Awareness

Here you’ll find several basic principles and terms about information security and learn what measures we take to ensure our safety.


Information Security Basics

Here you can learn more about the basic terms and principles of information security.

If you accidentally shared a password with a third party or reused a password, you have to change all relevant passwords to new and unique ones. If your HCU password reached a third party, please proceed as described at en/informationssicherheit/sos-it-sicherheitsvorfall.

Each password shall only be used for one service. We recommend using a password manager, since it lets you have hundreds of complex and unique passwords. Password managers store all your passwords securely, so instead of remembering hundreds of passwords you just have to remember the one that unlocks them all. We recommend Bitwarden, KeePass or the one integrated into the HCU Nextcloud.

Some password managers support shared group passwords, so that you can securely share just the passwords you want to share. This functionality is included in the HCU Nextcloud password manager.

Passkeys are one alternative to passwords. If you use passkeys, you don’t have to remember passwords at all. More on that a few topics below.

If cyber criminals get their hands on a valid mail address and password combination, they can log in to the service. A countermeasure against this is multi-factor authentication. With it you need not only the password to log in but also a second factor, like a one-time code that refreshes every 30 seconds. If someone has only the password but not the valid code, access is denied.

Learn more about Multi-Factor-Authentication, why it’s important and how to set it up at: en/informationssicherheit/2fa

Passkeys are a new and secure way to log in online. You set one up once and can then use it for every login after that. Confirming that it’s really you does not involve passwords as you know them, but rather biometric markers like your fingerprint or face. As with everything else, it’s also important to make and keep backups of your passkeys.

Passkeys offer several advantages.

  • You don’t have to remember complicated passwords.
  • A passkey can’t be too short or insecure.
  • A password can be stolen; your face or fingerprint cannot.
  • Passkeys are phishing-resistant.

You can find more information (in German) on passkeys at the website of the Federal Office for Information Security: Schafft die Passwörter ab?!

Phishing is an attack tactic where cyber criminals try to “phish” your login information and use it to gain access. Phishing usually happens via email. You get a mail that urges you to click on a link and enter your password on a site that appears to be real but is actually fake.

You can learn more about phishing and how to recognize it on our video learning platform SoSafe: en/informationssicherheit/sosafe

Also: if you use passkeys, you are resistant to phishing, in addition to their other advantages.

CEO fraud is a method where attackers pretend to be high-ranking persons in your organization. They try to use this pretended authority to pressure you into revealing secret information or lending them money.

To counteract this, it’s important to be cautious with sketchy requests and stick to the official guidelines. When in doubt, ask in person or contact the sender through a different, established channel, not by replying directly to the mail in question.

Ransomware is the name for a special type of software that, once it has infected your computer, begins to encrypt all data on it. For the decryption a ransom is demanded, usually in the form of a cryptocurrency. That’s also the origin of the name, a blend word: Ransom + Software = Ransomware

Some ransomware does not even decrypt the data after the ransom is paid. In that case both money and data are lost.

Besides generally careful computer usage, the most important way to prevent data loss from ransomware attacks is a good backup strategy. Make backups preemptively and store them offsite, for example in the HCU Nextcloud or on an external hard drive. Of course, this external drive has to be disconnected during the ransomware infection or it gets encrypted as well, so remember to unplug your data drives when not actively using them and have a dedicated backup drive.

Infostealers are programs that aim to collect and steal your data. The specific data can vary and could include metadata that builds your browsing profile or serious data like passwords and banking logins.

Not all infostealers are separate programs; some masquerade as helpful software like a browser extension. Of course, this is not to say all browser extensions are bad. Some, like a good adblocker (e.g., uBlock Origin), actively improve your online security. But be cautious about which software you install and look for reputable sources. With browser extensions, it’s good practice to check whether the browser company recommends and monitors an extension before you install it. Especially with third-party software it’s important to be cautious.

USB sticks are not only good for storing data, they can also be a tool for cyber-attacks. There are special devices that look like a regular USB stick but emulate a keyboard and execute malware as soon as they are plugged in. Therefore it’s not a great idea to plug in unknown or found USB sticks to see what’s on them, even if you’re curious.

Our Actions at HCU

What do we at HCU do for better information security?

SoSafe E-Learning

SoSafe is our e-learning platform specifically about topics of information security. Short videos and tests refresh or expand your cybersecurity knowledge.

More about SoSafe and the link to participate at: en/informationssicherheit/sosafe

Antivirus

The first and most important measure against cyber threats is always to be careful and considerate when using a computer. But since mistakes do happen, we are all distracted sometimes, and some attacks are not recognizable, we additionally provide you with antivirus software. It is preinstalled on all your work devices managed by HCU IT.

If you want to protect all of your private devices as well (whether you use them for work/study or not), we provide you with premium software free of charge. It can be installed on several devices and is available for computers and mobile phones.
More information and the download link at: en/informationssicherheit/virenschutz

HCU-IT-Team

Our IT team has multiple responsibilities and tasks. Maybe you have already been in contact with us when you submitted a ticket via the helpdesk or, if you’re an employee, when you received your work laptop.

Of course, we also work to protect us all from cyber threats, most of which you can’t even notice. But all people involved, including you, are an integral part of cyber security. That’s why informing all of you, for example with this site, is also part of our work.

Contact Us

You did not get all the information you need? The HCU information security team is here for all your further questions:

E-Mail
hcu-informationssicherheit(at)vw.hcu-hamburg.de