How To Secure Wireless Devices In Public Settings: As Told by the NSA

Hackers love public Wi-Fi. That’s because, for most wireless device users, convenience vastly overshadows the need for security. In fact, this desire for convenient access to web services exposes millions of people every year to cyberattacks. But Wi-Fi is far from the only problem, as the mobile devices we use are further exposed to risks via Bluetooth and Near Field Communication (NFC) connections. And with a growing need to work remotely, while carrying sensitive information and credentials with us, the opportunities for malicious actors to gain access to our private data have never been greater.

So the NSA’s recently published official guidance on how to protect mobile devices in public settings comes at the perfect time. 

The report, published on July 29, 2021, covers everything from wireless device security best practices to a comprehensive list of Do’s and Don’ts when using Wi-Fi, NFC, and Bluetooth connections. And while NSA’s cybersecurity guidance is directed at National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) teleworkers, the information outlined is applicable to all users of wireless devices – especially those who work with sensitive data. So below, we’ll extract some key insights, as well as provide additional recommendations.

Wireless Security Do’s and Don’ts

For starters, NSA’s wireless device security guidance highlights a number of useful Do’s and Don’ts that all stakeholders within your organization can implement on a company and personal level for better overall cybersecurity. Outside of some of the usual suspects referenced, like keeping your software and operating systems updated and using anti-virus/anti-malware software, there are also lesser-known, yet extremely valuable tips given. 

Here are the NSA’s key Do’s for wireless device security:

• Whenever possible, disable Wi-Fi, Bluetooth, and NFC on devices when not in use, reboot devices after using untrusted wireless connections, and delete unused networks.

• Disable Wi-Fi auto-connect and at a bare minimum only connect to networks with WPA2-encryption.

• Use Multi-Factor Authentication whenever possible, which can help with the defense against password hash captures.

• Use an allowlist or denylist of applications/devices that can use your device’s Bluetooth connection.

• Use an IPsec VPN and HTTPS browsing protocols.

And here are the NSA’s key Don’ts for wireless device security:

• When using public networks, avoid accessing sensitive personal or company data and avoid things like bank (or crypto) transactions.

• Avoid plugging mobile devices into public USB charging stations including those found in airports and shopping centers.

• For laptops, do not browse the web using the administrator account.

• Avoid using Bluetooth to communicate passwords or sensitive data and never accept uninitiated pairing attempts.

• Do not set public Wi-Fi networks to be trusted networks.

Of course, the NSA’s security recommendations go even deeper, highlighting the use of virtual machines (VMs), disabling Netbios Name Service (NBTNS) for Windows laptops, using firewalls to restrict connections by applications, and much more.  

We also recommend using mobile data coupled with a VPN rather than public Wi-Fi connections whenever possible, as the signal sent from your cellular provider comes with at least some degree of encryption.

Evolving Threats and Staying Ahead

The NSA is quick to point out that nothing is 100% safe from cybercriminals when using the internet and that the methods used to compromise devices and data are constantly evolving. 

This reality is further accentuated by the fact that cyberattacks cost companies trillions of dollars globally.

So how do you and the people within your organization stay ahead of evolving threats? Here’s a great way to start: as a first defense, make security an easy option.

How much responsibility an organization has for the personal cybersecurity of their employees and project stakeholders is debatable; however, personal security habits often bleed into the professional environment. So helping stakeholders stay as safe as possible at all times is advantageous and this can be facilitated by the following actions:

• Give employees access to a VPN each year.

• Provide a YubiKey for company use, that can also be used to secure personal accounts.

• Provide secure devices for work (phone, laptop, etc) that can come preinstalled with secure apps such as multi-factor authentication, reminders for critical OS and app updates, and can be wiped clean remotely in the event that a device is compromised or stolen.

• Have clear guidelines for traveling with work-related devices and what to do in situations where devices might be confiscated (eg. when going through customs at the airport). 

Additionally, consider periodically training those in your organization who have access to sensitive data, as well as working with experienced cybersecurity firms that can help safeguard your sensitive data. 

And if you want to explore maximizing your cybersecurity to help ensure your organization and sensitive data are protected from cybercriminals, reach out to our experts at halborn@protonmail.com.