During the summer months many of us look forward to a couple of weeks away from the office. However, in reality, complete radio silence from those left behind is not always an option. Easily affordable technology, such as smartphones and tablets, means keeping in touch while away is not just expected, but increasingly the norm.
According to our recent survey conducted by OnePoll, 41% of respondents said they’d be taking their phone with them. While that might seem a fairly normal event given the technology age we live in, those phones are unlikely to be supervised 100% of the time – leaving them vulnerable to theft. With just 50% protected by a password or other security controls, many could be revealing confidential personal or business information.
Here are a few simple things to keep in mind while out and about:
Often, it is all too tempting for holiday makers to pull out an electronic device and check a few things from the hotel’s poolside free Wi-Fi service. Unfortunately, convenience doesn’t always equate to security. That’s why it is very important to use a secure connection when accessing sensitive information, especially if it is on the corporate network.
When sending an email, think of it as sending a postcard – everyone can read it. If unauthorised eyes shouldn’t be reading your message then standard email is perhaps not the best method to send the information. Instead, either use an encryption solution or call the information through.
Establishing a VPN before utilising free Wi-Fi is also highly recommended. The secure SSL tunnel created helps to secure the session and keep corporate network resources safe.
But remember that, even when using a secure connection, make sure to always and completely log out of sensitive sites. While it might seem all a bit James Bond – including the shaken not stirred martini, it is possible for an attacker to hijack a session that has been left open. Of course, some sites will perform an automatic log-out after a period of inactivity, or when the browser closes, but those few moments still present attackers with a window of opportunity to get in if the session hasn’t been purposefully terminated.
Closing down other, non-related Web browser tabs is not a bad idea either. Wi-Fi utilises radio waves to communicate; these waves are accessible to anyone who wants them. It is for this reason Wi-Fi can be so dangerous.
If set up properly, private Wi-Fi connections can be a viable remedy to surfing Wi-Fi spots. And at the very least, WPA2 encryption should be used.
Additional security measures that can be put into place include MAC address filtering (though this can be a bit advanced and can lead to device lockout if not done correctly) and users certainly can’t count on the encryption being provided when using a public network.
Mobile’s on Tour
The mobile market has grown exponentially with two major mobile operating systems leading the way in the smartphone market, iOS and Android. Back in the day when every phone had its own operating system it was usually a less than fruitful endeavour for malware authors to bother targeting any one of them. But now that we’ve narrowed down the playing field, mobile devices have become a much more appealing target.
One simple rule of thumb everyone should heed is safe browsing habits regardless of network or device. Remember, the same dangers that exist on the Web (i.e. black hat SEO poisoning, social media, email and SMS) can also exploit a mobile device.
SMS and voicemail are common vectors of attack for phishing scams today. That’s why it is so important for users to first reach out directly to an institution, organisation or individual and verify information before responding to a questionable voicemail or text. Or, simply delete suspicious messages since responding to them can end up in text charges or possibly even more.
Another rule for safe mobile device usage is security on the device itself. As our survey found, only half of the people questioned had any type of security on their phone, meaning many are at risk of losing more than their device if it goes AWOL – whether at home or abroad. In fact, 12% confirmed their devices contain sensitive information with just 23% able to wipe the device were it lost or stolen.
The functionality of phones today means many are likely to contain personal information (such as stored logins to banking or social media sites) and could provide someone access to sensitive information were the device to be lost or stolen. To minimise this threat, something as simple as activating a password means this information is afforded at least some protection.
However, while a password will thwart the opportunistic thief, someone who is targeting the device because of what it might offer a stronger defence is needed. For those who carry confidential business material, or who are serious about their privacy, additional security needs to be deployed. Encryption software on the device will help protect data in the event that the device becomes lost or stolen. Using a remote wipe to brick the device completely is one way to ensure sensitive information doesn’t fall into the wrong hands.
Finally, while launching a favourite app or trying out some new games may keep us, and even the kids, entertained, it isn’t without some risks. Always make sure these applications come from a reputable source, while keeping aware of the permissions they ask for during the install. Read reviews and learn what others say about them before downloading.
Just like we need to take precautions with our skin – or pay the price with painful sunburn the same applies to CyberSecurity. A little thought before we travel can avoid a holiday becoming far more expensive than first planned.
Fred Touchette | www.appriver.com| @phreadphread
Fred Touchette joined AppRiver in February 2007 as a Senior Security Analyst. Touchette is primarily responsible for evaluating security controls and identifying potential risks. He provides advice, research support, project management services, and information security expertise to assist in designing security solutions for new and existing applications. During his tenure at AppRiver, Touchette has been instrumental in accessing critical IT threats and implementing safeguard strategies and recommendations.
Touchette holds many technical certifications, including CCNA, COMP-TIA Security+, GPEN – GIAC Network Penetration Tester and GREM – GIAC Reverse Engineering Malware through the SANS initiative. He is highly regarded as an expert on email and Internet-based cyber threats, and has been referenced in several top technology publications including USA Today, Forbes.com, Dark Reading and more.