Travel Securely

With today’s technologies, connecting to Yale resources while traveling has never been easier. However, public wireless networks are major targets for cyber crime. Below is a list of security best practices for before you travel, while you travel, and when you return. 

Before You Travel

What To Do Why Do It
REDUCE SCOPE
1 If you can leave computing devices at home, do so. Limits your exposure.
2 Travel with the least amount of data possible stored on electronic devices. In particular, leave all removable media (thumb/USB drives, DVDs, portable hard drives) at home. Also limits your exposure. Consider what data is sensitive for you. This might include physical papers or email.
LIMIT EXPOSURE
3 Ensure you have current backups of all data and software you are taking on your trip. If your devices are compromised while traveling, backups make correcting the problem much easier. The potential for theft or confiscation of devices while traveling is also a factor.
4 If possible, take loaner devices on trips and leave your own devices at home. Loaner devices require a fresh, hardened and minimal installation of software, making compromise more difficult. Taking a loaner makes it easier to limit the amount of data, as data copied to the device would then be a conscious choice. Your backups could then be considered your usual device(s) left at home.
5 Ensure all devices are fully encrypted. This includes removable media. If stolen, encrypted devices have a much greater chance of protecting the information stored on the devices. Please see #12 below as some countries have made encryption illegal or problematic.
6 Ensure all devices are fully patched, both operating system and all installed software. Unpatched applications and unpatched operating systems allow attackers easy avenues to compromise devices, bypassing other safeguards and accessing the data on the devices. Ruthless, automatic, full patching of all installed software and operating system should be considered a must whether traveling or not.
7 Ensure all devices run up-to-date next-generation anti-virus software. Yale has invested in a next-generation anti-virus product known as Cylance, which has been demonstrated in our environment to be significantly more effective than traditional signature-based anti-virus products. In addition to looking for known bad malware, so-called “next generation” anti-virus looks for suspicious patterns of behavior and begins to incorporate machine learning in detection routines.
8 Disable all unnecessary services on your devices, including USB ports, wifi and bluetooth if possible. Disabling unnecessary software and operating system features is a fundamental part of machine “hardening” to limit the possible angles of attack. This can be done by your support professional, and there are industry standard benchmarks available to guide in the detailed steps required. Disabling some features, such as USB ports, wifi and bluetooth, is an extreme measure insofar as it is very inconvenient. Do what is possible here, even if it means leaving some of these features on all the time (e.g. wifi) or switching them on and off as needed (e.g. bluetooth).
9 Identify all passphrases saved or cached on your devices, such as those saved by a web browser, as well as all passphrases you manually type into a device. The only scenario that might be worse than unauthorized access to the data on your devices would be the theft of your credentials, so that the attackers could repeatedly access your data without the need to physically be near your machine. Being aware of your passphrases, including cached passphrases, will be necessary so that you can determine which passphrases can be protected by a second factor (aka multi-factor authentication), or which passphrases you should change once returning from your travels.
10 Ensure as many passphrases as possible require two-step / multi-factor authentication, and that the second factor will be available while traveling. The use of multi-factor authentication while traveling requires pre-planning, otherwise you might find your second factor does not work while away, keeping you from vital work. Your support professional can help ensure you have multi-factor options that will work while traveling. There are special one-time use codes and special multi-factor devices available that can work even without reliable internet connectivity or SMS. 
11 Ensure your critical passwords are unique; do not “reuse” these passwords on less sensitive systems or in systems unrelated to Yale. Every single week, Yale security operations receives reports of other non-Yale websites around the world that have been compromised. In a shocking number of cases, people have used their Yale email address as a username, and often they have used their Yale password on these other sites. These other sites often do not know or do not announce when they have been breached.
12 Be aware of export restrictions in the event you may be traveling with export-controlled data. https://your.yale.edu/sites/default/files/laptop_guidance_january_2018.pdf

13 Be aware of encryption restrictions in some countries. https://world-toolkit.yale.edu/export-controls/export-controls-and-traveling-abroad-electronic-devices-3

While You Travel 

  What To Do Why Do It
1 Do not enter usernames and passwords on a device that is not your own. You never know when another device has been incidentally or purposefully compromised in order to steal your credentials. This happens frequently.
2 Take your own chargers; never use chargers that are not your own and kept in your possession. Some chargers, such as for laptops, are power-only and thus are not subject to this requirement. Other chargers are power AND data, such as for phones and tablets. Such chargers can be physically modified to deliver malware to the device when a device is plugged into the charger.
3 Keep your devices and chargers in your possession at all times. Leaving your devices in your unoccupied hotel room does not count as “in your possession”, nor does checking devices, chargers or portable media in your baggage. In addition to the risk of theft of the device, loss of physical control (even for a relatively short period of time) greatly increases the odds that an attacker can bypass controls to gain access to the device or credentials stored/used on the device.
4 If possible, develop the habit of switching off wifi and/or bluetooth if unneeded. Discussed above. Yes, this one is tough. At the very least try and leave bluetooth off unless needed.
5 Use the Yale VPN for all network connections where possible. Protects against some very technical attacks such as eavesdropping, tampering, misdirecting, detouring and other man-in-the-middle attacks.
6 If your physical location for part of the trip will be highly confidential, remove the battery of your cellphone(s) before traveling to the highly confidential location. As incredible as it sounds, cell phones can be used to provide location information even when powered off.
7 Cover cameras and muffle mics on devices during highly confidential meetings. Compromised devices can be used to turn on cameras (even without lighting up any indicator lights) or turn on mics. The temptation will be to leave devices behind and out of your possession, but do not do this. Better: remove batteries, muffle mics, put tape over cameras. 
8 Do not accept or use portable media given to you. Invasive malware/spyware is surprisingly easy to hide on such media, and can silently install itself on your devices merely as a result of plugging the portable media into your device. 
9 Be aware of your surroundings, especially when viewing or entering sensitive information on devices. Cameras and people can be employed to steal information or passwords.

After You Travel

1 If your devices or chargers were not in your possession 100% of the time, consider them compromised. Have the devices professionally re-imaged, including firmware and a physical inspection. Loss of physical possession for even a short period dramatically raises the odds of compromise for a targeted attack on a well-known individual.
2 If you utilized a loaner, return it for inspection and a wipe of operating systems and firmware.
3 From a known-clean device, change all passwords identified in “Before You Travel” step 9. This safeguard helps limit the potential damage from any weaknesses in your device’s defensive posture.

More Information

Many other travel resources are also available on the Yale and the World website.