I’m very fortunate to have a career that I love, and one of the things that I enjoy about my career trajectory is that it has afforded me the ability to travel and see the world. As the RSA Security Conference in San Francisco approaches, many security folks find their inboxes filling up with emails asking for yet another five minutes of time. The calendars overflow with a deluge of meetings.
But the part that really stands out for me every year isn’t the meeting hopscotch, it is watching conference attendees wandering around the Moscone Center and Union Square with their badges and lanyards hanging around their necks. From an operational security, or OPSEC, point of view this is an unfortunate situation.
Travelers always need to be cognizant of their surroundings when they venture out. Criminals are not shy about seizing an opportunity to make a quick buck or find an easy victim, and providing them with free information is never a good idea. When traveling there are some steps that should be taken to ensure some level of safety. The most basic rule is to always be aware of your surroundings. But this brings up the question of what precautions non-insanely paranoid but cautious people should take when they travel, especially internationally?
Here is a compilation of steps that I would recommend people utilize when they travel to maintain their peace of mind.
A good rule of thumb is to keep it simple when you travel. Don’t need it? Don’t take it with you. A friend of mine would carry a backpack with him on travels that was overflowing with technical gear of all shapes and sizes. There was rarely a need for all of the gear, but we are creatures of habit. All of that unnecessary equipment can create targets of opportunity for a criminal when you set your backpack down in a coffee shop or start rummaging through it in the airport.
Patch All The Things!
When you travel be sure to have your mobile devices, laptops and other devices patched to the current level before you leave your house. Having the most recent version of the OS for all of your devices gives you the best level protection against opportunistic attackers, especially on unfamiliar networks. And don’t ignore your apps, either. Vulnerabilities in older versions of mobile apps can be soft targets for attackers.
Spot checks by border security services in numerous countries around the world are becoming more common and it’s not outside the realm of possibility that your device may be seized for inspection. If that happens, don’t fight or cause a ruckus as this will only cause you further inconvenience and could result in a delay and a more in-depth search of your equipment. The law on border searches of mobile devices is still evolving in the United States and other countries and it can be difficult to know what your rights are at any given border checkpoint.
When you’re going through an airport security checkpoint take the step to power down your devices before you get there. For many laptops and phones, completely powering down the device engages the full-disk encryption, providing a substantial layer of protection against random searches and opportunistic attackers. Just putting a device into sleep mode usually isn’t sufficient, so it’s worth the time to take the extra step of completely powering the device down.
"Keep Your Head Up, Stick On The Ice"
OK, great, now you have made it through you security screening and found your way to the airport lounge. You’ve managed to drop your bags and pick up a cup of coffee. We do tend to be overly trusting, which can open us up to attacks. If I had a dollar for every time I had encountered a laptop that was logged in and left unattended in an airport lounge I’d be able to afford a nice vacation someplace warm. As I mentioned earlier, be aware of your surroundings and never leave any of your devices unlocked and unattended in public. There’s no need to make criminals’ lives easier.
“Is this line secure?"
If you feel compelled to connect to the wifi in a public place, be sure to use a VPN. If you don’t have a corporate VPN solution, you can set up your own personal account. Before you login to your various accounts, make sure that you’ve enabled two factor authentication wherever possible. Solutions such as Duo Security (https://duo.com/) cough or Yubico’s YubiKey U2F hardware can help greatly in this regard.
When in doubt, don’t hit send.
“But wait, there’s more!"
The announcement crackles letting you know it’s time to board your flight. As you slide into your seat, remember that you still need to be aware of your surroundings. Seats on many airlines have a USB charging port available, which may seem attractive, but the problem here is that attackers can install devices on those chargers that grab data from your phone as it charges. As a smart traveller, take the extra step of getting a USB sync stop to avoid having your data copied.
“What are you looking at?"
In addition to to protecting against surreptitious data exfiltration, travelers also need to be aware of prying eyes. When you’re sitting on a plane and you open up your laptop there are multiple parties in the immediate vicinity that could see your screen. A wise choice would be to invest in a privacy screen such as those made by 3M to keep people from seeing what’s on your screen. I was once on a trip from Washington, D.C., to Toronto and I sat across the aisle from a prominent news editor and could see everything on his screen. After we cleared customs in Toronto I caught up to him and explained the situation. He was aghast at first but came to realize what I was trying to tell him. He thanked me and bought a privacy screen online while I turned to head for my cab.
“Checking In vs Check ins”
When traveling it’s wise to exercise some caution when you’re sharing with the rest of the world on social media. For example, sharing a picture of your boarding pass or itinerary can alert thieves and other troublemakers that you’re not going to be home for a while. That information, combined with other data readily available online for many people--such as home address--can provide a blueprint to a home break-in. When in doubt, don’t hit send.
While the aforementioned advice isn’t exhaustive, it will certainly help you stay safe when you travel. Keep your head on a swivel and your mobile devices close. You don’t want to present yourself as a target of opportunity for a bad guy.
Think, think and think again.
Dave Lewis is a global advisory CISO at Duo Security.