Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

An Impromptu Lesson on Passwords ..

Published: 2012-04-30
Last Updated: 2012-04-30 01:10:21 UTC
by Rob VandenBrink (Version: 1)
6 comment(s)

I was reading the other night, which since I've migrated my library means that I was on my iPad.

My kid (he's 11) happened to be in the room, playing a game on one console or another.  I'm deep in my book, and he's deep in his game, when he pipes up with "Y'know Dad?"

"Yea?"

"You should enable complex passwords on your tablet"
(Really, he said exactly that!  I guess he was in Settings / Security and wasn't playing a game after all ! )

"Why is that?" I said - (I'm hoping he comes up with a good answer here)

"Because if somebody takes your tablet, it'll be harder for them to guess your password"  (good answer!)

"Good idea - is there anything else I should know?"

"If they guess your password wrong 10 times, your tablet will get wiped out, so they won't get your stuff"  (Oh - bonus points!)

So aside from me having a really proud parent moment, why is this on the ISC page?  It's really good advice, that's why !

It's surprising how many people use the last 4 digits of their phone number, their birthday, or worse yet, their bank card PIN (yes, really) for a password, or have no password at all.  And yet, we have all kinds of confidential information on our tablets and phones - mostly in the form of corporate emails and sometimes documents.

As is the case in so many things, when we in the security community discuss tablet security, it's usually about the more advanced and interesting topics like remote management, remote data wipe or forensics.  These are valuable discussions - but in a lot of cases, basic (and I mean REALLY BASIC) security 101 advice to our user community will go a lot further in enhancing our security position.  Advice like I got from my kid:

  • Set a password !
  • Make sure that it's reasonably complex (letters and numbers)
  • Make sure that it's not a family member name, phone number, birthday, bank PIN or something that might be found on your facebook page
  • Set a screen saver timeout
  • Set the device to lock when you close the cover
  • Delete any documents that you are finished with - remember, the doc on your tablet is just an out of date copy

This may seem like really basic advice, and that's because it is.  But in the current wave of BYOD (Bring Your Own Device) policies that we're seeing at many organizations, we're seeing almost zero attention put on the security of the organization's data.  BYOD seems to be about transferring costs to our users on one hand, and keeping them happy by letting them use their tablets and phones at work (or school).

Good resources for iPad security (as well as Android and other tablets also) can be found in the SANS Reading Room ( http://www.sans.org/reading_room/ )

Vendors also maintain security documentation - Apple has some good (but basic) guidance at ==> http://www.apple.com/ipad/business/docs/iPad_Security.pdf

NIST has guidance for Android and Apple (though both are  bit out of date):
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=403
http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=398
 

Please, use our COMMENT FORM to pass along any tablet security tips or links you may have.

 

===============
Rob VandenBrink
Metafore

Keywords:
6 comment(s)
Diary Archives