Phishing attacks

Barry Salmon made this Freedom of Information request to University of Warwick


The request was successful.

Dear University of Warwick,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

infocompliance, Resource, University of Warwick

Thank you for your email which has been received by the University Legal
Compliance Officer.

The University undertakes to respond to Freedom of Information requests
within 20 working days and to Data Protection requests within 40 calendar
days.


Thank you

Legal Compliance Team

infocompliance, Resource, University of Warwick

Dear Mr Salmon,

Thank you for your email dated 14th of December 2016 requesting
information about the University of Warwick. Your request is being
considered under the Freedom of Information Act 2000. Please find below
your original request and our response.

1. What is your policy for using personally owned devices accessing IT applications?

• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

The University allows access to both student and staff with personal and corporate devices.

2. Do you have visibility into devices that are used to access University applications?

• Yes
• No

No, the University does not have visibility into devices that are used to access University applications.

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

The University currently uses single factor authentication but is planning on implementing multi-factor authentication within the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?

• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

Others: malware, compromised devices.

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

It is impossible to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

Yes

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)

• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).

• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

For the above questions 6a and 6d, the University confirms that it holds
some of the requested information but declines to provide the information
as it believes it is exempt from disclosure under section 31(1)(a) of the
Freedom of Information Act.

The University is not obliged to provide information if its release would
prejudice the prevention or detection of crime. In this case, the
University believes that releasing detailed information regarding phishing
attacks creates a security risk and is likely to prejudice the prevention
or detection of crime under section 31(1)(a). Disclosure would make the
University more vulnerable to crime, including a phishing attack from an
external hacker. By divulging the requested information the University
would be likely to unnecessarily expose itself to the risk of harm and
potentially huge financial cost.

The exemption at section 31(1)(a) is a qualified exemption which means
that the University must consider whether the public interest in
maintaining the exemption outweighs the public interest in disclosure. The
University recognises that there is legitimate public interest in providing
information generally as this encourages openness, accountability and
informed public debate. However, the University also believes that there is
a strong public interest in maintaining the exemption if disclosure would
be likely to prejudice the University’s ability to perform its functions
effectively in that the University would be diverted from its day-to-day
work in order to deal with the consequences of phishing attacks. In
addition to the delay and disruption to the University, the consequences
of such attacks would incur a huge financial cost in repairing infected
devices and/or purchasing and installing new equipment. Therefore, the
University is of the opinion that the public interest lies in favour of
withholding the requested information.

If you are unhappy with the way in which your request has been handled by
the University of Warwick, you can request an internal review and in the
first instance you are advised to follow the procedure outlined here:
[1]http://www2.warwick.ac.uk/services/gov/l...

If you remain dissatisfied with the handling of your request or complaint,
you have a right to appeal to the Information Commissioner at:

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Phone: 0303 123 1113

Website: [2]https://ico.org.uk/

There is no charge for making an appeal.

Yours sincerely,

Helen Pennack

Helen Pennack | Director of University Marketing| External Affairs
University House | University of Warwick | Coventry | CV4 8UW


References

Visible links
1. http://www2.warwick.ac.uk/services/gov/l...
2. https://ico.org.uk/