Phishing attacks

Barry Salmon made this Freedom of Information request to University of Aberdeen

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

The request was successful.

Dear University of Aberdeen,

1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices

2. Do you have visibility into devices that are used to access University applications?
• Yes
• No

3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.

• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)

5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.

• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party

6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer

• Yes
• No
• Don’t know

6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.

• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know

6b. If yes, which is the most common target of the phishing campaigns? (please select one)

• Students
• Lecturers/faculty staff
• Employees
• Other (please specify)

6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth. National Insurance Nos.
• Employee PII
• Financial/payroll data
• Research/patents
• Other (please specify)

6d. Did you identify the attackers and, if so, are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)

Yours faithfully,

Barry Salmon

Foi, University of Aberdeen

Dear Mr Salmon,

I refer to your email of 14th December 2016 and, on behalf of the University, I acknowledge receipt and confirm that your request is being dealt with in terms of the Freedom of Information (Scotland) Act 2002. In terms of that Act, a reply will be sent to you within 20 working days.

Yours sincerely,
Amy Walsh.

Amy Walsh
Administration Assistant.
Email: [email address] Tel: 01224 273079

Core working hours: Monday - Friday: 8.45am - 1.00pm
The Sir Duncan Rice Library, LSC&M, Aberdeen University, Bedford Road, Aberdeen AB24 3AA

show quoted sections

Foi, University of Aberdeen

To: Barry Salmon [[1]mailto:[FOI #377121 email]]

Dear Mr Salmon

 

I refer to your email of 14 December 2016 requesting information on IT
applications at the University of Aberdeen.

 

Your request has now been considered under the Freedom of Information
(Scotland) Act 2002, “the Act”, and the responses given beneath each
question.

 

Q1:

What is your policy for using personally owned devices accessing IT
applications?

 

A1:

We allow access to both student and staff with personal and corporate
devices

 

Q2:

Do you have visibility into devices that are used to access University
applications?

 

A2:

Yes

 

Q3:

Do you use multi-factor authentication (such as a hardware token, software
code generated by a mobile phone app, or an SMS code) to access IT
applications? Please select one answer only.

 

A3:

We just use single factor authentication today but we are planning on
implementing multi-factor authentication in the next 12 months.

 

Q4:

What security risks in personal devices are you most worried about when
accessing University applications?

 

A4:

Out of date software. Ex: Operating systems, browsers

 

 

Q5: What is your policy regarding patching and updating digital devices,
operating systems and apps which access your corporate network? Please
select one answer only.

 

A5:

Appropriate action, such as patching and updating is taken when needed,
dictated by business urgency/priorities.

 

 

Q6:

Has your university ever been the victim of a phishing attack (where an
individual is duped into disclosing their login, password or credit card
details via an email purporting to be from a trusted source)? Please
select one answer

 

A6:

Yes

  

Q6a:

If yes, how often have you experienced a phishing attack in the last 12
months? Please select one answer.

 

A6a:

Don’t know

 

Q6b:

If yes, which is the most common target of the phishing campaigns? (please
select one)

 

A6b:

Other (please specify) – Phishing emails will be received by all staff and
students; we cannot identify targets

 

 

Q6c: What type of data was being targeted? (select all that apply)

 

A6c:

•        Student personally identifiable information (PII) e.g. date of
birth. National Insurance Nos.

•        Employee PII

•        Financial/payroll data

•        Research/patents

 

 

Q6d: Did you identify the attackers and, if so, are they? (select all that
apply).

 

A6d:

Other (please specify); not identified.

 

 

Should you be dissatisfied with this response, you have the right under
the Act, to request a review.  A request for review must be made within 40
working days of the date of this reply, and must specify the grounds for
dissatisfaction with the decision. Please send your request for review to
our mailbox, [2][University of Aberdeen request email]. The University will respond to your
request for a review within 20 working days of receipt of your request.

