Overseas travel is part and parcel of modern business
life, but with data security hazards including the loss or theft of
equipment, spyware on PCs in hotels and airports, data theft
through WiFi and border or customs officials, (particularly in
countries prone to corruption or with illiberal
authorities), what do IT security professionals need to
considerwhen developing appropriate policies?
Jim Mortleman investigates:
- Real risk
in data vulnerability
- Danger hotspots
- Airports present
particular risks
- Twin hazards
of ideology and corruption
- Practical measures
to protect your data
Case study:
The UN globetrotter
Video: Hacking at Heathrow airport
Real risk in data
vulnerability
The growth of a globe-trotting mobile workforce equipped with
smartphones, laptops and other devices is
bringing many benefits to organisations, but
travelling with IT equipment also
presents considerable risks, from
loss or theft of equipment/data to problems with security and
customs. While most large firms have policies to guard against
these risks, they are often ineffectively communicated or enforced.
Many smaller companies have little or no protection in place.
Graham
Cluley, senior technology consultant at security specialist
Sophos, says: "Clearly the risk is not the cost of replacing a
stolen laptop or Blackberry mislaid in the back of a Bangkok taxi.
The primary danger is that
cybercriminals will be able to access confidential, sensitive
information that could be of value to them,
be that a laptop containing personal information that could be
exploited by identity thieves, sensitive
company data, a vector into your
corporate network, or
usernames and passwords that could lead to corporate espionage.
Even a corporate address book will have contact details of your
employees, customers and partners that
could be exploited in a spear-phishing or targeted malware
attack."
Danger hotspots
But, of course, physical hardware does not need to leave your
employee's possession for
data to be compromised, particularly when you're using
equipment or network connections in public internet cafes, business
centres, airports or hotels. "It is not uncommon to find spyware on
such PCs. Many users may have plugged USB sticks into such
computers to aid data transfer, but this is in itself a possible
source of infection. It may come as a surprise to know that a
business centre in a hotel can often be less securely managed than
a high-street cybercafe. And
when it comes to the wireless internet facilities available in
hotels ad other public areas, it is easy for anyone to
set up a fake
WiFi network and encourage people to connect to it to capture
sensitive information," says Cluley (see:
Video: Hacking
at Heathrow airport).
But are there particular global hotspots for IT crime? Cluley
says: "It would be short-sighted to label specific parts of the
world as particularly dangerous from the point of view of a
business traveller. The fact is opportunistic hackers, data
stealers and identity thieves are based across the globe.
You might be just as likely to have your laptop compromised in
central London as Nairobi."
Amrit
Williams, CTO at security management provider BigFix, agrees
the problem is universal. "All countries present a high risk for
carrying IT equipment, especially equipment storing confidential
data. Obviously those with lax security or law enforcement, limited
intellectual property laws, a history of criminal activity,
unfriendly or antagonistic feelings towards the traveller's country
of origin, military hotspots or heightened criminal or terrorist
activity present increased risk for data loss."
Airports present particular
risks
But while it may not be useful to single out particular
countries, it is worth noting
airports everywhere are renowned hotspots for theft and
pick-pocketing. Neil O'Connor, principal consultant at
independent security consultancy Activity IM, says travelling staff
need to be aware of the need to keep their valuables in sight at
all times. "That's not always easy, particularly when you are being
frisked at security. I have certainly had an exchange of views with
an airport security person in the UK when I was unwilling to come
forward to be searched until my bag containing my laptop was
through the scanner. And don't put your laptop in hold baggage. An
acquaintance of mine was forced to do this by officious check-in
staff - and, no surprise, it did not appear at the other end."
