Damage Control
- By Rama Ramaswami
- 01/01/10
Of all the security responsibilities facing the campus IT team, handheld-device security may be the most difficult. Students and staff alike receive frequent warnings to secure their data and passwords and to report device theft. Yet few mobile device users take the time to protect their handhelds on a regular basis, and IT security policies are hard to enforce, particularly on college campuses, where mobile devices such as cell phones are not university property and users can't be mandated to comply with security requirements.
It's a tough problem for IT directors to tackle in perhaps the most threatening cybersecurity environment in years. In the study "Emerging Cyber Threats Report for 2009," published by the Georgia Tech Information Security Center (GTISC), IT administrators from Georgia Tech and other organizations warn that cybercriminals will unleash attacks on an unprecedented scale in the coming years. Malware and botnets, so far largely the domain of computers, will make their debut in cell phones and other mobile devices, the report warns.
"Malware will be injected onto cell phones to turn them into bots," cautions Patrick Traynor, an assistant professor in Georgia Tech's School of Computer Science and a member of GTISC. "Large cellular botnets then could be used to perpetrate a DoS [denial-of-service] attack against the core of the cellular network."
Traynor and his colleague Jon Giffin recently received a three-year, $500,000 National Science Foundation grant to research, test, and create guidelines for mobile phone network security that cell phone companies can develop. The team will set up miniature cell networks using femtocells (small mobile phone receivers connected by broadband) and donated phones, then simulate attacks on the network and try to find ways to repair it.
Facing Stiff Obstacles
The mobile-security project is the first of its kind in the US, and Traynor readily admits that he's facing some big challenges. To begin with, it's difficult to secure the handheld devices themselves. "Security for PDAs is significantly less mature than that for desktops," he says. "There are additional risks on these platforms. There are antivirus programs available, but they're not necessarily the right solution. Cell phones are battery-constrained devices. For the user, if the decision is between running an antivirus program or making one more phone call, the phone call would tend to win out."
In addition, the effectiveness of antivirus programs has been decreasing over the years, says Traynor. "There hasn't been widespread exploitation of mobile devices yet, but there will be in the future," he warns. "Already, we've seen malware on Symbian OS-based phones that could generate botnet behavior."
Network separation is one weapon in the war against cyberattacks. A common practice on campuses is to set up a secure internal network for faculty and students, requiring authentication for access, and an unsecured network for external users. But that won't work for long, in Traynor's view. "Our ability to argue that we have separate networks is going out the window as we increase the number of mobile networks, which are hard to administer on a large scale," he says. "Also, a mobile device still gives you access to most things inside the network. For example, my cell phone has access to e-mail on the internal network. If my phone is lost, and there's a piece of malware on it, outsiders can get into the network. Real network separation is going away."
That's why Traynor and his academic research team are investigating not so much what can be done to prevent attacks as how to fix the ensuing damage. The answer, he thinks, may lie in remote repair. "What do we do when infection happens? How do we clean up afterward? One way would be for the cell phone network itself to interact with the mobile device and bring it back to a safe state. It would be amazing if a service provider could do this remotely," he enthuses. "The user may not even be aware of what's happening. The device may be exhibiting some kind of behavior that the network picks up. The network can then 'talk' to the device and help figure out the problem."
By not involving the user, remote repair would bypass the thorny issue of IT-security policy enforcement, about which Traynor doesn't mince words. "Compliance is already very difficult and it is only going to become even more so," he declares.
A Remote Chance of Remote Control
Remote repair capability, however, is not the same thing as having remote control over a device, the way some businesses have, for example, over a company-issued BlackBerry. Higher ed technologists seem to be in agreement that remote control of the device is not a likely solution for campuses that don't provide phones to students and staff, which is most campuses. "It would be hard for a university to say, 'We're not paying for your phone, but we have control over it,'" Traynor says.
Andrew Korty agrees that "applying direct controls to devices you don't own is a tough sell." Korty is CIO at Indiana University and also acts as deputy information security officer in the Office of the Vice President for Information Technology. He points out that there are limits even to remote-control security: any mobile-device user information that IT administrators collect can, if stolen, also compromise the device's security. "That leaves you with education and user awareness," he says. "You also can provide and promote services and software that students can opt to use. Licensing software that encrypts sensitive data and passwords, sometimes called a password vault, is one example."
Educational campaigns have had some positive impact at the University of Saint Francis (IN), where Randy Troy, director of technology security and compliance, has launched a focused initiative to make security-related information available to faculty and students. "The first thing we do is that, once we have a policy written, we get that message out to the campus at large. We do a presentation, we send e-mails, we hold forums, we get our faces out on campus. That seems to get most of the people on board with it."
Troy also has put up an extensive amount of information on the IT department's website. Written for the most part in non-technical language, the site contains the full text of the university's security policies along with plenty of examples, news, alerts, discussion of the legal implications of violations, and tips for compliance. "I try to write these policies so they are easy to understand," says Troy. "I don't want to baffle people with the terminology. Our main goal is that if users can read it and understand it, they're more apt to abide by the rules. People are busy and will not follow up if they don't understand what they're supposed to do."
Troy reports that users have been largely receptive to the information on the website. Still, he knows that there is no foolproof way to avoid security breaches, especially for mobile devices. "The softest link is always going to be the human element," he notes. That unfortunately leaves campus IT directors in a mostly defensive position. "The mindset now in the IT community is not a question of if a violation is going to happen, it's a question of when it's going to happen," he insists. IT administrators have no choice, Troy suggests, but "to try to get the landscape set" to perhaps not prevent, but at least mitigate, the effects of what seems to be the inevitable.