Light Dark
September 16, 2015 By Douglas Bonderud 3 min read
Data Protection

Travel security risks are nothing new. Evolving technologies and trends, however — such as the rise of on-demand Wi-Fi and the proliferation of mobile devices — are changing this risk landscape. Consider the case of Chris Roberts, a security researcher who claimed he hacked the in-flight entertainment (IFE) system and caused the plane to climb, or more recent instances of incredibly poor in-flight Wi-Fi security.

The result? Travelers are now faced with the prospect of both physical and mobile device risks thanks to new threat vectors, necessitating a change in overall security strategy. Are passengers better served with a carry-on solution that requires constant oversight, or should they opt for a checked baggage scenario in which travel security naturally makes the trip?

My Way or the Wi-Fi?

When it comes to empowering mobile device users on the road, companies face an uphill battle. While employees don’t actively try to sabotage security efforts, they’re naturally resistant to corporate oversight, leading some organizations to back off and allow even limited access from less-than-secure phones and tablets.

But according to Robert Patey, director of demand generation at Fiberlink, “The onus for securing data doesn’t change depending upon device, operating system, time or location. The CIO and CISO are responsible to ensure data security.” This typically takes the form of enterprise mobility management (EMM) applications that allow IT staff to monitor device use and ensure security requirements are met before allowing access. As for employees, Patey argues they “need to release a bit of their Big Brother apprehensions and allow for EMM apps to be housed on their devices.”

Patey compares Wi-Fi access points — in coffee shops, office buildings or even in flights — to wide-open highways complete with bad drivers and shady rest stops. EMM tools act as built-in navigation systems, helping users avoid the wrong turnoff or anticipate a collision. In addition, mobile security solutions ensure that all data is encrypted to keep others from overhearing conversations or peering in the windows.

For Patey and Fiberlink, travel security is something every user needs to carry with them no matter where they’re headed. Combined with solid security training — for example, ensuring users don’t fall for insecure Wi-Fi hotspots, always connect using a virtual private network (VPN) and understand that not all countries view digital privacy the same way — it’s possible to limit the chance of exposure when getting from point A to point B.

This Is Your Captain Speaking

But what happens if the plane, or train or car being used is the victim of an attack? This risk speaks to the need for built-in security that addresses problems at the most basic level to deal with everything from distributed denial-of-service (DDoS) attacks to more sophisticated hack-and-control attempts. According to Chris Poulin, research strategist with IBM Security X-Force, the biggest thing companies can do to protect onboard computers or central access hubs is encrypt data. This doesn’t come as a surprise, and most companies already have a solid strategy in place to handle data in motion using TLS encryption over HTTPS connections.

When it comes to data at rest, however, enterprises often struggle with the trade-off between protection and access. While techniques such as full-disk or on-the-fly encryption offer maximum defense, they also make on-demand access more difficult. Complicating the problem further is that many companies haven’t invested in asset list or data discovery tools, in turn limiting total visibility.

Poulin offers a compromise: monitoring. Even if companies can’t always encrypt data over their network, using the right analysis tools, it’s possible to detect the majority of attacks during their initial phase rather than when attackers have wrested control from pilots or drivers. In most cases, these tools aren’t inherent to workstations and must be leveraged through third parties, which speaks to the need for vendor vetting; IT security is only as strong as the weakest partner.

Consider the example of requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Under this law, if more than 500 reports are stolen or compromised, companies are obligated to disclose this information to the relevant authorities. This is in the hope that effective monitoring will reduce the chance of high-volume document loss and give companies the upper hand in fighting cybercriminals.

In-Hand or Onboard

Are companies better served by equipping employees with EMM tools and VPN gateways, or by baking in tech security at the systems level to limit the chance of malicious attacks to core business function? Ultimately this is a two sides, same coin argument; Patey and Poulin don’t offer conflicting advice, but a road map for companies looking to safeguard data in motion and at rest. Bottom line? Both travelers and their means of transportation are possible attack vectors. Better to check one security solution and carry on another rather than risk either being left behind.

 |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature