Things to be aware of when planning a trip
This information will help prepare travelers on University related business who use personal or university-owned equipment, and reminds faculty, staff and students of their security responsibilities/best practices for protection of both physical assets and data.
Faculty, staff and students are encouraged to carefully review the material below to better understand security regulations and policies and to facilitate them in the successful performance of their University related travels.
Whether using a personal computing device or a university provisioned resource, individuals are required to fully understand the risks associated with working with University of Rhode Island owned and personal data, while off campus.
Before you depart
Whenever possible, arrange to use loaner laptops and handheld devices while traveling. While not always easy, this is perhaps the single most significant and effective step you can take. It greatly reduces the likelihood that theft or compromise will expose historical or archived data not relevant to the current trip. It also means that upon your return, the device can be easily erased, helping mitigate the risks of advanced persistent threats. If obtaining a loaner device is not possible, some other effective options include:
- Purchase a new hard drive and swap it with the one currently in the device. Install a fresh copy of the operating system and only the applications that will be necessary on your trip. Store the old hard drive securely on campus and put it back in when you return.
- For extended-duration trips, utilize a Self-Encrypting Drive (SED) with a BIOS password. It’s possible that over time you will accrue local copies of any sensitive data you work with in the form of temporary files, backups, cached data, etc. even if you don’t intentionally save sensitive data to your device. Using an SED with a BIOS password allows you to quickly enable and disable the password protection to go through border checkpoints while still keeping the data encrypted at rest.
- Live CDs (bootable operating systems on a CD or USB) are freely available for many distributions of Linux. This can provide a pristine, unchanged operating environment at every boot up – and if something does happen, fixing it is as simple as rebooting again.
Do not store sensitive data on any internal or external local media. Thieves target travelers and, because of legal issues surrounding the use of encryption as well as customs and border checkpoints, you might not be able to utilize encryption to protect data stored on physical media as you would be able to inside the U.S.
- Back up your Blackberry to your local work computer. Once you have a complete backup, you can arrange to have your Blackberry wiped clean, by contacting the URI Help Desk. Contacts can then be added back to your Blackberry.
- Do not set up any email accounts on your Blackberry and make sure Bluetooth is turned off. See the Email Section below for email instructions.
- Upon return from your trip, contact the URI Help Desk to have your Blackberry wiped clean and then restored from the backup you made prior to travel.
All other Smartphones
- Back up according to your manufacturer’s instructions and then factory reset your phone. If needed then only sync your contacts.
- Do not set up any email accounts and make sure Bluetooth is not enabled.
- Upon return from your trip, perform another factory reset and restore from your backup.
- Set up a free email account for use only for this trip. Use a password that has not been used previously. Once the account has been set up, you can then have people email you at your temporary account.
Other Helpful Information
- Leave sensitive data stored securely on URI Servers and access it remotely via secured communications (e.g. use the URI VPN). Please contact the Information Security Office to obtain VPN access.
- The URI VPN provides a secure and encrypted way of connecting to university resources remotely, but only traffic destined for URI is encrypted.
- Do not store sensitive data with any cloud services (e.g. Dropbox, Google Drive, Skydrive etc.). These cloud services are fine for files that do not contain any sensitive data.
- Make sure all applications are fully updated for security patches. Uninstall unnecessary and unused applications. A general rule of thumb is “if you don’t use it, lose it.”. These applications only serve to present a larger attack surface. Configure the applications you do require to automatically update or notify you of available updates. Special concern should be given to ensuring that applications used to interact with web services, such as web browsers (Firefox, IE, Chrome), Adobe Acrobat and Flash, Silverlight, Java, etc., are fully up-to-date. These applications are increasingly being targeted by malware authors over operating system vulnerabilities because so many users fail to patch them consistently.
- Follow the principle of least privilege. While traveling you will likely be connecting to many new, poorly managed and potentially unsafe networks (e.g. airports and hotels). Expect to be targeted by malicious users on these networks. Do not use an administrator account as your primary user account. A large amount of malware and browser exploits can be defeated by something as simple as running a non-administrative user account.
- Be careful what networks you connect to. Anybody can bring up a wireless network and call it whatever they want, hoping to lure unsuspecting travelers into connecting. This is especially an issue at airports and hotels, where people have come to expect wireless connectivity. Ask an employee at the place of business if they provide WiFi and if so what the network name is. Don’t connect to rogue networks – this can make it easy for someone to intercept and even alter your communications.
- Turn off wireless when your device is not in use or when network connectivity isn’t required. This keeps your device from broadcasting its presence looking for available networks, as well as associating with an unauthorized network that may share the name of one you have connected to in the past.
- Do not automatically join any wireless networks from laptops or cell phones. Manually pick the specific network you want to join.
- Turn off Bluetooth when it’s not actively being used.
- Keep track of what credentials you use to interact with services. You’ll want to change these when you return. Do not use the same password for multiple services so that if one account is compromised it does not lead to the compromise of others.
- On your laptop make sure you have the basics, such as a working backup, up-to-date anti-virus, software firewall, etc.
Upon your return
- Very simply, assume that you have been compromised while traveling abroad and act accordingly. It can be very difficult to determine if a device has been compromised. Don’t trust the applications on your device and do not use the device to do work or connect to services on campus. Make sure to format your laptop upon returning from your travels
- If you didn’t travel with a loaner device or a new hard drive, format and reinstall the operating system and applications.
- Change all credentials that you used to access any services. Refer to the list you made while traveling to make sure you change them all. Remember to pick strong, complex passwords and do not reuse the same password for multiple services.
- Restore your devices to their pre-travel state.
The following links provide additional information to protect your physical assets and data while on university-related business travel:
Contact firstname.lastname@example.org with any questions or concerns about information security and travel.