Device & Data Encryption


Introduction

In the course of University business, Arizona State University personnel routinely handle sensitive information including Personally Identifiable Information (PII), student records, health records, financial records, and research data. Federal laws, state statutes, and industry standards apply civil penalties for failure to protect sensitive information adequately. Encryption plays a key role in keeping information safe by ensuring that it can't be obtained through theft or eavesdropping.

As part of its overall program to ensure appropriate measures to protect PII and other sensitive data in a robust and least-intrusive manner, Arizona State University provides requirements for encrypting data in transit and storage.

Implementing encryption of data in storage is one of ASU's 2014 Top Five Critical Security Initiatives. As per a document cited by the CFO and Provost in a faculty/staff newsletter dated October 9, 2014, "Faculty and staff need to implement encryption and other standard security requirements on all devices accessing the ASU network.  This can include desktops, laptops, mobile devices, printers, HVACs, RFID readers, cameras, display boards, etc." [https://getprotected.asu.edu/content/encrypteverything]


Endpoint Encryption

Endpoint Encryption ensures that if your computer is stolen, any sensitive information on its disk will be unavailable to the thief, provided the computer was powered off (not merely sleeping) when it was taken. Encrypt your computer's hard disk using your operating system's built-in disk encryption software or other encryption software suggested by UTO.

All ASU maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. The minimum standard for encryption algorithms should be 128-bit AES, or the highest level allowed by export controls in the case of international applications.

Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., minimum system requirements for compliant operating system, chipset including compliant TPM chip), the device should be upgraded or replaced with a compliant device.

Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
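The following script is an added illustration of how the requirements above (full-disk encryption with at least 128-bit AES, a TPM, and a recovery key escrowed to Active Directory) can be checked and remediated on a Windows computer with BitLocker. It is not ASU-provided tooling; it assumes Windows 10/11 with the BitLocker and TrustedPlatformModule PowerShell modules, a domain-joined machine, and a Group Policy that permits recovery password backup to AD DS. Run it from an elevated PowerShell session.

```powershell
# Added example (not ASU's own script). Assumes Windows 10/11, a domain-joined
# machine, and a GPO that allows BitLocker recovery passwords to be backed up to AD.
#Requires -RunAsAdministrator

# Methods meeting the "128-bit AES minimum" standard. 'None' means unencrypted.
$AcceptableMethods = @('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')

function Test-FdeCompliance {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm

    $findings = [ordered]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod.ToString()
        FullyEncrypted   = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
        MethodAcceptable = ($AcceptableMethods -contains $vol.EncryptionMethod.ToString())
        TpmPresentReady  = ($tpm.TpmPresent -and $tpm.TpmReady)
        TpmProtector     = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    # Compliant only if encrypted with an acceptable method, protection is on,
    # the key is sealed to the TPM, and a recovery password exists for escrow.
    $findings.Compliant = $findings.FullyEncrypted -and $findings.ProtectionOn -and
                          $findings.MethodAcceptable -and $findings.TpmProtector -and
                          $findings.RecoveryPassword
    [pscustomobject]$findings
}

# Escrow the recovery password(s) to Active Directory so an authorized third
# party can recover the data (the page's "key escrow" requirement).
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        # No recovery password protector yet: create one, then escrow it.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

$status = Test-FdeCompliance
$status | Format-List

if (-not $status.Compliant) {
    if ($status.EncryptionMethod -eq 'None' -and $status.TpmPresentReady) {
        # Unencrypted with a usable TPM: enable XTS-AES-128 sealed to the TPM,
        # then add and escrow a recovery password.
        Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes128 -TpmProtector
        Backup-RecoveryPasswordToAD
    } elseif (-not $status.RecoveryPassword) {
        Backup-RecoveryPasswordToAD
    } else {
        # e.g. no TPM, or a legacy cipher: hardware/OS upgrade is the fix (see above).
        Write-Warning "Volume is not compliant; review the findings above."
    }
}
```

Re-run Test-FdeCompliance after a reboot; a freshly enabled volume reports EncryptionInProgress rather than FullyEncrypted until the initial encryption pass completes.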

The following documents provide more information on how to encrypt your computer. Consult your departmental technical support personnel for assistance.


Encryption in transit

Encryption in transit reduces the chance that data you access and send will be available to someone who is eavesdropping on the network. Here are some general practices to follow. Consult your departmental technical support personnel for assistance.

  • Use ASU ENCRYPTED wireless. Upgrade at http://www.asu.edu/wifi.
  • Use the SSLVPN when accessing ASU systems from any network off campus; download and installation instructions are available at http://sslvpn.asu.edu.
  • Use encrypted protocols (e.g., https, ssh) when accessing any networked system.
  • Note that electronic mail is not secure; even if you get and send your email using an encrypted connection, the person on the other side might not!

Please refer to the ASU Data Handling Standard for more information about use, transmission and storage of sensitive data.


Enterprise & Systems Encryption

The ISO can assist with implementation and review of Enterprise & Systems encryption technologies. For more information, please contact the ISO.


Combatting Ransomware

The ASU Information Security Office has seen a recent increase in ransomware. Ransomware is a type of malware that holds data hostage until the user pays a ransom fee to the attackers. Typically it arrives as a drive-by download (a malicious download hidden in ads or other site content the user may be unaware of) or as a malicious email with a link. The malware installs on the user's system and silently encrypts files and documents (including those on accessible network shares), effectively destroying them for the user. It also attempts to destroy or stop data backups, so backups that are not kept offline or otherwise out of the user's reach may be lost as well.

OpenSSL FREAK Vulnerability

A "new" vulnerability is hitting the press that affects systems using OpenSSL (a popular open-source encryption suite, used in many systems, including Apple products and Android devices). The vulnerability allows an attacker positioned between client and server to downgrade the connection to weak "export-grade" encryption, making it far easier to crack and allowing information to be stolen. OpenSSL announced and released a patch for this vulnerability on January 8, 2015, so systems running OpenSSL directly should be patched immediately. Systems that run other software that includes OpenSSL (i.e.

Telephone Scam Targeting International Students

Arizona State University has been informed by several students of false telephone calls (a "telephone scam") targeting international students at ASU and around the country. Students have received phone calls from people identifying themselves as employees of the Internal Revenue Service and other U.S. government agencies. The callers insist that students send them money to avoid immediate arrest or other legal action. The caller tells the student that they owe money to the U.S. government for improper tax filing, missing documentation, or some other infraction.