Welcome to the third edition of our monthly series, where we offer time-saving tips for security professionals. This month, we’re focusing on how to stay secure when traveling, in particular when traveling for conferences.
As you may know, Black Hat USA is coming up soon, one of the biggest security conferences of the year. We’ll be exhibiting (catch us at Booth #1000!), and we always think it’s a great time to remind you about basic security hygiene when you are traveling and/or attending conferences.
Below, we’ll provide you with some food for thought, as well as a handy checklist for securing your devices (and even your physical wallet) while you travel.
Ask Yourself: Am I a Target?
Hackers and other ne’er-do-wells are constantly using social engineering techniques to exfiltrate key information or tunnel into organizations. So the first step in better protecting yourself is to understand whether you may be a major target, and if so, what hackers might be looking for among your treasure trove.
If your title or role corresponds to any of the below, there’s a good chance you could be a target:
- Head of HR
- Product manager
- Marketing manager
- Sales manager
Next, think about the types of data you may have access to. If your work privileges provide you with access to any of the below, you need to take extra security precautions:
- Business proposals
- Earnings reports
- Evaluation agreements
- Employees’ personal information
- Tax documents
- Company credit cards
- Product roadmaps
- Source code
- Product vision
- Strategic vision
- Strategic partnership agreements
- Customer lists
- Customer communications
As you may be realizing, far more people do have this type of privileged access than don’t. You can see why security hygiene is a necessity.
At conferences like Black Hat in particular, hackers will often attempt to gather data from competitors’ organizations and look for vulnerabilities in them, and the top targets are always the highest in the ranks at an organization. The most prized data? Roadmaps, business strategy plans, and technical documentation.
Additionally, security teams and individuals often attempt to undermine vendors simply to prove their own skills. Exfiltrated information like pricing sheets, employee details, or partnership agreements can undermine businesses in a major way.
To reduce the possibility of this information leaking, we recommend not storing it on devices when traveling and attending conferences. Instead, move the data off of your local drive and leave it at home or work unless absolutely critical for your purposes.
Know Your Data & Protect It
Now, even if you aren’t at the top of the totem pole, there are plenty of pieces of information that you should take steps to secure. We recommend that you consider what private information you possess that you would not want to lose hold of.
If you use the devices you are traveling with for personal purposes, it’s a good idea to think about whether you have:
- Compromising or sensitive personal information in your browser history
- Compromising or sensitive personal information saved locally to the computer
- Sensitive documents (think: saved receipts, bank statements, or filled-out tax forms or invoices) in your documents/downloads folder
- “Accidentally” acquired copyright-infringing documents (ahem)
- Your device connected to a personal iCloud, Google Drive, or OneDrive account
- The same password in use for some or all of your most critical accounts
Many people use work laptops for personal purposes, whether that includes accessing your bank account, going on Facebook, or checking personal emails. So it’s a good idea to audit the personal sites you have visited and what information you may have pulled down to your machine.
Hackers are surprisingly deft at exfiltrating personal documents from machines. For example, many people keep a “personal” folder on their computers. Hackers know what’s likely to be in there: scanned pictures of important documents; passwords in a text file; pictures of loved ones; health information; etc. To mitigate the impact of this information being accessed and/or stolen, move it to a personal machine, email, or storage device. Keep it off your work machine.
Beyond these high-level considerations, below we’ll share a handy checklist for securing and protecting your devices when traveling and attending conferences.
A Handy, Dandy Device Security Checklist
If you’re ready to take action, here is a checklist you can use to secure your devices before you head off on that trip or to that conference. We’ve broken these down into the “highly recommended” steps, as well as some bonus points for those who want to go above and beyond and make extra sure their data and devices are secure. If you aren’t sure how to do any of these, a quick Google search should provide you with instructions, based on your type of device.
- Turn off auto-connect to Wi-Fi
- Turn off Bluetooth
- Turn off Wi-Fi calling
- Turn off mobile/personal hotspots
- Turn off NFC
- Turn off phone visibility (e.g. Find My Friends on iPhone)
- Turn off auto-sync features
- Upgrade lock settings: Use a password, swipe, or biometrics instead of a PIN
- Turn on phone tracking and remote disable functions (A reminder: Do not make your remote disable account password the same as your regular phone password.)
- Delete unnecessary applications: “Updates” to random apps and bloatware are often used by hackers as a way to get into your machine
- Offload pictures, videos, and documents at home
- Encrypt your files or data: If you must keep sensitive information on your phone, consider encrypting it.
- Back up before you leave and restore when you return: This way you know your phone is in a “safe state”
- Use a VPN: If your company doesn’t have one, download one (we like ExpressVPN)
- Disable local accounts
- Turn off auto-connect to Wi-Fi
- Turn off Bluetooth
- Get or enable a VPN: Always use a VPN when connected to Wi-Fi
- Don’t leave your computer turned on or unlocked in your hotel room
- Consider removing sensitive or critical files from your machine prior to the event
- Use a firewall: Get a simple-to-use firewall and block access to everything (you can always turn it back on as needed)
- Temporarily disable cloud storage services
- Back up before you leave and restore when you return: This may not be possible with corporate laptops, in which case you should focus on removing sensitive or critical files from the machine
- Consider changing your password for the duration of the event
- Check for updates before you leave
- Run firmware and software updates, then disable all auto-updates
- Invest in an RFID wallet
- Bring cash and don’t use ATMs at Mandalay Bay
- Bring only one credit card (or better yet, a debit card) and leave the others in a safe in your hotel room for emergencies
- Don’t open a bar tab (keep your credit card with you at all times)
- Write down your bank customer service number in case you need to cancel your card
- Keep your wallet in your front pocket
- Do a daily audit of charges and payments from any cards you use while traveling
Paranoid? No, Protected.
The list above might seem like a lot, especially if you are not used to thinking like a security pro. Start with the highly recommended steps and add in the bonus points when you are ready to level up your security posture. While going the extra mile may seem unnecessary, the reality is that hackers get smarter every day, and their methods of accessing and exfiltrating data are highly sophisticated. Especially if you are traveling to a conference like Black Hat, which is chock-full of cutting-edge security researchers and hackers on both sides of the fence, make sure you take appropriate precautions to protect your own and your organization’s sensitive data from theft or misuse.
Where are you headed this summer, and what security steps do you plan to take before you go? Anything key we missed?