In 2014, cybercriminals in the DarkHotel campaign targeted business executives staying at hotels in Asia. The attackers used spearphishing as well as kernel-mode keystroke logger attacks and cracked weak digital-signing keys to steal data from the victims’ devices.
Then in 2015, the hospitality industry suffered a string of point of sale (POS) malware attacks that included the Hilton Hotel properties, Trump Hotel Collection, Starwood, Hyatt Hotels, and Mandarin Oriental Hotel Group.
When employees travel for business, corporate data is at risk as hotels increasingly become targets of and venues for cyberattacks. Here are seven ways to stay secure at the hotel on a business trip.
1. Avoid using public-use terminals.
Many hotels provide computers and printers, or a public-use terminal, for guests to print plane tickets and check email. When you’re on your way in or out of the hotel and in a rush, it’s tempting to use these spaces in a pinch, but doing so could put your organization's data at risk. “Those things are not maintained as well as an organization that would maintain their systems,” says Andrew Hay, CISO for DataGravity and speaker at next week's 2016 Interop Las Vegas.
2. Use a VPN client when connecting to WiFi.
When traveling for business, it’s a given that you’ll need to access the WiFi. That being said, whenever you do connect, it’s important to use a virtual private network (VPN) when accessing your information. You don’t know if the hotel is using an up-to-date firewall or if they’re separating the traffic between you and your neighbors, says Hay. “There’s really nothing stopping someone from sniffing the traffic.”
3. Keep your devices in hand while at breakfast.
The hotel continental breakfast buffet is almost a ritualistic part of traveling on the company dime. Hay, who travels a lot for business, says he’s always surprised by the number of people he sees leave their laptops and devices open as they quickly grab food.
“Physical access trumps all security,” says Christopher Budd, global threat communications manager for Trend Micro. POS malware and sketchy WiFi networks may be making headlines, but it’s always important to keep the hardware out of reach.
“It’s so easy for someone just to walk by, pick up a laptop, and keep walking,” says Hay, adding that someone could also quickly install malware on a thumb drive in the time it takes you to come back from the buffet.
4. Get loaner devices from IT.
An easy way to protect your company data and stress less about all of the files that could be lost if your device is stolen is to ask your IT department for a loaner computer and phone to use while traveling. It can be inconvenient to have all your devices on your person all of the time, especially if you’re having dinner with clients or attending a formal event. It’s handy to just leave your loaner (and secured) hardware in the hotel room and rest assured that nothing of major significance will be lost if the device is stolen or compromised while you’re away.
Device and hardware theft can happen on the way to the hotel, too. “I have heard horror stories of intelligence agencies using Customs to swap out hardware, USB drives, or laptops while special screenings were being conducted,” Hay says. Having loaner equipment can help eliminate the stress of information and hardware theft while making your way through the airport.
5. Don’t swipe your card at sketchy ATMs, gift shops, or hotel restaurants.
Many of the 2015 hotel malware attacks targeted gift shop and restaurant POS systems. “We’re seeing attacks there because they’re older systems, on the periphery of a network security,” Trend Micro's Budd says.
Instead of having your card swiped at these systems, both Budd and Hay recommend asking to have your bill charged to the card on file or your room. “Every time your credit card gets swiped, it broadens the attack surface and possibility for information to get stolen,” warns Budd.
Paying in cash may seem like an obvious way to avoid credit card information theft, but DataGravity's Hay cautions against using ATM machines that are rented by the hotel and not owned by major banks. “They’re in heavily trafficked areas, but not high security areas,” says Hay, adding that he steers clear of them based on research and attacks that have happened, and instead gets cash from his bank before he leaves.
6. Install remote wipe software
If you have to bring with you on the road the company devices you use on a day-to-day basis, Budd recommends installing remote-wipe software on those devices. “Assuming that what you’re bringing with you will get lost or stolen at some point, you want to make it as hard as possible for someone to get what’s on there,” Budd says. Of course, you’ll want to back up all of your files before you leave as well in case you have to remotely wipe your devices for some reason.
7. Avoid using desk and lamp USB ports
A lot of hotel rooms today offer direct USB plugins on desks and lamps as a convenience to their patrons, but Hay and Budd see these as a potential threat. Hay says to completely avoid using these ports because there’s a chance that information could be copied from your device by some mechanism in the lamp. Stick with wall plugs.
“If I’m using a USB based charger, it’s mine,” says Budd, adding that we’re long past days where a phones power cable is just a power cable.