The holidays are coming and your kids are getting older. Maybe this is the year you gift them that device they’ve been clamoring for. Maybe your little kid wants an iPad or Kindle. Or your tween is ready to have a phone. Or you want the whole family to graduate to a game console that’s connected to the web. You’re excited to buy new tech (because who isn’t), but your finger hesitates over the “Add to Cart” button. You wonder if you’re spending a lot of money just to buy yourself a ton of headaches (and, maybe, heartaches too). You know you’ll need to consider security, but how does device hardening for kids work?
Handing a kid a new device can feel like opening Pandora’s box. There’s a lot to consider in terms of information security and emotional safety. We can’t say whether or not an escalation of the tech in your kid’s life is right for them or your family. But we do have some advice on how to harden that device once you’ve taken the plunge to purchase it.
What Does Hardening Mean?
There are a couple of ways to think of hardening when it comes to devices. The first is understanding that attacks are going to come and damage is going to be sustained. But with proper preparation (hardening), the damage can be minimized and survived. Let’s use an analogy: when you gave your kid a bike for his birthday, you were certain he was going to fall off of it, right? There’s no riding without falling. So you gave him a helmet and made sure he wore it. (And if he was more klutzy than average, you threw in some knee pads too.)
When that same kid gets a little older and wants a personal device, you should be aware that he’s going to “fall” with it too. He’s going to click on a malware containing link, search for something you’d rather him not see, and communicate with “friends” who might not have his best interests in mind. Just like you accepted the risks associated with the bike, you need to be realistic about the risks associated with a phone or tablet.
The second way to think about hardening is minimizing attack surface. The bike analogy doesn’t really hold here since a bike is a simple machine with one purpose and your shiny new device contains a world of capabilities. Take the time to ask yourself why you are giving your child a device. And place limits on its capabilities that fit your “why.” You can minimize the risk by minimizing the capabilities.
In professional information security and compliance, smart security managers know that people matter. You can have all the physical and digital safeguards in the world, but if your users are careless with passwords and clicks, your organization is still at risk. As a parent handing a kid a new device, you need to train that child to be as good as the best employee.
Before purchasing any device, determine why your child is receiving it and limit the capabilities to those ends. In enterprise security, we call this the “principle of least privilege.” Least privilege simply means giving a user access to only the applications and data they need to do their job. For your kid, this means being crystal clear that their phone is only for calls and texts (no Snapchat or TikTok). Or this tablet is for playing offline games only–you can only join the wifi network when a parent is with you. The possibilities are endless and will be specific to your personal preferences and your child’s readiness. Your rules will change over time. But be sure to start with really clear guidelines and get your spouse and/or co-parent(s) on the same page.
Provide your child with clear instructions on what to do if something fishy happens. Like an employee with a chain of escalation for phishing emails, your kid needs to know the protocol. If someone sends you an email purporting to be Grandma but you don’t think Grandma knows how to use a computer, what do you do? If a number you don’t recognize calls or tries to share an image with you, what’s the plan? If they receive an oddly worded message or calendar invitation that contains a link, should they click it?
Unlike most adult employees, however, kids need some Internet 101 lessons. They need to be taught, explicitly, not to trust everything they read and everyone they interact with online. And, while their brains might not be ready to fully comprehend, it’s important to try to impart the lesson that anything they say or post could follow them forever. There are plenty of books out there to assist you in this monumental task. Read reviews, check age ranges, and find the one that suits your situation. And remember that one lecture about safety on the web is not enough. You’ll need to check in with your child regularly and do “refresher courses.”
Hopefully, by now, you’ve considered all the soft skills your child will need to have in place before you hand her a new device. Now let’s get into the digital controls that you can set up to help you maintain your sanity and your kids’ safety.
Debloat. Remove any applications that are unnecessary to your stated reason for its existence in your life. Every app represents a new attack surface. So embody that minimalist philosophy and cut back as far as you can bear. iPhones can be configured to prevent kids from installing or removing apps. Consider enabling this feature if you are concerned about what your child might install.
Enable automatic software updates. Both your device and any apps you allow to live on it will need to be updated periodically. Since you as the parent may not be handling your child’s device much or at all, you should enable updates to be installed automatically. Updates frequently contain security patches that you need to have in place to ensure safety.
Set up two-factor (or multi-factor) authentication for all accounts. Any application from Google to all of the social media giants offers this form of authentication. This feature only allows a computer to access an account once the user has verified their identity via two or more mechanisms–often a password and a code sent via text.
Set the device to lock when it’s not in use. Kids walk away from devices all the time. If they’re out in public (or even around friends in their homes or at school), you don’t want their device open and susceptible to either data theft or pranks. Set the device to open with either a PIN, fingerprint, or retina scan. (And teach the kid what makes a good password and why they should never share it with anyone.)
Enable remote wipe. The chances are high that if a device leaves home in the hands of a child or teen it will be lost or stolen. You’ll want to remotely wipe all data even if it’s set to lock when not in use.
Use full disk encryption. This is standard for iPhones but will need to be turned on for Android devices.
For Android, use the built-in VPN configuration. For other devices, install a high-quality, paid VPN service if the device will be used on public wifi.
Disable auto-joining networks. Most devices are set this way by default. But you should check your child’s just to be sure. Auto-joining a network puts you at risk everywhere you go. Public wifi and hotspots can expose your data and increase your security risk.
For iOS devices, turn AirDrop receiving off. Sadly, nefarious users have found that AirDrop is a simple way to engage in cyberflashing (yes, like that kind of flashing) and they do not discriminate when choosing their targets.
Install parental controls, locks, and/or monitoring software. You’ve decided to give your child a device to call their own, so you trust them on some level. But you may want some hard controls on their activity for your own peace of mind. Apple offers a range of settings on iPhones. You can disable purchases and built-in apps (turning off the camera, for example) as well as limit web and Siri search results. For Android devices, consider enabling Google’s parental control software, Family Link. Family Link can set device “bedtimes,” set usage limits on individual apps, and more. A service like Bark can monitor multiple devices, apps, and accounts across all family members for mentions of violence, self-harm, drugs, alcohol, sexual content, and more.
Install anti-virus software if applicable. Since game consoles are not susceptible to malware in the same way that other computers are, anti-virus software doesn’t apply there. But if you purchase any type of Android device or PC for your child, you need to invest in quality anti-virus software. There are dozens of options at every price point. For iPhones, you really cannot buy a true anti-virus product. Apple prevents their sale in the app store and for good reason: they built the device OS with security as a central feature. Plus code is closely reviewed for every app in the store to prevent malware from entering the ecosystem. Your Macbook is another story. While still minor compared to PC attacks, Mac-based malware is out there and growing. You need to install AV software.
The Bottom Line
The principles that apply to employee users on an enterprise computer system are pretty handily applied to your kids. The principle of least privilege is important to keep in mind, as well as the idea that you must prepare the human end user at least as much as you prepare the device itself.
In a recent New York Times parenting advice column, the Editors tackled the topic of tablets for the 5 and under set. They tapped David Hill, assistant professor of pediatrics at the UNC School of Medicine for his advice. He said, “I think the parent remains the best parental control. There’s no technology that replaces your own eyes and ears.” This is a rare case where the best practices of IT security and parenting overlap. The human element matters!
At Asylas, we value the human element! We are an empathetic, relational information security firm. Our customers love to work with us and say we make security fun. Contact us at firstname.lastname@example.org or 615-622-4591 if you need a consultation.