Security Awareness Blog

New iPhone Addresses 2 of top 7 Human Risks

In February of this year we released some initial research highlighting what we believe to be the Top 7 Human Risks. By top human risks we mean the risks most commonly shared across organizations, which is where many security awareness programs should start. Apple's new iPhone/iOS release addresses two of them.

  1. Updating: Surprisingly, one of the most common human risks we found is that most people have no idea that updating their operating system and apps helps keep them secure. If they think about updating at all, they think only in terms of new features or functionality. Updating is becoming more and more critical, especially as people telecommute and organizations support BYOD (Bring Your Own Device). The new iPhone/iOS 7 addresses this risk by adding automatic updating of apps. Auto-updating may not be the best solution for some organizations (especially where availability is mission critical, such as financial, health care or industrial control systems, and an untested update can break something). However, for the millions, if not billions, of ordinary smartphone users around the world, auto-updating is just what they need. They no longer have to think about it; their devices stay current, closing the vulnerabilities the vendor has already patched. (An update fixes only what has been patched, so a current device is still exposed to flaws the vendor does not yet know about, but it is no longer exposed to the old, well-known ones that most attacks rely on.)
  2. Authentication: The second feature I'm excited about is biometrics, the use of fingerprints. Passwords are one of the most broken authentication methods we have; they continue to bewilder most ordinary computer users, and to be honest even me at times. Apple has attempted to eliminate many of the problems with passwords by adding a fingerprint reader. Apple's implementation of biometrics has attracted some controversy because a team of researchers were able to bypass it with a copy of the owner's fingerprint. Of course they could bypass it: once an attacker has physical control of a device, no security is perfect. The question becomes (and many security professionals seem to forget this point) whether the security is 'good enough'. For the ordinary computer user who is totally overwhelmed by all the different rules and processes concerning passwords, I feel biometrics is a great option. Marc Rogers has an excellent blog post demonstrating just how difficult, time consuming and specialized the attack is. Keep in mind too that the fingerprint sits on top of a passcode rather than replacing it: you must set a passcode to enable the fingerprint reader, and the device still demands that passcode after a restart or after repeated failed fingerprint attempts. If you are concerned about targeted attacks from highly skilled threats, such as a nation state, then no, Apple's biometric implementation may not be the security mechanism you want to rely on (though depending on the password/PIN used, a fingerprint may still be more resistant than a password to a brute force attack). But if you are like the millions of ordinary smartphone users around the world, many of whom have not even enabled a passcode, I feel this is a dramatic step forward.

Keep in mind that features addressing human issues are not limited to iOS; other vendors are making great strides in this area. One of my favorites is how Google is making two-step verification easy to use and available across many of its applications (once again addressing one of the top human risks). We must always remember that for ordinary computer users, no security will be perfect. But what I'm learning is that for ordinary computer users, anything that is simple and/or automatic is usually good enough. And when you are talking about millions, if not billions, of users, that is a big deal.


2 Comments

Posted October 9, 2013 at 6:15 PM

HJohn

@: from the linked article:

Posted October 10, 2013 at 3:38 PM

HJohn

Apologies, somehow most of my entire comment didn't go through.
In any case, I was responding to the linked article that said the fingerprint scanner should be avoided because it can be compromised. I disagreed. Just because a security mechanism isn't perfect doesn't mean it has no value.
First, those who broke it physically had the phone, and physically had a fingerprint from a glass. If you can't steal the phone, you can't do this attack. And if you steal or find a lost phone, you may not have the fingerprint.
Second, the methods to bypass security are not going to be easily done by an unauthorized person. There are physical, logistical, and technical requirements that a person who finds your phone may not have.
Third, why is it that many apply a standard of perfection to technology but not to other areas? Do we decide not to lock our doors because we hear a news story of a thief breaking in through a window? Do we stop locking our cars because locks can be picked? Do we freely disclose our SSN because there are other ways to obtain it? Of course not, because we understand the value in making it more difficult for unauthorized persons. So, why do we not see it that way in the technical world?
If my phone is lost or stolen, I'd rather someone have to jump through a few hoops than just peruse it with ease.