Travelling with your security blanket (cross post)

(Originally posted on the Iron Mountain Information Advantage Blog on October 16th 2013)

Mobile devices are great. I’m sat here in the back of a car in India travelling to a meeting. I’m connected to the internet via my iPhone and using the time to write a blog post on my laptop about the inherent dangers of using mobile devices while travelling. The irony isn’t lost on me.

Much has already been said on the various things that can be done to protect yourself while working on the move. Indeed, just the other day I wrote a piece on exactly how not to do it, and I am sure it is a regular topic of internal security articles at many companies.

The key issue I see is that the security measures are not always seen as ways to protect information. Rather, they are often seen as hoops that people need to jump through to get to the information they need to do their work. When, as is sometimes the case, security measures are poorly designed and/or poorly implemented, then the view of information security as an obstacle should come as no surprise.

Therefore, rather than trying to foist technology or procedures onto people, would we not be better off focussing on behaviours that can be reinforced with easy-to-remember concepts? Here are a few to consider:

Location
Think about where you are sitting with your laptop/mobile phone. Can it be stolen easily (as in this example) or can your screen be viewed easily by people sat nearby? Your data can be both physically stolen as well as “visually” appropriated.

Connection
All internet-based connections should go through a VPN. This might be overkill for some, but it ensures that there is no internal dialogue about the security of a Starbucks Wi-Fi versus a BT hotspot or even a hotel Wi-Fi. Always use a corporate VPN to encrypt and tunnel your traffic through any potentially unsafe network. Even when using a personal laptop to do your own work in a cafe, like a bit of banking or shopping, your credentials and details can be stolen, so use one of the many commercial (and sometimes free) VPN products that are available.

Observation
Be aware of your surroundings. Is this a high-traffic area such as a cafe or airport lounge, with people moving in and out frequently? Be aware of what is on your screen – is it confidential? Should you really be working on it in a public space? This doesn’t mean you need to be paranoid, but travellers, especially when abroad, can often be spotted easily and are often viewed as vulnerable. Knowing your surroundings and behaving accordingly is an important part of not only keeping your data secure, but of keeping yourself safe also.

Let’s face it, technology is never going to solve everything. I wrote recently about an example which had all the right technology in place, only to be let down completely by a visit to the bathroom. If in doubt, your mobile devices should be your “bathroom buddies” and not left exposed in public!

And they say security awareness training is working?

Having been involved in the security awareness debate quite a lot recently, I have no desire to bang this drum even further, especially as on the whole I support the concept of security awareness training. However, I am constantly having my faith in the training rocked just from observing people’s day-to-day activities.

I found myself in one of the lounges in Delhi airport at around midnight last night. In a period of less than thirty minutes I found two laptops and an iPad logged in and unattended in plain view. Now, I really do understand that people may consider these kinds of environments as ‘safe’ and will therefore let their guard down. What I fear, however, is that they have blatantly disregarded their security awareness training and policies, which will no doubt explicitly state that it is unacceptable to leave mobile devices unattended and unsecured in any environment, possibly including the workplace. Without wishing to become an amateur sociologist, I would imagine these are educated, intelligent people because:

  1. They are able to afford expensive-looking laptops or have been issued an expensive-looking laptop
  2. They are flying business class (or similar) and are therefore likely to be working for a company that can afford to pay for this level of comfort (a decreasing number in my experience)

If they are so intelligent and educated, why are they ignoring their training? Why are they putting their company and client data at risk in such a blatant way? It is my belief that the training provided has not effectively put across the reasons and incentives for securing mobile devices in the outside world.

Now you see it…

Can you see it?

The third offending item was another laptop, but as I was furtively aligning myself to take a picture the owner returned from the toilet. It was left in very similar circumstances in a high-traffic area.

Given the number of laptops I have seen left in Starbucks and other cafes (and indeed have blogged about elsewhere here) I am seriously considering starting a gallery to showcase these examples and perhaps start using them as a litmus test of the effectiveness of any company’s security awareness programme. Until these cases become exceedingly rare, to my mind the existing programmes are simply not working as they were intended, and until they do, behaviour such as this which smacks of convenience and possibly a little laziness will continue to put data at risk.

We turned around, and there he was… gone!

This is a picture taken in Starbucks, just a few minutes ago. Can you guess what’s missing?

Why the owner felt it was a good idea to go to the toilet (while carefully taking his iPhone with him, because otherwise it might get stolen!), leaving his laptop in a busy room where it could easily be removed, is beyond me. It was made worse because when I peeked around the screen, it was also not screen-locked.

With so much noise and argument going around the infosec community at the moment about security awareness, the lazy conclusion would be that all users are idiots and need their hands holding all the time before they hurt themselves with their private data. Of course it is never that simple, but it is no less infuriating to see this kind of attitude in practice. Where do we go from here in trying to avoid these situations?

I have a colleague who likes to highlight that we should consider our laptops and tablets and other various devices as “bathroom buddies”. I didn’t like this term at first (my knee-jerk reaction against the American use of the term bathroom), but it really does make sense. When in a public place such as a cafe or train and you need the toilet or a break, take your equipment with you! It is a simple alliterative phrase that sticks in the mind, makes you smile and therefore might actually make someone change their behaviour.

On the subject of humour, there was an XKCD cartoon very recently that summed this up perfectly.

The point is that this individual who left himself logged in could have had untold damage done to his personal and professional reputation if I had been so inclined. Facebook posts, Tweets, work emails, Amazon orders etc. could all potentially have caused him grief. Sure, after the fact he could probably “tidy up” the mess, but why put yourself in this position?

In the security awareness debates, system design is often touted as the way ahead, and in actual fact I think this may have come to the aid of our hapless coffee drinker, if he was lucky. The laptop itself looks like a new MacBook Pro, possibly a Retina given the new-style charger. That would mean he would be running Lion or Mountain Lion, which means FileVault is installed, although not enabled by default. If it was enabled and I ran out of the cafe with his laptop, chances are that when I sat down at the nearest park bench to check my prize the laptop would have locked and required a password. There is a good chance that his data would be secure and encrypted. The same would be true if it was a Windows 7 or 8 laptop. The problem here, though, is that the key phrase above is “not enabled by default”. It’s great that these operating systems now come with encryption built in, but there aren’t even annoying prompts a la Microsoft telling me, for instance, that I don’t have an anti-virus program installed; it is left entirely to the user to be educated and security-savvy enough to enable it. I have joked on this blog before that encryption today is at the same level as anti-virus was twenty years ago (Dr Solomon’s, anyone?). Today, I would wager virtually everyone knows about anti-virus, and in fact it is often bundled and enabled by default on new laptops. (I am not going to take this opportunity to talk about the efficacy of anti-virus as an endpoint protector!) When will encryption become such a commodity that you are an oddity if you don’t have it?

This isn’t a particularly racy topic, but it is one that is played out every day in cafes around the world. As every teacher will tell you, when you get the fundamentals right, the rest will follow far more easily. This person really should have known better, but when will we be at a point where he wouldn’t have had to?
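As an added example (not from the original post), here is a small POSIX shell posture check for the two things the FileVault paragraph above says would have saved the coffee-shop laptop: disk encryption switched on, and a screen lock that demands a password promptly. It assumes a Mac of the Lion / Mountain Lion era, where `fdesetup status` prints "FileVault is On." or "FileVault is Off." and the lock settings are the `askForPassword` and `askForPasswordDelay` keys of `com.apple.screensaver`; the sample values fed to it are constructed.

```shell
#!/bin/sh
# Added example (not the post's own code). Checks what the post says would have
# protected the unattended laptop: full-disk encryption enabled and a screen lock
# that requires a password promptly. Assumptions (macOS of the Lion / Mountain
# Lion era): `fdesetup status` prints "FileVault is On." or "FileVault is Off.";
# the lock settings are askForPassword (0/1) and askForPasswordDelay (seconds)
# in com.apple.screensaver. Newer releases may keep these elsewhere.

# Returns 0 when the text from `fdesetup status` reports FileVault enabled.
filevault_on() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when a password is required ($1 = 1) within $3 seconds (default 5)
# of the screen locking ($2). An unset key (empty string) counts as not required.
screen_lock_ok() {
  ask="$1"; delay="$2"; max_delay="${3:-5}"
  [ "$ask" = "1" ] || return 1
  [ -n "$delay" ] || delay=0
  [ "$delay" -le "$max_delay" ] 2>/dev/null
}

# One verdict line, suitable for collecting into an awareness-programme report:
# "PASS", or "FAIL:" followed by the reasons.
posture_verdict() {
  reasons=""
  filevault_on "$1" || reasons="$reasons disk-not-encrypted"
  screen_lock_ok "$2" "$3" || reasons="$reasons screen-lock-weak"
  if [ -z "$reasons" ]; then echo "PASS"; else echo "FAIL:$reasons"; fi
}

# Constructed sample: the out-of-the-box state the post complains about
# (FileVault installed but off, password-on-wake never configured).
posture_verdict "FileVault is Off." "" ""
# -> FAIL: disk-not-encrypted screen-lock-weak

# Live run, only where the macOS tools exist (a no-op on other systems).
if command -v fdesetup >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
  posture_verdict "$(fdesetup status 2>/dev/null)" \
    "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
    "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)"
fi
```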