F.A.Q. – Frequently Asked Questions

The University of Paderborn's information security team

  • advises users, committees, and departments, as well as those involved in information, communication, and media technologies, on information security issues.
  • develops recommendations on technical, organizational, and awareness measures, and collaborates closely with the CIO, IT operators, data protection officer, and the University of Paderborn's Presidential Board.
  • is the central point of contact in the event of information security incidents and supports the responsible departments in coordinating efforts to limit damage to the university.

More information is available here.

Contact the Data Protection Team with:

  • Organizational questions about data protection
  • Questions about the directory of processing operations
  • Requests for information according to Art. 15 GDPR (DSGVO)
  • Questions about training workshops
  • Reporting data breaches


Contact your data protection coordinators with:

  • General questions about data protection
  • Confidential inquiries and/or complaints about data protection
  • Questions about the rights of data subjects


Contact the information security team with:

  • Technical questions
    • Point of contact for information security incidents
    • Development and maintenance of an IT security concept
    • Carrying out risk and threat analyses
  • Recommendations regarding technical and organizational measures (e.g., software procurement)
  • Awareness campaigns and organization of training workshops for employees

Information security incidents include all unexpected events that endanger the confidentiality, integrity, or availability of IT systems and their data.
Examples include attacks on IT systems such as PAUL or research databases, the loss of smartphones or USB sticks, and the harvesting of passwords through phishing emails.

Read the FAQs and our post on the topic to learn how to respond to such incidents.

More information on information security incidents can be found here.

If you suspect or discover an information security incident, whether intentional or unintentional, please fill out the notification form immediately. Include all available information: if personal data are affected, the university must report the breach to the supervisory authority within 72 hours (Art. 33 GDPR), and the affected parties may have to be informed.

You can find the notification form and more information here.

  1. Stay calm and avoid taking any ill-considered measures.
  2. Disconnect the device from the WiFi/network (unplug the network cable).
  3. If necessary, record what is happening (photo, video, etc.).
  4. Leave everything as it is.
  5. Do NOT turn off or disconnect the device from the power source.
    → Important evidence (e.g., running processes and memory contents) could be lost
  6. Briefly jot down your own assessment of the incident and the amount of damage.
  7. Report the incident using the report form to obtain an assessment from the incident team.

Note:

  • Do not disclose information to third parties.
  • Do not pay extortion money under any circumstances.
  • Do not try to fix the problem yourself.

If you suspect your computer is infected with a virus — for example, if your antivirus program sounds an alarm or your system is behaving strangely — the following checklist can help you solve the problem.

  1. First of all: Stay calm. Don't panic.
  2. Next, inform our Information Security Team (IST) about the virus attack so they can block your network address.
  3. Then, disconnect the infected machine from the network by unplugging the network cable. Do NOT disconnect it from the power supply.
  4. If the virus has been identified, find out whether a "soft" repair without reinstallation is possible. Our IST and the malware encyclopedias of antivirus vendors, such as those from NAI or Symantec, can provide information on this.
  5. Decide whether a reinstallation is necessary in your case, for example if the virus is difficult or impossible to remove or has caused significant damage. A reinstallation does not necessarily mean losing your files, but any file you keep may itself carry the infection (e.g., documents with macros), so restore only what you need and scan it first.
  6. If possible, back up your files locally on a dedicated storage medium, such as a USB stick or CD, and treat that medium as potentially infected until it has been scanned. If you copy your files to other computers or servers, you risk infecting them with the virus.
  7. Remember that in the event of a virus attack, every password that was entered or stored on the affected system may be compromised. Change all of them, and do so from a clean device, since anything typed on the infected machine may be captured again. Even a freshly installed system with new passwords can be reinfected if infected files are restored to it.

Visit our Training and Further Education page to explore various options for furthering your education in information security.

English versions are coming soon!

There are various ways to ensure that your computer is working as securely as possible.

We have summarized these in the form of the Golden Rules of IT Security.

A secure password should contain at least 10 characters, including lowercase and uppercase letters, numbers, and special characters. The longer the password, the better.

Since passwords like this are usually hard to remember, you can use mnemonic devices, such as taking the first letters and special characters from a sample sentence.

Also, never reuse a password across services: once one service is breached, attackers try the leaked credentials on every other account (credential stuffing), so a single compromise exposes all accounts sharing that password.
A password manager helps you keep track of this variety of passwords.

You can find more information about passwords on our help wiki page.

A password manager is a program that securely stores and manages your passwords for various applications and online services. Password managers can generate passwords and automatically fill out online forms. They can be computer applications, mobile apps, or web browser extensions.

The main function of a password manager is to solve the problem of password fatigue, in which users have difficulty remembering multiple passwords for different services. With a password manager, users only need to create and remember one "master" password to access all stored information.

Password managers typically use encrypted databases to ensure the security of stored passwords. In addition to passwords, they can also store other data, such as credit card information, addresses, and personal information.

Additionally protecting the password manager with a fingerprint or facial recognition is optional, not mandatory; the master password remains the primary protection of the stored data. Password managers can be installed on computers or mobile devices as applications or browser extensions.

We provide instructions on how to install the password manager KeePass in our help wiki:

Two-factor or multi-factor authentication (2FA; MFA) is a form of electronic authentication in which users must present two or more independent proofs (factors) to an authentication mechanism before gaining access to a website or program. Typically this means entering a password and, in addition, a one-time code sent by email or text message, generated by an authenticator app, or confirmed with a hardware security key. An attacker who has obtained only the password, for example through phishing, is then still locked out. Note that codes sent by email or SMS are the weakest of these factors, since the mailbox or phone number can itself be taken over; prefer an authenticator app or hardware key where a service offers one.

It is advisable to enable two-factor authentication wherever possible: it adds an extra layer of security and makes it considerably harder for attackers to take over your accounts and the data behind them.

From a data protection perspective, the use of external cloud services (e.g., Dropbox or OneDrive), messenger services (e.g., WhatsApp), or groupware services (e.g., Gmail or iCloud) is often questionable.
This is because it is often unclear what data is transmitted when using these services, whether it is encrypted, and if the providers comply with applicable EU data protection regulations.


Therefore, only cloud, messenger, and groupware services that comply with data protection regulations should be used. These include:

Physical destruction usually involves mechanically shredding the media into small particles. Locked collection containers with slots are available in certain university rooms for storing data storage media to be destroyed. Data storage media to be destroyed should be deposited there during office hours. Until destruction, the media are stored in a way that protects them from unauthorized access by third parties. A specialized company regularly empties the containers on site and securely destroys the data storage media in compliance with data protection regulations. The exact procedure is described in a leaflet from Department 5.

Further information can be found here:

Irretrievably deleting the data on a storage medium, rather than destroying the medium, also serves sustainability: the medium can then continue to be used elsewhere in the university or be sold, for example as part of de-inventorying.

The deletion methods are described in the document 'Secure Deletion of Data Carriers (Guideline for Secure Deletion or Destruction of Information)' under points 1.4 and 1.5. You can find the document at the following link:

Both in the case of intended de-inventorying and in the case of internal further use of IT hardware and/or transportable data storage media, the secure deletion of data must be carried out in the respective areas in accordance with points 1.4 and 1.5 of the above-mentioned appendix and confirmed on the enclosed form by the responsible administrator.

Further information can be found here:

Phishing is an attack method for obtaining usernames and passwords. It refers to attempts to capture an internet user's data via fake websites, emails, or text messages and to use it for identity theft. The aim of the fraud is to use the captured data to take over accounts, plunder bank accounts, or otherwise harm the person concerned.

These attacks may be inserted into existing email conversations and are often targeted at specific people. Therefore, you should apply the checklist below to every email. With a little practice, it takes only a few seconds to prevent immense damage.

Further information on phishing can be found here:

Anyone who processes personal data must protect it using technical and organizational measures.


TOMs include:

  • Physical access control (to the premises and rooms housing data processing equipment)
  • System access control (logging on to the data processing facility at the network and server levels)
  • Data access control (within the data processing system: who may read or change which data)
  • Transfer control
  • Input control
  • Order control
  • Availability
  • Separation
  • Integrity
  • Confidentiality

The TOMs must be documented and reviewed on an ongoing basis (at least annually). If required, this documentation serves as evidence of the security measures taken, for example toward a controller on whose behalf data are processed.

Processor:
According to Article 28 of the GDPR, a processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of a controller.

Processing contract:
A processing contract (data processing agreement) governs an activity involving personal data that a service provider carries out on behalf of, and on the instructions of, a controller. Every company that has personal data processed by a service provider must therefore conclude such a contract with it. Existing contracts must be adapted to the GDPR's requirements.

According to Article 30 of the GDPR, every controller (the body that decides the purposes and means of processing personal data) and every processor must keep a record of processing activities.

This register must record which data is stored in which systems and how further processing is carried out, among other things. Those subject to this obligation include small and medium-sized enterprises, associations, liberal professions, and public bodies.

Certificate-based email signatures (such as S/MIME) provide an extra layer of protection: a valid signature verifies the sender's address and confirms that the content of the message has not been altered.
This is especially helpful for identifying phishing emails that pose as popular services, such as online banking, parcel services, and email providers.
More information about phishing, including detailed examples, can be found here: Notes on Phishing Emails.

When you receive a signed email whose signature your mail program verifies successfully, you can trust both the displayed sender address and the fact that the content was not altered in transit. A missing, invalid, or untrusted signature means you can rely on neither; then check the address yourself.

Therefore, pay attention to the sender address! It should not be benutzerberatung@upb.de.hackerparadies.com or anything similar.

The IMT sends emails from imt@uni-paderborn.de or imt@upb.de.


You can learn how email signatures are created, who is allowed to use them, and what they look like in different email programs from our help wiki page on the subject:

Quishing is a type of phishing where criminals use QR codes to redirect victims to fake websites or prompt them to download malicious content. The term "quishing" combines the words "QR code" and "phishing".

Criminals exploit the fact that QR codes are embedded as images in emails or letters, so the URL they contain is not visible as text and is often not checked by security filters. This allows them to direct victims to fake websites where the victims then enter their login details or other sensitive data.

Quishing can also occur in public spaces, such as at electric car charging stations or parking meters, where criminals cover the real QR codes with fake ones. When users scan these codes, they are redirected to fraudulent websites where they disclose their account details.

To protect yourself from quishing, carefully check whether an email or letter is genuine, and contact the supposed sender directly if you are unsure. Users should also enable multi-factor authentication (MFA) and avoid scanning QR codes from untrustworthy sources.

After scanning a QR code, it is important to check the URL to ensure that it does not lead to a fraudulent website. Companies should educate their employees about quishing and ensure that smartphones are covered by security guidelines.

Virus scanners do not detect quishing! The QR code is just an image; the dangerous link only comes into play when you scan it.
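The sender-address check from the email signature entry (the lookalike benutzerberatung@upb.de.hackerparadies.com versus the genuine imt@upb.de) and the "check the URL after scanning" advice for quishing come down to the same question: does the host really lie within a trusted domain, or does a trusted name merely appear somewhere inside an attacker's host? The following Python script is an added example written for this FAQ, not the university's own code or tooling. It assumes uni-paderborn.de and upb.de as the trusted domains (the FAQ names them as IMT senders; the allowlist itself is this example's assumption), and all sample addresses and URLs are constructed.

```python
"""Origin check for e-mail sender addresses and URLs decoded from QR codes.

Added example for this FAQ, not the university's own code or tooling. It
extracts the host from a sender address or a URL and checks whether that host
really lies within a trusted domain, catching the lookalike pattern the FAQ
warns about (upb.de.hackerparadies.com), where the genuine domain name is only
a label inside an attacker-controlled domain.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# The FAQ names imt@uni-paderborn.de and imt@upb.de as legitimate senders;
# which domains to trust is otherwise an assumption of this example.
TRUSTED_DOMAINS = ("uni-paderborn.de", "upb.de")

# A plain address: local part, '@', then a domain made only of host characters.
_EMAIL = re.compile(r"^[^@\s<>/]+@([A-Za-z0-9.-]+)$")


def extract_host(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (host, warning) for an e-mail address, a URL, or a bare host/path.

    host is lowercased without a trailing dot; warning names a structural
    trick found while parsing (userinfo before '@', punycode label).
    """
    value = value.strip()
    # Display-name form: Name <addr@host> -> keep only the angle-bracket part.
    m = re.search(r"<([^<>]+)>", value)
    if m:
        value = m.group(1)
    warning = None
    m = _EMAIL.match(value) if "://" not in value else None
    if m:
        host = m.group(1)
    else:
        # QR codes often hold bare hosts ("upb.de.example/login"); prepending
        # "//" lets urlsplit treat the text as a network location.
        url = value if "://" in value else "//" + value
        parts = urlsplit(url)
        host = parts.hostname  # userinfo and port are already stripped here
        if parts.username is not None:
            # https://upb.de@evil.example/ : the trusted name is only userinfo,
            # the browser connects to evil.example.
            warning = f"URL has userinfo '{parts.username}' before the real host"
    if not host:
        return None, warning
    host = host.lower().rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        warning = warning or f"host {host} uses punycode (possible homograph)"
    return host, warning


def is_trusted(host: Optional[str], trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host equals a trusted domain or is a proper subdomain of it.

    Comparing whole labels is what defeats upb.de.hackerparadies.com: it does
    not end with '.upb.de', even though it contains 'upb.de'.
    """
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify(value: str) -> Tuple[str, str]:
    """Return ('ok' | 'suspicious', reason) for a sender address or scanned URL."""
    host, warning = extract_host(value)
    if host is None:
        return "suspicious", "no parsable host"
    if warning:
        return "suspicious", warning
    if is_trusted(host):
        return "ok", f"{host} lies within a trusted domain"
    for d in TRUSTED_DOMAINS:
        if d in host:
            return "suspicious", f"trusted name '{d}' is embedded in untrusted host {host}"
    return "suspicious", f"{host} is not a trusted domain"


if __name__ == "__main__":
    # Constructed samples: the FAQ's own lookalike plus typical URL tricks.
    samples = [
        "imt@upb.de",
        '"IMT Paderborn" <imt@uni-paderborn.de>',
        "benutzerberatung@upb.de.hackerparadies.com",
        "https://www.uni-paderborn.de/",
        "https://upb.de.hackerparadies.com/login",
        "https://upb.de@hackerparadies.com/login",
        "upb.de.hackerparadies.com/qr",
        "https://xn--pb-fka.de/",
    ]
    for s in samples:
        verdict, reason = classify(s)
        print(f"{verdict:10} {s:48} {reason}")
```

The design point is that trust is decided on whole domain labels from the right, never by substring search: "contains upb.de" is exactly the test an attacker wants you to apply. Display-name addresses are reduced to the bracketed address because mail clients show the name prominently, URLs with userinfo are rejected outright, and punycode labels are flagged rather than compared, since a homograph domain can look identical on screen.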

Further links:

https://www.cybersicherheit-bw.de/aktuelles/quishing-vorsicht-beim-scannen-von-qr-codes