Security Tips
Common Sense Principles:
- Do NOT disclose any personal or QU confidential information unless it is absolutely necessary and given to the appropriate party
- Do NOT leave sensitive information lying around your workspace.
- Do NOT install unauthorized or unlicensed applications.
- Always lock your computer before you leave it
- Always ensure that anti-malware software is running and is up to date
- Always verify before you allow someone access to a work area where sensitive information is handled.
Passwords:
- Do NOT use an easy to guess password
- Do NOT share your password with anyone, even your supervisor or best friend
- Do NOT use the same password for work and personal accounts
- Do NOT write your password and leave it where others can find it
- Do NOT use a public computer to log on to sites with sensitive information (e.g. bank)
- Do use strong but easy to remember passwords – strong passwords have letters (upper and lower case), numbers, and symbols
Email, Instant Messaging, and Web Surfing:
- Do NOT click on links that you receive in email messages unless you are absolutely sure they are safe.
- Do NOT respond to email messages or phone calls that request personal or confidential information.
- Do NOT send confidential information from work by email without proper authorization
- Do NOT send confidential information to hosted personal email accounts such as Gmail or Yahoo!
Social Networking – Don’t Expose Yourself:
- Golden rule #1: If you do not want the world to see it, do NOT post it!
- Golden rule #2: do NOT allow others to break the first rule for you. Do NOT share with them what you do not want the world to see!
- If you hold an important position, you are a prime target for attackers. Follow rules #1 and #2 closely.
Report Suspicious Activities:
- If you think that sensitive information has been exposed
- If you’re not sure about the safety of a message that you received
- If you think your computer has been compromised or hacked
- If you have other questions related to information protection
- If you receive a well-crafted message from anyone at Qatar University that asks for personal account information including passwords, bank accounts, etc.
Contact the ITS Help Desk by phone at (+974) 4403-3456 or by email at helpdesk@qu.edu.qa
Electronic mail is often used by cyber criminals to spread malware among users in an organization. Some email messages are so well crafted that even IT professionals fall for them. Email security is further complicated by the fact that a recipient cannot be absolutely sure about the identity of the sender.
An improper response to an email message can bypass all security measures that a person or organization may have put in place. No matter what malware protection or network security protection technique is used, all it takes is one person responding to an email with personal or other sensitive information, or simply clicking on a link that takes them to an attacker's web site.
There are plenty of examples in the media of accounts being stolen and data security breaches that, when investigated, turned out to be the result of one person making a simple mistake.
Phishing
Phishing commonly refers to a method of collecting information by luring users into disclosing information or following a link that may lead to infecting a person's computer with spyware or other forms of malware. In a typical scenario, a user receives an email that requests personal information such as username or password. It may also claim to be from a system administrator and ask the user to follow a link and enter personal account information. Such details are then used to access personal or institutional resources where important and confidential information is stored.
"Spear Phishing" is a special case of phishing where the email message targets a specific individual or organization. Such messages are very well crafted and sometimes include personal or confidential information that is not publicly available. The sender is simply trying to gain the trust of the recipient and is luring them to provide even more sensitive information or access.
Vishing
Vishing, or Voice Phishing, is similar in principle to Phishing, except that the would-be intruder calls the victim and tries to manipulate them into disclosing additional information. For example, someone may call and ask for a specific person, provide their name, address, and phone number, and then pretend that s/he is trying to complete their application for a free credit card; all they need is their personal ID number, bank account information, etc. The information gained from such a conversation can later be used to dig deeper into personal or institutional information that is more sensitive in nature.
Safety Tips
Pay extra attention to the following guidelines and recommendations:
- Do NOT click on links that you receive in email messages unless you are absolutely sure they are safe.
- Do NOT respond to email messages or phone calls that request personal or confidential information.
- Do NOT send confidential information from work by email without proper authorization
- Do NOT send confidential information to hosted personal email accounts such as Gmail or Yahoo!
- Verify the identity of the person/people requesting information
Report Malicious Activities
If you are the target of such attempts, please report this to us as soon as possible. We will then investigate the case further, identify any other potential victims, and take other action to protect against these attempts.
Internet access has become an integral part of our life. Unfortunately, the many benefits of the Internet come with many risks to our privacy.
Cyber criminals are a constant threat to our privacy and our resources. They are always on the lookout for personal information and resources that they can use to their benefit, financial and otherwise. In addition, many of these criminals are searching for computers that they can use to attack other sites and computers, so they develop programs that they can drop on a user's computer and use at a later time to launch their attacks.
