From Ryan Groom,
Your Guide to Business Security.
FREE Newsletter. Sign Up Now!

Introduction

I have spent a fair amount of time travelling. The job of a security advisor is one of airplanes, different cities and numerous clients. The one common link is that while travelling you will invariably spend time in hotels. Almost all hotels now provide wireless access which makes sitting on the bed checking your email while watching the Home Shopping Network that much easier. The fact that many travelling business people forget is that the hotel is not your corporate network. The service is provided as a convenience, not a security measure. Within a hotel, there are many different kinds of people with varied intentions when it comes to your laptop. Remember the 10 laws of Security? If a bad guy can gain access to your system, it is no longer your system.

In a hotel, you are essentially in a hostile environment; well outside the comfy environ your systems administrator provides at your corporate workplace. So what do you do? You have to remain functional on the road. Sitting in the bathroom wearing a tinfoil hat to keep the “Bad People” from reading your thoughts is not the answer either. Taking a little precaution and educating, educating and educating your users is paramount.

This guide will take you through the three biggest tools and techniques you can use to protect yourself in an unknown environment such as a hotel. Microsoft has a great start guide for road Warrior Security listed here:

Microsoft 10 Laws of Security

So, before we even start the guide here, you should take a look. I won’t tell you here that your users should have strong passwords and a cable lock to prevent theft. That is a given. Even the most casual user would probably not intentionally leave a laptop unattended in a busy lobby. So the first stop on our trip is Encryption.

Encryption

If your files are garbled to an intruder, it makes it that much more difficult for them to retrieve information from your laptop. Windows XP comes with EFS (Which is the Encrypted File System) which works well. If you require a little more functionality and robustness I would suggest a full drive encryption and boot block encryption such as that offered by Drive Crypt. You can use TrueCrypt to protect files and set up dummy partitions on your laptop as well. Check out our review of true Crypt here. Whatever tool you use, Encryption is essential if your laptop is travelling the country.

Wireless Security Awareness

When you connect to a strange network, it opens a whole host of issues. One instance I find repeatedly in hotels is users who travel with their own wireless router. They use it in hotels that haven’t been configured for wireless connections. To the user, it is a convenience tool. To the malicious hotel guest, it can be access to your system. Many users do not properly configure their wireless routers as they work perfectly out of the box. Unfortunately they are not secure out of the box. More times I have been in hotels and inadvertently picked up someone else’s wireless router (often with the default manufacturer name as the name of the network...A sure fire way to bet that the user has not configured the security options). Many people say “What’s the big deal?” However, if you haven’t taken steps to secure your computer via Encryption and strong passwords, you could be setting yourself up for an unwanted visitor.

If you are going to set up a wireless router in your hotel room, secure the connection. Do not broadcast the SSID and use WEP (Wired Equivalency Protocol) or even better WPA (WiFI Protected Access) to keep your data secure and those pesky intruders off of your network.

POP/FTP/Telnet - Clear Text Passwords

Just because your computer puts asterisks in place of characters when you type in a password, doesn’t mean that those characters are secure when traversing a network. Email clients that use POP, FTP clients and Telnet sessions all pass your passwords in plain text. Sitting in a hotel running a password grabbing utility, easily provides a bountiful collection for a malicious user. So, if you are going to do any of those three, use a VPN session to your company so that the traffic is encrypted. For email, you can use Outlook Web Access (OWA) if you are running an ISA firewall and Exchange. You can also use RPC over HTTP as a secure method. Many organizations provide webmail as well, which uses an SSL session to protect credentials as they traverse the network. Remember if you are not using an encrypted session, your passwords could open up your computer to an attack, especially since many user’s passwords are the same as the passwords they use to access the corporate network.

Conclusion

Users taking a little precaution and a common sense approach to security will fare well when staying in a hotel. Taking on a layered approach to security and applying the steps in this document will help the Road Warrior remain safe, when the last thing on his mind is security.