One of the most frequent questions we are asked by global executives and their security teams is how to protect their information and technology systems while traveling abroad.
With this in mind we built this reference with an eye towards serving the OODA members who travel abroad for business, especially those who will operate in a nation that is NOT a Western style liberal democracy. Of course, these tips also apply to individuals traveling abroad for non-business purposes or who just want to improve their overall individual security posture.
Understand the Threat
Your security team should be dynamically tracking the threat to your enterprise and your executives as well as the general threat issues associated with your travel destination. Executives should be provided with a tailored threat briefing prior to high risk travel, but in general they should understand that:
Foreign governments target traveling business people and government employees to steal information of use to the government and will often share captured intellectual property with internal businesses.
If you are traveling for business purposes, you can assume that you are of interest to a hostile foreign government.
Since these governments control the physical space they can use their authority to separate people from their equipment. When there is physical access to a device the likelihood of a potential penetration increases significantly.
Some governments will also compel travelers to log into their devices for inspection, which raises the likelihood of compromise of the device by malware which can be controlled by the government.
Criminal groups and governments operating overseas can also control networks, including hotel networks and WiFi. This can raise the possibility of intercepting sensitive information.
Some governments will force individuals to NOT use VPNs so the communications can be monitored. This also introduces risk.
In some high threat countries, there is also a risk of very high resolution cameras being trained on keyboards to capture login credentials.
Background information for future attacks can also be gathered by people around you during travel, including people who pose as travelers themselves but also hotel staff, business associates, drivers, guides, translators and other assistants.
Even “safer” travel destinations are not safe as hostile governments often conduct intelligence and espionage operations on foreign soil.
You can assume that intelligence and espionage operations are being conducted at all major industry events and conferences, regardless of their host location.
If your organization does not have a threat intelligence team, reach out to OODA and we can help produce a more tailored threat briefing.
Raise Your Defenses
Given these threats, how can you protect your digital information and electronic devices while you are traveling? Our recommendations are broken down into three distinct categories depending on the location of travel and the assessed threat level.
Tier 1: The minimum essential cybersecurity best practices that should be incorporated into every trip and an executives’ daily cyber hygiene.
Tier 2: Additional protections that should be put in place for travel to some countries or by organizations that want to adopt a more robust security profile.
Tier 3: Advanced security practices for travel to high risk countries or for highly targeted executives.
Tier 1 Cybersecurity Practices:
Enable two-factor authentication for all cloud services.
Use secure encrypted messaging services instead of SMS or other insecure chat services. Additionally, many of these services also allow for encrypted voice and video calling. It is very hard for even hostile intelligence services to break communications to or from reputable secure messaging systems. We recommend Wickr Pro given its robust encryption, group chat, secure file sharing, and enterprise management features.
Use mobile devices that have a track record for robust security patch implementation or provide additional security features as part of their standard offering. You should prioritize the use of mobile devices from these manufacturers:
Apple
Google Pixel phones
Blackberry
Samsung
Essential
Utilize password management tools to track and manage passwords. Enable two factor authentication for access to your password manager. We recommend Dashlane and 1Password as solutions.
Use a portable USB device with hardware based encryption. We recommend the Aegis Secure Key (Link).
Ensure your laptop and other devices are patched and that all applications are patched as well. If you are bringing a laptop, make sure you enable hard drive encryption. This will not stop a dedicated hostile intelligence service, but may slow them down a bit, and may stop lower level criminals.
Do not use USB charging ports offered in hotels, airports, or other locations. Always use your charging brick or utilize a special USB data blocker. A data blocker will prevent the USB connection from being used for data purposes and prevents a USB compromise of your device (referred to as Juice Jacking). We recommend the PortaPow Data Blocker (Link).
Only connect to cloud services and applications using SSL/HTTPS connections.
Tier 2 Cybersecurity Practices:
Only travel with essential devices. Consider using an Apple iPad or mobile phone instead of bringing a laptop.
If you must bring a laptop, make sure your IT department has wiped all extraneous data from the hard drive and that you are only bringing information essential to the trip. Keep in mind that governments have access to forensic tools that will let them recover most data from hard drives, even those that have been erased via traditional deletion methods. If you cannot confidently state that no sensitive data has ever been stored on that device, considering buying a new one before traveling.
Enable a self destruct password for your encrypted USB key. We recommend you use a self-destruct password that might be easily guessed by someone who gets physical access to the device. For example, if they try your phone number as the PIN, the device will erase all contents. Use of your phone number as a self-destruct code is also easier to remember under duress.
Use a hardware based solution for two-factor authentication and keep the device on your person at all times. These devices support one-time passwords, public key encryption, and authentication and are considered by the security community to provide the highest level of security for authentication purposes. Yubikey (Link) and Google’s Titan Security key are recommended solutions.
Create a separate user for password management solutions and share only essential passwords with that account. When traveling, use your “travel user” account and not your primary password manager account.
Never let your device leave your control. This includes never leaving it in the hotel room. The hotel safe is NOT safe. In fact, you should assume that it is designed to let hostile intelligence services get in fast.
Utilize VPN technologies to mask and protect communications.
Use a secure cloud browser for required web service access. We recommend Authentic8 (link) as a solution.
Obtain a travel safety briefing detailing particular risks for the travel destination, highlights recent security incidents, and “in case of emergency” recommendations that includes contact details for the local embassy or consulate.
Tier 3 Cybersecurity Practices:
Disable biometric authentication for your electronic devices and require a robust passcode for each login.
Remove cached two-factor authentication logins for cloud and enterprise applications requiring the two-factor PIN or hardware token to be used for each login.
Enable Wickr Open Access which uses a series of globally deployed proxies and protocols to help avoid censorship protocols that might restrict communications.
Utilize “burner” mobile devices that will be discarded or re-purposed after travel. We recommend wiping them clean and donating them to specialized non-profit organizations.
If email is required, use trip specific and non-enterprise secure email solutions. Create a dedicated account for travel and instruct colleagues and assistants to direct urgent messages to that account.
Only use dedicated VPN hardware to obtain internet access over untrusted locations like hotel WiFi, preferably hardware that will also intercept and process captive portal access controls.
A Concluding Scenario:
Consider an executive who travels to nations with hostile intelligence services but needs to stay in touch with HQ while on the go. This executive has decided to travel with her iPad and use it exclusively during travel. She downloads the Wickr Pro application to her iPad and instructs her team to direct all communications to Wickr Pro. She also has her IT department provide her with a Yubikey (or buys one herself) and connects it to the iPad via a Lightning to USB connector. She uses iCloud and/or Google Docs and turns on multi-factor authentication on both using the Yubikey.
When this executive needs to send and receive email she interfaces with her corporate email via the mail app on her iPad (she will use multi factor login to send, receive and read the mail). She uses Wickr for all messaging, including voice conversations. She takes notes using a cloud synced service like Google Docs, Apple Notes, or Microsoft OneNote.
Our hero in this story also does NOT allow her iPad out of her sight. It is with her at all times. When she charges it she uses a USB data blocker cable or adapter so that only power it flowing through to the device.
Guess what? There is still some risk in this scenario, but the risk has been significantly mitigated. Even the Chinese Ministry of State Security will need to think through how much of an effort they will want to mount to penetrate the operations of this savvy executive.
This OODA Network Content is the work of OODA LLC co-founders Matt Devost and Bob Gourley; two executives with years of experience in cybersecurity, enterprise IT, data analytics and artificial intelligence.
