Fear, Uncertainty and Doubt.  I still see security professionals – especially vendors – trying to use that tired old technique.  Even with lay audiences it’s lost effectiveness, and it has absolutely no place in the CISO’s office, inbox, or voice mail.  Fear based selling is a cop-out, and a sure way to not get a second meeting with a CISO.  So what do we talk about instead?

My day job is leading the pre-sales security architect program for one of the largest security vendors*.    We begin not by talking, but by listening.  We listen to their strategy and goals for the security program, and how they are leveraging it to support and align with the business strategy.  We interact and talk about pragmatic challenges facing security programs – drowning in data, difficulty in converting data to actionable information, staffing challenges, budget limitations, regulatory compliance with unclear requirements and irrational implementation deadlines and so on, yet always in the context of their goals.  We share information from peers (without attribution), and across industries about best practices, emerging trends and challenges.  We’re all in the war together, and sometimes the immediate value we bring as a vendor is brainstorming about a particular challenge, or validating that the customer is on a common track with their peers.

That almost invariably leads to great conversations about strategy and vision.  Yet, we are chartered to sell, which CISO’s well know.  So while engaging in that value-focused conversation, as a vendor we need to honestly ask ourselves how we can help.  In my team’s case, given the breadth of solutions we represent, we almost always can help with some part of the strategy, though it may different than our original impression.  That’s where the art of the architect comes in – we dynamically build a candidate architecture based on their strategy and our solutions, and work together to create a shared vision for the future.

As an aside, even when I speak on secure thinking to non-security professionals, FUD doesn’t get very far – we’re becoming numb to the breach reports – 50 million, 100 million, 175 million are all just statistics.  Instead, I tell real stories about breaches and victims – not about the retailer who lost 25 million credit cards, but about my wife getting a call from our credit card company wondering if she’d ordered Internet Viagra.  Not about ransomware shutting down a worldwide shipping company, but about my friend losing thousands of dollars in their small business, and another one who lost all their family photos.  It works well with those audiences, and captures their attention for the rest of my talk.  But there’s no way I’d use those with a CISO – they live them every day.

 

*just a reminder, these thoughts and opinions are my own.

There are a number of media reports out that Israeli firm Cellebrite is now able to unlock iPhones even running the latest version of iOS, including the iPhone X.  Should you be worried?  Let’s look at some potential threats.

One rumor, via Bruce Schneier indicates that it only defeats the password limitation mechanism, rather than move the data off the phone to run an offline password cracker.  The defense against that is to use a strong passcode – six digits may be enough, as long as you avoid meaningful patterns (e.g. birthday, anniversary, etc) to force an exhaustive search.  I prefer a full 8-character alpha/numeric/special passcode myself, especially now that it’s used as an actual encryption key rather than just a device unlock code.  I’ve written about why I prefer TouchID over FaceID before – part of the reason is that it makes using a robust passcode more user friendly (less lockouts).  Net is that you can mitigate this threat.

Other speculation is that they’re directly reading the memory chips, and then performing an offline crack.  That makes it an error prone (e.g. frying the phone), expensive, and highly targeted attack.    Again, using a long, robust passcode is a defense against this – and I’d look at using as long a passphrase as iOS allows if you’re in that situation.  Otherwise, this isn’t an scalable option.

The last option is a software bug.  Apple’s been in the news a lot lately for security blunders, and there’s been widespread discussion of the decline in software quality over the past few years.  It appears that message has been heard, as Apple’s now moving towards a ‘when it’s ready’ rather than ‘when it’s scheduled’ model for feature releases.  Part of that includes this year’s releases as focusing on bug swatting – a ‘Snowy High Sierra’ release if you will.  I’ve no doubt that Apple will close any known bugs that allow device bypassing as quickly as they can.

In the end, while this is technically impressive, and certainly of interest, it’s not something the average person needs to worry about.  Use a strong-enough passcode to protect not only the data on the device, but the data that it can access via email or cloud services.  Turn on the escalating timeout lock, and the wipe-after-attempts options.  Make sure you have Find My Phone turned on, so you can remote wipe it, and most importantly, use a robust passphrase (or 1Password random string) for your AppleID.  That’ll keep you safe from all but a deep pocketed threat.