Data Protection

Introduction

Safeguard 3 - Data Protection

Data protection is a crucial component of cybersecurity. Through data management, risk classifications and protection measures are defined to meet compliance requirements and best protect sensitive information. It’s important to be able to locate sensitive information and securely remove it once it’s no longer needed.

Procedures

3.1 - Establish and Maintain a Data Management Process

A data management process addresses data sensitivity, assigns roles and responsibilities regarding data processes, and defines the processes for retaining and removing data. This documentation should be reviewed and revised annually.

Please refer to the following documentation for more information about Virginia Tech’s data management process:

In the event of data exposure, refer to the data exposure procedures.

3.2 - Establish and Maintain a Data Inventory

At minimum, all sensitive data should be inventoried. Review and update the inventory at least once per year, prioritizing sensitive data.

Virginia Tech has defined six specific data elements as Personally Identifiable Information (PII) in the Standard for High Risk Digital Data Protection:

  1. Social Security number.
  2. Credit card number.
  3. Debit card number.
  4. Bank account number.
  5. Driver’s license number.
  6. Passport number.

The standard defines additional data elements and their protections:

  1. Military ID numbers.
  2. Medical and mental health history, treatment, or diagnoses information.
  3. Health insurance policy numbers.
  4. Student data (non-directory information or items marked confidential) (FERPA).
  5. Export controlled research data (ITAR, EAR, CUI and others). At Virginia Tech, there are several roles responsible for data protection that are defined in the Administrative Data Management Standard as follows:

Data trustees are senior university officials responsible for planning and creating policies regarding university data management.

Data stewards typically classify data according to the Virginia Tech Risk Classifications, define and monitor data quality, monitor data flow, and create data definitions. Their responsibilities are assigned by their respective data trustee, and the guidelines for data stewards are available online.

Other roles such as data experts, data custodians, and data managers have day-to-day responsibilities regarding business processes. They work under the direction of a data steward.

Locating Sensitive Data with Spirion (Formerly Identity Finder)

Spirion looks for sensitive data (i.e. the PII defined above). It is a powerful tool that is available to Virginia Tech faculty and staff via https://network.software.vt.edu.

  1. Follow the installation instructions for your operating system.
    1. Windows Installation
    2. Mac Installation
  2. Refer to the Getting Started guide for your operating system.
    1. Windows Guide
    2. Mac Guide

Locating Sensitive Data with FindSSNs

FindSSNs is a tool to find sensitive information, including SSNs, credit card numbers, and debit card numbers. It’s freely available to everyone at https:///software/find-ssns/. Additionally, refer to the FindSSNs Reference Manual for more information regarding config files, program arguments, and output files.

Windows
  1. Download FindSSNs from https://security.vt.edu/software/find-ssns/.
  2. Unzip the file by right-clicking the file and clicking Extract All. Follow the on-screen instructions.
  3. Double-click the Find_SSNs.exe executable.
Linux
  1. Download FindSSNs from https://security.vt.edu/software/find-ssns/.
  2. In the File Explorer, right-click the file and click Extract Here, or Extract to… if you wish to extract it to a specific directory. Alternatively, you may use the unzip command.
  3. Run the command python Find_SSNs.pyw | Find_SSNs.exe to attempt to execute FindSSNs in GUI mode. Note: Python 2.4 through 2.6 and wxPython are required for GUI mode to work on Linux distributions.
  4. If running FindSSNs in non-GUI mode, usage is as follows:
python Find_SSNs.pyw -p /path/to/search -o /path/to/output/folder -t html|csv [-a | -c | -s] Find_SSNs.exe -p c:\path\to\search -o c:\path\to\output\folder -t html|csv [-a | -c | -s]

Options

-p The path to the directory to be searched. The path will be searched recursively.

-o The path to the directory that will contain FindSSNs output files. See OUTPUT FILES section for more information.

-t Type of main report file you would like FindSSNs to produce. Only html or csv are supported. Introduced in version 4.1. If you are using an earlier version, omit this option.

-a Search files for both U.S. Social Security numbers and Credit Card numbers.

-c Search files only for Credit Card numbers.

-s Search files only for U.S. Social Security numbers.

3.3 - Configure Data Access Control Lists

An access control list (ACL) determines what roles can access certain sensitive information based on data classifications. ACLs use the principle of least privilege, where the only users that are able to access sensitive data are those that need it to accomplish their work. This principle ensures that the minimum number of people necessary have access to sensitive data, minimizing the risk of data leaks.

The Data Steward should work with their relative Data Trustee and the IT Security Office to assure that data is classified according to the Virginia Tech Risk Classifications.

