the learning never stops!

Cyber Security

International Operations

It's a scary world out there, especially considering how much of your personal life resides on your personal electronic devices.

One common rationalization for not worrying about it is that you are a small fish in a very large pond. Why would they target you? That used to be valid thinking, in that the attackers were going for the big money payouts. But lately they've realized the little guys are not as well protected and it will be easier to take a little from a lot of targets that aren't as well defended. So you need to be defended.


images

Photo: A virus in a sea of ones and zeros

Click photo for a larger image

Every Day Security

From my trusted sources:

  1. Before entering log in identification, passwords, or any other sensitive information, ensure you are on a secure website.
  2. You can tell it is secure if the address begins with "HTTPS" or has a lock preceding it. (HTTPS is an adaptation of the Hypertext Transfer Protocol (HTTP Secure) that is secured by Trasnport Layer Security. HTTPS uses a short term session key which then encrypts the data between the client computer and the server.
  3. HTTPS can be hacked but my trusted sources say using HTTPS over a name brand hotel's WiFi to a trusted website is more secure than using your cellular phone.

[Cyber Security, pp. 3 - 4]

  • On a daily basis there are things you can do to secure your mobile device. It's highly recommended to take the steps noted below that will add additional safety nets to protect your data, accounts, and devices.
    • Only install applications from the official app store
      • Software from sources other than the official app stores runs a much greater risk of being malicious. Installing a malicious. app is one of the greatest risks to a device
    • Keep the operating system and all applications updated
      • These updates commonly include security patches that are critical to protecting the device
    • Setup a secure login
      • Password, pattern, biometric, 8-digit PIN, etc.
      • Pins less than 8 digits are easier to exploit
    • Encrypt the hard drive
      • iPhones and iPods are encrypted by default, as are the latest android devices
      • Encrypted drives can provide both security and compliance benefits
    • Set your device to lock after a short period of inactivity
      • Helps ensure your device is secure even if the device is lost or stolen
    • Set your device to auto-erase if too many incorrect logins are attempted
      • This may require third-party software
      • This prevents someone from trying infinite password guessing
    • Backup your device configuration and data
    • Ensure endpoint security software and anti-virus is installed and up-to-date
      • This option may not be supported by all vendors (e.g. Apple iOS devices)
    • Enable the find-my-device feature
      • In addition to locating your device, this feature enables you to remotely lock or erase your device through your Google or iCloud account
    • Add a lock screen message with alternate contact information
      • This can be an email address that can be used to reach you if your device is found
    • Know how to disconnect devices from personal accounts
      • Many devices are setup to automatically log into cloud services like Google or iCloud
      • Most services allow you to log in and remove access for previously authorized devices

Before You Travel

From my trusted sources:

  1. Ensure your operating system and anti-virus software is up-to-date before you leave. Both are constantly updated to combat recent threats, but updating these on the road is a problem, since fake update sites may be used in some countries.

[Cyber Security, pp. 4 - 5]

Before leaving on your trip, be sure to review the following items. Several of these steps will make your device a bit less convenient to use, but also make them more secure or significantly reduce the impact if they are stolen or compromised. Be sure you consider the potential risks for any recommendation you do not utilize.

  • Consider using one-time-use travel devices (phones, laptops, etc.) that only have data required for the trip and are wiped after returning
  • Know your company's process for reporting lost or stolen devices
    • Keep the associated phone numbers or email addresses written down where you can locate them if needed
    • Be sure you know how to dial the numbers internationally
  • Log out of any synchronized accounts
    • Google, Yahoo, Microsoft, iCloud, social media, etc
  • Clear saved website passwords from all web browsers
    • If a device is compromised, it is possible for an attacker to gain access to these passwords
  • Turn off Near Field Communication (NFC)
    • NFC is a short-range contactless communication chip on many devices
    • Attacks against NFC can lead to data theft
    • There are risks with any technology that allows other devices to remotely exchange data with your device
  • Disable the Infrared port
    • Disable it in system settings or the BIOS if required
    • Another option is to cover the port with a piece of black electrical tape
    • There are risks with any technology that allows other devices to remotely exchange data with your device
  • Clear "saved" wireless networks that your device will connect to automatically
    • Someone could fake a common network access point and your PC would auto join without you even knowing
  • Remove all locally stored, sensitive data, not required for the trip
    • This minimizes the impact of a lost, stolen or compromised device
  • Encrypt highly sensitive information and store it on a USB drive that you can keep on your person at all times
    • USB drives with built in encryption are potentially less secure than encrypting the data ahead of placing it on the drive, due to proven hardware attacks on native drive encryption
  • Remove stickers or logos that may indicate your organization
  • Organizations should use Mobile Device Management software and individuals should look into consumer versions for personal devices
    • This significantly increases your ability to control lost or stolen devices
  • Test your organization's Virtual Private Network (VPN) and other remote access services

