TechRepublic met with Kroll cybersecurity and investigations senior managing director Alan Brill to discuss what travelers can do to protect themselves from cyberattacks while on-the-go.
Brill:I think the biggest problem with the CERT Advisory is who gets it and who doesn’t get it? Who understands and who operationalizes it? What I said was it’s your responsibility. I think there’s a couple of things you can do.
First, before you leave, do a couple of things. One, get a VPN, a virtual private network both for your laptop or tablet, whatever you’re bringing, and, most importantly, for your phone. We think of these things we carry as a phone. I guess because historically that’s what we called them. They’re really not phones.
They’re really computers that can handle audio and video, but they can also store gigabytes of information–that information may be sensitive, that information may be something you don’t want to get out there. When it comes to communication, probably the best single thing you can do, not terribly difficult or terribly expensive thing, is to install VPN software. What that does is it creates an encrypted tunnel from your machine back through a VPN provider, or through your corporation, where you have a trusted connection that’s encrypted. So that even if somebody is listening in along the way, all they see is data, but it’s encrypted.
The second thing you can do is think to yourself, “What data do I really need with me during my trip?” You may want to take that data, but you don’t want to take everything that may be in your computer. If you don’t take it, it’s not at risk of being lost or stolen.
If you do take it, there’s a couple of things you want to do. Again, not terribly difficult. One is you may want to store the data on an external storage device, a memory stick, something like that that you can actually take with you all the time. The second thing that you probably want to do is have the data on your computer encrypted, so that even if the computer is lost or stolen, you’re not losing the ability to say, “Nobody got to my data.” Even when you’re in a hotel and you take that computer, or that laptop or whatever you’re using, and put it in that safe in the room and lock it up with your secret code, remember those are not the most secure safes that ever existed.
SEE: Travel and business expense policy (Tech Pro Research)
If you’ve ever gone into a hotel and discovered that the safe was locked by a previous guest, you call and you notice it’s not all that difficult for them to open the safe to let you use it. If they can do that in that circumstance, people can do it in other circumstances. Leaving things even in that safe may not be everything you’re hoping for, or everything you should do.
The other thing is there are two deadly words that, I think, every traveler, whether you’re traveling to the Olympics or whether you’re traveling for business anywhere else in the world, should remember. Those two deadly words are: Free WiFi. People love free WiFi. They think it’s the greatest thing ever. During the Brazil World Cup a few years ago, we decided to run some tests. We did a little bit of warwalking and wardriving, and we discovered that outside some restaurants, outside some hotels, there were vans that were emitting WiFi signals that looked like the real ones from the venue, but they weren’t. They were being run by bad guys. If you did not have the right security, you’re suddenly now connecting not to a safe network, but to the bad guys’ network directly.
What we recommended a few years ago was maybe instead of using WiFi, use cellular. Unfortunately, that’s not perfectly secure either. There are things that are typically referred to as stingray devices. Stingray device generates a cell site that looks real and acts real, but is under the control of somebody not the phone company. Again, if you’re hooked up to one of these inadvertently, and it can happen automatically, you may find that your signal is going through some third party’s channel.
Again, that’s why we say, “Encrypt, VPN, and consciousness.” That if it’s too good to be true, that’s because it’s probably too good to be true. If you think about these things in advance and if you do just a little bit of preparation, certainly there’s no such thing as 100% security, but you can materially significantly reduce the risk not just to you, but to whatever you’re carrying if it belongs to your company, whether it’s data or plans or anything else. It’s not hard, but you got to do it.