Security Incident FAQ
Use the following questions and answers to learn more about IT security incidents and reporting. If you don't see your question or would like some clarification, contact the IT Support Center.
- What is an IT security incident?
- How do IT security incidents affect me?
- Why is it important to report IT security incidents immediately?
- How can I tell whether something qualifies as an IT security incident?
- How can I tell whether my computer is infected?
- How can I tell whether someone else has been using my UDelNet ID and password?
- How do I identify a phishing message?
- What do I do if I suspect an IT security incident has occurred or will occur?
- What do I do if my computer is infected?
- What do I do if I suspect someone else has been using my UDelNet ID and password?
- What do I do if I receive a phishing message?
- What do I do if my device is lost or stolen?
About IT security incidents
1. What is an IT security incident?
An information technology security incident (IT security incident) is any event that could lead to the compromise of an IT resource's confidentiality, integrity, or availability. Examples of IT security incidents include:
- An IT device being lost or stolen
- A data breach
- A member of the campus community falling for a phishing scam
- A UDelNet password being cracked or stolen.
2. How do IT security incidents affect me?
IT security incidents present legal, financial, and reputational risk to the University. If an IT security incident leads to a breach of University data, then the individuals represented by that data could become the victims of identity theft, intellectual property theft, or other harm, and the University itself may face its own legal, financial, and reputational setbacks. The University as a whole has an obligation to protect the confidentiality, integrity, and availability of the information it accesses, processes, stores, and transmits in order to protect the individuals and groups that information represents.
All members of the University community have a responsibility to protect the IT resources they use, including the University network, University computing equipment, and University information. When you protect IT resources, you're helping to protect not only your own personal information, but the information of every other member of the University community and more.
3. Why is it important to report IT security incidents immediately?
When an IT security incident occurs, IT resources are at risk of being exploited. This could potentially mean that University or personal information is exposed or that devices are being hijacked for further attacks. Reporting IT security incidents immediately gives us the best chance of identifying what occurred and remediating it before IT resources can be fully exploited.
If you suspect or observe that an IT security incident has occurred, report it immediately.
Identifying an IT security incident FAQs
1. How can I tell whether something qualifies as an IT security incident?
An IT security incident is any event that threatens an IT resource's confidentiality (how private it is), integrity (how authentic and trustworthy it is), or availability (how accessible it is to those who need to use it).
To determine whether an event qualifies as an IT security incident, think about whether it could possibly lead to someone gaining unintentional, unlawful, or unauthorized access to University information, the University network, IT devices, or University information systems. Any event that could have these outcomes is an IT security incident, even if none of these outcomes have resulted from it yet.
For example, providing your UDelNet password on a fake login form or in a reply to a phishing email is an IT security incident. By using your UDelNet ID and password, a hacker could gain access to the University's network and information systems, including email, where he or she could find sensitive information or launch an attack by posing as you. Likewise, a stolen device could provide a hacker with access to your sensitive personal and University information.
2. How can I tell whether my computer is infected?
There are many kinds of malware, and each affects computers differently. However, there are some common warning signs that may indicate that your computer has been compromised. Be wary if your computer
- seems abnormally slow to respond
- is suddenly unable to connect to network services
- seems to be launching unusual or suspicious applications, processes, or services or behaving unpredictably
- shows unusual activity in system or firewall logs
- has suddenly begun disabling security features or changing other settings
- is taking you to unusual webpages when you browse the internet
- is displaying popups, especially for programs that you didn't download
- is prompting you to download something from an unverified third party
- is launching or showing programs that you didn't install.
3. How can I tell whether someone else has been using my UDelNet ID and password?
If you notice unusual activity on your UDelNet account (for example, your settings appear to have changed or your account has been sending mail that you yourself did not write or forward), then report the incident to IT. It's possible that someone else has gained access to your account and may be using it.
If you suspect that you may have provided your UDelNet ID and password to somebody else, whether intentionally or unintentionally, then report the incident to IT immediately. Your account must be protected from both potential and actual misuse, and the suspicion that your UDelNet credentials have been exposed is enough to warrant protective action.
