Difference between revisions of "Tips to prevent data leaks"

From CT Wiki
Latest revision as of 13:18, 13 August 2021

Data leaks occur when personal data about other people come into the possession of people who have no business with them, or when such data are lost and cannot be recovered. Sensitive data are typically personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience, performance reviews and even pictures.

A data leak may occur in various circumstances, for example:

  • a computer account gets compromised, which allows unauthorized persons to access data
  • an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
  • data are accidentally shared, e.g. via a public webpage or document that is distributed to people who have no need to access the personal data


If you discover a potential data leak, immediately report it to meldpunt-datalek@nikhef.nl


When a data leak occurs, Nikhef should quickly take action to comply with the law and do whatever is possible and needed to control damage. So please immediately report the discovery of a potential data leak.


Fortunately, you can take some measures to prevent data leaks or to minimize the risk of one. Some measures are technical, others are behavioural and require awareness and a certain degree of discipline.

Preventing data leaks

The number 1 rule to prevent data leaks: what you don't store, you cannot leak! It is really as simple as that.

Storing sensitive data

  • Collect and process only required information. Do not ask for data about people which is not strictly required.
  • Remove data about persons when the data is not needed anymore. This is required in order to comply with the privacy laws! For example, after the end of an application procedure or when someone has left the institute.
  • Periodically clean up old data. Remove files that are no longer needed or will not be used anymore. Again, it is a legal obligation. For example, clean up data about participants of a conference or workshop after the event is finished.


If you are sure you must collect or store personal and/or sensitive data, always report it to the Nikhef privacy team: privacy@nikhef.nl

Also take the following into account:

  • Only store sensitive data on encrypted devices (see below). That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
  • Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.

Encrypt your device! How do I do that?

Encrypting your devices is a technical defence measure that prevents a data leak when the device is lost or stolen. This applies to laptops, desktop computers, mobile telephones and external devices like a USB drive or NAS.

When you encrypt your device, keep the recovery key safe (for example printed and stored at home, or in your password manager, but never on the device itself) and protect access to the device with a good password, fingerprint, PIN code or pattern. Keep in mind that encryption only protects data at rest: a device that is switched on and unlocked is as exposed as an unencrypted one, so lock it when you walk away and shut it down before it goes into a bag. Do not share your code with others, also not with your family members!

PLEASE SETUP YOUR DEVICE WITH DISK ENCRYPTION IF YOU HAVEN'T ALREADY DONE THAT!

Every modern operating system offers this and setting it up is simple. See below for how to enable it per operating system.

Windows

In Windows this functionality is called 'BitLocker'; how to enable it yourself is described here: Windows Bitlocker. When you turn it on, Windows asks where to save the recovery key: choose your Microsoft account, a printout or your password manager, not a file on the laptop itself.

If you want more information about this topic, please read about it on the Microsoft website: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838

macOS

In macOS this functionality is called 'FileVault'; how to enable it yourself is described here: macOS Filevault. FileVault offers to store the recovery key in your iCloud account or to show it to you once; in the latter case write it down and keep it away from the Mac.

If you want more information about this topic, please read about it on the Apple website: https://support.apple.com/en-us/HT204837

Unix

For the Unix users among us there are various options for encrypting your hard drive. On most Linux distributions the standard choice is full-disk encryption with LUKS (dm-crypt, managed with cryptsetup), which the installer can set up for you; for an overview of the available tools, see: https://www.tecmint.com/file-and-disk-encryption-tools-for-linux/
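Once a Linux laptop has been set up, it pays to verify that everything you actually mount (including swap and the USB backup disk mentioned above) sits on an encrypted volume. The script below is an added example for this page, not Nikhef's own tooling: it parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports every mounted filesystem that has no dm-crypt mapping above it in the device tree. The `SAMPLE_LSBLK_JSON` is a constructed sample (LVM on LUKS plus an unencrypted USB disk); the names of the devices and the `/media/user/BACKUP` mountpoint are assumptions.

```python
"""Audit a Linux machine for mounted filesystems that are NOT on an encrypted
(dm-crypt/LUKS) block device, by walking the device tree from `lsblk -J`.

Added example for this page; it is not Nikhef's own tooling. Only the
`lsblk` JSON output format is assumed; SAMPLE_LSBLK_JSON below is constructed.
"""
import json
import subprocess

# Constructed sample: an NVMe disk laid out as LVM on LUKS (root, home and swap
# encrypted; /boot and the EFI partition in the clear, which is normal) plus an
# unencrypted USB backup disk mounted under /media.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
      {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
          {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
        ]}
      ]}
    ]},
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/media/user/BACKUP"}
    ]}
  ]
}
"""

# /boot and the EFI system partition hold the bootloader and kernel, which must
# be readable before the encrypted volume can be unlocked, so they are expected
# to be unencrypted.
BOOT_ALLOWLIST = frozenset({"/boot", "/boot/efi"})


def _mountpoints(dev):
    """Handle both the singular 'mountpoint' key and the newer plural 'mountpoints'."""
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def unencrypted_mounts(lsblk_json, allow=BOOT_ALLOWLIST):
    """Return the sorted mountpoints whose filesystem has no 'crypt' device
    above it in the lsblk tree. LVM-on-LUKS counts as encrypted because the
    LVM volumes are children of the crypt mapping. Swap is reported too: an
    unencrypted swap partition can hold copies of sensitive data from RAM.
    """
    found = []

    def walk(dev, encrypted):
        encrypted = encrypted or dev.get("type") == "crypt"
        if not encrypted:
            found.extend(m for m in _mountpoints(dev) if m not in allow)
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json).get("blockdevices", []):
        walk(dev, False)
    return sorted(found)


def audit_this_machine():
    """Run lsblk on the current host and report what is mounted unencrypted."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mp in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print("unencrypted:", mp)
```

On the sample the only finding is the USB backup disk at `/media/user/BACKUP`, which is exactly the case the page warns about: the laptop is fine, the backup is not. Pass `allow=set()` if you also want `/boot` listed, and run `audit_this_machine()` on a real machine to check your own layout.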

Android

<TBD>

iOS

Enabling encryption on an iOS device is very simple, and chances are you have already done it. The storage of an iOS device is encrypted, and as soon as you set a passcode that passcode protects the encryption keys (Apple calls this Data Protection). Keep the passcode set: the data stay protected until you disable it.

If you want more information about this topic, please read about it on the Apple website: https://support.apple.com/en-gb/guide/security/sece3bee0835/web

Accounts and passwords

  • Do not use your Nikhef email address for private purposes.
  • Choose strong passwords, certainly for work accounts or (private) banking accounts.
    • Strong passwords are long (at least 10 characters) and include various types of characters (lowercase and uppercase letters, numbers and special characters like !@#$%^&*()_+[];':",./<?>).
    • Passwords that can be guessed because they are based on names or dates are not strong. The longer the password, the more resilient it is against automated attacks!
    • Do not use personal information, and do not use a single real word as your password: both are the first things an automated guesser tries.

Tip: Use a passphrase. For example: 'If I could, I'd be in New-Zealand 365 days a year'. You can make this less recognisable by shortening it to 'Iic,ibiN-Z365daY' and using that as a password. As mentioned earlier: make a sentence in which you mix capital letters, punctuation and numbers. Extra tip: you can also use spaces in your password to make it even longer! Where a system accepts long passwords, the full sentence with its spaces is the stronger choice: it is far longer than the abbreviation and just as easy to remember.

  • Use different passwords for all accounts and all registrations with web sites.
  • Do not store passwords in unencrypted files.
  • Do not write down passwords on paper.
  • Accounts and passwords are personal. Do not share them with others, also not with your colleagues or family members.
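The rules above (length, character classes, no dates, no personal information) and the claim that length matters most can be made concrete. The script below is an added example for this page, not Nikhef's own tooling: `check_password` reports which of the page's rules a candidate breaks, and `search_space_bits` counts how many bits of brute-force search space a password of that length and alphabet represents, so you can compare the abbreviated 'Iic,ibiN-Z365daY' with the full sentence. The `personal` list is a hypothetical input (the names and years a user should never put in a password); the size estimate is a plain brute-force count and therefore an upper bound: dictionary words and sentences are guessable more cheaply than random characters, which is why the page says not to rely on personal information or a single real word.

```python
"""Check a password against the rules on this page and estimate the size of
the search space a brute-force attacker has to cover.

Added example for this page, not Nikhef's own tooling. The rules are the
page's (at least 10 characters, several character classes, no dates, no
personal information); the bit estimate assumes pure brute force and is an
upper bound for dictionary-based passphrases.
"""
import math
import re
import string

MIN_LENGTH = 10
SYMBOLS = string.punctuation + " "                # the page's special characters, plus space
YEAR = re.compile(r"(?<!\d)(?:19|20)\d\d(?!\d)")  # 1900-2099 standing alone as a number

# (class name, membership test, number of characters in that class)
CLASSES = (
    ("lower", str.islower, 26),
    ("upper", str.isupper, 26),
    ("digit", str.isdigit, 10),
    ("symbol", lambda c: c in SYMBOLS, len(SYMBOLS)),
)


def character_classes(password):
    """Return the entries of CLASSES that occur at least once in the password."""
    return [cls for cls in CLASSES if any(cls[1](c) for c in password)]


def check_password(password, personal=()):
    """Return a list of rule violations; an empty list means the password passes.

    `personal` is a hypothetical list of strings that must never appear in the
    password: first name, partner's name, birth year, pet, and so on.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(character_classes(password)) < 3:
        problems.append("uses fewer than 3 character classes")
    if YEAR.search(password):
        problems.append("contains a year (looks like a date)")
    lowered = password.lower()
    if any(p.lower() in lowered for p in personal if p):
        problems.append("contains personal information")
    return problems


def search_space_bits(password):
    """log2 of the number of strings of this length over the alphabet the
    password actually uses. Every extra character adds the same number of
    bits, which is why length beats cleverness with symbols."""
    if not password:
        return 0.0
    alphabet = sum(size for _, _, size in character_classes(password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    short = "Iic,ibiN-Z365daY"                                  # abbreviation from the tip
    full = "If I could, I'd be in New-Zealand 365 days a year"  # the full passphrase
    for pw in (short, full):
        print("%-50s %5.0f bits  %s" % (pw, search_space_bits(pw), check_password(pw) or "ok"))
```

Both forms pass the rules, but the 16-character abbreviation comes out at roughly 105 bits of brute-force search space while the 49-character sentence is above 300 bits: three times the length gives three times the bits, with no extra symbols needed. Something like 'john1985' fails every rule at once.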

Travel abroad

Take into account that when you travel to certain countries the information on laptops or telephones can be inspected or copied by security agencies, or that they can take control of the device. This may happen when traveling to China, Russia, Iran, Turkey (article in Dutch) and the United States.

  • Bring an empty laptop and telephone, which you normally do not use. You can temporarily borrow a laptop via the Helpdesk.
  • Make sure there is no sensitive information or passwords on the telephone or laptop when traveling to these countries. The Helpdesk laptops are completely re-installed after each use.

Further reading

More extensive documentation in Dutch can be found on the site of the National Cyber Security Centre (NCSC).