3/31/2017
08:00 AM

US Border Policy Shifts May Drive Changes in Laptop Security

In-cabin laptop ban and requirements to unlock devices for border patrol could have enterprises revisiting their on-device data policies.

The new travel ban enacted by the U.S. Department of Homeland Security for laptops in the cabin of flights from certain countries may have corporate risk managers revisiting policies about how road warriors handle data on laptops and mobile devices.

Enterprise employees may find that government actions won't just put a crimp on convenience but could also have heavy implications, from a regulatory and intellectual property protection perspective, when combined with the growing powers of US Border Control to demand that travelers unlock their devices for inspection. As things develop, large organizations doing international business may be facing a new minefield when it comes to device-based data portability into and out of the U.S.

At the bare minimum, experts believe this latest decree by the feds will bolster resolve for existing policies on endpoint security as worries about devices disappearing from checked luggage grow.

"It’s going to force people to actually implement and enforce the policies they have on paper," says George Wrenn, CEO and founder of CyberSaint Security, and a research affiliate of MIT's (IC3) Critical Infrastructure Protection Program. He explains that most large organizations already have policies on device encryption, authentication and data storage to plan for loss or theft. "They're just not enforced," he says, "because people will carry their laptops and they're considered to be using other compensatory strategies to prevent the loss of intellectual property and data."

The question now becomes how to effectively enforce policies that have long been ignored, says Jonathan Gossels, president and CEO of SystemExperts.

"This is not rocket science.  We are talking whole disk encryption, good quality passwords or two factor authentication, and key management," he says.  "Blocking and tackling, but it has to be enforced by each company to be effective."

Nevertheless, even with the basic blocking and tackling in place, many organizations may still be squirrely about laptops with corporate secrets or customer data sets being parted from their caretakers into aircraft holds.

"Most organizations won’t feel comfortable with employees packing away their company-owned laptops and other IT equipment into their luggage, even if they are properly secured with encryption and passwords," says Richard Steinnon, Chief Strategy Officer of Blancco Technology Group. "So, I imagine that employees traveling to the countries included in this ban will likely be asked by their employers to not carry these devices with them. If they have to, they will likely be told to remove all non-essential data before they check in their IT assets in their baggage."

In some instances, simply leaving a corporate laptop unattended may already be against company policy. For example, warns Eric O'Neill, national security strategist for Carbon Black and a former FBI counter-terrorism operative, military contractors likely wouldn't be able to bring their laptops on affected legs.

"When traveling internationally, the rule of thumb is to keep all critical devices on your person - especially phones, laptops and tablets that have important information on them, or access to important or sensitive information," he says.

The travel ban is just one part of the equation. Even more troubling are the inspection rights that border patrol have increasingly been asserting with regard to devices, even those locked by their possessors.

"The long-term substantial impact is that key information may be exposed, unpredictably, and for no substantive reason, to inspectors who have no right to that access," says Mark Graff, CEO of Tellagraff and former CISO for Nasdaq. "This development may well open these companies to litigation exposure any inadvertent violation of data security regulations. It is only a matter of time before companies fined for violating federal standards take the federal government to court for forcing that violation with the new order inspection practices."

Both the laptop ban and the requirement of unlocking devices for inspectors throw up data confidentiality and integrity issues, explains Phillip Hallam-Baker, vice president and principal scientist at Comodo. However, the latter is a lot more difficult because there are few compensating controls.

"The laptop ban only affects a small number at present. Laptop searches by border protection is a much broader concern," Hallam-Baker says. "Currently, the main confidentiality control available is full disk encryption, though this does not help if a user can be ordered to unlock the device. And there is a real possibility other governments will follow suit. Whether the U.S. government could be trusted not to abuse data obtained in this manner is irrelevant if your laptop is being searched in Russia."

Many experts believe that this confluence of issues should be enough to convince organizations to update policies and advise frequently traveling employees of the risks. Christopher Ensey, COO of Dunbar Security Solutions, urges extreme caution in transporting any data at all on laptops, mobile phones or portable media over any border these days.

"The restrictions on what is allowed for inspection and seizure have become nearly impossible to track. The best practice is to take a vanilla device with you that can only connect to sensitive information via secure tunnels and strong authentication," he says. "Latency in faraway lands can be an issue, and frankly the experience isn’t all it’s cracked up to be for the end user. This is, however, the best way to ensure that data isn’t going to be leaked all over the place when crossing a border." 

