Although separating work and play activities is becoming more challenging (is anyone not guilty of checking work email by phone while vacationing?), we can adapt lessons learned on childhood playgrounds to how we approach adult paygrounds. The US National Institute for Standards and Technology (NIST) recently published its draft User's Guide to Telework and BYOD Security[i]. Implementing these five top takeaways will help you work—and play—more safely.
Don't talk to strangers.
Bluetooth is a chatty protocol that eagerly shares your device information with others. Disable it when it's not in use (e.g., for private music listening or hands-free talking). As 802.11 technology has improved, so has the range for Bluetooth-enabled and other near-field communication (NFC) devices (like proximity cards). The signaling range for Class 1 Bluetooth devices (e.g., laptops) can extend to 100 meters, and for Class 2 devices (e.g., mobile phones and headsets), the range can extend to 10 meters. Protect other wireless devices (e.g., routers) from broadcasting too much information by changing manufacturer default names and passwords to.
Don't take candy from strangers.
Free charging stations at airports and other public venues are so tempting: resist! Such stations can be compromised and juice-jack your phone, installing malware through the phone's USB port and enabling remote control, banking and other credential theft, and eavesdropping[ii]. In addition to being wary of what you plug your computing device into, beware of what you plug into your device. The dropped drive hack (e.g., leaving infected USBs in a commercial or government parking lot) is a low-cost technique for spreading malware. In one US Department of Homeland Security test, 60% of those who picked up a USB plugged it in[iii].
Don't share your gum (or toothbrush).
Beware of untested USBs shared by colleagues, especially if your device is not current on anti-virus software. The American Dental Association (ADA) packaged a malware payload along with its 2016 annual manual of CDT procedure codes in an estimated 10% of the flash drives it distributed to about 37,000 members[iv]. Encrypt confidential files stored on your own USB to avoid inadvertently sharing them in case you lose it somewhere. It's highly likely that the finder will plug it in![v]
Do not use play equipment improperly.
Jailbreaking or rooting your phone will also disable the OEM-installed security mechanisms. For iPhones, you will also void standard warranties and Apple Care insurance. Read the fine print for product-specific insurance you purchase. Is saving $.99 for a good tune worth the risk?
Don't wander off.
Reconfigure browsers, email clients, and instant messaging apps to block or stop at-risk behavior. Reserve one specific browser for financial transactions and exit the browser immediately after completing a transaction. Use a different one for social media and Internet surfing. Encrypt content that you really do not want to share—and use a passcode that will be memorable and not easily reverse engineered.
The NIST guide offers a much deeper dive into the "hows" of hardening your telework environment than my simplified five takeaways, but they are a good start. Be safe out there!
[i] Murugiah Souppaya and Karen Scarfone (14 March 2016), "User’s Guide to Telework and Bring Your Own Device (BYOD) Security," Draft NIST Special Publication 800-114, Revision 1. Retrieved from http://csrc.nist.gov/publications/drafts/800-114r1/sp800_114r1_draft.pdf
[ii] William Jackson (8 August 2013), "Phun with Phones: 3 Ways to Phreak Android, iOS," GCN Magazine. Retrieved from https://gcn.com/articles/2013/08/08/smartphone-phreaks.aspx
[iii] Bruce Sterling (29 June 2011), "The Dropped Drive Hack," Wired. Retrieved from http://www.wired.com/2011/06/the-dropped-drive-hack/
[iv] Jessica Davis (29 April 2016), "The American Dental Association Sends Malware-Infected USB Drives to Its members," Healthcare IT News. Retrieved from http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members
[v] Lisa Vaas (8 April 2016), "Almost Half of Dropped USB Sticks Will Get Plugged In," Sophos. Retrieved from https://nakedsecurity.sophos.com/2016/04/08/almost-half-of-dropped-usb-sticks-will-get-plugged-in/