2. ► More and more organizations are sending employees to countries that are suspected of eavesdropping and corporate espionage
► Espionage is a fact of life - accept it.
► Giving away your data without a fight? Not so much.
► I travel a lot, to many different countries, and have seen some of this activity myself - the need is real
► I have helped Fortune 20 companies develop travel security programs, and here’s a short synopsis of what you should prepare for.
Introduction
3. ► Absolutely.
► State and commerce officials have reported hacking efforts (mobile/laptops) for the past 5-6 years
► Many reports of “travel hacking” and illicit device access in 2011-2012
Does this really happen?
4. ► At one point, I carried a BlackBerry.
  ► It was password-protected.
  ► I took out the battery regularly in certain countries.
► It still got hacked.
  ► Monitoring malware was installed… somehow.
► How did I notice?
  ► Strange behavior.
► What did I do?
  ► Bought an iPhone.
Yes, it’s happened to me, too.
6. ► Everyone thinks “China”… but this type of activity is pervasive
► Hong Kong, India, Israel, UAE, and of course the US should be considered risky as well
► There are many others - a significant number of countries are interested in you and your data
► Monitor news and threat intel sources to keep up with changing political and economic scenarios, or particular targeting of you or your organization
Countries of Interest
7. ► Lots of general threat intelligence sources:
  ► http://scan.ujcfedweb.org/local_includes/downloads/18150.pdf
  ► OSAC.gov
  ► Dept. of State Travel Warnings: http://travel.state.gov/travel/cis_pa_tw/tw/tw_1764.html
  ► US-CERT
  ► ISACs
Include travel in threat intelligence
9. ► Encryption:
  ► File/folder encryption should be mandatory for certain critical file types, if transported
  ► Full-disk encryption: yes
  ► Recovery credentials stored in AD or elsewhere
  ► All remote connectivity uses VPN
  ► Strong encryption strength (best possible)
  ► Some countries forbid/restrict encrypted devices
► Antimalware:
  ► Update requirements and ensure “no disabling” is explicit
► Email
  ► Limit what is acceptable and not while abroad
Policy Updates
10. ► Acceptable Use
  ► Explicitly disallow online banking, social media, access to specific sensitive internal sites while abroad
► Authentication
  ► Mandatory multifactor authentication
  ► Copy/paste credentials from USB, preferably biometric
  ► Smart card/client-side cert protection
► Mobile Devices
  ► “Loaner” devices are vastly preferred
► Wireless
  ► Disable wireless/Bluetooth if possible
Policy Updates (2)
12. ► Check US Dept. of State at travel.state.gov (or the equivalent in your country)
► Understand what items can and cannot be brought in
► Write down passport number and keep separately
► Get contact information for embassies
► Only carry essential forms of communication
  ► No employee ID
  ► No building passes
  ► Nothing that could be altered or leveraged
Prior to Departure
13. ► Assume hotels have surveillance devices
  ► Don’t look for them, act normal, report to Embassy and Infosec
► Avoid unnecessary conversations
  ► Especially personal ones, or with strangers
► Assume personal luggage may be searched
  ► Report to authorities if it happens
► Be aware of “wrong number” reconnaissance
► Be wary of hotel staff and guides/interpreters
While Abroad (High-risk Countries)
15. ► If possible, use a hardened Linux or non-Windows platform
► Install:
  ► File/folder encryption tools
  ► Full-disk encryption
  ► Tracking software
  ► Antivirus, preferably whitelisting
  ► Host IDS/IPS
► Consider a local Virtual Desktop using VMware View or Citrix XenClient
  ► Remote VDI is also a solid option, with better centralized control
► All laptops must be examined and wiped upon return
Laptop Recommendations
16. ► Require 10+ character PINs/passwords for access
► Employ MDM software with remote wipe capabilities
► Encrypted containers are useful, as well
► Disallow personal devices with corporate data or connectivity
► All mobile devices must be examined and wiped upon return
► Devices with batteries that can be removed are preferred
  ► Removal may help prevent tracking/eavesdropping
Tablet/Phone Recommendations
17. ► Check mobile devices and laptops prior to travel
  ► Encryption and security software
  ► MDM and remote wipe
  ► Separate SIM card
► Provision secure USB drives with passwords, certificates, etc.
► Set up remote or local VDI images if possible
► Set up a separate, temporary user account with strict multifactor authentication for use while traveling
► Ensure paperwork and emergency contacts are in order
Travel Plan
18. ► Travel, especially to certain countries, is much riskier today
► Sensitive business and other data is a high-priority target for attackers
► Organizations need to create and maintain a travel security program including:
  ► Policies
  ► Technology changes for mobile devices
  ► Threat intelligence and preparedness
  ► Monitoring and response processes
Conclusion