  1. Identify sensitive data using the Virginia Tech Risk Classifications.
  2. Create an access control list to determine which roles within your department or work group should and should not have access using the principle of least privilege.
  3. Implement the ACL using relevant access controls.

Please refer to Policy 7100 - Administrative Data Management and Access Policy for more information regarding data administration and transparency.

3.4 - Enforce Data Retention

Sensitive data should only be stored for as long as it’s needed. Data inventories should be regularly reviewed to determine what should be securely disposed of.

Refer to the Virginia Tech Risk Classifications to determine what level of risk data has and then follow the respective protections in the Virginia Tech Standard for High Risk Digital Data Protection.

3.5 - Securely Dispose of Data

Server hard drives should be wiped before disposal. If they are not, VT data may be exposed to whomever obtains the server. Servers will have at least one physical hard drive and possibly more drives configured in a logical RAID array. This procedure covers how to wipe each physical hard drive. Before following this procedure, you must know how many hard drives are in the server.

  1. Make sure to copy all the files that you wish to keep from the server.

  2. Download the latest Debian ISO image and copy it onto a CD, DVD or USB stick. Follow the Debian instructions on how to do this.

  3. Set the server to boot from CD, DVD or USB.

  4. After booting Debian, wipe each physical hard drive using this command.

$ dd if=/dev/urandom of=/dev/YOUR-HARD-DRIVE-LABEL bs=1M
  1. The process may take anywhere from several hours to several days (depending on the size of the hard drives).

  2. Once the process is complete, remove the CD, DVD or USB Drive, run this command, wait for it to finish, then power off the server.

$ sync
  1. Surplus the server by following the instructions on the Surplus Procedures web page.

3.6 - Encrypt Data on End-User Devices

Microsoft Windows

Disk encryption is a great way to protect the data on a device so it can only be accessed by those who have authorization. The following information is from the Microsoft Windows Support Website

  1. Sign into Windows with an administrator account
  2. Select the Start button, then select Settings > Update and Security > Device Encryption. (If Device Encryption does not appear, follow the BitLocker encryption instructions)
  3. Open Device Encryption
  4. Select Turn On

BitLocker Encryption (Only available on Windows 10 Pro and Enterprise)

  1. Sign into Windows with an administrator account.
  2. In the search box on the taskbar, type Manage BitLocker and select it from the list of results.
BitLocker search box
  1. Select Turn on BitLocker.
BitLocker menu
  1. Follow the on-screen instructions.

Apple FileVault

To enable disk encryption on macOS we will use a service called FileVault 2, which is available on OS X Lion or later.

  1. Choose Apple Menu > System Preferences > Security & Privacy.
  2. Choose the FileVault tab.
  3. Choose the Lock symbol, then enter the administrator’s name and password.
  4. Choose Turn On FileVault.
  5. If there are multiple users on the Mac, you will choose who will have to unlock the disk with their password.
  6. Choose who you will recover your disk in case you forget your password.
  7. The encryption will begin in the background on your Mac, you can view the process in the FileVault section of Security & Privacy.

Linux dm-crypt

Disk encryption is available on Linux via dm-crypt. WARNING the following will overwrite all data on the partition you decide to encrypt.

To install dm-crypt on Ubuntu and Debian, run the following command:

# apt-get install cryptsetup

To install dm-crypt on Fedora, run the following command:

# yum install cryptsetup
dm-crypt

To encrypt a specific partition, use the following instructions:

  1. First we need to create a cryptographic device mapper in LUKS encryption:
# cryptsetup --verbose --cipher aes-xts-plain64 \\
--key-size 512 --hash sha512 --iter-time 5000 \\
--use-random luksFormat /dev/<name of partion>
  1. Follow the on-screen instructions to create a password.

  2. In order to unlock the device, run the following command.

# cryptsetup open --type luks /dev/<name of partion> <device label>
  1. You can then mount the device to transfer data.
# mount -t ext4 /dev/mapper/<label> /mnt
  1. Unmount the device when you are done.
# unmount /mnt
cryptsetup close <label>

3.7 - Establish and Maintain a Data Classification Scheme

The following definitions establish the Virginia Tech Risk Classification labels from Virginia Tech’s risk classification standard.

