Security is in your hands

Virtually all areas of life today are shaped by information technology. This makes many activities easier for us, but it also harbours dangers. By behaving correctly, you make an important contribution to the security of data and infrastructure. Astronaut "Cybie" and his Trabant "Digi", the stars of the new awareness campaign for IT security in the Federal Administration, will give you helpful tips.

 

Me!

You are of interest. Great – but do you also know why?

Human error as the weak spot

Cyber criminals do not always gain access to sensitive data by exploiting security vulnerabilities in hardware or software. Often, human error is the weak spot that is exploited to penetrate IT systems. The perpetrators take advantage of the inattentiveness, helpfulness or good faith of employees and private PC users to achieve their goals.

Social engineering - methods and tricks

In "social engineering", unsuspecting people are manipulated into taking certain actions by means of psychological skill and the pretence of an emergency. Some perpetrators contact people specifically in order to persuade them, for example, to disclose passwords, download files or connect infected flash drives. In this way, attackers are able to bypass all IT security measures with relatively little effort. Many victims are easily tempted into ill-considered actions, particularly when the sender appears trustworthy but is bogus, such as a bank, the police, IT support, an indirect superior or a mutual acquaintance.

Examples of social engineering attacks:

  • By telephone:
    fake IT support staff want to help protect the PC from hackers or purge it of viruses and demand access data, or purported survey institutes ask for details on personal data, passwords, credit card information etc.
  • Fake-president fraud:
    employees are contacted personally by email (with deceptively real-looking email addresses), text message or social media and urged to send passwords or information to the supposed superior as a matter of urgency, to deposit keys etc.
  • Phishing:
    widely distributed phishing emails tempt recipients to enter passwords or other sensitive data on websites. Email attachments or links can hide malware that is automatically installed on the victim's PC.
  • Smuggling flash drives into businesses:
    infected flash drives, which criminals send by post or hand in personally, are meant to be connected to PCs by employees. Malware such as viruses, Trojans, etc. can thus get into the company.
  • Social media scams:
    perpetrators carry out intensive research on people via the internet and social networks, gain trust as "friends", and persuade their victims to take ill-considered actions such as releasing passwords, transferring money, etc.

Proper conduct in the case of social engineering

Technical protective measures are of little help against social engineering. Awareness and vigilance, however, are helpful. Training employees and private individuals and raising their awareness is therefore very important. It is not only naive ICT users who become victims of social engineering; just a little carelessness or rashly provided assistance is enough to place sensitive data in the wrong hands. It can happen to anybody.

Healthy mistrust is therefore always appropriate!

  • Social media:
    critically question who you become friends with and what information (especially business information) you reveal.
  • Telephone:
    if the person calling is a stranger, sensitive information must not be passed on under any circumstances. Care should be taken even with acquaintances. Microsoft, banks and other companies never call to "solve a problem".
  • Emails:
    do not open email attachments from unknown senders. Take a close look at whether the address is correct, and be careful with similar-sounding senders and even with senders you know.

In general, the following applies:  

  • all employees must know how to behave in the event of contact attempts and requests from unknown persons.
  • never disclose passwords to anyone.
  • never connect someone else's flash drive to the PC.
  • do not allow unknown persons access to buildings (leaving doors open, etc.).
  • do not leave old files, hard disks, documents etc. lying around; destroy them in the correct way instead.

 


Remark:

The ICT Security campaign is aimed at employees of the Federal Administration. Of course, a lot of information and tips also apply to users outside the Federal Administration. 

Last modification 04.05.2019
