Remaining cyber safe while travelling: security recommendations

Purpose

This document is intended to complement cyber security while travelling. It is intended to provide readers with cyber security information to increase their awareness of cyber-based threats that they may face when travelling. This document also provides mitigation advice which may reduce the risk associated with these threats.

Background

Individuals have become increasingly reliant on timely access to digital information, even while travelling. Remote access to business information is generally facilitated through the use of portable electronic devices which can offer the traveller both communications services and access to information, even when this information is stored on internal corporate information technology infrastructure. Devices include personal digital assistants (PDA), cellular and smart phones, laptops and tablets. Employees should be made aware of the risks that they, and the information they take with them, may face while travelling, as well as understand measures that they can take to reduce this risk. This document provides general cyber security information to increase the traveller's awareness of potential risks they face while travelling with electronic devices.

The information that someone travels with, or the data accessed while travelling could be compromised by threat actors and used against the traveller or the organization represented. Potential threat actors include hostile and foreign intelligence services, criminals and competitors. The information targeted by the threat could be technical, political, military, financial, or personal and a compromise of this information could provide the threat with a political, strategic, economic or competitive advantage. The risk associated with the potential information disclosure depends on the nature and/or sensitivity of the information itself.

Consumers and custodians of proprietary and sensitive information need to be aware of the potential for harm should that information become lost or stolen. The risk increases when travelling. The best way to prevent information loss or compromise is not to travel with it in the first place, not to access it remotely; and not to bring back external data files or devices and introduce these to the organization's information systems. These preventative measures may not always be feasible. Therefore, an organizational understanding of the risk travellers face, increased awareness by the travellers themselves, and the implementation of technical and procedural measures to reduce the risk associated with the loss, theft, compromise or corruption of digital information and devices are essential enablers of business or mission objectives.

General security considerations

The following general points have been provided by the Communication Security Establishment Canada (CSEC), the Government of Canada's lead in providing advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada:

Assessment

The following non-exhaustive list describes eight cyber security activities an organization should considered before, during, and after employee travel.

1.0 Security of portable and mobile devices

When travelling, users may carry multiple computing platforms and devices that if compromised and/or stolen, could result in harm to their organization. There are two popular types of devices that users travel with: phones/smartphones and tablets/laptops.

1.1 Phones/smartphones: There are many types of phones and smartphones available to users that offer a number of options, each with various applications and capabilities. These types of devices are potential targets for physical and data theft. To a threat actor, these devices offer a centralized source of information, both personal and professional, about the owner and the organization they represent. The majority of phones and smartphones have a number of connectivity functions including service provider digital infrastructure (such as CDMA, GSM and LTE networks), wireless, Near Field Communications (NFC) and Bluetooth. These connection options are often available to other computing devices with associated hardware modules such as tablets and laptops.

Wireless access (or "Wi-Fi"): Many devices offer the ability to connect to the Internet using available wireless Internet access points. These Internet connection points offer various levels of security, and users should be made aware that any information sent over a network they connect to may be intercepted by a motivated and capable threat actor. Free Internet access points are sometimes established for malicious purposes, and they are sometimes purposely named to appear as trusted access points.

For example, a hotel may have established an access point called: “HotelABC Internet”. A threat actor could establish a malicious access point in the vicinity of that hotel called: “SecureHotelABC Internet”. This access point may even have higher signal strength than the legitimate one and is, thus, presented to the user as a preferred connection. It is advisable for the traveller to confirm with the accommodations establishment the name of any Internet connection that they provide.

Bluetooth access: Bluetooth is a short range wireless connection protocol to establish connectivity between two devices. One common use of Bluetooth technology is to enable hands-free talking while driving. Some devices allow automatic connection, meaning that other Bluetooth devices can establish a connection without authorization and, then, potentially access exposed information such as contact lists. Bluetooth settings can be managed at the device level to reduce this risk. Ideally, Bluetooth should be disabled prior to travel by the device administrator.

The following precautionary measures should be considered when travelling with phones and smartphones:

Note: Some countries have laws that allow them to monitor the information transmitted over their networks. Users should always be aware of the information they are transmitting using foreign networks and how the compromise of that data may affect them and the organization they represent.

1.2 Tablets/laptops: Tablets and laptops can also be attractive targets for malicious actors. The following tips may help secure these types of devices during travel:

1.3 Loaner devices: It is common practice for travellers to have their organization provide devices that are used specifically for travel purposes. These are “clean” devices that allow the user to continue to perform their duties while travelling. These devices are often older or cheaper assets configured to provide basic computing abilities, and may or may not include the ability to connect to corporate networks. They are exclusively used for travel purposes. After travel, the information on the device is securely deleted and, at times, the device itself is destroyed. Organizations with an advanced forensic analysis capability may choose to examine the device for evidence of compromise.