High-Risk

Data and IT resources are classified as high-risk if:

  • Protection of the data is required by law/regulation/contractual obligation, and
  • Virginia Tech is required to self-report to a government agency and/or provide notice to the individual if the data is inappropriately accessed; or
  • The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse to catastrophic impact on our mission, safety, finances, or reputation.
High Risk Examples

Moderate-Risk

Data and IT resources are classified as moderate-risk if they are not considered to be high-risk, and:

  • The data is not generally available to the public, or
  • The loss of confidentiality, integrity, or availability of the data or system could have a mild to moderate adverse impact on our mission, safety, finances, or reputation.
Medium Risk Examples

Low-Risk

Data and IT resources are classified as low-risk if they are not considered to be moderate or high-Risk, and:

  • The data is intended for public disclosure, or
  • The loss of confidentiality, integrity, or availability of the data or system would have no impact on our mission, safety, finances, or reputation.
Low Risk Examples

Risk Data Types

High-Risk Data
  • Student records (non-directory data OR items marked confidential)
  • Personally Identifiable Information (PII)
    • Social Security numbers (SSN)
    • Credit/debit card numbers
    • Financial account numbers
    • Driver’s license, state ID, military ID, passport, visa numbers
  • Medical/mental history, treatment, or diagnosis information; health insurance policy numbers; protected health information
  • Export controlled research data, sensitive research data where disclosure may place an individual at risk of criminal or civil liability, or be damaging to their financial standing, employability, educational advancement, or reputation, or research data with contractual requirements for increased security measures
  • Engineering, design, and/or operational information regarding VT infrastructure considered “Critical to the University”
Medium-Risk Data
  • Unpublished research data that is not classified as High-Risk (at the discretion of the PI)
  • University employee ID numbers
  • Employment applications and personnel files without PII, as well as non-directory contact information
  • Internal communications and email, non-public reports or contracts, intellectual property, and all other information releasable in accordance with the Virginia Freedom of Information Ace
  • Donor contact information and non-public gift information
Low-Risk Data
  • VT Directory (Faculty, Staff, and Students)
  • Unrestricted, non-sensitive research data (at the discretion of the PI)
  • Public VT websites
  • Procedure manuals designated by the owner as public
  • University employment advertisements
  • Information in the public domain (e.g. campus maps or photography)

3.8 - Document Data Flows

The flow of data should be documented alongside the development of data inventories (see Safeguard 3.2) using data classifications.

  1. Create documentation outlining where enterprise owned data originates from and goes to. At a minimum, this should include data flows to external enterprises.
  2. Review the aforementioned documentation at least annually and when there are enterprise changes that affect the flow of data.

3.9 - Encrypt Data on Removable Media

Microsoft Office File Encryption

  1. In order to encrypt a Microsoft Office document, click the File tab to bring up the following menu. Then, view the Info section.
    Microsoft Word Info section
  2. Click the icon to Protect Document (or Worksheet / Presentation) and select “Encrypt with Password” from the dropdown menu.
    Word Info section dropdown menu with the second option highlighted
  3. It will prompt you to input a password to encrypt the document (a longer password is more secure). Then, click OK.
    Encrypt document password prompt
  4. The next time the document is opened, Microsoft Office will ask for the password before allowing the document to be viewed or edited.
    Password prompt to view/edit document

PDF File Encryption

These instructions are for Adobe Acrobat Pro 2020. If you use some other PDF software, you should follow one of the other file encryption procedures listed on this page.

To share files encrypted with Adobe Acrobat Pro 2020, you can encrypt the file using a Digital Certificate, ensuring only specific people can view the document. To do so, follow the following steps.

  1. Go to vt.edu.
  2. In the search bar, search for the name of the person you want to receive the document.
  3. Select that person.
  4. Next to PDC, select and download their .pem file.
  5. In Adobe Acrobat, select Tools > Protect > Encrypt. Certificate Security Settings menu
  6. Choose what elements of the document you want encrypted.
  7. Select the encryption algorithm.
  8. Under Digital Security, select Add Digital ID.
  9. Select your digital ID.
  10. Here you can add recipients, so select browse and choose the .pem file you downloaded.
  11. Select next to finish encrypting the file.

LastPass File Encryption

LastPass allows you to store files and other forms of information in your LastPass vault. This vault can be encrypted and shared with others. To export your LastPass vault, follow these steps.

  1. Log in to LastPass.
  2. Select Account Options or <your username> at the bottom of the menu.
  3. Go to Advanced > Export > LastPass Encrypted File. LastPass menu with the Encrypt option circled
  4. You may be prompted to enter your master password.
  5. Create and confirm an encryption key.
  6. Follow the onscreen instructions and a CSV file will be downloaded containing your LastPass vault data.

To import this data on another computer, follow these steps.

