Campus Security Awareness Campaign 2018
This post is part of a larger campaign designed to support security professionals and IT communicators as they develop or enhance their security awareness plans. View all 12 monthly blog posts with ready-made content by visiting our security awareness resource page.
Recycled or donated computers containing the confidential information of the prior owner continue to be a source of embarrassment or identity theft. Many still believe that dragging a file to the recycle bin removes the data from the machine, or that all computer drives write and overwrite data in the same way. Help your community improve their individual and collective security by sharing these tips.
Get the Word Out
Newsletter or Website Content
As you upgrade your personal devices to the newest options, do you recycle the old equipment? Being green shouldn't make you blue. Take steps now to remove anxiety later that forgotten sensitive files on your last laptop could become a source of embarrassment or identity theft. Trying to securely delete data at the time you decommission equipment can turn into a multihour chore and a source of stress, but it doesn't need to be that way.
Make sure saved copies of your tax filings, personal photos, and other sensitive files can't be retrieved by the next person with access to your computer's drive by making the drive unreadable to anyone else. Dragging files to the trash or recycle bin doesn't remove data—it just removes the retrieval path to the file and marks that storage space available for other data to occupy sometime in the future. Your pirate treasure is still buried, but the map is missing. "Secure file deletion" functions go a step further to overwrite the data in those locations with random bits immediately.
The introduction and growth of solid state drives in consumer electronics, however, makes overwriting the data in these spaces less dependable than in the standard hard drives of the past. Today's "delete/overwrite" protection comes most reliably from full disk encryption (aka whole disk encryption), which encrypts all data on the machine—including the operating system and temporary files you weren't even aware you created. Follow the motto of a famous infomercial to "set it [full disk encryption] and forget it [the password/key]!" Even if someone removes the drive and puts it into a different machine, the encryption remains in place.
- Plan A: Encrypt the full disk now using built-in functionality. Create a strong passphrase or password, since this becomes the decryption key! Everything will be encrypted, including the operating system, so you will have to "unlock" the encrypted drive with your personal passphrase every time you start or boot up your computer. Save the generated recovery key somewhere secure (like a password manager or printout stored in a secure office), in case you forget your password and need to access the data on that machine. Here are instructions for some of the most common built-in encryption functions:
- FileVault2 (Mac OS)
- BitLocker (Windows 10 and Windows 8 Professional)
- BitLocker (Windows 7 Ultimate)
- Plan B: If full disk encryption wasn't a built-in option, find a free or fee version of full disk encryption software that works with your operating system and personal capability. Check your favorite review sites or try Slant for recommendations.
- Failsafe: Hammer time! Remove and destroy the drive (Geek Squad offers a three-minute tutorial [https://youtu.be/dYcPT-xrLBM] on hard drive disposal). Most retail stores that accept computer donations for safe recycling will remove the drive and give it to you for secure destruction—just ask them to do that. Smash it, drill it, or hold onto the drive until there's a secure shredding event at work or in your community.
Figure 1. Use this image to support your message
Social Posts
Note: These are Twitter-ready, meeting the 140-character length restriction.
- Full disk encryption is the new deletion! #Encryption #CyberAware
- Set it and forget it! #Encryption #CyberAware
- Lock it and throw away the key. #Encryption #CyberAware
- Hammer time! [https://youtu.be/dYcPT-xrLBM] #Encryption #CyberAware
- Be green, not blue—encrypt disks before recycling computers or laptops! #Encryption #CyberAware
E-Mail Signature
Ask staff members to add a tip to their e-mail signature block and link to your institution's information security page.
Example:
Jane Doe
Information Security Office
XYZ College
Use full disk encryption and stop stressing about secure deletion. Learn more. [Link "Learn more." to your institution's information security department page or EFF's overview of encryption [https://ssd.eff.org/en/module/what-encryption].]
Embed or Share Videos
How to Set Up BitLocker Drive Encryption in Windows 10 (1:46 min)
Disposing of Your Hard Drives: A Geek Squad 2-Minute Miracle (3:06 min) [https://www.youtube.com/watch?v=dYcPT-xrLBM]
How to Remove the Drive in Your MacBook Air or Pro (3:08 min)
Resources
Share these resources with end users or use them to inform your awareness strategy:
- Review the Electronic Frontier Foundation's Surveillance Self-Defense guide for overviews on a variety of topics, how-to tutorials, and detailed briefings for specific situations.
- Do a Digital Spring Cleaning and Clear Out Cyber Clutter: A few simple steps from the National Cyber Security Alliance and Better Business Bureau will help you stay cybersafe and protect your personal data and identity all year round.
- See our previous Campus Security Awareness Campaign blogs on encrypting and backing up devices: December 2017: Your Mobile Devices Won't Secure Themselves! and July 2016: What's Your Personal Backup Plan?
Brought to you by the Awareness and Training Working Group of the EDUCAUSE Higher Education Information Security Council (HEISC).