Information Security

Cybersecurity Best Practises

In order to complement the information provided in the ICT Service webpages, you can adopt the following preventative measures to protect your data and keep your devices safe while contributing to keep EUI’s infrastructure and data safe.

Protect devices (laptop, tablet and smartphone)

Personally owned devices

To connect your personal devices safely to EUI’s infrastructure or to access email and cloud resources, it is of upmost importance that you keep your personal devices secure.

Protect your personal devices by applying patches and performing frequent data backups; encrypting it using the built-in tool (including USB drive). Protect devices using anti-malware software (see also free solutions available for all operating systems of smartphones and laptops).

You can refer to this online documentation for further information: Anti-Virus Protection

EUI service devices

Laptops and desktops are protected by anti-malware solutions and they are kept up-to-date and monitored to prevent malware infections as described in the following policy: Virus Protection Policy, User's Rights and Duties

Make sure to store your work-related data on the EUI servers (G: Drive, S: Drive, etc.) or on the EUI cloud (OneDrive for Business, Teams, SharePoint): Storage

Avoid pop-ups, unknown emails, and links

Beware of phishing. Phishers try to trick you into clicking on a link that may result in a security breach.

Phishers prey on employees in hopes they will open pop-up windows or other malicious links that could have viruses and malware embedded in them. So, be cautious of links and attachments in emails from senders you do not recognize. With just one click, you could enable hackers to infiltrate EUI’s network and infrastructure.

Never enter personal or company information in response to an email, pop-up webpage, or any other form of communication you did not initiate. Phishing can lead to identity theft or allow that ransomware attacks occur. Refer to additional documentation available in the Information security page.

Protect your digital identity

Criminals may try to get important pieces of personal information such as your name and address, date of birth and user account and password. You are advised to avoid sharing personal data, user accounts and password, ICT service will never ask your EUI password.

Enable multi-factor authentication when available (i.e. Facebook, LinkedIn, Dropbox offer additional verification methods to avoid profile’s compromise). You may check if your data in social media has been breached checking your personal email in one of the following sites:

https://haveibeenpwned.com/ (external lik)

https://cybernews.com/personal-data-leak-check/ (external link)

The risk of signing up to social media using EUI email

Users are advised to consider the risks of signing up to social media using EUI email and should not reuse password between accounts, especially regarding to EUI accounts. Information captured in social media leaks can be used to impersonate the victims, to identify their contact data, to allow threat actors to fine tune and highly target future phishing emails either to the individuals who had their data leaked or to their connections.

Fraud prevention

You can safeguard your personal details online, by checking your privacy settings and controlling what information you share. To keep your information secure:

• make sure your social media profiles are private
• always think carefully before sharing data with others

Scammers can sound genuine, as they may have gathered information about you online or in data breaches occurred in social media or in online shopping websites.

You may visit Europol link for further information on online frauds and Money Muling (external link).

EUI Account

Hackers attempt to compromise EUI accounts either to access data and mailboxes or to launch phishing campaigns against other users/institutions.

In case your mailbox is compromised, it may be automatically blocked not allowing any message to be sent outside the @eui.eu domain.

• If you suspect that your EUI email address (and password) has been compromised, contact the EUI Helpdesk immediately
• If the account has not been blocked yet, change the password immediately
• If the accopunt has already been blocked, contact the EUI Helpdesk

Please take into account it may take up to two weeks in order to remediate a compromised account!

non-EUI Account

For non EUI email accounts, you may check Have I Been Pwned? website.

Please remember NEVER to use the same password for personal (e.g. GMail, Hotmail, Yahoo, etc.) and work (@eui.eu) accounts!