Airports can present other problems for those travelling with IT
kit. Nick
Lowe, regional director of Northern Europe for Check Point,
says one of the riskiest countries to enter with a computing device
is the USA. "In summer 2008, the
US Department of Homeland Security confirmed what some
travellers already knew: border agents are allowed to search
through files on laptops, Blackberries, smart phones or any other
digital device when you enter the country, even when there is no
reasonable cause," says Lowe. "Officials can keep data or the
entire computer, copy what they want and share this data with other
agencies - and can force you to give the password if the data is
encrypted. Of course, if the data is not suspicious, guidelines say
the copied data should be destroyed - but after what time interval?
And how securely will it be stored while it's being assessed?"
Twin hazards of ideology and
corruption
Steve
Subar, CEO of mobile virtualisation company OK Labs, says
border crossings present two main challenges for corporate
travellers carrying IT kit. The first arises in countries where
importers face high duties (for example India and Brazil), and
employees may have to pay if they can't prove equipment is not
being imported. The second, more acute, challenge comes when
travelling to countries with authoritarian regimes: "Some
governments attempt to control access to the Internet and
international media and view travellers' mobile devices as leaks in
the ideological dikes they would erect around themselves," he
says.
Corrupt officials can also present problems. For instance, one
IT professional who did not want to be identified said: "When I
landed in Russia for a flight connection to China, I had to pay a
'tax' to take my laptop onto the connecting flight. I knew there
was no tax, but had no option but to pay and of course I wasn't
given a receipt. My boss told me to put it down on expenses as
'airport assistance'."
Practical measures to protect
your data
The bottom line is when travelling anywhere there is an
increased danger of equipment and data being stolen, inspected or
impounded. While users should certainly be aware of the dangers and
what to do in the event of any problems, this should be combined
with strict procedures for data transportation, storage and access,
supported by appropriate technologies.
Paul
Gershlick, a principal at law firm Matthew Arnold &
Baldwin, says: "It's best to allow no, or minimal, sensitive
data on the device. If data does need to be physically carried,
such as for a presentation, secure encryption should be used.
However, far better to allow remote access through very secure
means such as SSL VPN, coupled with RSA key fobs, so data never
resides on the portable device but access is controlled. Remote
access sessions should also require complex passwords to log in and
inactive sessions should be timed out."
Other technological safeguards include tagging or alarming
equipment, multi-factor access authentication, remote data deletion
technologies and secure online storage solutions. But Activity IM's
Connor cautions that no solutions will work everywhere, so policies
will need to be flexible enough to allow for different
circumstances. Neither online storage nor encryption are foolproof,
for instance. "In practice, in the Europe Economic Area, the use of
encryption for commercial use seems to be accepted, but that isn't
necessarily the actual legal position. What would you do if a
customs officer demands that you decrypt your laptop to look at the
contents?" he says.
"Similar considerations arise from the use of VPNs, which use
encryption to protect the traffic back to your office in the UK. I
would be very surprised if intelligence services, even in friendly
countries, didn't note IP traffic going from their networks back to
the UK. If they take an interest they might try to intercept the
unencrypted traffic.
As regards using the cloud, this is okay but all the usual caveats
apply. You are relying on a third party to protect your data.
There is a lot of data in an accessible place, so it is an obvious
target for hackers."
Case study: The UN
globetrotter
Stuart Barton, senior field engineer at Hughes Network Systems,
travelled to more than 50 countries between 2005-2007, installing
satellite data systems for the United Nations. He says that,
although many tools and some solar panels were stolen in transit,
the only problems he had with IT kit was at security and customs.
"The biggest pain was Israel. They made me switch my laptop on,
then kept me there ages while they checked through the contents of
my e-mails and documents."
He also says business travellers need to be wary of officials
demanding fees. "In Armenia, they tried to charge me tax to take my
laptop out of the country. I knew they were trying it on. But when
I said I'd brought it into the country, I had to prove it by firing
it up and showing them pictures I'd taken in various other
countries."
Fortunately, data security was not an issue. "I only had
personal data on my laptop. Because we were contracted by the UN,
they insisted all data was transported by their own personnel, who
all had diplomatic passports."
Video: Hacking at Heathrow
airport
Top five mobile working issues >>