Mastering Mobile Security
By Joseph C. Panettieri
Is your most vital information walking out the door or sneaking off campus? That’s the question you must address in the age of mobile computing. A decade ago, most university information was safely protected in data centers or tucked away on departmental servers. But e-mail, FTP software, USB thumb drives, smart phones, notebook computers, and other mobile devices mean your data is always on the move.
Sure, mobile technology and ubiquitous networks improve productivity and keep us all connected. But they also introduce new security challenges that universities must address. Consider this startling piece of information: More than 2.6 billion mobile devices now access online services, yet only 30 million of those devices have basic security safeguards in place, according to McAfee, the antivirus software maker.
Without proper security, mobile devices are easy targets for worms, viruses, and so-called robot (“bot”) networks. Hackers increasingly use bot networks to launch massive attacks against eCommerce Web sites – potentially targeting your online tuition payment or fundraising/financial development systems. How can you defend your mobile systems against such threats? There isn’t a single magic bullet solution, but the path to mobile security involves five basic steps for success.
Step 1: What’s Your Policy?
Most universities have security policies in place for desktop PCs, notebooks, servers, and overall network access. Progressive universities post these policies on their Web sites. Through automated e-mails and network alerts – typically sent once each semester – universities can prompt students, faculty, and staff to read and adhere to the written policies. Those policies, coupled with regular electronic software distribution, ensure that systems receive timely software patches and antivirus updates.
Still, a review and revamp of your security policies (to include smart phones, voice over IP devices, and other emerging mobile technologies that connect to your university network) may be overdue. Be sure to determine and communicate:
- Which smart phones and VoIP devices are approved for use on your network?
- What are the terms associated with using these devices?
- What specific security solutions must users embrace to safeguard these devices?
Although attacks directed at smart phones and VoIP devices have been minimal so far, you’ve got to remain proactive. VoIP devices and WiFi networks will increasingly come under attack in 2007. For instance, hackers are now flooding the Web with new tools, such as the Metasploit Project, that specifically target WiFi systems. Overseen by an Austin, TX-based programmer, Metasploit is an open source, point-and-click attack tool that can wreak havoc on WiFi systems.
Your wireless LAN experts should look at Metasploit to get a feel for the types of wireless attacks your university may face in 2007. Meanwhile, it’s time to polish your written security policies, post them on the university website, and take steps to enforce the policies across your user base.
Step 2: Plug Information Leaks
So-called “information leakage” is another big concern facing CIOs today. Whether it’s financial data, student information, or faculty research, you have to ensure that intellectual property doesn’t leak from your network onto the internet or mobile devices.
Some information leakage – such as an errant e-mail – can be accidental. But a great deal of leakage can be traced to unscrupulous staff, disgruntled employees, or students with too much time on their hands. USB storage devices, CDROMs, FTP software, fax machines, e-mail systems, and instant messaging software all are prime avenues for information leakage. With a few clicks of a mouse, gigabytes of data can easily be copied or stolen.
To combat such threats, companies such as Symantec and Websense are developing software that prevents information leakage. Websense, for one, has partnered with the startup PortAuthority Technologies to develop “deep content control” technology that helps control how sensitive data can leave an organization and under what circumstances. PortAuthority’s software monitors internal and outbound traffic, and detects when users attempt to make specific data available outside a university’s designated IT borders. In the first half of 2007, Websense plans to ship software – developed in partnership with PortAuthority – that prevents such leakage.
Websense isn’t alone. In October, Symantec introduced Mail Security 8300, an appliance with integrated content filtering that helps universities comply with internal policies related to e-mail content. The appliance also features antispam and antivirus capabilities, along with newly written code that mitigates information leakage.
Step 3: Find the Magic Touch
After several false starts, biometric technology is moving from military and financial organizations into the mainstream market. Lenovo, for one, continues to enjoy growing demand for ThinkPad laptops that feature integrated fingerprint readers.
Within the next three years, I expect the vast majority of laptops to come equipped with fingerprint readers, and for good reason: Fingerprint readers will eliminate the need for students and faculty members to memorize numerous computer passwords. With the swipe of a finger, a student will be able to use his laptop to automatically log on to networks, applications, financial Web sites, and other services that previously required a hodgepodge of usernames and passwords.
Still, biometric technology isn’t perfect. Current fingerprint readers don’t always work as advertised; for instance, sometimes oils from a person’s skin can interfere with the readers. And some low-end readers may misidentify users based on the length and width of their fingerprints – rather than checking the fingerprints’ actual patterns.
Step 4: Master Identity Management
From CA to Novell, numerous software vendors offer identity management software. When properly configured, the software ensures that users can access only the network resources for which they are approved. For instance, identity management allows your Office of Alumni Relations to check contact information for alumni, but blocks the office members from viewing things like student transcripts.
Several Silicon Valley startups are working on new innovations. For instance, A10 Networks has developed an IP-to-ID service that allows university help desks to quickly determine network user identities. Imagine that a notebook computer is transmitting worms or viruses onto a network, or attempting to access confidential university information. Using A10’s software, the school’s help desk can match the notebook’s IP address to its user’s name. It’s similar to a police officer checking a car license plate to determine the car’s registered owner.
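The IP-to-user lookup described above, sketched as an added example (this is not A10's software or anything from the article): because DHCP reassigns addresses, the lookup has to be keyed on the IP and the time of the alert, then joined to a device registration table. The lease records, MAC addresses, usernames, and the `resolve_user` helper are all constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data: DHCP leases as (ip, mac, lease_start, lease_end).
# Note that 10.20.4.17 is handed to two different devices on the same day.
LEASES = [
    ("10.20.4.17", "02:00:00:aa:01:02", "2007-01-15 08:00", "2007-01-15 12:00"),
    ("10.20.4.17", "02:00:00:bb:03:04", "2007-01-15 12:05", "2007-01-15 18:00"),
    ("10.20.4.52", "02:00:00:cc:05:06", "2007-01-15 09:30", "2007-01-15 17:30"),
]

# Constructed sample data: device registrations (MAC -> campus username).
# The third device above was never registered.
REGISTRATIONS = {
    "02:00:00:aa:01:02": "jdoe",
    "02:00:00:bb:03:04": "asmith",
}


def _ts(text):
    """Parse a timestamp in the log format used above."""
    return datetime.strptime(text, FMT)


def resolve_user(ip, when, leases=LEASES, registrations=REGISTRATIONS):
    """Return (user, mac) for the device holding `ip` at time `when`.

    (None, None) means no lease covered that moment, so the alert cannot
    be attributed. (None, mac) means a device is known but unregistered.
    """
    t = _ts(when)
    for lease_ip, mac, start, end in leases:
        if lease_ip == ip and _ts(start) <= t <= _ts(end):
            return registrations.get(mac), mac
    return None, None


if __name__ == "__main__":
    # Same IP, different owner depending on when the alert fired.
    print(resolve_user("10.20.4.17", "2007-01-15 09:00"))
    print(resolve_user("10.20.4.17", "2007-01-15 13:00"))
```

A lookup that ignores the timestamp would attribute the afternoon alert to the morning's user, which is why the lease window is part of the key.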
Step 5: Fire Your Vendors
During a recent technology conference in California, the CIO of a major university told me the most effective way to deal with security software companies is to fire them. At first I was confused. Why would you “dismiss” a company, especially if you were satisfied with its products and services?
That’s when the CIO reminded me that new customers – rather than established customers – frequently receive the deepest discounts to deploy new products. One antivirus vendor, for instance, may undercut another antivirus vendor’s price just to gain account control at your university.
But once you’ve standardized on a security platform, you no longer have multiple vendors competing with each other on price. So instead of merely renewing annual software licenses, be proactive and force vendors to compete for your business every year! Tell them they’re fired unless they return to the negotiating table and give you the same price that they offer to their new customers.
Shop around and hunt for the best solutions—year in and year out. Hackers may perpetually keep you on your toes, but it’s time for you to keep your security partners on their toes as well.
Joseph C. Panettieri has covered Cisco, the networking industry, and Silicon Valley since 1992.