• The course is delivered through the EUI e-Learning platform and can be attended at one’s own pace in an around two-month timeframe. Recipients will receive an invitation with the link to the course
• Click here for an outline of the course (in PDF format)

EUI scholars and principal investigators who require ICT Service approval for information security should complete the Information Risk Management Questionnaire below and send it to the Data Secirity Officer (DSO) via [email protected]

You may refer to the below Information Security Guidelines  regarding the compliance with data protection requirements and the checklist of security controls. The information will be used by the DSO to assess the project risk level and to provide advice on the adequate safeguards to implement.

• Information Security Guidelines (EUI credentials required)
• Information Risk Management Questionnaire (EUI credentials required)

What Is Phishing?

Phishing is an attack that aims at collecting sensitive information by masquerading as a trustworthy entity. It starts with a personalised email or other electronic communication where the attacker is using social engineering, a technique attempting to fool you into taking an action.

The goal of the phishing action is that either you directly provide sensitive information or you help a malicious software (e.g. virus) to be installed and further harvest information, steal documents and login credentials to web pages, or access and infect other computers. The attacker then uses the collected information to harm the EUI or you (e.g. empty your bank account).

How Does Phishing Work?

The attackers want you to:

• Open an attachment
• Click on a link (with or without request to provide your login credentials)
• Continue the conversation

 Red Flags That Will Help You to Identify an Email Phishing Attack

• Password-protected attachments
• Sense of urgency
• Generic greetings
• Grammar and spelling mistakes
• Links with intention not to show apparent destination (e.g. "click here", URL shortening)
• Someone pretending to be a successor of somebody
• Someone offering money
• Internal ''Helpdesk'' email coming from a non @eui.eu email address

What Should I Do?

If an email seems odd or too good to be true (!) it is most likely an attack.

• Be suspicious of attachments and only open those that you were expecting.
• Be suspicious of any email that requires "immediate action" or creates a sense of urgency.
• Be suspicious of emails addressed to "Dear Customer" or some other generic salutation. If it is your bank they will know your name.
• Be suspicious of grammar or spelling mistakes; most businesses proofread their messages carefully before sending them.
• Never answer requests for passwords, pin codes, etc., even from an IT User support
• Be suspicious with email coming from someone you know but not from the usual email address (for instance, from @gmail.com when usually you interact with @eui.eu or @yahoo.com).
• Hover your mouse over the link. This will show you the true destination where you would go if you actually clicked on it. If the true destination of the link is different, this may be an indication of fraud

I Received a Phishing Email!

The EUI is actively protecting its networks and information systems against possible malicious intrusion.

Help us improve this service by notifying us of any suspicious email you receive in your mailbox!

• Please send any suspicious email to [email protected] email address.
• In case you clicked on a link, opened an attachment in a phishing email or notice any suspicious behaviour of your computer, please immediately report to [email protected] or call +39 055 4685 600 (ext. 2600).

The EUI is continuously targeted by various types of cyber-attacks. Staff travelling and on missions are particularly at risk, especially when travelling abroad. This page gives you some short Information security tips and tricks to reduce such risks.

General Advice When Travelling

1. Avoid Shared PCs
   
   Avoid shared PCs in hotel lobbies or airport lounges. Always assume they are not secure. If you must use them, just read the news and avoid typing sensitive personal information or passwords on these PCs.  Especially do not type EUI passwords on these PCs. PCs in hotel lobbies and airport lounges are both attractive and easy as targets, so it is likely that these PCs are compromised by several different attackers who are waiting to capture interesting information.
   
   
2. Be Aware of Your Surroundings
   
   When traveling it is important to be aware of your surroundings. Do not leave your devices unattended in public places, be aware who might be looking over your shoulder when you are working on them.
   
   
3. Be Careful With Free WiFi
   
   Be careful when using wireless network connections, such as free WiFi in coffee shops, WiFi in hotel rooms and conference venues, WiFi points in an airport lounge, etc. These WiFi points are attractive targets for attackers and they are often insecure. Attackers can easily set up a fake WiFi hotspot with a familiar sounding name.

