KEEP IT SAFE FINAL IT Security A6 FINAL 2 (1)

KEEP IT SAFE

An Information and Technology Services guide to security for staff and students

INFORMATION AND TECHNOLOGY SERVICES

Follow us on Twitter @KU_ServiceDesk

Contact the Service Desk on 63355 or 020 8417 3355


Contents

• Welcome from the Vice-Chancellor and CIO
• Help and Support
• Password Guidance
• Email Security
• Physical Security
• Virus Protection
• Data Handling
• Credit / Debit Card and Online Payments
• Reporting Security Incidents


Welcome – From the Vice Chancellor and CIO

Everyone works with digital information and whilst the benefits are enormous for education, research and administration, technology exposes us to many security risks.

A failure to secure the information we store has serious implications for the University, staff and students. Breaches carry significant financial penalties, not to mention damaging the reputation of the University or individuals. We continue to invest heavily in information security but the weakest link can often be people.

This booklet provides some practical advice for staff and students to help identify security risks and remain safe whilst using IT at the University or elsewhere. The University has a duty to protect the personal, sensitive and financial information processed by its IT services, and you will no doubt be keen to ensure that the work you produce during your time here is safe from theft, loss or plagiarism.

If you have questions after reading this booklet you can either visit the dedicated IT Security pages on StaffSpace or MyKingston or contact the Service Desk, who will be happy to help.

Julius Weinberg

Vice-Chancellor


Simon Harrison

Chief Information Officer


Keep IT Safe – Help and Support

IT Service Desk

The Service Desk offers help and support for any IT and Library related problems you may encounter throughout your time here. Support is available via the telephone, Monday to Friday between 08:00 and 18:30 by calling 020 8417 3355, or you can visit the IT Support pages at mykingston.kingston.ac.uk/mysupport/itsupport and staffspace.kingston.ac.uk/dep/it-services for online help and support.

However, if you are unable to log in to the Service Desk Portal, please submit an online form at kusdpw.kingston.ac.uk giving us as much detail as possible about the problems you are experiencing with your computer.

Follow the Service Desk on Twitter for regular IT service updates, news and support. Please also see the IT System Status on the My Kingston and StaffSpace homepages.

Opening Hours

Monday - Friday: 0800 - 1830

T: 020 8417 3355
W: portal.kingston.ac.uk
Twitter: @KU_ServiceDesk

If you are concerned about a possible security incident, you should contact the Service Desk.

Further information about security can also be found on My Kingston mykingston.kingston.ac.uk/mysupport/itsupport/Pages/security and StaffSpace staffspace.kingston.ac.uk/dep/it-services/Pages/Security


Keep IT Safe – Password Guidance

Your password is crucial to protecting the security of your account.

Passwords ensure that only authorised users can access the University’s IT facilities.

Your password keeps your stored data and information private and secure.

What is a strong password?

Criminals have developed programs that automate the ability to guess your password. Someone with minimal skills and with the right tools can easily guess short or normal words. The longer and more complex your password is, the more difficult it is to deduce or guess.

Password strength tips:

• Use long words, or preferably phrases, that are more difficult to guess
• Use at least one upper case letter and a number to make it even harder to guess
• Some examples of strong passwords based on the phrase ‘day follows night’ include:
  • ‘Dyfllwsnght’ which has the vowels removed
  • ‘D2yf0ll0wsn1ght’ which has all vowels replaced by numeric characters

How can I protect my password?

Do

• Do use a ‘strong’ password
• Do change it regularly, or if you think someone else may know it
• Do use different passwords for different IT services, so that if someone gains access to your password it is of limited use to them

Don’t

• Don’t write your password down
• Don’t let anyone else know your password
• Don’t let anyone see you typing it
• Don’t type your password into an open-text field, such as your username


How do I change my password?

Staff

If you have forgotten your password you can change your password using the Password Changer.

To use the staff email based Password Changer kusdpw.kingston.ac.uk/pass you will need to add your personal email address to the Content section of ‘Yourself’.

If you have any questions please contact the Service Desk.

Students

If you have forgotten your password you can change your password using the Password Changer.

To use the student Password Changer you should update your personal email address in ‘OSIS’. If you didn’t provide a personal email address, then you can contact the Service Desk.


Keep IT Safe – Email Security

Phishing

Email phishing is where a legitimate looking email is sent by a fraudster in an attempt to acquire sensitive information such as usernames, passwords, credit card details, bank details or other information.

It is not uncommon to receive an email claiming to be from trustworthy sources with the intention of tricking you into providing sensitive and valuable data.

How to spot a phishing email

• The ‘from’ address may not be a real organisation domain
• Think whether you are expecting an email correspondence from the organisation
• The link in the email is different from the URL specified in the mail
• The subject field is a generic statement
• The message contains poor spelling and grammar
• Unknown or suspicious attachments

Do

• Do hover your mouse over links and check the sender is legitimate
• Do report incidents and phishing attacks to [email protected]

Don’t

• Don’t open any attachments you may consider suspicious
• Don’t click on links you may consider suspicious
• Don’t reply to the email


The example below illustrates the points previously described.

From: Vincenzo Recupero <[email protected]>
Sent: Mon 20/07/2015 11:07
To: Vincenzo Recupero
Cc:
Subject: R: Faculty and Staff Form Submission

Dear E-mail User.

Your EMAIL ACCOUNT PASSWORD Expires TODAY, to UPDATE Please Click LOGON and Follow Instructions.

Thanks
2015 ITS Help Desk Support Center

Annotations:

• Subject: Is too generic
• From: Not a Kingston University address
• I&TS never ask for users to provide user credentials
• Link: Not a Kingston University link (the link tooltip reads ‘http://facultyportalmail.tripod.com Click to follow link’)
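The warning signs listed in this section can also be checked against a raw message. The following is an added example, not part of the booklet or of any University tooling; the word lists, function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "kingston.ac.uk"  # domain of the University URLs quoted in this booklet
GENERIC = ("dear e-mail user", "dear user", "dear customer")  # assumed phrases
LURES = ("password", "logon", "log on", "login")              # assumed phrases
ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)

def in_org(host):
    host = (host or "").lower().rstrip(".")
    # Exact match or true subdomain only, so "kingston.ac.uk.example.net" fails.
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def host_of(url):
    return urlparse(url if "://" in url else "//" + url).hostname

def body_text(msg):
    chunks = []
    for part in msg.walk():  # covers plain, HTML and multipart messages
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def phishing_indicators(raw_email):
    """Return the booklet's warning signs that are present in one message."""
    msg = message_from_string(raw_email)
    body = body_text(msg)
    found = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not in_org(sender.rpartition("@")[2]):
        found.append("from-not-university-domain")
    if any(g in body.lower() for g in GENERIC):
        found.append("generic-wording")
    if any(w in body.lower() for w in LURES):
        found.append("asks-for-credentials")
    for href, label in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", label).strip()  # visible link text
        if re.match(r"(https?://|www\.)", shown, re.I) and host_of(shown) != host_of(href):
            found.append("link-text-differs-from-target")
            break
    if any(not in_org(host_of(u)) for u in URL_RE.findall(body)):
        found.append("link-not-university-domain")
    return found

# Constructed sample modelled on the booklet's annotated email (hosts are placeholders).
PHISH = """From: ITS Help Desk <helpdesk@mail.example.net>
Subject: Faculty and Staff Form Submission
Content-Type: text/html; charset=utf-8

<p>Dear E-mail User.</p>
<p>Your EMAIL ACCOUNT PASSWORD Expires TODAY, to UPDATE please click
<a href="http://facultyportal.example.net/logon">https://portal.kingston.ac.uk/logon</a></p>
"""
# Constructed benign message; the sender address is made up.
LEGIT = """From: IT Notices <it-notices@kingston.ac.uk>
Subject: Library system maintenance on Saturday

Hi Sam, the maintenance window is listed at https://portal.kingston.ac.uk/status
"""
if __name__ == "__main__":
    print(phishing_indicators(PHISH), phishing_indicators(LEGIT))
```

The From header is set by the sender, so a message that passes the domain check is not thereby proven genuine; the output is a set of triage hints for the reader, matching the manual checks above.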


SPAM

SPAM is defined as the sending of unsolicited email to large groups of people.

This will include large groups of University students and/or staff. Although not necessarily malicious, SPAM can have a detrimental effect on the University’s computer network and, in some cases, can prevent important emails from reaching the intended recipient.

Do

• Do report large or excessive volumes of SPAM emails to [email protected]
• Do look for tick-boxes that allow you to opt out of newsletters and special offers etc.

Don’t

• Don’t reply to SPAM emails
• Don’t ‘reply all’ to University-wide emails
• Don’t publish your email address on any website unless absolutely necessary, particularly on message boards and forums
• Don’t give your email address to suspicious websites in order to download shareware or free programs


Reporting suspicious emails

You can help us handle phishing and SPAM emails by reporting any suspicious emails. We will submit suspicious emails to Microsoft’s junk mail service, which in turn will mean they are marked and dealt with appropriately in the future.

You should report any suspicious emails to [email protected]

Don’t forward the original email; attach it to a new email as follows:

In your University Outlook account:

1. Create a new email

2. Click on ‘Attach Item’ (envelope and paperclip icon at the top, just to the right of centre) then select ‘Outlook Item’ and the phishing email from the list of items

3. Send to [email protected]


Keep IT Safe – Physical Security

Laptop crime is on the rise and unattended devices are easy targets for thieves.

Thieves will target computers, laptops and mobile phones in cars, coffee bars, libraries and even on public transport.

Apple has a service called find my phone, which is available for users of Apple computers or phones. It is advisable to enable this feature if you can as it can help to protect or locate your devices if they are lost or stolen.

Users of Windows or Linux devices can look at https://preyproject.com/, which offers a similar service for such devices.

If you have an Android phone, then please go to www.lookout.com

Reducing computer theft

Staff computers or laptops should be secured and offices locked when unoccupied. A simple lock, cable and locked office door will deter the majority of opportunist thefts.

Security locks

Laptops, LCD monitors and most computers can be secured with a security lock and plastic coated steel cable. These come in a number of forms such as Kensington, the most well-known manufacturer. Variations on this theme include security plates that are bonded to two or more items and secured via a cable and lock.


Locking your Computer

If you are office based it is important to lock your device when leaving it unattended, and to turn it off at the end of each working day. This not only protects your device and its data, but also supports the University’s green agenda by using less power.

If you are using one of the desktops in the LRC, then please remember to log out.

All staff laptops provided since summer 2015 now use BitLocker encryption to provide an additional level of security for sensitive information stored on laptops. Staff with older laptops who deal with sensitive information and would benefit from BitLocker (or FileVault for Apple devices) should contact the Service Desk.

Extra care should be taken when working on systems that contain sensitive data such as student information and financial data. Data loss incidents are far more likely to occur when a user leaves their workstation logged in but not locked. You should always ensure that you save your work to the H: drive.

When working in open areas such as LRCs, computer labs or teaching rooms, you should never leave a computer unattended while it is logging off. The logoff process is not immediate and can be interrupted if someone chooses to. You should always wait until you see the login screen or the computer has powered off.


Keep IT Safe – Virus Protection

What is a Virus?

A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive. When this replication succeeds, the affected areas are then said to be ‘infected’.

Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, SPAMming their contacts, logging their keystrokes, or even rendering the computer useless.

What is Anti-virus?

Anti-virus software is used to safeguard a computer from malware, including viruses, computer worms, and Trojan horses. Antivirus software may also remove or prevent spyware and adware, along with other forms of malicious programs.

The detection used in these programs is reliant on the user performing regular anti-virus updates. On a University managed workstation, this update is performed automatically by the system administrators. However, on personal devices such as laptops and home PCs, regular updates must be run.

There are a number of free and commercially available anti-virus software packages such as AVG, ClamAV, McAfee, Norton and Kaspersky available on the market.


Do

• Do make sure portable devices such as USB sticks are clean before transferring the data from them

• Do contact the Service Desk if you experience issues

Don’t

• Don’t open attachments from unknown or suspicious sources
• Don’t click on links within emails

Malware

‘Malware’ is short for malicious software. Malware infections on your computer or other data storage devices can have a serious impact, depending on what the malware was designed to do. For example, it can:

• Corrupt or make important data inaccessible;
• Introduce hidden software which can detect usernames and passwords to University systems, or personal data such as bank and credit card details, and transmit them to criminals to use in fraudulent activities


Spyware

Spyware is any technology that aids in gathering information about a person or organisation without their knowledge. Spyware can get into a computer as a software virus or as a result of installing a new program, which could secretly capture your username, password, email address, banking credentials or credit card details.

Visiting websites for free downloads, illegal software downloads, or illegal music downloads can often result in a Spyware infection.

What is Anti-spyware?

Anti-spyware is used to detect and remove malware and advertising software.

Anti-spyware software such as ‘MalwareBytes’ can be used to remove spyware and malware.

Do

• Do avoid sites offering pirated software/videos and games
• Do pay attention to freeware you install, much of it these days is packaged with spyware and users should be vigilant to ensure they only install what they want
• Do make sure your Windows/Mac/Linux OS installation is up to date with the latest patches and updates
• Do report to Service Desk and stop using immediately if you think your PC is infected with spyware

Don’t

• Don’t enter any personal details on websites unless the website is from a trustworthy organisation and you can verify it

• Don’t open any email attachments that you are not expecting to receive. If it is a known sender, under no circumstances should you ever give out or send personal data back or follow any links unless you are absolutely sure


What is a Firewall?

A Firewall is software or hardware that monitors incoming and outgoing traffic and restricts or allows access to and from your computer depending on your firewall settings. Make sure you keep it turned on at all times.


Keep IT Safe – Data Handling

The Data Protection Act states that you are responsible and liable for any personal or sensitive data you handle, so it is essential you do so securely.

This section refers mainly to the handling of information on non-University devices.

My Desktop Anywhere

Whenever possible, remote access to University IT services should be via My Desktop Anywhere. This service is a secure method of working with your normal KU desktop from any device anywhere in the world.

My Desktop Anywhere allows you to access University software applications and securely work on sensitive, personal or financial information without the need to save anything on your local device.

My Desktop Anywhere can be accessed from both My Kingston at mykingston.kingston.ac.uk/tools/Pages/My-Desktop-Anywhere and StaffSpace staffspace.kingston.ac.uk/applications/Pages/My-Desktop-Anywhere

USB Memory Sticks

Popular for their ease of use, USB memory sticks are used by many people across the University to store and transport files and other data to work with remotely. USB memory sticks are an insecure method of storing information, and are easily lost or misplaced.

The University strongly advises against the use of USB memory sticks to hold sensitive data unless they are encrypted. Encryption can be either ‘hardware encrypted’ in which case the USB device has a small numeric keypad on it, and access to data on the device requires entry of a valid PIN, or ‘software encrypted’ requiring the entry of a valid PIN or password once the device has been inserted and recognised by a computer. Encrypted USB sticks are available widely through high street and online stores.


Encryption

Encryption, put simply, means the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it.

Full disk encryption ensures that everything stored on your device is encrypted. It is recommended that you consider using this facility to ensure the privacy of your data. On Windows computers you can use BitLocker, which is part of the standard Windows operating system, and the equivalent on Apple computers is FileVault. Before adopting either of these tools you should perform a full backup of your computer.

Email encryption is supported by Office 365. However, the University does not offer email encryption as a standard service at this time, although it is expected that future Office 365 implementations at the University will include this.

‘Remember Me’

Many IT services require a username and password in order to identify and authenticate you. It is common for many computers to offer a ‘Remember Me’ function to avoid the need to enter these credentials every time you need to use the service. It is strongly recommended that you do not tick this option to ensure that your credentials are not stored on the computer.

Email Attachments

Email is an insecure communication medium. Email attachments are stored in temporary folders and will often remain there long after you have closed your email application and left the device. It is strongly recommended that information of a sensitive nature is not sent or viewed as an email attachment.

Sending or Receiving Large Files

Occasionally it may be necessary to transfer large files of information between the University and a third party. In such cases a secure file transfer protocol (FTP over SSL or FTPS) mechanism, or similar, should be used. If unsure, contact the Service Desk for assistance.


Keep IT Safe – Credit / Debit Card & Online Payments

Telephone Payments

When making payment over the telephone you should be careful that you are not overheard. When possible make sure that you are in a room alone, or can be certain that others are out of hearing distance.

Online Payments

When making payments using a website’s online payment facility, it’s important that the page you enter your details onto is using a secure connection. This ensures that your details are encrypted as they pass between your device and the supplier’s website over the internet.

Always look for the padlock symbol in your web browser’s address bar, and the HTTPS:// prefix to the URL. If you are unsure or can’t easily identify it as being secure then don’t enter your details. When you do enter your details into a secure website it’s also important to make sure that nobody can see you do it.


Keep IT Safe – Reporting Security Incidents

Remember, if your system suffers from a security incident, you should contact the Service Desk or email [email protected]

NEED SUPPORT? Contact the Service Desk

T 020 8417 3355
(internal) 63355
W portal.kingston.ac.uk
Follow us on Twitter @KU_ServiceDesk

OPENING HOURS Monday - Friday: 0800 - 1830

V-01-04022016