Mobile Device Security Tutorial

• By Paul Timm
• 07/01/14

Security for mobile devices differs in different kinds of organizations. Enterprise organizations, for instance, must protect intellectual property, personally identifiable information and proprietary competitive data. IT security standards at most companies would likely require among other things wiping data from lost smart phones, tablets or laptops.

By contrast, K-12 school districts that control access to Internet and network sites and what is stored on mobile devices may not have proprietary concerns. “Typically, this material will be open source — coursework and research in math, history, English and so on,” says Eric Green, director with Atlanta, Ga.-based Mobile Active Defense, a company that develops software to secure mobile devices. “Security for primary and secondary schools has to do with controlling access through username resolution, managing and monitoring how students and staff use devices and ensuring that the devices capable of accessing the district’s network conform to district policies.

“This involves making the devices tamper resistant and creating a system of content filtering that students can’t turn off or change — that’s important because students make up the primary group of cyber attackers in K-12 schools.”

A school IT department should also build a public key infrastructure with certificate authentication, set comprehensive policies and manage the policies carefully, continues Green.

The mobile security structure for the district network should include content filtering that might for instance include blocking hacker sites, gambling sites and pornography sites. Green calls these three good examples of the types of sites that must be blocked — for the network generally. “These three kinds of sites tend to be sites with malicious stuff,” he says.

Management goes beyond blocking and filtering technologies. Green recommends personal intervention with positive and negative reinforcement.

Negative reinforcement might involve calling a student in and telling him or her: You tried to go around a network policy and security precaution that blocks an Internet site. This policy is important to your safety and the safety of other students and teachers using the network. Our security system recorded what you did and reported it. You must change your behavior and abide by security policies or you won’t be able to use the network to access the Internet anymore.

On the positive side, you might tell students that they are moving up a grade and so qualify to access more Internet content. If you handle these new privileges appropriately, we’ll expand access again. “Positive reinforcement gives students incentives to comply with policies,” Green says.

The BYOD variable

Schools that rely on students to bring their own mobile devices have different security challenges. According to Green, one key BYOD policy involves requiring mobile users to access the school’s WiFi instead of using their own mobile and cell networks — IT, of course, can’t block and filter those networks without significant device level controls in place.

“Risks and vulnerabilities arise from the characteristics of particular devices,” Green notes. “For example, Apple iPhones and iPads allow users to delete management controls, while Samsung devices provide real security controls, allowing an administrator to lock devices down and prevent certain actions. In other areas, however, Samsung has fewer management capabilities.”

Bandwidth management

Green also urges IT security directors to track usage throughout the day and evaluate it in terms of available bandwidth. “You can use the content filter and mobile firewall to manage bandwidth, too,” he says. “The risk here is that you use all of your tools to manage security, and the network still goes down because all the kids decide to watch television on permitted sites one afternoon.”

It is beyond the scope of this article to provide a comprehensive treatment of mobile device security, but public key infrastructure, blocking and filtering, comprehensive policies and careful management of online activities as well as bandwidth stand out as key issues to consider.

This article originally appeared in the issue of .