Every so often during dinner engagements or casual conversation, the topic of kid safety and teen and pre-teen monitoring on the Internet comes up. I should not be surprised since I am in the information security industry and I am privy to many stories, both in the corporate world and home.
But once my chosen career path is conveyed to my audience, volleys of questions begin to fly in order to glean a quick fix or solution. I try to be a good representative of the security industry during these discussions, but the conversation normally ends with either a sigh of despair or complete surprise in the tactics available to our kids in subverting detection.
During one of the most recent conversations, I decided to take off my corporate information security hat and try to become a true D.A.D (Dumb as Dirt) on the topic of home-based solutions to protect our kids on the Internet. With my background and exposure to the elements, I have always felt I had an inside track to keep my house in check on the Internet. In this case, I decided to step back and begin to look at the landscape of products and services from a parent's viewpoint as a measure to meet two basic requirements: ease in implementation and effectiveness in prevention and alerting me to dangers. It was a true learning experience.
Before we dive into the discoveries I made, I wanted to level-set this experience with you with one observation I learned about myself. I began this challenge by wanting to place myself in a standard parental role. Yes, I am a parent but I rely on my ability to be somewhat self-sufficient in regards to security. I really attempted to strip away this crutch in order to learn what the market had to offer a non-technical parent. In doing so, I realized two important points that the security industry has missed in educating parents: the ability to think like your kid and understanding the characteristics of Internet dangers to detect.
The main thing I learned about myself was that it was easy to think of a hacker being the teenager in the basement, but I really had to struggle to pretend it was my teenager. I, as many other parents, have forgotten how to be a teenager and to think and operate like one. Let's face it, when we were teenagers, we may have attempted to bypass detection on things in our life that may have been against our parents' policy. We may have even rationalized why it was important to do so, due to peer pressure or just trying to be cool. Now that we are parents, we sometimes get tunnel vision in communicating our expectations vs. learning why they may not be working. It's the "do it because I said so" approach that I seem to rely upon on certain occasions. That is why I feel that it is important to place yourself in your kids' shoes when you are trying to offer them protection.
Here are some tactics that I have been able to re-learn:
Cool neighbors creating an escape route
As a kid, we always had that neighbor's parent that we thought was great. We always wanted to spend the night or just hang out since it was a cool place. We knew they would let us stay up later than we could at home or play games on the commodore 64 (or TRS 80). This was due to the fact that they had a different policy for their home and it provided inches of additional freedoms that we used to our advantage. Well, the cool neighbors are still around, this time providing a way for your inquisitive kid to once again escape your home network policy altogether. You can build the best security in the world for your kid but that neighbor down the road with the wide open wireless network is the cool place to be now. Today's computer systems are so helpful that they can attach to everything other than the place you want to attach.
A little attention to turning off auto attaching networks and configuring the machines so that only you can join other networks can help make sure that your kids ask for permission first. Be sure to change the default configurations on wireless devices in your house so you accidentally do not become that cool neighbor as well. Having the RIAA knocking on your door, wanting to discuss the thousands of music downloads you just made might cause your kid to be wrongly punished while Jimmy down the street has his iPod full.
Spending the night means spending the next day as tech support
Do you remember getting to stay the night over at your friend's house? Remember the freedom you felt as you entered your friend's house, being able to shed a little boredom by the simple change in scenery? Well, when it's time for bed for your kids and for you to regain your sanity, you wander into your room for the night for that quality alone time that all parents need. The kids, on the other hand, are now contained in your kid's room (for the most part). They can watch TV, listen to radio, talk on the phone and completely trash your kid's computer. They will experiment with every last option, feature, and test what can and can't be accessed on your Internet connection. They will see if that cool neighbor I discussed above is around to expand the reach. They will even teach each other how to do things that subvert your policy. Hey, they have the perfect excuse that it was the other kid so why not try? While you are enjoying the break and relaxing, you kid's room breaks into a scene from the "War Games" movie and the real work begins.
A little prevention can go a long way once you learn what is going on behind closed doors. It will save you time and money on repairing a machine by containing the activity to what you will allow. Turning off the "cool neighbor" access, changing the default configuration on your wireless connections and only allowing the administrator (that is you) to any make further changes will allow you to recover from the night without having to also worry about resurrecting your kid's computer.
'We needed to access that Myspace page'
Kids know how to social engineer parents. They can sometimes cry and whine long enough to make the most resilient parent cave in, for the promise of piece and quiet. As kids fine-tune those skills, it seems that they have the uncanny ability to manipulate one parent while the other one is away. When it comes to Internet access or expanding their capabilities online, what better way to gain access than to social engineer the parent into asking the other parent for that access? Hey, if Mom or Dad need access who will question that, right? Here's how it can go:
"Mom, you have got to check out Jimmy's Myspace page. He has told so-and-so that so-and-so is cheating on her." When mom sits downs with the kid to check it out, they are blocked. Mom then calls Dad and says, "Hey, I need to see something but it's not allowing me to get there. How can I fix that?"
