We all enjoy the break at the end of the year but it's important to remember to always keep safe online. Technology is an integral part of daily life, so you need to remember the basics of keeping your information secure both in your professional and personal lives.
Remember, Cyber Security is Everybody’s Business!
Cyber criminals continue to discover new ways to steal data and to compromise organisations. Being proactive and security conscious is the only way to strengthen our position in the constant fight with cybercriminals.
Cyber security basics are more important than ever when we work from anywhere. Below are some simple things you can do to avoid becoming a victim and to keep data and resources safe and secure:
- Protect Your Information
- Protect Your Devices
- Your Passwords Should Be Your Best Kept Secret
- Be Aware Of Social Engineering Attacks (Impersonation, Manipulation, Phishing)
- Report Incidents Immediately
Protect Your Information
Organisations in every industry store an abundance of confidential data, making them top targets for criminals. When a data breach occurs, not only can it result in loss of intellectual property, but it can also tarnish the reputation of both the organisation and the individuals involved.
Have you ever thought about the value of all the sensitive information contained in our documents, spreadsheets, applications and emails? All this information can’t be treated in the same way, so using the University information classification to help sort information into relevant categories is a great place to start.
University information is classified into four high-level categories:
- Public - can generally be made available or distributed to the general public, e.g. course offerings.
- Internal Information - for internal University use only and not for external distribution, e.g. daily operations.
- Confidential Information - for internal use and is accessible only for staff who require it in the course of performing their role, e.g. financial details, health and other research data, information protected by Federal and/or State legislation.
- Restricted Information - to be kept strictly confidential, with access on a strict "need to know" basis.
Classifying information is essential to understand what information we have, where it is located, who has access to it, how confidential it is and how to protect it appropriately to reduce potential information loss and/or breaches.
The University provides a range of data storage solutions for meeting different classification and use requirements. ISTS can help you to choose an appropriate solution for your data!
Some common principles:
- Be vigilant - not only about where you store your information, but how you are moving / transmitting it.
- If you have access to confidential data, make sure you keep it secure and for its intended audience only.
- Avoid leaving unattended devices in plain sight, such as in a car, restaurant or other such areas.
Protect Your Devices
Know how to properly prepare your devices and protect them to avoid exposure of business, client, or even personal information:
Prepare your devices:
- Update the operating system, install any available patches, and update the antivirus software.
- Make sure UniSA’s VPN is installed and configured on your laptop.
- Back up your data regularly to an external location such as OneDrive, an external hard drive or a UniSA managed location (e.g. SharePoint or shared drives).
- Encrypt the hard drive and any external drive(s) you may be taking with you.
- Bring your own device charger; public charging stations cannot always be trusted.
Stop cyber criminals and protect your devices by taking these steps:
- Set up remote tracking and wiping in case the device is lost (e.g. Find My Phone).
- Disable Bluetooth to prevent unwanted connection attempts.
- Disable auto connecting to open Wi-Fi. Only connect to known Wi-Fi networks.
- Use a password/PIN and/or encryption.
- Only install legitimate software and keep it updated.
Remember to never let your devices out of your sight.
Your Passwords Should Be Your Best Kept Secret
Stolen passwords are often the primary entry point for cybercriminals' attacks. You need to use strong passwords to protect your email accounts, your social media accounts, your bank accounts, and so on.
What makes a password strong?
- The longer the password or the passphrase, the better: experts recommend creating passwords that contain a minimum of 10 characters.
- Avoid commonly used password patterns: most passwords in use follow one of these three common patterns:
  - One uppercase, five lowercase and three digits (Example: Koalas123)
  - One uppercase, six lowercase and two digits (Example: Kooalas12)
  - One uppercase, three lowercase and five digits (Example: Koal12345)
- Method: the easiest way to create a strong password that is still easy to remember is to take the first letter of every word in a long and memorable sentence, then add upper- and lower-case letters, numbers, and a few symbols to produce your password.
  Use a sentence like "should you go from building c to building h tomorrow at 5?"
  The password then becomes "sygfbctbhta5?"
- Use unique passwords: Don’t cycle through the same set of passwords or recycle one across different services because that only diminishes the benefit of using a strong password.
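The two password rules above, the first-letter-of-every-word method and the three common patterns, can be checked mechanically. The following is an added example written for this page, not a UniSA tool; it also flags the general shape those three patterns share (one uppercase letter, a run of lowercase letters, then a run of digits), which is a generalisation of the page's list.

```python
import re
from typing import List, Optional

# Added example, not part of the original UniSA page.
MIN_LENGTH = 10  # the minimum length the page recommends

# The three patterns named on the page, followed by the general shape
# they all share. Specific patterns are checked first (dict order).
COMMON_PATTERNS = {
    "1 upper, 5 lower, 3 digits": re.compile(r"^[A-Z][a-z]{5}[0-9]{3}$"),
    "1 upper, 6 lower, 2 digits": re.compile(r"^[A-Z][a-z]{6}[0-9]{2}$"),
    "1 upper, 3 lower, 5 digits": re.compile(r"^[A-Z][a-z]{3}[0-9]{5}$"),
    "upper, lower run, digit run": re.compile(r"^[A-Z][a-z]+[0-9]+$"),
}


def passphrase_from_sentence(sentence: str) -> str:
    """Apply the page's method: first character of every word, keeping any
    trailing punctuation (so '... at 5?' yields '...5?')."""
    words = sentence.split()
    if not words:
        return ""
    last = words[-1]
    match = re.search(r"[^\w\s]+$", last)        # trailing symbol(s), if any
    tail = match.group(0) if match else ""
    core = last[: len(last) - len(tail)]          # last word without the symbol
    heads = [w[0] for w in words[:-1]]
    if core:                                      # avoid doubling a lone '?'
        heads.append(core[0])
    return "".join(heads) + tail


def weak_pattern(password: str) -> Optional[str]:
    """Return the name of the common pattern the password follows, or None."""
    for name, pattern in COMMON_PATTERNS.items():
        if pattern.match(password):
            return name
    return None


def check_password(password: str) -> List[str]:
    """List the problems found against the page's rules (empty = none found)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    pattern = weak_pattern(password)
    if pattern:
        problems.append(f"follows a common pattern ({pattern})")
    return problems
```

Passing the page's own examples through `check_password` flags all three of Koalas123, Kooalas12 and Koal12345, while the sentence-derived "sygfbctbhta5?" passes both checks.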
Use common sense:
- A common way for criminals to gain access to your account is through “credential stuffing”, where passwords stolen from one service are tried against others. Using your work email account for personal activities increases the risk of your UniSA account being compromised. Avoid using your UniSA account for your personal activities.
- Your UniSA password should be unique and not used for other access, e.g. bank accounts, social media, etc.
- Don’t share your password with anyone for any reason.
- Be careful where you store your passwords: do not store your passwords in spreadsheets or upload them to the cloud unless they are within an encrypted file.
- Method: Password managers, such as LastPass or KeePass, are applications that can safely secure your passwords and account details. This makes it easier to have different and complex passwords for all your accounts while only needing to remember one strong password.
- Wherever possible make use of two-factor authentication; this adds an additional layer of protection against hackers logging in with a stolen password. With two-factor authentication, the user must also have their phone to verify their identity in addition to the username and password.
Be Aware Of Social Engineering Attacks (Impersonation, Manipulation, Phishing)
Threat actors will attempt to use psychological manipulation of people to trick them into performing actions or divulging confidential information.
What kinds of social engineering attacks do you need to be aware of in your personal, professional and mobile lives?
Tailgating: where an attacker uses an authorised person to get past an electronic barrier into a restricted area (e.g. "Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building?).
Use common sense:
- When you are in public, keep an eye on your devices and use discretion when accessing or discussing sensitive information.
- In the office, make sure no one slips in behind you when you enter a secured area.
- Lock your workstation when not in use.
- Keep a clean desk (no important documents or notes left out).
Vishing: this attack attempts to trick victims into giving up sensitive information over the phone. For example, criminals will call and pretend to be a fellow employee or a trusted outside authority such as customer support from your bank. They will ask you for Personally Identifiable Information (PII) like your credit card information, PIN, or other sensitive details.
Phishing: a malicious email that attempts to gain some benefit from your interaction, such as responding, clicking a link, or downloading a file. Attackers use them to collect sensitive data, gain access to accounts, or steal money. The number of phishing attacks continues to rise; scammers revel in the opportunity to take advantage of unprecedented situations, especially those that breed vulnerability and uncertainty, such as a pandemic. So, stay alert for phishing emails:
- Never click on random links or download random attachments.
- If something seems off, or a message contains awkward phrasing, poor grammar, unrealistic promises, or urgent language, don’t click.
USB drop attacks: cyber criminals leave infected USB drives in public places in the hope that someone will pick one up out of curiosity and plug it into their device. There are three main types of attack:
- Malicious code: in the most basic USB attack, the user opens one of the files on the drive; this launches malicious code that activates as soon as the file is viewed and can download further malware from the internet.
- Social engineering: The file takes the user to a phishing site, which tricks them into handing over their login credentials.
- HID (Human Interface Device) spoofing: when the USB stick is plugged into a computer, it presents itself as a keyboard and injects keystrokes that command the computer to give a hacker remote access to the victim’s computer.
Use common sense:
- If you find a USB flash drive, don’t plug it in! Hand it in to Security.
Malware: refers to software that damages devices, steals data and causes disruption. There are many types of malware:
- Adware: software that automatically displays or downloads unwanted advertisements when a user is online.
- Spyware: malicious software that sends a computer user’s confidential data back to cyber criminals.
- Keyloggers: malware that logs and records what someone types on their computer.
- Ransomware: a type of malware that encrypts files or denies access to a computer system until a ransom has been paid.
Malware can come from different attack vectors, the most common being phishing, malicious web sites and a compromise of the supply chain (vendors used by the university). So, remember to be super vigilant.
Report Incidents Immediately
Please report anything you think is suspicious and any security incidents immediately. We appreciate your assistance because timely reporting allows UniSA to investigate and remediate security incidents quickly and helps prevent similar events from recurring. The longer you wait to report something, the more damage it could cause.
If you know or believe an incident has occurred, report it to the IT Help Desk with as much information as possible. Please do not attempt to investigate incidents yourself; attackers can exploit many different types of vulnerabilities, and interacting with them in any way is a risk.
- For staff, students and visitors of UniSA please report any cyber security incidents to the IT Helpdesk by emailing ithelpdesk@unisa.edu.au or by calling (08) 8302 5000.
- For external people reporting misuse or abuse of UniSA IT facilities, please report the incident to abuse@unisa.edu.au.
Please familiarize yourself with UniSA's information security policies and guidelines and know the role you play in keeping information safe. Information is an asset and should be treated as such.
We once again welcome you back. If you have any questions or need help with anything, please ask the IT Help Desk.
Keep up to date with the latest notifications of issues and advisory information through the Security@UniSA Teams site.