Basic IT-Security

Content

  1. Overview
  2. Necessary and helpful programmes (technical protection)
  3. Passwords and two-factor authentication
  4. Personal behaviour
  5. Measures in the event of a virus attack
  6. System administration
  7. Wireless networks (WLAN) / Server
  8. Data encryption
  9. Disposal of computers, printers and data carriers
  10. Further information

1. Overview

This document describes which programmes should at least be installed on the computers at Fulda University of Applied Sciences and how these programmes must be configured so that a certain “basic security” is available. Since even the best security measures do not offer any protection if the users circumvent the protection or do not take the measures seriously, there are also some tips on user behaviour.

In the settings instructions from chapter 2 onwards, “Start > … > …” means that you start with the Start entry in the menu bar (generally at the bottom left of the screen) and then click on an entry in the menu, a tab or another element that has the corresponding label.

2. Necessary and helpful programmes (technical protection)

In order for you to be able to work with the computer at all, it requires an operating system. The operating system must always be up to date so that all known “security holes” are “plugged”. If the operating system provides an “Automatic Update” feature, this feature should be activated, as the security holes are then closed as quickly as possible. The current Windows operating systems from Microsoft offer this function. With Windows 10 you cannot actually prevent the system from updating automatically, so you don’t have to do anything. If you nevertheless want to start a manual search for updates, right-click on “Start” in Windows 10 and then click on “Settings”. Then click on “Updates and security” and then on “Check for updates” to start a search for current versions.

Access to the computer from the Internet or from programmes on the computer to the Internet should be monitored and controlled. This task is performed by a firewall. Although all computers at Fulda University are protected by a central firewall, a local firewall should nevertheless be set up on each computer to protect it against computers within the university network (intranet) that may be poorly maintained and are therefore infected with malware (viruses, worms, Trojans, etc.). In addition, the local firewall may be able to prevent malware from spreading from an infected computer to other computers at the university. Under Windows, for example, you can use the Windows firewall, which is included as standard in the newer Windows operating systems. If you are using Windows 10, click with the left mouse button on “Start” and then select “Windows Security” (at the bottom of the programme list). There, “No action required.” should be displayed for “Firewall & network protection”. If actions are required, click on “Firewall & network protection” and then successively on “Domain network”, “Private network” and “Public network” and switch “Windows Defender Firewall” to “On” in each of them. Portable computers (notebooks) must have a firewall set up.

Every computer must be protected against malware (viruses, worms, Trojans, etc.) by an antivirus programme. Fulda University uses the Sophos Intercept programme for this purpose, which must be used on all university computers. Please check all formatted attachments (Word, Excel, PDF, …) of emails for malware before you open the attachments with the corresponding programmes. Further information (also for private computers) can be found on the Virus protection (Sophos) page of the computer centre.

Of course, you not only want to protect your computer but also use it. The required security settings for your email programme can be found in the separate document E-Mail and the settings for your web browser in the document Web browser, as the number of different products is beyond the scope of this document. You can also open these documents via the navigation bar. The security settings for your other programmes should be researched in the Help of the programme or on the Internet.

Remember to update all programmes automatically or at least regularly, so that you make things as difficult as possible for malware and hackers.

3. Passwords and two-factor authentication

Choose a good password and keep it secret. The document Passwords describes how to create a good password and how to change it. Please be sure to observe the following instructions.

  1. Never give your password to other people, as you may be held responsible if your user account is misused by other persons.

  2. Do not write down your password, or at least keep it far away from your computer and without any recognisable reference to your user account (never in the same room).

  3. Never save your passwords in files or programmes to “make your work easier”, as they can otherwise be read and misused by malicious software.

  4. Change your password immediately if it has fallen into the wrong hands or if you suspect that it has become known to unauthorised persons.

  5. Use different passwords for different computers or activities.

  6. Never use your user name and password for competitions or similar.

  7. Never use a password on any Internet site that is similar to or even the same as your own password, as this will give a potential “hacker” an opportunity to break into your computer if these details are stored in plain text.

  8. If you have forgotten your password, you can obtain a new password at the computer centre. Your identity can be verified on site using a photo ID or via a video conference.

  9. Protect the booting of your computer (the so-called boot process) with a password (the so-called “BIOS password”; see the sections “Functions” and “Security” in the German explanation of the BIOS or, better explained, the section “Configuration” in the English explanation of the BIOS, https://en.wikipedia.org/wiki/BIOS) if you store personal or other sensitive data on the computer. This protection must also be effective if an intruder wants to start the computer with their own CDROM, DVD, memory stick or something similar. If the computer does not have such BIOS password protection, personal data may only be stored on the hard disc in encrypted form.

Access to some functions of some applications (e.g. in the University Organisation System for study and teaching (“horstl”)) is restricted for some persons (e.g. employees and lecturers) by means of two-factor authentication, so that these persons must prove their identity by a second factor in addition to the password. The system can then verify the identity using these factors (authentication) and grant the privileges (rights) to which the proven identity is entitled (authorisation). The web page for two-factor authentication of the data centre describes which procedures are supported and how they can be set up. Further information on two-factor authentication can also be found at Wikipedia. Please note the following information.

  1. Never pass your second factor (smartphone with registered app or hardware token for generating a one-time password) on to other people, as you may be held responsible if your user account is misused by other persons.

  2. If you use a hardware token, it is prohibited to keep the hardware token together with the end device (e.g. notebook) in the same bag.

  3. Loss of the second factor or suspicion of misuse of the second factor must be reported immediately to the IT security officer of the data centre.

4. Personal behaviour

Never enter personal data on the Internet if it is not absolutely necessary. If necessary, make up names and addresses when registering with web providers, discussing in forums or chatting in chat rooms. Please also note the following tips.

  1. Never change your password, the configuration of the operating system or a programme at the request of another (unknown) person who contacts you by telephone. Never download software from the Internet in order to install it at the request of another person. Never call up certain web pages and never enter any commands if you are asked to do so by an unknown person.

  2. Never pass on sensitive or internal information by telephone.

  3. Label portable data carriers (CDROM, DVD, memory stick, etc.) containing sensitive data and lock them away when you leave the room.

  4. Ensure appropriate disposal of sensitive documents and data carriers that currently contain confidential data or have contained confidential data in the past.

  5. Never use CDROMs, DVDs etc. from unknown sources (simply “lying around” somewhere in public) on a university computer, as the autostart function could automatically install malware on the computer.

  6. Never open email attachments if you were not expecting the email and before you have checked the attachment for malware. Remember that the sender may be forged.

  7. Never forward an email just because the email asks you to. Do not contribute to the spread of malware or spam e-mail.

  8. Do not send sensitive information by email, or only in encrypted form.

  9. Protect your computer with a password-protected screen saver or log off when you leave the room.

  10. Make sure that the latest antivirus and anti-spy software is always installed on your computer and use an up-to-date firewall.

  11. Never deactivate or remove the antivirus software or the firewall without the permission of the data centre.

  12. No one may download or use software that enables the circumvention of protection mechanisms. Exception: system administrators, in order to check and maintain the security of the systems.

  13. No one may connect their own network access to their workstation computer without the consent of the computer centre.

  14. Students are not entitled to data backup and restoration, so they may have to back up important data themselves.

  15. Pay attention to security-relevant incidents and report them.

5. Measures in the event of a virus attack

If you suspect or even know that your computer has been infected by one or more malicious programmes (viruses, worms, Trojans, etc.), you should take the following measures.

  1. Disconnect the infected computer from the university network as quickly as possible to avoid further damage by the malware spreading to other systems. The affected system should not be disconnected from the power supply and also not be shut down, so that forensic analyses can be carried out later to investigate the malware and the damage caused and so that measures can be taken to contain consequential damage.

  • If the computer is connected to the university network with a network cable, the cable should be disconnected. The plug has a latch, which is sometimes hidden under a plastic cover and must be pressed down before disconnecting.

  • If the computer is connected to the university network via the wireless network (WLAN), you should try to switch off the network via the WLAN switch or the touch-sensitive screen (touchscreen). If the malware prevents this, you should try to switch off the device by pressing the on/off button for several seconds. In this case, disconnect the device from the power supply if it is connected and remove the battery if this is possible.

Then immediately inform the helpdesk of the data centre and the person responsible for the administration of the computer.

  2. Also report the incident to your IT security officer, who may be able to assist you in cleaning your computer or tell you who can help you remove the malware from your computer. Depending on the type of infection, it may be necessary to reinstall the computer and restore the data from a data backup, as this is the only way to ensure that the malware has been completely removed.

  3. If a new installation is not necessary and you want to remove the malware yourself, you will need a so-called rescue CD, which contains a bootable operating system and antivirus software (e.g. Desinfec’t). You will need to create the CD/DVD or the memory stick on a different computer and then start your computer from this medium so that you have a “virus-free” environment. Then you can scan your hard drive with the antivirus programme and remove the malware. If no virus is found, your computer may still be infected with malware that the antivirus programme just cannot find. In this case, be sure to contact the computer centre before you reconnect your computer to the university network.

  4. To ensure that your computer is not immediately infected with malware again, you should update the software on your computer and, if you have not already done so, install an antivirus programme and a local firewall. You will find information on this in Chapter 2 of this document.

  5. The computer centre and the local system administrators are obliged to ensure the operation and security of the university network and carry out the following actions if danger is imminent:

  • If necessary, they block the IP address at the next possible location.

  • If the infected computer is in the university network via the wireless network (WLAN), they block the user account and interrupt the connection.

  • They notify the user or the responsible administrator about the error.

6. System administration

System administrators have a special responsibility and should ensure that the IT security policy is implemented and adhered to in their area of responsibility. They should also observe the following instructions.

  1. User accounts should be created in such a way that only good passwords can be used and that the user account is blocked if a password is entered incorrectly several times (if the system offers these possibilities).

  2. Change default passwords of telephone systems, computers, network components etc. and, if necessary, block standard users (guest accounts) to protect the systems.

  3. Regular data backups should be carried out and the data backup media should be stored in fireproof and burglar-proof cabinets where necessary for the data inventory. If personal or other sensitive data is stored externally, it should be stored in encrypted form.

  4. Change or block the computer access authorisation when a person leaves the university or receives a new area of responsibility. The required data must be passed on by the Student Service Centre (SSC) for students and by the Human Resources Department for staff to the Computing Centre, which immediately forwards the data to all system administrators.

  5. If a system administrator leaves the university, all system passwords must be changed immediately and, if necessary, the password files or databases must be searched for new accounts with privileges in order to ensure the security of the systems. Under UNIX-like operating systems, it may also be necessary to search for programmes with privileges (SUID or SGID bit set) that are not part of the normal operating system.

  6. Temporary user accounts should be deactivated when the project for which they were set up has ended.

  7. Users may not have their user account deactivated or activated by telephone. Deactivation or activation can only be arranged in writing or in person. If the person is not known, the identity must be verified beforehand. The verification can be carried out on site using photo identification or via a video conference. In the case of written applications, it should also be clarified whether the person has actually made the application.

  8. System administrators should download and use software that makes it possible to check and maintain the security of the systems (e.g. a password cracker for checking good and bad passwords if the system allows access to the passwords).
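
For the search described in item 5, one way to find new privileged accounts and new SUID/SGID programmes on a UNIX-like system is to compare the current state with lists saved while the system was known to be good. This is an added example, not part of the original guideline; the baseline-file approach, the admin group names "sudo" and "wheel", and all sample accounts and paths in the demo are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline comparison for privileged accounts and SUID/SGID files.
# The baseline files are assumed to be lists saved while the system was known good.

# Print every account that is privileged now: each UID-0 entry of a
# passwd-format file plus each listed member of the named admin groups.
# (Users whose *primary* group is an admin group are not covered here.)
privileged_accounts() {
    passwd_file=$1; group_file=$2; admin_groups=$3    # e.g. "sudo wheel"
    {
        awk -F: '$3 == 0 { print $1 }' "$passwd_file"
        for grp in $admin_groups; do
            awk -F: -v grp="$grp" '$1 == grp {
                n = split($4, members, ",")
                for (i = 1; i <= n; i++) print members[i]
            }' "$group_file"
        done
    } | LC_ALL=C sort -u
}

# Print SUID or SGID regular files below a directory, staying on one filesystem.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Read the current list on stdin and print the lines missing from the baseline file.
not_in_baseline() {
    base_sorted=$(mktemp) || return 1
    LC_ALL=C sort -u "$1" > "$base_sorted"
    LC_ALL=C sort -u | LC_ALL=C comm -13 "$base_sorted" -
    rm -f "$base_sorted"
}

# Demo on constructed data: every account name and path below is made up.
audit_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
                  'alice:x:1000:1000::/home/alice:/bin/sh' \
                  'svc-backup:x:0:1001::/var/empty:/bin/sh' > "$d/passwd"
    printf '%s\n' 'sudo:x:27:alice,mallory' 'users:x:100:alice' > "$d/group"
    printf '%s\n' 'root' 'alice' > "$d/accounts.baseline"
    mkdir "$d/bin"
    : > "$d/bin/passwd"; : > "$d/bin/helper"; : > "$d/bin/ls"
    chmod 4755 "$d/bin/passwd" "$d/bin/helper"
    printf '%s\n' "$d/bin/passwd" > "$d/suid.baseline"

    echo "Privileged accounts not in baseline:"
    privileged_accounts "$d/passwd" "$d/group" "sudo wheel" |
        not_in_baseline "$d/accounts.baseline"
    echo "SUID/SGID files not in baseline:"
    privileged_files "$d/bin" | not_in_baseline "$d/suid.baseline"
    rm -rf "$d"
}
audit_demo
```

On a real system the functions would be pointed at /etc/passwd, /etc/group and the directories to be checked, and every reported entry reviewed by hand before the baseline is updated.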

7. Wireless networks (WLAN) / Server

The following provisions apply to the operation of wireless networks (WLAN) and servers.

  1. The departments and central facilities may operate their own wireless networks that allow access to the general computer infrastructure only with the consent of the computer centre. Isolated radio networks for training may be set up and operated as required.

  2. Network access to productive radio networks may only take place via user authentication. Access via hardware or IP addresses is not permitted.

  3. Data traffic in wireless networks must be encrypted. Under no circumstances may passwords be transmitted in plain text in a wireless network. Instructions for setting up the WLAN can be found on the web page WLAN (eduroam) of the computer centre.

  4. The access data (IP address, user account, time) for productive wireless networks must be logged.

  5. The departments and central facilities may operate their own servers that are connected to the university network only with the approval of the computer centre. Isolated servers in closed laboratory networks may be set up and operated as required.

  6. No servers may be operated in wireless networks.

  7. Servers may only be managed via external access points using a secure VPN connection. Information on setting up the VPN software can be found on the web page VPN access of the computer centre.

  8. The VPN access software, the configuration file for the VPN software and the user ID and password for dialling into the wireless network of Fulda University of Applied Sciences may not be passed on to other persons.

8. Data encryption

There are many products that support the encryption of data. If you want to send sensitive data as an attachment to an email, you can compress and encrypt the file or files, for example with the programme 7-zip. The password for decryption can then be communicated to the recipient by telephone, for example. “7-zip” also supports the encryption of the archive directory (header encryption), so that an unauthorised person cannot even find out the names of the files in the archive.

If you work on your hard drive on a daily basis, you do not want to encrypt and decrypt the files manually, especially as the files would then be stored unencrypted on the hard drive for the duration of processing. For this you need a product that encrypts and decrypts the data automatically and transparently for you (on-the-fly). These products can be divided into two classes:

  1. Products that encrypt individual files or all files in a file directory. This category includes, for example, the product Encrypting File System (EFS), which is an extension of the NTFS file system from Microsoft and can therefore be used in every modern Windows operating system. Since temporary files in the Windows world are often stored in other directories or even in other partitions, it can happen that the temporary files are available unencrypted after processing (the temporary file is deleted, but its content is not destroyed, so that it could be restored later).

  2. Products that create an encrypted partition in a file (a so-called container) or encrypt a complete partition of the hard drive. They are further divided into products that can only encrypt data partitions and those that can also encrypt system partitions. If a product can encrypt both data and system partitions, the entire hard drive can be encrypted. This group includes, for example, the commercial product SecurStar DriveCrypt and the free product VeraCrypt. The Wikipedia article “Comparison of disk encryption software” describes the features, availability, up-to-dateness etc. of many hard disc encryption programs. Microsoft Windows offers the programme BitLocker for some operating system versions.

A detailed description of the use of these programmes would go beyond the scope of this documentation. Further information can be found on Wikipedia: 7-zip, Encrypting_File_System, VeraCrypt, BitLocker.

9. Disposal of computers, printers and data carriers

When disposing of computers and data carriers, you should remember that the data is not physically destroyed or overwritten when the files are deleted, so that they can be restored later under certain circumstances. It is therefore essential that you observe the following notes.

  1. Make sure that sensitive documents or data carriers (hard disk, CDROM, DVD, memory stick, etc.) containing personal or other sensitive data are destroyed in a non-recoverable manner (e.g. using a shredder, where possible) before they are discarded.

  2. Ensure that hard drives are, if necessary, completely magnetised or destroyed in such a way that they cannot be recovered if they contain personal or other sensitive data.

  3. Remember that (network) printers are often equipped with hard discs on which files are temporarily stored before printing, and therefore do not forget to destroy the data on these hard disks before the printer is discarded.

  4. Many devices store configurations in flash memories. Remember to delete the configurations before removing the device from service, as knowledge of the configuration may facilitate an attack on the IT infrastructure.

  5. Remember that under certain circumstances multi-function devices, scanners, fax machines etc. may also be equipped with hard disks or flash memories on which data is stored temporarily. Delete this data before you discard the device.

10. Further information

Modern copiers are generally equipped with hard discs on which the copies are temporarily stored before printing. Do not forget to destroy the data on the hard discs before the copier is discarded. If personal or other sensitive data is also to be copied on the copier, the copier should always be installed in a locked room and should not be connected to the university network. The data can be read if a computer can be connected to the copier and the administrator password is known (for many copiers, the standard password is available together with the operating instructions on the Internet). Some copiers can be equipped with a module to securely erase the hard disc.
