Phishing Attacks

Barry Salmon made this Freedom of Information request to University of Sheffield

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was successful.

Dear University of Sheffield,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

Anne E Cutler, University of Sheffield

Dear Mr Salmon

I write in response to your recent Freedom of Information request to
Sheffield University:

1. What is your policy for using personally owned devices accessing IT
applications?
•       We allow access to both student and staff with personal and
corporate devices

2. Do you have visibility into devices that are used to access University
applications?
 
It is not clear what this question means.

3. Do you use multi-factor authentication (such as a hardware token,
software code generated by a mobile phone app, or an SMS code) to access
IT applications? Please select one answer only.

•       Yes, we use multi-factor authentication for all access by
students, faculty and staff onto the devices, apps, intranet or IT
network
•       Yes, we only use it for access to all sensitive data such as
financial payments, grades and personally identifiable data (PII) data
held on the network
•       No, we just use single factor authentication today
•       We just use single factor authentication today but we are
planning on implementing multi-factor authentication in the next 12
months.

 
None of the above.

4. What security risks in personal devices are you most worried about
when accessing University applications?
•       Out of date software. Ex: Operating systems, browsers
•       Physical security of devices. Ex: passcode lock
•       Jailbroken / Rooted devices
•       Others (Please specify)

Information not held.
 

5. What is your policy regarding patching and updating digital devices,
operating systems and apps which access your corporate network?  Please
select one answer only.

•       We implement all patches/upgrades within 48 hours from
notification
•       We implement all patches/upgrades within 7 days of notification
•       We implement all patches/upgrades within 30 days of notification
•       It is impossible for us to maintain all devices, operating
systems and apps at the latest version and patches/upgrades typically
take longer than 30 days to implement.
•       We outsource the patching and upgrade of all our devices and
systems to a third party

None of the above. 

6. Has your university ever been the victim of a phishing attack (where
an individual is duped into disclosing their login, password or credit
card details via an email purporting to be from a trusted source)?
Please select one answer

•       Yes 

6a. If yes, how often have you experienced a phishing attack in the last
12 months?  Please select one answer.

  There have been 51+ attempted attacks; this does not mean there have
been 51+ successful attacks.

6b. If yes, which is the most common target of the phishing campaigns?
(please select one)

•       Students
•       Lecturers/faculty staff
•       Employees
•       Other (please specify)

Information not held.

6c. What type of data was being targeted? (select all that apply)
•       Student personally identifiable information (PII) e.g. date of
birth. National Insurance Nos.
•       Employee PII
•       Financial/payroll data
•       Research/patents
•       Other (please specify)

Information not held.

6d. Did you identify the attackers and, if so, are they? (select all
that apply).
•       Organised cyber-criminals
•       Opportunistic hackers (non-organised)
•       Political hacktivists
•       Disgruntled employees/former employees
•       Disgruntled students/former students
•       State sponsored hackers
•       Other (please specify)

Information not held.

I am required under the Act to inform you that if you have cause for
genuine complaint regarding our reply to your request for information, you
should write to the University FOI Unit, 10-12 Brunswick Street, Sheffield
S10 2FN or email [1][University of Sheffield request email] explaining why you are not
satisfied with the result.

 

If you still remain unsatisfied with the University's decision, you will
be entitled to complain to the Information Commissioner, Wycliffe House,
Water Lane, Wilmslow, Cheshire SK9 5AF.

 

Yours sincerely

 

Anne Cutler

Corporate Information and Computing Services

University of Sheffield

10-12 Brunswick Street

Sheffield

S10 2FN

show quoted sections