Information security

Welcome to the basic course in information security for university employees

This course will address why our information is vital and in need of protection, as well as what information security is all about. Moreover, it explains how your behaviour and the way you handle your data significantly impact the safety and security of that data.


Introduction


All videos in this course are from MSB's Digital Information Security for All (DISA). Currently only available in Swedish.


Why is information security so important?

The security of our information - or information security - is something we all need to relate to, both professionally and in our private lives.

Why?

  • We handle more and more of our information as well as our contact with others through social media, the internet and various digital media
  • Our mobile devices make us more or less constantly online - connected to the internet
  • Spreading information to the entire world can be done with lightning speed
  • The line between true and false, or faked, information is becoming increasingly difficult to see

The human factor

Incidents and cyber attacks happen constantly.

Universities around the world are popular targets for attackers, making awareness and knowledge regarding risks, and how to reduce those risks, very important.

Attackers often target us humans because the human factor is usually the weakest link, the link most difficult to secure, in the so-called security chain.

Picture shows a chain with a broken link.


Information security?

Information security means that the right person has access to the right information/data at the right time, and that the information is protected with an adequate level of security so that

  • Only those authorized can access it (confidentiality)
  • We can trust that it is accurate, not tampered with or corrupted (integrity)
  • It's actually there when we need it (availability)

Information security is a wide field, covering users who are knowledgeable about risks, information classification, threat and risk analyses, the development of processes, and more.

Cybersecurity is the part of information security that deals with external dependencies and threats in a larger and more complex digital ecosystem than (only) one's own organization or society. Among other things, threats can be antagonistic, political, economic or geographical, and come from individuals, groups or state actors.


The right level of security

The security level of the systems and IT solutions used for handling, sharing and storing information needs to match the sensitivity of the information in question.

The sensitivity of the information is assessed using information classification.

Information classification

Information classification is a process in which someone assesses the data they hold and the level of protection it will need.

We classify data in terms of confidentiality, integrity and availability (CIA).

Information classification needs to be done for all information handling

For example, information classification needs to be done in all research projects, as well as with any procurement of IT services or applications.

You can read more on how to do an information classification at the Staff Gateway: Information security risk management

If you need help with your information classification, contact the Security and Safety Division, security@uu.se



Safe behaviour

We all handle information every day, in many different ways.

Awareness and safe behaviour means that you reduce the risks of the information you handle getting lost, destroyed or distorted. You are an important part of the daily information security work at Uppsala University!

Risk-increasing behaviours include going through sensitive e-mail or sensitive documents on the train, having conversations about sensitive matters where others can hear, and leaving a computer or phone unattended when travelling or when going to lunch.

An unintentional act can easily have unnecessarily large consequences. Being knowledgeable and behaving in a safe manner reduces that risk.


Social engineering (social manipulation)

Social engineering is a strategy used by individuals or groups to manipulate and mislead people into revealing sensitive information, such as login or bank credentials, or acting in a way that compromises their security. It can also be making someone pay a fake invoice, buying or sending gift cards, or making a money transfer.

Social engineering is based on psychology and knowledge of human behaviour rather than technical know-how. Instead of cyber attacks, our trusting human nature is exploited to deceive us.

The most common attempts are made through telephone contact (phone, voice or text phishing) or e-mail phishing - usually just called phishing.


A warning regarding phone phishing!

A common type of social engineering is done through phone contacts - it can be either by calls (voice) or text (sms) messages*.

For example: Someone calls or texts you, pretending to be your bank, the IT division, a senior manager, Microsoft support or your ISP. The person regrets having to inform you about (made up) problems and says everything will be resolved if you log into your computer/bank or give the person your account details, passwords or codes.

The contact is usually made from fake phone numbers, to make it look like the phone call or text is coming from the bank etc. It makes it more credible and makes those subject to the phishing more likely to answer/reply.

*Vishing - Voice Phishing
Smishing - SMS Phishing


E-mail phishing

Phishing is one of the most common types of social manipulation. It is also by far the most common start of an upcoming cyber attack.

The goal of a phishing attempt is to trick the recipient, through an e-mail, text or chat, into clicking on a web link, opening a document, visiting a web site or downloading a file. That way the attacker can infect the client laptop with malware and/or get access to login credentials as a first step in a larger attack.

We will go into e-mail and phishing in more detail in the next part of the course.

The picture shows a fake e-mail.
