Phishing attacks

Kirsten Scott made this Freedom of Information request to University of the Highlands and Islands

This request has been closed to new correspondence from the public body. Contact us if you think it ought to be re-opened.

Dear University of the Highlands and Islands,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Kirsten Scott

FOI, University of the Highlands and Islands

Dear Ms Scott,

Re: Freedom of Information (Scotland) Act 2002 – Request for Information

Thank you for your enquiry, which has been logged and passed to the relevant department within the University for processing. Please quote reference number 086 should you need to contact the University regarding this request.

A response will be sent to you promptly and in any case not later than 20 working days after the date we received your email. The University will make every effort to provide you with the information requested; if any clarification is required, the University will contact you as soon as possible.

In some circumstances, it may not be possible to provide you with an answer to your enquiry. Where the University believes this is the case, you will be informed in writing, stating the reason(s).

If the information you are seeking is already published by the University, or is otherwise available to members of the public, you will be sent details outlining how to access the information.

You will be advised if it is necessary for the University to charge a fee to cover the costs of processing your request. Should this be the case, please note the information cannot be released until such payment is received.

If you have any questions regarding your request for information then please do not hesitate to contact me.

Yours sincerely

Christine Shaw
Corporate Governance Officer
DDI / Fòn: 01847 889380


Christine Shaw, University of the Highlands and Islands

Dear Ms Scott,

Re: Freedom of Information (Scotland) Act 2002 – Request for Information

I refer to your request for information received on 22nd November 2016 relating to phishing attacks.

I regret to inform you that the University of the Highlands and Islands will not disclose the specific information that you have requested because to do so may unnecessarily lead to an increased risk of a phishing attack to University systems and to the personal data contained within them that would be in breach of the seventh data protection principle. The information you have requested is regarded as commercially sensitive and confidential and disclosure of such information is exempt from disclosure in accordance with Section 33(1) of the Freedom of Information (Scotland) Act on the basis that it may lead to harm.

I am, however, able to advise that the University undertakes vulnerability testing in accordance with a continual internal review process and also regularly contracts with Janet ESISS (Education Shared Information Security Service) to conduct external penetration testing of the University network and IT systems. I regret that all information contained within reports provided by ESISS is subject to the strictest confidence for the purposes of discussion between Janet ESISS and University of the Highlands and Islands only and may not be disclosed to third parties without prior permission of both parties.

The primary contact at the University for Information Security matters is:

Director of Learning and Information Services
University of the Highlands and Islands
Executive Office Fairways
Clark Thomson House
Fairways Business Park
Inverness
IV2 6AA
Telephone: +44 (0)1463 279307
Email: [1][email address]

The University operates as a collegiate federal partnership comprising thirteen further and higher education colleges, specialist colleges and research institutions, and tuition fees are collected directly by these independent institutions. A list of contact details for our partner organisations is available at [2]http://www.uhi.ac.uk/en/campuses and you may wish to contact our partners directly in connection with your request.

If you are not satisfied with our response or our reasoning set out above, you have forty working days in which to request a review of our decision. Any request should be put in writing and should be sent to me at the address detailed at the bottom of this email. Your request should:

(a) describe the nature of your original request; and
(b) explain the reasons why you are not satisfied with our response.

If you remain dissatisfied with how your request for information has been dealt with, you also have the right to apply to the Scottish Information Commissioner for a decision as to whether we have handled your request properly.

Information relating to your right to seek review is available from the Scottish Information Commissioner's web page at: [3]http://www.itspublicknowledge.info/faqs.... or by contacting the Scottish Information Commissioner's Office at the following address:

Scottish Information Commissioner,
Kinburn Castle,
Doubledykes Road, St Andrews,
Fife
KY16 9DS
Telephone: 01334 464610
Fax: 01334 464611
E-mail: [4][email address]
Website: [5]www.itspublicknowledge.info

Yours sincerely

Christine Shaw
Corporate Governance Officer
DDI / Fòn: 01847 889380

------------------------------------------------------------------------------------

From: Kirsten Scott
Sent: 22 November 2016 10:11:59 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
To: FOI
Subject: Freedom of Information request - Phishing attacks


References

Visible links
1. mailto:[email address]
2. http://www.uhi.ac.uk/en/campuses
3. http://www.itspublicknowledge.info/faqs....
4. mailto:[email address]
5. http://www.itspublicknowledge.info/
6. mailto:[FOI #372961 email]
7. mailto:[UHI request email]
8. https://www.whatdotheyknow.com/change_re...
9. https://www.whatdotheyknow.com/help/offi...
10. https://www.whatdotheyknow.com/help/ico-...