Phishing attacks

The request was successful.

Dear Kingston University,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Kirsten Scott

Murr, Cathy, Kingston University

Dear Kirsten

Thank you for your recent request for information relating to Kingston University. Your request was received on 22/11/2016 and is now being dealt with under the terms of the Freedom of Information Act 2000.

Please note that in some circumstances a fee may be payable prior to information being supplied. If a charge is applicable in this case I will contact you to request payment before proceeding further. Details of the University’s charging policy can be found in section 3 of its Freedom of Information Policy, available at the link below:

http://www.kingston.ac.uk/aboutkingstonu...

I will be in touch again in due course and in any event not later than 20/12/2016 this being twenty working days following receipt of your request. In the meantime, please feel free to contact me if I can be of any further assistance.

Kind regards

Cathy

…………………………………………….
Cathy Murr

Resources and Compliance Team
Library and Learning Services
Kingston University


Murr, Cathy, Kingston University

1 Attachment

Dear Kirsten

Further to your recent request for information, the University’s response
follows.

1. What is your policy for using personally owned devices accessing IT
applications?

We allow access to both student and staff with personal and corporate
devices

2. Do you have visibility into devices that are used to access University
applications?

Yes

3. Do you use multi-factor authentication (such as a hardware token,
software code generated by a mobile phone app, or an SMS code) to access
IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students,
faculty and staff onto the devices, apps, intranet or IT network

• Yes, we only use it for access to all sensitive data such as financial
payments, grades and personally identifiable data (PII) data held on the
network

• No, we just use single factor authentication today

• We just use single factor authentication today but we are planning on
implementing multi-factor authentication in the next 12 months.

The University believes that disclosure of the requested information would
be likely to be harmful to the security of the University and is
therefore exempt from disclosure under section 43 (2) of the Freedom of
Information Act (2000). Please see attached a Public Interest Test.

4. What security risks in personal devices are you most worried about when
accessing University applications?

Out of date software. Ex: Operating systems, browsers

5. What is your policy regarding patching and updating digital devices,
operating systems and apps which access your corporate network? Please
select one answer only.

This varies depending on the relevant risk profiles. The University
believes that disclosure of the requested information would be likely to
be harmful to the security of the University and is therefore exempt from
disclosure under section 43 (2) of the Freedom of Information Act (2000).
Please see attached a Public Interest Test.

6. Has your university ever been the victim of a phishing attack (where an
individual is duped into disclosing their login, password or credit card
details via an email purporting to be from a trusted source)? Please
select one answer

Yes

6a. If yes, how often have you experienced a phishing attack in the last
12 months? Please select one answer.

0-5 times

6b. If yes, which is the most common target of the phishing campaigns?
(please select one)

Employees

6c. What type of data was being targeted? (select all that apply)

Other (please specify) Address box

6d. Did you identify the attackers and, if so, are they? (select all that
apply).

Opportunistic hackers (non-organised)

This completes the University’s response to your information request. If
you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request an internal review of our
decision please contact:

Director of the Vice-Chancellor’s Advisory and Support Department, email:
[email address] or by post: Kingston University, River
House, 53-57 High Street, Kingston upon Thames, KT1 1LQ.

In the event that you are not content with the outcome of your complaint
you may then apply directly to the Information Commissioner for a
decision. Generally, the Information Commissioner cannot make a decision
unless you have exhausted the complaints procedure provided by Kingston
University. The Information Commissioner can be contacted at:

The Information Commissioner’s Office, Wycliffe House, Water Lane,
Wilmslow, Cheshire, SK9 5AF.

I hope that you now have the information you require.

Cathy

…………………………………………….

Cathy Murr

Resources and Compliance Team

Library and Learning Services

Kingston University
