IT Security Guidelines for Domestic and International Travel

 

General Overview

Travel with electronic devices requires special precautions. Remote devices and the information they contain should be protected while accessing the Internet or not physically under your control.    

Users should not store any Rutgers restricted data on personally owned devices. Restricted data stored on university owned portable devices should be limited based upon business or academic reason and should always be encrypted. Restricted data includes data that Rutgers is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (e.g., name, SSN, birth date, home address), medical records, legal records, student records, police records, and credit card information. Restricted data needs to be protected at the same level as required on campus.

Potential Risks

The risks associated with carrying electronic devices while traveling arise from two sources: the likelihood that your device will be compromised and the impact of such a compromise.  These risks fall into two main categories: exposing private information the university is required to protect (i.e., restricted data) and being compromised by malware while traveling.    The likelihood of being compromised by malware is greatest when traveling outside of the US and especially high when governments operate and manage the Internet. The Office of Information Technology (OIT) recommends that at a minimum the following precautions be taken when traveling. These steps reduce the likelihood that your system will be compromised and reduce the impact if it is compromised.

Minimum precautions to protect Electronic Devices while Traveling

At all times: Encrypt all information
While traveling: Use a Virtual Private Network (VPN) to access Rutgers resources
Upon return: Scan for malware and remove if found

Best Practices

If the likelihood of your system being compromised is high (e.g., traveling to a country that is known to infect systems on their networks) or the impact of a compromise is high (e.g., you are carrying a significant amount of restricted information), OIT recommends you take the additional precautions shown in the following chart.  These steps minimize the likelihood that your system will be compromised as well as minimizing the impact if it is compromised.

|  | Domestic Travel | International Travel |
|---|---|---|
| Before leaving | Remove any information not needed on trip | Remove any information not needed on trip |
|  | Image the device | Image the device |
|  | Encrypt all information | Encrypt all information |
| While traveling | Use a VPN to access Rutgers resources | Use a VPN to access Rutgers resources |
| Upon return |  | Scan for malware |
|  |  | Identify and extract information collected on trip |
|  |  | Wipe the computer clean, reinstall the OS, applications and data |
|  |  | Change Rutgers password |

The chance that your system will be compromised while traveling is small but the impact of a compromise can be significant.  Once Rutgers systems or data have been compromised the exposure can NOT be undone.  Precautions such as those identified above are the best way to reduce the likelihood of an exposure and minimize the impact should an exposure take place. 

Rationale for Recommendations

Remove any information not needed on trip:  This minimizes the exposure should the laptop be lost and while it is not physically under your control.  Please keep in mind that deleting a file does not remove it from your disk and that there are applications that can retrieve deleted files.           

Image the device: Making an image of what is on a device helps when a system has been compromised.  For example, if a laptop is lost, the image is an excellent record of what information may have been exposed.

Encrypt all information: Encryption of restricted data is required and should be used on all portable devices at all times (e.g., laptops, USB drives).  It is extremely important to encrypt data while traveling and often easier and safer to encrypt all information as opposed to identifying the restricted information and encrypting only that information.

Use a VPN to access Rutgers resources: A VPN (Virtual Private Network) assures that all communication between your portable device and a Rutgers application is encrypted.   If a VPN is not used each application must itself properly encrypt all transmitted data.  Relying on multiple applications to each maintain appropriate encryption significantly increases the chance that sensitive data will be exposed.                        

Scan for Malware: Scanning for malware provides critically important information about whether a system has been compromised.  The most problematic malware are keyloggers.  Keyloggers reside on your machine and watch every keystroke.  They can easily detect account names and associated passwords.  Once a system has been infected by a keylogger the only remedy is to wipe the system clean and reinstall.

Identify and extract information collected on trip: This step extracts only the necessary information and makes sure it does not contain malware.

Wipe the computer clean, reinstall the OS, applications, and data: This step erases all information on the computer and reinstalls a clean version of the operating system (OS).   It prevents malware (e.g., keyloggers) that may have compromised your system from infecting other Rutgers systems.  Scans for malware are not perfect.  This step should be performed even if no malware is detected.

Change Rutgers password:  If your account and password have been stolen while traveling the only remedy is to change your password. Anyone clever enough to learn your account and password without your knowledge is also clever enough to access your account and leave very little evidence of their activities.  Changing your password is the best way to assure that Rutgers information and systems are not compromised.

Expanded Guidelines for Domestic Travel

  • While traveling carry only necessary information.  This may mean carrying a "clean" laptop, void of student grades, proprietary information (including unpublished research or articles), and personal information.  
  • If you require your personal or business laptop, back the equipment up in case of loss or theft, use a complex password (or passphrase) to encrypt restricted data and verify that all student, personal and proprietary information is removed.
  • Update your equipment with the latest patches, updates, firewall and antivirus software (i.e., RADS).
  • Use a VPN (Virtual Private Network) to access university resources.
  • Consider purchasing tracking software in case of theft or loss.
  • Assume that any equipment other than your own is insecure.  This includes equipment owned by friends, at cybercafes, libraries, etc. Do not enter sensitive information (credit cards, bank accounts, passwords) in Wi-Fi hotspots, or other insecure locations. Information sent over the Internet may be intercepted.  Look for https:// (the s means the transmission is encrypted) preceding the web address as a sign of a secure web page prior to providing information.
  • Portable equipment, such as data sticks/flash drives, CDs, PDAs, phones, etc., containing sensitive data must be kept secure, and locked when unattended. These items are vulnerable to theft and loss. When business practices and/or policies mandate, encryption is required. Contact Information Protection and Security for recommended tools and software.

