Guide to information security for student
Scroll down to see more instructions to protect your data and identity against possible cyberwar actions against Finnish institutions.
1) Keep your username and password safe. You are responsible for all activity that occurs under your user account and have an obligation to protect your own data and that of others. Never reveal your password to anyone. If you know or suspect that your password has been compromised, change your password immediately or ask the IT Helpdesk to change it for you.
2) Select a password that is complex and difficult to guess while easy for you to remember. Use different, secure passwords for the IT systems of Tampere Universities and external systems.
3) Use caution when opening an email from an unknown sender. Fraudulent emails may contain malware or take you to a website that infects your computer with malware.
4) Be wary of phishing emails that try to entice you into disclosing your username and password or entering them on a fake website. Our administrators will never ask you for your password.
5) Always check the URL before clicking a link. Be especially careful with links that you receive by email. Learn how to separate fraudulent URLs from authentic ones. If you suspect the authenticity of a website, log in to the website tuni.fi or intra.tuni.fi first to find a link to the system and type the URL into the address bar of your browser.
6) Before accepting any terms of service, check at least that
- you retain ownership of your data
- your data will not be shared with any third parties
Be careful of what you post online (Facebook, photo sharing services, etc.)
7) Social media and online services can be used to spread malware. Use caution when clicking on pop-ups, ads and invitations.
8) Make sure your computer is protected with a firewall, anti-malware software and software upgrades and back up your data. You should also protect your smartphone and mobile devices, for example, with a passcode. Only install apps and software that you need on your computer and mobile device.
9) You should preferably use other storage media than USB drives, which are easy to break and are not secure enough to be used as the primary or only storage location for your files. Never store sensitive information on an unencrypted USB drive.
10) Report suspected data breaches and system misuse to the IT Helpdesk.
Recommended measures to avoid information security risks related to the war in Ukraine
As organizations are pondering their cyber security issues during the war in Ukraine, individuals should regularly ensure that their computers, mobile devices and software updates are up-to-date and that all passwords are safe and all important accounts are protected by multi-factor authentication. A way into the data in the universities community may be found via users’ personal devices and, in the current situation, every individual may be targeted for influencing purposes.
For some time now, we have already been the target of intense phishing, and the current situation is likely to make an already difficult situation worse. Phishing attacks may increase as attackers try to trick people into clicking on links that give the attackers access to computer systems. After that, the attacker may steal, destroy or encrypt information.
One of the threats tailored to the situation is fake donation sites and luring people with various appeals, such as those related to cryptocurrencies. The aim is always to get people to act based on some motive. Such a motive is often about appealing to emotions or creating a sense of urgency. In such a situation, it is easy for people to forget being cautious and to click on a link or open an attachment.
Here are things that help us to protect our own and our organization’s data. It is a long list, but the length reflects our digital operating environment. So, please try to read until the very end.
Update your passwords
- Use a long password, preferably a password sentence
- Do not use the same password in different services
- Do not use the same password body in all your passwords
- Avoid easy password
Be careful on social media. Do not share personal information online, check the data security and privacy settings of your social media. Beaware, Russia is changing web page certificates to Russian root certificate.
- Remove and block so called troll accounts which are spreading disinformation
- If you have a valid reason for not blocking such accounts, avoid disseminating their messages further or participating in the discussions
- Do not react to strange contact requests
- When visiting Russian web sites your browser gives you a warning of invalid certificate (basically always not good and you normally would not accept) now when Russia is taking own root certificate in use it is better to accept invalid certificate. Using Russian root certificate makes it possible to open and follow all traffic in between browser and www site. When receiving such message it is better to not share any sensitive information on such site.
Install data security updates without any delay
- In these times, many actors use so-called day-zero vulnerabilities that they have obtained, which means that they also become available to criminals. Using them is quick and they help outsiders to hack into devices and software. Security updates aim to plug such gaps. That is why it is important to do all data security updates without any delay.
Back up critical data to a couple of different storage locations or devices if possible. This will protect them from loss or destruction and damage caused by malware.
- The best way to protect your data is to keep one copy always off the network or off your devices. File-encrypting malware often try to encrypt everything they see, including network and cloud drives.
Do not share any data related to the safety of your device or the universities community with anyone or anywhere
- Data protection
- Data location
- Location of devices
- The models, names or versions of devices and software
Only use known Wi-Fi networks or mobile connections
- If you are using a connection with dubious security, please use EDUVPN.
- Protect your Wi-Fi devices with passwords and encryption. Also change the password of the administrator (main user) who manages the device, and preferably also change the name of the account if possible (i.e., create a new account to make it harder for automated phishing methods).
Protect the access to your email account
- Email is often used as a method to reinstate a forgotten account. If access to, for example, your Gmail mailbox is not properly protected, it may become a very difficult data leakage source from your point of view. Thus, please set up multi-factor authentication to protect the account and stop access to your data. Email may be used to enquire what you have bought and where, where you have accounts and whom you are in contact with. All this can then be abused, and all these accounts can be hijacked using your email account.
