HOW TO GET IT RIGHT

When traveling overseas, the standard approach is to provide “burner” laptops and phones, then remove and destroy the drive upon return to the US. Agio understands the US government does not allow mobile devices and laptops to be used by officials traveling to a number of regions including China, Russia, and parts of Africa. The following recommendations have been compiled by our cybersecurity team and are meant to act as a best practices reference for you and your users.


Phone Considerations

Mobile devices have inherent vulnerabilities associated with their software and hardware. Foreign countries often leverage their security apparatus, especially airport security and customs, and connections to the tourism industry, to conduct physical attacks on mobile devices. Also, in many foreign countries, the government has direct or proxy control of the commercial cellular infrastructure, which gives them a remote conduit to attack connected mobile devices. Cellular-borne attacks are particularly damaging, as most mobile devices, as designed, trust the low-level communication from the cellular network.

Successful exploitation can allow adversaries to remotely activate microphones and cameras, geolocate and track specific devices, and steal the information processed by or stored on the device. A compromised device can also be used as a vector to attack networks to which it later connects.

  • Keep all software (operating systems and apps) up to date.
  • Use strong lock-screen PINs/passwords (minimum 6-character length).
  • Set displays to automatically lock after 5 minutes or less.
  • Limit failed unlock attempts to 10 or fewer.
  • Disable lock-screen notifications.
  • Encrypt data stored on devices.
  • Use a VPN and encrypted VoIP applications whenever possible. Ensure that all VPN/VoIP providers are reputable and US-based.
  • Connect devices only to authorized computers and peripherals.
  • Cover all cameras with opaque tape and disable in settings whenever possible.
  • Install applications only from trusted sources.
  • Do not charge your devices by connecting them to charging stations, computers, televisions, DVRs, etc. Use only issued chargers or those acquired with sufficient OPSEC.
  • Do not open any unknown email attachments.
  • Do not click on any unknown web links sent via email or text messaging.
  • Do not circumvent restrictions on company-issued devices.
  • Report suspicious device behavior to your IT department as soon as possible.
  • Prepare dedicated devices with limited contacts and emails for the exclusive purpose of your imminent travel.
  • Acquire and install new SIM cards for the destination service area. Using international SIM cards purchased domestically is preferable; however, if this is not possible, make sure to utilize good operational security (OPSEC) by purchasing SIM cards from standalone stores and not from a store or kiosk at the airport.
  • Maintain positive physical control of devices at all times (e.g., do not leave in hotel safe).
  • Turn off unused wireless communications (e.g., Bluetooth®, NFC, Wi-Fi).
  • Disable GPS and location services (unless required).
  • Do not connect to open Wi-Fi networks.
  • Do not connect personal devices with official devices.
  • Regularly inspect devices for signs of tampering.
  • Avoid surrendering devices to foreign customs officials.
  • Physically inspect your travel devices.
  • Wipe and reload your travel devices.


Laptop Considerations

Take proactive steps to secure your devices and your personally identifiable information before you travel. Leave at home any electronic equipment you don’t need during your travel, and if you take it, protect it. Be sure you:

  • Back up your electronic files.
  • Remove sensitive data.
  • Install strong passwords.
  • Use full disk encryption. (Be advised that there are some export/import restrictions on encryption technology.)
  • Ensure antivirus software is up to date.
  • Do not configure auto-connection or automatic login for any applications.
  • Use a host-based firewall and configure it to allow a small set of defined trusted outbound connections.
  • Do not type in usernames or passwords while using the laptop – store them on an encrypted USB drive and copy/paste them into login forms. This keeps keystroke loggers from seeing your credentials, although it does not stop malware that captures the clipboard.
  • Update all software before you leave. Do not perform any software updates while traveling. Some malware disguises itself as common software updates.


Be vigilant about where and how you use your devices, and don’t be lulled into a false sense of security. Make sure you:

  • Keep your devices secure in public places such as airports, hotels, and restaurants.
  • Be aware of your surroundings and take care that nobody is trying to steal information from you by looking at your device screen when you use it.
  • Consider using a privacy screen on your laptop.


Admin Credentials

  • Ensure the administrators setting up the laptop use different credentials than their normal admin credentials. If physical access to the device is gained, the cached/local admin credentials can be compromised.
  • Use a unique, complex password to log in.
  • Do not configure the laptop to use the same login as your normal laptop.
  • Disable Bluetooth and wireless and leave them off permanently – no Bluetooth keyboards, etc. If possible, physically remove the
  • Install only necessary applications – keep things to the absolute minimum necessary to conduct business.
  • Disable microphone and camera when not needed and place a piece of dark tape over the camera lens(s).
  • Remember that commercially available anti-malware applications/programs will not catch nation-state malware.
  • If your users must connect via VPN, have them note connection times to check against VPN logs (Agio would check all access logs for our client’s user upon return).
  • Change all user account credentials when they return.
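As an added example (not Agio's own tooling), the following Python reconciles the connection times a traveler noted against server-side VPN logs and flags any session the traveler did not report. The log format, user name, IP addresses and timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN log (hypothetical format: "<UTC time> <user> <event> <source IP>").
VPN_LOG = """\
2024-03-04T08:02:11Z jdoe CONNECT 203.0.113.10
2024-03-04T09:31:40Z jdoe DISCONNECT 203.0.113.10
2024-03-05T14:10:05Z jdoe CONNECT 203.0.113.10
2024-03-05T14:55:22Z jdoe DISCONNECT 203.0.113.10
2024-03-06T03:17:49Z jdoe CONNECT 198.51.100.77
2024-03-06T03:44:02Z jdoe DISCONNECT 198.51.100.77
"""

# Sessions the traveler wrote down (converted to UTC), as (start, end) pairs. Constructed.
REPORTED = [
    ("2024-03-04T08:00:00Z", "2024-03-04T09:35:00Z"),
    ("2024-03-05T14:05:00Z", "2024-03-05T15:00:00Z"),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (CONNECT|DISCONNECT) (\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sessions_from_log(text, user):
    """Pair CONNECT/DISCONNECT events for one user into (start, end, src_ip) tuples."""
    sessions, open_conn = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != user:
            continue
        ts, _, event, ip = m.groups()
        if event == "CONNECT":
            open_conn = (parse_ts(ts), ip)
        elif open_conn:
            sessions.append((open_conn[0], parse_ts(ts), open_conn[1]))
            open_conn = None
    if open_conn:  # still connected at end of log: record as open-ended
        sessions.append((open_conn[0], None, open_conn[1]))
    return sessions


def unexplained_sessions(text, user, reported, slack=timedelta(minutes=10)):
    """Return log sessions not covered by any traveler-reported window (with tolerance)."""
    windows = [(parse_ts(a), parse_ts(b)) for a, b in reported]
    flagged = []
    for start, end, ip in sessions_from_log(text, user):
        end_cmp = end or start
        if not any(ws - slack <= start and end_cmp <= we + slack for ws, we in windows):
            flagged.append((start, end, ip))
    return flagged
```

The 03:17 session from 198.51.100.77 is the one the traveler never reported, so it is the one an analyst would investigate first.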


Other Considerations

Some threats – device theft, for example – are obvious, but others will be invisible, such as data thieves trying to pick off passwords to compromise your personally identifiable information or access your accounts. You may be especially vulnerable in locations with public Wi-Fi, including internet cafes, coffee shops, bookstores, travel agencies, clinics, libraries, airports, and hotels. Some helpful tips:

  • Don’t use the same passwords or PIN numbers abroad that you use in the United States.
  • Do not use the public Wi-Fi to make online purchases or access bank accounts.
  • When logging into any public network, shut off your phone’s auto-join function.
  • While using a public Wi-Fi network, periodically adjust your phone settings to forget the network, then log back in again.
  • Try purposely logging onto the public Wi-Fi using the wrong password. If you can get on anyway, that’s a sign that the network is not secure.
  • Consider using a VPN with robust encryption for connection to the Internet; this will ensure your web traffic is appropriately encapsulated and will allow you to circumvent any internet censoring that may be in place. China has recently restricted some VPN software, but several VPN options still work. Set these up before you leave.
  • China restricts access to many popular sites (Google, Gmail, etc.). Think about workaround options before you leave if a site you normally access is unavailable.
  • Do not sign in to your accounts on public computers at internet cafes, hotel business centers, or other locations. Do not use colleagues’ devices if you can avoid it. Even if you trust them, you cannot control what happens to their device before or after you’ve used it.
  • Restart your phone before going through customs so that a PIN is required to unlock it rather than a thumbprint or Face ID. If possible, do not allow customs to take the device(s) to a location out of direct view or into another room.
  • Do not leave your phone, laptop, or any storage device unattended. If left unattended (even in your hotel room or hotel safe), assume it has been tampered with.


When You Arrive Home

  • Wipe your phone, remove and recycle the battery, and securely dispose of the phone (shred if possible).
  • Do not connect the computer or phone to the corporate (or your home) network.
  • Treat the laptop as if it’s fully infected with malware – maintain strict isolation, remove/securely dispose of, and/or aggressively wipe the hard drive.


Note: Traditional disk sanitization methods do not work for solid-state drives. Any SSD should be shredded; magnetic disks may be overwritten using a common utility like DBAN and/or degaussed.