About Using Your Laptop

4. Software Updates
   
   Give your laptop all software updates and patches before leaving on a mission. This is very important! To get updates and patches bring your laptop to the office, connect it to the fixed network, log off or restart the PC, while keeping it connected. Make sure updates and patches are installed at least weekly and definitely before taking the laptop on a trip. If you cannot bring the laptop to the office then connect with the remote access connection and then log off or restart the PC. This will install any updates and patches.
   
   
5. Remote Access
   
   EUI's remote access service is available through secure VPN connection to access personal and shared folders at EUI. See VPN Remote Connection for further details.
   
   
6. Disk Encryption
   
   In the case you arestoring personal and sensitive data on your laptop, you might consider to protect your EUI laptop with full disk encryption (also known as bit locker), which prevents people from accessing your data, even when the laptop is stolen. But it is important to keep this (BitLocker) code secret. This security measure has been adopted on new laptops and it is deployed upon request.
   
   If your laptop is stolen, then notify the EUI Helpdesk immediately.
   
   
7. Anti-virus
   
   Your EUI laptop (and desktop) is protected with anti-virus products. But it is important to avoid suspicious files and suspicious emails because the EUI faces advanced attackers who avoid detection by anti-virus products. Avoid using or exchanging USB sticks with others. Do not accept USB sticks you find or which are offered to you while on mission.  Prefer an exchange of files via email. See also Share Safe topic.

About Using Your Smartphone or Tablet, Whether Personally-owned or Corporate

8. Software Updates
   
   Smartphones and tablets are typically more secure than normal PCs and many of the cyber-attacks for PCs do not work on smartphones or tablets. But it is not impossible to hack smartphones. It is important to keep your phone software up-to-date. Update the software before leaving on a mission.
   
   
9. Telephony and Texting
   
   When travelling do not exchange sensitive information via normal telephony or SMS messages, because normal telephony and SMS can be easily intercepted.
   
   
10. Disk encryption
    
    Most smartphones (like iPhones) have full disk encryption automatically turned on. This prevents data leakage when your phone is stolen or lost. But it is important to keep the PIN of your phone secret.
    
    If your phone is stolen, notify the EUI Helpdesk immediately!
    
    
11. Internet Connections
    
    If eligible, favour cellular data connection (3G and 4G) or corporate/institution WiFis rather than free/public ones for internet browsing and be aware and always make sure that webpages you visit use HTTPS.

To reduce the risks of cyber incidents caused by phishing attacks, EUI is checking links to external websites via a service called Advanced Threat Protection (ATP). When you open the link, the email security system will check its threat status. If there is no risk detected, it will simply redirect your browser to the initial URL. In case the link doesn’t seem secure, the URL will be blocked.

Why?

Emails are one of the main instruments of cyber-attacks. To protect the EUI against threats, emails that come from outside are checked at entry into the EUI's IT systems. The EUI’s security system checks any web links that they contain, to ensure that the sites they point to are safe.

Attackers now commonly use web links that seem to point to inoffensive sites to defeat the security system. Moments after the messages have been successfully checked and delivered to their recipients' mailboxes, the attackers change the URL to carry malicious payloads. This means that even if a harmless message is delivered in your mailbox, it can be turned into a threat.

Would It Be Possible to Disable This Protection (i.e. Is There an Opt-out Mechanism)?

The purpose of rewriting URLs in emails is to protect information (both the EUI's and the users) and the whole IT environment. The URL rewriting and checking mechanism is therefore applied systematically, as part of the EUI's email services, as a matter of Information security. The original URL is contained in the rewritten URL, and can be recovered if needed (see Safe Links for more details).

Additional Information

For further information on this topic, please check Office 365 Advanced Threat Protection.

• Contact the EUI Data Security Officer (DSO) at [email protected]
• Report phishing to [email protected] 
• Report abuse and malware to [email protected]
• If your EUI account has been blocked or hacked, contact the EUI Helpdesk