyone’s responsibility to adopt, maintain and follow information security and data protection best practices when processing information.

Avoiding Human Error When Sending Emails


When sharing personal information via emails, it is the responsibility of the sender to ensure the following:

  • Ask yourself what type of information are you sharing? – Any personal or sensitive data should be shared in a secure manner.
  • Who are the intended recipients? – Before sending the data, users are advised to exercise due diligence and double-check that the recipients’ email addresses are correct.
  • Are there multiple recipients? – When sending emails to multiple recipients, ask yourself whether the recipients are known to each other and whether their email addresses can be disclosed to the other recipients. If not, always use the “BCC” option in your email client, which hides email addresses, rather than the “CC” option. Recently the BBC reported that more than 250 people’s lives were put at risk after the MoD mistakenly disclosed email addresses containing names of individuals who were Afghan interpreters. The data breach occurred when the 250 individuals were “CC’d” in an email sent to them instead of “BCC’d”, meaning they could see each other’s personal information.
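The three questions above (what is being shared, who the recipients are, and whether they should see each other) can be turned into a pre-send check. The following is an added example, not code from the post or from UCL: it parses an outgoing message and warns when many recipients, or recipients from several unrelated domains, are left visible in To/Cc, or when a message about patients goes to a group. The message, the internal domain, the threshold and the keyword list are constructed assumptions to tune to local policy.

```python
"""Pre-send check for the mistake the post describes: recipients left visible
in To/Cc when Bcc should have been used. Added example; the message,
threshold, internal domain and keyword list are constructed assumptions."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "ucl.ac.uk"  # assumption: addresses here are colleagues
MAX_VISIBLE = 5                # assumption: above this, insist on Bcc
# Constructed stand-in for a list of terms that signal personal/health data.
SENSITIVE_TERMS = ("patient", "clinic", "diagnosis", "appointment")


def visible_recipients(msg: Message) -> list[str]:
    """Addresses every recipient can see: everything in To and Cc (not Bcc)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def is_internal(addr: str) -> bool:
    """True for the internal domain and its subdomains only (not lookalikes)."""
    domain = addr.rsplit("@", 1)[-1]
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def check_outgoing(raw_message: str) -> list[str]:
    """Return the warnings to show the sender before the message leaves."""
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    external = [a for a in visible if not is_internal(a)]
    external_domains = {a.rsplit("@", 1)[-1] for a in external}
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]

    warnings = []
    if len(visible) > MAX_VISIBLE and external:
        warnings.append(f"{len(visible)} recipients can see each other's "
                        f"addresses, {len(external)} of them external: use Bcc")
    if len(external_domains) > 1:
        warnings.append(f"external recipients span {len(external_domains)} "
                        "domains and are probably unknown to each other: use Bcc")
    if hits and len(visible) > 1:
        warnings.append(f"message mentions {', '.join(hits)} and goes to "
                        f"{len(visible)} visible recipients: check each may see the others")
    return warnings


# Constructed sample message: the To/Cc-instead-of-Bcc mistake from the post.
SAMPLE_MESSAGE = """\
From: clinic-admin@ucl.ac.uk
To: alice@example.com, bob@example.org, carol@example.net
Cc: dave@example.com, erin@example.co.uk, frank@ucl.ac.uk
Subject: Your appointment at the clinic

Dear patient, your appointment has been rescheduled.
"""

if __name__ == "__main__":
    for warning in check_outgoing(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```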

Some facts

Human error accounted for 88% of incidents reported to the Information Commissioner’s Office (ICO) in the year 2017/2018.

During the 1st Quarter of Year 2021/2022, the Information Commissioner’s Office (ICO) received a total of 405 data breach incident reports which were caused by emails being sent to the wrong recipients.

Human errors leading to data breaches can cause serious reputational damage and financial implications to organisations. In 2016 the BBC reported that an NHS trust was fined £180,000 after a Sexual Health Centre leaked the details of almost 800 patients who had attended the clinic. The disclosure was caused by a human error when a member of staff emailed the patients, entering their email addresses in the “To” field instead of “BCC”, meaning their addresses were visible to all the other recipients.

References:

Verizon Business. Data Breach Investigations Report. [online] Available at: https://www.verizon.com/business/en-gb/resources/reports/dbir/

BBC News (2021). Afghanistan: MoD shared more than 250 Afghan interpreters’ details on email. [online] Available at: https://www.bbc.co.uk/news/uk-58629592

Information Commissioner’s Office (2021). Previous reports. [online] Available at: https://ico.org.uk/action-weve-taken/data-security-incident-trends/previous-reports/

Information Commissioner’s Office. Data security incident trends, Q1 2021/22 (CSV). [online] Available at: https://ico.org.uk/media/action-weve-taken/csvs/2620168/data-security-incident-trends-q1-202122.csv

BBC News (2016). NHS trust fined for 56 Dean Street HIV status leak. [online] Available at: https://www.bbc.co.uk/news/technology-36247186


Recent Phishing Email

By Daniela Cooper, on 3 March 2021

Lately, we have noticed some slightly more unusual phishing emails that have come in. These emails have been designed to look like they were sent from Microsoft and claim to have an audio attachment. However, the attachment is a .htm file that likely contains something malicious.

A screenshot of one of these emails:

A quick recap of what to look out for when trying to identify if an email is phishing or not:

  • A sense of:
    ◦ Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
    ◦ Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
    ◦ Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
    ◦ Guilt or sympathy – “I am dying of…” type of email.
  • ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  • Web link – check to see if the link is in the UCL domain (ucl.ac.uk); it could look like a legitimate UCL URL, but check by hovering over it as it could be going somewhere else entirely. If you are unsure about the URL, check with the sender.
  • Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  • Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  • Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.
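Two of the checks in this list, and in the week-four advice about hovering over links, can be automated: the visible link text and the real destination should agree, and a link that claims to be UCL should actually sit on a host under ucl.ac.uk rather than a lookalike such as ucl.ac.uk.something-else. The following is an added example (not code from the post): it scans a constructed HTML email body and reports each link that fails either check, using only the standard library.

```python
"""Flag suspicious links in an HTML email body.

Added example, not from the post. It implements two checks from the text:
(1) the visible link text and the real href should not disagree about the
destination, and (2) a link that mentions UCL should really be on a host
under ucl.ac.uk. The sample email at the bottom is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "ucl.ac.uk"  # the domain the post tells readers to check for


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lowercase hostname of a URL ('' if none); a bare domain is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain, never a lookalike."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str) -> list[str]:
    """Reasons a single link looks suspicious; an empty list means none."""
    reasons = []
    real_host = host_of(href)
    # Only treat the link text as a URL if it looks like one (no spaces, has a dot).
    shown_host = host_of(text) if ("." in text and " " not in text) else ""
    if shown_host and shown_host != real_host:
        reasons.append(f"text shows {shown_host} but link goes to {real_host}")
    mentions_trusted = TRUSTED_DOMAIN in (text + " " + href).lower()
    if mentions_trusted and not is_under_domain(real_host, TRUSTED_DOMAIN):
        reasons.append(f"mentions {TRUSTED_DOMAIN} but host is {real_host}")
    return reasons


def check_email_html(html: str) -> dict[str, list[str]]:
    """Map each suspicious href in the message to its list of reasons."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text)
            for href, text in collector.links if check_link(href, text)}


# Constructed sample: one lookalike link, one genuine UCL link, one plain link.
SAMPLE_EMAIL = """
<p>Your mailbox is full. Restore access at
<a href="http://ucl.ac.uk.mail-quota.example/login">https://www.ucl.ac.uk/myaccount</a></p>
<p>Read the policy at <a href="https://www.ucl.ac.uk/isd/">UCL ISD</a>.</p>
<p>Or contact <a href="https://www.example.com/help">our help desk</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in check_email_html(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```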

As always, if you need any help or support with a security related issue, please contact us: isg@ucl.ac.uk.

Coronavirus Related Scams

By Daniela Cooper, on 27 January 2021

I wanted to remind you all that coronavirus scams are rife at the moment, please be vigilant and remember to think before you click. If you are unsure if something is legitimate or not, please verify it with the organisation by using their contact details from their website (use Google to find the website, don’t click on a link to the website in a scam message). If you are unable to do that then please check with us – isg@ucl.ac.uk.

Examples of Coronavirus scams circulating at the moment

  • HMRC COVID-19 scam text messages
    This particular scam mentions a grant that does not exist, however, there have been 275 other HMRC scams discovered since March last year.
  • COVID-19 vaccine scams
    These scams can be via email or text message and are asking for personal and/or financial details. Coronavirus vaccines are free, if you are unsure if a message like this is legitimate or not, contact your local surgery.
  • Continued risk of ransomware
    There is a continued risk of ransomware, be careful not to click on links or open unexpected attachments. Back-up your data just in case!

Where to look for advice and information on scams

The National Cyber Security Centre provide weekly threat reports, and general information on how to protect yourself and your family:
https://www.ncsc.gov.uk

The NCSC have also created a good infographic on phishing:
https://www.ncsc.gov.uk/files/Phishing-attacks-dealing-suspicious-emails-infographic.pdf

Action Fraud is good for reporting scams, for news on the latest scams and tips on how to protect yourself:
https://www.actionfraud.police.uk


If you have any questions or need support on any security related issues, please do not hesitate to contact us – isg@ucl.ac.uk.

Check your Computer is Up-To-Date

By Daniela Cooper, on 15 May 2020

Now is a good time to check that your computer is up-to-date. Even when using automatic updates, it is still a good idea to regularly check that these updates are being installed and everything is working as it should. Whether it is a UCL owned computer or your own personal computer, it is really important to make sure that it is up-to-date to minimise the risk of your computer being compromised.

Anti-Virus Software

If it has been a while since you installed your anti-virus software, check the UCL Software Database to see if there is a newer version. Your anti-virus is likely to still be working however the newer version will have newer features and may be able to detect more than the older version. VPNs that use posture checking will often only work with the latest versions of anti-virus even if the anti-virus is working and still receiving regular updates. Don’t forget to make sure that your anti-virus software is set up to regularly scan your computer.

Operating System Updates

It’s important that your operating system is receiving (and installing) updates as these will include security updates. It really is worth checking regularly that your operating system is up-to-date; your computer will have a dedicated update manager, although how this is done will vary depending on which operating system you are using.

Application Updates

Like operating system updates, it’s important to make sure that your installed applications and software are receiving (and installing) updates too. Out-of-date browsers are often the reason for malware infections and compromises, so make sure you update any browsers (and plugins) you have installed. Next up is your email client and any office-like software you have installed. Lastly, absolutely any other application you have installed. If there are any applications that you have installed but do not use, consider uninstalling them.

General Tips

Some general tips on keeping yourself and your computer safe:

Phishing

There are lots of scams around at the moment related to the Coronavirus so it’s important to be especially vigilant right now.

When reading your email, look out for the following:

  • A sense of:
    ◦ Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
    ◦ Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
    ◦ Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
    ◦ Guilt or sympathy – “I am dying of…” type of email.
  • ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  • Web link – check to see if the link is in the UCL domain (ucl.ac.uk); it could look like a legitimate UCL URL, but check by hovering over it as it could be going somewhere else entirely. If you are unsure about the URL, check with the sender.
  • Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  • Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  • Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.

Avoiding Malware

  • Keep your browser and plugins up-to-date (particularly Java and Flash)
  • Do not open attachments that you are not expecting
  • Ensure your anti-virus software is working and up-to-date
  • Ensure your firewall is turned on
  • Be careful browsing non-reputable websites

Back-Ups

In the event that something bad does happen, you would be really grateful for back-ups! If you can, use central ISD services as these are backed up for you.

Coronavirus Related Scams

By Daniela Cooper, on 30 March 2020

I was planning on writing a blog post about coronavirus related scams, however I have found that ActionFraud have written a good page on this. So rather than reinvent the wheel I will post a link to their advice below:
https://www.actionfraud.police.uk/campaign/covid-19-guidance-and-advice

UCL have also created a page on ‘Staying safe during the coronavirus crisis’:
https://www.ucl.ac.uk/news/2020/mar/staying-safe-during-coronavirus-crisis

If you receive any coronavirus scams (or other fraudulent scams) please let us know at isg@ucl.ac.uk.

Securing the Dataflow

By utnvrrv, on 18 February 2020

Secure data, where-ever

Data and Information

A key component in research is data, which when processed and interpreted becomes information. It is therefore very important that the data (information) is protected at all stages during its lifecycle.


The Basics

The most common model designed to guide policies and practices for Information Security in an organisation is the AIC (availability, integrity and confidentiality) triad. What this means is that we use the triad to see if there are any risks to the data/information at each stage in the dataflow.
The next section covers a very simple dataflow that involves an exchange of information between entities, its processing, storage and subsequent transformation into a report.

The Case

A research study would like to interview patients (the interviews include medical history and personal details) and prepare a research report. The interviews are conducted using encrypted voice recorders and the interviews are uploaded to the cloud for automated transcription. The converted text is then downloaded to the researcher’s machine and a research report is prepared. Sounds simple enough? Yes, but!

What could possibly go wrong?

There are several gaps where a breach could take place. Let’s identify some of them and see what controls (if any) can be implemented.
The encrypted voice recorders aren’t configured correctly, or the user has forgotten to turn the encryption function on. Maybe the user writes the password down and stores it along with the voice recording device. Oops! Not too bad, but what if the voice recording device is lost along with the password? Another point to watch out for is whether the device uses an outmoded algorithm, in which case the encryption can be easily subverted and the recording(s) accessed.

Assuming all goes well so far, the researcher now has to upload the encrypted recording to a ‘safe’ area so that decryption is possible. If the decrypting area isn’t sanitised or isn’t up to spec or patched, a hacker could exploit a vulnerability and access the recording. Maybe the hacker changes the encryption keys, thereby denying access to the recording(s) and maybe asking for a ransom. Not going well so far? Read on!! There’s more. Anyway, let us assume that there are no problems this far; all the recordings are decrypted and transferred to the researcher’s laptop. As a precaution, the recordings are deleted from the decrypting server(s). Good practice, yes!! But is it?


And then?

The researcher now has the decrypted recording(s) to be uploaded for automated transcription, but, hold on a minute, where’s the laptop that holds the recordings? I thought it was here a moment ago; I just kept it aside for a moment to pay for a beverage. Sounds familiar? Not to worry, the laptop’s password protected, not to mention that I’ve saved the password in my notebook which is safe and sound in the laptop carry bag. Oh no! This isn’t going well. Not to worry, the laptop has full disk encryption; we are safe, but unfortunately the recordings are lost as well as the transcriptions. This is now a loss of Availability (refer to the AIC triad). All the research data is lost, not to mention the loss of reputation and funding. Keeping source data separate and ensuring that there are secure backups of all versions is a good control to have in this case.


Oh No!!

The researcher can now upload the recording to the cloud application for automated transcription and subsequent download of the text. Hold on a minute, did I just say CLOUD? Where am I uploading the data to? Who controls the application in the “Cloud”? Does UCL have a formal agreement with the application provider? What will the application provider do with my data? Yes, but they’re certified ISO_something. They say so on their site. Yes, that’s good, but is UCL covered in case the data is misused or their site is hacked? Read the T&Cs carefully. Ask Legal Services for advice and see if they can suggest suitable statements to protect UCL. Check with ISG to see what other controls can be implemented.


What next?

There are further nuances to this story but we will leave that for another post. In the meantime if you feel that there are other controls that can be implemented to protect the information, please email ISG [isg (at) ucl {dot} ac {dot} uk] and mention this post [Securing the Dataflow] and let us know if there are other issues that the researcher did not consider and a control that could’ve been thought about. Here’s your chance to win an Amazon voucher. This is open only to the academic research community at UCL. Quick!! Offer open to the first two entries only, I’m afraid! Good Luck!