 

If you are unhappy with the outcome of the University’s internal review
process, you have the right to appeal to the Scottish Information
Commissioner, within 6 months from the date of receipt of the University’s
review notice. Details on how to make an appeal to the Commissioner are
 available at:  [3]www.itspublicknowledge.info/Appeal. Should you remain
dissatisfied with the Commissioner’s decision, you have a right of appeal
to the Court of Session on a point of law.

 

Yours sincerely

 

Lorna Maguire

University Records Manager

Library, Special Collections & Museums

The Sir Duncan Rice Library

The University of Aberdeen

Bedford Road

Aberdeen

AB24 3AA

 

T: 01224- 273175

Email: [4][email address]

 

 

From: Barry Salmon [[5]mailto:[FOI #377121 email]]
Sent: 14 December 2016 15:00
To: Foi
Subject: RE: SALMON Freedom of Information request - Phishing attacks

 

Dear University of Aberdeen,

 

1. What is your policy for using personally owned devices accessing IT
applications?

•             We allow access to both student and staff with personal and
corporate devices

•             We allow access to staff with personal and corporate devices

•             We only allow access to corporate devices

 

2. Do you have visibility into devices that are used to access University
applications?

•             Yes

•             No

 

3. Do you use multi-factor authentication (such as a hardware token,
software code generated by a mobile phone app, or an SMS code) to access
IT applications? Please select one answer only.

 

•             Yes, we use multi-factor authentication for all access by
students, faculty and staff onto the devices, apps, intranet or IT network

•             Yes, we only use it for access to all sensitive data such as
financial payments, grades and personally identifiable data (PII) data
held on the network

•             No, we just use single factor authentication today

•             We just use single factor authentication today but we are
planning on implementing multi-factor authentication in the next 12
months.

4. What security risks in personal devices are you most worried about when
accessing University applications?

•             Out of date software. Ex: Operating systems, browsers

•             Physical security of devices. Ex: passcode lock

•             Jailbroken / Rooted devices

•             Others (Please specify)

 

5. What is your policy regarding patching and updating digital devices,
operating systems and apps which access your corporate network? Please
select one answer only.

 

•             We implement all patches/upgrades within 48 hours from
notification

•             We implement all patches/upgrades within 7 days of
notification

•             We implement all patches/upgrades within 30 days of
notification

•             It is impossible for us to maintain all devices, operating
systems and apps at the latest version and patches/upgrades typically take
longer than 30 days to implement.

•             We outsource the patching and upgrade of all our devices and
systems to a third party

 

6. Has your university ever been the victim of a phishing attack (where an
individual is duped into disclosing their login, password or credit card
details via an email purporting to be from a trusted source)? Please
select one answer

 

•             Yes

•             No

•             Don’t know

 

6a. If yes, how often have you experienced a phishing attack in the last
12 months? Please select one answer.

 

•             0-5 times

•             6-10 times

•             11-50 times

•             51+ times

•             Don’t know

 

6b. If yes, which is the most common target of the phishing campaigns?
(please select one)

 

•             Students

•             Lecturers/faculty staff

•             Employees

•             Other (please specify)

 

6c. What type of data was being targeted? (select all that apply)

•             Student personally identifiable information (PII) e.g. date
of birth. National Insurance Nos.

•             Employee PII

•             Financial/payroll data

•             Research/patents

•             Other (please specify)

 

6d. Did you identify the attackers and, if so, are they? (select all that
apply).

•             Organised cyber-criminals

•             Opportunistic hackers (non-organised)

•             Political hacktivists

•             Disgruntled employees/former employees

•             Disgruntled students/former students

•             State sponsored hackers

•             Other (please specify)

 

Yours faithfully,

 

Barry Salmon

 

-------------------------------------------------------------------

 

Please use this email address for all replies to this request:

[6][FOI #377121 email]

 

 

 

 

The University of Aberdeen is a charity registered in Scotland, No
SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir.
SC013683.

References

Visible links
1. mailto:[FOI #377121 email]
2. mailto:[University of Aberdeen request email]
3. http://sut1.co.uk/sLJ85vvXsn4Tubvajtvcoq....
4. mailto:[email address]
5. mailto:[FOI #377121 email]
6. mailto:[FOI #377121 email]