How do I report a security-related incident?
- by telephone via the IT Service Desk's in-house line 1818
- or by e-mail to informationssicherheit [at] tu-freiberg [dot] de
If possible, please provide the following information:
- Who is reporting (name, email address, phone number)?
- Which IT system is affected (type and identifier of the system, building, room)?
- How did you work with the IT system? What did you observe?
- When did the event occur (date, time)?
Furthermore, the persons responsible for decentralized administration must be informed.
Immediate measures and behavioral instructions
If you fear a (successful) attack on your workstation PC or another IT system, take the following immediate measures:
- Keep calm.
- Leave the device switched on and disconnect it from the data network immediately by unplugging the network cable and deactivating wireless connections (e.g. WLAN, mobile network).
- Suspend further work on the affected device or IT system.
- Inform the IT Service Desk (see above) about the incident immediately.
In general, the following instructions apply when responding to security-related incidents:
- If possible, document your observations, e.g. by taking photos or screenshots.
- Passwords must be changed if they have been disclosed to third parties or if there is a reason to suspect that they have been: https://activate.tu-freiberg.de/account/change-password
- Implement further measures only after receiving instructions from the URZ, the information security officer or the persons responsible for decentralized administration.
What are security-related incidents?
A security-related incident is an observation or deviation that indicates a possible impairment of information security and may jeopardize the confidentiality, integrity or availability of information or IT systems. Typical consequences of such events are information being spied on, manipulated or destroyed.
The following examples are intended to help you to recognize a potential information security incident as such:
- open windows and doors in security-relevant areas,
- PCs left unlocked while unattended,
- unknown persons in areas not accessible to the public,
- suspicious emails with attachments or links,
- unusual phone calls,
- unexpected error or warning messages on an IT system,
- IT systems react very slowly or are not accessible at all,
- loss or theft of devices or data carriers,
- data leaks (accidental or intentional release of confidential data to third parties),
- malware infections (viruses, Trojans, other malware).
Examples of reportable / non-reportable e-mails
As a general rule:
Better safe than sorry! If in doubt, report an incident rather than not reporting it. The following examples are for illustrative purposes only and are by no means exhaustive.
E-mails
- Suspicious e-mails with attachments or links must be reported. It doesn't matter who the (supposed) sender of the email is.
- Suspicious emails without attachments or links do not necessarily have to be reported. Fake sender names are common in spam campaigns and occasionally cannot be filtered out by the central anti-spam gateway.
Examples of reportable emails
The quality of so-called phishing emails is increasing rapidly. Emails that contain previously intercepted communication (e.g. Emotet) are particularly dangerous. The aim here is to persuade the victim to open files (usually text documents).
Always check whether the sender's name and email address are related to each other in a meaningful way. If you receive an email in the name of a university member that was sent from an external email address (i.e. without the @tu-freiberg.de extension), you should pay particular attention. The sender name of an email can easily be falsified.
Examples of non-reportable emails
Spam emails that were not filtered out by our central spam filter are not reportable. One example of this is the so-called "Nigerian Connection".