People often ask for tips on staying safe in cyberspace while traveling in "real" space. It's odd to think that our physical location affects our digital lives, but various state and non-state threat actors can have a real impact on digital security during business trips or vacations. I'd like to share the following seven tips, written from the perspective of an American who travels overseas.
- Back up your devices before traveling. Should you lose your device or suffer theft of the device, your data will be stored safely elsewhere. Do not store the backup on mobile media (like a USB drive) and pack it with your luggage! Leave the backup at home or at the office in an appropriately locked container.
- Ensure all electronics are encrypted and protected by a passphrase. Should your device fall into unwelcome hands, encryption and passphrases will frustrate casual adversaries. These countermeasures may also reduce or eliminate the need to report the loss to organizations outside the company. Don't store the passphrase with your device.
- When possible, bring a minimum number of devices, and keep them with you as much as possible. The purpose of this tip is to reduce the likelihood of theft or tampering with devices left in hotel rooms or vehicles. Keeping electronics close isn't always possible, depending on the nature of the activity. Do the best you can, perhaps relying on friends for assistance.
- When using cell phones, stay off the local telecommunications network if possible. In high-threat countries, foreign intelligence services may tamper with phones via the telecommunications providers. Avoid roaming on these networks. To make voice calls, consider acquiring a disposable phone in-country, or use Skype or a similar application.
- Be wary of wireless networks. Don't connect to a wireless network you don't recognize. If you aren't sure what's available, ask someone in authority. Connecting to a wireless network can be a risky proposition, but maintaining connectivity on the road is a business imperative.
- When connecting to wireless data networks, activate your VPN as soon as possible. VPN software is available for almost all mobile and laptop platforms. Connect back to your corporate network when doing anything on the Internet.
- Never accept or install software updates of any kind when traveling. Reports indicate some intruders push Trojaned application updates to hotel network users. It's better to update your applications before traveling and then avoid updates until you return home.
Finally, a bonus - if possible, and especially when visiting high-threat countries, bring only "disposable," clean devices. On the road, do the minimum amount of business necessary, using the seven principles above. When you get home, relinquish your loaner devices to your IT or security team. They may wish to perform forensics to determine if you brought home any unwelcome guests, like rogue software or hardware additions.