The threats of cyber criminals are constantly on the increase, and we must be very cautious when we browse the Internet.
Safe Browsing
Most modern browsers provide some protection mechanisms such as pop-up blockers or known malicious site lists. However, these mechanisms are ineffective if the user chooses not to use them or follow their recommendations.
You, the user, can take some steps to minimize the risks associated with Internet browsing:
- Keep your browser up to date
- Do not install plugins, extensions, or add-ons unless you absolutely need them. Remove the ones that you do not use.
- If you install such browser add-ons, make sure they are kept up to date
- Enable your browser's built-in protection mechanisms and follow their recommendations
- Only visit reputable web sites; many modern browsers and anti-malware programs have a way to recognize well-known malicious sites
- Make sure that your computer has anti-virus and anti-malware software installed and constantly updated
- Follow the other security tips provided elsewhere on this site
Dangers of Social Networking
Social networking sites such as Facebook, Instagram, Twitter, YouTube and others introduce other risks to your privacy and information protection.
If you use social networking sites, follow these simple guidelines:
- Do not post any personal or confidential information on any public web site
- Be careful what you post online. If you don't want the world to see it, don't post it!
- The personal information that you share with others can be used by cyber criminals to steal your identity. Guard it closely.
- Do not allow others to use your accounts
- Do not trust requests from strangers, or even friends, before verifying their identity.
- Review the privacy policy and settings of your social networking web sites. Many of them change without informing the user.
- Practice common sense in what you post online. Do you really want your employer to see what you post?
- The last point is especially important if you are looking for a job. Many hiring agents nowadays search the Internet for information about potential employees. Do you want them to see what you share with your friends?
- Beware of posting information that allows others to track you and find your location. Your life or property could be endangered if they know they can take advantage of the information.
- If you hold an important position, you should be extra careful. You are a prime target for attackers.
When handling Qatar University institutional information, please follow these guidelines:
- Keep in mind the terms and conditions of the Confidentiality Agreement that you signed. If you have not signed one already, you should contact Human Resources and do this immediately.
- Understand the sensitivity of the information that you are handling
- Do not store sensitive QU information on unauthorized or personal devices
- If you need to send sensitive information by email, use some encryption mechanism to protect its privacy and confidentiality.
- Never send sensitive information to public personal email accounts such as Gmail or Yahoo!
- Never store sensitive information on public sites or public cloud services such as DropBox, Apple's iCloud, or Google Drive, unless you have taken proper precautions such as encryption and management approval
- Don't share sensitive information with others before authenticating their identity and always do it in a safe manner.
- Be extra careful when storing sensitive information on USB or other movable media. Encrypt it at all times to limit the risk in case the media is lost or stolen
- Beware of exchanging USB memory sticks and ensure that programs do not automatically start from such devices
- Be extremely cautious before using USB sticks that you may have found, received as part of a promotion, or received from a stranger.
- Always ensure that you have multiple copies of original work, in case your computer or media are damaged, lost, or stolen
- Do not install unauthorized software on your work computer
- Do not leave documents with sensitive information lying on your desk where anyone can see or copy them
- Whenever you leave your computer, make sure you lock it. Ensure that your screen saver is password-protected as well.
Protect your Computer
The following tips apply to both your work and personal computers. Take them seriously, especially if you use them for both work and personal activities.
- Be sure that your system and applications are up to date, especially with respect to security patches and releases
- Turn on automatic updates on your system
- Keep your computer clean; uninstall unused or unnecessary programs/applications. You may use some freely available tools to help you in this regard. See the tools and resources section for additional information
- Make sure that your system's personal firewall is turned on at all times
- Install a good anti-virus/anti-malware program/application and make sure it remains updated
- Limit your use of browser plugins/addons/extensions. If you must use them, ensure they remain updated
- Use one of the freely available resources to check the health of your browser
- Consider turning on your browser's privacy settings to protect your online activities
- Maintain a list of all the programs/applications that are installed on your computer, in case you need to rebuild the system for some reason
- Back up your documents on a regular basis. Computer hardware and software failures and many malware infections can cause data loss. Make sure you maintain long-term backups, in case some of your files are infected
Identity theft is one of the dangers of losing personal information.
Identity theft is the term used when someone pretends to be you and is able to take actions as if you were taking them yourself. The harm from such actions ranges from someone sending an email message pretending to be you, to the perpetrator stealing money from your bank account or obtaining and using credit cards in your name and going on a spending spree.
The circle of damage may extend further to gaining access to your confidential records and to resources to which you have access, both at work and at home.
