When traveling overseas, there is already plenty of work to do in terms of planning, packing and then actually traveling. When we travel, the data we carry and our Internet habits can put our individual privacy and data security at risk. As an example, the U.S. State Department's Bureau of Consular Affairs 2014 Sochi Olympics advisory states: “Travelers should be aware that Russian Federal law permits the monitoring, retention and analysis of all data that traverses Russian communication networks, including Internet browsing, email messages, telephone calls and fax transmissions.” This article addresses some best practices that can be followed before, during, and after travel to secure data – both your personal data and corporate data – and protect your individual privacy.
Before Travel:
1) Limit or minimize the data you take, including removable media such as CDs, DVDs and thumb drives.
2) Consider a company-owned “loaner” cellphone, laptop and/or tablet to limit the loss of both corporate and personal data if the device is lost, stolen or confiscated by officials.
3) Perform a full device backup and secure it with a strong password. Store it in a secure location while you are away.
4) Inform banks and credit card companies of travel plans, including dates, locations and any special instructions. International transactions are typically flagged as fraud, and purchases may be delayed or your card cancelled without advance travel notice.
5) Consider using virtual credit card numbers that offer one-time use and are disposable, yet will display on the credit card bill.
6) Pack only essential ID, credit and debit cards. Leave the others in a secure location.
7) Update the software that protects your data, such as operating systems, anti-malware and anti-virus tools, and apply security patches and other updates prior to departure.
8) Install full-disk encryption on laptops.
9) Use the U.S. State Department website (www.state.gov) to prepare and familiarize yourself with:
a. Information on the country of travel.
b. Export control laws concerning sensitive equipment, software and technology (that includes encryption).
c. Restrictions on security testing/hacker tools, which are forbidden and illegal in some countries.
10) Update or configure device passwords by:
a. Configuring the use of at least four-digit passwords (longer if supported).
b. Changing all passwords on all devices and using different passwords on each.
c. Configuring automatic wiping settings to wipe the device’s data after a pre-determined number of passcode entry failures.
While on Travel:
1) You have no reasonable expectation of privacy in some countries.
a. Phone calls, electronic communications and even hotel rooms may be monitored as a standard practice. Sensitive or confidential conversations, transactions or data transfer should be kept to a minimum until you return home.
b. Be prepared to turn devices on and off, and to present all removable media to customs officials. You may be asked to decrypt data for inspection at international borders. In some countries, withholding your password is a criminal offense.
2) Use the same rules for your personal and company devices to separate acceptable social networking communications from sensitive transactions. Understand there is a difference between sharing a photo on social networking and connecting to your bank or credit card company.
3) Use safe ATMs in public areas during daylight. Cover PIN entry and cash output as much as possible.
4) Determine the availability and cost of purchasing a local cellphone, or buy local SIMs. Prepaid local phones limit costs by not working after exceeding a maximum number of minutes. They are cheaper for local calls and have better connectivity. Buying local SIMs, especially pay-as-you-go (PAYG), adds a level of anonymity, which may be good for privacy/security.
5) Use trusted VPN connections as much as possible. If you don’t have a VPN available, use HTTPS connections as much as possible.
6) Connections in cyber cafes, public areas and hotels can be safe with a VPN, but should otherwise be considered insecure and probably monitored by unsavory agents. Physical PCs in such places may contain keystroke logging or other malicious methods to gather your information.
7) Do not loan your device to anyone, or attach unknown devices such as thumb drives. Thumb drives are notorious for computer infections.
8) Prevent illicit access to your device via wireless technologies by:
a. Using airplane mode to disable or suspend all connectivity.
b. Disabling Wi-Fi when not in use. Wi-Fi ad-hoc mode or unsecure file sharing enables direct access to devices.
c. Disabling Bluetooth when not in use (or setting it to “hidden,” not “discoverable”). Consider that a rental car's Bluetooth PBAP (Phone Book Access Profile) functionality loads the entire address book, while Bluetooth PAN (Personal Area Network) functionality enables connections with other Bluetooth devices.
9) Report lost or stolen devices as soon as possible to whomever it concerns. This might include your company, mobile provider, hotel, airline, insurance company and/or local authorities. Local authorities have a better chance to find stolen property if it is reported stolen as soon as you know it is missing.
Upon Returning Home:
1) Return the loaner device(s).
2) Have all devices, media and thumb drives reviewed for malware, unauthorized access or other corruption. Do not connect them to a trusted network until you have tested them for malware.
3) If the device is found to be compromised, reformat it and rebuild it from trusted sources/media. Then restore data from backups taken before the trip.
4) After ensuring your devices are secure and not compromised, change all business and personal passwords. If possible, change the passwords for things like corporate accounts, banks, etc., using a device other than the one you traveled with.
5) Inform your bank or credit card companies of your return and review transactions.
6) Continue to monitor your business and personal financial institution transactions for unauthorized or unapproved use.
These practices may seem cumbersome, but they provide essential protections to ensure data security and privacy while traveling abroad. Depending on the industry, company or affiliations, there could be even more restrictions, so it is best to check with your company’s legal or IT department before travel. Regardless of business or personal travel, protect all of your electronic devices with the same level of vigilance because there are no reasonable expectations of privacy in many countries today.
About the Author:
Edward P. Yakabovicz, CISSP, CIPP/IT, CIPM, is a Principal Information Assurance Engineer for the Center of Cyber Security Innovation at Lockheed Martin Corporation. He has 25 years of business experience within top five financial corporations, the U.S. Government, and Lockheed Martin global customers. As a subject matter expert in cybersecurity and privacy, he currently holds a master’s degree in Information Assurance from Norwich University and is currently an Information Assurance Doctorate student at Capitol College in Maryland. Yakabovicz’s most recent experience includes being a co-author of the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) certification textbook.