Employees will lose the ability to access and work on information without internet access, but Morey Haber, vice president of technology for BeyondTrust, believes that this is the best policy for all organizations to adopt. He says that users and admins need to be mindful of managing connection configurations and security after an interaction at the border to be sure to keep the set-up fully secure.

"Whether the mobile device uses VPN or accesses the cloud to retrieve the data, being online to retrieve it and not store it locally, is critical to mitigating these risks introduced by the US government," he says. "In addition, if the device is accessed or copied, organizations need a prompt method to change VPN keys and passwords on those devices to mitigate the image compromised being leveraged against them as well."

Experts say that many organizations may already have some version of this in place for travel to certain parts of the world. Wrenn explains that the 'shaking' of devices by shady authorities is a well-known practice.

"Companies should already be anticipating these scenarios," he says. "So I think there just may be a need to edit policies to make sure this new use case (at the U.S. border) is factored in."

Steinnon agrees.

"It has long been a best practice when heading to hostile environments to issue clean devices to traveling employees," he says, explaining that organizations typically overwrite memory and load machines with fresh images both before and after travel to certain parts of the world. "Look for this practice to become more common and even for special device services to be built around this new need."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
jenshadus,
User Rank: Strategist
4/3/2017 | 8:57:34 AM
Catch 22
Besides tunneling to a VDI, or corporate data...which requires an Internet connection, other options include:

1.  thumbdrive...however there are many corporations disabling this option

2.  Removable encrypted hard drive, which still may require a USB connection (I don't know of any maker that allows removing the hard drive in a laptop anymore)

Both these options allow the passenger to carry their data with them, while checking in their laptop.

Does this policy include checking tablets?  A person might still be able to VPN to a VDI using tablets nowadays.
Shantaram,
User Rank: Ninja
4/4/2017 | 4:38:27 AM
Re: 192.168.1.1
Nice answers! Thanks guys, for your job
marting123,
User Rank: Apprentice
4/4/2017 | 8:55:54 PM
Great job.
Sure, I agree with you, the blogger shared us amazing and professional messages, great!
marting123,
User Rank: Apprentice
4/5/2017 | 5:36:12 PM
Thanks for your great article.
Hi Ericka, I really appreciate your great article here, very informative and useful, I am a newbie here, but I am very glad and pleasure to get your amazing post here, have you updated any articles else? I will be very glad to enjoy again...
marting123,
User Rank: Apprentice
4/5/2017 | 10:54:23 PM
Amazing and professional article.
I really appreciate your great article here, very informative and useful, I am a newbie here, but I am very glad and pleasure to get your amazing post here, have you updated any articles else? I will be very glad to enjoy again...
Joe Stanganelli,
User Rank: Ninja
4/6/2017 | 4:19:34 PM
Security
I'm with George Wrenn on this.  It'll force companies to do what they already should be doing.

At the same time, however, while I appreciate the security risks of people hacking into on board systems, I am not convinced this is the best way to solve the problem (especially because what can be done on a laptop can be done on a jailbroken mobile device).  I'd rather see better InfoSec in this environment, even to the point of lack of connectivity.  If the cost is no Wi-Fi for the two to four hours it takes to get to Atlanta, that to me is better than "you can't bring your laptop/device."
marting123,
User Rank: Apprentice
4/6/2017 | 7:58:19 PM
Great article.
Hi Ericka, every time I back for your article, I got many much very useful messages and knowledge from your posts, in this great platform, you shared me so many much information and kind information, haha, I am sorry I am not the expert of the subject, but I interest in it :) Looking forward to your great update again, thanks much!
marting123,
User Rank: Apprentice
4/6/2017 | 11:48:04 PM
Amazing article.
Really amazing article, although I am a newbie, but you shared me the best messages. Ericka, looking forward to your update :)
newday2017s,
User Rank: Apprentice
4/7/2017 | 3:18:20 AM
Good reading post
Hi Ericka,

This is a great reading article. I've learned many new things from your post. Thanks for your time.
newday2017s,
User Rank: Apprentice
4/7/2017 | 3:20:23 AM
Good reading post.
Hi Ericka,

This is a great reading post. I've learned many new things here. Thanks for sharing it here!