Device security

Workplace computers are an especially popular target of attacks. Staff use applications that open online content, like web browsers, email programmes, PDF viewers and office suites. This is usually where malware comes into play: If users visit websites infected with a virus, open emails with compromising content or copy malware from a local drive to the university network, the malware spreads around the university network and/or prevents users from accessing files and systems (ransomware).

There is no perfect IT security

To prevent or minimize damage from an attack, there are a variety of technical and organizational measures that can be taken in the areas of prevention, detection and response. Malware and attack vectors are constantly being developed further and use new security gaps that may not yet have been closed (zero day exploits). There is unfortunately no way to have complete IT security. However, there are simple ways to minimize the risks.

Best practices: System hardening

• To generally protect against security gaps that have been closed, you should install security updates for your operating system and programmes as soon as they are released, preferably automatically. This is especially the case for applications that are used to access the internet, like web browsers, browser plug-ins, email programmes, PDF viewers and office suites. Make sure that your applications are still being provided with security updates. (Instructions for Windows 10 (in German))
   
• To reduce your system’s vulnerability to attacks, uninstall/deactivate all software, plug-ins (e.g. Flash, Java, Silverlight), functions and connections (e.g. bluetooth, remote access) that you do not need. (Instructions for Windows 10 (in German))
  • Deactivate the execution of “active content” in software applications (e.g. Word/Excel macros in Microsoft Office, Java script in browsers and PDF viewers). If macros are required for certain internal processes, then macros should only be allowed with a defined digital signature). (Instructions (in German))
     
• Install antivirus software that updates automatically to prevent the execution or spread of malware. Check your computer’s security status regularly (scan for malware). (Instructions (in German))
   
• Use the security functions of your operating system to make it more difficult for malware to infect your computer (Instructions for Windows 10), especially:
  • Administrative tasks should be separated from everyday tasks by using different accounts: There should be one standard account per user for everyday tasks and an administrator account for tasks such as software installation and system maintenance. (Instructions for Windows 10 (in German))
     
  • Application (directory) whitelisting reduces the number of applications that can be executed, blocking applications from running by default in the user directory which is generally where malware is downloaded to. (Instructions for Windows 10 (in German))
• Create password guidelines, set a limit for log-in attempts as well as a period of inactivity after which a computer is automatically locked. (Instructions for Windows 10 (in German))
   
• A well-configured desktop firewall reduces your vulnerability to attack. (Instructions for Windows 10 (in German))
   
• Protect your data from theft (especially mobile devices or external drives), for example, by locking up and encrypting drives. (Instructions (in German))
   
• The BIOS/UEFI set-up should be password-protected and the start sequence should be configured so that the computer boots from the primary drive (and not from a CD / DVD). Communication interfaces that you do not need should also be deactivated during start-up (e.g. FireWire, Thunderbolt). Using a secure boot protects against unreliable boot loaders, because only signed boot loaders are allowed, and it should be activated during the BIOS/UEFI set-up.

Best practices: Good IT hygiene

• Create regular, preferably automatic, backups of your data, to ensure you can access it at any time (e.g. if you fall prey to a ransomware attack). Data must be secured in an offline backup, since many types of ransomware also encrypt online backups, like data on NAS systems or shadow copies. Each backup operation should also include planning and preparation for restarting the system and restoring the data. (Instructions (in German))
   
• Make sure to create and use secure passwords. Never share your password or write it down in an easily accessible place. Use different passwords for different purposes. A privileged account should always use two-factor-authentication. A password manager software can help keep track of passwords. (Instructions (in German))
   
• If you would like to send confidential information (e.g. personal data), then encrypt it first. (Instructions (in German))
   
• Emails, especially those with sensitive personal information, should be moved from your inbox to a suitable secure file storage system (e.g. an encrypted document management system).
   
• Be suspicious of things like links or attachments sent to you via email.
  • If something seems suspicious (e.g. you received an unexpected email from an unknown sender), then try to verify the sender is legitimate. Check the full email address of the sender (instructions for Thunderbird (in German)). Call the sender if you are unsure. (Instructions (in German))
  • Attempt to verify the link listed in the email is a legitimate page. (Instructions (in German)) If you set your email account to the plain text view, then web addresses can’t be hidden in HTML formatting, which could protect you from unintentionally clicking on links to malware. (Instructions for Thunderbird (in German))
     
  • Try to assure that attachments are safe to open. Do not allow active content to run. If, even after contacting the sender, you are not entirely sure the attachment is safe, you should only open it on an isolated system (“sandbox”) and change it to another safer format before working with it. (Instructions (in German))
• Do not open any external drives on your computer, no matter whether they are your private ones, of from someone else or even one you found, before it has been confirmed that they are free of malware.
   
• Lock your computer when you leave, even if you will only be gone for a moment, and make sure your office is locked when the last person leaves. A password must be required to unlock the computer.
   
• Make sure you have “write” access only to the network drives where it is absolutely necessary. Drives where you have “read-only” access will not be endangered if you are the target of a ransomware attack.
   
• Do not synchronize any work files on external cloud services, not even backups and configurations (e.g. WLAN/Wi-Fi passwords). (Instructions (in German))
   
• In addition, regular scanning of IT systems can check whether system hardening and security measures have been appropriately implemented. Such regular checks should also include whether available updates for operating systems, browsers and other applications have been installed. (Instructions (in German))
   
• If you become aware of an incident involving either a threat to or breach of personal data or any other information security issue, please report it immediately. (Instructions (in German))
   
• Develop a damage-reduction strategy / incident response system, that, e.g.
  • identifies malfunctions as soon as possible
  • identifies and isolates infected devices as quickly as possible
  • limits the scope of damage and prevents additional damage
  • finds and closes attack vectors to prevent repeated damage
  • enables business to return to normal.

Further information (in German)

• BSI for everyone: How to secure your computer
• BSI for everyone: online risks 
• BSI for everyone: responding to an internet attack