Many of you have to travel for work. That makes you an attractive target to cyber criminals that want to steal trade secrets, customer information, or even infect your system in a way that puts your network at risk when you return to the office. You can, however, work on the road in a much more secure way, armed with some basic precautions and awareness.
There’s a cottage industry in devices that attackers can use to target peoples’ laptops and phones in public spaces. These devices are purchased and used by legitimate security professionals to test networks, but they are also commandeered by criminal attackers. Open wireless network connections can be intercepted and manipulated, and physical access to computers and phones can be used to install malicious software that allows for remote control and theft of data. These attacks can happen quickly and leave little physical evidence. In target-rich environments like airports and hotels, a single criminal can compromise many potential victims at once—you included. Targeted attacks against specific individuals and organizations can be even easier.
Here are a few pieces of advice to remain secure and protect yourself and your organization against these mal contents:
- Protection begins with situational awareness and physical control over your devices. It pays to have your head “on a swivel”. Be aware that people behind you, or cameras above you, may be able to watch you type in your passwords or see the contents of your screen. Dual-factor authentication — that makes use of a physical token or a fingerprint scanner in addition to your password — can reduce the usefulness password exposure. Be aware of the information you’re viewing on your screen in public spaces, and consider investing in a privacy screen for your laptop. That will reduce possible viewing angles. Even with a privacy screen, understand that those directly behind you will still be able to read over your shoulder.
- Never allow your system to leave your line of sight in a public space. In a matter of moments, an attacker can insert a device into a USB port on your computer that will infect your system and begin extracting sensitive data. This can occur even if you have “locked” your laptop, requiring a password to log back in. Mobile devices can be easily stolen, so have your IT staff implement full-disk encryption on any systems that travel. While it is more convenient to simply close the lid on your laptop, the most secure state for an encrypted system is to be completely “shut down”.
- When on the road, avoid Wi-Fi networks that are not managed by your IT staff. Wireless networks in public spaces are targets for data collection, and it can often be done completely passively. Active attacks may also pose as secure access points that you may be conditioned to connect to out of habit. Make use of cellular networks when possible (using cellular hotspot devices for your laptop), and make a connection back to your office network via Virtual Private Networking (VPN) for an additional layer of security.
Ultimately, you should also have a third party take a look at your traveling workers’ operational security — much like you should be performing offense-oriented testing of your company’s networks. A team that is qualified to conduct penetration tests and red teaming engagements can be tasked with examining common remote work scenarios that you and your employees will engage in. The clever tricks attackers use to compromise your mobile devices may surprise you. Be sure to harden your technology and practices so you can confidently work from anywhere.