Technical advice for travelling overseas with electronic devices
Download ACSC Protect: Technical advice for travelling overseas with electronic devices (PDF), December 2012
Published December 2012
- This product has been developed to assist IT security staff to secure agency devices and information before employees travel overseas. It should be read in conjunction with the advice provided in Travelling overseas with an electronic device. Additionally, this document should be considered in conjunction with an agency-developed risk assessment for high-threat travel situations and with Department of Foreign Affairs and Trade travel advice. For devices carrying classified information, consult the Australian Government Information Security Manual (ISM).
- Government employees travelling overseas face additional information security risks. The following advice provides steps IT security staff should take before agency employees travel in order to maximise the security of devices and the information held on them. This is general advice which may not be applicable to every device.
- Update the operating system and all software applications installed on the device before the trip and while away. It is important to note that most updates are fixes for identified vulnerabilities and should be applied as soon as they become available. If using a Windows operating system, automatic updates should be used. However, if using automatic updates, this should be done through a connection to a virtual private network (VPN) back to the agency.
- Minimise administrative privileges on the device to only users who need them. You should restrict the user's rights in order to permit them to only execute a specific set of predefined functions as required to complete their duties.
- Enable application whitelisting to only allow approved programs to run, while all other programs are blocked from running by default. Solutions include Microsoft AppLocker. For tablets and smartphones, use mobile application management to specify which applications are allowed to be used.
- Install an agency-approved antivirus product on the device. Virus pattern signatures should be checked for updates several times per day and installed as soon as they become available. All storage should be regularly scanned for malicious code. This will reduce the risk of the device being compromised by malicious software.
- Where possible, install a firewall to protect against malicious or unauthorised incoming network traffic, preferably one from ASD's Evaluated Products List.
- Disable unnecessary features or software. Minimising software on the device reduces opportunities to exploit and gain access to the device through software vulnerabilities.
- For all hardware and software, implement passphrase policies as per the ISM or, if available, a device-specific ASD hardening guide (as passphrase policies may differ from the generic advice in the ISM). This includes preventing the user changing their passphrase more than once a day.
- Use data execution prevention functionality, preferably hardware-based, which will run additional checks to ensure that certain types of vulnerabilities are harder to exploit.
- Baseline the device prior to departure and again on return to look for any signs of compromise. This involves auditing what is installed and running on the device and how it is configured prior to and after travelling. Ensure that any changes to the device have been approved and authorised. If you note anything of concern, report the incident to the Cyber Security Operations Centre, who will advise of further action you can take.
- Once you have baselined the device upon return, it is important to wipe or reset the device. This should be done even if nothing suspicious is noted.
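An added illustration of the baseline comparison described above (not part of the ACSC advice): it compares a pre-departure snapshot with a post-return snapshot and lists every change that is not on an approved list. The snapshot layout, category names and sample values are constructed assumptions; how the snapshot is collected depends on the device.

```python
import hashlib
import json

_MISSING = object()  # distinguishes "absent" from a stored value of None


def snapshot_digest(snapshot):
    """SHA-256 of a snapshot; record it off-device so the baseline can be verified on return."""
    canonical = json.dumps(snapshot, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def diff_baseline(before, after, approved=frozenset()):
    """Return (category, item, kind, old, new) for every change not in `approved`."""
    findings = []
    for category in sorted(set(before) | set(after)):
        old, new = before.get(category, {}), after.get(category, {})
        for item in sorted(set(old) | set(new)):
            a, b = old.get(item, _MISSING), new.get(item, _MISSING)
            if a == b or (category, item) in approved:
                continue
            kind = "added" if a is _MISSING else "removed" if b is _MISSING else "changed"
            findings.append((category, item, kind,
                             None if a is _MISSING else a,
                             None if b is _MISSING else b))
    return findings


# Constructed sample snapshots (hypothetical names and values, not from a real device).
PRE_DEPARTURE = {
    "software": {"AgencyVPN": "4.2.1", "OfficeSuite": "15.0"},
    "services": {"AgencyVPN": "running", "Bluetooth": "disabled"},
    "config": {"firewall": "on", "local_admins": "itsupport"},
}
ON_RETURN = {
    "software": {"AgencyVPN": "4.2.2", "OfficeSuite": "15.0", "RemoteHelper": "1.0"},
    "services": {"AgencyVPN": "running", "Bluetooth": "enabled"},
    "config": {"firewall": "on", "local_admins": "itsupport,traveller"},
}
# Changes the agency authorised in advance, e.g. an update delivered over the VPN.
APPROVED = {("software", "AgencyVPN")}

if __name__ == "__main__":
    for category, item, kind, old, new in diff_baseline(PRE_DEPARTURE, ON_RETURN, APPROVED):
        print(f"UNAPPROVED {kind}: {category}/{item}: {old!r} -> {new!r}")
```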
- ASD recommends that information on all mobile devices be encrypted. Refer to the ISM for evaluated products and approved algorithms.
- Encryption at rest. All mobile devices should be encrypted in order to mitigate the risk of unauthorised access to information. Agencies using encryption to secure data at rest should implement evaluated products and approved algorithms and should use either:
  - full disk encryption, or
  - partial disk encryption, where the access control will only allow writing to the encrypted partition.
- Full disk encryption provides a greater level of protection than file-based encryption. While file-based encryption may protect individual files, there is a risk that unencrypted copies of the file may be left in temporary locations used by the operating system. Full disk encryption also allows operating system and software files to be more easily protected from an adversary with physical access.
- It is important to ensure that the device's data is protected when traversing a network. Ensure your browser supports only approved SSL cyphers as specified in the ISM. Ensure that appropriate network security settings are implemented and are consistent with ISM requirements.
- Configure wireless security settings so that the device is not allowed to connect to ad hoc wireless networks.
- Devices should not be allowed to connect to wireless networks, except where temporarily connecting to facilitate the establishment of a VPN. All web browsing and email should be conducted through the agency's VPN.
- Disable split-tunnel VPNs. These can allow access to internet systems via an unsecured connection while connected to your agency's network through a VPN. This can bypass the normal security controls implemented by your agency on its internet connection and increase the risk of the VPN being attacked from unsecured networks.
- Disable Bluetooth pairing by default. This can be enabled if required but should be done prior to departure.
- The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.
- ASD's Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.
- ASD publishes hardening guides for specific devices including Apple iOS and BlackBerry.
- Organisations or individuals with questions regarding this advice can contact the ACSC by emailing email@example.com or calling 1300 CYBER1 (1300 292 371).