Company Travel Policy Outline
Executive Summary: Companies of all sizes benefit from a well-designed International and Domestic Travel (IDT) security policy. This article outlines a corporate travel security strategy that protects company data from compromise.
Image: Public Charging Station at Mayfair Mall, Milwaukee, WI
Target Audience: Network Administrators and IT Managers responsible for securing network resources.
Assumptions:
- Network administrators configure all managed laptops.
- Minimum precautions are short-term strategies that can be immediately implemented.
- Advanced precautions are long-term recommendations that require additional planning. For example, multi-factor authentication (MFA) requires a development process.
Minimum Precautions:
1. Personal Devices. Staff are discouraged from using personal devices to connect to corporate resources when traveling. Do not store sensitive company data on personal devices.
2. Managed Laptops. Specially configured corporate laptops and tablets are available for travel. These devices are configured according to IDT policy guidelines. Additionally, store all sensitive data on corporate servers whenever possible.
3. Encryption. Encryption protects corporate data when a device is out of its user's immediate possession. Managed resources require self-encrypting drives (SEDs) or Microsoft BitLocker, configured with a minimum of AES 256-bit hardware encryption. Laptops and tablets must use Trusted Platform Modules (TPMs) to secure the cryptographic keys.
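The encryption clause above can be checked and enforced from PowerShell. The script below is an added example, not code from the original article: it audits one volume for BitLocker status, an AES-256 cipher and a TPM-held key protector, and enables BitLocker when the volume is unprotected. It assumes Windows 8.1 or later (BitLocker and TrustedPlatformModule modules), an elevated prompt, and a domain that accepts recovery-password escrow; the function names are this example's own.

```powershell
# Added example, not from the original article: audit a managed travel laptop against
# the encryption clause (BitLocker, AES-256, TPM-sealed key) and remediate if needed.
# Assumes Windows 8.1 or later and an elevated prompt. Function names are hypothetical.

function Test-TravelEncryption {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm                                   # TrustedPlatformModule module
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Policy asks for a minimum of AES 256-bit; accept the CBC and XTS variants.
    $strongCipher = $vol.EncryptionMethod -in @('Aes256', 'XtsAes256')
    # The volume key must be sealed to the TPM (with or without PIN/startup key),
    # not protected by a password alone.
    $tpmProtector = @($vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -in @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    }).Count -gt 0

    [pscustomobject]@{
        MountPoint     = $MountPoint
        TpmReady       = [bool]$tpm.TpmReady
        FullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
        StrongCipher   = $strongCipher
        TpmProtector   = $tpmProtector
        Compliant      = ([bool]$tpm.TpmReady -and
                          $vol.VolumeStatus -eq 'FullyEncrypted' -and
                          $vol.ProtectionStatus -eq 'On' -and
                          $strongCipher -and $tpmProtector)
    }
}

function Enable-TravelEncryption {
    param([string]$MountPoint = 'C:')

    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM is not ready; initialise it (firmware or Initialize-Tpm) before enabling BitLocker.'
    }
    # Seal the volume key to the TPM with AES-256 (Aes256 is valid on 8.1 and later;
    # XtsAes256 is the newer choice on Windows 10 and later).
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -TpmProtector -SkipHardwareTest

    # A recovery password escrowed to Active Directory covers TPM or firmware changes
    # that stop the sealed key from unsealing while the user is abroad.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $ids = @($after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    foreach ($id in $ids) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id
    }
}

$state = Test-TravelEncryption
$state | Format-List
if (-not $state.Compliant -and -not $state.ProtectionOn) { Enable-TravelEncryption }
```

Run the audit function alone on the fleet first; only volumes that report ProtectionOn as false are candidates for the remediation function, since changing the cipher on an already-encrypted volume requires a decrypt and re-encrypt cycle.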
4. Windows Firewall Configuration. Third-party networks are not secure mediums. Untrusted physical Ethernet or Wi-Fi hotspots put the integrity and confidentiality of corporate data at risk.
Client firewalls must be configured with two basic rules: (a) permit an outbound secure tunnel to the corporate virtual private network (VPN) or Remote Desktop (RDP) gateway; and (b) deny all other inbound and outbound traffic.
5. Internet and Remote Access. Secure Socket Tunneling Protocol (SSTP) VPN or secure RDP communication is mandatory for all external communications. All network traffic, including web and email, is forwarded through TLS tunnels, which preserves data integrity and confidentiality. N.B., Do not ignore certificate warnings!
Additionally, SSTP and RDP use TLS over TCP port 443, which passes through virtually all firewalls and proxy servers. In other words, this solution should work at hotels and coffee shops throughout the world.
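Items 4 and 5 together describe one client configuration: a default-deny firewall with a single hole for the tunnel, and an SSTP connection that uses that hole. The script below is an added example, not code from the original article. It assumes placeholders that are not on the page: a corporate SSTP gateway vpn.example.com at 203.0.113.10, the gateway certificate's CRL host crl.example.com at 203.0.113.11, Windows 8.1 or later (NetSecurity and VpnClient modules), and an elevated prompt. A Remote Desktop Gateway would get the same port 443 rule pointed at its own address.

```powershell
# Added example, not from the original article: apply the two client firewall rules
# from item 4 and define the SSTP connection from item 5 on a managed Windows laptop.
# All hostnames and addresses below are placeholders (TEST-NET-3 documentation range).

$VpnName = 'Corp-SSTP'
$VpnHost = 'vpn.example.com'   # must match the subject of the gateway's TLS certificate
$VpnIp   = '203.0.113.10'
$CrlHost = 'crl.example.com'   # host named in the gateway certificate's CRL distribution point
$CrlIp   = '203.0.113.11'

# Pin both names in the hosts file so the laptop never asks an untrusted hotel or
# coffee-shop resolver where the gateway (or its CRL) lives.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($pin in @("$VpnIp`t$VpnHost", "$CrlIp`t$CrlHost")) {
    if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($pin)) -Quiet)) {
        Add-Content -Path $hosts -Value $pin
    }
}

# Rule (b): default deny in both directions on every profile. Pre-existing allow
# rules still punch through a default block, so disable them as well.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | Disable-NetFirewallRule

# Rule (a): TLS to the gateway. DHCP is needed to get an address on the hotel LAN at
# all, and the SSTP client checks the gateway certificate against its CRL during the
# handshake, so the CRL host must be reachable too or the tunnel never comes up.
New-NetFirewallRule -DisplayName 'IDT - SSTP to corporate gateway' -Group 'IDT Travel' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $VpnIp
New-NetFirewallRule -DisplayName 'IDT - CRL for gateway certificate' -Group 'IDT Travel' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 80 -RemoteAddress $CrlIp
New-NetFirewallRule -DisplayName 'IDT - DHCP client' -Group 'IDT Travel' `
    -Direction Outbound -Action Allow -Protocol UDP -LocalPort 68 -RemotePort 67
# Everything else (web, mail, DNS, RDP) may leave only through the tunnel adapter.
New-NetFirewallRule -DisplayName 'IDT - traffic inside the VPN tunnel' -Group 'IDT Travel' `
    -Direction Outbound -Action Allow -InterfaceType RemoteAccess

# Item 5: SSTP (TLS over TCP 443), full tunnel, encryption mandatory. Switch to
# -AuthenticationMethod Eap with an EAP profile once MFA is in place.
Add-VpnConnection -Name $VpnName -ServerAddress $VpnHost -TunnelType Sstp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -SplitTunneling:$false -RememberCredential -Force

# Verify the end state.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Group 'IDT Travel' | Select-Object DisplayName, Direction, Action, Enabled
Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, SplitTunneling
```

Two consequences are worth knowing before this goes on a laptop: captive portals (the hotel sign-in page) cannot be completed under this rule set, which is the trade-off the policy accepts and the MiFi option in the next section avoids; and grouping the rules under 'IDT Travel' keeps them easy to list and remove when the device returns to the office.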
Advanced Precautions:
1. Preferred Travel Network: MiFi. MiFi is a portable broadband router that extends 4G and 3G mobile broadband Internet access to laptops, tablets, and smartphones. MiFi is the preferred Internet service when traveling because it reduces the risk of man-in-the-middle (MITM) attacks.
a. MITM attacks are less likely on MiFi networks because attackers need an expensive (e.g., ten thousand dollars) base transceiver station (BTS) to impersonate a telecom wireless network. However, costly BTS equipment does not deter professional criminals or foreign government espionage.
b. MiFi Password. Change the default MiFi password to a randomly generated complex password.
c. MiFi WAN Mitigation. Configure the MiFi router to connect automatically to an external IPsec VPN, and edit the MiFi firewall so that the only external traffic permitted is between the router itself and the corporate VPN server.
d. MiFi LAN Mitigation. Local devices should connect to the MiFi router via Ethernet or USB cables whenever possible. Physical connections from local devices to the MiFi are secure mediums, whereas the MiFi's internal wireless access point (WAP) relies on vulnerable wireless encryption protocols (e.g., WEP, WPA, and WPA2).
WPA2-Enterprise is considered a secure wireless protocol; however, it requires RADIUS authentication. Non-Enterprise WPA2 (i.e., WPA2-Personal) can also be used as long as its password is configured with maximum complexity. Consider changing the WPA2 password at regular intervals to discourage brute-force attacks.
e. Domestic and International MiFi. Domestic MiFi service is available throughout the United States from AT&T, Sprint, and Verizon. Monthly service costs between $50 and $100.
XCOM Global provides international MiFi in over 175 countries. XCOM service costs $395 per month and provides access from all serviceable countries. Verizon also offers international phone and data coverage. Their Global Travel program recommends equipment and provides service plans based on destination.
2. Travel Firewall: The travel firewall is for situations when MiFi is unavailable. It protects smart devices and laptops that connect to untrusted networks. The travel firewall has three functions: (a) it connects to an external LAN (e.g., a hotel Ethernet wall plate) or wireless LAN; (b) it automatically establishes an IPsec VPN; and (c) it permits only VPN traffic to reach local devices (i.e., managed laptops). Travel routers have vulnerabilities similar to those of MiFi routers; the Windows firewall and SSTP VPNs further reinforce device security.
Recommended travel firewall:
Tiny Hardware Firewall (THF) offers portable firewalls that are ideal for remote workers. THF offers multiple models, all of which are highly portable (i.e., tiny) and are battery and USB powered. The connection process is very user-friendly because of its "bare-bones" GUI. These firewalls require a public-facing OpenVPN server.
3. Multi-factor Authentication. Multi-factor authentication (MFA) protects against malware, keyloggers, and MITM attacks. Local logons and network communications (i.e., RDP and SSTP VPNs) are more secure with MFA because corporate systems require at least two separate types of authentication. If thieves intercept a user password in transit (e.g., over Wi-Fi), the authentication process remains secure.
MFA hardens the authentication process; however, compromised systems may still be vulnerable to NTLM hash harvesting attacks. Essentially, Windows stores a password hash for all of its user accounts, and this includes accounts protected by MFA tokens. In certain situations, thieves can collect this password hash and use it to access corporate systems (i.e., pass-the-hash).
4. Application Whitelisting. AppLocker uses an application whitelist to prevent the execution of unwanted and unknown applications, including malware. AppLocker is only available on the Microsoft Windows 7 Enterprise and Windows 8.1 Enterprise editions.
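The following script is an added example, not code from the original article, showing how an AppLocker whitelist for a managed travel laptop is built from its reference image, applied in audit mode, and reviewed before enforcement. It assumes Windows 8.1 Enterprise, that the current install is the trusted reference, an elevated prompt, and the file paths shown (which are placeholders).

```powershell
# Added example, not from the original article: build an AppLocker whitelist from the
# trusted reference image, apply it in AuditOnly mode, then review before enforcing.
# Paths and file names are placeholders; run from an elevated prompt.
Import-Module AppLocker

# AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Inventory executables, installers and scripts in the trusted locations. DLL rules
# are supported but left out here because of their noticeable performance cost.
$trusted = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot")
$files = foreach ($dir in $trusted) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe,WindowsInstaller,Script
    }
}

# Publisher rules for signed files, hash rules for the rest; -Optimize merges
# duplicates. 'Everyone' covers local administrators too, which is what a travel
# device wants.
$policyXml = New-AppLockerPolicy -FileInformation $files -RuleType Publisher,Hash `
    -User Everyone -Optimize -Xml

# New-AppLockerPolicy leaves each rule collection as NotConfigured; start in AuditOnly
# so nothing is blocked until the audit log has been reviewed.
$policyPath = Join-Path $env:ProgramData 'IDT-AppLocker.xml'
$policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# Ask the policy what it would decide for a known binary (expected: Allowed, since
# notepad.exe is covered by the Windows publisher rule).
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:SystemRoot\System32\notepad.exe"

# After a trial period, list what audit mode would have blocked. Anything legitimate
# gets a rule; then change AuditOnly to Enabled in the XML and re-apply.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited | Select-Object Path, Publisher, Hash
```

The audit step matters more than it looks: software that updates itself into a per-user profile directory (outside Program Files) will not be covered by the initial inventory, and the audit log is where those gaps show up before users are locked out in the field.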
5. Certificate Pinning. Microsoft's Enhanced Mitigation Experience Toolkit (EMET) uses SSL certificate pinning to defend against MITM attacks. Certificate pinning validates the authenticity of VPN and RDP servers by verifying certificate thumbprints.
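The check that pinning performs can be seen in a few lines of PowerShell. This is an added example, not code from the original article, and it performs the thumbprint comparison itself rather than through EMET (whose configuration the page does not show). It assumes a gateway hostname vpn.example.com and a pinned thumbprint recorded on the trusted corporate LAN at build time; both values are placeholders, and the function names are this example's own.

```powershell
# Added example, not from the original article: compare the TLS certificate a
# gateway presents with the thumbprint recorded for it at build time. Hostname and
# thumbprint are placeholders. Function names are hypothetical.

function Get-TlsServerThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake on purpose: this function only
        # reads it. The trust decision is made against the pin in Test-GatewayPin,
        # not by the CA chain, which is exactly what pinning adds over normal TLS.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cert.Thumbprint   # SHA-1 hex, the same value certmgr.msc displays
    } finally {
        $tcp.Close()
    }
}

function Test-GatewayPin {
    param([string]$HostName, [string]$PinnedThumbprint)
    $seen = Get-TlsServerThumbprint -HostName $HostName
    if ($seen -ne $PinnedThumbprint.ToUpperInvariant()) {
        # A mismatch means do not connect: a chain-valid certificate from a different
        # issuer is what an interception proxy on a hotel network presents.
        Write-Warning "Pin mismatch for ${HostName}: expected $PinnedThumbprint, saw $seen"
        return $false
    }
    return $true
}

# Thumbprint recorded on the trusted corporate LAN (placeholder value).
Test-GatewayPin -HostName 'vpn.example.com' -PinnedThumbprint 'PLACEHOLDER-THUMBPRINT-FROM-BUILD'
```

Record the pin over the corporate network, never over the untrusted network the laptop is about to use, and plan the rotation: a gateway certificate renewal must ship a new pin to the fleet before the old certificate expires.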
6. Secure DNS. Harden client DNS resources to prevent DNS poisoning and spoofing. Remote client traffic can be redirected if public-facing DNS servers are compromised or impersonated. It is essential that client traffic traverses only the corporate VPN. Securing DNS mitigates the risk from DNS-related threats.
Use a Name Resolution Policy Table (NRPT) policy, or edit the client hosts file, so that resolution of all corporate fully qualified domain names (FQDNs) cannot be altered. Consider implementing DNSSEC (i.e., DNS integrity checks) to further protect domain integrity.
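Both controls above (an NRPT rule for the corporate suffix and a locked-down hosts file) can be set up and checked with the DnsClient cmdlets. The script below is an added example, not code from the original article. It assumes placeholders that are not on the page: the corporate namespace corp.example.com, internal resolvers 10.0.0.53 and 10.0.1.53 reachable only through the tunnel, a single expected hosts entry for the VPN gateway, Windows 8.1 or later, and an elevated prompt; the function names are this example's own.

```powershell
# Added example, not from the original article: send corporate names only to the
# internal resolvers behind the VPN, require DNSSEC validation for them, and make the
# hosts file tamper-evident. Namespace, addresses and entries are placeholders.

$Namespace   = '.corp.example.com'          # leading dot = the whole suffix
$InternalDns = @('10.0.0.53', '10.0.1.53')  # reachable only through the tunnel

function Set-CorporateNrpt {
    # Replace any earlier copy of the rule so re-running the script is safe.
    $old = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Namespace }
    if ($old) { $old | Remove-DnsClientNrptRule -Force }

    # Queries for *.corp.example.com go only to the internal resolvers and must
    # validate under DNSSEC; a hotel resolver never sees them. With the VPN down the
    # query fails instead of falling back to the local resolver.
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $InternalDns `
        -DnsSecEnable -DnsSecValidationRequired `
        -DisplayName 'IDT - corporate names via VPN resolvers only' `
        -Comment 'Managed by IDT policy; do not edit locally'
}

function Test-HostsFile {
    # Hosts entries override DNS, so any line not placed there by the build is a
    # red flag. Lock the file read-only and report a hash plus unexpected entries.
    param([string[]]$AllowedEntries = @("203.0.113.10`tvpn.example.com"))  # placeholder
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = Get-Content $hosts | Where-Object { $_ -match '^\s*\d' }      # IPv4 lines in use
    $unexpected = $active | Where-Object {
        ($_.Trim() -replace '\s+', "`t") -notin $AllowedEntries
    }
    Set-ItemProperty -Path $hosts -Name IsReadOnly -Value $true
    [pscustomobject]@{
        Sha256     = (Get-FileHash -Path $hosts -Algorithm SHA256).Hash  # record at build time
        Unexpected = @($unexpected)
    }
}

Set-CorporateNrpt
Get-DnsClientNrptRule | Select-Object Namespace, NameServers, DnsSecValidationRequired

# Probe a corporate name with the DNSSEC OK bit set; expect signed answers when the
# tunnel is up and a resolution error when it is down.
Resolve-DnsName -Name "intranet$Namespace" -DnssecOk -ErrorAction SilentlyContinue

Test-HostsFile
```

Store the hosts-file hash that Test-HostsFile returns with the build record; a different hash on a returning laptop is worth a look before the device reconnects to the corporate network.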
7. Persistent States. Operating systems that boot from read-only media protect clients from compromise. Examples of read-only media include CDs and USB flash drives with hardware write protection. Persistent-state clients are less vulnerable to malware because changes are never saved. Persistent states also prevent hackers from obtaining domain-based password hashes from the local Security Account Manager (SAM). N.B., This assumes domain credentials were not used to create the original system state.
ZeusGard is an example of a Linux distribution designed "to eliminate malware-borne corporate account takeover attack vectors". ZeusGard is sold as a bootable read-only USB flash drive for $25 per device.
Windows may be more appropriate than Linux for a corporate solution. TechNet explains how to create a bootable Windows 7 steady state from a differencing VHD. This solution can boot from USB and should work with Windows 8.
8. Windows To Go. Windows 8.1 Enterprise includes a portable operating system called Windows To Go. This is a fully managed operating system that can be run from any PC or laptop. It provides employees with an encrypted, managed local workstation that they can run from their personal devices, giving them access to corporate resources from a secure environment.
Smart Phone Precautions:
Image: Corporate Travel Policy Template
• Treat smart phones as computers.
• Avoid using public Wi-Fi.
• Disable Wi-Fi, Bluetooth, and GPS when not in use.
• Public USB charging stations are not safe; they can install malware.
• Be wary of text messages from unknown sources; they can install malware.
• Do not jailbreak or root smart phones.
• Enforce VPNs.
• Manage and enforce a strategic Smart Device Policy.
International:
• Use the same precautions per domestic recommendations.
• Remove the smart phone battery when not in use. Foreign governments and criminals can track your movements using your smart phone.
• Smart phones are not as secure as managed computers. Consider using a non-smart phone for all voice communications.
• If smart phones are necessary, consider using a phone that is FIPS 140-2 certified. The phone should be treated as a computer: use encryption, VPN, etc.
• Consider a secure VoIP and IM app (e.g., Microsoft Lync) that connects only to corporate servers.
• Verizon’s Global Travel program recommends equipment and provides service plans based on destination.
Conclusion:
All electronic communication can be intercepted. Wireless devices are especially vulnerable. Hotel business centers and phone networks are regularly monitored. Do not use public computers to connect to any company resources. Assume all shared computers have key loggers or other malware that collect account credentials. In some countries, hotel rooms are regularly searched. Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.
Foreign security services and criminals are adept at “phishing” – that is, pretending to be someone you trust in order to obtain personal or sensitive information.
Store any hardware tokens, battery and subscriber identity module (SIM) card in a separate location from the mobile device. If traveling in a high-threat location, you must assume that hotel rooms have been selected to facilitate electronic or visual monitoring.
Related Websites:
www.onguardonline.gov
www.us-cert.gov/cas/tips
http://www.verizonwireless.com/wcms/global.html
http://www.xcomglobal.com/