An important part of maintaining a high level of IT security at the University is working to prevent, detect, and investigate IT security incidents. It is important that employees report to the University any incidents that risk affecting IT security negatively.
What is an IT security incident?
An IT security incident is something you encounter that can affect digital information, your IT environment or your user account in a negative way. This could be, for example, spam, phishing, malware, viruses, or intrusions or attempted intrusions. IT security incidents can occur when:
- You receive an email that looks strange
- You click on a link in an email that directs you to a questionable website
- You download files from an email or a website.
IRT is part of the security function at ITS
The ITS security function coordinates the University's IT security activities and is a support function for all issues regarding IT security. You can contact the security function via Servicedesk.
Incident Response Team (IRT) is part of the security function at ITS. IRT is a certified team that works actively to prevent, detect, and investigate IT security incidents at Umeå University. All IT security incidents should be reported to the IRT.
What to do if you suspect an IT security incident
If you suspect an IT security incident, you need to contact the Incident Response Team (IRT). Report all types of IT security incidents to: firstname.lastname@example.org.
If you have received a strange email, forward it to the IRT. If it's not email related, send an email and describe your issue in as much detail as possible.
It is important that you do not turn off or restart your computer, so that the investigation can make a correct assessment of the situation.
IRT coordinates the investigation, working closely with other units within ITS and local system administrators. Depending on the situation, you can receive help either from the IRT, Servicedesk or from a local system administrator.
What happens after you send a ticket to the IRT?
After you have sent a ticket to the IRT, they will assess your situation. Different situations will demand different types of actions. Examples of actions:
- If you forward an email to IRT, they will examine your message. IRT has, for example, access to a system that allows them to open emails, links and attachments in a secure environment that does not affect other systems.
- If the email contains spam, IRT tries to adjust the spam filters.
- If there is an ongoing intrusion, IRT may ask you to shut down your access to the network to prevent the intrusion from creating greater harm to the University's systems.
- If your email account sends spam, IRT can close the email account.
- If the University has discovered an incident that affects several parties, such as another university, the IRT can share information to stop an ongoing situation.
IRT can detect certain IT security incidents
Security incidents are sometimes also detected in other ways. Sometimes external parties report potential IT security issues to the IRT, and sometimes IRT discovers IT security incidents itself. IRT can detect security incidents, for example, when an email account suddenly starts sending more emails than allowed.
Frequently asked questions about IT security incidents
How do I prevent encountering an IT security incident?
There are many things you can do to avoid getting into a situation that affects your IT security negatively:
- Follow the IRT blog for Umeå University (Swedish only).
- Learn how to identify spam and phishing. Read more in the list below.
- Follow the advice in the Checklist for IT and information security.
- If you receive a strange email and you don't know if it's spam - forward it to the IRT.
How do I determine if an email is spam or phishing?
It can sometimes be difficult to decide whether an email is spam or phishing. Here are some things to look out for:
- Check the sender's email address. If the message appears to originate from an email account other than an official email address, it may be an attempt at phishing.
- Check links in the email. If you move your mouse over the link (no clicking!) you can see where the link leads. If the address leads to a website other than the official one, or if the link looks strange - do not click the link.
- Check the language. Phishing emails are often translated using a translation program, which means that the language is not completely correct.
- Visit the sender's official website. You can often find phishing alerts on companies' websites.
- If the email message appears to be from an actual person - contact the person and ask if they have sent you a message.
- Does the email request information from you? For example, if the email asks for login information, account information or personal information, then it could be phishing. Umeå University never sends emails asking you for your personal password.