Tips and tricks for practical IT security
In the following, we have compiled some tips and information on the subject of IT security. These are intended to support you in your daily dealings with IT. In addition, you will find some references to external offers and training courses as well as videos on various aspects such as the secure PC, mobile device security and the handling of data and secure passwords.
Note: These pages are still under construction!
Choose strong passwords
Most important: Don't use same passwords for different services! Choose a unique password for each service, whenever this is possible. The Federal Office for Information Security published further information on how to make up strong passwords. While these information are only available in german, Harvard university also published information on how to make up strong passwords in english.
Store passwords safely
If you are using many services, each with a unique password, it might get challenging remembering them all. A password manager can store all your passwords for you, you just need to remember your master password. There are numerous options, also for mobile devices.
Anti-virus tools - which one should I use?
Cisco Secure Endpoint is an anti-malware software (or Endpoint Detection and Response, EDR) that can be used on PCs owned by of the University of Cologne. For your personal devices, you can use Sophos Home Premium (available for licensing until early 2025). Another option is the built-it Windows Defender for Windows devices.
The 10 Golden Rules of Information Security
1.) Secure your computer, your workspace, and your documents!
Your computer is the last barrier between you and your data. Make sure no-one but you has access to your device. This also applies to your physical workspace, e.g. you office desk, and all documents, records, and files stored there. Please ensure that such documents are locked away securely and inaccessible to others so that no-one can inspect, abstract or damage them. In practice appropriate measures include:
Lock your computer (or sign out of your account if you share a device) as soon as you leave your workplace, even if it is just for a short time.
Lock away all confidential documents, including external data media such as hard drives or USB sticks.
Check if data encryption is a feasible option for your data. Current operating systems can carry out device encryptions by default if the corresponding setting has been turned on:
Microsoft: Turn on Device Encryption
2.) Keep your software up-to-date!
Update prompts and security alerts can be bothersome — and oftentimes they are ignored or clicked away. However, security breaches can make systems and software unsafe to use. Third-party attackers may be able to compromise your device if security holes are exploited. To prevent this, update your software regularly, especially if the software requests you do it as soon as possible! Your operating system, your internet browser, and your PDF software have the highest priority in this regard as they are the most vulnerable software. For this reason, always pay attention to security alerts.
3.) Take caution when using external drives!
USB sticks, external hard drives and other such storage media may pose significant security risks. These devices can potentially install harmful malware into your network or the network of the university. Never connect external drives whose origin you do not know (e.g. because you found them somewhere) to your computer or portable devices. Be careful when using external drives from third parties like colleagues, friends, and family — their drives may be compromised without their knowledge.
4.) Use secure passwords!
The most important advice for this is: Do not use the same password for all services! Otherwise a password illegally obtained in e.g. a cyber attack may be used to compromise more than one account and/or system. If you use the same password for your private online shopping and your business accounts, one security breach in one automatically puts the other one at risk as well.
5.) Never share your login details with others!
Never share your login details or passwords with others for any reason, not even WiFi or VPN access. Just don’t.
This applies to the login details of all accounts you may have for digital services. Please note that the terms and conditions of your university account explicitly prohibit sharing your account data with third parties. Doing so may result in a ban of your account and that further action under German labor law may be taken against you.
6.) Backup your data on a regular basis!
A regular backup of your data is important to prevent data losses in the case of hardware defects or other issues. Not backing up your data risks not being able to access any of it in the case of crashes, malfunctions or compromisings. Please bear in mind that this also applies to data on external drives.
USB sticks in particular are prone to data losses and should not be used as a backup medium.
Backup on MacOS using "Time Machine": Apple: Time Machine Backups
The University of Cologne also offers the use of TSM as a backup system for advances users.
7.) Treat sensitive data responsibly!
Save data on trustworthy drives such as SoFS or internal network storages only. Be cautious when choosing storages for your data and its backups — sensitive data does not belong on third-party storage options such as Dropbox.
If you are unsure which data should be saved where, please do not hesitate to reach out to the RRZK help desk to address your questions or be redirected to the appropriate point of contact.
Never share information thoughtlessly with third parties. When discussing sensitive or business-related matters, always make sure to ask yourself which information and how much information is appropriate to share. This applies to all kinds of information regardless of its source or the medium of communication.
A responsible treatment of the data entrusted to you also includes the ability to delete data correctly, comprehensively, and irretrievably. You can find an introductory guide for this here.
