This document provides guidance to staff and students on maintaining information security at Kingston University. It covers password protection, securing devices from theft, identifying phishing emails and malware, using encryption, and safely handling data. The Service Desk is available to assist with any IT security questions or incidents.
Keep IT Safe: An Information and Technology Services guide to security for staff and students
Information and Technology Services
Follow us on Twitter: @KU_ServiceDesk
Contact the Service Desk on 63355 or 020 8417 3355
Contents
01 Welcome from the Vice-Chancellor and CIO
02 Help and Support
03 Password Guidance
05 Email Security
09 Physical Security
11 Virus Protection
15 Data Handling
17 Credit / Debit Card and Online Payments
18 Reporting Security Incidents
Welcome – From the Vice-Chancellor and CIO
Everyone works with digital information and whilst the benefits are enormous for education,
research and administration, technology exposes us to many security risks.
A failure to secure the information we store has serious implications for the University, staff
and students. Breaches carry significant financial penalties, not to mention damaging the
reputation of the University or individuals. We continue to invest heavily in information security
but the weakest link can often be people.
This booklet provides some practical advice for staff and students to help identify security
risks and remain safe whilst using IT at the University or elsewhere. The University has a duty
to protect the personal, sensitive and financial information processed by its IT services, and
you will no doubt be keen to ensure that the work you produce during your time here is safe
from theft, loss or plagiarism.
If you have questions after reading this booklet you can either visit the dedicated IT Security
pages on StaffSpace or MyKingston or contact the Service Desk, who will be happy to help.
Julius Weinberg, Vice-Chancellor
Simon Harrison, Chief Information Officer
Keep IT Safe – Help and Support
IT Service Desk
The Service Desk offers help and support for any IT and Library related problems you may
encounter throughout your time here. Support is available via the telephone, Monday to
Friday between 08:00 and 18:30 by calling 020 8417 3355, or you can visit the IT Support
pages at mykingston.kingston.ac.uk/mysupport/itsupport and
staffspace.kingston.ac.uk/dep/it-services for online help and support.
If you are unable to log in to the Service Desk Portal, please submit an online form at kusdpw.kingston.ac.uk, giving us as much detail as possible about the problems you are experiencing with your computer.
Follow the Service Desk on Twitter for regular IT service updates, news and support.
Please also see the IT System Status on the My Kingston and StaffSpace homepages.
Opening Hours
Monday - Friday: 0800 - 1830
T: 020 8417 3355
W: portal.kingston.ac.uk
@KU_ServiceDesk
If you are concerned about a possible security incident, you should contact the Service Desk.
Further information about security can also be found on My Kingston
mykingston.kingston.ac.uk/mysupport/itsupport/Pages/security
and StaffSpace staffspace.kingston.ac.uk/dep/it-services/Pages/Security
Keep IT Safe – Password Guidance
Your password is crucial to protecting the security of your account. Passwords ensure that only authorised users can access the University’s IT facilities. Your password keeps your stored data and information private and secure.
What is a strong password?
Criminals have developed programs that automate the guessing of passwords. Someone with minimal skills and the right tools can easily guess short or ordinary words. The longer and more complex your password is, the more difficult it is to deduce or guess.
Password strength tips:
• Use long words, or preferably phrases, that are more difficult to guess
• Use at least one upper case letter and a number to make it even harder to guess
• Some examples of strong passwords based on the phrase ‘day follows night’ include:
  • ‘Dyfllwsnght’, which has the vowels removed
  • ‘D2yf0ll0wsn1ght’, which has all vowels replaced by numeric characters
How can I protect my password?
Do
• Do use a ‘strong’ password
• Do change it regularly, or if you think someone else may know it
• Do use different passwords for different IT services, so that if someone gains access
to your password it is of limited use to them
Don’t
• Don’t write your password down
• Don’t let anyone else know your password
• Don’t let anyone see you typing it
• Don’t type your password into an open-text field, such as your username
How do I change my password?
Staff
If you have forgotten your password, you can change it using the Password Changer. To use the staff email-based Password Changer at kusdpw.kingston.ac.uk/pass you will need to add your personal email address to the Content section of ‘Yourself’.
If you have any questions please contact the Service Desk.
Students
If you have forgotten your password, you can change it using the Password Changer. To use the student Password Changer you should first update your personal email address in ‘OSIS’. If you didn’t provide a personal email address, then you can contact the Service Desk.
Keep IT Safe – Email Security
Phishing
Email phishing is where a legitimate-looking email is sent by a fraudster in an attempt to acquire sensitive information such as usernames, passwords, credit card details, bank details or other information. It is not uncommon to receive an email claiming to be from a trustworthy source with the intention of tricking you into providing sensitive and valuable data.
How to spot a phishing email
• The ‘from’ address may not be a real organisation domain
• Think whether you are expecting an email correspondence from the organisation
• The link in the email is different from the URL specified in the mail
• The subject field is a generic statement
• The message contains poor spelling and grammar
• Unknown or suspicious attachments
Do
• Do hover your mouse over links and check the sender is legitimate
• Do report incidents and phishing attacks to it-security@kingston.ac.uk
Don’t
• Don’t open any attachments you may consider suspicious
• Don’t click on links you may consider suspicious
• Don’t reply to the email
The example below illustrates the points previously described.

From: Vincenzo Recupero <v.recupero@esattori.it> Sent: Mon 20/07/2015 11:07
To: Vincenzo Recupero
Cc:
Subject: R: Faculty and Staff Form Submission

Dear E-mail User.
Your EMAIL ACCOUNT PASSWORD Expires TODAY, to UPDATE Please Click LOGON and Follow Instructions.
Thanks
2015 ITS Help Desk Support Center

Subject: is too generic
From: not a Kingston University address
I&TS never ask users to provide user credentials
Link: ‘LOGON’ points to http://facultyportalmail.tripod.com, which is not a Kingston University link
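As an added example (not from the booklet or the University), here is a small Python check that applies the indicators listed earlier to a raw email, run against a constructed message modelled on the sample above; the trusted domain, the phrase lists and every address in it are assumptions:

```python
"""Check a raw email for the phishing indicators listed above (added example)."""
import re
from email import message_from_string
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("kingston.ac.uk",)  # assumption: the organisation's own domain(s)
GENERIC_SUBJECT = re.compile(r"form submission|account (update|notice)|important notice", re.I)
CREDENTIAL_BAIT = re.compile(r"password|log ?on|verify your account|expires? today", re.I)
RISKY_ATTACHMENT = (".exe", ".scr", ".js", ".zip", ".docm")
# Simple anchor matcher: enough for mail bodies, not a general HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw):
    """Return the list of indicators that fired; an empty list means none did."""
    msg, found = message_from_string(raw), []
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not sender or not is_trusted(sender.group(1).lower()):
        found.append("from: not an organisation address")
    if GENERIC_SUBJECT.search(msg.get("Subject", "")):
        found.append("subject: too generic")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_ATTACHMENT):
            found.append(f"attachment: suspicious file {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if CREDENTIAL_BAIT.search(body):
        found.append("body: asks for credentials or uses urgency")
    for href, text in ANCHOR.findall(body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested in the anchor
        if not is_trusted(host_of(href)):
            found.append(f"link: target outside the organisation ({host_of(href)})")
        if "." in text and host_of(text) != host_of(href):
            found.append(f"link: text '{text}' differs from target '{href}'")
    return found


# Constructed sample modelled on the booklet's example (not a real message).
SAMPLE = (
    "From: ITS Help Desk <helpdesk@example-mailer.test>\n"
    "Subject: Faculty and Staff Form Submission\n"
    "Content-Type: text/html\n\n"
    "<p>Your EMAIL ACCOUNT PASSWORD expires TODAY. Click "
    '<a href="http://portal-mail.example.test/login">https://my.kingston.ac.uk</a></p>'
)
```

Running `phishing_indicators(SAMPLE)` reports all five indicators for the constructed message, while a plain-text ticket update from a kingston.ac.uk address reports none.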
SPAM
SPAM is defined as the sending of unsolicited email to large groups of people, which will include large groups of University students and/or staff. While not necessarily malicious, SPAM can have a detrimental effect on the University’s computer network and, in some cases, can prevent important emails from reaching the intended recipient.
Do
• Do report large or excessive volumes of SPAM emails to it-security@kingston.ac.uk
• Do look for tick-boxes that allow you to opt out of newsletters and special offers etc.
Don’t
• Don’t reply to SPAM emails
• Don’t ‘reply all’ to University-wide emails
• Don’t publish your email address on any website unless absolutely necessary,
particularly on message boards and forums
• Don’t give your email address to suspicious websites in order to download shareware
or free programs
Reporting suspicious emails
You can help us handle phishing and SPAM emails by reporting any suspicious emails.
We will submit suspicious emails to Microsoft’s junk mail service, which in turn will mean they are marked and dealt with appropriately in the future.
You should report any suspicious emails to it-security@kingston.ac.uk
Don’t forward the original email; instead, attach it to a new email as follows:
In your University Outlook account:
1. Create a new email
2. Click on ‘Attach Item’ (envelope and paperclip icon at the top, just to the right of
centre) then select ‘Outlook Item’ and the phishing email from the list of items
3. Send to it-security@kingston.ac.uk
Keep IT Safe – Physical Security
Laptop crime is on the rise and unattended devices are easy targets for thieves. Thieves will target computers, laptops and mobile phones in cars, coffee bars, libraries and even on public transport.
Apple has a service called ‘find my phone’, which is available for users of Apple computers or phones. It is advisable to enable this feature if you can, as it can help to protect or locate your devices if they are lost or stolen.
Users of Windows or Linux devices can look at https://preyproject.com/, which offers a similar service for such devices.
If you have an Android phone, then please go to www.lookout.com
Reducing computer theft
Staff computers or laptops should be secured and offices locked when unoccupied.
A simple lock, cable and locked office door will deter the majority of opportunist thefts.
Security locks
Laptops, LCD monitors and most computers can be secured with a security lock and
plastic coated steel cable. These come in a number of forms such as Kensington, the most
well-known manufacturer. Variations on this theme include security plates that are bonded
to two or more items and secured via a cable and lock.
Locking your Computer
If you are office based it is important to lock your device when leaving it unattended, and to
turn it off at the end of each working day. This not only protects your device and its data,
but also supports the University’s green agenda by using less power.
If you are using one of the desktops in the LRC, then please remember to log out.
All staff laptops provided since summer 2015 now use BitLocker encryption to provide an additional level of security for sensitive information stored on laptops. Staff with older laptops who deal with sensitive information and would benefit from BitLocker (or FileVault for Apple devices) should contact the Service Desk.
Extra care should be taken when working on systems that contain sensitive data such as
student information and financial data. Data loss incidents are far more likely to occur when
a user leaves their workstation logged in but not locked. You should always ensure that you
save your work to the H: drive.
When working in open areas such as LRCs, computer labs or teaching rooms, you should never leave a computer unattended while it is logging off. The logoff process is not immediate and can be interrupted by anyone who chooses to do so. You should always wait until you see the login screen or the computer has powered off.
Keep IT Safe – Virus Protection
What is a Virus?
A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive. When this replication succeeds, the affected areas are then said to be ‘infected’.
Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user’s screen, SPAMming their contacts, logging their keystrokes, or even rendering the computer useless.
What is Anti-virus?
Anti-virus software is used to safeguard a computer from malware, including viruses,
computer worms, and Trojan horses. Antivirus software may also remove or prevent
spyware and adware, along with other forms of malicious programs.
Detection in these programs relies on regular anti-virus updates being applied. On a University-managed workstation this update is performed automatically by the system administrators; however, on personal devices such as laptops and home PCs, you must run regular updates yourself.
There are a number of free and commercially available anti-virus software packages such
as AVG, ClamAV, McAfee, Norton and Kaspersky available on the market.
Do
• Do make sure portable devices such as USB sticks are clean before transferring the
data from them
• Do contact the Service Desk if you experience issues
Don’t
• Don’t open attachments from unknown or suspicious sources
• Don’t click on links within emails
Malware
‘Malware’ is short for malicious software. Malware infections on your computer or other
data storage devices can have a serious impact, depending on what the malware was
designed to do. For example, it can:
• Corrupt or make important data inaccessible;
• Introduce hidden software which can detect usernames and passwords to University
systems, or personal data such as bank and credit card details, and transmit them to
criminals to use in fraudulent activities
Spyware
Spyware is any technology that aids in gathering information about a person or organisation without their knowledge. Spyware can get into a computer as a software virus or as a result of installing a new program, and could secretly capture your username, password, email address, banking credentials or credit card details.
Visiting websites for free downloads, illegal software downloads or illegal music downloads often results in a spyware infection.
What is Anti-spyware?
Anti-spyware is used to detect and remove malware and advertising software.
Anti-spyware software such as ‘MalwareBytes’ can be used to remove spyware and malware.
Do
• Do avoid sites offering pirated software, videos and games
• Do pay attention to the freeware you install: much of it these days is packaged with spyware, so be vigilant and install only what you want
• Do make sure your Windows/Mac/Linux OS installation is up to date with the latest patches and updates
• Do stop using your PC immediately and report it to the Service Desk if you think it is infected with spyware
Don’t
• Don’t enter any personal details on websites unless the website belongs to a trustworthy organisation and you can verify it
• Don’t open any email attachments that you are not expecting to receive. Even if it is from a known sender, under no circumstances should you give out or send back personal data, or follow any links, unless you are absolutely sure
What is a Firewall?
A Firewall is software or hardware that monitors incoming and outgoing traffic and restricts
or allows access to and from your computer depending on your firewall settings. Make sure
you keep it turned on at all times.
Keep IT Safe – Data Handling
The Data Protection Act states that you are responsible and liable for any personal or sensitive data you handle, so it is essential you do so securely.
This section refers mainly to the handling of information on non-University devices.
My Desktop Anywhere
Whenever possible, remote access to
University IT services should be via My Desktop Anywhere. This service is a secure method of
working with your normal KU desktop from any device anywhere in the world.
My Desktop Anywhere allows you to access University software applications and securely
work on sensitive, personal or financial information without the need to save anything on your
local device.
My Desktop Anywhere can be accessed from both My Kingston at mykingston.kingston.ac.uk/tools/Pages/My-Desktop-Anywhere and StaffSpace at staffspace.kingston.ac.uk/applications/Pages/My-Desktop-Anywhere
USB Memory Sticks
Popular for their ease of use, USB memory sticks are used by many people across the
University to store and transport files and other data to work with remotely. USB memory
sticks are an insecure method of storing information, and are easily lost or misplaced.
The University strongly advises against the use of USB memory sticks to hold sensitive data
unless they are encrypted. Encryption can be either ‘hardware encrypted’ in which case the
USB device has a small numeric keypad on it, and access to data on the device requires
entry of a valid PIN, or ‘software encrypted’ requiring the entry of a valid PIN or password
once the device has been inserted and recognised by a computer. Encrypted USB sticks are
available widely through high street and online stores.
Encryption
Encryption, put simply, means the translation of data into a secret code. Encryption is the
most effective way to achieve data security. To read an encrypted file, you must have access
to a secret key or password that enables you to decrypt it.
Full disk encryption ensures that everything stored on your device is encrypted. It is
recommended that you consider using this facility to ensure the privacy of your data.
On Windows computers you can use BitLocker, which is part of the standard Windows
operating system, and the equivalent on Apple computers is FileVault.
Before adopting either of these tools you should perform a full backup of your computer.
Email encryption is supported by Office 365. However, the University does not offer email
encryption as a standard service at this time, although it is expected that future Office 365
implementations at the University will include this.
‘Remember Me’
Many IT services require a username and password in order to identify and authenticate you.
It is common for many computers to offer a ‘Remember Me’ function to avoid the need to
enter these credentials every time you need to use the service. It is strongly recommended
that you do not tick this option to ensure that your credentials are not stored on the computer.
Email Attachments
Email is an insecure communication medium. Email attachments are stored in temporary
folders and will often remain there long after you have closed your email application and left
the device. It is strongly recommended that information of a sensitive nature is not sent or
viewed as an email attachment.
Sending or Receiving Large Files
Occasionally it may be necessary to transfer large files of information between the University
and a third party. In such cases a secure file transfer protocol (FTP over SSL or FTPS)
mechanism, or similar, should be used. If unsure, contact the Service Desk for assistance.
Keep IT Safe – Credit / Debit Card & Online Payments
Telephone Payments
When making payment over the telephone you should be careful that you are not overheard. When possible make sure that you are in a room alone, or can be certain that others are out of hearing distance.
Online Payments
When making payments using a website’s online payment facility, it’s important that the page you enter your details onto is using a secure connection. This ensures that your details are encrypted as they pass between your device and the supplier’s website over the internet.
Always look for the padlock symbol in your web browser’s address bar, and the HTTPS:// prefix to the URL. If you are unsure or can’t easily identify it as being secure then don’t enter your details. When you do enter your details into a secure website it’s also important to make sure that nobody can see you do it.
Keep IT Safe – Reporting Security Incidents
Remember, if your system suffers from a security incident, you should contact the Service Desk or email it-security@kingston.ac.uk
Need support? Contact the Service Desk
T: 020 8417 3355 (internal: 63355)
Opening hours: Monday - Friday: 0800 - 1830
W: portal.kingston.ac.uk
Follow us on Twitter: @KU_ServiceDesk