NSA to National Security Employees: Avoid Working on Public Wi-Fi

The agency offered best practices for remote work using wireless technologies. 

The COVID-19 pandemic changed what work looks like, and for some, telework remains an essential part of daily business. While most teleworkers connect via secure home networks, those that opt for public networks like those in hotels or coffee shops are putting their data at risk, according to the National Security Agency. 

The NSA on Thursday released guidance for National Security System, Defense Department, and defense industrial base users describing how to identify vulnerable connections and protect common wireless technologies when working on public networks. US-CERT on Friday shared the guidance as well. 

The first best practice, according to NSA, is to simply avoid connecting to public Wi-Fi at all. 

Instead, it’s best to connect using personal or corporately-owned hotspots—just not open Wi-Fi hotspots. Hotspots should feature strong authentication and encryption, too, according to the guidance. 

But when it can’t be avoided, work on a public Wi-Fi network should be conducted over a corporate-provided virtual private network, or VPN. That way, traffic can be encrypted, and data traversing public Wi-Fi will be less vulnerable to theft. Users should also stick to Hypertext Transfer Protocol Secure—https://—websites whenever possible. For laptops, users should also turn off the device file and printer sharing features on public networks. If possible, laptop users should use virtual machines, according to NSA. 

It’s also best to avoid entering sensitive passwords, conducting sensitive conversations, or accessing personal data like bank and medical information. Online shopping and other financial transactions should be avoided, too. 

Leaving devices unattended in public settings is a no-no as well. And when naming a device, users should avoid putting their own name in the title, according to the guidance. Instead, devices should be updated with the latest patches and secured through multi-factor authentication whenever possible. 

NSA also detailed risks posed by Bluetooth and near field communication, or NFC, technologies. According to the guidance, malicious actors can find active Bluetooth signals and potentially gain access to information about devices it finds in its scans. That information can then be used to compromise a device. So it’s best to disable Bluetooth and make sure it’s not discoverable in public settings due to this and other cyber risks, according to the guidance, and users should never accept Bluetooth pairing attempts they didn’t initiate. 

And while the fact that NFC tech facilitates device-to-device data transfers, like the kind that allow for contactless payment, which are limited in range, NSA said it’s best to disable the function when it’s not in use just in case. Users should also make sure not to bring a device near other unknown electronic devices because it might trigger automatic communication via NFC. Users should also never use NFC to communicate passwords or sensitive data, according to the guidance.