Expanded Guidelines for Overseas/International Travel

Travel with electronic devices requires special precautions. International travelers should take extra precautions in addition to the Guidelines for Domestic Travel.

Information, technology, software, and equipment you take with you may be subject to U.S. export control laws. You must ensure that all the information and software on your laptop can be safely and legally transported to another country. Check the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) laws concerning any software on your computer that may be non-exportable or require licensing to take it out of the country.  It is recommended that you carry memory sticks instead of a laptop. Remove all files containing controlled information or information involving restrictions.  Keep your devices in your control whenever possible. Consider keeping your data only on a university server and accessing it only through a secure VPN connection. We suggest traveling with a "clean" (wiped) laptop or remote device, containing only necessary applications and information for the trip.

  • If possible, take only the information which you will present or discuss at the conference or other event. Back up your data and leave a copy in a safe and secure location. Encrypt all information.
  • Be aware that your belongings may be searched multiple times and electronic media copied.
  • If you have sensitive intellectual property that might have research or commercial value, avoid bringing it.  Do not copy sensitive information onto a computer that has been overseas and has not been “wiped” by a security expert upon return.  Visit http://travel.state.gov for travel advisories for specific countries.
  • When you return, scan the device for malware; then save the information you wish to retain, and wipe the device clean. 

Understand that foreign universities, governments, and companies are often linked. Any inquiry may have an ulterior motive, such as stealing intellectual property. Not all conference attendees with whom you come into contact are there for the same reason; they may be enquiring on behalf of another country or researcher. Be cautious of unsolicited requests and questions about your research or other sensitive information.

It is advisable to not speak about or comment on the status of research and development being conducted by others at the institution. Defer questions to those individuals directly.

Export Control Guidelines

Information, technology, software, and equipment you take with you may be subject to U.S. export control laws. You must ensure that all the information and software on your laptop can be safely and legally transported to another country. Check the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) laws concerning any software on your computer that may be non-exportable or require licensing to take it out of the country.  It is recommended that you carry memory sticks instead of a laptop. Remove all files containing controlled information or information involving restrictions.  Keep your devices in your control whenever possible. Consider keeping your data only on a university server and accessing it only through a secure VPN connection. We suggest traveling with a "clean" (wiped) laptop or remote device, containing only necessary applications and information for the trip.

For any questions regarding U.S. export control laws, please contact Robert Phillips at robert.phillips@rutgers.edu.
Export Control Guidelines website

Best practices for Cell/Smartphones


When using a cell/smartphone, create a strong password (numbers, upper and lower case letters, special characters – at least 6 characters long). Never store passwords, phone numbers, or sign-on sequences on any device or in its case. If your phone has a password lock-out threshold, set this to a reasonable number so as to avoid unintentionally locking yourself out.

Be wary of text messages coming in from unknown numbers which can install malware and spyware onto your cell.  Malware can gather information that is transmitted through your phone as it goes from application to application.  Not only can this include information about your call history and messages, but also financial information if any mobile apps are linked to a credit or debit account.

Keep your applications and smartphone operating system up to date.  Do not "jailbreak" or "root" your phone as this removes protections against unauthorized apps. 

Avoid using public Wi-Fi networks for online shopping, banking or accessing other sensitive information.

Be sure to disable broadcast services including Bluetooth, Wi-Fi, and Global Positioning Information if not necessary. These services can be used to potentially launch attacks against your device, and can be used to locate and introduce malware.

Additional Considerations for Traveling Abroad

All information you send electronically – by fax machine, personal digital assistant (PDA), computer, or telephone – can be intercepted. Wireless devices are especially vulnerable. Hotel business centers and phone networks are regularly monitored in many countries. In some countries, hotel rooms are often searched. Corporate and government officials are most at risk, but don’t assume you’re too insignificant to be targeted.

Security services and criminals can track your movements using your mobile phone or PDA and can turn on the microphone in your device even when you think it’s off. To prevent this, remove the battery.

Foreign security services and criminals are adept at “phishing” – that is, pretending to be someone you trust in order to obtain personal or sensitive information.

Likewise, avoid using public charging stations.  It can be nearly impossible to tell if a charging station is also accessing your phone’s data.  If unavoidable, one precaution is to power off your phone completely before connecting it to the charging station.

Store any hardware tokens, battery and subscriber identity module (SIM) card in a separate location from the mobile device.  If traveling in a high-threat location, you must assume that hotel rooms have been selected to facilitate electronic or visual monitoring.

Seek official cyber security alerts from: www.onguardonline.gov and www.us-cert.gov/cas/tips