Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Recently, there was a very public example of how not to do a tablet deployment. The Los Angeles Times reported that the Los Angeles Unified School District had been forced to suspend a program to provide iPads to students because several hundred students had figured out ways to remove security restrictions put in place by school administrators.

    As it turned out, the LAUSD did not use sophisticated tools to manage their iPads. They merely used ActiveSync accounts, which students were able to “hack” by simply deleting them from their tablets. This allowed the students to gain control of their iOS devices and use them to stream music and visit social media sites. (The school district has since taken back all of the issued iPads.)

    This incident highlights the many pitfalls of trying to deploy and manage mobile devices in any large, organized setting. A more sophisticated device management solution may have been needed, but it would have raised costs (both up-front and in the long term). So instead, they relied on a relatively simple and easy to maintain solution – which, unfortunately, was easily defeated. From a purely technical perspective, solutions for this problem were available, but were not chosen.

    However, what’s more interesting – and what we can learn from – is the why. The technical issues can probably be resolved without too much difficulty. Why did students feel the need to hack their devices? One student said it best: they took the devices home and “they can’t do anything with them.”

    Simply put, the students viewed these iPads as personal devices, with their data, and theirs to do as they wished. That, in and of itself, is a valuable lesson for enterprises trying to secure and protect their employee’s devices.

    Despite the rise of consumerization, divisions should still exist between “personal” devices and “work” devices. Mobile device management attempts to bridge this divide, but it does add complexity and cost. Just as importantly, user mindsets about what’s “personal” and what’s “work” still exist. That means that corporate data can be placed at risk due to exposure on “personal” devices.

    What might be more important than technical solutions is to change and understand mindsets. Part of the strategy for dealing with consumerization is the understanding that “work” information on “personal” devices means that behavior has to change, too. You can’t, say, hand off a tablet with your work email to your child to play Candy Crush – that would just be silly. Employees have to understand that more than technical limits, behavioral limits apply, too.

    Conversely, enterprises have to understand that imposed limits on “personal” devices have to be reasonable. Here, the limits were so strict that students had plenty of motivation to go around them.  Enterprises have to be careful that their own limits aren’t similarly evaded – either by either “hacking” authorized devices or just using unauthorized ones.

    In dealing with consumerization, we’ve always said it was important to have a strategy. Obviously, different organizations will have different strategies depending on their needs, capabilities, and potential threats. What this incident teaches us is that in order for that strategy has to be sensible, reasonable, and perhaps most of all: enforceable.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Lenny

      Excellent observation and conclusion as well as point made on the need for behaviour modification when using what are preceived to be “personal devices.” The pervasive impediment to learning and ethical conduct is learned behaviour starting in a home-family environment and later affected to varying degrees by peer pressure which seems to always be tipped in favor of negative behaviour choices.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice