Cyberattacks on handheld devices are a matter of when, not if, say campus IT pros. Their advice: Focus on minimizing loss and containing the damage.

Damage Control

• By Rama Ramaswami
• 01/01/10

OF ALL THE SECURITY responsibilities facing the campus IT team, handheld-device security may be the most difficult. Students and staff alike receive frequent warnings to secure their data and passwords and report device theft. Yet few mobile device users take the time to protect their handhelds on a regular basis, and IT security policies are hard to enforce, particularly on college campuses where mobile devices such as cell phones are not university property and users can't be mandated to comply with security requirements.

It's a tough problem for IT directors to tackle in perhaps the most threatening cybersecurity environment in years. In the study, "Emerging Cyber Threats Report for 2009," published by the Georgia Tech Information Security Center (GTISC), IT administrators from Georgia Tech and other organizations warn that cybercriminals will unleash attacks on an unprecedented scale in the coming years. Malware and botnets, so far largely the domain of computers, will make their debut in cell phones and other mobile devices, the report warns.

"Malware will be injected onto cell phones to turn them into bots," cautions Patrick Traynor, an assistant professor in Georgia Tech's School of Computer Science and a member of GTISC. "Large cellular botnets then could be used to perpetrate a DoS [denial-of-service] attack against the core of the cellular network."

Traynor and his colleague, Jon Giffin, recently became the recipients of a three-year, $500,000 National Science Foundation grant to research, test, and create guidelines for mobile phone network security that cell phone companies can develop. The team will set up miniature cell networks using femtocells (small mobile phone receivers connected by broadband) and donated phones, and then will simulate attacks on the network and try to find ways to repair it.

Facing Stiff Obstacles

The mobile-security project is the first of its kind in the US, and Traynor readily admits that he's facing some big challenges. To begin with, it's difficult to secure the handheld devices themselves. "Security for PDAs is significantly less mature than that for desktops," he says. "There are additional risks on these platforms. There are antivirus programs available, but they're not necessarily the right solution. Cell phones are battery-constrained devices. For the user, if the decision is between running an antivirus program or making one more phone call, the phone call would tend to win out."

In addition, the effectiveness of antivirus programs has been decreasing over the years, says Traynor. "There hasn't been widespread exploitation of mobile devices yet, but there will be in the future," he warns. "Already, we've seen malware on Symbian OS-based phones that could generate botnet behavior."

Network separation is one weapon in the war against cyberattacks. A common practice on campuses is to set up a secure internal network for faculty and students, requiring authentication for access, and an unsecured network for external users. But that won't work for long, in Traynor's view. "Our ability to argue that we have separate networks is going out the window as we increase the number of mobile networks, which are hard to administer on a large scale," he says. "Also, a mobile device still gives you access to most things inside the network. For example, my cell phone has access to e-mail on the internal network. If my phone is lost, and there's a piece of malware on it, outsiders can get into the network. Real network separation is going away."

That's why Traynor and his academic research team are investigating not so much what can be done to prevent attacks as how to fix the ensuing damage. The answer, he thinks, may lie in remote repair. "What do we do when infection happens? How do we clean up afterward? One way would be for the cell phone network itself to interact with the mobile device and bring it back to a safe state. It would be amazing if a service provider could do this remotely," he enthuses. "The user may not even be aware of what's happening. The device may be exhibiting some kind of behavior that the network picks up. The network can then 'talk' to the device and help figure out the problem."

By not involving the user, remote repair would bypass the thorny issue of IT-security policy enforcement-- about which Traynor doesn't mince words. "Compliance is already very difficult and it is only going to become even more so," he declares.

A Remote Chance of Remote Control

Remote repair capability, however, is not the same thing as having remote control over a device, the way some businesses have, for example, over a company-issued Black- Berry. Higher ed technologists seem to be in agreement that remote control of the device is not a likely solution for campuses that don't provide phones to students and staff-- which is most campuses. "It would be hard for a university to say, 'We're not paying for your phone, but we have control over it,'" Traynor says.

Andrew Korty agrees that "applying direct controls to devices you don't own is a tough sell." Korty is CIO at Indiana University and also acts as deputy information security officer in the Office of the Vice President for Information Technology. He points out there are even limits to remote-control security: Any mobile-device user information that IT administrators collect can, if stolen, also compromise the device's security. "That leaves you with education and user awareness," he says. "You also can provide and promote services and software that students can opt to use. Licensing software that encrypts sensitive data and passwords, sometimes called a password vault, is one example."

Educational campaigns have had some positive impact at the University of Saint Francis (IN), where Randy Troy, director of technology security and compliance, has launched a focused initiative to make security-related information available to faculty and students. "The first thing we do is that, once we have a policy written, we get that message out to the campus at large. We do a presentation, we send e-mails, we hold forums, we get our faces out on campus. That seems to get most of the people on board with it."

Troy also has put up an extensive amount of information on the IT department's website. Written for the most part in non-technical language, the site contains the full text of the university's security policies along with plenty of examples, news, alerts, discussion of the legal implications of violations, and tips for compliance. "I try to write these policies so they are easy to understand," says Troy. "I don't want to baffle people with the terminology. Our main goal is that if users can read it and understand it, they're more apt to abide by the rules. People are busy and will not follow up if they don't understand what they're supposed to do."

Troy reports that users have been largely receptive to the information on the website. Still, he knows that there is no foolproof way to avoid security breaches, especially for mobile devices. "The softest link is always going to be the human element," he notes. Which unfortunately leaves campus IT directors in a mostly defensive position. "The mindset now in the IT community is not a question of if a violation is going to happen, it's a question of when it's going to happen," he insists. IT administrators have no choice, Troy suggests, but "to try to get the landscape set" to perhaps not prevent, but at least mitigate, the effects of what seems to be the inevitable.