Maybe you saw them last Thursday and Friday in the Administration building: around a hundred colleagues from Information and Technology Services, Communication and Marketing, and the Faculty of Humanities kicking up a storm.
What was going on?
On Thursday 4 and Friday 5 October, UU participated in the national cyber crisis exercise ‘OZON’. The purpose of the exercise was to test and improve the security of institutions in the case of a cyber emergency.
The exercise began on Thursday morning. At first only a few calls came in at the ICT Service Desk, but very quickly there was evidence of a much bigger threat: there was going to be a large-scale cyber attack! UU staff from various departments were evidently caught in a phishing trap. The email they received asked them to log in and download a software update from a website. The website was fake and the passwords the staff used were stolen. To add insult to injury, a great deal of the staff members' data was also encrypted.
The response was rapidly scaled up, and UU people from various disciplines got busy surveying the damage so the crisis could be defused. After a day and a half, the crisis was under control, and with good collaboration the culprit could be apprehended: see the photo!
Leon van de Zande: ‘We did really well’
Leon van de Zande (Secretary General) looks back at the exercise with satisfaction. He was the one who called the crisis team to action on Thursday morning. ‘I think we did really well. We responded fast, professionally and completely adequately. We've noticed that in a crisis situation our organisation keeps getting better – both within the crisis team and those supporting the crisis team. Of course there is always room for improvement, and we are using this exercise in order to keep getting better in time’, Leon says.
‘Even though the security of IT services at UU is always improving, cyber criminals never sleep. That's why it's so important to practise a crisis simulation involving information security.’ In addition to technological improvements, such as the use of additional authentication for systems with sensitive data, an important factor is increasing the awareness of staff and students at UU. Leon: ‘Think of how it used to be when people used to leave a note for the milkman saying, “We'll be on holiday for the next two weeks, please don't deliver any milk”. No one does that any more, but when it comes to IT security it's often like we still are living in the past – and sometimes we aren't sufficiently aware of the dangers involved. We can use technology to lock the back door, but if you leave the front door wide open you're still going to have a problem. A good email password is much less secure if that email can be accessed using your smartphone without any security code.’
Raoul Vernède: always stay alert
Raoul Vernède, Chief Information Security Officer (CISO) responsible for ITS security policy, also participated in the exercise. ‘Hacking on a large scale as we saw in this exercise, where internet criminals steal a whole bunch of log-ins, can be prevented in many instances by staying alert and thinking critically. For example, I keep my private emails strictly separated from my work-related emails. If I get an email from a webshop or my credit card company sent to my work email address, it looks suspicious because those organisations don't have my UU email address.’ Raoul also affirms that you always have to be careful logging in to websites that ask you for your user name and password. ‘Pay careful attention to see whether the website looks the way you expect it to, and never just install any old software that you find on the internet. Don't click mindlessly – even when you're in a hurry.’
How cyber safe are you?
At https://www.uu.nl/work-safely you can find information about working securely and test your own level of cyber safety. Change that note you left on the door for the milkman – today!