Loaner devices may offer a false sense of security. No matter the state of the device, awareness of the risk while travelling is important. If the loaner device connects back to the organizational network, or the organization's information is processed on the device, risk of compromise remains. Loaner devices may therefore be restricted in from accessing critical or sensitive networks.

2.0 Wireless access points: publicly available wirelss Internet access points

Travellers will encounter various Internet wireless access points, some of which are free to use. Examples of such services include free Internet provided during conferences, in hotels, in airports, or in other public locations. These access points are often unsecure networks that can be accessed by anyone. A network that requires a password to connect to may not be secured. While any wireless communication faces the risk of interception, the use of strong encryption can reduce the risk of information disclosure.

As a best practice, avoid connecting to public wireless Internet and avoid transmitting information that you do not wish to be disclosed to an undesired or unauthorized party.

3.0 Internet café kiosks and other public Internet access points

Many facilities offer travellers devices that they can use to connect to the Internet. This service is often available in business centres at hotels and airports. These devices should not be considered to be trusted access points. They are subject to the security practices and management of the providing organization. Malicious software and hardware may be inadvertently installed on these devices and made undetectable by its users and the provider. One example is that of a keylogger. A keylogger records information typed by the user on the computer, such as passwords and credit card numbers. They can be either covert software applications, or physical devices attached to computers. Travellers should not use these publicly accessible devices to view or transmit information that, if disclosed, could harm either the traveller or the traveller's organization.

4.0 Data encryption: protecting your digital assets

When travelling, users may also employ encryption mechanisms to protect their data. In short, encryption transforms data in order to make it unreadable without a decryption key (generally a passphrase or token). Encryption may be used by travellers to send emails, or to secure the content of storage media such as laptop hard drives and USB memory sticks. When properly implemented, encryption protects information against theft and interception. Email and file encryption software is available commercially from a number of reputable vendors. PGP, or Pretty Good Privacy, is an example of a commonly used tool for effective email and hard drive encryption. Travellers should consult their IT department regarding supported encryption options for their organization.

Encryption is a very powerful and can be a somewhat unforgiving method of data protection. Depending on the nature of the encryption, should the decryption key required to unlock the encrypted data be lost, the data may not be retrievable.

Note: Some countries have laws that limit the use of and presence of encryption software. Prior to travelling to a foreign country, users are advised to consult the laws and regulations related to encryption that may apply in that specific country. For more details, consult the references provided below.

5.0 Password security while travelling

With the increased risk inherent in travelling, travellers are advised not to use the same passwords that they use at their place of employment when travelling. In today's computing environment, users often have multiple accounts that require password authentication. This may lead to password reuse, where the same password is used for a number of accounts. Should the password be compromised, there is the potential that a threat actor may then be able to gain authenticated access to multiple user accounts. Therefore, employees should be advised that a different and unique password be used while travelling. If it is suspected a password has been compromised, all passwords belonging to the user should be reset and the associated user accounts be monitored for suspect activity.

6.0 Be aware of event-related targeted emails

Targeted email attacks, or spear phishing, rely on exploiting the trust of the intended recipient. Before, during, and after travelling to a scheduled event, a traveller may be subjected to targeted email attacks. These emails are designed to appear authentic and may entice the recipient into providing sensitive information, or may unknowingly install malicious software on their device through a malicious attachment or web link. Travellers attending international conferences on topics of strategic and economic significance such as energy, environment, finance and military, are common targets of spear phishing attacks. Many of these attacks have reportedly been associated with advanced persistent threat (APT) actors. For more information on the mitigation of APT and tactics used in spear phishing attacks, please review the materials provided in the reference section.

7.0 Data backup: backup pertinent data files prior to departure

Prior to departure, travellers are advised to back up pertinent data files to a device that they will not travel with. Equipment is sometime subject to various rigours and inconveniences that are associated with travel. These can range from loss of baggage, theft of equipment and damage in transit to hardware failure and even search and seizure.

Individuals should never travel with data that they are not prepared to lose. In addition, individuals should not travel with information in a manner that violates their employer's policies or applicable laws.

8.0 Conference give-aways: Take precautions

While attending conferences and training events, software and hardware may be offered to participants. These materials can either be free of charge, or part of the paid content for course delivery. Even when provided during the course of a planned activity, it is possible that these materials may inadvertently or purposely contain malicious software. For example, a recent conference on computer security mistakenly distributed USB sticks that contained viruses that were installed during the manufacturing process.

Travellers need to be conscious of all storage devices that they attach or load into the devices they carry. This diligence should not only persist while travelling, but should remain upon return to the office. Do not attach or access any device that was received as a result of travel until it is properly evaluated by the organization's information technology team.

