Mastering Mobile Security
- By Joseph C. Panettieri
- 12/27/06
How can you address security challenges when your data is always
on the move? Here are five secrets for success in 2007.
IS YOUR MOST vital information walking out the door or
sneaking off campus?
That’s the question you must address in the age of mobile
computing. A decade ago, most university information was
safely protected in data centers or tucked away on departmental
servers. But e-mail, FTP software, USB thumb drives,
smart phones, notebook computers, and other mobile
devices mean your data is always on the move.
Sure, mobile technology and ubiquitous networks improve
productivity and keep us all connected. But they also introduce
new security challenges that universities must address.
Consider this startling piece of information: More than 2.6 billion
mobile devices now access online services, yet only 30
million of those devices have basic security safeguards in
place, according to McAfee, the antivirus
software maker.
Without proper security, mobile devices are easy targets
for worms, viruses, and so-called robot (“bot”) networks.
Hackers increasingly use bot networks to launch massive
attacks against eCommerce websites—potentially targeting
your online tuition payment or fundraising/financial
development systems. How can you defend your mobile
systems against such threats? There isn’t a single magic
bullet solution, but the path to mobile security involves five
basic steps for success.
Step 1: What’s Your Policy?
Most universities have security policies in place for desktop
PCs, notebooks, servers, and overall network access. Progressive
universities post these policies on their websites.
Through automated e-mails and network alerts—typically
sent once each semester—universities can prompt students,
faculty, and staff to read and adhere to the
written policies. Those policies, coupled with regular
electronic software distribution, ensure that systems
receive timely software patches and antivirus
updates.
Still, a review and revamp of your security policies
(to include smart phones, voice over IP devices, and
other emerging mobile technologies that connect to
your university network) may be overdue. Be sure to
determine and communicate:
- Which smart phones and VoIP devices are
approved for use on your network?
- What are the terms associated with using these
devices?
- What specific security solutions must users
embrace to safeguard these devices?
Although attacks directed at smart phones and
VoIP devices have been minimal so far, you’ve got to
remain proactive. VoIP devices and WiFi networks
will increasingly come under attack in 2007; for
instance, hackers are now flooding the web with new
tools, such as the Metasploit Project, that specifically target WiFi systems.
Overseen by an Austin, TX-based programmer,
Metasploit is an open source, point-and-click attack
tool that can wreak havoc on WiFi systems.
Your wireless LAN experts should look at Metasploit to
get a feel for the types of wireless attacks your university
may face in 2007. Meanwhile, it’s time to polish your written
security policies, post them on the university website, and
take steps to enforce the policies across your user base.
Step 2: Plug Information Leaks
So-called “information leakage” is another big concern facing
CIOs today. Whether it’s financial data, student information,
or faculty research, you have to ensure that intellectual
property d'esn’t leak from your network onto the internet or
mobile devices.
Some information leakage—such as an errant e-mail—can
be accidental. But a great deal of leakage can be traced to
unscrupulous staff, disgruntled employees, or students with
too much time on their hands. USB storage devices, CDROMs,
FTP software, fax machines, e-mail systems, and
instant messaging software all are prime avenues for information
leakage. With a few clicks of a mouse, gigabytes of
data can easily be copied or stolen.
To combat such threats, companies such as Symantec and Websense are developing software that prevents information
leakage. Websense, for one, has partnered with the startup
PortAuthority Technologies to
develop “deep content control” technology that helps control
how sensitive data can leave an organization and under
what circumstances. PortAuthority’s software monitors internal
and outbound traffic, and detects when users attempt to
make specific data available outside a university’s designated
IT borders. In the first half of 2007, Websense plans to
ship software—developed in partnership with PortAuthority
—that prevents such leakage.
Websense isn’t alone. In October, Symantec introduced
Mail Security 8300, an appliance with integrated content
filtering that helps universities comply with internal policies
related to e-mail content. The appliance also features antispam
and antivirus capabilities, along with newly written
code that mitigates information leakage.