Keeping your kids safe along with your network

Security pros talk about the lessons learned when dealing with kids and computers.


Ah, youth

Corporate IT security pros who have to lecture employees on proper security protocols may feel like they're dealing with recalcitrant children. So imagine how pros who have to deal with actual children -- or at least teens and college students -- feel. We talked with a variety of people who work with teens on tech security issues to find out what's different about this user group. Remember: the children are our future, so we need to learn what we can now.


Young people operate in a specific technical environment

When thinking about a teen-focused security policy, you have to keep in mind that teenagers operate under tech constraints different from most adults. For instance, David Coher, director of compliance and safety at Southern California Edison, runs volunteer classes for teens about law, security, and technology through Southwestern Law School's StreetLaw program; he told me that for most teens, their "personal computer" is their phone. They inevitably regard a PC (almost always a laptop) as a resource that's shared, either with their family or at their school; private material would stay on their phones, and they're pretty good at hiding it from their parents.


They bring the devices, you supply the network

Since they're very attached to those phones, good luck getting them to part with them or exchange them for a corporate-approved device. "Young people love BYOD," says Matthew Nappi, a senior IT security analyst at Stony Brook University. "For many young people, BYOD is all they will know throughout their entire life. Telling them what they can and can't have on their own devices is not totally feasible."

They also expect omnipresent network availability for those devices, and will prefer Wi-Fi connections so as to not strain family data plans. Reg Harnish, CEO of GreyCastle Security, notes that many teens have become accustomed to "free" Wi-Fi, "widely available across high school and college campuses" -- and may be more trusting about connecting to unknown networks as a result.


The confidence of youth

GreyCastle's Harnish says that teens will take risky actions like connecting to dodgy public Wi-Fi networks due to the sense of confidence many of us remember from our youth -- "it would never happen to me"!

According to Paul Kubler, the digital forensic and cybersecurity examiner at cybersecurity firm LIFARS, "the main challenge with protecting teens is learning how to handle their confidence. Often they believe that they are immune to hacking. It is this perception of superiority that allows them to fall into traps, especially those set by illegal file sharing sites. The Nigerian Prince Scam doesn't fool teens, but having eight similar download buttons on a music sharing site may. It is important to stress that teens remain cautious and untrustworthy of the Internet."


Click the shiny buttons

Young people are often the targets of those bewildering download pages where there are multiple blinking buttons and it's not clear what any of them do, or other attempts to get them to click on something that isn't quite right. "Teens are particularly vulnerable to visiting inappropriate sites with malicious links and also to phishing scams," says John Peterson, vice president of enterprise product management at Comodo. "Cybercriminals are becoming extremely clever when crafting their messages and targeting them to specific audiences. They're using well-known applications or social platforms and action-oriented language in the subject lines to entice recipients to open the emails, click the links or attachments and spread the malware." Peterson adds that phishing emails often take the form of "message notification for a popular social network used by teens, like WhatsApp or Facebook."


A matter of trust

Jim Ivers, chief marketing officer at Cigital, points out that "teenagers grew up in a world where Web apps and mobile apps were standard, so they don't carry the natural cynicism and distrust inherent with older generations. While this may not make them susceptible to specific attacks, it does mean that they are more vulnerable to providing personal data."

That trust can also extend to their friends and romantic partners as well, to an extent that might seem strange to adults. Kevin Shahbazi, CEO of LogMeOnce, says "sharing passwords among a group of friends is common. This sometimes leads to bizarre pranks, such as announcing a pregnancy on a social media account, where the actual account owner is not even aware of it.


Security can be (a little bit) fun

LogMeOnce's Shahbazi suggests that "using a password manager is a simple approach to online security by actually protecting your identity. The majority of password management products are capable of rendering such services. If you like to make it fun, you can use a product that does more than passwords."