8.) Be wary of Phishing and Spam
Phishing attempts and spam e-mails have existed ever since communication went digital. The number of phishing attempts has evidently and considerably risen worldwide in recent months and years. Our university is no exception here.
Be careful and stay calm if you should ever receive an e-mail that tries to extort money from you, threatens an account ban unless you log in to your account on a certain website, or puts you under any other kind of pressure. Phishing e-mails will also ask you to use sensitive login data on external or faked websites.
Make sure to check the sender, e-mail address, and the website you are being redirected to very carefully.
Never enter any sensitive account data on any website that looks even the slightest bit suspicious.
When in doubt, please always consult the RRZK help desk to discuss your concerns and find out if any kind of action on your part is required.
We have compiled some more useful information on phishing on this info page.
We have also made some example e-mails from recent phishing attempts available on our website (German only).
There is a host of information on spam and phishing available on external websites, e.g. from Cisco here.
Please also be wary of Spear Phishing, as this is a highly targeted and well-disguised kind of phishing attempts.
For more information on spear fishing, you may also want to read through this article on CSO Online.
By the way: Forging e-mails is as easy as sending a postcard under a false name. If you are not sure whether an e-mail you received was sent from the person named as the sender, check back with that person using a method of contact that you know is only accessible by that person. A quick phone call can often clarify the situation and prevent harm.
9.) Business / Private / Administration: Use separate accounts whenever possible!
Separating your business from your private life is always a good idea, and that is true for IT maters as well. Create different account for different purposes so that your data and your software can be used separately to avoid putting a lot of information and data at risk at the same time.
It is also advisable to use a local user account on your device.
This has been the standard for MacOS and Linux systems for some years now, but it will have to be set up separately if you use Windows 10:
10.) Ask questions and keep yourself informed!
If you are unsure whether cryptic error messages or suspicious messages are legitimate, do not hesitate to reach out to the appropriate support services. For the University of Cologne, the RRZK help desk can answer most of your questions or redirect you to the appropriate service or point of contact.
Large-scale phishing attempts at our university are also warned of on the RRZK website. This can be a useful resource for surveying the general situation if e.g. you receive a suspicious e-mail.
Most importantly: Keep calm, and do not let yourself be put under any kind of pressure.
Situations of mental pressure make it harder to judge the overall setting and may lead to significant misjudgments.
Do not be afraid to ask too much if you are ever in doubt regarding issues of information security.
Mobile devices
How to protect your Android smartphone or tablet from malware?
- Avoid downloading apps that are not from the Play Store. Apps that you download from a website as a separate APK file rather than from the Play Store may contain malware. Installing apps that are not from the Play Store is disabled by default. If you absolutely have to install an app that is only available separately, make sure that you can trust the download source. While there is a level of assurance in the Play Store that apps are pre-screened, this is also not always completely successful.
- Keep apps and the operating system of your Android device up to date. This is the only way to close security gaps that have become known public.
- Malware can also be installed via a so-called drive-by download. This involves exploiting security vulnerabilities in Internet browsers, then just visiting a website can be enough to download malware to your device. These drive-by downloads can also be triggered by advertisements embedded on other websites. Using an up-to-date ad blocker therefore reduces the risk of encountering a suitably manipulated ad. On Android, uBlock origin is available for Mozilla Firefox, for example.
uBlock origin might also be a good choice for your desktop computer where similiar risks exist! - Never agree to the installation of an app if you are asked to do so but did not trigger the installation yourself.
- Check the app's requested permissions prior to the installation. What kind of data does it want to read? Does it want to get access to your location? Does it want this access always or only when you are working with the program? Does the requested data match the app's usage capabilities (for example, giving a game app access to your location could be unnecessary)?
Are public wifi networks (hotel, café, airport etc.) dangerous?
When a device is connected to an open wifi network, the communication between the device and the wifi access point is not encrypted. This means that anyone with the appropriate knowledge can record the data traffic of other devices and, in a worst-case scenario, access data and then misuse it, unless the connection between your device and the actual website itself is specially encrypted. You can recognize this by the "key lock icon" in the address bar.
In addition, there is theoretically also the risk that the operator of the network will record the data traffic.
If you are in a public or generally untrusted wifi network, you can use the university's VPN service to establish a secure encrypted connection between your device and the university. When using the full tunnel, all traffic from your device will first be routed to the university in encrypted form and then, if necessary, on to the destination if it is outside the university network. Other users or the operator of the public WLAN can then no longer read your data traffic in plain text.
Contact
If you have any questions or problems, please contact the RRZK-Helpdesk