Spotlight: Data Security Basics

Posted October 6th, 2017 at 9:54 am.

Some words of wisdom before we get started:  there is no single “right way to do” data security, especially on the go.  What you choose depends on your needs and the data you mean to protect.  This post contains generalized advice on some things you could use and should think about, but it’s not a complete security primer.  If you have questions, or want additional specifics, please contact the Help Desk (x7440, help@brynmawr.edu) and ask for a consult.  If you have an IRB project, please contact the IRB for additional guidance.

All data created or maintained under the auspices of Bryn Mawr College is subject to the College Data Handling Policy.  All research projects that use human data must follow the guidance and requirements of the Bryn Mawr College IRB regardless of the content of this document.

Encryption

“Encryption is the process of converting data to an unrecognizable or “encrypted” form. It is commonly used to protect sensitive information so that only authorized parties can view it…

An encrypted file will appear scrambled to anyone who tries to view it. It must be decrypted in order to be recognized. Some encrypted files require a password to open, while others require a private key, which can be used to unlock files associated with the key.”[1]

Encryption needs to be used to protect sensitive data of any kind.  Data must be protected both in transit and at rest.  Data in transit is being moved from one system to another, for example when being uploaded or downloaded, or emailed, IMed, texted, etc. Data is at rest when it is saved somewhere such as your computer, mobile device, a database, a server or cloud service, etc.

Data at rest

At rest encryption can be scaled to your needs.  You can encrypt anything from a single file or folder to your whole disk.  Ideally, you would be working on a machine with an encrypted drive, and would further encrypt your files before you travel, when you store them on external media, or before you transit them digitally.

You want to choose a method that gives you, at a minimum, AES 128 bit encryption with AES 256 being strongly preferred.

The numbers and vocabulary around encryption “bits” can be confusing when you move from one type to another.  Higher numbers are better (AES 256 is preferable to AES 128), but AES 256 is a roughly equivalent level of security to an https connection using a 2048 bit key and TLS 1.2 (below).  For the Curious:  A Primer.

Encryption Tools for Data at rest

These are a few suggestions of tools that, at the time of this writing, can be used to meet the security standards outlined here.  These change from time to time, and they are certainly not the only tools that can be used.

  • Partition Volume and Full Disk Encryption Options
    • BitLocker (Windows), FileVault (Mac), VeraCrypt, GNU Privacy Guard
    • If you are using a College computer, consult with LITS before attempting to apply a volume or disk encryption scheme.
  • AES Encrypted Archives
    • 7zip (Windows), Keka (Mac), p7zip, GNU Privacy Guard
    • If you are using a College computer, 7zip is pre-installed on Windows computers.
    • Keep in mind that when you encrypt files or folders, the unencrypted files are still left behind on your computer.  Remove these completely using your Operating System’s options for secure deletion in order to ensure the data is fully protected.

Keep in mind that if you lose or forget the master password you have set for your encrypted file or disk, you will not be able to recover the data.  Also keep in mind that if that password or key is not sufficiently strong (see below) and can reasonably be hacked, it will not sufficiently protect the data.

Mobile Devices

The Data Handling Policy requires any mobile device containing College data to have a passcode and be encrypted.  If you have an iOS device (iPhone, iPad) running an up-to-date version of iOS (currently iOS 11), when you add a passcode the device encrypts itself.  If you use an Android device, you will need to encrypt and set a passcode separately.

When you are protecting sensitive data (which may include the contents of your email, cloud-based files accessible through apps, or locally stored files), choose a longer passcode (6 or more digits) and do not use any personal or family information to create the code.

Also, some devices allow you to unlock them with a fingerprint, faceprint, gesture, or other option beyond the passcode.  Be aware that in the US, while you cannot be compelled to provide your passcode, you can be compelled to use your fingerprint to unlock a phone.  Laws and practices in other countries vary.

When using apps, be aware of where the app is storing your data and how it is securing the transit – see Cloud Services below.

See https://www.stopthinkconnect.org/tips-advice/safety-tips-for-mobile-devices for more.

Data in motion

Any time your data leaves the machine you’re working on to go to another computer, device, or person it’s in transit.  This includes when you back up your files to a cloud service or external device, when you email, when you upload or download, etc.  You should not transit any sensitive, legally protected, or personally identifiable data — even by secure means — without first enclosing it in an encrypted archive, ensuring that it remains encrypted at rest when it arrives at its destination. 

The reason to secure your data in transit is to avoid “sniffing.”  Sniffing is when a hacker collects information as it is moving from one place to another.  If it is unencrypted, your information has been compromised.

Here are some secure methods of transit:

  • Web traffic (https)
    • All modern web browsers support the exchange of sensitive data between the client and host when necessary using https for communication. HTTPS uses a system of certificates and protocols such as TLS 1.2 to ensure secure traffic.  Make sure your browser is up to date.  Note: pay attention to your browser.  Sometimes a site using https is out of date, using outdated and vulnerable protocols, or appears in some other way fraudulent and your browser will indicate a problem.
    • Consider adopting HTTPS Everywhere from the EFF and Tor.
  • Secure shell (ssh)/SecureFTP (sftp)/Secure Copy (scp)
    • SSH encrypts all data between two ssh-enabled computers. Sftp and Scp are protocols utilizing SSH technology to secure traffic.
    • Bryn Mawr computers are equipped with PuTTY and WinSCP on Windows and Fetch on the Mac.
    • FileZilla is one popular file transfer tool.
  • Email
  • Instant Messaging
    • Several instant messaging clients support plugins that allow for the encryption of all messages sent between parties via instant messaging.  However, be cautious as these are developed by third parties and may not have sufficient security.

Practices

Even if you protect all of your data and devices as described, there are still ways to create risk of exposure.  Follow these practices to stay safe.

Shared computers

Don’t access or decrypt sensitive or confidential data from an Internet café, hotel business center, or any other shared computing environment.  Not only do you not know what is on those computers, but you could unintentionally leave behind cached copies of your data.

Password Security

Use strong passwords to protect your computer’s login, your computer’s disk encryption, and encrypted archives you may be transiting and sharing with others.  Don’t use the same password for more than one thing, and change your passwords often, especially after traveling internationally.  Definitely don’t travel with any passwords written down.  If it’s hard to keep them all straight, consider adopting a secure password manager.

The best passwords are both long and complex.  An 8 character password provides only minimal security – 12 or more is better, and security professionals would tell you to use at least 16.  We recommend the use of complex passphrases for any password you need to remember.  Leave out any information personal to you, especially if it can be found on social media (and remember, you might not post about your dog, but a family member might…) If you’re using a password manager, it can generate and remember long, complex, unique passwords for you.

Do not save passwords in your browser, an unencrypted file, written down, or in another accessible location.

Password != Encryption

There are many ways to password protect files, and only some provide real security.  Adding a password to an unencrypted Microsoft Office (Word, Excel, etc.), PDF, or Zip file is the equivalent of putting your lunch in a shared fridge labeled with your name.  Only common courtesy keeps the intern down the hall from scarfing down your most excellent food selections.  Be sure to use a tool that not only password protects but encrypts your files.
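As an added illustration (not part of the original post), this Python example reads a .zip archive's central directory and reports whether each file is unprotected, protected only by the legacy ZIP password scheme, or AES-encrypted, which is the distinction behind both the "AES Encrypted Archives" advice above and this section. The function names and the patched sample archive are constructed for the example; it applies to .zip containers only.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001   # general-purpose flag bit 0: entry is encrypted
STRONG = 0x0040      # general-purpose flag bit 6: PKWARE "strong encryption"
AES_METHOD = 99      # WinZip AES (AE-x) marker in the compression-method field

def classify_entry(info):
    """Return 'none', 'legacy-zipcrypto', 'aes' or 'pkware-strong' for a ZipInfo."""
    if not info.flag_bits & ENCRYPTED:
        return "none"
    if info.compress_type == AES_METHOD:
        return "aes"
    if info.flag_bits & STRONG:
        return "pkware-strong"
    return "legacy-zipcrypto"   # the old password scheme, not AES

def audit_zip(data):
    """Map each member name to its protection, as recorded in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist() if not i.is_dir()}

def safe_to_send(data):
    """True only if the archive has files and every one of them is AES-encrypted."""
    report = audit_zip(data)
    return bool(report) and all(kind == "aes" for kind in report.values())

def constructed_sample(flags_and_methods):
    """Constructed input: build a small ZIP in memory, then patch each central-directory
    record so the entry is *marked* with the given (flags, method) pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in range(len(flags_and_methods)):
            zf.writestr(f"file{n}.txt", "placeholder")
    raw = bytearray(buf.getvalue())
    pos = 0
    for flags, method in flags_and_methods:
        pos = raw.index(b"PK\x01\x02", pos)                   # central-directory record
        struct.pack_into("<HH", raw, pos + 8, flags, method)  # flags, then method
        pos += 4
    return bytes(raw)

if __name__ == "__main__":
    sample = constructed_sample([(0, 0), (ENCRYPTED, 8), (ENCRYPTED, AES_METHOD)])
    for name, kind in audit_zip(sample).items():
        print(f"{name}: {kind}")
    print("safe to send:", safe_to_send(sample))
```

File names inside a .zip stay readable even when the contents are AES-encrypted, so keep sensitive details out of the names themselves.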

Cloud Services

Cloud (or hosted) services are common in today’s world because of their low cost and high convenience.  Know how your cloud service is secured and where the data is stored (both in what country or countries and what level of security the facilities offer).

Your Bryn Mawr account comes with OneDrive for Business storage where we have already ascertained these answers.  Use other services at your own risk.

Making sure your data travels with you

In order to avoid issues, it can be advisable to work entirely from a Cloud drive (such as Bryn Mawr’s OneDrive for Business). This will ensure that your data is safe and arrives home with you intact.  If your data is sensitive, it is wise to avoid syncing and to clear your cache when you are done working.

Anonymity and General Safety

Homeland Security puts out a brochure for business travelers with many good practices.

The Tor Project has a number of tools for increasing anonymity and helping to ensure your digital safety and security.  Nothing is foolproof, but these tools can sometimes help.

Run antivirus (yes, even on your Mac) and keep both your Operating System and your software updated.

 

[1] Encryption Definition. (n.d.). Retrieved April 27, 2017, from https://techterms.com/definition/encryption

Filed under: Announcements, by Amy Pearlman
