Dream Firms Talks 04/2023

04/07/2023

Topic: Basics / Cyber Security While Traveling

Basic Security

  • 12 Character Minimum for all passwords
    • Anything 8 characters or less is vulnerable to immediate brute force attacks
    • Complexity – Must include: 
      • Upper Case Characters (ASDF…)
      • Lower Case Characters (asdf…)
      • Numbers (1234…)
      • Symbols (!#$%…)
    • Last Changed – Best practice is to change passwords at least twice a year
  • Businesses should use Premium Business versions of Anti-Malware software
    • Premium Version on every work system
    • BitDefender or Malwarebytes are both good options
    • Make sure it is updated regularly
  • Don’t use Gmail as your business email. Businesses should have their own domain
  • Employee training is a very important part of your Cyber Security plan. Training frequency should be at least twice a year
  • Monitor your internal networks and systems for alerts and changes.

Cyber Security – On the Move

  • Mobile Computing takes you and your devices away from your secure, corporate environment and exposes them to a host of dangers. Some best practices will help mitigate the risks

Device Security

  • Backups
    • Backup your system before traveling
  • Protect Your Screen
    • Prevent unwanted eyes on your screen while working
  • Unattended Device
    • Never leave any device unattended
  • Lock Your Device
    • Set up lock codes on all devices and don’t leave the screen unlocked when not in use
  • Encrypt Your Device
    • All sensitive files should be encrypted at rest
  • Use MFA (Multi-Factor Authentication) 

Public WIFI vs Hotspot

  • Hotspot – the safer alternative
    • Most cell phones and plans support this now
    • Creates a WIFI signal just for you with a password you create
    • Cellular retailers offer hotspot devices that can be added to your company cellular plan if you want to share amongst travelers
      • Our accounting firm uses these when doing remote fieldwork for audits
  • Public WIFI
    • Available in most coffee shops, restaurants, airports and even on mass transit
    • Inherently more dangerous as you are trusting a service you have no control over that was most likely set up by someone with just enough skill to turn it on
    • There is always the risk of someone using a wi-fi “pineapple” to perform MITM (man-in-the-middle) attacks and gather data from anyone connected to the wi-fi.
    • If you must use it (no cell service available)
      • Verify the establishment actually offers free WIFI (Could be a scammer)
      • Be very careful when selecting the WIFI connection (Slight spelling differences are a common trick)
      • Use a VPN (Virtual Private Network) to encrypt your connection 
      • Minimize connection time 
        • Bring working files with you
        • Only connect long enough to sync your files then turn off WIFI and/or Bluetooth
        • Don’t auto connect – Turn off auto connect to WIFI and Bluetooth on all devices
        • Keep Bluetooth in ‘hidden mode’ so that other devices can’t find it
    • If you connect your device to a rental car, the phone’s data may be shared with the car
      • Unpair the device and clear any personal data before turning the car in

Mobile Charging Stations

  • USB Charging Stations can be used to install malware and capture your data in transit
    • The danger is similar to ATM and Gas Station Skimmers and is called ‘Juice Jacking’
    • Best alternative is to use a regular power outlet 
    • Alternative is to bring a USB charging brick (battery) and charge that on the USB Charging Station

Policies

  • Travel Policy – If you have traveling workers, you need a policy that clearly defines your company’s expectations and rules for using mobile devices and computers while abroad
    • Should be inclusive of any device used to connect to corporate data (personal devices included)
      • Laptop
      • Tablet
      • Cell phone
      • Smart watch
    • Bottom Line – If you don’t want your personal device limited by your corporate policies, do not use it for corporate business
      • If your device is used at any time to connect to company data, it should always be subject to the company policies (share drive, files, email, Teams/meeting/collaboration software)
    • Our accounting firm has a policy requiring accountants to use a hotspot and to never use public or client WIFI

Resources We Use
