Tips for Remaining Connected and Secure While Traveling
Security professionals who travel frequently may struggle to get connected while avoiding the use of cellular networks. Cellular usage in some countries is very expensive. The cost of roaming data and voice can be up to US $100 per day for a typical US cellular plan. This cost usually means travelers are looking for every opportunity to connect to Wi-Fi. However, this strategy usually means that a certain amount of risk has to be accepted. What is this risk and how can it be mitigated?
- Use cellular data—This is the best solution for Wi-Fi security. However, limiting use to cellular in certain countries has the same exact security issues as Wi-Fi. Many have a belief that cellular is secure. In most developing nations, international companies are contracted to establish and run their complete communications infrastructure separate from the country. The company may monitor the infrastructure for economic information that benefits their own national interest. However, if you are a “person of interest” in another country, the country you are in is not above monitoring your transmissions. This is the same problem that you might have connecting to a hostile Wi-Fi access point. If you are not a “person of interest,” then this may not be the case, but there is still the issue of cost.
Recent technologies, such as microcells, allow organizations (e.g., universities and corporate headquarters) to stand up their own cellular systems. These are basically access points for cellular, but the users are only charged fees when they leave the microcell and go into a cellular provider’s network. This is synonymous with an implementation that is normally reserved exclusively for a Wi-Fi implementation. Similar to hostile Wi-Fi access points, these microcells can be hostile and used to monitor all communications.
Internationally, cellular provides the highest level of trust. To overcome cost factors, some carriers provide international roaming for data, but not voice. Others charge a flat rate per day to access accounts in certain countries. With an unlocked phone, purchasing a subscriber identity module (SIM) card provides enough voice and data for up to a week in another country. The costs vary, but are usually around US $30. Unfortunately, most of the connectivity is 3G and requires additional money to upgrade to 4G. Once a user has cellular connectivity, computers can be tethered to the cellular-connected phone to avoid Wi-Fi for the duration of the trip.
- Bring your own Wi-Fi—If users are conducting business that needs to remain confidential, bringing your own Wi-Fi is an ideal solution. These personal hotspots can connect up to 5 users simultaneously. However, remember that the more users that are connected, the slower the performance for all users. This is a modified use of cellular, so when traveling internationally, ensure that the hotspot is international or that it is unlocked so that a new SIM card can be installed.
- Using Wi-Fi—Unfortunately, after all other options are exhausted, users are relegated to using Wi-Fi. Users may be instructed to use a trusted Wi-Fi, but what is a trusted Wi-Fi? From a user perspective, if your company installed and operates the Wi-Fi, then it probably can be considered trusted. Users should view all other Wi-Fi networks as not trusted. However, the statement should not be absolute since users are going to use Wi-Fi. A more accurate way to think of it is all Wi-Fi networks are untrusted, but some Wi-Fi networks are more trusted than others. Consider the following when determining the level of trust for different communication systems:
- Free Wi-Fi—The most popular Wi-Fi is free Wi-Fi. Many times, a hotel or airport will provide this service. The price is right and if it is available, what could possibly go wrong? Hotels and airports are commonly targeted by criminals using hostile Wi-Fi access points. These access points are named and set up around free Wi-Fi areas to get unsuspecting travelers to connect. The criminals will even go so far as to make splash pages and password logins very similar to the hotel’s login page.
- Wi-Fi that requires logins—Whether it is free or a paid service, having to log onto the Wi-Fi actually presents additional risk to the user. The most popular way of hijacking the security of a Wi-Fi connection is through the use of a portal redirect. Users may not know for sure if the login page is just to log on or for hostile intent.
In the end what is one to do? The most important thing is to know where you are in the world and who is providing both the cellular and Wi-Fi connectivity. There are a lot of applications for phones and laptops that will show the security posture of the Wi-Fi being used. These applications detect portal redirects and other known behaviors of hostile access points. Another way to be secure is to encrypt data and then send it, so users do not have to rely on the indigenous communications encryption.
One of the fundamental security applications that one should have is a virtual private network (VPN) application. This has both security and functional benefits. If the encryption algorithm is strong enough, it will protect the data that being transmitted. In addition, the VPN application should be associated with some nominal cost. This provides some assurance that the company is in business to provide VPN services and not compromise communications. Unfortunately, if you experienced a redirect during Wi-Fi login, you could be redirected to a hostile VPN host that is not your intended end point. Once you enter your PIN or password, the hostile VPN host just decrypts everything you send and receive and your VPN has been compromised. This is the classic man-in-the-middle attack. The functional advantage is that by using VPN to communicate, all web sites interactions are as if you are located within the host country.
