Mastering Mobile Security
- By Joseph C. Panettieri
- 12/27/06
How can you address security challenges when your data is always
on the move? Here are five secrets for success in 2007.
IS YOUR MOST vital information walking out the door or
sneaking off campus?
That’s the question you must address in the age of mobile
computing. A decade ago, most university information was
safely protected in data centers or tucked away on departmental
servers. But e-mail, FTP software, USB thumb drives,
smart phones, notebook computers, and other mobile
devices mean your data is always on the move.
Sure, mobile technology and ubiquitous networks improve
productivity and keep us all connected. But they also introduce
new security challenges that universities must address.
Consider this startling piece of information: More than 2.6 billion
mobile devices now access online services, yet only 30
million of those devices have basic security safeguards in
place, according to McAfee, the antivirus
software maker.
Without proper security, mobile devices are easy targets
for worms, viruses, and so-called robot (“bot”) networks.
Hackers increasingly use bot networks to launch massive
attacks against eCommerce websites—potentially targeting
your online tuition payment or fundraising/financial
development systems. How can you defend your mobile
systems against such threats? There isn’t a single magic
bullet solution, but the path to mobile security involves five
basic steps for success.
Step 1: What’s Your Policy?
Most universities have security policies in place for desktop
PCs, notebooks, servers, and overall network access. Progressive
universities post these policies on their websites.
Through automated e-mails and network alerts—typically
sent once each semester—universities can prompt students,
faculty, and staff to read and adhere to the
written policies. Those policies, coupled with regular
electronic software distribution, ensure that systems
receive timely software patches and antivirus
updates.
Still, a review and revamp of your security policies
(to include smart phones, voice over IP devices, and
other emerging mobile technologies that connect to
your university network) may be overdue. Be sure to
determine and communicate:
- Which smart phones and VoIP devices are
approved for use on your network?
- What are the terms associated with using these
devices?
- What specific security solutions must users
embrace to safeguard these devices?
Although attacks directed at smart phones and
VoIP devices have been minimal so far, you’ve got to
remain proactive. VoIP devices and WiFi networks
will increasingly come under attack in 2007; for
instance, hackers are now flooding the web with new
tools, such as the Metasploit Project, that specifically target WiFi systems.
Overseen by an Austin, TX-based programmer,
Metasploit is an open source, point-and-click attack
tool that can wreak havoc on WiFi systems.
Your wireless LAN experts should look at Metasploit to
get a feel for the types of wireless attacks your university
may face in 2007. Meanwhile, it’s time to polish your written
security policies, post them on the university website, and
take steps to enforce the policies across your user base.
Step 2: Plug Information Leaks
So-called “information leakage” is another big concern facing
CIOs today. Whether it’s financial data, student information,
or faculty research, you have to ensure that intellectual
property d'esn’t leak from your network onto the internet or
mobile devices.
Some information leakage—such as an errant e-mail—can
be accidental. But a great deal of leakage can be traced to
unscrupulous staff, disgruntled employees, or students with
too much time on their hands. USB storage devices, CDROMs,
FTP software, fax machines, e-mail systems, and
instant messaging software all are prime avenues for information
leakage. With a few clicks of a mouse, gigabytes of
data can easily be copied or stolen.
To combat such threats, companies such as Symantec and Websense are developing software that prevents information
leakage. Websense, for one, has partnered with the startup
PortAuthority Technologies to
develop “deep content control” technology that helps control
how sensitive data can leave an organization and under
what circumstances. PortAuthority’s software monitors internal
and outbound traffic, and detects when users attempt to
make specific data available outside a university’s designated
IT borders. In the first half of 2007, Websense plans to
ship software—developed in partnership with PortAuthority
—that prevents such leakage.
Websense isn’t alone. In October, Symantec introduced
Mail Security 8300, an appliance with integrated content
filtering that helps universities comply with internal policies
related to e-mail content. The appliance also features antispam
and antivirus capabilities, along with newly written
code that mitigates information leakage.
Step 3: Find the Magic Touch
After several false starts, biometric technology is moving
from military and financial organizations into the mainstream
market. Lenovo, for one, continues
to enjoy growing demand for ThinkPad laptops that feature
integrated fingerprint readers.
Within the next three years, I expect the vast majority of laptops
to come equipped with fingerprint readers, and for good
reason: Fingerprint readers will eliminate the need for students
and faculty members to memorize numerous computer
passwords. With the swipe of a finger, a student will be able
to use his laptop to automatically log on to networks, applications,
financial websites, and other services that previously
required a hodgepodge of usernames and passwords.
Still, biometric technology isn’t perfect. Current fingerprint
readers don’t always work as advertised; for instance,
sometimes oils from a person’s skin can interfere with the
readers. And some low-end readers may misidentify users
based on the length and width of their fingerprints—rather
than checking the fingerprints’ actual patterns.
Step 4: Master Identity Management
From CA to Novell,
numerous software vendors offer identity management
software. When properly configured, the software ensures
that users can access only the network resources for which
they are approved. For instance, identity management
allows your Office of Alumni Relations to check contact
information for alumni, but blocks the office members from
viewing things like student transcripts.
Several Silicon Valley startups are working on new innovations.
For instance, A10 Networks has developed an IP-to-ID service that allows university
help desks to quickly determine network user identities.
Imagine that a notebook computer is transmitting worms or
viruses onto a network, or attempting to access confidential
university information. Using A10’s software, the
school’s help desk can match the notebook’s IP address to
its user’s name. It’s similar to a police officer checking a car
license plate to determine the car’s registered owner.
Step 5: Fire Your Vendors
During a recent technology conference in California, the
CIO of a major university told me the most effective way to
deal with security software companies is to fire them. At first
I was confused. Why would you “dismiss” a company, especially
if you were satisfied with its products and services?
That’s when the CIO reminded me that new customers—
rather than established customers—frequently receive the
deepest discounts to deploy new products. One antivirus
vendor, for instance, may undercut another antivirus vendor’s
price just to gain account control at your university.
But once you’ve standardized on a security platform, you
no longer have multiple vendors competing with each other
on price. So instead of merely renewing annual software
licenses, be proactive and force vendors to compete for
your business every year! Tell them they’re fired unless they
return to the negotiating table and give you the same price
that they offer to their new customers.
Shop around and hunt for the best solutions—year in
and year out. Hackers may perpetually keep you on your
t'es, but it’s time for you to keep your security partners on
their t'es as well.
