Operational Security – Home Rules

A story from a friend of mine about a holiday travel incident reminded me that when it comes to information security, even a single lapse in vigilance can result in painful long-term consequences.   He travels fairly frequently in the U.S., Canada and Europe and in addition to following his company’s travel policies; he’s also asked me for advice and recommendations on how to best protect his informational assets while he travels. I’ve offered some of the standard security industry advice. My suggestions to him were:

  • If possible, don’t travel with your company laptop and primary cell phone to prevent the possibility of data loss via copying or theft
  • If you must carry one or both with you, use your phone’s screen lock, encrypt the phone and any external SD cards, and make sure whole disk encryption and firmware/EMI passwords are active on your laptop
  • If there is any chance your company or personal laptop might be out of your possession for longer than the security line, keep its hard drive in stored separately, and away form the laptop. Preferably, in your pocket.
  • Travel with a loaner/burner laptop with no sensitive information on it, and keep any sensitive data on an encrypted USB stick or in secure, encrypted cloud storage
  • Physically disable external ports (USB, Firewire, etc) on your burner/loaner laptop
  • Use two-factor authentication on ALL connections to company and personal resources
  • Only access sensitive data via VPN to your company’s secure private location or cloud and never save documents locally

The list could go on, but you get the idea. We’ve also talked about physical security and I’ve reminded him about one of the basic tenets of information security; if you can’t provide adequate physical control of your assets and another party can have unfettered access, consider them compromised.

The Story

My friend and his wife and son had made separate trips over the holidays to visit friends and family, and he was in a position to go to the airport to pick up his wife and son when they returned. He met them in the baggage claim and they waited for their bags. His son’s baggage came off the carousel, but unfortunately his wife’s did not. When they went to the airline’s customer service desk to inquire about the missing luggage, the airline representative said they don’t track bags and took her name. The agent assured them that the next flight from Denver would arrive early the next morning, the bag would likely be on it, and they would give her a call once it arrived.

Driving home, he asked what she had in her bag and the first thing she said was her laptop. Surprised, he had asked why she had her laptop as it had sat at home for years. She said she had taken it so she could fill out a financial aid application for their son’s college and all the information she needed was on it.

His wife was a realtor, and he asked her what other information she might have on her laptop. She said her work and personal email, all of the real-estate contracts she had ever written, some personal documents and some family pictures. When it came to the computers in the house, he had never thought to encrypt her hard drive because for years she had used it like a desktop, he never imagined it would leave the house.

They could change all the website passwords she used for banking, social media, shopping, etc., but the contract information was a bit more problematic. Dozens or possibly hundreds of records may be compromised. Granted, much of this information would be public record, but there would also be personal financial information of buyers and sellers. They would have to notify her office and let them decide how to proceed.

I reminded him she needed to change all her email account passwords as well, and suggested that from this point forward she change every password on every site she logs into the next time she visits. I also told him to have her change all her banking and credit card site passwords immediately, based on the assumption that at some point, someone could gather all the passwords on the PC.

He told me his wife called the airline after the first Denver flight came in the next day and no bag. My friend decided to assume the bag was gone for good. He asked his wife to start thinking about everything that was in the bag so they could write it all down on the claim, and she listed a long list of things, such as the original claim form from her son’s recent auto accident, their last year’s tax return, along with his and her last paystubs, and a copy of his and her driver’s licenses, all in the lost bag.

Stunned, he asked her why all those documents were in her bag and she said she needed to complete her son’s financial aid paperwork while she was on her trip, so she grabbed the docs she needed and stuffed them in her bag so she could fill them out before the deadline. Someone with that bag would know everything they needed to steal his, his wife’s and his son’s identities and socially engineer attacks against all the businesses, organizations and government entities they interact with for a very long time. With just paper documents, that person wouldn’t even need specialized computer skills. Information he told me that could be compromised for all three of them:

  • SSN’s
  • Potential access to his son’s medical history
  • His son’s financial and university information and accounts
  • Banking institutions and brokerage account numbers and balances
  • Past and present home addresses
  • Past and present employers, including contact information
  • Income, investments, and sources
  • Email addresses

I told him he should weigh the possibility of all scenarios; that his bag may have just been lost by the airline and sitting somewhere; that someone rifled through it, took the laptop and sold it to someone who has no interest in stealing his information; or that someone took the bag, knew what they had found, and then took steps to leverage the information for personal gain. While the probability of one of the first two occurring outweighed the third, it provided him little comfort.

The best things I could tell him to do were:

  • Call one of the three major credit agencies (Experian, TransUnion, or Equifax), and put a fraud alert on all three of their credit files. Whichever agency you call will alert the other two within 24-hours so you don’t have to call all three. That should prevent anyone from opening any new credit or charge accounts in their names
  • Change all of their email address passwords and consider establishing new email addresses altogether
  • Consider closing any bank or brokerage accounts that may have been listed and open new ones
  • Start going over every bank and credit card statement line-by-line every month for at least the next year and match up receipts for everything
  • Change every password on every website they use
  • Enable two-factor authentication on every website that offers it
  • Enable two-factor authentication on their email accounts that offer it
  • Encrypt every hard drive, every phone and every device they use remaining in their house. Also make sure every device has PIN or password protection turned on

He asked me if he should enroll his family in one of the services that guarantee protection against identity theft. I said that was his decision, but they are potentially very invasive and don’t have a great track record of doing what they promise.

I talked to him again a couple weeks ago and he mentioned some good news. The airline had eventually found the bag six days later and it had been sitting at the destination airport the whole time. The agent at check-in had put the son’s name on both checked bags, which is why they couldn’t find a bag with her name anywhere. When they went to pick it up, she said everything looked exactly as it had when she packed it.

It was a wake-up call for me as well and subsequently I too encrypted everyone’s PCs and laptops, made sure everyone had passwords and PINs in use, and reminded everyone to keep sensitive devices and documents in their control at all times when traveling – including not leaving phones\tablets\laptops unattended and in plain view in a vehicle. What we tell those we advise in business also applies to friends and family; the time you spend preparing now may save you countless hours of worry and expense down the road.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s