IT security

• If possible, use secure WLAN networks such as Eduroam and not the public WLAN network in cafés or the subway.
• Always use your LMU email address for your "university correspondence". This way, the recipients can make sure that you are you - because a free email address in your name can be created quickly.
• Stick to the infrastructure of LMU and LRZ, DFN always, as long as this is possible. These services have been checked under data protection law and have a very high level of protection. The services Sync and Share for exchanging files, the Zoom video conferencing systems or LRZmeet are available. Overview of LMU's central IT services

Use a different password for each account. When you create a new password, choose between the two options.There are two types of strong passwords:

• Long and less complex: Use at least 25 characters, two-character types are sufficient.Example: UniMontagProfessorinPrüfungsamt or lernen_handy_netflix_sonnenschein.
• Shorter and more complex: Use at least 8 (but preferably more) characters and combine four types of characters. Example: o&B45hH-§

FurtherTips:

• Choose your password wisely - i.e. no names or dates of birth, no keyboard patterns or key sequences that you would expect (1234abcd).
• It is not necessary to change a password regularly - if this is secure. You can check whether your password has already been compromised on sites such as HPI Identity Leak Checker (https://sec.hpi.de/ilc/search?lang=en) or https://haveibeenpwned.com.
• If possible, use multi-factor authentication (MFA)
• More information on secure passwords

Having many passwords may become confusing. Password managers that allow you to manage all your passwords securely have proven to be very useful. LMU staff use KeePass, an open source tool that encrypts and stores password information in your local device.
Please note the following points:

• Do not let anyone gain access to your passwords. This also means that you should not "hide" any notes with passwords under your keyboard or in your desk drawer.
• Do not reveal your passwords to anyone. Not even exceptionally to colleagues or friends.

• Do you suspect that your password has been compromised? Change it immediately!
• If you suspect that your LMU user ID has been hacked or suspect a data protection incident or misuse related to it, you are also welcome to contact the IT Service Desk.
• You can find out whether your email account or password has already been compromised by a data leak or hacker attack on the following websites:
  https://haveibeenpwned.com (external link) or on the website of the Hasso Plattner Institute at https://sec.hpi.de/ilc/search?lang=en (external link).
• LMU and the Leibniz Supercomputing Centre (LRZ) regularly check whether passwords, including those for the LMU user ID, appear in lists of leaked passwords. If this the case, users will be contacted and asked to change their password.

Further information on creating secure passwords can also be found on the website of the Federal Office for Information Security (BSI) at https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Sichere-Passwoerter-erstellen/sichere-passwoerter-erstellen_node.html.

Be careful when clicking on links in emails! Phishing is not always easy to recognize. These suspicious issues should raise red flags:

The sender

• The email address is unusual (e.g. "support.lmu@gmail.com" instead of "@lmu.de")
• A known sender suddenly has a different name

The content

• Seems urgent or threatening, you should act immediately, otherwise you could face problems such as de-registration or inactivation of your account
• Prompts you to send confidential data, e.g. account details or passwords

Attachments or links

• Hover with your mouse over the link: does it look like a legitimate LMU address?
• Does the email have an attachment that you are not expecting?
• The The format of the attachment is eg. exe, .zip or .docm

The text is one of the following

• Full of grammatical or spelling mistakes
• Does not address you by your name?
• Looks or reads unprofessional

If an email seems strange to you, then

• Do not click on links
• Do not open any attachments
• If necessary, ask the sender directly (do not click on "Reply"!)
  

• Use up-to-date virus protection and always use the latest version of the operating system software

Unfortunately, IT devices are often lost or stolen. But it's not just the device that's gone - often your data may be gone too.

• Only allow data access with a password
• Encrypt your data. More information on: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Daten-sichern-verschluesseln-und-loeschen/Datenverschluesselung/datenverschluesselung_node.html

• Even if you only leave your workstation for a short time or put your device aside lock the device manually. For Windows PCs, press the "Windows" and "L" keys simultaneously. For Mac devices, press "ctrl" + "cmd (Mac key)" + "Q"
• Do you work with sensitive data and travel a lot? Then a data protection film makes sense. It prevents strangers next to you or behind you from spying on your data.

Only share your sensitive data necessary. Anything you disclose about yourself can be used to your disadvantage. Only share information about yourself if this is really needed - especially if you do not trust the data recipient. Ask yourself, is this really necessary?

• Posts about yourself on social media
• Information that is requested in some forms
• Sharing sensitive information in public spaces, e.g. in the subway

Take advantage of training opportunities to become fit in topics related to IT security.

The German Federal Office for Information Security (BSI) offers a free online course based on the IT baseline protection compendium. The course is aimed at beginners and teaches the basics of information security. It is also suitable for students who want to familiarize themselves with the topic.

Access: BSI IT-Grundschutz training courses

Well-prepared and very comprehensive online training that can be used by everyone.
Access: https://secaware.nrw

Train your ability to unmask suspicious emails
Remember not to enter your real name and email address when registering!
Access: https://phishingquiz.withgoogle.com