Endpoint
4/28/2016
01:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

How To Stay Secure At The Hotel On A Business Trip

As POS malware attacks on hotels increase and threat actors target executives, traveling for business puts company data at risk.

In 2014, cybercriminals in the DarkHotel campaign targeted business executives staying at hotels in Asia. The attackers used spearphishing as well as kernel-mode keystroke logger attacks and cracked weak digital-signing keys to steal data from the victims’ devices.

Then in 2015, the hospitality industry suffered a string of point of sale (POS) malware attacks that included the Hilton Hotel properties, Trump Hotel Collection, Starwood, Hyatt Hotels, and Mandarin Oriental Hotel Group.

When employees travel for business, corporate data is at risk as hotels increasingly become targets of and venues for cyberattacks. Here are seven ways to stay secure at the hotel on a business trip.

1.     Avoid using public-use terminals.

Many hotels provide computers and printers, or a public-use terminal, for guests to print plane tickets and check email. When you’re on your way in or out of the hotel and in a rush, it’s tempting to use these spaces in a pinch, but doing so could put your organization's data at risk. “Those things are not maintained as well as an organization that would maintain their systems,” says Andrew Hay, CISO for DataGravity and speaker at next week's 2016 Interop Las Vegas.

2.     Use a VPN client when connecting to WiFi.

When traveling for business, it’s a given that you’ll need to access the WiFi. That being said, whenever you do connect, it’s important to use a virtual private network (VPN) when accessing your information. You don’t know if the hotel is using an up-to-date firewall or if they’re separating the traffic between you and your neighbors, says Hay. “There’s really nothing stopping someone from sniffing the traffic.”

3.     Keep your devices in hand while at breakfast.

The hotel continental breakfast buffet is almost a ritualistic part of traveling on the company dime. Hay, who travels a lot for business, says he’s always surprised by the number of people he sees leave their laptops and devices open as they quickly grab food.

“Physical access trumps all security,” says Christopher Budd, global threat communications manager for Trend Micro. POS malware and sketchy WiFi networks may be making headlines, but it’s always important to keep the hardware out of reach.

“It’s so easy for someone just to walk by, pick up a laptop, and keep walking,” says Hay, adding that someone could also quickly install malware on a thumb drive in the time it takes you to come back from the buffet.

4.     Get loaner devices from IT.

An easy way to protect your company data and stress less about all of the files that could be lost if your device is stolen is to ask your IT department for a loaner computer and phone to use while traveling. It can be inconvenient to have all your devices on your person all of the time, especially if you’re having dinner with clients or attending a formal event. It’s handy to just leave your loaner (and secured) hardware in the hotel room and rest assured that nothing of major significance will be lost if the device is stolen or compromised while you’re away.

Device and hardware theft can happen on the way to the hotel, too. “I have heard horror stories of intelligence agencies using Customs to swap out hardware, USB drives, or laptops while special screenings were being conducted,” Hay says. Having loaner equipment can help eliminate the stress of information and hardware theft while making your way through the airport.

5.     Don’t swipe your card at sketchy ATMs, gift shops, or hotel restaurants.

Many of the 2015 hotel malware attacks targeted gift shop and restaurant POS systems. “We’re seeing attacks there because they’re older systems, on the periphery of a network security,” Trend Micro's Budd says.

Instead of having your card swiped at these systems, both Budd and Hay recommend asking to have your bill charged to the card on file or your room. “Every time your credit card gets swiped, it broadens the attack surface and possibility for information to get stolen,” warns Budd.

Paying in cash may seem like an obvious way to avoid credit card information theft, but DataGravity's Hay cautions against using ATM machines that are rented by the hotel and not owned by major banks. “They’re in heavily trafficked areas, but not high security areas,” says Hay, adding that he steers clear of them based on research and attacks that have happened, and instead gets cash from his bank before he leaves.

6.     Install remote wipe software

If you have to bring with you on the road the company devices you use on a day-to-day basis, Budd recommends installing remote-wipe software on those devices. “Assuming that what you’re bringing with you will get lost or stolen at some point, you want to make it as hard as possible for someone to get what’s on there,” Budd says. Of course, you’ll want to back up all of your files before you leave as well in case you have to remotely wipe your devices for some reason.

7.     Avoid using desk and lamp USB ports

A lot of hotel rooms today offer direct USB plugins on desks and lamps as a convenience to their patrons, but Hay and Budd see these as a potential threat. Hay says to completely avoid using these ports because there’s a chance that information could be copied from your device by some mechanism in the lamp. Stick with wall plugs.

“If I’m using a USB based charger, it’s mine,” says Budd, adding that we’re long past days where a phones power cable is just a power cable. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KPierson
50%
50%
KPierson,
User Rank: Apprentice
3/3/2017 | 2:17:16 AM
Stay safe during your business tour
Security of your luggage is of utmost importance when you are away from home. When you are on a business trip it's quite natural to carry your valuable belongings with you. To avoid carrying it everywhere, most of the hotel makes an effort to keep valuables safe by providing hotel room safes(www.hotelsafes.com). As these are under your private area, there are quite few chance for thefts. For more security, you can carry a lock so as to prevent more damage even if safe gets overrided. I hope this hepls!
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 10:52:15 AM
Re: Get loaner devices from IT.
The potential for VM's is paramount here. Assuming your loaner devices are generic you could use them as a portal to log into a more defined resource.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 10:50:40 AM
Re: Avoid using public-use terminals
Exactly. To add on to this benefit your machine will still have its local security mechanisms iin place most likely to combat unwanted snooping such as a username and password to log in to your laptop and a timeout to ensure that the activity time is utilized by the owner.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:09:13 AM
Secure VPN
VPN works well when it is site-to-site setup. Such as in corporate offices. You can setup VPN server on your corporate server and use a VPN client in your end device, the communication between the end-device and the server would be encrypted so nobody but your corporate can access the data. No privacy but secure. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:07:52 AM
Re: Get loaner devices from IT.
 

"...  loaner device may be generic. ..."

This is also a good point, for a non-techy person another computer may simply mean he/she would not get his/her job done and additional stress.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:06:23 AM
Re: Get loaner devices from IT.
"... I don't see this being a common occurrence ..."

Agree with you. This was the case in the past, there is less likely an option anymore since we do have our own devices anymore in most cases.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:04:43 AM
Re: Avoid using public-use terminals
 

" ... Avoid using public-use terminals ..."

This is a really great tip. Your own laptop is always better, let's say if you are using Gmail on your own laptop it is already encrypted from your laptop to Gmail server. Better than using hotel PC.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
4/29/2016 | 9:52:25 AM
VPN client?
I like the list, quite informative. Just one comment, I love it when I see "use VPN client" option when it comes to secure communication and privacy. Does anybody really think that this is bringing any security or privacy? Every VPN client has a VPN Server which one most likely have no control over so it is not secure or private.
RyanSepe
0%
100%
RyanSepe,
User Rank: Ninja
4/29/2016 | 8:33:19 AM
Get loaner devices from IT.
This is a good idea if your organization has extra devices. I don't see this being a common occurence because in many cases a loner computer isn't completely comprehensive solution for travel. For example, if you have a different role within the organization you may require different access, policies, etc. A loaner device may be generic.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 8:30:05 AM
Avoid using public-use terminals
This is definitely a good tip. Whenever I visit a hotel I always see someone on the public terminals and knowing the nature of human behavior there are going to be many times that you forget to log out of whatever you were doing...Email, bank, paypal. These sources can provide data that would make it very easier for a snooper to acquire the information they need.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.