Never use your UDelNet ID and password to register for non-University services or accounts. Your UDelNet password in particular should never be used on other accounts, including social media and commercial accounts. Never share your UDelNet credentials with anyone else.
4. How can I identify a phishing message?
As with malware, phishing messages take many forms, and learning to identify them helps protect your data and devices from hackers. Some threaten victims with an account shutdown or even legal action if they fail to comply with the scammer's demands. Others promise rewards to victims who are willing to surrender their banking information. Still others pose as "routine maintenance" and request your credentials to confirm your identity or update the systems. But all of them are just clever ways to steal your data—and possibly your money and identity.
Most common phishing messages include some combination of
- an illegitimate or unfamiliar sender
(for example, email coming from a yahoo.com account claiming to be IT)
- a guise or pretext that makes the message seem legitimate
(for example, a signature saying "IT help desk," or an explanation that "IT" is performing "maintenance")
- urgency, especially by demanding that you take action to avoid consequences
(for example, providing your account information in order to avoid having your email account shut down)
- suspicious links that lead to fake or unofficial websites
(for example, "www.udel.biz" or "microsoff.com")
- requests for your personal information or credentials
(legitimate businesses will not ask you to provide this information through email)
- unsolicited or suspicious attachments
(for example, a .zip file named "files you asked for" or an attached "speeding ticket")
- inconsistent information
(for example, different dollar amounts in an "invoice" or a subject line that doesn't match the content of the email)
- poor spelling and grammar
(for example, missing words or "broken English").
In addition to these tell-tale signs of phishing messages, you must also look out for spear phishing messages. Spear phishing is a particularly dangerous form of phishing in which the scammer uses stolen or official-looking logos, names, dates, and other information to trick members of a company or group into believing that the email is official. For example, a spear phishing message targeted at University employees might use the UD logo or claim to come from the provost.
If you have doubts about the legitimacy of an email, contact its alleged sender through a separate channel and ask about it. Don't reply to the email, don't click on links, and don't open attachments until you're sure that the email is legitimate.
Handling an IT security incident FAQs
1. What do I do if I suspect an IT security incident has occurred or will occur?
If you have reason to believe that an IT security incident has occurred or will occur, report it to IT Security. Your report should include as much information as possible about the nature, extent, and cause of the incident. The more information you can provide, the faster and more completely IT can investigate the incident.
If the IT security incident involved a lost or stolen device, notify Public Safety at (302) 831-2222. Notify IT Security if that device contained sensitive University information.
2. What do I do if my computer is infected?
If you suspect or have confirmed that your computer is infected by malware, follow these steps:
- Disconnect your computer from the University network. Do not turn off, reboot, or repair your computer; leave it on and running while the incident is investigated.
- Determine whether any sensitive University information or sensitive personal information is stored on or accessible from your computer.
- Notify IT Security about the incident, including as much detail as possible in your report.
- Await follow-up containing instructions on how to remediate the incident.
- Once the incident has been resolved, reconnect your device to the University network and resume regular use.
You should also ensure that McAfee VirusScan, which is licensed by the University and available for free to the University community, is installed, updated, and running on your computer.
3. What do I do if I suspect someone else has been using my UDelNet ID and password?
Enable two-factor authentication (2FA) for your UDelNet account to help protect it from unauthorized access.
4. What do I do if I receive a phishing message?
If you think you've received a phishing email, you can check the Secure UD Threat Alerts blog to see if the email has been identified as a known scam. If another member of the University community has already reported the phishing message, it will appear there in a blog post. If you don't see the message there, forward the email to email@example.com and erase it. Don't reply to the email, don't click on links, and don't open attachments.
If you think the email could be legitimate, but aren't sure, contact its alleged sender through a separate channel and try to verify it. Don't reply to the email, don't click on links, and don't open attachments until you're sure that the email is legitimate.
5. What do I do if my device is lost or stolen?
Report the lost or stolen device to Public Safety at (302) 831-2222.
If sensitive University information was stored on the device, notify IT via e-mail to IT Security.