While Traveling

From my trusted sources:

  1. Never plug your phone into your computer, it is an easy way for a intruder to gain access to your computer.
  2. Never plug your devices into free charging stations; these can be set up to install sleeper programs through USB ports.
  3. Never use free give away USB memory sticks.
  4. Never use free WiFi from anything except a reputable hotel or other source that you are sure about.

[Cyber Security, pp. 5 - 8]

The following best practices will help protect your device, accounts and data while traveling. They are more stringent, but will help protect you from the increased risks that travelers face.

  • Do not update your devices OS or applications
    • Fake updates notifications are a common traveler exploit technique
  • Turn off your device's Bluetooth feature when not in use
    • Bluetooth vulnerabilities like BlueBorne can allow remote hacking of a device
  • Use privacy screen covers to prevent others from shoulder surfing your screen
    • Privacy filters use micro louvers that prevent screen viewing at sharp angles
  • Turn off your devices when not in use
  • Do not use public mobile device charging stations
    • Charging stations can be data-harvesting points (e.g. Juice Jacking)
    • If you have to use a public charging station:
      • Consider carrying USB data blocking adapter like those from PortaPow Data Blocker available on Amazon
      • Turn your device completely off first as this reduces the chances of data compromise
      • Travel with your own backup battery
  • Do not use any USB storage device that you find and be wary of those you are given
    • This is a known method of deploying malware to infect devices
  • Screen lock your device if you have to step away from it
  • Do not use publicly accessible computers to access any online accounts or for anything other than casual web browsing
    • There is no way to know if these have been compromised or what data they may collect
  • While traveling, do not use passwords or PINs that match any other accounts you already have
    • Password re-use is one of the leading causes of multi-account compromise
  • Do not loan your device to anyone else
    • Remember that physical control of a device equals full control
  • Avoid using public access points whenever possible
    • These open networks can expose your device to a number of attacks
    • Wireless hotpot spoofing can lead to someone seeing all your communications
    • Fake updates or other communications can be pushed to your device in an attempt to install malware
  • Consider using cellular data connection or mobile device hot spotting to access the Internet
    • It can be slower than the hotel network, but cellular networks are somewhat less risky
    • Cellular GSM and CDMA networks do have security risks, but may be less frequently targeted than traditional wireless networks
  • Use caution when using Automated Teller Machines (ATMs) overseas. Stick to hotel and bank locations.
    • ATMs can be compromised or rogue ones can be placed for use - Stick with trusted locations
  • Beware of distract and grab attacks in public areas
    • This is a common technique used to steal phones and laptops

After the Trip

[Cyber Security, p. 8]

When you get back home, take a few moments to ensure your information and accounts remain safe.

  • Turn in any loaned devices so that they can have their hard drive wiped
  • Wipe, reload or factory reset the device
    • This is the most secure option, but will mean restoring and reconfiguring the device
  • Non-wiped devices:
    • Virus scan any devices that will not have the hard drive wiped
    • Check for and run any updates you did not do while traveling
    • Change any passwords you used during the trip, including voicemail

References

Cyber security planning for domestic and international travelers, Universal Weather ∓ Aviation, Inc., TSS-CV084, March 2018

Revision: 20180407
Top