  1. Log in to LastPass.
  2. Select Account Options > Advanced > Import. LastPass sidebar menu with the Import option circled
  3. Select LastPass.
  4. Browse your computer and select the LastPass encrypted CSV file.
  5. Enter the Encryption key.
  6. Select the file you want to import.

The provided information and more can be found on the LastPass support page

VeraCrypt File Encryption

VeraCrypt is an open source encryption solution that is easy to use and works on Windows, macOS, and Linux. It can be downloaded from https://www.veracrypt.fr/en/Home.html. The most common way to use VeraCrypt is to create an encrypted volume and then store files inside the volume that need to be encrypted. Steps have been provided below for the creation and mounting of a VeraCrypt volume.

Creating a VeraCrypt Volume

  1. Open up the VeraCrypt application and select Create Volume.
    VeraCrypt Encrypt Volume button

  2. Select Create an encrypted file container and click Next.
    VeraCrypt Volume Creation Wizard pop-up

  3. Create a name and select a location to save the VeraCrypt volume that you will be creating and select Next. It is helpful if you create a volume name that ends with the extension .vc. This will associate the volume with the VeraCrypt application.
    Creation Wizard Volume Location screen

  4. VeraCrypt provides some options for encryption. Select the desired encryption algorithms and select Next. VeraCrypt uses the AES algorithm by default and is recommended for selection. In most cases a 500mb size volume is suitable. However this depends on the user’s need and should be adjusted accordingly.
    Encryption Options menu

  5. Create the size of the volume that you would like to create. Click Next.
    Volume Size menu

  6. Create a password for your encrypted volume. Click Next. The longer the password the better it is. It is important to not lose your password. A lost password will make the data unrecoverable.
    Volume Password creation menu

  7. Select the file system and click Format. The default is suitable in most cases.
    Volume Format menu

  8. Your volume has been created. Click Exit
    Volume Created screen

Mounting a VeraCrypt Volume

  1. Select the VeraCrypt volume that you would like to mount. Select the letter drive location you would like to use. Click Mount.
    VeraCrypt volume selection screen with the N drive selected and the Mount button highlighted

  2. Enter your password for the VeraCrypt volume. Click OK.
    VeraCrypt volume password prompt

  3. The drive is now unencrypted and ready for use at the drive location you have selected. Save files and documents as you would normally do with a mounted drive.
    VeraCrypt volume selection screen with the N drive showing the newly-created volume

gocryptfs File Encryption (Linux Only)

  1. Initialize a new encrypted file system and set a strong, yet memorable password.
    Terminal with gocryptfs password creation prompt and creation successful message

  2. Mount the encrypted file system and copy your files to it.
    Terminal with password prompt and file system mounted message

  3. When you are finished working with the files, unmount the encrypted file system.
    Terminal with unmounted file system

Generic File Encryption

Any type of file may be encrypted using GPG. Both the sender and the recipient must have GPG encryption software installed as well as generated key pairs. There are OpenPGP implementations for Windows, Linux and macOS. If you would like to use GPG to encrypt files and need expert advice on key generation management and distribution, then please open a ServiceNow request.

3.10 - Encrypt Sensitive Data in Transit

Data is in transit when it is sent over a network. Some common examples are:

  • Sending email
  • Sending text messages
  • Entering data into website forms
  • Uploading files to a website

Two common implementations for encrypting sensitive data in transit are Open Secure Shell (OpenSSH) and Transport Layer Security (TLS).

OpenSSH is an open-source version of Secure Shell (SSH) used for remote login using the SSH protocol. Using SSH encrypts all traffic between clients and servers to prevent data hijacking, snooping, and other cyberattacks such as man-in-the-middle (MitM) attacks. It’s a more secure way to remotely control or transfer files between computers.

Transport Layer Security (TLS) is an encryption protocol that keeps data secure as it’s being transferred over a network.

Using OpenSSH for Windows

The following instructions apply for Windows Server 2022, Windows Server 2019, and Windows 10 (build 1809 and later).

Verify Prerequisites
  1. Open an elevated PowerShell session by running it as an Administrator.
  2. Validate that your environment meets the OpenSSH prerequisites.
    1. Type winver.exe and press Enter to verify that the device is running at least Windows Server 2019 or Windows 10 (build 1809).
    2. Run $PSVersionTable.PSVersion to verify that your PowerShell version is at least 5.1.
    3. Run the command below. If the output returns True, then you’re a member of the built-in Administrators group.
(New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Installation
  1. Run PowerShell as an Administrator.
  2. Verify that OpenSSH is available by running the following cmdlet:
Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

If already installed, the command will return the following output:

Name  : OpenSSH.Client~~~~0.0.1.0
State : NotPresent

Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent
  1. Install the server or client components as needed:
# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Starting an OpenSSH Server
  1. Run PowerShell as an Administrator.
  2. Run the following commands to start the sshd service.
# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

# Confirm the Firewall rule is configured. It should be created automatically by setup. Run the following to verify
if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) {
    Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."
    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
} else {
    Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."
}
Connecting to an OpenSSH Server
  1. Run PowerShell.
  2. Run the following command, replacing domain with your domain or username with your username and servername with the OpenSSH server name.
ssh domain\username@servername
  1. If a message similar to the following one is outputted, typing yes will add the server to the list of known SSH hosts on your Windows client. Typing no will abort the connection.
The authenticity of host 'servername (10.00.00.001)' can't be established.
ECDSA key fingerprint is SHA256:(<a large string>).
Are you sure you want to continue connecting (yes/no)?
  1. When prompted, enter your password. What you type will not appear in the terminal window for security purposes.

Using OpenSSH for Ubuntu

Client Installation

sudo apt install openssh-client

Server Installation

sudo apt install openssh-server
OpenSSH Server Configuration

The server configuration is located at /etc/ssh/sshd_config. For more information regarding server configuration options, refer to the OpenSSH manual by typing man sshd_config.

It’s good practice to make a copy of the configuration file before editing it. To make a copy and protect it from being edited, run the following commands:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

Once the configuration file is ready, restart the ssh service to apply changes:

sudo systemctl try-reload-or-restart ssh
OpenSSH Resources

Encrypting Sensitive Files

Two common implementations for encrypting sensitive data in transit are Open Secure Shell (OpenSSH) and Transport Layer Security (TLS).

  1. Put the data into a file.
  2. Encrypt the file using one of the file encryption methods described in section 3.9.
  3. Attach the encrypted file to an email, or place the encrypted file in your VT Google Drive.
  4. If you used a password for encryption, call the recipient on the phone and provide the password or share the password with the recipient via LastPass.

If you are entering sensitive data into a website or uploading files, ensure the website is using HTTPS by looking at the URL in your browser. Most browsers will also show a lock symbol next to the URL to indicate it’s safe.

3.11 - Encrypt Sensitive Data at Rest

Sensitive data is easiest encrypted at rest via storage-layer encryption, otherwise known as server-side encryption (SSE). SSE is currently enforced by default in most applications, such as in Azure disks and newer Amazon S3 buckets.

However, using SSE only meets the minimum requirement of this safeguard. To better protect sensitive data at rest, one could additionally implement client-side encryption (also known as application-layer encryption), use double encryption at rest, or use end-to-end encryption.

Azure

By default, Azure OS and data disks are encrypted at rest. This does not include temporary disks unless encryption at host is enabled. For further information on server-side encryption, how to enable end-to-end encryption, or using double encryption at rest, consult the Azure disk encryption documentation.

Amazon S3

All Amazon S3 buckets since January 5, 2023 have server-side encryption enabled by default. To manage encryption keys or set up custom encryption, please refer to the AWS Key Management Service Developer Guide. For more information on Amazon S3 bucket encryption, see the Amazon S3 User Guide.

Oracle

Oracle buckets and objects are encrypted by default. Object Storage allows for a specified Master Encryption Key to be used instead. To manage encryption keys or specify a master key to be used, refer to the Oracle Cloud Infrastructure Documentation on encrypting data.

3.12 - Segment Data Processing and Storage Based on Sensitivity

The Virginia Tech Risk Classifications define the different types of sensitive data, where they originate from, and how they are protected. Additionally, they establish the order of which assets should be processed and prioritized based on sensitivity.

Each asset classification has a recovery time objective (RTO). The RTO is the maximum amount of time that can be spent on recovering the asset in the event that it is disrupted, malfunctioning, or misused.

Critical-priority assets are crucial to organizational operations, assets, or individuals. The disruption of access or use of data or IT resources via these assets or the unauthorized destruction of data would result in severe adverse effects. The RTO of critical-priority assets is < 12 hours.

Essential-priority assets are important to day-to-day operations but can be temporarily worked around for up to a week in the event of asset loss. Eventually the asset must be restored to continue organizational operations. The RTO of essential-priority assets is between 12 and 72 hours.

Non-essential-priority assets are assets whose loss will have an insignificant to limited adverse effect on organizational operations, assets, or individuals. Operations can continue for an extended - although perhaps finite - period of time, where alternatives can be identified. The RTO of non-essential-priority assets can be undefined.

Other

If you have questions that are not covered in these procedures, please contact the VT IT Security Office itso@vt.edu for a consultation.