
IT Security Announcements

To maintain a safe and secure online environment, and to protect users of the University's IT facilities, Information Strategy & Technology Services (ISTS) regularly post announcements to educate users about IT security issues and steps to overcome them.

IMPORTANT NOTICE:

The UniSA IT Help Desk will NEVER ask you to verify your username and password and/or personal information via email. They will always speak to you over the phone and verify your identity.

Unfortunately, phishing can also be conducted through hoax phone calls. If you receive a phone call claiming to be from the IT Help Desk, you are welcome (and encouraged) to ask for a job reference number. You can then call the UniSA IT Help Desk (after locating their contact number on the UniSA website) and quote the reference number to confirm you are speaking with a UniSA staff member.

This article discusses a few simple steps to improve the security of your University login.

The University login provides staff with access to many resources required to perform their work tasks such as email, Internet access, staff portal, file sharing, etc.  For some staff this login also gives access to confidential information relating to University administrative processes.

In order to improve the security of your account:

  • Use passwords that are not found in a dictionary and contain a mix of letters and numbers.  Do not use passwords based on information that others may know or can easily discover such as car registration, phone numbers, names and addresses.
  • Do not allow applications or web browsers to save or remember your password.
  • Your account is for your own use only.  Do not share your password with anyone.
  • Ensure that your workstation is not left logged in and unattended. Either log out of the workstation or lock it so that your password needs to be entered to unlock it.  Windows workstations can be locked by holding down the CTRL, ALT and DELETE keys then selecting “Lock this computer” from the menu presented, or by holding down the Windows logo key and pressing the L key.
  • Choose a different password to your UniSA password when accessing third party web services (personal email, social media).  For work related subscriptions where you need to use your UniSA email address you should also use a password that is not the same as your UniSA password.

UniSA, along with other Australian universities, is seeing a large number of malicious emails being sent to staff mailboxes. These messages are intended to trick you into opening an attached file or clicking an included link in order to compromise your computer, lock your files for ransom and steal your logon credentials.

Recent malicious messages have been disguised as:

  • Warnings about changes to the university email system or storage that require an immediate action or response.
  • Scanned documents sent from university printers.
  • Australia Post package collection and tracking notifications.
  • Invoices for services and goods.

If you receive an unexpected email with an attached document or included link then the best course of action is to not open the attached document and not click the link.

To make it easier to recognise suspicious email, ISTS have published examples with information and pointers that show the email is not legitimate. This information is available here:  http://w3.unisa.edu.au/ists/new/all/email/nuisance-emails.htm.

Example suspicious emails can be found on the IT Security Alerts page.

To protect yourself against fraudulent activity:

  • DO NOT enter your UniSA username and password into an external website or use your UniSA email address and password for non-university accounts.
  • DO NOT reply to an email requesting your username and password. UniSA will never request your username and password via email.
  • DO NOT click on any links or open any attachments contained within a suspicious email.

Social engineering attacks are designed to convince you to perform actions that result in the release of sensitive data such as UniSA login credentials, bank account details or other personal and confidential information.

As UniSA staff are often subjected to these types of attack, this list of common social engineering techniques is provided to increase your awareness and help you to avoid being tricked:

  • A phone call or face to face contact is made by someone claiming to be a staff member or student requesting their own personal information or changes to their passwords and contact information. Staff should follow established procedures for releasing or changing credentials and contact information.
  • The most prevalent social engineering method seen at UniSA is the attempt to trick a large number of staff into revealing information or taking action through emails that claim to be from the IT unit, Helpdesk or external organisations (banks, energy providers and social media). Users are urged to open attachments or click on links that lead to a compromise of the user’s workstation or UniSA credentials. Staff should not open attachments or click on links in unsolicited email.
  • Targeted emails are sent to specific staff members who have privileged roles in an organisation. These are usually crafted to appear to be from senior staff or colleagues and often request confidential information or actions to be undertaken such as the transfer of funds, copy of exam papers, password changes, etc. Staff should follow established procedures for authorising changes and transactions or releasing information.
  • USB drives are dropped for employees to find or are handed in as found. This technique relies on people plugging the item into their workstation to see if they can identify the owner and in the process infecting the workstation. Staff should not attach unknown devices to their workstation.

If you think you have been subjected to any of these attempts please report them to and seek advice from the IT Help Desk.

The targeting of electronic devices used by personnel during overseas travel is a real and persistent threat. Electronic devices likely to be targeted include, but are not limited to, corporate and personal laptops, phones, tablets and removable media such as USB drives and SD cards. The compromise of electronic devices could impact the ongoing operation and security of any organization.

Generally, the risks associated with electronic device usage during overseas travel involve compromise of electronic devices that will allow attackers to:

  • Gain access to personal data (including user credentials)
  • Gain unauthorized access to the University network
  • Gain intelligence on sensitive University and research information 

Staff travelling overseas on University business should contact the IT Help Desk for options on increasing security while travelling, including use of temporary mobile devices and laptops.

Additional tips to consider while travelling include:

  • Always secure your mobile devices or laptops when they are not in your possession, for example in locked safes or cupboards.
  • Avoid travelling with confidential or sensitive data on laptops or portable storage devices.
  • Where possible, use encryption on laptops and devices for further protection.