
Risky Business


Tips and tricks for securing information


Coronavirus Related Scams

By Daniela Cooper, on 30 March 2020

I was planning on writing a blog post about coronavirus related scams, however I have found that ActionFraud have written a good page on this. So rather than reinvent the wheel I will post a link to their advice below:
https://www.actionfraud.police.uk/campaign/covid-19-guidance-and-advice

UCL have also created a page on ‘Staying safe during the coronavirus crisis’:
https://www.ucl.ac.uk/news/2020/mar/staying-safe-during-coronavirus-crisis

If you receive any coronavirus scams (or other fraudulent scams) please let us know at isg@ucl.ac.uk.

Securing the Dataflow

By utnvrrv, on 18 February 2020

Secure data, where-ever

Data and Information

A key component in research is data, which when processed and interpreted becomes information. It is therefore very important that the data (information) is protected at all stages of its lifecycle.


The Basics

The most commonly used model for guiding information security policies and practices in an organisation is the AIC (availability, integrity and confidentiality) triad. In practice this means we use the triad to check whether there are any risks to the data or information at each stage in the dataflow.
The next section covers a very simple dataflow that involves an exchange of information between entities, its processing, storage and subsequent transformation into a report.

The Case

A research study would like to interview patients (includes medical history and personal details) and prepare a research report. The interviews are conducted using encrypted voice recorders and the interviews are uploaded to the cloud for automated transcription. The converted text is then downloaded to the researcher’s machine and a research report is prepared. Sounds simple enough? Yes, but!

What could possibly go wrong?

There are several gaps where a breach could take place. Let’s identify some of them and see what controls (if any) can be implemented.
The encrypted voice recorders aren’t configured correctly, or the user has forgotten to turn the encryption function on. Maybe the user writes the password down and stores it along with the voice recording device. Oops! Not too bad, but what if the voice recording device is lost along with the password? Another point to watch out for: if the device uses an outmoded algorithm, the encryption can be easily subverted and the recording/s accessed.

Let’s assume all goes well so far. The researcher now has to upload the encrypted recording to a ‘safe’ area so that decryption is possible. If the decrypting area isn’t sanitised, isn’t up to spec or isn’t patched, a hacker could exploit a vulnerability and access the recording. Maybe the hacker changes the encryption keys, thereby denying access to the recording/s, and maybe asks for a ransom. Not going well so far? Read on!! There’s more. Anyway, let us assume that there are no problems this far; all the recordings are decrypted and transferred to the researcher’s laptop. As a precaution, the recordings are deleted from the decrypting server/s. Good practice, yes!! But is it?


And then?

The researcher now has the decrypted recording/s to be uploaded for automated transcription, but, hold on a minute, where’s the laptop that holds the recordings? I thought it was here a moment ago; I just kept it aside for a moment to pay for a beverage. Sounds familiar? Not to worry, the laptop’s password protected, not to mention that I’ve saved the password in my notebook, which is safe and sound in the laptop carry bag. Oh no! This isn’t going well. Not to worry, the laptop has full disk encryption; we are safe, but unfortunately the recordings are lost as well as the transcriptions. This is now a loss of Availability (refer to the AIC triad). All the research data is lost, not to mention the loss of reputation and funding. Keeping source data separate and ensuring that there are secure backups of all versions is a good control to have in this case.


Oh No!!

The researcher can now upload the recording to the cloud application for automated transcription and subsequent download of the text. Hold on a minute, did I just say CLOUD? Where am I uploading the data to? Who controls the application in the “Cloud”? Does UCL have a formal agreement with the application provider? What will the application provider do with my data? Yes, but they’re certified ISO_something. They say so on their site. Yes, that’s good, but is UCL covered if the data is misused or their site is hacked? Read the T&Cs carefully. Ask Legal Services for advice and see if they can suggest suitable statements to protect UCL. Check with ISG to see what other controls can be implemented.


What next?

There are further nuances to this story but we will leave that for another post. In the meantime if you feel that there are other controls that can be implemented to protect the information, please email ISG [isg (at) ucl {dot} ac {dot} uk] and mention this post [Securing the Dataflow] and let us know if there are other issues that the researcher did not consider and a control that could’ve been thought about. Here’s your chance to win an Amazon voucher. This is open only to the academic research community at UCL. Quick!! Offer open to the first two entries only, I’m afraid! Good Luck!

How {not} to lose data in the face of GDPR

By utnvrrv, on 25 November 2019

GDPR has now been around for 18 months and is going to stay with us for a while.
The objective of this post is to emphasise how we can protect the data entrusted to us while managing technological change.

Data retention – Let’s delete everything and start afresh!
This means that all information is lost and there aren’t any records to back up any decisions that have been made about the research, not to mention that we’ve lost all the patient data that the project relies on. Let’s start again!
Top Tip! Categorise your data holdings. See the UCL Record Retention Schedule for further information.

Let’s just keep everything and not worry – Storage is cheap?
This could fall foul of established data retention policies. If there isn’t one for your specific area of work (record set), it would be a good idea to establish a data retention policy. The more data that is stored, the larger a breach would be, and much of that data may no longer be required.
Top Tip: Review your data holdings now.

Data Security – Let’s encrypt everything!
What would happen if the key (password/passphrase) was lost, misplaced or forgotten? Maybe a colleague left and forgot to share the password. In this case access to the data would be lost permanently. If the data was encrypted correctly (long passphrase and the key stored securely) and the passphrase is unavailable, it would be very difficult to break the encryption. Encrypting everything without a plan is definitely not a good idea if funding depends on the information that we hold about subjects.
Top tip: Use password management software to store and share passwords securely.

Running a legacy Operating System
This isn’t much of a problem unless the machine exchanges information: by being connected to the network or the internet, or by having external USB drives plugged in. A legacy platform, also called a legacy operating system, is an operating system (OS) no longer in widespread use, or that has been supplanted by an updated version of earlier technology. These older operating systems or applications may have security vulnerabilities because security patches are no longer available or have not been applied. This puts information at risk from a malware infection, as the malware could encrypt the data or even mangle it so that it is no longer usable. Even with backups (which may also be infected), the risk of losing critical research data is quite high. Article 32(1)(b) of the GDPR states that the (C)onfidentiality, (I)ntegrity and (A)vailability of the data should be assured. Please see the information from the Information Commissioner’s Office in the Useful links section below.
Top Tip: Conduct a risk assessment.

Running a self-managed machine
If you have administrator rights on your machine and if the machine isn’t patched frequently with the latest patches, there is a very high risk that some malware could infect your machine and encrypt all the data. If the machine is connected to the network, the malware could spread thereby making everyone’s data unavailable. This is also covered by the ICO’s guidance and Article 32(1)(b) of the GDPR.
Top Tip: You are responsible for the patching of your machine, keep it updated.

Useful links:
UCL Policies – https://www.ucl.ac.uk/information-security/
Guidance from the Information Commissioners Office – https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

If you think that I’ve missed something or if there is an area that you would like to hear more about, then contact ISG: https://www.ucl.ac.uk/isvices/stay-secure

National Cybersecurity Awareness Month – Week Four

By Daniela Cooper, on 25 October 2019

Protect IT: Maintain your Digital Profile

Week Four and the final week of the National Cybersecurity Awareness Month is Protect IT: Maintain your Digital Profile. By researching and assessing your digital profile and then following good security practices you will be taking the necessary steps to protect yourself and your family.

Researching and Assessing your Digital Profile

The Centre for the Protection of National Infrastructure have written an excellent guide on tracking your digital footprint; it’s a guide to digital footprint discovery and management: https://www.cpni.gov.uk/system/files/documents/59/06/10_Tracking%20my%20digital%20footprint_FINAL.pdf

I recommend you read the guide that I’ve linked to above, but here is a quick summary of what they suggest you should do:

  • Decide what your stance is on information being published about you or your family online
  • Find out what information about you or your family is available to the public
  • Enter the minimum amount of real information into online registration forms
  • Remove metadata from pictures before you post them online
  • Protect your phone number – payments can be charged to your mobile phone bill
  • Think before you click – even a seemingly innocuous post can be used against you
  • Check privacy settings regularly and change them from their default settings
  • Keep passwords safe
  • Compartmentalise your (digital) life – use different email addresses for different activities
  • Do not give social media apps access to your phone or email address
  • If it sounds too good to be true then it probably is
  • Hand over personal information wisely
  • Make a plan for what to do if you lose your device
  • Don’t make your device easy for others to access

They have also included a really good website checklist, giving you details of which websites to check for your information and what to search for. I highly recommend you read the full guide.

Cyber Hygiene

It’s an odd choice of words really; it’s an attempt to compare cyber hygiene with personal hygiene, something that we do to keep healthy. So, the idea is that if you follow good cyber hygiene you can keep your digital self healthy.

A lot of cyber hygiene guidance talks about steps you can take to secure an organisation. As I’m trying to keep these articles aimed at what we can do to help ourselves in a personal capacity, I’ll list those that are relevant in our home lives:

  • Know what devices you have and what is being used in your family
  • Ensure those devices are configured securely
  • Maintain the devices with security patches (operating systems and software)
  • Use anti-virus software, consider turning on email and web browser protection
  • Use a firewall
  • Be careful opening unsolicited emails and browsing dodgy looking websites
  • Have a plan for backing up your data – particularly photos, you can never get those memories back if you lose them!
  • Use strong passwords and make sure they are managed securely
  • Make sure that everyone in your family knows what to look out for and how to protect themselves.

Week Four Quiz Question

What organisation has written a guide on tracking your digital footprint?

Please send answers to isg@ucl.ac.uk with the subject line of “NCAM – Week Four”.

The winner for week four will be contacted on Friday.

This is the end of the National Cybersecurity Awareness Month for this year, please come back again in October next year for more information and prizes to be won. In the meantime, subscribe to our blog so that you are automatically informed whenever we post a new blog article.

As always, if you have any queries or concerns regarding information security at UCL, please contact us at isg@ucl.ac.uk.

National Cybersecurity Awareness Month – Week Three

By Daniela Cooper, on 16 October 2019

Secure IT: Secure your Digital Profile

Week Three of the National Cybersecurity Awareness Month is Secure IT: Secure your Digital Profile. It’s important to secure your digital profile by using strong passwords with good password management, using multi-factor authentication where possible and looking out for phishing emails trying to steal your passwords.

Creating Strong Passwords

Using strong passwords is important in helping you to keep your accounts secure, but it won’t help if you have a key logger on your machine, so it’s really important to keep your machine free from malware. The other thing to consider is making sure that all your accounts have different passwords: if one of your accounts becomes compromised you do not want all of your accounts becoming compromised.

There are many ways to create strong passwords, some ideas include:

  • Using a password generator that uses complexity such as upper- and lower-case letters, numbers and symbols to create a random password.
  • Combining words, numbers and symbols to make a long sentence-like password – these tend to be easier to remember and, due to their length, harder to crack.
  • A good way to combine creating strong passwords and ensuring that you have different passwords for each account is to use a password manager such as LastPass. These can help you generate strong passwords with an inbuilt generator and also means you only need to remember the one password instead of hundreds. Again, it’s no use having a strong password if you have a keylogger on your machine so make sure that whatever device you use to enter your password is malware free.

Multi-factor Authentication

You’ve probably already come across multi-factor authentication when using internet banking, where your bank sends you a text message to your mobile phone with a code to enter on their website so that you can complete the login process. When using multi-factor authentication, if your password was captured by a key logger, then it wouldn’t work as to log in the 2nd factor also needs to be used. Office 365 has the option to use multi-factor authentication, however it may only be available to certain groups of staff at the moment. Where possible, consider turning multi-factor authentication on.

Protecting Against Phishing

You are all probably sick of me bleating on about this topic, but it doesn’t hurt to remind you what to look for in a phishing email and how you can avoid being phished.

When reading your email, look out for the following:

  • A sense of:
    • Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
    • Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
    • Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
    • Guilt or sympathy – “I am dying of…” type of email.
    • So, if an email makes you feel: guilty, panicky, afraid, or greedy, stop and ask yourself why. It’s probably a phishing email.
  • ‘To’ and ‘From’ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address; a legitimate email would be addressed to your actual email address.
  • Web link – check to see if the link is in the UCL domain (ucl.ac.uk), it could look like a legitimate UCL URL but check by hovering over it as it could be going somewhere else entirely.
  • Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
  • Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
  • Headers and signatures – these can be forged; phishing emails often use them to appear more legitimate.

The consequences of responding to a phishing email (or opening an attachment in a phishing email) are that an attacker can steal your information and/or take control of your machine.

If you are ever unsure whether an email is a phishing email or not, before you click or respond, just ask us – isg@ucl.ac.uk.

Week Three Quiz Question

Which password manager is mentioned?

Please send answers to isg@ucl.ac.uk with the subject line of “NCAM – Week Three”.

The winner for week two will be contacted on Friday.


Don’t forget to check back for next week’s edition – Protect IT: where we’ll be looking at cyber hygiene, and researching and assessing your digital profile.

National Cybersecurity Awareness Month – Week Two

By Daniela Cooper, on 9 October 2019

Own IT: Understand your Digital Profile

Week Two of the National Cybersecurity Awareness Month is Own IT: Understand your Digital Profile. It’s easy to get carried away with social media, and to only think about using it for its intended purpose and nothing else, it’s understandable as that’s why we download these apps in the first place. However, it’s really important to think about the privacy and security aspects of these applications and devices in order to protect yourself and others from harm.

Privacy Settings

When using social media, in fact when using any app, the first thing you should do is read the terms and conditions to check that the makers of the app aren’t getting your permission to do whatever they like with your personal information! Then make sure that all privacy and security features are turned on. It’s also important to consider that if you are using other people’s personal information, that they agree to you using it in this way. Unless you really want the whole world to see your content, make your profile private.

Safe Social Media Posting

Before posting information on social media, stop and think about who the audience is, do you want what you are about to say to be made public to the world? Consider making use of privacy settings. Is there anything in your post that will identify you or other people? You have the right to have yourself identifiable on social media, but if your post identifies other people, you must check that they are happy for you to do so. Whilst you might not mind being identifiable, be mindful of the sorts of information you are putting out there:

  • Your date of birth with a picture of your birthday and how old you are
  • Making references to where you live, including pictures of your house
  • Letting people know you are away from home, they may know where you live and that your house is currently unoccupied

Make sure you use strong passwords, the last thing you need is to have your account taken over by a malicious person who could post malicious things using your name.

Smart Technology

We all love the convenience of smart technology: being able to turn the heating on when away from home, seeing who is at your front door, or asking Alexa any question that’s on your mind (whether she’ll be able to answer it is another matter!). We’ve inadvertently opened ourselves and our homes to all sorts of privacy and security concerns, and it’s only going to increase as smart technology becomes more prevalent. Smart speakers like the Amazon Alexa work by recording what you say, and Amazon actually stores these conversations in your Amazon account. You should try to log in and delete these conversations regularly, and you should be aware that third parties can listen to what is being said in your household. One way around this is to only switch these devices on when you are actively using them. There have been cases where Alexa recordings have been requested to help solve crimes, such as the following case of a double murder in the US: https://www.independent.co.uk/life-style/gadgets-and-tech/news/amazon-echo-alexa-evidence-murder-case-a8633551.html


In conclusion, carry on enjoying using social media and smart technology just bear in mind the privacy and security concerns surrounding them and turn on privacy and security features wherever you can.

Week Two – Quiz Question

What should you do first after downloading an app?

Please send answers to isg@ucl.ac.uk with the subject line of “NCAM – Week Two”.

The winner for week one will be contacted on Friday.

Don’t forget to check back for next week’s edition – Secure IT: where we’ll be looking at creating strong passwords, multi-factor authentication and protecting against phishing.

National Cybersecurity Awareness Month

By Daniela Cooper, on 2 October 2019

Now that October is upon us it is time to announce that the Information Security Group are taking part in the National Cybersecurity Awareness Month. As the name suggests, this will continue for the entire month of October.

What to expect

We will be releasing weekly information articles throughout the month of October, they will be available here on the Information Security Group blog.

*Prizes to be won*

At the end of each weekly information article, there will be a question to answer, the winning entry will be randomly chosen from all entries received (UCL staff and students only). The prize each week will be an Amazon voucher.

Themes and Topics

The themes for this year’s National Cybersecurity Awareness Month are Own IT, Secure IT and Protect IT. We are separating these out into the topics as follows:

  • Own IT
    • Privacy settings
    • Safe Social Media Posting
    • Smart Technology
  • Secure IT
    • Creating Strong Passwords
    • Multi-factor Authentication
    • Protecting Against Phishing
  • Protect IT
    • Researching and Assessing Your Digital Profile
    • “Cyber Hygiene”

Week One – Quiz Question

In what month does National Cybersecurity Awareness Month take place every year?

Please send answers to isg@ucl.ac.uk with the subject line of “NCAM – Week One”.

Don’t forget to check back for next week’s edition – Own IT: where we’ll be looking at privacy settings, safely using social media and smart technology.

Windows 7 and Server 2008 End of Life

By Daniela Cooper, on 29 July 2019

From the 14th January 2020, Windows 7 and Server 2008 will no longer be supported. This means that from this date they will no longer receive security updates or support.

What do you need to do?

Windows 7

If you are using Windows 7 then you need to upgrade to Windows 10. If you are using a UCL departmental machine then speak to your IT manager. If you are using a personal machine then you can buy a heavily discounted education version of Windows 10 from the hub (for students it’s free).

Server 2008

If you are using Server 2008 then please look to upgrade to a later supported version of Windows Server in the very near future.

It may seem like you have a long time till you need to worry about this but it really is best to plan ahead to ensure that you are not caught out at the last minute.

If you have any queries please contact us at isg@ucl.ac.uk.

Change in Licensing for Sophos

By Daniela Cooper, on 1 April 2019

As of the 31st March Sophos is no longer available as a site license for UCL.

What do I need to do?

If you are currently using Sophos as an anti-virus product, you now need to uninstall Sophos and install F-Secure instead.

Previously Sophos was the only option for Mac users, however F-Secure now has a version for the Mac as well as a version for Windows and Linux.

How do I do this?

  • Firstly, go to swdb.ucl.ac.uk and search for F-Secure. Download the version that is appropriate for your computer. You will need to make a note of the serial key to be able to activate it once it’s installed.
  • At this point I would take my computer off the internet and reconnect it to the internet once F-Secure has been installed and is ready to update itself.
  • Uninstall Sophos. When Sophos was installed it should have also installed a utility to uninstall itself.
  • Install F-Secure.
  • Make sure that F-Secure is up-to-date.
  • Run a full computer scan.

Now that you have put a new anti-virus product on your computer, it’s important to regularly check that the software is being updated, and regularly scan your computer for malware.

There are some departments that will continue to use Sophos. If you are unsure if this includes your department, please speak to your departmental IT manager.

Identifying a Phishing Email

By Daniela Cooper, on 6 March 2019

I know what you’re thinking, “Oh no, not another post about phishing emails!“. I know we do tend to bang on about this subject, but we do so with very good reason. A compromise through a successful phishing campaign is still one of the easiest ways for an attacker to get in, so for this reason alone we will continue to bang on about it. Phishing emails are still SO prevalent, if we can all learn to easily identify them, then that’s a big risk of ours reduced.

The phishing email

Before Christmas we sent out a phishing email to all staff at UCL, see below for a screenshot of the email:

Tell tale signs of a phishing email

There are a few common tell tale signs that we ought to bear in mind when we read our email, the following signs relate to the phishing email screenshot above:

  1. The from address – ucl@systemaccess.network does not look like a real email address, let alone a legitimate UCL email address.
  2. The to address – in this case the ‘to’ address was correct, but often in phishing emails the ‘to’ address is something other than the recipient’s email address.
  3. Subject line – the subject line suggests a sense of urgency.
  4. Opening line – the email does not address the reader by name, it says ‘Dear user’. A legitimate email should address the reader by their actual name.
  5. Spelling mistakes – some but not all phishing emails contain spelling and grammar mistakes.
  6. The URL – like the from address, the URL does not look legitimate either, it’s trying to look like a UCL domain but it isn’t. Always hover over a link to see where it will take you, as it may be different to what the text says in the email.
  7. Overall sense of urgency – the whole email has been designed to get the reader to take action quickly without taking the time to properly think about it.
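As an added example (not code from the original post), the checks below turn the tell-tale signs listed here, and in the Week Three phishing list, into a small Python checker run over a constructed sample email. The trusted domain ucl.ac.uk comes from the posts; the urgency and greeting word lists, the sample message and the indicator names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAIN = "ucl.ac.uk"   # a legitimate UCL sender or link should sit in this domain
# Assumed word lists for the "sense of urgency" and "Dear user" signs.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "deleted")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member")

# Constructed sample modelled on the signs in the post; not the real email sent to staff.
SAMPLE_EMAIL = """\
From: UCL IT Services <ucl@systemaccess.network>
To: someone-else@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body>
<p>Dear user,</p>
<p>Your mailbox is almost full. Verify your account immediately or it will be deleted.</p>
<p><a href="http://ucl.ac.uk.systemaccess.network/login">https://www.ucl.ac.uk/login</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so the shown URL can be compared to the real target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def domain_of(address_or_url: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    s = address_or_url.strip().lower()
    if "@" in s and not s.startswith(("http://", "https://")):
        return s.rsplit("@", 1)[1]
    m = re.match(r"https?://([^/:?#]+)", s)
    return m.group(1) if m else s


def in_trusted_domain(host: str) -> bool:
    """True for ucl.ac.uk or a real subdomain; false for look-alikes such as ucl.ac.uk.example.net."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def phishing_indicators(raw: str, recipient: str) -> list:
    """Apply the tell-tale signs to one raw email and return the indicator names that fire."""
    msg = message_from_string(raw)
    found = []
    _, sender = parseaddr(msg.get("From", ""))
    if not in_trusted_domain(domain_of(sender)):          # sign 1: from address
        found.append("from-address-not-ucl")
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != recipient.lower():               # sign 2: to address
        found.append("to-address-not-recipient")
    body = msg.get_payload()                               # single-part message, returns str
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    if any(w in text for w in URGENCY_WORDS):              # signs 3 and 7: urgency
        found.append("sense-of-urgency")
    if any(g in text for g in GENERIC_GREETINGS):          # sign 4: opening line
        found.append("generic-greeting")
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:                    # sign 6: the URL, and hover vs text
        if not in_trusted_domain(domain_of(href)):
            found.append("link-not-ucl")
        shown = shown.strip()
        if shown.startswith(("http://", "https://")) and domain_of(shown) != domain_of(href):
            found.append("link-text-mismatch")
    if re.search(r"\b(reply|respond)\b.*\b(username|password)\b", text):  # Week Three sign
        found.append("asks-for-credentials")
    return found
```

A legitimate message addressed to the recipient from a real ucl.ac.uk address with matching links returns an empty list; the checker is a reading aid for the signs above, not a spam filter.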

If in doubt?

Even legitimate emails can sometimes look like phishing emails, it may be a good idea to gently point this out to the author when you come across these. As always, if you are not sure whether an email is legitimate or not, before you respond or click – ask us (isg@ucl.ac.uk).