Travel security risks are nothing new. Evolving technologies and trends, however — such as the rise of on-demand Wi-Fi and the proliferation of mobile devices — are changing this risk landscape. Consider the case of Chris Roberts, a security researcher who claimed he hacked the in-flight entertainment (IFE) system and caused the plane to climb, or more recent instances of incredibly poor in-flight Wi-Fi security.
The result? Travelers are now faced with the prospect of both physical and mobile device risks thanks to new threat vectors, necessitating a change in overall security strategy. Are passengers better served with a carry-on solution that requires constant oversight, or should they opt for a checked baggage scenario in which travel security naturally makes the trip?
My Way or the Wi-Fi?
When it comes to empowering mobile device users on the road, companies face an uphill battle. While employees don’t actively try to sabotage security efforts, they’re naturally resistant to corporate oversight, leading some organizations to back off and allow even limited access from less-than-secure phones and tablets.
But according to Robert Patey, director of demand generation at Fiberlink, “The onus for securing data doesn’t change depending upon device, operating system, time or location. The CIO and CISO are responsible to ensure data security.” This typically takes the form of enterprise mobility management (EMM) applications that allow IT staff to monitor device use and ensure security requirements are met before allowing access. As for employees, Patey argues they “need to release a bit of their Big Brother apprehensions and allow for EMM apps to be housed on their devices.”
Patey compares Wi-Fi access points — in coffee shops, office buildings or even in flights — to wide-open highways complete with bad drivers and shady rest stops. EMM tools act as built-in navigation systems, helping users avoid the wrong turnoff or anticipate a collision. In addition, mobile security solutions ensure that all data is encrypted to keep others from overhearing conversations or peering in the windows.
For Patey and Fiberlink, travel security is something every user needs to carry with them no matter where they’re headed. Combined with solid security training — for example, ensuring users don’t fall for insecure Wi-Fi hotspots, always connect using a virtual private network (VPN) and understand that not all countries view digital privacy the same way — it’s possible to limit the chance of exposure when getting from point A to point B.
This Is Your Captain Speaking
But what happens if the plane, or train or car being used is the victim of an attack? This risk speaks to the need for built-in security that addresses problems at the most basic level to deal with everything from distributed denial-of-service (DDoS) attacks to more sophisticated hack-and-control attempts. According to Chris Poulin, research strategist with IBM Security X-Force, the biggest thing companies can do to protect onboard computers or central access hubs is encrypt data. This doesn’t come as a surprise, and most companies already have a solid strategy in place to handle data in motion using TLS encryption over HTTPS connections.
When it comes to data at rest, however, enterprises often struggle with the trade-off between protection and access. While techniques such as full-disk or on-the-fly encryption offer maximum defense, they also make on-demand access more difficult. Complicating the problem further is that many companies haven’t invested in asset list or data discovery tools, in turn limiting total visibility.
Poulin offers a compromise: monitoring. Even if companies can’t always encrypt data over their network, using the right analysis tools, it’s possible to detect the majority of attacks during their initial phase rather than when attackers have wrested control from pilots or drivers. In most cases, these tools aren’t inherent to workstations and must be leveraged through third parties, which speaks to the need for vendor vetting; IT security is only as strong as the weakest partner.
Consider the example of requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Under this law, if more than 500 reports are stolen or compromised, companies are obligated to disclose this information to the relevant authorities. This is in the hope that effective monitoring will reduce the chance of high-volume document loss and give companies the upper hand in fighting cybercriminals.
In-Hand or Onboard
Are companies better served by equipping employees with EMM tools and VPN gateways, or by baking in tech security at the systems level to limit the chance of malicious attacks to core business function? Ultimately this is a two sides, same coin argument; Patey and Poulin don’t offer conflicting advice, but a road map for companies looking to safeguard data in motion and at rest. Bottom line? Both travelers and their means of transportation are possible attack vectors. Better to check one security solution and carry on another rather than risk either being left behind.