In February of this year we released some initial research highlighting what we believe to be the Top 7 Human Risks. By top human risks, we mean the human risks that are most commonly shared amongst organizations; this is where many security awareness programs should start. The new iPhone/iOS release by Apple addresses two of these top human risks.
- Updating: Surprisingly, one of the most common human risks we discovered is that most people have no idea that updating their operating systems or apps helps keep them secure. If people think of updating at all, they only think in terms of new features or functionality. Updating is becoming more and more critical, especially as people telecommute and organizations support BYOD (Bring Your Own Device). The new iPhone/iOS 7 addresses this human risk by adding automatic updating. Yes, auto-updating may not be the best solution for some organizations (especially where availability is mission critical, such as financial, health care or industrial control systems). However, for the millions, if not billions, of ordinary smartphone users around the world, auto-updating is just what they need. People no longer have to worry about this issue, as auto-updating helps ensure their devices are current and eliminates most known vulnerabilities.
- Authentication: The second feature I'm excited about is biometrics, the use of fingerprints. Passwords are one of the most broken authentication methods we have; they continue to bewilder most ordinary computer users, and to be honest even me at times. Apple has attempted to eliminate many of the issues of passwords with a fingerprint reader. Now, Apple's implementation of biometrics has attracted some controversy because a team of researchers was able to bypass it. Of course they could bypass it; once someone has physical control of a device, no security is perfect. The question becomes (and many security professionals seem to forget this point): is the security 'good enough'? For the ordinary computer user who is totally overwhelmed with all the different rules and processes concerning passwords, I feel biometrics is a great option. Marc Rogers has an excellent blog post demonstrating just how difficult, time-consuming and specialized the attack actually is. If you are concerned about targeted attacks coming from highly skilled threats, such as nation states, then no, Apple's biometric implementation may not be the security mechanism you want to use (though depending on the password/PIN used, fingerprints may still be more resistant than a password to a brute force attack). But if you are like millions of ordinary smartphone users around the world, many of whom have not even enabled passwords, I feel this is a dramatic step forward.
Keep in mind, these features addressing human issues are not limited to iOS; other vendors are making great strides in this area. One of my favorites is how Google is making two-step verification easy to use and universal across many applications (once again, addressing one of the top human risks). We must always remember that for ordinary computer users, no security will be perfect. But what I'm learning is that for ordinary computer users, anything that is simple and/or automatic is usually good enough. And when you are talking about millions, if not billions, of users, that is a big deal.