Stolen Device

From CT Wiki

My electronic work facility (laptop, PC, tablet or mobile phone) has been lost or stolen, now what?

Summary of actions

1. Report the loss or theft via an email to meldpunt-datalek@nikhef.nl
2. Change your Nikhef password via our SSO page: https://sso.nikhef.nl
3. You may want to change passwords for other (private) accounts too

Dataleak?

If your electronic work facility was lost or stolen, inside or outside of Nikhef, please contact the Nikhef privacy/security team as soon as possible via an email to meldpunt-datalek@nikhef.nl. Please include in the report what happened and how you can be contacted.

The Nikhef privacy/security team will then ask you some questions about the data that were present on the device and the protection of the device. This information allows the team to determine whether the loss or theft should be considered a data leak.

If there is indeed a data leak, Nikhef / NWO-I is required to report the incident to the Dutch Autoriteit Persoonsgegevens within a short time after the loss or theft was detected. Failing to report in time may lead to a fine for Nikhef / NWO-I. It is therefore mandatory that you inform the privacy/security team as soon as possible!

Preventing further damage

It is also important to make sure that whoever got your electronic device cannot use it to access your information or use your accounts on the device to access other services. Therefore you should change your Nikhef account password immediately via our SSO page: https://sso.nikhef.nl

This step ensures that others cannot access your email, files on Nikhef's storage systems or other services like UBW, SURFdrive or Jira.

If your device had (Grid) certificates or private (ssh) keys, inform the privacy/security team about that. They can help to revoke the certificates or make sure the private keys cannot be used.

And if your device contained access to other services, you may want to change the passwords for such accounts too.
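
When reporting (ssh) keys to the privacy/security team, it helps to know which private keys were stored without a passphrase. The following Python script is an added example, not part of the original wiki page; it classifies the key files in a backup of the device or on your other machines, and the `~/.ssh` location and the function names are assumptions.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # header of OpenSSH's own private key format


def _ssh_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(text):
    """Classify key file text as 'encrypted', 'unencrypted' or 'not-a-private-key'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = lines[0] if lines else ""
    if not (head.startswith("-----BEGIN ") and head.endswith("PRIVATE KEY-----")):
        return "not-a-private-key"
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, always encrypted
        return "encrypted"
    if head != "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Legacy PEM (RSA/EC/DSA) announces encryption in a Proc-Type header.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in lines else "unencrypted"
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return "not-a-private-key"
        # The first two fields after the magic are the cipher and KDF names.
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, _ = _ssh_string(blob, off)
    except (ValueError, struct.error):
        return "not-a-private-key"
    return "unencrypted" if (cipher, kdf) == (b"none", b"none") else "encrypted"


def audit(directory):
    """Map every private key file under `directory` to its protection state."""
    files = [p for p in sorted(Path(directory).expanduser().rglob("*")) if p.is_file()]
    states = {str(p): key_protection(p.read_text(errors="ignore")) for p in files}
    return {name: s for name, s in states.items() if s != "not-a-private-key"}


if __name__ == "__main__":
    for name, state in audit("~/.ssh").items():  # assumption: default key directory
        print(f"{state:12} {name}")
```

A key reported as `unencrypted` is usable by whoever holds the device, so its public key should be removed from every `authorized_keys` file it was installed in.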

Encrypt your hard drive! How do I do that?

With a stolen electronic work facility, there is a (possible) data leak and this has to be taken seriously. To limit the damage, we would like to emphasise again the importance of disk encryption.

PLEASE SET UP YOUR DEVICE WITH DISK ENCRYPTION IF YOU HAVEN'T ALREADY DONE THAT!

Every modern operating system offers the possibility to do this, and setting it up is very simple. See below for how to set this up per operating system.

Windows

In Windows this functionality is called 'BitLocker'. This page describes how you can easily set it up yourself: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838

macOS

In macOS this functionality is called 'FileVault'. This page describes how you can easily set it up yourself: https://support.apple.com/en-us/HT204837

Unix

For the Unix users among us there are various options for encrypting your hard drive, please check the following link: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/
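
After setting up encryption it is worth verifying that it is actually active. The following Python script is an added example, not part of the original wiki page; it asks the operating system's own tool (`manage-bde`, `fdesetup`, or `findmnt` and `lsblk`) and interprets the answer. It assumes English tool output, a Windows system drive `C:`, and on Linux an encrypted root filesystem (dm-crypt/LUKS); the function names are hypothetical.

```python
import platform
import subprocess


def parse_status(system, output):
    """Return True if the tool output says the system volume is protected."""
    text = output.lower()
    if system == "Windows":
        # manage-bde reports "Protection Off" while BitLocker is suspended,
        # even if the volume is "Fully Encrypted", so test the protection line.
        return "protection on" in text
    if system == "Darwin":
        return "filevault is on" in text
    if system == "Linux":
        # lsblk -s lists every layer under the root device, one TYPE per line;
        # a dm-crypt/LUKS layer shows up as "crypt".
        return "crypt" in text.split()
    raise ValueError(f"unsupported system: {system}")


def root_device():
    """Linux only: device backing /, without a btrfs subvolume suffix (-v)."""
    result = subprocess.run(["findmnt", "-n", "-v", "-o", "SOURCE", "/"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def command_for(system):
    """Return the status command for this operating system."""
    if system == "Windows":
        return ["manage-bde", "-status", "C:"]  # needs an elevated prompt
    if system == "Darwin":
        return ["fdesetup", "status"]
    if system == "Linux":
        return ["lsblk", "-s", "-n", "-l", "-o", "TYPE", root_device()]
    raise ValueError(f"unsupported system: {system}")


def disk_encrypted():
    """Run the status command for this host and interpret its output."""
    system = platform.system()
    result = subprocess.run(command_for(system),
                            capture_output=True, text=True, check=True)
    return parse_status(system, result.stdout)


if __name__ == "__main__":
    print("system disk encrypted" if disk_encrypted() else "system disk NOT encrypted")
```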

Tips on preventing data leaks

Below are some tips that can help prevent your account from being abused and a data leak from occurring. More extensive documentation in Dutch can be found on the site of the National Cyber Security Centre (NCSC).

Accounts and passwords

  • Do not use your Nikhef email address for private purposes.
  • Choose strong passwords, certainly for work accounts or (private) banking accounts. Strong passwords are long (at least 10 characters) and include various types of characters: lowercase and uppercase letters, numbers and special characters like !@#$%^&*()_+[];':",./<?>. Passwords that can be guessed because they are based on names or dates are not strong.
  • Use different passwords for all accounts and all registrations with web sites.
  • To remember all these different passwords, use a password manager like KeePass (https://keepass.info/), LastPass (https://lastpass.com/?lang=en_UK) or Bitwarden (https://bitwarden.com/).
  • Do not store passwords in unencrypted files.
  • Accounts and passwords are personal. Do not share them with others, not even with your colleagues.

Storing sensitive data

Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience.

  • Collect and process only required information. Do not ask for data about people which is not strictly required.
  • Always inform the Computer Technology department if you intend to collect, store or process a new collection of sensitive data.
  • Remove data about persons when the data is not needed anymore. For example, after the end of an application procedure or when someone has left the institute.
  • Only store sensitive data on encrypted devices. That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
  • Periodically clean up old data. Remove files that are no longer needed or will not be used anymore.
  • Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.

Travel abroad

Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when travelling to China, Russia, Iran, Turkey (article in Dutch) and the United States.

  • Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
  • Make sure there is no sensitive information and there are no passwords on the telephone or laptop when travelling to these countries. The Helpdesk laptops are completely re-installed after each use.