Recommendations

Threats to the cyber security, both physical and technical, can increase significantly when travelling. A user is normally taken from a known and relatively secure environment to one that is open, unknown and, in some cases, where threat actors have the power of government behind them. A heightened sense of cyber security awareness is required when travelling to protect personal and corporate assets.

A set of best practices while travelling was recently published by the Communications Security Establishment Canada and is provided in the reference section below.

The following checklist summarizes a number of these best practices as well as those introduced previously in this document. This checklist is for use by both the traveller and information technology support staff:

 

Before travel

 

Completed

If you can travel without the device, do so. If you must take a device, use one minimally configured for travel.

 

Be suspicious of emails received prior to the travel, especially if they are related to large international events. These emails may have links to malicious compressed archive or executable files, other malicious attachments, or web links.  Verify the source to the extent possible.

 

Consider the impact to your organization if the information on the travel device was lost or stolen. Remove unnecessary information from the travel devices and ensure backups of this information are made and left at your local facilities. Consider whether using encryption to protect files is allowed in the visited country.

 

Install up-to-date anti-virus protection, spyware protection, operating system security patches, and a personal firewall. Set the web browser to the highest security setting possible. Ensure that the user cannot disable these features.

 

Configure devices to run anti-virus software on storage devices on access (e.g. USB) upon installation and explain the procedures to the traveller.    

 

Limit and restrict administrative privileges. Have the traveller change passwords prior to travelling. Ensure any passwords meet the organization’s security policy requirements for password complexity.

 

Ensure that proper network security settings are implemented for all devices. Disable unnecessary connection capabilities such as Bluetooth, Infra-Red, NFC and Wi-Fi.

 

Verify that mobile devices are not able to access the Internet at the same time that the user is accessing the organization's internal network.

 

Ensure proper security settings are implemented for Virtual Private Network (VPN) access (if applicable).

 

Be prepared in case of an incident:

  • Increase logging and monitoring capabilities (when applicable).
  • Install a mobile device management (MDM) application to assist with the identification of security compromises. MDMs allow organizations to compare device images before and after travel to identify discrepancies, and
  • Ensure that the traveller is provided with contact information for the IT Service Desk and is familiar with incident reporting procedures.

 

 

During travel

 

Completed

Maintain physical control of the device at all times. Do not check the device with checked baggage or secure in airport, train or hotel storage lockers. If you must store the device, remove the battery, memory expansion and SIM card and keep them with you.

 

Avoid connecting via public Internet access point and open wireless access point.

 

Avoid connecting untrusted or unknown digital devices such as USB keys, media cards and USB chargers to your own devices. Avoid connecting your USB keys, etc. to untrusted devices.

 

Be aware of your surroundings and who might be able to view your screen/keyboard especially in public areas (e.g. shield passwords from view) and terminate connections when you are not using them.

 

Empty your “trash” and “recent” folders after every use. Clear your browser after every use (delete history files, caches, cookies, URL, and temporary Internet files).

 

Remain cautious when browsing the web for personal use. This could expose your personal information and or financial information to risk of compromise (e.g. online banking). Do not use the “remember me” feature on websites: retype your password every time.

 

Where appropriate for security teams, maximize monitoring capabilities for devices that are associated with international travel and look for unusual activity and anomalies, such as:

  • unauthorized connection attempts;
  • connection attempts which occur at unusual times; and
  • unusual and unauthorized VPN activity (e.g.: split tunnels).

 

Have the IT service desk available to respond to user questions and concerns (e.g. lost device, security concerns, etc.).

 

 

After travel

 

Completed

Reset all credentials including both remote and local accesses and other accounts, including personal accounts, even if not accessed during the travel, which have similar username and/or password. These may include banking, social networking and webmail accounts.

 

Consult the user to obtain information about any reported issues, unusual device behaviour, or any other security concerns.

 

Apply due-diligence and handling procedures prior to reusing the traveller's device:

  • Examine the device for the presence of malicious software before connecting to the corporate network.
  • Continue to monitor for unusual behaviour, including the remote access accounts of employees who returned from travel to ensure unauthorized accesses are not occurring.
  • Compare the current image with the baseline image (if available) to identify signs of compromise.
  • Re-image the device before returning it to the travel inventory.
  • Test removable memory devices such as CD-ROMs, DVDs and USB sticks that were received during travel before plugging them into the corporate network.
  • Handle and report suspected incidents in line with organizational procedures and policies. Canadian Critical Infrastructure operators and owners may also report incidents to the Canadian Cyber Incident Response Centre (CCIRC)at cyber-incident@ps-sp.gc.ca

 

Consider the use of devices exclusively used for travel that are preconfigured with authorized security settings and reimaged upon return.

 

Related links
Additional resources
Date modified: