Endpoint

4/28/2016
01:20 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

How To Stay Secure At The Hotel On A Business Trip

As POS malware attacks on hotels increase and threat actors target executives, traveling for business puts company data at risk.

In 2014, cybercriminals in the DarkHotel campaign targeted business executives staying at hotels in Asia. The attackers used spearphishing as well as kernel-mode keystroke logger attacks and cracked weak digital-signing keys to steal data from the victims’ devices.

Then in 2015, the hospitality industry suffered a string of point of sale (POS) malware attacks that included the Hilton Hotel properties, Trump Hotel Collection, Starwood, Hyatt Hotels, and Mandarin Oriental Hotel Group.

When employees travel for business, corporate data is at risk as hotels increasingly become targets of and venues for cyberattacks. Here are seven ways to stay secure at the hotel on a business trip.

1.     Avoid using public-use terminals.

Many hotels provide computers and printers, or a public-use terminal, for guests to print plane tickets and check email. When you’re on your way in or out of the hotel and in a rush, it’s tempting to use these spaces in a pinch, but doing so could put your organization's data at risk. “Those things are not maintained as well as an organization that would maintain their systems,” says Andrew Hay, CISO for DataGravity and speaker at next week's 2016 Interop Las Vegas.

2.     Use a VPN client when connecting to WiFi.

When traveling for business, it’s a given that you’ll need to access the WiFi. That being said, whenever you do connect, it’s important to use a virtual private network (VPN) when accessing your information. You don’t know if the hotel is using an up-to-date firewall or if they’re separating the traffic between you and your neighbors, says Hay. “There’s really nothing stopping someone from sniffing the traffic.”

3.     Keep your devices in hand while at breakfast.

The hotel continental breakfast buffet is almost a ritualistic part of traveling on the company dime. Hay, who travels a lot for business, says he’s always surprised by the number of people he sees leave their laptops and devices open as they quickly grab food.

“Physical access trumps all security,” says Christopher Budd, global threat communications manager for Trend Micro. POS malware and sketchy WiFi networks may be making headlines, but it’s always important to keep the hardware out of reach.

“It’s so easy for someone just to walk by, pick up a laptop, and keep walking,” says Hay, adding that someone could also quickly install malware on a thumb drive in the time it takes you to come back from the buffet.

4.     Get loaner devices from IT.

An easy way to protect your company data and stress less about all of the files that could be lost if your device is stolen is to ask your IT department for a loaner computer and phone to use while traveling. It can be inconvenient to have all your devices on your person all of the time, especially if you’re having dinner with clients or attending a formal event. It’s handy to just leave your loaner (and secured) hardware in the hotel room and rest assured that nothing of major significance will be lost if the device is stolen or compromised while you’re away.

Device and hardware theft can happen on the way to the hotel, too. “I have heard horror stories of intelligence agencies using Customs to swap out hardware, USB drives, or laptops while special screenings were being conducted,” Hay says. Having loaner equipment can help eliminate the stress of information and hardware theft while making your way through the airport.

5.     Don’t swipe your card at sketchy ATMs, gift shops, or hotel restaurants.

Many of the 2015 hotel malware attacks targeted gift shop and restaurant POS systems. “We’re seeing attacks there because they’re older systems, on the periphery of a network security,” Trend Micro's Budd says.

Instead of having your card swiped at these systems, both Budd and Hay recommend asking to have your bill charged to the card on file or your room. “Every time your credit card gets swiped, it broadens the attack surface and possibility for information to get stolen,” warns Budd.

Paying in cash may seem like an obvious way to avoid credit card information theft, but DataGravity's Hay cautions against using ATM machines that are rented by the hotel and not owned by major banks. “They’re in heavily trafficked areas, but not high security areas,” says Hay, adding that he steers clear of them based on research and attacks that have happened, and instead gets cash from his bank before he leaves.

6.     Install remote wipe software

If you have to bring with you on the road the company devices you use on a day-to-day basis, Budd recommends installing remote-wipe software on those devices. “Assuming that what you’re bringing with you will get lost or stolen at some point, you want to make it as hard as possible for someone to get what’s on there,” Budd says. Of course, you’ll want to back up all of your files before you leave as well in case you have to remotely wipe your devices for some reason.

7.     Avoid using desk and lamp USB ports

A lot of hotel rooms today offer direct USB plugins on desks and lamps as a convenience to their patrons, but Hay and Budd see these as a potential threat. Hay says to completely avoid using these ports because there’s a chance that information could be copied from your device by some mechanism in the lamp. Stick with wall plugs.

“If I’m using a USB based charger, it’s mine,” says Budd, adding that we’re long past days where a phones power cable is just a power cable. 

Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KPierson
50%
50%
KPierson,
User Rank: Apprentice
5/12/2017 | 6:44:37 AM
Thank you for sharing the blog
Your blog is really very helpful.We use to prefer some of the tips like close the windows, use of trackers for computer and mobile, use hotel room safe for valuable belongings, anti-theft bag. Your blog has some many nice tips for traveler security in hotels. Thank you for sharing.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 10:52:15 AM
Re: Get loaner devices from IT.
The potential for VM's is paramount here. Assuming your loaner devices are generic you could use them as a portal to log into a more defined resource.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 10:50:40 AM
Re: Avoid using public-use terminals
Exactly. To add on to this benefit your machine will still have its local security mechanisms iin place most likely to combat unwanted snooping such as a username and password to log in to your laptop and a timeout to ensure that the activity time is utilized by the owner.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:09:13 AM
Secure VPN
VPN works well when it is site-to-site setup. Such as in corporate offices. You can setup VPN server on your corporate server and use a VPN client in your end device, the communication between the end-device and the server would be encrypted so nobody but your corporate can access the data. No privacy but secure. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:07:52 AM
Re: Get loaner devices from IT.
 

"...  loaner device may be generic. ..."

This is also a good point, for a non-techy person another computer may simply mean he/she would not get his/her job done and additional stress.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:06:23 AM
Re: Get loaner devices from IT.
"... I don't see this being a common occurrence ..."

Agree with you. This was the case in the past, there is less likely an option anymore since we do have our own devices anymore in most cases.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
4/29/2016 | 10:04:43 AM
Re: Avoid using public-use terminals
 

" ... Avoid using public-use terminals ..."

This is a really great tip. Your own laptop is always better, let's say if you are using Gmail on your own laptop it is already encrypted from your laptop to Gmail server. Better than using hotel PC.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
4/29/2016 | 9:52:25 AM
VPN client?
I like the list, quite informative. Just one comment, I love it when I see "use VPN client" option when it comes to secure communication and privacy. Does anybody really think that this is bringing any security or privacy? Every VPN client has a VPN Server which one most likely have no control over so it is not secure or private.
RyanSepe
0%
100%
RyanSepe,
User Rank: Ninja
4/29/2016 | 8:33:19 AM
Get loaner devices from IT.
This is a good idea if your organization has extra devices. I don't see this being a common occurence because in many cases a loner computer isn't completely comprehensive solution for travel. For example, if you have a different role within the organization you may require different access, policies, etc. A loaner device may be generic.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/29/2016 | 8:30:05 AM
Avoid using public-use terminals
This is definitely a good tip. Whenever I visit a hotel I always see someone on the public terminals and knowing the nature of human behavior there are going to be many times that you forget to log out of whatever you were doing...Email, bank, paypal. These sources can provide data that would make it very easier for a snooper to acquire the information they need.
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.