Protect your social media and private accounts with multi-factor authentication.
Here are links to instructions on how to protect your social media accounts and services by enabling multi-factor authentication. Always use an application rather than a SMS message, if available, because state actors and many malwares can hijack SMS messages.FB
Be careful with junk mail and phishing
- At present, phishers are exploiting people’s interest in topics related to the war in Ukraine and enticing people to download harmful attachments. One example of such an email is “Recall: Ukraine-Russia Military conflict: Welfare of our Ukrainian Crew member”. Moreover, the Finnish language no longer protects against cybercrime even though the number of phishing attempts is smaller. When messages require actions, read all such communications very carefully.
- It is always important to check that the sender’s email address is genuine, and to check for any typos in the messages. Attachments should not be opened, and links should not be clicked unless you are sure that the message is secure. If necessary, contact the sender by some other means (e.g., call them or send an instant/text message) and check that the message is really from them.
- If you receive a dubious message:
- Do not open it or the links and attachments it contains
- If you make the mistake of opening an attached file, do not give permission to activate additional functions or install programmes.
- If you make the mistake of clicking a link in a message that takes you to a site asking you to submit a user account or password, do not give them.
Only install software from known services and websites.
- Use official app stores (Google Play, Apple App Store)
- Links given on TUNI’s pages
- Updates from the software’s own update links
- Consider very carefully if a website asks you to provide the PIN code of your bank card or your credit card information
Only connect devices you know to your devices
- For example, do not connect a USB flash drive you have found or do not know to your computer.
- Do not connect any Bluetooth devices from unknown owners or users
- Do not accept images, links or files that come in wirelessly (e.g., via Bluetooth) unless you know for sure who sent them
- Avoid using WiFi networks in, for example, foreign congress centres, trade fairs or airports
Only use safe instant messaging apps and think of what you want to communicate in them
- Despite the intense campaigning that is sowing uncertainty, Signal is currently the safest and most secure instant messaging app. Avoid using other apps.
- Instant messaging should not be used to communicate personal data
- Telegram is a Russian instant messaging tool that has been heavily campaigned for since the start of the war in Ukraine. We do not recommend using Telegram!
- Because Whatsapp and FB Messenger apps collect and process personal data in violation of EU legislation, they are also banned at the universities community.
Update your network connected devices at home and unplug old or unnecessary ones
- Connected devices that have not been updated jeopardise your security and privacy. Think whether it is worth connecting them at all, and whether connecting them offers any real benefits. You can also create a so-called home network that is not connected to the internet. Network devices of all kinds that have not been updated are often misused, for example, in cyberattacks, and your devices may be used to disturb other people.
Reserve cash for situations where electronic means of payment are not working.
- In recent days, there have been numerous denial of service attacks on key media and financial sector actors around the world. The attacks are aimed at disrupting the functioning of organisations and causing general chaos. Criminals want to deny citizens access to online services and paralyse businesses regular operations. Therefore, a small amount of cash is a good safeguard.
- It is a good idea to have a supply of food, water and other essentials for 72 hours at home.
- https://www.varmuudenvuoksi.fi/aihe/elintarvikehuolto/529/72_tuntia_on_kotien_varautumisen_uusi_mitta (page in Finnish)
Influencing through information - True or false?
- Who is the author?
- From whom did you get the information?
- Can the name or URL be found?
- Who was it made or directed for?
- Where was it published?
- Why is it you particularly that came across the information?
- What is really the message?
- Is it an ad or a news item?
- Why was it done?
- Is someone trying to influence you in some way?
- Which information is it based on?
- Are there references to the sources of information?
- Are the images real?
- Are the images related to the text?
- Have the images or videos been manipulated?
When are there grounds for suspecting disinformation?
- The message is repeated very frequently.
- The message is accompanied by striking images.
- The message is intended to provoke a strong emotional response.
- The message has strong narrative elements.
- The sources used in the message are strange or unusual.
(For example, the meta data on the page leads to a different country than the content of the message suggests.)
- Search engines find the same or almost the same message, but with a significantly older date.
- The photos related to the message can be found online via other links using a reverse image search.
- The person or body spreading the message is spreading other suspicious content.
Necessary questions regarding source criticism/information evaluation
- Timeliness: When was the information published? Is it still accurate?
- Which perspective does the source represent (researcher, authority, funder, lobbyist, expert by experience, possible political standpoint)?
- How can the source be chosen and found? When using search engines: were multiple search engines compared to prevent bias?
- What was the purpose of the information found?
- Is it an original document or second-hand information?
- If it is statistical indicators, who compiled the statistics?
- Surely a press release from a company or other body is not the only source?
- Does the source distinguish fact from opinion? Is it a strongly narrative or deliberately emotive text? Is it accompanied by emotive images or video material?
- Does the source used reveal its own sources? Their accuracy must also be checked.
- You need to check that the links work. If you are suspicious about a domain address, you can check the domain owner by using eg WHOIS.
+358 294 520 500
it-helpdesk [at] tuni.fi