In the end, communication security is about understanding the environment and minimizing attack vectors. Know who is providing the cellular or Wi-Fi connectivity and the importance of your data. It is critical that users determine if the communication infrastructure can be trusted.
Bruce R. Wilkins, CISA, CISM, CGEIT, CRISC, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.
ISACA Annual General Meeting to Take Place in Chicago
The ISACA Annual General Meeting (AGM) takes place to instate the Board of Directors. Those who attend this meeting will also be able to review fiscal information from the past year. Attendees will have the opportunity to receive ISACA’s annual report, which will be posted on the ISACA web site after the meeting. The AGM will take place on 25 June at the Langham Hotel in Chicago (Illinois, USA). This meeting will begin at 8AM. CDT (UTC -5 hours).
To register to attend the meeting, email your name and member number to firstname.lastname@example.org. To learn more about the meeting, visit the ISACA Annual General Meeting page of the ISACA web site.
New ISACA Chapter Formed in Fayetteville
ISACA is pleased to announce the formation of a new chapter in Fayetteville, Arkansas, USA. The chapter has more than 95 members. ISACA Fayetteville President Stanley R. McBride, CISA, CRISC, said the Fayetteville area has a large contingent of employees in the IT field that will benefit from the chapter. “We created the chapter to ensure we had a community of ISACA members who could support one another and provide a venue for professional development,” McBride said.
Officers of the ISACA Fayetteville Chapter include:
- President—Stanley R. McBride, CISA, CRISC
- Vice President—Alvin Edward Videtto
- Treasurer—Andres Edward Arriaza, CISA
- Secretary—Cathy Gibbs
- Membership Director—Cynthia Ragan, CISA
- Certification Director—Ronald McGeath, CISA, CRISC
- Communications Marketing Director—Jason Pluenneke, CISA
To learn more about the 214 ISACA chapters around the world, visit the Local Chapter Information page of the ISACA web site.
Encryption in the Hands of End Users
While encryption can provide substantial security benefits for enterprises, many systems and process may not provide all of those benefits in practice. ISACA Journal volume 3 author Eric H. Goldman, CISA, Security+, discusses some of the challenges associated with user-to-user encryption in his article, “Encryption in the Hands of End Users.”
In theory, encryption is just a matter of applying some math on bits of data before and after sending a file or message. However, there is a vast ecosystem of encryption technologies, algorithms, configurations, tools and file formats. Complicating matters, end-user encryption tools are notoriously unfriendly from the end user’s perspective. Management and transfer of encryption keys and/or passwords, and ensuring secure storage are daunting requirements to place on end users.
Even if the best, most seamless tools and training are implemented, there is still the issue of compatibility with partners. If one partner is on a different platform, deploying that platform requires additional investment and implementation efforts. Given that organizations have multiple partners, the overhead from purchasing and supporting multiple tools can quickly escalate. Failure to support the tools that internal users need to make their business partners happy will result in end users seeking creative solutions and workarounds.
In addition to providing the “right” tools, it is also important to block unauthorized encryption solutions. Whitelisting is part of the solution, but today’s user is likely to go searching for solutions in the cloud, and users may end up at some fly-by-night web site. This is problematic because a site’s usage cannot be monitored or controlled; furthermore, the services may not be properly secured or may be outright malicious. For example, that tool may offer to encrypt uploaded files but may, unintentionally or purposefully, retain the original unencrypted copy. The user’s attempt to improve security unfortunately could result in a data exposure.
Even within an approved application list, there are many tools that can provide some form of encryption as a side feature. For example, many compression tools allow a widely accepted, but woefully outdated and weak form of .zip file-extension encryption. Allowing or encouraging users to use such tools is ill advised. Using weak or outdated encryption provides no real security value, and employing such tools could negatively impact an organization's reputation because partners may perceive a lack of knowledge or willingness to invest in security.
Read Eric H. Goldman’s full article, “Encryption in the Hands of End Users,” in the current issue of the ISACA Journal, in which you will also find additional coverage of timely and relevant issues affecting the ISACA professional communities.