You are ultimately responsible for your travel security, be it physical or technical. But this is a tall order. You are most vulnerable when you move and travel because you operate outside of your daily pattern of life, including connecting to the Internet via a third-party service provider with which you may not be familiar.
There is no shortage of unscrupulous competitors or straight-up criminals who have decided you have information that they desire, and they could have you in their cross hairs. You don’t get to choose whether you are targeted, but you do get to control if you are a soft or hard target.
Is Your Hotel Room Secure? Probably Not
If you hold meetings in a hotel room, you may wish to familiarize yourself with the experiences of the CEO of Porsche. In 2008, Porsche scheduled a meeting in a hotel suite. A day prior to the meeting, the team setting up the suite discovered a baby monitor sitting under the sofa. It was innocuous enough that the Porsche team chalked it up to a previous guest having forgotten the monitor when they checked out.
To their credit, they engaged the hotel staff and found that this particular suite had not been used for many weeks, let alone by a family who would have used a baby monitor. The culprit was never determined, but one can glean a few facts from this: the use of the baby monitor put the listener in relative proximity, the culprit had foreknowledge of the meeting locale and the individual used a device that, if found, could easily be explained away by the target. Porsche no doubt did a review of who knew of the meeting locale and its purpose and tightened up the discussions.
Realize the hotel room is only a semisecure space, even if you lock the door. Items you leave in your room should not be considered secured. The hotel safe is to keep items from being lifted by an individual passing down the hallway or staff. Anyone who has ever forgotten the four- or six-digit code on the hotel room safe has had hotel personnel come to the room and open the safe using a commercially available device in seconds.
What Should You Do?
Understand that you don’t control your hotel room and that it may be under surveillance. Similarly, your room is not a safe locale for storing your devices. If you must leave your device in the room, ensure you always lock it down to an immovable object with a cable lock.
Is the Wi-Fi Secure? Almost Never
The hotel industry is focused on putting heads in beds, not information security. Many hotel Internet networks are open. In late 2014, Kaspersky Lab reported on Darkhotel, an advance persistent threat (APT) that targeted senior corporate or state visitors in various hotels in the Far East. The methodology was as much social engineering as it was technical implementation.
Travelers want and need Internet access, so they connect to the hotel network and then fire up their virtual private network (VPN). But what made Darkhotel so effective is that once the hotel network was penetrated by attackers, it allowed man-in-the-middle (MitM) placement of bogus pages to select targets. When targets powered up their laptops, they would be told that, in order to use the hotel network, they’d first have to download an app or widget — thus engaging the device prior to the VPN being put in place.
In June 2015, three hotels hosting the Iranian nuclear talks had their networks targeted and infected with the Duqu 2.0 virus. The variant was found by Kaspersky Lab to have been similar to the virus that had previously attacked Kaspersky’s own infrastructure. Kaspersky estimated the cost to develop this application to be more than $50 million. Nations invest in development of espionage tools at that level of funding — the individual thinking of travel security is no match.
What Should You Do?
With all due respect to hotel Internet connectivity, business travelers should avoid connecting to those networks. As detailed above, an open hotel network is ripe for exploitation. If you must use your laptop, tether it to your mobile device and connect to your company VPN, completely bypassing the hotel infrastructure.
Implement a Travel Security Program
Travel security is an investment in intellectual property and revenue preservation. Having a travel security program takes a large step forward in ensuring all personnel are protecting data in the manner that also best protects the company.
You should ask hard questions regarding your enterprise’s travel security regulations. The following examples are drawn from the author’s book, “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.”
- Do you have a travel security program?
- Does this program include a list of countries posed as high-risk or extreme-risk to those employees or executives who travel or work outside the country of origin?
- Does your travel security program require these risk countries to be communicated to the executive team and the personnel responsible for travel?
- Does your travel security program identify expatriates working in high-risk countries?
- Do you have a traveler briefing program required before every trip to a high-risk environment?
- Do your employees understand never to leave confidential material unattended and to keep devices with them while traveling?
- Does your travel program monitor and debrief personnel having traveled to high-risk environments?
- Does the company’s security awareness and education program include a segment on travel?
- Does your travel program brief on the data aggregation capabilities of social networks? What about how the sharing of an itinerary can permit an adversary to document and collate travel plans?
- Does your travel program implement a sterile device program for high- or extreme-risk locales (i.e., throwaway mobile phones, sterile laptops, etc.)?
- Are these sterile devices reviewed for compromise upon the traveler’s return?
- Are all travelers issued cable locks and laptop privacy screens for their devices?
Travel is often an unavoidable aspect of business. Traveling in a manner in which the company’s assets are protected, however, is within reach of every company.