Bingo, social engineering at it's best. I do not know how you deal with those situations but in my home, the short-term solution is a granted exception with a late night reversal of the access. Your mileage may vary so be careful with exceptions to the rule. Yes, it may increase the calls you will receive and may even invite crying or whines, but it's better to bring the issue up so you know to fix it when you get back. It is the path to least resistance, but we have to balance this with the right amount of armchair risk analysis before it is allowed or the next two areas below can happen easily.
Admin for an hour, headaches for weeks
This point normally occurs when the parent that has been socially engineered does not know how to make the changes to open up an exception, or no one in charge has time for this nonsense. In either situation, administrative access (that is your access) is given to the ones that are supposed to follow the home policies for Internet access (kids). This can happen very quickly, especially since most parents are very busy with managing the house. Once again, it is the path to least resistance. If the keys to security are handed over and forgotten about, then your perception of security quickly becomes out of synch with reality.
To help yourself and reduce the headaches, be sure to change passwords in the house regularly. Do not make the passwords easy to learn such as address, zip codes, phone numbers, cat's name, etc., since they will be easy targets when you have the "Spending the night means spending the next day as tech support" above to contend with. If administrator access has been given out to your kids, I would always go back through your network and make sure that something has not slipped in like a new administrator account, a new firewall rule or changes in the kid's machine. It will be painful, but if you keep the administrator account sealed up, you will not get slapped with this "auditing" as much.
No ATM 2-foot rule
When you go to your ATM machine to get money, do you expect to have that 2-foot personal bubble between you and the person waiting in line? Ask yourself why you expect that and you may answer that it is a courtesy and it offers some protection with your PIN number. Now what happens if you're administering systems in your house and your kids are watching your every move? Being at home, the last thing you would want to expect is shoulder surfing, but let me tell you, it happens. If you are not aware of it happening, you could let your kid accidentally become admin for an hour and that is when the headaches can begin.
Be sure to keep your passwords at home safe - both in storage and in use. Do not access your administrative accounts while your kids are watching what you do so they can learn. If you feel that your passwords have been used without your knowledge, change them. Try to politely enforce the ATM 2-foot rule at home whenever you are pouring over the access rules, configuring settings for computers in the house, etc. When you are done at the ATM, I am sure you expect to take your card with you. You would never leave the card in the ATM, logged in with your PIN number and expect anyone using the system behind you to not be a little curious at a minimum, right? Remember that when you finish changing your systems at home to log out. Do not allow your account to become a place where kids can explore without boundaries.
I am anonymous
There are two sides to this argument that need to be understood when thinking about your kids safety on-line: the anonymity before something happens and the anonymity after something happen. Kids are taught and misinformed that the Internet is based on anonymity, which can cause them to do certain things they may not normally do. Out of the box, the Internet connection in your house and all the computers that use it normally "live" at one address. It's the same as your home address in regards to the postman delivering mail. Your mail, your kid's mail, and even junk mail are delivered to your one home address even though there are many people there. When your kids think anonymity, they think of it in terms of the Internet community as a whole. They not worried about your address, only that they are not known in the greater community. They are protected by being an address among other addresses out there, so who is going to know it is them? I never really thought about this but it is a dangerous way to live online.
As parents, we are responsible for everything that goes on at our home address whether we are physically there at the time or not. Same thing goes for our Internet address. For example, your kid knows that if they have a party at home and the music is too loud, the police can show up and they will contact mom and dad. The kids know that they will deal with mom and dad's wrath afterwards. Ironically, your kid does not have this same though or concern when it comes to the Internet. We need to make sure that they understand the same thing applies and that the notion of anonymity is really more theory than reality today. A little coaching in this department can put things in perspective for them.
The penny test is not always effective
I remember my parents used to place a penny on something to see if it was moved by me. This test was effective, especially when I moved the item in question, loosing the penny. As time passed, I began to notice the penny and strategically place it back after snooping around or moving something. When you set up your Internet connection at home, using the penny test will not work very well. Part of security is to make sure that you keep your equipment in a place that will prevent accidental or purposeful changes. If you keep the equipment in the family room, then your best laid plans for securing the Internet are reduced considerably. Look at where you have all of your network gear in your house. Where is your wireless access point? Where is your router? Switch? How about those places where everything eventually connects together? If it is easy for the family to access, it is easy for your kids or the neighbor's kids to change. Make an attempt to keep the equipment isolated from the rest of the house so changes are controlled by the admins (that's you again).
There are many other tactics kids use to work their way on to the Internet that we have not covered, but the basis remains the same. As parents, we have to change with the way our environment changes around us and this includes new technologies and services we use on the Internet. Online games, such as Wii and Playstation, provide ways for your kids to not only play games, but chat and send each other information. Parents must take the time to learn about these capabilities and determine what is best for our homes and our family. Learn to think like the teenager you once were and start figuring out how your can avoid yourself. It will help you see things from your kid's perspective and build the best security possible for your kids at home.
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology which includes an extensive security, compliance, privacy and legal background. Rick has served as the CISO for GE Financial Assurance and Genworth Financial and served in information technology leadership roles within the Hunton &Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at firstname.lastname@example.org.