Risky Business

Tips and tricks for securing information

Ongoing Phishing Attacks

By Robert D Maughan, on 17 October 2018

UCL is currently seeing a large number of emails claiming to be from HMRC and to be about how to claim your tax refund.  These are an attack known as phishing.

Unfortunately these are not from HMRC but from criminals who want to trick people into sharing personal information. In particular they are hoping to obtain bank account information, which could be used to steal money from you. So please do not open these emails, click on any links they contain or open any attachments.

Most attacks of this type attempt to install malware on your device so that the attacker can carry out further attacks such as:

  • Stealing your documents and photos
  • Activating your camera and microphone to spy on you
  • Encrypting your files and demanding a ransom
  • Or even using your computer as a launching point to attack other people.

So please think twice before you click on links or attachments you are sent. If you want to report receiving this sort of email you can do this at https://www.actionfraud.police.uk/ and that site also has some excellent advice on what to do if you have shared information with a criminal.

Phishing Campaign

By Daniela Cooper, on 10 October 2018

Phishing is when someone malicious sends an email pretending to be from a legitimate person or organisation. The email will most likely ask for details such as passwords or financial information, but it may also ask you to download a malware-infected attachment or to click on a link to a compromised website.

Phishing has long been a problem, and something that we see targeted at UCL almost constantly. A successful phishing attack is an easy way into an organisation that doesn’t involve a lot of skill or effort on the part of the attacker. Once in, an attacker can gain access to all sorts of information (personal, financial, sensitive) and can steal or destroy it. An attacker can also gain control of your computer!

Due to the frequency of phishing attempts and the seriousness of the consequences, the UCL Information Security Group are about to embark on a phishing campaign that will involve sending simulated phishing emails to staff. We hope that staff won’t respond to the phishing emails, however the campaign is intended to help us identify areas that need more education and support, as well as raising awareness on how staff can help protect themselves and UCL.

For more information on phishing and what to look out for: www.ucl.ac.uk/informationsecurity/phishing.

If you are ever unsure whether an email is legitimate, before you click or respond, just ask – phish@ucl.ac.uk.

Have you classified that information?

By utnvrrv, on 16 February 2018

Why classify information?

Information should be classified so that everyone with access knows how to protect it.

To protect information consistently, it is of paramount importance that there is a pan-organisational scheme for classifying information. This scheme should also inform users how information should be handled according to its requirements for confidentiality, integrity and availability. To elaborate further, the classification of data helps determine what baseline security controls are appropriate for safeguarding that data. By implementing an information classification scheme the organisation can endeavour to meet its legal, ethical and statutory obligations. Information classification can also protect the interests of the stakeholders of the organisation and of the people about whom the organisation may hold information.

Information classification based on confidentiality ratings.

Levels of information classification

There are several levels of classification that can be applied to information. For example, the HM Government Security Classifications scheme includes Official, Secret and Top Secret, and is based on 4 principles. Not all organisations may require such stringent principles when adopting an information classification scheme. However, each organisation must evaluate the risks in terms of reputational loss, loss of business, lawsuits and inadvertent disclosure of information. In some cases, an external partner may refuse to share any further information if the organisation has been known to share information without appropriate controls, e.g. encryption.

I’ve outlined some simple steps to help you get started.

Information Management Policy and guidance

It is important to develop an information management policy and guidance for your organisation. This should be commensurate with risks that your organisation may face and the expectations of your stakeholders. It is necessary to consider the legal and regulatory requirements of the country that your organisation operates in. It is also very helpful if a process for classifying and handling information is developed and adopted.

Awareness Training

Staff should undergo awareness training to ensure that they are aware of their responsibilities in managing information that they’ve been entrusted with. This can be tailored according to the kind of information that the staff deal with. Awareness training must be regularly carried out with periodic refresher courses as necessary.

At UCL, we have created a classification tool to help with classifying a specific information asset. See https://opinio.ucl.ac.uk/s?s=45808

If you are from UCL, please see the UCL Information Management Policy here:
Please do contact the Information Security Group if you need more information.

References:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/715778/May-2018_Government-Security-Classifications-2.pdf

Phishing – Don’t get hooked

By utnvrrv, on 8 December 2017

Phishing – What’s that?

Phishing is an email that fools targeted individuals into parting with private information. Mostly this involves credit card details, but it could also involve tricking the victim into transferring money or installing malware on their device. In this blog, I will explain how to detect the majority of phishing emails and the giveaway clues in emails that try to trick you into giving away confidential information.

The art of the phish

Cyber criminals may research their targets well in advance in order to gain maximum benefit from the phish. As an example, the attacker may trawl the business social media sites, where the Personal Assistant of the CEO has mentioned their details online. The attacker crafts a very targeted mail to the PA which leads to the PA releasing private information.

You receive email from your bank regularly, but an email that threatens your account will be closed if you don’t respond urgently with your Secret Answer and card information may be a phishing attack.

The Anatomy of a phish

Some quick pointers on how to spot a phish

From Email address

The mail seems to have been sent from a legitimate organisation, but the FROM address is a personal address. Has the email also been sent to other people that you do not work with or do not know?

Just because you received an email from your friend does not mean that they sent it. Your friend’s account may have been compromised or their computer may have been infected with malware. If you receive an email from a friend or a colleague that seems out of place, call them on the phone and inform them.

To

Be careful of an email that has a generic salutation. Are you expecting a mail from this organisation? An organisation that emails you should know your name.

Content

Check for grammar and spelling mistakes. All reputable businesses proofread their mails before sending them. Is there a threat? Does the email require you to carry out an immediate action? This is not a good sign, as the urgency is there to get the recipient to make a mistake. Reputable companies will not ask you for personal information in this way.
Will your mailbox be disabled overnight? Never! Check the University’s webpages, call the Service Desk and verify.
Is there an incentive? Did you win the lottery? Most definitely not! Did a prince leave you his legacy? Really? Offers that are too good to be true are not true.

Links

Exercise caution here. Are you expecting this link? Hover your mouse over the link: does the destination make sense? The link should reflect what is mentioned in the content.

Attachments

Is there an attachment that you are being asked to open? Are you expecting the attachment? Click only if you are expecting an attachment in the format (extension) that is shown.

3 steps to avoid getting phished

1. Think before clicking on links or attachments
2. If it looks ‘phishy’ it most certainly is. Report it to the ServiceDesk or verify with the sender.
3. You are the last line of defence, if in doubt, throw it out!

Privacy Impact Assessment – An Introduction

By utnvrrv, on 12 May 2017

Privacy

According to the Cambridge Dictionary, ‘privacy’ is defined as “someone’s right to keep their personal matters and relationships secret”. This should be taken to mean that people would like to share information selectively. Informational privacy is the ability of a person to control, edit, manage and delete information about themselves. The person should also be able to decide how and to what extent such information is communicated to others.

Information Sharing

There are several theories about what constitutes privacy and its application in different cultures. I will not consider these as part of the blog posts. We do not want to share our personal information with all and sundry. However, in today’s modern world, we share a lot of information with everyone: friends, organisations that we work with, the Government and others. We feel that the information thus shared will remain within the boundaries of the relationship. We share personal information in exchange for services, such as buying an air ticket, or we share our earnings for tax purposes. We feel dismayed when this information does not stay within those boundaries, and we should be assured of a decent level of protection when this sharing happens.

Collect just enough information (Short version)

When personal information is to be collected in the course of business, an organisation must ensure that the collected data is relevant. Organisations should consider a privacy by design approach. According to the Information Commissioner’s Office (https://ico.org.uk/), Privacy Impact Assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective privacy impact assessment will help an organisation to identify and fix problems at an early stage. This will reduce the costs and damage to reputation that may otherwise occur.

In future blog posts I intend to cover the PIA process in some detail.

Executive consensus, approval

By utnvrrv, on 11 May 2017

Language matters

Write policy statements in a way that colleagues can read easily and interpret correctly. Ambiguity is another key point to watch out for. It is all too easy to get caught up in legalese, jargon and verbosity, which makes the policy incomprehensible and boring to read. Everyone loves a policy that is simple to read, understand and put into practice. Separate out policy statements, guidelines and other content. Distil what should be a policy statement. Try to arrange the statements in the logical sequence of what you expect should happen. You could ask a colleague to critically review it. Once you are happy with the text you can send it out and seek feedback. If your organisation has a standard template, adopt it; otherwise design a cover page, use the organisation’s branding in the header, and include relevant text in the footer.

The policy should be based on the information the business uses and the perceived risks to that information. Consider information risk as the driving factor towards a good information security policy. A good policy should not create unnecessary hurdles: a complicated policy may slow business processes down, and colleagues will find ways and means of circumventing the controls. Consider how real-world threats impact the business, and how each policy statement would safeguard the organisation. Use an exception section only if necessary. A good policy should be 1 to 2 pages long.

Endorsement and Approval

Consult with senior colleagues, accept feedback and finalise a draft version of the final policy. The document should then be sent to key decision makers within the organisation for a final endorsement. Keep a record of the distribution list and feedback received. Incorporate changes as necessary, or suggest suitable modifications. Once all mid-management approvals are in place (don’t forget the minutes), formally send the policy document for final approval from the Board. If you have the endorsements in place, the final approval should be easy.

Congratulations!!

Melding the Management view

By utnvrrv, on 24 April 2017

Management, Business, Information

Management’s role is to focus on conducting business using the information it has on hand and to generate results. Not all the information or data that management uses would be public or completely private. Senior management should study the types of data that they deal with and how that data helps them make decisions. This would then lead to the development of an Information Classification policy. There would be a need to provide an appropriate guide to information handling. As a supplement, an easy flowchart or matrix would be helpful for most end users.

Governance Framework

All internal stakeholders at various levels should be able to share their views on the proposed information security policies. One way to do this is to have a cross-functional team review the draft policies. These may then be endorsed or approved as necessary. Depending on the size of the organisation this could be 2 to 3 levels of review. Managers/business heads should have a chance to understand how the policies will shape the organisation in the future. As each policy traverses the chain it may be necessary to highlight examples that prove the necessity of key policy statements and how the policy will help safeguard the business.

Information Security Framework Baseline

Work out the baseline framework for the Information Security Policies. Usually, the ISO 27000 set of standards (www.iso.org) works well. Alternatively, ISACA (isaca.org) has a framework for the governance and management of enterprise IT. This needs further refinement with management support to derive the overall policy outline. Having a set of policies based around a standard also helps gain the confidence of auditors and external stakeholders. The information security policies must aim to cover the organisation based on its processes. One should have a policy with a few simple mandates rather than an all-encompassing one that only a few observe.

Creating encrypted archives

By Tom, on 7 April 2017

In my last post I spoke about the need to encrypt sensitive information if sending it via email. I mentioned a tool called 7zip which is available for free, and allows you to encrypt files with a password. It’s simple and easy, and in this post I will show you how.

Create an archive

First you need to create an archive for your files. Right click the file, hover over 7zip, and select “add to archive”.

Creating an archive with 7zip

This will give you a pop up menu with a number of options.

Encrypt the archive

In the pop-up menu to create an archive, there is an option to encrypt with a password. Choose a strong password and enter it here.

Password protecting an archive

Once you have done this and clicked “OK”, you have finished creating your encrypted archive!

Important considerations

  • The files themselves are encrypted, but the file names are not. Do take care to ensure that you are not leaking information through the filename. “John Doe disciplinary meeting notes” for example is still leaking some information about the subject of the meeting. Either select the “Encrypt file names” option when creating the archive, or use an innocuous file name.
  • I said it in the last post but it bears repeating; always use a different method to share the password. Use a call, or a text. Sharing it via email undermines the steps taken to encrypt the file and removes the protection by making the password visible to anyone who can intercept the emails.
  • It may sound like stating the obvious, but please make sure that you agree with the recipient that they will make sure to only email the encrypted archive too; the information is only protected if all parties maintain it.

Thanks for reading and I hope this is helpful. It really is a simple step to take that can help control who is able to access sensitive information.

Putting it into practice

By Tom, on 7 April 2017

We’ve had a few posts now about email and cryptography, and I thought it would be helpful to look at some real world scenarios involving these topics. Email is a vital part of our work but it can introduce risks that may not be immediately obvious. System admins can see the mail that passes through their systems. This is not to say that they are malicious, simply that they can access it. This does not matter very much in most cases. Problems come when we need to share sensitive information, as in these cases, the risk is much higher. Sensitive information should only be read by the people who need to see it. While it might not be worth the time to take steps to render a normal email unreadable, if you are sharing sensitive information it is always worth it.

So what should I do?

If you need to share something sensitive, there are steps you can take. The first step is to be certain that this person needs to have it. If you’re not sure, then ISG or the Data Protection Office can help you. Once you’ve done that, you can encrypt the file on your PC, and send the encrypted file as an attachment. One way to encrypt a file is to use 7zip, which is available for free in the UCL Software Database. (When you encrypt, please be sure to use a strong password!) Once you have done this, call or text the person to let them know the password. It’s important not to share the password by email as then anyone else who can see the first email with the attachment can also see the second email with the password.

And that’s it. It’s a small extra step that can help avoid a major headache if the wrong person were to get access to data.

Phishing

By Daniela Cooper, on 24 March 2017

“Phishing is a fraudulent attempt, usually made through email, to steal your personal information”. – PhishTank.

Phishing is unfortunately something that we have to learn to live with, it’s not going to go away any time soon. The best way to protect ourselves against phishing is to learn to identify it.

Things to look out for

  1. A sense of:
    1. Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
    2. Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
    3. Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
    4. Guilt or sympathy – “I am dying of…” type of email.
    So if an email makes you feel guilty, panicky, afraid, or greedy, stop and ask yourself why. It’s probably a phishing email.
  2. ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  3. Web link – check to see if the link is in the UCL domain (ucl.ac.uk), it could look like a legitimate UCL URL but check by hovering over it as it could be going somewhere else entirely.
  4. Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  5. Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  6. Headers and signatures – these can be forged, phishing emails often use them to appear more legitimate.
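The pointers in “The Anatomy of a phish” above and the checklist in this post are mechanical enough to turn into a first-pass triage script that a person then reviews. The following Python is an added example, not part of the original posts or any UCL tool; ORG_DOMAIN, the keyword lists and both sample messages are assumptions constructed for illustration, and a message with no flags is not thereby proven genuine.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "ucl.ac.uk"  # the organisation's own domain, as used in the post (assumed)
ORG_TOKEN = "ucl"         # word a forged display name would be likely to reuse
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|deleted|disabled|fined|lottery)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|user ?name|login details)\b", re.I)
SALUTATION = re.compile(r"\b(dear|hello|hi)\s+(customer|user|member|account holder|sir/madam)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def in_domain(host, domain):
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, my_address):
    """Return the warnings the posts' checklists raise for one raw email (RFC 5322 text)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # 'From': the display name claims the organisation but the address does not belong to it
    name, addr = parseaddr(str(msg.get("From", "")))
    if ORG_TOKEN in name.lower() and not in_domain(addr.rpartition("@")[2], ORG_DOMAIN):
        flags.append(f"From name '{name}' but address is {addr}")
    # 'To': a genuine message is addressed to your own address
    recipients = [parseaddr(a)[1].lower() for a in str(msg.get("To", "")).split(",")]
    if my_address.lower() not in recipients:
        flags.append("To header does not contain your own address")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if SALUTATION.search(text):
        flags.append("generic salutation")
    if URGENCY.search(text):
        flags.append("urgency, threat or reward wording")
    if CREDENTIALS.search(text):
        flags.append("asks for username or password")
    # links: the visible text names the organisation but the href goes elsewhere
    for href, label in ANCHOR.findall(text):
        host = urlparse(href).hostname
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if ORG_DOMAIN in shown.lower() and not in_domain(host, ORG_DOMAIN):
            flags.append(f"link shows '{shown}' but goes to {host}")
    for part in msg.iter_attachments():
        flags.append(f"unexpected attachment {part.get_filename()!r}")
    return flags

# Constructed sample messages (not real mail); all addresses and hosts use example domains.
SUSPECT = """\
From: UCL IT Service Desk <it.helpdesk.ucl@gmail.example>
To: staff-list@other.example
Subject: Your mailbox will be disabled
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p><p>Your mailbox will be deleted within 24 hours unless you
confirm your password at <a href="http://ucl-mail.example.net/login">https://www.ucl.ac.uk/isd</a>.</p></body></html>
"""

LEGIT = """\
From: Alice Colleague <alice@ucl.ac.uk>
To: bob@ucl.ac.uk
Subject: Minutes from Tuesday

Hi Bob, the minutes are at https://www.ucl.ac.uk/isd as agreed.
"""
```

Calling `phishing_indicators(SUSPECT, "bob@ucl.ac.uk")` returns six warnings (forged From name, wrong To, generic salutation, urgency, credential request, mismatched link) while the LEGIT sample returns none.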

The consequences of responding to a phishing email (or opening an attachment in a phishing email) are that an attacker can steal your information and/or take control of your machine.

If you are ever unsure whether an email is a phishing email or not, before you click or respond, just ask us – isg@ucl.ac.uk.

In my next blog post I will be talking about test phishing campaigns.