Information Technology Centre

IT security incident measures

Despite all preventive measures to protect against viruses, trojans and phishing mails, you too can fall victim to cyber criminals in the university environment, whether your JMU account and password have been stolen, your credentials misused or your computer infected with a trojan. Basic rule:

Credentials stolen -> change password
Change the password of your JMU account and all other accounts that you use or have saved on your PC. In the event of a (possible) trojan infection, change your password via another PC - not via the suspect PC, as this may already be infected.

Trojan -> reinstallation required
Disconnect the suspect PC from the network (unplug the network cable, disable WLAN), back up your data and reinstall the PC. Employees should contact their network manager. Also change your password on another PC or on the newly installed PC.

For some scenarios, we describe the detailed sequence of measures to be taken:

As soon as a Trojan-infected PC is identified in the university network, these measures are initiated:

  1. The IT Service Center deactivates the affected user account and sets a new password
  2. The IT Service Center informs the responsible network administrator
  3. The PC must be disconnected from the university network (remove network cable, deactivate WLAN)
  4. The MAC address of the PC is blocked for access to the university network (IT Service Center, network manager)
  5. The PC must be reinstalled before it is reconnected to the university network via WLAN, LAN or VPN
  6. User account
    • The new credentials will be sent by house mail to the service address or can be collected in person at the IT Support
    • In order for the user account to be reactivated, the user must confirm that they are changing their password and that the change is being made via a PC that is not infected by the trojan.
    • Once the confirmation has been received by IT Support, the user account will be reactivated
  7. Access to the university network
    • The PC may only be reactivated for the university network after the reinstallation has been confirmed
    • The PC is re-enabled for network access (IT Service Center, network manager)

As soon as an identity theft becomes known in which a JMU account and password are misused, e.g. to send mass spam mails, the following measures are initiated.

  1. The IT Service Center deactivates the user account and sets a new password
  2. The IT Service Center informs the responsible network/IT system manager
  3. The new access data is sent by house mail to the service address or can be collected in person from IT Support - however, the user account remains blocked
  4. If the stolen credentials have been circulated via an infected PC, the PC must be reinstalled. For further measures, see "Infection with Trojans"
  5. If the user is aware that they have recently entered their credentials on a phishing site and thus disclosed them, they can refrain from reinstalling their PC for the time being. However, the user should pay particular attention to other anomalies in order to recognise a possible trojan at an early stage. In the event of anomalies, the network/IT system administrator or the IT Service Center must be informed.
  6. The user account will only be reactivated by the IT Service Center if the network/IT system administrator contacts IT Support

For users with an Exchange mailbox (Outlook):
Check your rules in Outlook. Delete unknown rules that do not originate from you. Hackers often leave rules that delete all incoming mails, for example.

If you have entered your credentials on a phishing site or sent them via a phishing e-mail, these measures are necessary:

  1. Set a new password for your JMU account as soon as possible. You must never use the stolen password for your JMU account again in future.
  2. It is not necessary to reinstall the PC for the time being. However, it cannot be guaranteed that no malware has been introduced onto the PC.
  3. You should therefore pay particular attention to other anomalies in order to recognise a possible trojan at an early stage. In the event of anomalies, inform the person responsible for the network/IT system or the IT Service Center.

For users with an Exchange mailbox (Outlook):
Check your rules in Outlook. Delete unknown rules that do not originate from you. Hackers often leave behind rules that delete all incoming mails, for example.
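
The rule check described for Exchange mailboxes in both scenarios above can also be done in bulk by an administrator. The following is an added example, not part of the original page or a tool of the IT Service Center: it flags rules that delete every incoming message and, going beyond the page's own example, rules that forward mail to outside addresses. It assumes the rules were exported as JSON in the shape produced by `Get-InboxRule | ConvertTo-Json`; the domain `example.edu` and all sample rules are constructed placeholders.

```python
import json
import re

INTERNAL_DOMAIN = "example.edu"  # hypothetical placeholder for the home mail domain
# Subset of Get-InboxRule condition properties; a rule with none of them set
# matches every incoming message.
CONDITIONS = ("From", "SubjectContainsWords", "BodyContainsWords", "SentTo")
FORWARDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed sample in the shape of `Get-InboxRule | ConvertTo-Json` output;
# rule names and addresses are invented.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "From": ["news@example.org"], "MoveToFolder": "News"},
    {"Name": ".", "DeleteMessage": True},
    {"Name": "Old list", "SubjectContainsWords": ["[old-list]"], "DeleteMessage": True},
    {"Name": "Sync", "ForwardTo": ['"Backup" [SMTP:backup@mail.example.net]']},
    {"Name": "Deputy", "RedirectTo": ["colleague@example.edu"]},
])


def is_unconditional(rule):
    """True when no condition is set, so the rule fires on all mail."""
    return not any(rule.get(field) for field in CONDITIONS)


def external_targets(rule):
    """Addresses the rule forwards or redirects to outside INTERNAL_DOMAIN."""
    targets = []
    for field in FORWARDS:
        for entry in rule.get(field) or []:
            for addr in re.findall(r"[\w.+-]+@[\w.-]+\w", entry):
                if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                    targets.append(addr)
    return targets


def audit_rules(export_json):
    """Return (rule name, reasons) for every rule that needs a manual look."""
    findings = []
    for rule in json.loads(export_json):
        reasons = []
        if rule.get("DeleteMessage") and is_unconditional(rule):
            reasons.append("deletes all incoming mail")
        external = external_targets(rule)
        if external:
            reasons.append("forwards to external address " + ", ".join(external))
        if reasons:
            findings.append((rule["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_EXPORT):
        print(f"REVIEW {name!r}: {'; '.join(reasons)}")
```

A flagged rule is only a candidate for review: the mailbox owner still has to confirm whether the rule originates from them before it is deleted.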

Anyone who clicks on a link in a phishing email runs the risk of their PC being infected with malware or having their data spied on. Unfortunately, it is impossible to predict the criminal intentions behind the phishing mail. Changing the password and reinstalling the PC are the most effective measures.

If the fraudsters "only" obtain credentials via the link, the following measures are sufficient:

  1. Set a new password for your JMU account as quickly as possible. You must never use the stolen password for your JMU account again in future.
  2. It is not necessary to reinstall the PC for the time being. However, it cannot be guaranteed that no malware has been introduced onto the PC.
  3. You should therefore pay particular attention to other anomalies in order to recognise a possible trojan at an early stage. In the event of anomalies, inform the person responsible for the network/IT system or the IT Service Center.

Changing your password is not enough if malware is installed via the link. For further measures, see "Infection with trojans". In case of doubt, contact the IT support of the IT Service Center directly to clarify how to proceed.

The risk of malware being installed on the PC via an opened email attachment is relatively high.

The attachments can disguise themselves as a supposed invoice, reminder, application etc. and come in a wide variety of formats. Not only exe or zip attachments are dangerous, but also all others such as doc, docx, xls, xlsx or html can be infected or download malware.

The PC should therefore be reinstalled. For further measures, see "Infection with trojans".

If you have replied to a phishing email without revealing your password, we recommend the following measures:

  1. Set a new password for your JMU account as soon as possible. You must never use the stolen password for your JMU account again in future.
  2. You should pay particular attention to other anomalies in order to recognise a possible trojan at an early stage. In the event of any anomalies, inform your network/IT system administrator or the IT Service Center.

As soon as it becomes known that the credentials of a JMU account, including the password, are publicly accessible via a data leak, the following measures are required:

  1. The user must set a new password for their JMU account. The stolen password may never be used for the JMU account again.

If the IT Service Center is aware that university identities and passwords are publicly available on the internet, we will inform the user.

You can inform the IT Service Center about IT security-relevant incidents via the IT security incident report.