Updated: Jan 30, 2019
We're almost all guilty of it: connecting to some unknown 3rd party network at a restaurant, coffee shop, hotel, or client office, and then proceeding to work as if we're back at our main office. You might wonder for a moment if it's safe, but ultimately you need to get some work done, and you're not working on any sensitive information today anyway, so you click 'connect' and start accessing files and logging into online accounts. You've done it a hundred times before and never had a problem, so it must be safe enough, right? Maybe the hotel Wi-Fi offers some encryption, perhaps you use a direct RDP connection over a non-standard port, or maybe you intend to connect your office VPN first. Take that, you would-be hackers!
I know you're busy, so let's break this down quickly. First, the good news: it is possible for you to work securely, even on sensitive information and even over some unknown open Wi-Fi connection. The bad news is that doing so safely takes some planning and consideration, as well as a measure of user conscientiousness when presented with security popup windows. As such, many of us may have been taking risks whose potential repercussions we haven't always been fully aware of. Some may be better served by simply resolving to always use a dedicated cellular mobile hotspot whenever travelling. You should still take steps to ensure that your communications are encrypted from end to end over these connections, and you may need to put up with some network performance issues, but doing so will bypass a lot of the threats and concerns discussed below.
If you need to work in locations where cellular is not an option, or otherwise want to know the threats and strategies, please read on. Let's start with the case of the VPN that connects back to the main office firewall or server. I'll begin by recommending that, if you've been using the same VPN connection method for more than a few years, you get it checked by a certified cyber-security expert, as there are a number of legacy VPN technologies that are no longer safe to use. Even if you are using a modern VPN and/or Remote Desktop technology (RD Gateway, LogMeIn, etc.), there are still some additional concerns to be aware of.
Of chief concern when on someone else's network is that you may be presented with a popup request to trust a security certificate when you attempt to connect to the internet or your VPN, and the reflex reaction of selecting 'Accept' can quickly undo your carefully considered layers of encryption. Here's how it works: many modern firewalls offer SSL inspection to make sure you are not receiving or transmitting viruses, which may be good for the organization that owns the firewall. But if you want to use their internet and they require that you trust their security certificate before you can connect to either your VPN or a secure web (https) portal, and if that firewall is being monitored by a bad actor, you could be giving up the keys to your kingdoms.
Beyond that, office VPN connections will often only be configured to route and encrypt communications that are connecting back to the office. Requests for other destinations, like the internet, will go directly out the 3rd party gateway with whatever encryption is left to protect your cloud service and application login credentials, if any. If you have the bandwidth, you could configure your VPN to route all traffic, even for internet destinations, through your main office gateway, or you could add an additional VPN layer like NordVPN to plug that hole in the dyke.
Also, while on a shared guest network, your laptop could be probed for vulnerabilities by someone else on that network. If your applications, operating system, firmware and drivers are all up to date, and you haven't previously opened any ports or installed applications that could be free to respond to those scans, then you shouldn't have too much to worry about from such a scan. Leave a security update uninstalled, however, and that scanner could potentially inject commands, or maybe install a keylogger, which could bypass your current and future encryption efforts.
Additionally, your laptop could have your credential session captured and played back to you in the hope that you type your password again, but this time, with the bad guy on the other end collecting your efforts.
And no such discussion would be complete without cautioning against the old shoulder surfer watching, or even video recording, your every keystroke from the table behind you.
To sum up, either bring your own remote network with you in the way of dedicated cellular internet, tunnel all traffic through your corporate gateway, or be prepared to consider a layered VPN approach with an awareness that you should never accept unknown certificate warnings: