"Information security aims to protect information of any kind and origin. Information can be stored on paper, in IT systems or even in the heads of users. IT security as a subset of information security focuses on the protection of electronically stored information and its processing.
The classic basic values of information security are confidentiality, integrity and availability". (BSI standard 200-1)
Information security is not a one-time setup or installation of a single piece of software or device - it is an ongoing process. So keep asking yourself the questions:
What would be the consequences if the data from my device were to fall into someone else's hands? What measures can I take to prevent this? (confidentiality)
What would be the consequences if important data on my device were to be changed, whether by malicious intent or technical errors? What can I do about it? (data integrity)
What would happen if my device suddenly failed? How can I prevent this or reduce the consequences? (availability)
IT Security Information from the Gauss IT Centre / Gauß-IT-Zentrum (GITZ)
A few "golden rules" should always be observed by all users, whether employees or students.
Update! Update! Update! Keep your software, operating system and especially your virus scanner always up-to-date on all your devices.
Use - if possible and reasonable - different user names (e-mail addresses) for different pages.
Use a different, secure password for each access (account, e-mail, ...)! With our password generator it is very easy to generate one.
Never click on "OK", "Next", "Yes", "Agree" or "Accept" etc. without reading and thinking about it first.
"Free" is often expensive: you pay with your data! Therefore, you distribute your data with care: You don't always have to fill in every online form field.
An e-mail is like a postcard, not like a letter!
Pay attention to the links and attachments in every e-mail and on every website: don't just click, look first! Phishing and blackmail Trojans are very fashionable! The more alert we are, the more sophisticated but also the tricks. Inform yourself!
Always activate a screen saver with password protection (e.g. for Windows: "Windows" key + "L") when you leave the computer, no matter how short it is!
Do not work as "administrator", but as a normal user (Windows: standard user). Deactivate or delete all applications and services that you do not need. What is not there cannot be attacked.
"Automatic" is not automatically good! Disable automatic connection with "known" WLANs - see the lecture WLAN Security
Backup! Backup! Backup! Back up your data often and regularly to a safe place - it's your only insurance against blackmail trojans - and against hardware failures.
Be prepared to find a larger number of partially well done phishing mails in your mailbox after returning from Christmas closing / vacation!
Even if the mails seem to come from contacts you know:
Do not open any attachments without first asking the sender whether he really sent you this document, preferably by phone and NOT by e-mail!
Never click on "Activate content" - no matter where the document was sent from.
Do not follow any links and especially do not download any documents! If it really is an important document, the sender can send it to you in another way - call them!
The aim of the attackers is to encrypt the entire file inventory of an organization. In many cases, decryption is technically impossible, even by the attackers themselves! After the initial infection, the malware spreads throughout the entire organization within a few hours!
Update: further phishing wave
In addition to the current Emotet/Ryuk campaigns, a smaller malware campaign with an attached Word document "Support Greta Thunberg - Time Person oft he Year 2019.doc". Further possible subjects are: * The biggest demonstration * Greta
Please delete these mails without opening them first!
Currently (19.12.2019) the ministry responsible for us reports:
Currently, we are receiving messages from individual universities that they have received e-mails from alleged senders from the Lower Saxony Ministry of Science and Culture (MWK) with links to malware.
At present, it is not yet possible to determine conclusively whether a malware infection at the MWK or at the universities that have reported to date may be responsible.
The BSI classifies the threat situation as "business critical".
In view of the current sharp increase in Emotet attacks via e-mail, which have already led to total IT failures in several cases, the Federal Office for Information Security (BSI) is again warning against this threat:
"Recently there have been a number of incidents involving the malware Emotet in the federal administration. Among other things, this has resulted in an outflow of e-mail communication.
This communication is used by attackers to send legitimate looking malware emails. Check your e-mails with a customized 3-second security check:
Is the sender's e-mail address known?
Does the subject make sense?
Is an attachment expected from this email address at this time?
Please note that the sender address displayed in your email program may not be the same as the actual sender.
Therefore, for the time being, pay particular attention to which pages links in e-mails refer to. Do not open any Office documents that are downloaded from such pages. If you open e-mail attachments, do not activate the macros under any circumstances. If you are asked to "activate content" in a document, this is a clear alarm signal. Never click on the 'Activate contents' button."
An old scam's coming back to life: "support scam".
For some time now, more and more fraud calls have been reported. These calls are made to the official telephone numbers of TU employees. The callers usually pretend to be Microsoft employees who, for example, pretend to want to fix an alleged infestation with malware or want to fix a "serious problem on your computer". In addition the called person must install a remote maintenance software on the own computer.
These calls are not real.
The only purpose is to have malicious software, disguised as remote maintenance software, installed on your computer and then to control your computer, either to send spam or to encrypt the computer and then demand a ransom, or to carry out other criminal activities, such as spying out credit card data.
Be careful: Microsoft and other technology companies never call customers on their own and ask them to install software!
End the call immediately. If you actually have something installed, contact our IT Service Desk. If you have issued a user ID/password, change your passwords immediately - all passwords that may be stored on the computer, including those from other websites and services.
E-mails with dangerous attachments are very common. The perpetrators are using increasingly sophisticated methods to get the user to open an attached document. This can be, for example, the use of a known sender with whom the victim has already had e-mail contact or an alleged application for an advertised position, which is intended to arouse the user's curiosity.
Since 13.05.2019, we have seen that a new variant of the perpetrator's existing e-mail communication between two people continues and the automatically generated response attaches the malicious software Emotet as an office macro.
Larger quantities for promotions are only available by prior arrangement, as printing the cards is expensive and time-consuming. Please send your request by e-mail to gitz-it-sicherheit(at)tu-braunschweig.de.
If you have seen one of our awareness posters somewhere: the slogans on it are largely self-explanatory, but nevertheless we offer of course further short explanations here: Meaning of the awareness posters.
The awareness posters can also be used for your own activities at the TU, interested IT coordinators please contact the IT Service Desk.
Lectures on topics related to information security
The announcements for the presentations of the European Cyber Security Month (ECSM) can be found here:
durchgeführt von mehreren GITZ Mitarbeitern: I. Die 10 Gebote der IT-Sicherheit (Markus Dietrich) Video download (2016, HD, 792 MB, nur im TU Netz), Video download (2016, FullHD, 1.49 GB, nur im TU Netz) Video download (2017, HD, 1.8 GB) PDF download ("11 Goldene Regeln", Dr. Christian Böttger, 2019)
With the introduction of Windows 10, Microsoft has introduced a variety of services that, at first glance, offer a simplification of use. However, these services are based on data transferred from your computer to Microsoft servers in the background. Using the default settings, the transferred data may be collected in the background without the knowledge of the user. With regard to the principles "privacy by design" and "privacy by default" required by the EU General Data Protection Regulation (EU GDPR / EU-DSGVO) (which came into effect on 25 May 2018), it is advisable to adapt the settings of Windows 10.
We only recommend settings, you are responsible for the protection of your confidential data and the security of your system. You will also be notified of any negative effects of the settings. Furthermore, we cannot guarantee that a system configured in this way complies with data protection laws - you yourself are responsible for this as well. The recommendations are not intended to be implemented 1:1 with every system - they must be adapted for the respective purpose!
And what do others do?
What do other institutions do about awareness for IT/information security (German only)?