IT Security Newsletter
IT security up to date
With this newsletter, we would like to regularly keep you up to date on current IT security topics and sensitise you to them. The aim is to help you identify digital risks at an early stage and deal with them confidently.
Look forward to practical tips, concise background information and helpful recommendations to make your day-to-day work in the digital world even more secure.
Why IT security?
Digital services and processes are used by everyone every day, whether in the office, working from home or on a smartphone while travelling. In an increasingly digitalised and networked world, working without them has become unthinkable for most people. Although this development makes processes easier, it also brings with it new risks that are unfortunately all too often underestimated. Even seemingly harmless actions such as opening emails, clicking on links or using weak passwords can give attackers access to digital information and systems. This information and these systems form the backbone of almost all business processes, from administration and communication to research and teaching. Even minor negligence can significantly impair or even completely prevent the operation of the university, which makes effective IT security essential.
Goals of IT security
IT security has the task of permanently ensuring the confidentiality, integrity and availability of information and IT systems. It encompasses all technical, organisational and personnel measures with the aim of protecting information and IT systems from unauthorised access, manipulation and failure. This is necessary to ensure that digital services and business processes function reliably and trustworthily.
What threats are lurking?
Cyber criminals usually pursue clear objectives: financial gain, espionage or sabotage. They steal or modify sensitive information such as research data, personal information or access data in order to use it for their own purposes, sell it or make ransom demands. Others simply want to damage the reputation of an institution or obstruct work processes, whether for political, economic or ideological reasons. What all attacks have in common is the search for weak points, usually favoured by carelessness in everyday life.
What can I do to protect myself and the University of Würzburg?
IT security is no longer an issue that exclusively concerns IT departments and experts, but rather a personal responsibility that each individual shares through prudent behaviour in everyday life.
Use strong passwords that are different for different services, check emails and links critically and carefully before opening them and always keep software and operating systems up to date. These and other measures can be found in the 11 golden rules for increasing IT security on the JMU website.
Probably the most important and most effective measure is awareness and conscious action. Many attacks do not succeed due to technical weaknesses, but through careless and uninformed use.
Published: 28.07.2025
Why (secure) passwords?
Despite the increasing use of additional security procedures such as multi-factor authentication (MFA) or FIDO standards, passwords are still often the first and, unfortunately, all too often the only security measure against unauthorized access to systems and data. In the same way that a physical key secures access to a room or safe, a password protects access to digital resources. Only those who have the corresponding key or know the password can access the protected content. As with keys, it is therefore extremely important that passwords do not fall into the wrong hands.
For that reason, it is essential to keep passwords safe and choose them in such a way that they cannot easily be guessed. This is because weak passwords are particularly vulnerable to the brute force method, wherein a large number of combinations are tried automatically over a short period of time in an attempt to guess the correct password. Once compromised, passwords often serve as a gateway for further cyberattacks and therefore pose a serious security threat.
What makes a password secure?
To prevent passwords from being easily cracked, they should always be chosen to be as complex as possible. For high complexity, passwords should contain a combination of different types of characters: numbers [0-9], upper- and lower-case letters [A-Z; a-z], as well as special characters [e.g., !, +, =, $, &, etc.]. Simple patterns such as names, common words, or dates should be avoided.
The length of the password is also crucial for security. Longer passwords are much harder to guess and provide significantly greater protection. Each additional character increases the time required to successfully guess the password many times over. We recommend using passwords with a minimum length of 12 characters – passwords with 16 or more characters are even more secure.
It is only by combining complexity and length that a high level of security can be achieved. A long but simple password as well as a complex but short password can be quickly determined through a brute force attack.
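The following is an added example that is not part of the newsletter. It turns the three rules above (character classes, length, no simple patterns) into a small policy check and shows why length and complexity have to go together: the keyspace a brute-force search must cover is the alphabet size raised to the length, so each extra character multiplies the effort. The guess rate of 10^10 per second, the mini-denylist of common words and dates, and the sample passwords are constructed assumptions; the keyspace estimate is only meaningful for randomly chosen characters, which is why a dictionary word is rejected by the pattern check rather than by its length.

```python
import math
import string

# Character classes from the recommendation above, with the size of each class.
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digits": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
}

# Constructed mini-denylist standing in for the "names, common words or dates"
# the recommendation warns about; a real deployment would use a large breach list.
COMMON_PATTERNS = ("password", "welcome", "qwerty", "admin", "1234", "2024", "2025")


def character_classes(password: str) -> dict:
    """Map each character class present in the password to its alphabet size."""
    return {
        name: size
        for name, (chars, size) in CLASS_SIZES.items()
        if any(c in chars for c in password)
    }


def keyspace(password: str) -> int:
    """Candidates a brute-force search must cover, assuming the attacker knows the
    length and which classes were used (a conservative, attacker-favouring estimate).
    Only valid for passwords made of random characters."""
    alphabet = sum(character_classes(password).values())
    return alphabet ** len(password) if alphabet else 0


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at the given rate (an assumed figure;
    real rates depend on the hash function and the attacker's hardware)."""
    return keyspace(password) / guesses_per_second


def contains_common_pattern(password: str) -> bool:
    """Reject dictionary words, names and dates: their keyspace estimate is meaningless
    because a wordlist attack never has to search it."""
    lowered = password.lower()
    return any(pattern in lowered for pattern in COMMON_PATTERNS)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """The newsletter's rule set: at least 12 characters, all four character
    classes present, and no simple pattern."""
    return (
        len(password) >= min_length
        and len(character_classes(password)) == len(CLASS_SIZES)
        and not contains_common_pattern(password)
    )


def compare(*passwords: str) -> list:
    """Side-by-side view: (password, length, classes, log10 keyspace, policy ok)."""
    return [
        (pw, len(pw), len(character_classes(pw)),
         round(math.log10(keyspace(pw)), 1) if keyspace(pw) else 0.0,
         meets_policy(pw))
        for pw in passwords
    ]


if __name__ == "__main__":
    # Constructed sample passwords: short but complex, long but simple, and one meeting both rules.
    for row in compare("Kx7$p!", "sonnenblume2025", "Kx7$pQ2m!vL9"):
        print(row)
```

Running the script prints one row per sample password; only the last one passes, because the first is too short and the second is a dictionary word plus a year.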
Furthermore, every password should be unique. Using different passwords for different services or accounts significantly reduces the potential damage if one of them were to be compromised. After all, you wouldn't use the same key for all your doors and safes. Losing that key would also have serious consequences.
Storing credentials
Remembering a secure password for each of your accounts can be challenging for most people. To still meet the requirements for secure passwords, you should therefore store your passwords in a secure place. For this purpose, we recommend using a password manager (also known as 'password safe').
A password manager is a tool that enables you to manage your credentials securely and efficiently. The stored credentials are protected by strong encryption within the password manager, meaning that only those who know the master password are able to access them. This means you can use a unique, secure password for each service without having to remember them all. You only need to remember the master password for the password manager itself. Of course, the master password must meet at least the same security requirements as all your other passwords. Please note that, although some browsers offer similar features, they do not meet the security standards of a dedicated password manager.
Find out which password manager best suits your needs here.
Published: 04.11.2025
What is multi-factor authentication?
Passwords have long been the standard for securing access, but in the face of increasing computing capacity and modern attack methods, such as phishing, they are proving increasingly inadequate as the sole means of protection against today’s security threats.
To prevent a compromised password from granting unauthorized users immediate access to systems and data, more and more services require at least one additional, independent layer of authentication alongside the password, such as authorization via an authenticator app. This is referred to as two-factor authentication (2FA), with the password forming the first factor and the authenticator app the second factor. If two or more factors are required, this is generally referred to as multi-factor authentication (MFA). It is, however, essential that the factors used are independent of one another and belong to different categories.
Categories of authentication factors
The factors used in multi-factor authentication can generally be divided into three categories: knowledge, possession and inherence.
A knowledge factor (“Something you know”) is based on information that is not publicly known and, ideally, is known only to the user, such as a password, a pattern or a PIN. The level of security provided depends largely on the secrecy and complexity of the information used (see newsletter: Secure passwords and password managers). In practice, however, these factors are particularly vulnerable to attacks such as social engineering or brute-force attacks.
A possession factor (“Something you have”) requires the possession of, or access to, a physical or digital authentication method, such as a smartphone or a hardware token. So-called one-time passwords (OTP) are frequently used here. These are randomly generated numerical codes or alphanumeric keys that are valid for a single login or transaction only and are usually sent to the user unencrypted via text message or email. A more secure variant of one-time passwords is the time-based one-time password (TOTP), where the code is generated locally on the user’s device (using an authenticator app or hardware token), thereby eliminating the need for transmission. Similarly, an authenticator app can be used to authorize a login or transaction directly via a push notification, either through confirmation or a numerical match (“Number Matching”). The highest level of security is provided by hardware tokens, with modern models (e.g., YubiKey) replacing outdated OTP variants. Thanks to current standards (e.g., FIDO2), they enable secure, and in some cases password-less, authentication through cryptographic methods. To enhance security, hardware tokens and authenticator apps are often secured with an additional factor, such as a PIN, password or fingerprint scan.
The inherence factor (“Something you are”) is based on unique personal characteristics of a user, which are verified, for example, through fingerprint scans, facial recognition or the comparison of other biometric features. These personal characteristics are, by their very nature, non-transferable and particularly difficult to forge, and therefore offer a very high level of security and usability.
Use and application of multi-factor authentication
The use of MFA creates additional barriers for attackers, as a successful attack requires overcoming two or more different factors simultaneously. This provides significantly enhanced protection against attackers, as a compromised factor, such as a leaked password, does not immediately lead to unauthorized access.
It should also be noted that not all authentication factors offer the same level of security. You should therefore choose your factors so that each factor on its own already provides an adequate level of protection. Avoid weak factors such as insecure passwords and OTPs sent via SMS or email, and instead rely (in addition to a secure password) on more secure methods such as authenticator apps and hardware tokens.
The use of MFA requires, depending on the factors chosen, certain hardware (a smartphone or hardware token) or software (an authenticator app). The loss of this hardware – and thus of the factor – can, in the worst-case scenario, prevent you from accessing services or accounts. A secure process for restoring or resetting the factor should therefore be established. This could involve either backing up the factor or the underlying factor secret or setting up an additional (alternative) factor that can be used in place of the lost one. Alternatively, when setting up MFA, some services offer the option to generate backup or recovery codes, which can then be used once for recovery in the event of factor loss. It is important that factor backups and recovery codes are stored reliably and securely – ideally in a password manager.
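The following is an added example that is not part of the newsletter. It shows the recovery-code mechanism described above from the service's side: a handful of random codes is generated once at enrolment and shown to the user, the service keeps only salted, slowly hashed copies, and each code is deleted the moment it is redeemed, so it works exactly once. The code format, the alphabet without easily confused characters and the use of PBKDF2 are the example's own choices, not a description of any particular service.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (0/O, 1/l/I); a constructed choice.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 8, groups: int = 2, group_len: int = 5) -> list:
    """Create `count` random codes such as 'k7mpq-x2vw9'. They are shown to the user
    once, at enrolment; the user stores them, ideally in a password manager."""
    return [
        "-".join(
            "".join(secrets.choice(ALPHABET) for _ in range(group_len))
            for _ in range(groups)
        )
        for _ in range(count)
    ]


def normalize(code: str) -> str:
    """Tolerate the formatting a user is likely to type: case, spaces, dashes."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash, so a copied database does not yield usable codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record of one user's codes: only hashes are kept, and a code is
    removed the moment it is redeemed, so it can be used exactly once."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self._hashes = [hash_code(c, self.salt) for c in codes]  # plaintext is never retained

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        candidate = hash_code(submitted, self.salt)
        # Compare against every stored hash so timing does not reveal which slot matched.
        matched = None
        for index, stored in enumerate(self._hashes):
            if hmac.compare_digest(stored, candidate):
                matched = index
        if matched is None:
            return False
        del self._hashes[matched]  # single use: the redeemed code is gone
        return True


if __name__ == "__main__":
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("codes for the user:", codes)
    print("first use:", store.redeem(codes[0]), "| second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

When the user has redeemed most of the codes, or the list itself may have been exposed, the right response is to generate a fresh set and discard the old hashes.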
MFA in the context of a comprehensive security strategy
Although the use of MFA significantly enhances security, it is important to note that even MFA does not offer absolute protection against all attack vectors. When considered individually, the authentication factors used are not infallible and, depending on their nature, may under certain circumstances be lost, stolen, intercepted, forged or otherwise bypassed. The combination of several independent factors within multi-factor authentication creates additional and significantly higher barriers for attackers, thereby considerably reducing the risk of successful attacks. However, MFA alone cannot generally guarantee complete protection, which is why MFA should always be viewed as part of a multi-layered and comprehensive security strategy. The use of MFA therefore does not replace the need for responsible and security-conscious use of digital systems.
The IT security landscape is constantly evolving, giving rise to new methods and opportunities for attacks, which in turn require continuously adapted and refined protective measures. With the introduction of multi-factor authentication, the JMU is taking an important step, together with its users, towards further strengthening information security.
Published: 19.03.2026
What is social engineering?
IT security encompasses far more than simply securing computer systems and networks. Where cybercriminals encounter resistance due to advanced technical safeguards, the focus shifts to the user – the ‘Human Factor’ – as the perceived weak link in the security chain. In so-called social engineering, users are increasingly targeted by fraudulent strategies designed to carry out criminal intentions.
Social engineering deliberately exploits human traits such as helpfulness, trust, fear, or respect for authority to skillfully manipulate individuals and provoke the desired reactions in those affected. Similar to traditional con artists, attackers in the digital realm also rely on assuming false identities within credible scenarios or on enticing promises of rewards. A victim who falls for the deception acts in good faith, believing they are doing the right thing.
What the criminals are after
By employing manipulative techniques, cybercriminals trick their victims into taking actions that they would not normally take and that primarily serve the attackers’ interests. Depending on their motives, the perpetrators pursue different goals: Financial gain is often the primary objective – for example, by triggering fraudulent payment orders or fraudulently obtaining funds or valuables. In other cases, attackers aim to pressure their victims into disclosing sensitive information. In addition to login credentials, they are particularly interested in confidential research and business data. Another scenario involves manipulation designed to trick users into installing malware or bypassing security features in order to gain control over IT systems or networks.
In summary, the human element is deliberately exploited as a critical point of entry to compromise even highly secure IT infrastructures or gain unauthorized physical access to buildings. In this way, perpetrators establish the necessary foundation for far-reaching criminal activities.
Methods of Manipulation
The effectiveness of social engineering relies on the exploitation of human behavior. Attackers increasingly rely on deliberately deceiving victims about their identity and true intentions, as well as creating time-sensitive or emotional pressure. A classic example of this is a request to confirm an account via a link within a very short period to prevent its supposed deactivation. Such scenarios aim to panic victims and prompt them to act impulsively.
A key method is so-called phishing, in which fraudulent messages (via email, text message, or Microsoft Teams) are sent to trick the victim into visiting rigged websites or opening malicious attachments. You can learn more about phishing in the next newsletter. This is often combined with pretexting. In this method, attackers construct credible scenarios and assume false identities (e.g., as IT support, a colleague, or a well-known service provider) to appear as a trustworthy source. Through this deception, they gain their victims’ trust and request sensitive data such as passwords. In preparation, attackers often use publicly available information from social networks (e.g., LinkedIn) to tailor attacks precisely to the victim’s position and personal background. A particularly critical form is CEO fraud, in which the identity of an executive (e.g., a direct supervisor, president, or chancellor) is impersonated to exert a high degree of psychological pressure on the employee and persuade them, for example, to make an urgent transfer, often under the pretext of averting potential damage to the institution.
The use of AI-powered tools has taken the sophistication of these attacks to a new level. Foreign actors, in particular, are now able to generate messages that are linguistically flawless and highly personalized. Furthermore, deepfakes – AI-generated video, image, or audio content that is virtually indistinguishable from the real thing – make it significantly more difficult to identify attempts at manipulation.
How to protect yourself
To protect yourself from social engineering attacks, every individual can play a crucial role by staying alert and adhering to basic security measures. Do not allow yourself to be pressured by feigned urgency or threats of consequences, and never follow instructions without thinking them through. Always question unusual requests – particularly those of a financial nature – and always consider the possibility of an attack. Be especially skeptical of messages from external or unknown sources, whether via email or platforms like Microsoft Teams.
If there is even the slightest suspicion of an attempt at manipulation, it is advisable not to respond when in doubt. Always verify suspicious messages by personally contacting the alleged sender through an officially recognized channel. This way, you can directly confirm whether the request is legitimate before taking any further action. Always treat your passwords as strictly confidential and never share them under any circumstances. Neither JMU’s administrators nor IT Support will ever ask you to disclose your login credentials or sensitive information.
Share as little personal information as possible on social media, as cybercriminals can misuse it for targeted profiling. This applies equally to professional networks. Protect the confidentiality of your work and your employer by handling information responsibly in the digital space.
Published: 08.05.2026