Protect sensitive information during business travel

By Dwayne E. Smith (USASAC Cybersecurity Officer), February 1, 2016

Security assistance, a national program administered by the State Department, is a major component of U.S. foreign policy. The U.S. Army Security Assistance Command (USASAC) was created to support the Army's Foreign Military Sales (FMS) program serving more than 150 foreign partner nations. The USASAC mission -- like so many others -- often requires employees who directly coordinate FMS to travel to the country they are supporting. This exposes the travelers' personal and government information to risk.

These travelers can become the target of a foreign country's efforts to obtain information or technologies in order to increase its market share, build its economy or modernize its military. USASAC employees must frequently take their information technology systems with them to access the enormous quantity of regulatory guidance and other documentation required. This information can be a target of opportunity for many foreign intelligence, corporate intelligence and other operatives.

Cybersecurity concerns now extend beyond the laptop and the traveler to all risk avenues, such as the phone, programmable watches, computerized pedometers, computerized calculators and even gaming systems. Most of these devices can be connected to a laptop USB port to charge, program or download information. This is a potential attack avenue into the laptop computer, which holds sensitive information. The information could be stolen from the laptop by introducing malware, by hacking or by monitoring transmissions. Malware can be uploaded into small electronic devices and transferred to the laptop when they are connected.

Before you go, reduce the exposure risk by leaving behind any personal electronic devices or government information that is not required for the mission. Before departing, ensure that all data is backed up, that Information Assurance Vulnerability Alerts and antivirus are up to date, and that BitLocker full drive encryption is functioning. Establish a secure backup site that will synchronize when a VPN connection is established. Do not announce your trip details on social media or in personal emails. Hackers who make a living out of collecting and selling information and secrets have automated tools that browse the web and harvest information on potential targets.

Clear your Internet browser of history files, caches, cookies and temporary Internet files. Have the traveling information system's passwords and PINs changed before departing for the high-risk environment so they are not the same as those on the home network. Set full drive encryption and a strong password on all digital devices, including phones and tablets.

Mobile devices, like laptops, must be kept up to date and free from malicious software. Mobile devices have a greater risk of being lost, stolen or infected by malicious software because they are rarely updated or secured with an antivirus application. The smartphone is a small device but can hold a large amount of information and should be carefully protected. Smartphones have a greater risk exposure than regular cell phones because of their expanded capabilities, such as surfing the Internet, watching movies, emailing and even online banking.

During the mission, always maintain positive control of electronic devices and keep all radios (WiFi, Bluetooth and Near Field Communications) disabled when not in use. These wireless connections are always active even when the phone is not and can connect and transfer information from your device without the owner's knowledge or permission. Be aware of your surroundings and lines of visibility while operating your devices.

Do not use USB adapters that are not issued to you by the home office to charge any devices. Community USB charging kiosks look promising and convenient; however, the USB connection allows for data transfers from the device into a storage unit for future information harvesting, and could also upload a virus to the device being charged. For this reason it is best to use only personal charging devices or one issued by the office. It would be extremely difficult to recognize a modified device of this type without disassembling the charging station or wall plug.

Do not use community or open WiFi services to connect to the Internet, and do not download anything to the computer unless it is on a VPN connection to the home network. Open WiFi connections are often established in community areas as a means of monitoring and capturing information being transmitted through the WiFi connections. Types of captured sensitive information may include bank account names, account numbers and passwords.

Be cautious when conversing or emailing, as all communications should be considered as being monitored. Hackers will take advantage of crowded areas to shoulder surf or listen in. A crowded environment makes their closeness appear normal and will not cause any concerns for the targeted person.

If the cell phone is not vital for daily activities, it should be turned off until needed. Active cell phones will automatically connect to the nearest phone tower and start exchanging information and linking to program services. These transmissions can be intercepted and stored for analysis, and in some cases malware has been uploaded from some cell towers.

Some countries' customs inspectors will not allow encrypted information systems into the country until they are inspected. If you turn over your tokens, passwords or PINs, there would be a strong possibility of information being copied or devices tampered with. Your organization and security manager should be notified immediately if this occurs.

Laptops and mobile devices should remain with the traveler at all times. Do not consider them secure because they are locked inside a hotel safe. When devices are not in use they should be fully shut down, not put into sleep or hibernation mode. Logging off the system and shutting down ensures the drive is fully encrypted and inaccessible until the BitLocker PIN is provided at boot-up.

Upon return to the home office, provide the laptop to the G6 help desk for a complete scan. Notify the G6 help desk which files should be saved to disk or transferred through a secure file transfer protocol. The laptop will need to be sterilized and reimaged before reconnecting to the production environment. These actions ensure any needed information is scanned and saved for later use while eliminating the risk of a potentially compromised system being connected to the network. This extreme action is needed to prevent unknown malicious code or previously unseen viruses from getting into the operational network. Scanning a laptop will only locate known virus signatures from malicious code that has been previously discovered.

Every organization should establish a comprehensive cybersecurity policy for traveling information systems, electronic devices and personnel. This policy should be followed with a standard operating procedure that is read and utilized by all personnel who travel and the IT support staff that maintains systems and devices.

International travel poses risks that organizations may never have encountered during the course of normal business operations. Given this elevated risk, organizations must take additional steps to mitigate threats through implementing formal international travel policies and procedures. By providing secured devices and educating employees on how to protect data and equipment, organizations will help their employees make more informed decisions.
