Improved security for ETH IT-infrastructure
In order to improve the IT-security measures at ETH, plans are underway to implement new services for helping to detect risks in IT-systems. This helps to protect IT-systems and data from abuse.
It can happen quickly: you click on a link in an email that appears harmless at first glance, and suddenly ransomware is installing itself in the background. Ransomware is malicious software that encrypts data on vulnerable computers or even extensive parts of an IT network. Cybercriminals then hold the data for ransom, trying to extort individuals or organizations by claiming that they will decrypt the data in exchange for large sums of money. Normally backups and security tools are sufficient for restoring the lost data, but this requires that the data had already been properly secured beforehand.
When your computer becomes a threat
If your computer is updated with the latest anti-virus software and using the most current operating system and software applications, then chances are good that typical attacks from ransomware and other malicious code will be recognised and blocked from installation on your machine.
If that isn't the case, however, then it's not only your data that’s at risk, but also the data of other vulnerable systems. This means that a computer that is connected to the ETH network (either directly or via VPN (Virtual Private Network)) and infected with ransomware or other malware poses a serious threat to the IT devices and data of others in the ETH community. It doesn’t matter whether it's a private IT device like a laptop, mobile phone or tablet or a device issued by ETH Zurich.
How can these kinds of vulnerabilities in the IT infrastructure be identified before they are exploited by attackers on a large scale? The only way to substantially reduce the risk of falling victim to cyberattacks is to quickly identify and close any points of entry that could be used by malicious actors.
How can ETH Zurich’s IT infrastructure be better protected?
The university is currently reviewing options for implementing a service that can check for these kinds of technical vulnerabilities. The goal is to identify weaknesses on devices connected to the ETH network in order to keep up to date with the latest IT security standards and requirements.
The Acceptable Use Policy for Information and Communications Technology (BOT) underwent a partial revision in order to provide a legal basis for this move. The new version of BOT entered into force on 1 June 2021 and contains provisions that make it possible for ETH to improve its monitoring activities with regard to vulnerabilities in university IT resources (BOT Section 6, Article 18–20bis). The updates to the policy have laid the groundwork for ETH to introduce a vulnerability management system that monitors IT systems in the university’s network for compliance with the latest patches and updates.
In the event of acute cyber threats, BOT expressly permits the responsible IT operator (e.g., the IT Support Group of the department) or the IT Security Officer of IT Services to order, on behalf of the Chief Information Security Officer (CISO), that security updates be installed immediately (BOT Article 20bis para. 3). This authority has been granted to protect ETH Zurich's technical infrastructure from malicious attacks.
Does this mean that ETH will be checking what I'm doing on my computer in the future?
No. This new kind of system monitoring has nothing to do with accessing your private data or watching your workplace activities. The monitoring will solely focus on the technical condition of IT devices connected to the ETH network.
How can vulnerabilities of an IT device connected to the ETH network be detected in the future?
According to the updated policy (BOT Appendix No. 3, para. 1bis), IT Services is permitted to record and analyse data not connected to individuals by name (anonymous or pseudonymous data) in order to monitor IT security and potential risks in IT resources (e.g., compliance with latest patches and updates, virus protection notifications, vulnerability scans). On behalf of the CISO, IT Services may carry out these checks at any time.
What else do I need to know?
The revised version of the BOT applies not only to the use of the entire IT infrastructure at ETH and all ETH devices, but also to outsourced services such as cloud storage platforms (BOT Article 3). The updated policy also applies to any private IT devices that are hooked up to ETH’s data network.
Tips to protect your data
- Always install updates for the latest firmware, operating system, software and apps as soon as you can.
- Use virus protection software and verify that it is updated regularly in the background at least once per hour.
- Be sure to have regularly scheduled backups of your data and keep the backups in different places.
- You should occasionally check whether your backed-up data can be restored. Whenever possible, use a professionally managed backup service (from IT Services or your IT support team). This is the best and most reliable way of securing your data.
- Use secure passwords and change them immediately (using a safe computer) if you suspect that there is malicious software on your computer. Never reuse the same password.