International Travel Guidelines
International travel has unique risks compared to domestic travel. The difference in legal statutes between nations and the process of crossing international borders can frequently render typical security controls we use to protect sensitive data unworkable.
U.S. Customs and Border Protection, for example, has been searching through and copying the contents of laptops for several years, compelling users to divulge credentials and encryption keys as necessary in order to do so. Such acts have been upheld by U.S. courts repeatedly. Other countries are following our lead in this area. Refusal to comply may result in a number of negative consequences, such as the seizure of the device or being denied entry into the host country. Even assuming that border protection agents of any given nation could be trusted to safeguard the data they copy from additional exposure (don't bet on it), this might still constitute a violation of any contracts or laws governing unauthorized disclosure of the specific data. The mere presence of encryption is now seen as suspicious. In fact, many countries restrict the importation and use of cryptography tools within their borders. This then leads to additional risks from other areas. If encryption cannot be used to protect data, then the risks and likelihood of disclosure from physical theft or loss increase significantly.
Once in the country, risks to sensitive data continue from other areas besides physical loss. Digital espionage is a growing concern and researchers are often the target. The goal isn't always the data you have on you at the time, but also what you may have access to when you return. As a result, many attackers will lay low even after compromising their target so you may not have any indication you've been hacked until much later. The U.S. Chamber of Commerce learned this the hard way when the F.B.I. informed them that servers in China had been stealing information from four of their Asia policy experts, who frequently travel to China, for months.
Because of our proximity to Mexico, "international travel" includes activities performed when University employees practice medicine south of the border. Travelers must take extreme care not to keep sensitive protected health information (PHI) on any device that may be lost, stolen, confiscated, or copied. Customs and Border Protection officials currently have the right to inspect electronic devices entering and leaving the United States, including the authority to confiscate and/or copy the contents of those electronic devices. In this case, any PHI stored on those devices would be outside the control of the employee and in the possession of someone without a legitimate need to possess that data. This would constitute a data breach, which would generate a great deal of trouble for the employee, the University, and most of all the affected patients.
The previous paragraphs point out that sensitive data is at risk both while out of the country and while entering and leaving the United States. The choices of what data and devices to carry should be based on a personal risk assessment of what you actually need to have with you and what you can afford to do without, should your devices be lost, stolen, or confiscated.
This guide is intended to provide employees engaging in international travel and the Technical Service Representatives (TSRs) and Information Technology Service Management (ITSM) team supporting these employees with some recommended precautions and measures that can be taken in order to protect sensitive University data. Sensitive data is defined as:
- protected health information (PHI)
- student identifiable information (SII)
- personally identifiable information (PII)
- Social Security numbers (SSNs)
- credit card information
- sensitive research information
Note that you should not travel with or access export-controlled (e.g. ITAR) data from the T5 export controlled countries, which are: Iran, Syria, Sudan, North Korea, and Cuba.
Before leaving for international travel
- Check to see if the country you're traveling to has any encryption import restrictions. Some countries do not allow cryptography tools to be imported or used within their borders without a license, or in some extreme cases, at all. For example, China, Israel, and Russia all have restrictions on the import and use of encryption tools. A listing of the encryption import and export restrictions for some countries can be found at https://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography. If the import of encryption tools is restricted, and there is no personal use exception, follow the other recommendations in this guide to secure any sensitive data you may be taking with you. We strongly recommend the use of loaner laptops when traveling to countries where the import of encryption tools are restricted (see next bullet).
- Whenever possible, arrange to use loaner laptops and handheld devices while traveling. While not always easy, this is perhaps the single most significant and effective step you can take. It vastly reduces the likelihood that theft or compromise will expose historical or archived data not relevant to the current trip. It also means that upon your return, the device can be easily erased, helping mitigate the risks of advanced persistent threats. If obtaining a loaner device is not possible, some other effective options include:
- Purchase a new hard drive and swap it with the one currently in the device. Install a fresh copy of the operating system and only the applications that will be necessary on your trip. Store the old hard drive securely on campus and put it back in when you return.
- For extended-duration trips, utilize a Self-Encrypting Drive (SED) with a BIOS password. It's possible that over time you will accrue local copies of any sensitive data you work with in the form of temporary files, backups, cached data, etc. even if you don't intentionally save sensitive data to your device. Using a SED with a BIOS password allows you to quickly enable and disable the password protection to go through border checkpoints while still keeping the data encrypted at rest.
- Live CDs (bootable operating systems on a CD or USB) are freely available for many distributions of Linux. This can provide a pristine, unchanged operating environment at every boot up - and if something does happen, fixing it is as simple as rebooting again.
- Do not store sensitive data on any internal or external local media. Thieves target travelers and, because of legal issues surrounding the use of encryption as well as customs and border checkpoints, you might not be able to utilize encryption to protect data stored on physical media as you would be able to inside the U.S.
- Do not store any credentials to services or accounts on the device outside of applications designed to securely store and handle credentials (e.g. do not use Notepad). Some applications that are suitable for this are 1Password, Lastpass, and KeePass.
- Configure your web browser to not save credentials. Use the private browsing features in modern web browsers to prevent data and credentials from being cached locally by your web browser. IE, Chrome, Firefox, Edge, and Safari all support private browsing; click here to see how.
- Leave sensitive data stored securely on University servers and access it remotely via secured communications (e.g. use the VPN ). This requires planning in advance, but there are a number of services available on campus, such as leased mass storage (LMS), that might be suitable. Make sure that the service you use is appropriate for the quantity and sensitivity of the data that you will be working with. Note: Remember, sensitive University data CANNOT be stored on any public cloud service (Dropbox, Box, etc.), and can only be stored on University servers and services.
- The VPN provides a secure and encrypted way of connecting to University services remotely, and all traffic and transactions performed while using the VPN travel through the University's network and firewall, and are subject to all University policies regarding usage and monitoring.
- If you need to use specialized software or access large data sets that you have access to on your local workstation, remote desktop may be a viable option. This would let you connect to and interact with your desktop from a remote location as if you were here. Remote desktop requires the use of the VPN and two-factor authentication (2FA).
- Make sure the operating system and all applications are fully updated for security patches. Uninstall unnecessary and unused applications - these only serve to present a larger attack surface. Configure the applications you do require to automatically update and/or notify you of available updates, if such features are present. Special concern should be given to ensuring that applications used to interact with web services, such as web browsers (Firefox, IE, Chrome), Adobe Acrobat and Flash, Silverlight, Java, etc., are fully up-to-date. These applications are increasingly being targeted by malware authors over operating system vulnerabilities because so many users fail to patch them consistently.
- Configure all devices to meet the minimum requirements as stated in University Information Security policies. All devices used to perform work on behalf of the University must meet the requirements mentioned in the Handbook of Operating Procedures (HOP) 5.8.8 (Information Resource Security Configuration and Management) and/or HOP 5.8.12 (Mobile Device and Personally Owned Computing Policy). Basics include current backups, updated patches, up-to-date anti-malware protection, etc.
While you are traveling
- Follow the principle of least privilege. While traveling you will likely be connecting to many new, probably poorly managed, and potentially unsafe networks (e.g. in airports and hotels). Expect to be targeted by malicious users on these networks. Do not use an administrator account as your primary user account. A surprising amount of malware and browser exploits can be defeated by something as simple as running as a non-administrative user account.
- Be careful what networks you connect to. Anybody can bring up a wireless network and call it whatever they want, hoping to lure unsuspecting travelers into connecting. This is especially an issue at airports and hotels, where people have come to expect wireless connectivity. Ask an employee at the place of business if they provide WiFi and, if so, what the network name is. Don't connect to rogue networks - this can make it easy for someone to intercept and even alter your communications. In some cases, simply connecting to a rogue wireless network can be enough to compromise your computer and load malicious software on it. As a general rule, both at home and abroad, minimize the amount of sensitive transactions you make while connected to public wireless network; you never know who's watching.
- Turn off wireless when your device is not in use or when network connectivity isn't required. This keeps your device from broadcasting its presence looking for available networks, as well as associating with an unauthorized network that may share the name of one you have connected to in the past. It also reduces wear and tear on your battery.
- Do not automatically join any wireless networks from laptops, tablets, or cell phones. Manually pick the specific network you want to join.
- Turn off Bluetooth when it's not actively being used. This makes your device less visible to nearby computers, and also preserves battery life.
- Keep track of what credentials you use to interact with services, any services. You'll want to change these as soon as you return. As a general good security practice, do not use the same password for multiple services; this way, if one account is compromised, it does not lead to the compromise of others. And again, any services, personal or professional.
Upon returning from international travel
- Very simply, assume that you have been compromised while traveling abroad and act accordingly. It can be very difficult to determine if a device has been compromised. Don't trust the applications on your device and do not use the device to do work or connect to services on campus.
- If you didn't travel with a loaner device or a new hard drive, format and reinstall the operating system and applications.
- If you installed a new hard drive in your laptop before traveling, remove it and put your original hard drive back.
- Change all credentials that you used to access any services. Refer to the list you made while traveling to make sure you change them all. Remember to pick strong, complex passwords and do not reuse the same password for multiple services.
- Restore your devices to their pre-travel state. Namely, turn off any services that you enabled specifically to facilitate your work while traveling (e.g. remote desktop).