Phishing attacks

Barry Salmon made this Freedom of Information request to University of Bristol

The request was successful.

Dear University of Bristol,
1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer.

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII), e.g. date of birth, National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, who are they? (select all that apply)
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

University of Bristol FOI mailbox, University of Bristol

Thank you for your email.
The University will respond to requests under the Freedom of Information
Act within 20 working days. We may need to ask you certain questions to
clarify your request to ensure we fully understand what information is
being requested. If so, the 20 working day deadline will be calculated
once we have received such clarification. 
The University's A-Z index can help in locating information that is
publicly available on the University's
website: [1]http://www.bristol.ac.uk/index/
Our Publication Scheme is available
at: [2]http://www.bristol.ac.uk/media-library/s...
The Higher Education Statistics Agency (HESA) annually publish certain
data about students and higher education, and also have a bespoke data
request service: [3]https://www.hesa.ac.uk/
For further information about the University's FOI procedure, please
see: [4]http://www.bristol.ac.uk/secretary/foi/

--
Review procedure
If you are not satisfied with the University’s response to your request
you may ask the University to review the response by writing to:
Director of Legal Services
Secretary’s Office
University of Bristol 
Senate House
Tyndall Avenue
Bristol BS8 1TH 
Email: [5][University of Bristol request email] 
enclosing a copy of your original request and explaining why you are
requesting a review. The full review procedure is set out at:
 [6]http://www.bristol.ac.uk/secretary/foi/r...
Your request for internal review should be submitted to us within 40
working days of receipt of a response.  
If you are not satisfied with the outcome of the internal review you may
also contact the Information Commissioner’s Office at: 
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
[7]www.ico.gov.uk 
Best wishes
Freedom of Information Team
University of Bristol

References

Visible links
1. http://www.bristol.ac.uk/index/
2. http://www.bristol.ac.uk/media-library/s...
3. https://www.hesa.ac.uk/
4. http://www.bristol.ac.uk/secretary/foi/
5. mailto:[University of Bristol request email]
6. http://www.bristol.ac.uk/secretary/foi/r...
7. http://www.ico.gov.uk/

University of Bristol FOI mailbox, University of Bristol

Dear Mr Salmon
Thank you for your recent Freedom of Information request. We are aware
that the deadline for responding to your request is Tuesday 17 January
2017, and we are in the process of dealing with your request. We regret
that we do not anticipate being in a position to respond on that date, but
we will endeavour to respond within the following week. We apologise in
advance for the delay.
Kind regards
Freedom of Information Team
University of Bristol

University of Bristol FOI mailbox, University of Bristol

1 Attachment

Dear Mr Salmon
Thank you for your recent Freedom of Information request, as follows:

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.

4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer.

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII), e.g. date of birth, National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, who are they? (select all that apply)
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

To the extent that your request is a valid request for recorded
information under the Freedom of Information Act 2000, please find
attached the University's responses.
Best wishes
Freedom of Information Team
University of Bristol