Maintaining Security in a BYOD School
Keeping your data resources safe and network secure in a bring-your-own-device environment on campus requires applying pressure where it will have the biggest impact.
- By Dian Schaffhauser
- 07/18/12
Duane Baldwin, who holds the CISSP certification from (ISC)2 and the CRISC credential from ISACA, has worked in banks, nuclear weapon labs, and higher ed. Although nuclear labs are far more secure than any other environment ("because after all, if a bank blows up, it doesn't take the city with it..."), Baldwin said colleges and universities face their own travails in attempting to keep up with BYOD security challenges.
In a typical college setting, "you'd notice if I brought a laptop or desktop and tried to set it up," Baldwin pointed out. Not so with a smartphone. "It fits in my pocket, and these devices are incredibly powerful."
Where's the harm in that? A user could outfit an Android tablet with a micro SD or SD card, pop the card out when nobody's looking, plug it into a computer, download information onto it, and put it back into the tablet, and "you'd never have any idea that I took anything," he noted.
Or the user could more directly load malware into the computer from the flash card to create a backdoor that provides visibility into resources being accessed by other users on that computer. "If you're just looking at mobile devices as tablets, then you're missing the fact that they're intelligent. They have storage. They're capable of running things off of [memory cards]."
He said he's seen situations where a user has plugged in a smartphone near another device and left it there overnight to recharge. The next day, the user has shown up to reclaim the phone and then disappeared. If the device was connected to Wi-Fi during that period, it could have captured data traffic and transmitted everything that went over the network to some location thousands of miles away.
So just how do you prevent bad things from happening in a BYOD environment? Baldwin, a senior technical manager with expertise in security for Experis, a Manpower company, has plenty of advice.
Remember, Social Engineering Still Works
Imagine this scenario: A student with a job that provides access to the campus email system walks into the local coffeehouse that advertises free Wi-Fi. His or her iPhone "promiscuously" connects to the wireless network. The student has already "jailbroken" the smartphone to gain root access to the operating system in order to download unofficial applications, extensions, and themes not available in Apple's App Store. But what the student may not have done is change the default root password.
The person at the next table checks security on the newcomer's device and discovers that the default root password is still in place. That grants the black-hat hacker access to anything on the phone, including, perhaps, the abilities to read, send, and receive emails posing as the student. "If I can get information, I might be able to bypass security," Baldwin explained. "I may not know the login IDs and passwords, but I may know enough to convince the people who do have them to get the information and send it to me. I never have to come on campus to do it."
For that reason Baldwin said IT needs to pay attention to device configuration in three areas.
Establish Basic Requirements for Granting People Access to the Network from Their Devices
Baldwin suggested putting together simple rules: Don't let users jailbreak their devices; don't let them put anything on there that isn't vetted by an app store. If it's a university-issued device, don't let them install apps that haven't been approved first.
If nothing else, he noted, "It's something you can hang them with later. If they're going to do things they shouldn't do, you can at least say, 'It's not like we didn't tell you about it.'"
Require a Password on the Device
Obvious, right? But the hacker would have a much tougher time breaking into the student's phone if there were even a four-digit PIN set up as a password. Plus, Baldwin added, "If you lose [the device], someone can't get into your information."
Don't Let the Device Connect Automatically
This is a simple idea, Baldwin admitted, but effective too. If the smartphone is sitting in the student's pocket and is set up to connect every time it comes to an open network, it will. "Just the fact that you have to say yes means you're doing something with it at the time, and you may notice something else is going on that shouldn't be."
The challenge, of course, is that an automatic wireless connection is convenient, so a lot of users won't bother to require even a quick confirmation step.
Isolate Your Networks
Since many users won't bother with even these rudimentary conditions in a BYOD setting, Baldwin strongly recommended putting users by default onto a wireless network that doesn't connect to anything related to university operations. University business can then take place on a network that requires an authentication process so that the device can be checked against campus computing policies and managed just like any other type of computer. "If someone isn't willing to buy into your security philosophy, you don't allow them into your network," he stated.
"Everybody wants their campus to be a hotspot," he added. "But do you really want that hotspot to then provide access to any of the information in human resources or in a medical school with health information covered by HIPAA? Do you want users to be able to access the school bookstore and possibly get credit card information from it? Those are all [areas] that have been attacked."
As Baldwin explained, "If users want to do their Facebook and their shopping and check ESPN, and it clogs up that open network, it still leaves the other network available for the real work we're trying to accomplish."
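The three device requirements above (no jailbreak or unvetted apps, a passcode, no automatic joining of open Wi-Fi) and the two-network design in this section fit together as a single gate: a device stays on the open guest network by default and is admitted to the authenticated campus network only if its configuration passes every check. The following Python is an added example written for this article, not code from Baldwin, Experis, or any campus; the posture-report fields, the store names, and the `run_demo` devices are all constructed, and a real deployment would take these values from its MDM or NAC product and enforce the resulting decision through 802.1X or VLAN assignment, which is outside what this example shows.

```python
"""Device posture gate for a BYOD campus network (added example).

Models the article's policy: any violation of the basic device requirements
keeps the device on the Internet-only guest network; only a fully compliant
device is placed on the authenticated campus network where it can be managed
like any other computer. Field and store names are assumptions for this demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

GUEST = "guest"    # default SSID: Internet access only, no route to university systems
CAMPUS = "campus"  # authenticated network for university business

# Constructed allow-list of app sources the university treats as vetted.
APPROVED_STORES: Set[str] = {"apple_app_store", "google_play"}


@dataclass
class Posture:
    """Constructed posture report; a real MDM/NAC would supply its own schema."""
    device_id: str
    jailbroken: bool
    passcode_set: bool
    auto_join_open_wifi: bool
    app_sources: Set[str]
    university_issued: bool = False
    installed_apps: Set[str] = field(default_factory=set)


def evaluate(p: Posture, approved_apps: Optional[Set[str]] = None) -> Tuple[str, List[str]]:
    """Return (network, reasons). Any listed reason keeps the device on GUEST."""
    reasons: List[str] = []
    if p.jailbroken:
        reasons.append("device is jailbroken or rooted")
    if not p.passcode_set:
        reasons.append("no device passcode or PIN")
    if p.auto_join_open_wifi:
        reasons.append("device auto-joins open Wi-Fi networks")
    unvetted = p.app_sources - APPROVED_STORES
    if unvetted:
        reasons.append("apps from unvetted sources: " + ", ".join(sorted(unvetted)))
    # University-issued devices additionally need every installed app pre-approved.
    if p.university_issued and approved_apps is not None:
        unapproved = p.installed_apps - approved_apps
        if unapproved:
            reasons.append("unapproved apps on university-issued device: "
                           + ", ".join(sorted(unapproved)))
    return (GUEST, reasons) if reasons else (CAMPUS, [])


def run_demo() -> Dict[str, str]:
    """Evaluate a few constructed devices and return {device_id: network}."""
    approved = {"mail", "lms"}  # constructed approved-app list for issued devices
    devices = [
        # Compliant personal phone: admitted to the campus network.
        Posture("phone-ok", False, True, False, {"apple_app_store"}),
        # The article's coffeehouse scenario: jailbroken, auto-joins open Wi-Fi.
        Posture("phone-jailbroken", True, True, True, {"apple_app_store", "cydia"}),
        # No PIN at all: a lost device exposes everything on it.
        Posture("tablet-nopin", False, False, False, {"google_play"}),
        # University-issued tablet with an app that was never approved.
        Posture("issued-tablet", False, True, False, {"google_play"},
                university_issued=True, installed_apps={"mail", "game"}),
    ]
    decisions: Dict[str, str] = {}
    for dev in devices:
        network, reasons = evaluate(dev, approved)
        decisions[dev.device_id] = network
        print(f"{dev.device_id}: {network}" + (f" ({'; '.join(reasons)})" if reasons else ""))
    return decisions


if __name__ == "__main__":
    run_demo()
```

The decision is deliberately all-or-nothing, which is the stance Baldwin describes: a device that does not meet the baseline is not partly trusted, it simply stays on the hotspot network that reaches nothing the university runs.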
Convince Campus Administration to Find the Money to Fix Problems Before They Happen
Baldwin said some organizations only learn how affordable proper security mechanisms are after they've suffered a data breach that costs them many times more than the original solution would have. Those stories--and they happen in every segment, including higher education--may help IT and security divisions sell campus administration on providing the funding for, for example, adding encryption to campus-issued computing devices, buying the infrastructure components needed to set up a properly segmented network, and licensing mobile device management software.
Take Advantage When Students Expose Weaknesses in the Network
In his experience, Baldwin said he has found that the top time for hacking into networks in a university is Christmas time. "All the students are on vacation, and all the system administrators are also on vacation." That means the people who should be catching the "bad guys" are out, leaving the students more opportunity to go exploring on the network.
Baldwin referred to a scene in The Social Network, the movie about the creation of Facebook, in which Mark Zuckerberg is brought before a Harvard administrative board for violating numerous university policies, including breaching security. In Aaron Sorkin's script, Zuckerberg tells the administrators that he deserves "some recognition" for what he's done by pointing out some "pretty gaping holes in your system."
While Baldwin didn't advocate rewarding students for getting into places they shouldn't be on the network, he said he does believe there's value in acknowledging their indirect contributions to security. "Students should be given a way to point out vulnerabilities they find in a non-confrontational way--something along the lines of the old suggestion boxes that were supposed to provide anonymous feedback to management," he said. "If you don't treat the students and their concerns with respect, they may find a way to let the whole world know that you consider your ego to be more important than the security of the university's systems."
Before an Incident Happens, Put Together an Incident Response Plan
When considering the likelihood of a security problem, "It's not a question of if, it's a question of when, especially in a university environment," Baldwin said. Schools need to prepare by understanding what the major risks are to better equip IT to respond appropriately.
That response needs to include a plan for dealing with exposed information that shouldn't have been made public. "Don't even think about a cover-up," Baldwin declared. Those that have fared the best in the public eye, he said, are the ones who have been forthcoming about what took place and why it happened.
Planning also needs to sort out how communication should happen. Leadership should know about the security incident within 24 hours, Baldwin said. As soon as sufficient information has been gathered regarding the extent of the breach and its probable causes, it should be pushed into the hands of people who are on the business side for decision-making. "The CIO shouldn't be making decisions about whether or not the university should be put at risk financially."
Set Your Realm of Control
Ultimately, IT needs to set a marker somewhere between total access and no access for mobile devices. "And both of those are bad situations," Baldwin noted. One extreme may push users to set up their own access points, which others will connect to because they're not properly secured. The other extreme opens up the campus to all kinds of network management challenges.
Although ultimate risk management decisions reside with non-IT decision-makers, IT leaders need to be prepared to define what their realm of control will be in regards to BYOD. "You can't secure everything 100 percent," he said. "So what are you going to allow? Then what are you going to require and what you will give [users] access to? How will you limit your exposure? Decide what you want to support, what you're willing to support, how much you're willing to spend on it, and then do it."
Duane Baldwin will be speaking on the topic of security on iPad and Android tablets at an upcoming conference on mobile and smart device security, hosted by MIS Training Institute.