Attacks/Breaches
3/31/2017
08:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

US Border Policy Shifts May Drive Changes in Laptop Security

In-cabin laptop ban and requirements to unlock devices for border patrol could have enterprises revisiting their on-device data policies.

The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.

Enterprise employees may find that government actions won't just put a crimp on convenience but could also have heavy implications - from a regulatory and intellectual property protection perspective - when combined with growing powers of US Border Control to demand travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability in and out of U.S. soil.

At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grows.

"It’s going to force people to actually implement and enforce the policies they have on paper," says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate MIT's (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. "They're just not enforced," he says, "because people will carry their laptops and they're considered to be using other compensatory strategies to prevent the loss of intellectual property and data."

The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.

"This is not rocket science.  We are talking whole disk encryption, good quality passwords or two factor authentication, and key management," he says.  "Blocking and tackling, but it has to be enforced by each company to be effective."

Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.

"Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords," says Richard Steinnon, Chief Strategy Officer of Blancco Technology Group. "So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage."

In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O'Neill, national security strategist for Carbon Black and a former FBI counter-terrorism operative, military contractors likely wouldn't be able to bring their laptops on affected legs.

"When traveling internationally, the rule of thumb is to keep all critical devices on your person - especially phones, laptops and tablets that have important information on them, or access to important or sensitive information," he says.

The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.

"The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access," says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. "This development may well open these companies to litigation exposure any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices."

Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.

“The laptop ban only affects a small number at present. Laptop searches by border protection is a much broader concern," Hallam-Baker says. "Currently, the main confidentiality control available is full disk encryption, though this does not help if a user can be ordered to unlock the device. And there is a real possibility other governments will follow suit. Whether the U.S. government could be trusted not to abuse data obtained in this manner is irrelevant if your laptop is being searched in Russia."

Many experts believe that this confluence of issues should be enough to convince organizations to update policies and address frequently traveling employees of the risks. Christopher Ensey, COO of Dunbar Security Solutions, urges extreme caution transporting any data at all on laptops, mobile phones or portable media over any border these days.

"The restrictions on what is allowed for inspection and seizure have become nearly impossible to track. The best practice is to take a vanilla device with you that can only connect to sensitive information via secure tunnels and strong authentication," he says. "Latency in faraway lands can be an issue, and frankly the experience isn’t all it’s cracked up to be for the end user. This is, however, the best way to ensure that data isn’t going to be leaked all over the place when crossing a border." 

Employees will lose the ability to access and work on information without internet access, but Morey Haber, vice president of technology for BeyondTrust, believes that this is the best policy for all organizations to adopt. He says that users and admins need to be mindful of managing connection configurations and security after an interaction at the border to be sure to keep the set-up fully secure.

"Whether the mobile device uses VPN or accesses the cloud to retrieve the data, being online to retrieve it and not store it locally, is critical to mitigating these risks introduced by the US government," he says. "In addition, if the device is accessed or copied, organizations need a prompt method to change VPN keys and passwords on those devices to mitigate the image compromised being leveraged against them as well."

Experts say that many organizations may already have derivations of this for travel to certain parts of the world. Wrenn explains that the practice of 'shaking' devices by shady authorities is a well-known practice.

"Companies should already be anticipating these scenarios," he says. "So I think there just may be a need to edit policies to make sure this new use case (at the U.S. border) is factored in."

Steinnon agrees.

"It has long been a best practice when heading to hostile environments to issue clean devices to traveling employees," explaining that organizations typically overwrite memory and load machines with fresh images both before and after travel to certain parts of the world. "Look for this practice to become more common and even for special device services to be built around this new need."

Related Content:

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
newday2017s
50%
50%
newday2017s,
User Rank: Apprentice
4/7/2017 | 3:20:23 AM
Good reading post.
Hi Ericka,

This is a great reading post. I've learn many new things here. Thank for share it here!
newday2017s
50%
50%
newday2017s,
User Rank: Apprentice
4/7/2017 | 3:18:20 AM
Good reading post
Hi Ericka,

This is a great reading article. I've learn many new things from your post. Thank for your time.
marting123
50%
50%
marting123,
User Rank: Apprentice
4/6/2017 | 11:48:04 PM
Amazing article.
Really amazing article, although I am a newbie, but you shared me the best messages. Ericka, looking forward to your update :)
marting123
50%
50%
marting123,
User Rank: Apprentice
4/6/2017 | 7:58:19 PM
Great article.
Hi Ericka, every time I back for your article, I got many much very useful messages and knowledge from your posts, in this great platform, you shared me so many much information and kind information, haha, i am sorry i am not the expert of the subject, but I interest in it :) Looking forward to your great update again, thanks much!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/6/2017 | 4:19:34 PM
Security
I'm with George Wrenn on this.  It'll force companies to do what they already should be doing.

At the same time, however, while I appreciate the security risks of people hacking into on board systems, I am not convinced this is the best way to solve the problem (especially because what can be done on a laptop can be done on a jailbroken mobile device).  I'd rather see better InfoSec in this environment, even to the point of lack of connectivity.  If the cost is no Wi-Fi for the two to four hours it takes to get to Atlanta, that to me is better than "you can't bring your laptop/device."
marting123
50%
50%
marting123,
User Rank: Apprentice
4/5/2017 | 10:54:23 PM
Amazing and professional article.
I really appreciate your great article here, very informative and useful, I am a newbie here, but I am very glad and pleasure to get your amazing post here, have you updated any articles else? I will be very glad to enjoy again...
marting123
50%
50%
marting123,
User Rank: Apprentice
4/5/2017 | 5:36:12 PM
Thanks for your great article.
Hi Ericka, I really appreciate your great article here, very informative and useful, I am a newbie here, but I am very glad and pleasure to get your amazing post here, have you updated any articles else? I will be very glad to enjoy again...
marting123
50%
50%
marting123,
User Rank: Apprentice
4/4/2017 | 8:55:54 PM
Great job.
Sure, i agree with you, the blogger shared us amazing and professional messages, great!
Shantaram
50%
50%
Shantaram,
User Rank: Ninja
4/4/2017 | 4:38:27 AM
Re: 192.168.1.1
Nice answers! Thanks guys, for your job
jenshadus
50%
50%
jenshadus,
User Rank: Strategist
4/3/2017 | 8:57:34 AM
Catch 22
Besides tunneling to a VDI, or corporate data...which requires an Internet connection, other options include:

1.  thumbdrive...however there are many corporations disabling this option

2.  Removable encrypted hard drive, which still may require a USB connection (I don't know of any maker that allows removing the hard drive in a laptop anymore)

Both these option allow the passenger to carry their data with them, while checking in their laptop. 

Does this policy include checking tablets?  A person might still be able to VPN to a VDI using tablets nowadays.
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.