The potential damages from such actions are enormous, and they can be very difficult, if not impossible, to repair.
Sources of Personal Information
Nowadays, the majority of our personal information is available in an electronic format and stored in various places such as our own computers and on other institutions’ computers with which we deal on a regular basis. These institutions may include government agencies, our workplace, schools, universities, banks, online retailers, social media sites, etc.
Much of this confidential information is needed by others to conduct business with us, so we accept the risk of sharing it with them with the expectation of full privacy. With the explosive growth of the Internet and social media sites, we tend to share personal information with the world at large. This includes locations, travel plans, photos, contact information, family and other relations, etc.
The Risks
With this wealth of information available online about a person, it has become relatively easy to “steal” one’s identity by providing information that was in the past very personal and unknown to many.
The threats to the confidentiality of such information are also increasing with time. There are many examples of security breaches in the news, many of which touch our lives in one way or another. In many cases, especially when financial institutions' systems are breached, our most confidential information is leaked to a world of criminals who use it for financial and other gains.
How do we Minimize the Risk?
There are many guidelines that we can adopt to help protect our information. Unfortunately, none of them guarantees full privacy and security. The best that we can do is not to expose our personal information to others, whenever possible. This can be a very difficult task, but here are some recommendations to guard our information:
- Before sharing any information with another person or entity:
- Make sure that you understand the reasons for sharing the information and what security measures are followed to protect its privacy.
- Understand the sensitivity of the information that you are providing. If applicable, follow the guidelines set by the data owner to secure the information.
- Share only the information that is required to conduct business with others.
- Tip: When answering personal questions, share answers that you use for that purpose only. If your Facebook page or your email template uses a lot of blue color, a person with malicious intent may think that your favorite color is actually blue. When asked about your favorite color as a privacy question, answer with "red" for example. This will minimize the risk of someone guessing your answer based on your publicly available information.
- Closely follow the security tips provided elsewhere on this site about best practices when choosing a password, communicating by email, surfing the Internet, and while doing other activities online.
- Contact us to report any suspicious activities.
Internet access has become an integral part of our daily lives, whether we are at home or on the road. We always find ourselves attached to work and have to dedicate some time to respond to work activities while traveling. Some of us travel on business, and this is really the target of this series of tips and guidelines.
While at home or work, you have a certain level of confidence in your network access environment. The story is different when you are on the road, however. Ask yourself these questions:
- Do I really know whose wireless network I am using?
- Are there any security controls to protect my data?
- Can I trust the provider?
- Is my hotel neighbor a hacker? How about people sitting around me in the airport?
- Could I be targeted because I posted on a web site that I would be traveling?
- Am I authorized to access work information over the Internet while traveling?
- If so, what security measures should I take?
- If my laptop or smart device is misplaced or stolen, do I have any data on it that may jeopardize its confidentiality and cause damage to the University's reputation and well-being?
These and other questions should always be on your mind when traveling, especially if you plan to do some work or you are on a business trip. We have put together a set of best practices and tips that should help you do your work in a protected manner while on the road.
Before You Leave
- Back up your data to a secure location and leave it behind.
- Password-protect any sensitive information that you may have on your device
- Encrypt your data on your computer and on the backup storage device
- Ensure that you know how to use the QU VPN service, in case you need to access QU resources from a remote location. Contact the ITS Help Desk for assistance in that regard.
- Make sure your system and applications are updated, especially your anti-virus/anti-malware software
- Turn OFF file and print sharing
- Consider purchasing a tracking application for your device in case it is misplaced or stolen
- Carry your devices with you on the plane and do not send them with other luggage
While Traveling
We are always tempted to connect to freely available "hotspots" or to the wireless network provided to us at the hotel or conference venues. This is fine, but it must be done in a secure manner:
- Ensure that the network to which you are connecting is truly the one provided by a legitimate provider
- Ensure that all your communications are encrypted, typically using "https", not "http". This is especially important if you are connecting to your personal or work email or sites.
- If you need to access University resources on the road, connect to the QU VPN first, then access them. This ensures that the communication is private (encrypted) and that it is not susceptible to eavesdropping.
- Be extra cautious of updates to your system, applications, and web browser add-ons.
- Do NOT use someone else’s computer or publicly available computers; assume they are insecure and may have malware that is designed to steal your credentials and information.
- As a good practice, always lock your computer before you leave it in a secure area.
- Do NOT leave your device in a public location, even for a few minutes.
- Minimize your access to non-work related sites
- Should you lose your device, report it promptly
Contact us if you have any questions related to the above, or to report a lost or stolen device.