Overseas travel is part and parcel of modern business life, but with data security hazards including the loss or theft of equipment, spyware on PCs in hotels and airports, data theft through WiFi and border or customs officials, (particularly in countries prone to corruption or with illiberal authorities), what do IT security professionals need to consider when developing appropriate policies? Jim Mortleman investigates:
- Real risk in data vulnerability
- Danger hotspots
- Airports present particular risks
- Twin hazards of ideology and corruption
- Practical measures to protect your data
The growth of a globe-trotting mobile workforce equipped with smartphones, laptops and other devices is bringing many benefits to organisations, but travelling with IT equipment also presents considerable risks, from loss or theft of equipment/data to problems with security and customs. While most large firms have policies to guard against these risks, they are often ineffectively communicated or enforced. Many smaller companies have little or no protection in place.
Graham Cluley, senior technology consultant at security specialist Sophos, says: "Clearly the risk is not the cost of replacing a stolen laptop or Blackberry mislaid in the back of a Bangkok taxi. The primary danger is that cybercriminals will be able to access confidential, sensitive information that could be of value to them, be that a laptop containing personal information that could be exploited by identity thieves, sensitive company data, a vector into your corporate network, or usernames and passwords that could lead to corporate espionage. Even a corporate address book will have contact details of your employees, customers and partners that could be exploited in a spear-phishing or targeted malware attack."
But, of course, physical hardware does not need to leave your employee's possession for data to be compromised, particularly when you're using equipment or network connections in public internet cafes, business centres, airports or hotels. "It is not uncommon to find spyware on such PCs. Many users may have plugged USB sticks into such computers to aid data transfer, but this is in itself a possible source of infection. It may come as a surprise to know that a business centre in a hotel can often be less securely managed than a high-street cybercafe. And when it comes to the wireless internet facilities available in hotels ad other public areas, it is easy for anyone to set up a fake WiFi network and encourage people to connect to it to capture sensitive information," says Cluley (see: Video: Hacking at Heathrow airport).
But are there particular global hotspots for IT crime? Cluley says: "It would be short-sighted to label specific parts of the world as particularly dangerous from the point of view of a business traveller. The fact is opportunistic hackers, data stealers and identity thieves are based across the globe. You might be just as likely to have your laptop compromised in central London as Nairobi."
Amrit Williams, CTO at security management provider BigFix, agrees the problem is universal. "All countries present a high risk for carrying IT equipment, especially equipment storing confidential data. Obviously those with lax security or law enforcement, limited intellectual property laws, a history of criminal activity, unfriendly or antagonistic feelings towards the traveller's country of origin, military hotspots or heightened criminal or terrorist activity present increased risk for data loss."
But while it may not be useful to single out particular countries, it is worth noting airports everywhere are renowned hotspots for theft and pick-pocketing. Neil O'Connor, principal consultant at independent security consultancy Activity IM, says travelling staff need to be aware of the need to keep their valuables in sight at all times. "That's not always easy, particularly when you are being frisked at security. I have certainly had an exchange of views with an airport security person in the UK when I was unwilling to come forward to be searched until my bag containing my laptop was through the scanner. And don't put your laptop in hold baggage. An acquaintance of mine was forced to do this by officious check-in staff - and, no surprise, it did not appear at the other end."
Airports can present other problems for those travelling with IT kit. Nick Lowe, regional director of Northern Europe for Check Point, says one of the riskiest countries to enter with a computing device is the USA. "In summer 2008, the US Department of Homeland Security confirmed what some travellers already knew: border agents are allowed to search through files on laptops, Blackberries, smart phones or any other digital device when you enter the country, even when there is no reasonable cause," says Lowe. "Officials can keep data or the entire computer, copy what they want and share this data with other agencies - and can force you to give the password if the data is encrypted. Of course, if the data is not suspicious, guidelines say the copied data should be destroyed - but after what time interval? And how securely will it be stored while it's being assessed?"
Steve Subar, CEO of mobile virtualisation company OK Labs, says border crossings present two main challenges for corporate travellers carrying IT kit. The first arises in countries where importers face high duties (for example India and Brazil), and employees may have to pay if they can't prove equipment is not being imported. The second, more acute, challenge comes when travelling to countries with authoritarian regimes: "Some governments attempt to control access to the Internet and international media and view travellers' mobile devices as leaks in the ideological dikes they would erect around themselves," he says.
Corrupt officials can also present problems. For instance, one IT professional who did not want to be identified said: "When I landed in Russia for a flight connection to China, I had to pay a 'tax' to take my laptop onto the connecting flight. I knew there was no tax, but had no option but to pay and of course I wasn't given a receipt. My boss told me to put it down on expenses as 'airport assistance'."
The bottom line is when travelling anywhere there is an increased danger of equipment and data being stolen, inspected or impounded. While users should certainly be aware of the dangers and what to do in the event of any problems, this should be combined with strict procedures for data transportation, storage and access, supported by appropriate technologies.
Paul Gershlick, a principal at law firm Matthew Arnold & Baldwin, says: "It's best to allow no, or minimal, sensitive data on the device. If data does need to be physically carried, such as for a presentation, secure encryption should be used. However, far better to allow remote access through very secure means such as SSL VPN, coupled with RSA key fobs, so data never resides on the portable device but access is controlled. Remote access sessions should also require complex passwords to log in and inactive sessions should be timed out."
Other technological safeguards include tagging or alarming equipment, multi-factor access authentication, remote data deletion technologies and secure online storage solutions. But Activity IM's Connor cautions that no solutions will work everywhere, so policies will need to be flexible enough to allow for different circumstances. Neither online storage nor encryption are foolproof, for instance. "In practice, in the Europe Economic Area, the use of encryption for commercial use seems to be accepted, but that isn't necessarily the actual legal position. What would you do if a customs officer demands that you decrypt your laptop to look at the contents?" he says.
"Similar considerations arise from the use of VPNs, which use encryption to protect the traffic back to your office in the UK. I would be very surprised if intelligence services, even in friendly countries, didn't note IP traffic going from their networks back to the UK. If they take an interest they might try to intercept the unencrypted traffic. As regards using the cloud, this is okay but all the usual caveats apply. You are relying on a third party to protect your data. There is a lot of data in an accessible place, so it is an obvious target for hackers."
Stuart Barton, senior field engineer at Hughes Network Systems, travelled to more than 50 countries between 2005-2007, installing satellite data systems for the United Nations. He says that, although many tools and some solar panels were stolen in transit, the only problems he had with IT kit was at security and customs. "The biggest pain was Israel. They made me switch my laptop on, then kept me there ages while they checked through the contents of my e-mails and documents."
He also says business travellers need to be wary of officials demanding fees. "In Armenia, they tried to charge me tax to take my laptop out of the country. I knew they were trying it on. But when I said I'd brought it into the country, I had to prove it by firing it up and showing them pictures I'd taken in various other countries."
Fortunately, data security was not an issue. "I only had personal data on my laptop. Because we were contracted by the UN, they insisted all data was transported by their own personnel, who all had diplomatic passports."