This time around, a reader wrote in with a very common question:
Q: “A member of my management team is about to go on a business trip to a country with known cyber-spying capabilities. She wants to take her phone, tablet and laptop so she can be productive on the road. What can I do to make this safer for her and our organization without restricting her work capability on the road in an unreasonable manner?”
Adam Hostetler opened with:
The standard here is don’t bring anything electronic, if you can help it. In most cases, that’s not probable so don’t bring your normal personal phones or laptops, no smartphone at all is advisable. Bring loaner devices that have only exactly what they need and can be burned when they get back. Only connect through a VPN, and have that account monitored on the other end. Don’t leave phone or laptop in a hotel room, even in the safe, and don’t talk business there either.
Jim Klun added:
There is likely no way to do this without restricting – or at least significantly changing – the way she works.
It has to be assumed that any information on her personal devices will be compromised.
It also can be assumed that any information flowing between her devices and the outside world will be compromised.
I would recommend two things:
1. Take only what you can afford to lose. Communicate only what you can afford to lose.
So – take a small number of devices (e.g. phone, laptop) minimally configured with only that information absolutely required for this trip.
Better to have corporate staff respond to email requests from her rather than to allow access to critical corporate resources from suspect location.
If internal connectivity to corporate resources must be allowed ( e.g VPN) it should be ideally require 2-factor auth of some sort, use strong encryption, and grant access only to a limited subset of resources.
All credentials can be assumed to be lost – hence the utility of two-factor. All of the employees credentials should be changed on return.
All devices brought back should be assumed to be compromised and will need complete re-imaging.
2. Consider creating “go-kits” and well-defined repeatable processes for employees who travel to such locations.
A special set of devices ( laptop, phone, etc) that are minimally configured and can be wiped on return. No personally owned devices should be allowed.
Connectivity for those devices – if absolutely needed – that allows access only to a tightly restricted and monitored subset of internal corporate resources.
Most importantly – training for employees who make these trips. The employee must understand the special risks being incurred and be aware of their responsibility to protect the company and the companies existing customers.
As above – all of the employees credentials should be changed on return.
Bill Hagestad summed it up with this:
This one is near and dear to my heart…I call these rules of counter cyber espionage the 李侃如的中國旅遊規則 (Lieberthal’s China Travel Rules)
Cellphone and laptop @ home brings “loaner” devices, erased before he leaves home country & wiped clean immediately upon returns;
In China, disable Bluetooth & Wi-Fi, phone never out of his sight;
In meetings, not only turn off his phone but also remove battery, microphone could be turned on remotely;
Connect to the Internet only via encrypted, password-protected channel, copies & pastes his password from a USB thumb drive;
Never type in a password directly, “the Chinese are very good at installing key-logging software on your laptop.”
The article can be found @ http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all
Brent Huston closed with:
Any electronic items they do take on the road with them should be current on patches, AV signatures and detection capabilities. All data, drives, systems, etc. should be strongly encrypted when possible to do so (Pay special attention to export restrictions on crypto depending on where they are going.) Also, turn and burn EVERYTHING when they come back. Treat all media and data obtained during the travel as suspicious or malicious in nature. Trojans of data and documents are common (and usually they scan as clean with common tools). This is especially true for high value targets and critical infrastructure clients. Trust us! Safe travels!
(Lieberthal’s China Travel Rules)