Security Standard 03: International Travel

Summary

For members of the campus community, a trip to a foreign country presents unique data security challenges.  The nature of international travel requires you to use your device  (laptop, tablet or smartphone) in various unfamiliar places that may expose your data and device to malicious people and software.  Beyond the physical loss of your device, staying digitally connected often means that you will connect your devices to public networks in hotels, airports, train stations, and conference halls, which employ minimal security measures.  These public networks often harbor malware from cyber criminals looking to steal your data for identity fraud, as well as nation state actors targeting academic and business travelers for intellectual property.   In some cases, education networks are broadly targeted by government agencies for the benefit of data theft.

To protect your data and device, whether it’s for work or personal, the rest of this KB article will outline a list of data security safeguards you should add to your travel checklist before, during and after your trip.

In addition, please review the FAQ for International Travel with Encrypted Mobile Devices.

If you have any questions about securing your data on your trip, please send an email to IWU-ITSecurity@indwes.edu.

Outline

1. BEFORE YOU LEAVE
    
   1. If you are an employee, notify the Information Security Office (IS) and IWU Risk [risk@indwes.edu] at least 7 days prior to leaving for your trip. 
      1. Once notified IS will add rights to your IWU ID that will allow for added VPN security while on the road.  This is extremely important so please contact us at
         IWU-ITSecurity@indwes.edu. and supply: your name, email address, dates of travel.
          
   2. Leave your data and/or device at home.
      1. The best way to safeguard your data or device is to not bring them on the trip.  If you don’t need to access data stored on your computer, leave your computer in a secure location at home and bring along a loaner computer instead. 
      2. Employees: Request a loaner laptop by emailing visiting the IT Support Center loaner request form.  By default the loaner laptop will include: Microsoft Office, VPN, Microsoft Edge, Firefox, Chrome. Please allow 5 business days for delivery.
          
   3. Backup your data
      1. Whether you are traveling with a loaner computer, your regular computer, tablet or smartphone, you should always backup your data.  In case you lose your data along with your device or some malware corrupted your data during the trip,  you can be sure you have a good copy from which you can recover your data.  The best way to back up your data is to do so via IWU's OneDrive feature.  Learn how to setup OneDrive File Protection to backup your data.
   4. Install and configure encryption software. - In the unfortunate scenario where your device is lost or stolen, disk encryption software can help encode your data such that only you and people you authorized can decode and read the encrypted data.
      1.   If you are utilizing an IWU laptop it comes preloaded with full disk encryption and there is no further action required.

      2. If you have your personal laptop, Full disk encryption software, which is freely bundled with recent Microsoft Windows and Mac OS X operating systems, is easy to use and setup.  Some foreign countries do restrict the use of encryption software, so please research the software import laws of your destination country.  If you are not able to use encryption software at your destination, please strongly consider leaving your data and device at home, and bringing a loaner device instead.

   5. Configure device according to minimum security standards. - The following requirements are especially critical for foreign travelers:

      1. Update your operating system and application software to the latest versions possible

      2. Install and update anti-malware software

      3. Choose strong passwords

      4. For laptops, setup and use a personal account that does not have superuser (root, administrator) privileges
          

2. WHILE TRAVELING
    
   1. Use a VPN after connecting to any public or hotel hotspot. 
      1. For employees this means using the Global Protect client on your IWU issued device.
      2. For your personal device there are a number of providers out there that can provide VPN software but be sure you do your homework on the most recommended software by reliable security researchers. 
          
   2. Do NOT leave your device unattended.  Physically having control of your device is the easiest way for someone to access your data.
      1. Do not leave your device unattended, lend it to someone you just met or leave it in your checked bag on your flight.
      2. If you ever leave your computer, make sure to turn it off instead of just hibernating it or putting it to sleep.
          
   3. Do NOT plug in un-trusted accessories. Untrusted accessories, those that came from questionable sources, can be infected with malware intended to steal your data. 
      1. Avoid plugging in any untrusted accessories (flash drive, charging cable, SD cards, etc.) to your device.
      2. Plan ahead and take all the necessary accessories with you, but if you must purchase an accessory abroad, make sure it is from a reputable source.
          
   4. Do NOT enter your credentials into public computers. 
      1. Public computers such as hotel business center workstations and internet cafe computers are often poorly managed and provide minimal security protection for its users.  If the need to use public computers arises during your travel, avoid entering your credentials at these public computers. 
          
   5. Connect only to known WiFi networks.
      1. Anyone can create a network and give the network a legitimate sounding name, hoping to lure unsuspecting travelers to connect while capturing personal information transmitted through the network. This is especially prevalent at public cafes, hotel lobbies and airports.  When connecting to a network, find out the correct network name from the staff at the business and connect to it.
   6. Turn off your WiFi when not in use.  Attackers can easily spoof WiFi network names to connect to devices within range for eavesdropping.  To help you avoid accidentally connecting your device to rogue WiFi networks at a later time,  once you are finished using the network, turn off WiFi on your device

   7. Use a non-privileged account.

      1. Just as software installation requires elevated privileged accounts, malware often requires elevated privileges to infect your computer.  Use a non-privileged account and only elevate privileges when necessary on your device. This will provide additional protection against malware infection. 

   8. Clear browsing session information when using devices that do not belong to you.  Some web applications do not log you out entirely, even when clicking the logout button or closing the browser.  Such behavior allows the next person who uses the device to browse to the same page or click the back button to access your data as if you are still login.

      1. To prevent others from accessing your account and data, clear all the web browser session information following steps outlined for each type of browser here:  CHROME - INTERNET EXPLORER - FIREFOX - SAFARI

   9. Take note of credentials you are using during the trip.

      1. Regardless of whether you are using them on your device or public computer, they may be compromised.  To be safe, take note of the credentials you used so you can change them on a trusted and secure device once you return.
          

3. AFTER YOUR TRIP
    
   1. Reset credentials you used during the trip.  As noted above consider credentials you used during the trip to be compromised. 
      1. Use a trusted computer, whether it’s your own or one provided by your IT support staff, to reset credentials that were used during the trip.

         1.  For example, if you use your Indiana Wesleyan credentials during the trip, go to the IWU password reset portal, once you return, to reset your IWU password.

   2. Re-image your devices. All of these measures are extreme and can be construed as over protective, but they will ensure that your devices are free from any potentially harmful hidden software/viruses that may have made their way onto them during your trip. 
      1. Upon returning, if you were required to bring your IWU device, immediately open a support case to have it re-imaged with a fresh OS image. 
      2. This can be done by filling out the IT Support Center Reimage Request Form.
      3.  Prior to this you will need to make sure any data you wish to be retained is copied to your IWU network personal share or OneDrive. 
      4. It also may be wise to reset your mobile devices to their factory defaults

Import Restrictions on Encryption Software 

Encryption software is a very effective tool to strengthen the protection of your data.  However, a number of foreign countries do not permit encryption software to be imported or used without prior approval.  For example, China requires foreign travelers to apply for a license to use encryption software prior to arrival.  To learn more about background information and details of import restrictions on encryption software, follow the links below to external websites:

• Wikipedia article discussing restrictions on encryption software import (link is external)
• Crypto Law Survey website with a list of countries and their respective encryption software import restrictions. (link is external)

If you are not able to use encryption software at your destination, it is strongly recommended to leave your data and device at home, and bringing a loaner device instead.  If your information is sensitive and it is illegal to secure your devices/data and communication, contact the IWU IT Security office for advice.

Please review the FAQ for International Travel with Encrypted Mobile Devices for more detailed information.

Publication Tracking