An Impromptu Lesson on Passwords ..
I was reading the other night, which since I've migrated my library means that I was on my iPad.
My kid (he's 11) happened to be in the room, playing a game on one console or another. I'm deep in my book, and he's deep in his game, when he pipes up with "Y'know Dad?"
"Yea?"
"You should enable complex passwords on your tablet"
(Really, he said exactly that! I guess he was in Settings / Security and wasn't playing a game after all!)
"Why is that?" I said - (I'm hoping he comes up with a good answer here)
"Because if somebody takes your tablet, it'll be harder for them to guess your password" (good answer!)
"Good idea - is there anything else I should know?"
"If they guess your password wrong 10 times, your tablet will get wiped out, so they won't get your stuff" (Oh - bonus points!)
So aside from me having a really proud parent moment, why is this on the ISC page? It's really good advice, that's why!
It's surprising how many people use the last 4 digits of their phone number, their birthday, or worse yet, their bank card PIN (yes, really) for a password, or have no password at all. And yet, we have all kinds of confidential information on our tablets and phones - mostly in the form of corporate emails and sometimes documents.
As is the case in so many things, when we in the security community discuss tablet security, it's usually about the more advanced and interesting topics like remote management, remote data wipe or forensics. These are valuable discussions - but in a lot of cases, basic (and I mean REALLY BASIC) security 101 advice to our user community will go a lot further in enhancing our security position. Advice like I got from my kid:
- Set a password!
- Make sure that it's reasonably complex (letters and numbers)
- Make sure that it's not a family member's name, phone number, birthday, bank PIN, or something that might be found on your Facebook page
- Set a screen saver timeout
- Set the device to lock when you close the cover
- Delete any documents that you are finished with - remember, the doc on your tablet is just an out-of-date copy
This may seem like really basic advice, and that's because it is. But in the current wave of BYOD (Bring Your Own Device) policies at many organizations, almost no attention is being paid to the security of the organization's data. BYOD seems to be about transferring costs to our users on one hand, and keeping them happy by letting them use their tablets and phones at work (or school) on the other.
Good resources for iPad security (and for Android and other tablets) can be found in the SANS Reading Room ( http://www.sans.org/reading_room/ )
Vendors also maintain security documentation - Apple has some good (but basic) guidance at http://www.apple.com/ipad/business/docs/iPad_Security.pdf
NIST has guidance for Android and Apple (though both are a bit out of date):
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=403
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=398
 
Please, use our COMMENT FORM to pass along any tablet security tips or links you may have.
=============== 
Rob VandenBrink 
Metafore
Comments
https://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.iphone.140
Alex
Apr 30th 2012
Jason
Apr 30th 2012
Or another thing people do is change from FooBar1 to FooBar2, which the algorithms recognize as different, and yet isn't substantially different from the original password, and is easily guessable if one were to crack the original.
It seems that the rules about frequently changing passwords could really only help with the case where the password is inadvertently disclosed somehow. But I guess the question I have is whether the rules about frequently changing passwords are still good advice or not.
Jack Russell
Apr 30th 2012
-Beau
Beau
Apr 30th 2012
If you do not protect your physical machine, you have no security anyway (there are many ways to take over a computer when given physical access).
I consider the hidden Post-It the best solution for the unskilled low-tech employees.
PHP
May 3rd 2012
Dirk
May 3rd 2012