Why share passwords? Southern California Edison's Coher said many kids, who are forming their first deep, adult-style relationships, have a hard time imagining that today's sweetheart or BFF might betray them in six months. He also said that because the practice is sharing passwords on social media accounts is so common, their peers are more likely to accept this as explanation as to why something bizarre or horrifying was posted under their names. He tries to hammer home the concept of "N.E.R.D.: Nothing Ever Really Deletes."


What do they have to lose?

LogMeOnce's Shahbazi points to one potential reason why a casual attitude about security might persist. Most adult and corporate users are worried about threats to their finances or their well-established identity. But teens will perceive "limited threat to their financial assets" -- quite simply because they often have few assets of their own. And when it comes to their social media presence, they feel that "they can leave and quickly build another tent (account) ... and there goes the need for creating strong passwords."


The rich are different

There is one big exception to that last idea, though: the children of the very rich, who cybercriminals see as a potential gateway to their families' wealth. According to Bob Courtemanche, senior managing director, Private Client Practice Leader at Risk Strategies Company, cybercriminals use the usual attack vectors on wealthy teen's online accounts -- "the same passwords used for multiple sites, devices without updated anti-hacking software, sharing credit card data on unsecured sites, and using unsecured Wi-Fi hotspots" -- but there are some kid-specific techniques. "For children particularly, playing online games with a large number of participants they don't know and engaging with a large audience on social media leaves them especially vulnerable."


The best defense: Stop them from offending

Risk Strategies Company's Courtemanche is sometimes called upon to protect kids from themselves, since irresponsible behavior combined with family wealth can invite trouble. "There are risks of lawsuits from damaging social media posts -- either shared in words or pictures," he says. "Posting potentially harmful photographs and words about others online where large populations are viewing and commenting has been leading to personal injury lawsuits claiming libel causing emotional distress and reputational damage. This can very much be an adult issue as well, but parents need to caution their children if they are using these social media outlets to comment or post pictures involving others."


Sussing out the fake teens

Sharon Cichy is the co-founder of psych.E, which aims to be a forum for safe, anonymous peer-to-peer mental health support for teenagers. One of the challenges psych.E faces is making sure its teen users really are teens. "We are looking for ways to have the minors have a code from either a professional like a guidance counselor or a treatment provider, like a therapist or a doctor," explains Cichy. "This gives us an initial layer of protection that the teen is who they say they are. After that we are planning to have anonymous avatars and only certain areas where teens can connect and we will incorporate algorithms to catch anything that could be construed as alarming or dangerous and down the line, monitors tracking the info at all times."


Teach your children well

In the end, there is probably no shortcut other than educating young users about online risks, just as you would with adults. SoCal Edison's Coher says the teens he works with are intrigued when he shows them his separate work and personal phones, and receptive when he explains that you shouldn't text or email anything you don't want someone else eventually seeing.

Stony Brook University's Nappi emphasizes that the goal is to combat the "permissive culture of education and BYOD" and "prevent them from willingly installing malicious software, like peer to peer VPN and file sharing applications that come with inherent risk."


Observe them in their native habitat

If your end users are going to be teens, you need to involve them in your testing process. One company that took that lesson to heart is Cigital, which offers a mobile application security testing suite, among other services. "The Cigital Assessment Center its located in Bloomington," says Jim Ivers, Cigital's chief marketing officer. "We offer a significant number of student internship opportunities to provide them real working experience with our security experts. As a result, we have a large contingent of college age students performing testing on our managed services offerings, providing our security experts real-time access to the habits of this age group, and the experience is integrated into our testing processes."


Teens are not a monolith

Perhaps the biggest mistake you can make in working with teens, says Coher, is that they're all alike when it comes to technology (or, for that matter, anything else). We may think of young people being hopeless oversharers, but Coher says that "there is a contingent who aren't on social media, specifically because of privacy concerns." And there's a larger group who for the most part lurk without posting anything. There are even, he claims, true luddites teens -- and if there's room in the world for luddite teens, then there' room for a lot of tech diversity indeed.