Device & Data Encryption

Introduction

In the course of University business, Arizona State University personnel routinely handle sensitive information including Personally Identifiable Information (PII), student records, health records, financial records, and research data. Federal laws, state statutes, and industry standards apply civil penalties for failure to protect sensitive information adequately. Encryption plays a key role in keeping information safe by ensuring that it can't be obtained through theft or eavesdropping.

As part of its overall program to ensure appropriate measures to protect PII and other sensitive data in a robust and least-intrusive manner, Arizona State University provides requirements for encrypting data in transit and storage.

Implementing encryption of data in storage is one of ASU's 2014 Top Five Critical Security Initiatives. As per a document cited by the CFO and Provost in a faculty/staff newsletter dated October 9, 2014, "Faculty and staff need to implement encryption and other standard security requirements on all devices accessing the ASU network. This can include desktops, laptops, mobile devices, printers, HVACs, RFID readers, cameras, display boards, etc." [https://getprotected.asu.edu/content/encrypteverything]

Endpoint Encryption

Endpoint Encryption ensures that if your computer is stolen, any sensitive information on its disk will be unavailable to the thief. Encrypt your computer's hard disk using your operating system's built-in disk encryption software or other encryption software suggested by UTO.

All ASU maintained computers, backup media, and other devices used to store electronic data should be secured using full-disk encryption (FDE) everywhere possible, with key escrow adequate to provide for third-party data recovery in the event of legal requirements or business need. The minimum standard for encryption algorithms should be 128-bit AES, or the highest level allowed by export controls in the case of international applications.

Devices should comply with minimum hardware and software requirements for ASU-sanctioned FDE solutions. If a device cannot be encrypted because its operating system is obsolete, the device should be upgraded to a current operating system. If a device lacks the recommended hardware (e.g., it does not meet the minimum system requirements of a compliant operating system, or its chipset lacks a compliant TPM chip), the device should be upgraded or replaced with a compliant device.

Where possible, devices should use ASU's Active Directory environment for key escrow. If this is not possible, the administrative or academic unit responsible for a device must establish and document a key escrow process to ensure authorized third-party access to encryption keys when necessary.
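As an added illustration of the requirements above (not part of the original ASU page), the script below audits a Windows host's BitLocker state against them: the volume must be fully encrypted with AES of at least 128 bits, protection must be on, and a recovery password protector must exist so the key can be escrowed to Active Directory. It assumes BitLocker as the operating system's built-in FDE and parses a constructed excerpt of `manage-bde -status` output rather than querying a real machine.

```python
import re

# Constructed excerpt of `manage-bde -status` output (not from a real host).
SAMPLE_STATUS = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password
Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

MIN_AES_BITS = 128  # minimum algorithm strength set by the standard above

def parse_volumes(text):
    # One dict per volume: "Field: value" pairs plus a list of key protectors.
    vols = []
    for block in re.split(r"(?m)^Volume ", text)[1:]:
        fields, _, protectors = block.partition("Key Protectors:")
        vol = dict(re.findall(r"^\s*([^:\n]+):\s*(.*)$", fields, re.M))
        vol["name"] = block.split(":", 1)[0]
        vol["protectors"] = [p.strip() for p in protectors.splitlines()
                             if p.strip() and p.strip() != "None Found"]
        vols.append(vol)
    return vols

def check_volume(vol):
    # Returns the ways a volume misses the standard; empty list means compliant.
    findings = []
    if vol.get("Conversion Status") != "Fully Encrypted":
        findings.append("not fully encrypted")
    m = re.search(r"AES\s*(\d+)", vol.get("Encryption Method", ""))
    if not m:
        findings.append("encryption method is not AES")
    elif int(m.group(1)) < MIN_AES_BITS:
        findings.append(f"AES key length {m.group(1)} is below {MIN_AES_BITS}")
    if vol.get("Protection Status") != "Protection On":
        findings.append("protection is off")
    # The Numerical Password (recovery password) is what BitLocker escrows to AD;
    # its presence does not prove the backup succeeded, so verify on the AD side too.
    if "Numerical Password" not in vol["protectors"]:
        findings.append("no recovery password protector for key escrow")
    return findings

def audit(text):
    return {v["name"]: check_volume(v) for v in parse_volumes(text)}
```

On a real host, feed `audit()` the captured output of `manage-bde -status` and treat any non-empty findings list as a device that needs remediation under the standard.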

The following documents provide more information on how to encrypt your computer. Consult your departmental technical support personnel for assistance.

Encryption in transit

Encryption in transit reduces the chance that data you access and send will be available to someone who is eavesdropping on the network. Here are some general practices to follow. Consult your departmental technical support personnel for assistance.

  • Use ASU ENCRYPTED wireless. Upgrade at http://www.asu.edu/wifi.
  • Use the SSLVPN when accessing ASU systems from any network off campus; download and installation instructions are available at http://sslvpn.asu.edu.
  • Use encrypted protocols (e.g., https, ssh) when accessing any networked system.
  • Note that electronic mail is not secure; even if you get and send your email using an encrypted connection, the person on the other side might not!

Please refer to the ASU Data Handling Standard for more information about use, transmission and storage of sensitive data.

Enterprise & Systems Encryption

The ISO can assist with implementation and review of Enterprise & Systems encryption technologies. For more information, please contact the ISO.

Adobe Flash Player Zero Day (2015-3113)

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system.

Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.

Adobe recommends users update their product installations to the latest versions:

LastPass Security Breach

LastPass reported on their security blog yesterday that they discovered suspicious activity on their network on Friday. Their investigation did not determine that any accounts were accessed; however, they did find that user information, including email addresses, password reminders, and authentication hashes, was compromised.

The stolen authentication hashes are well-encrypted, but LastPass is still requiring users to change their master passwords, and recommending that users also change the password anywhere else they may have reused the master password.

Vulnerability in TLS

ASU has recently become aware of a vulnerability in certain implementations of HTTPS using TLS, which could allow for the disclosure of sensitive information. This vulnerability is caused by a basic design flaw in the way that TLS handles Diffie-Hellman key exchanges and allows an attacker to intercept the HTTPS connection from vulnerable clients or servers by downgrading the RSA key to a weaker, export-grade, 512-bit RSA key.