5 Security Lessons We Can All Learn From FBI vs. Apple

By now you’re well aware of the FBI’s legal demand that Apple Inc. unlock the iPhone owned by a terrorist in the San Bernardino mass shooting.

The conflict centered on gaining access to an encrypted iPhone by having Apple develop software that would bypass the encryption technology on that one specific iPhone. Apple refused to comply with the FBI’s request and, in an unprecedented act of transparency, made the request public in a letter that clearly stated Apple’s position in defying it.

Much to everyone’s chagrin, all of this came to an abrupt end when the FBI announced that it had successfully accessed the phone and no longer required Apple to comply. The legal case against Apple was dropped. The tables have turned: now Apple is asking the FBI to share the method used in this hack so that it can fix the weakness the attack relied on.

The battle is symbolic and there is no clear winner, but there is a silver lining, and there are lessons to be learned for both individuals and businesses.

1. Encryption Still Remains a Key Component of Overall Security

Contrary to what this legal battle may suggest (that the FBI bypassed encryption), it was not the encryption algorithm that was cracked, but the technology built around it. A well-known cryptographer, Bruce Schneier, writes that encryption is still the only surefire way to protect data and that this specific case should not undermine its use and application.

However, the protection encryption offers is limited by the strength of the algorithm used and by how well it is implemented. Those who have not yet considered encryption need to think about two primary use cases in cyberspace when conducting business or simply browsing the internet.

Encryption of data-in-transit: data while it is being transmitted from one platform to another. This transmission can be internal between systems, such as the flow of data between applications, databases or tiers of a multi-tiered system, or external, where data leaves your organization in the form of email, web traffic, API calls or file transfers. Using up-to-date TLS certificates and browsers configured to allow only secure HTTP (HTTPS) are a few ways to ensure the security of data in transmission.

Encryption of data-at-rest: data sitting in storage, such as databases, file servers, email archives and backup media. What is particularly interesting here is requiring such encryption from your third-party provider and/or cloud provider. Given the technological advances and the availability of built-in tools, this feature should be provided by all cloud providers. However, businesses need to work with their cloud providers in order to understand the management of the keys that enable this encryption.

Specific questions to ask are:

  1. What is the key size or strength?
  2. Who owns the key to the encrypted data – you or the provider?
  3. Where is the key stored – with you or with the provider?
  4. Who has access to the key and is this access reviewed regularly?
  5. How often will the key expire and a new one be generated? This requirement should be driven by the size of the data, the sensitivity of the data and who has access to the key for that data.
  6. How will the key be destroyed, and will it be virtually irrecoverable?

2. Passwords are Still Your First and Last Line of Defense

The challenge with the shooter’s iPhone was that it was set up with a PIN that would lock and reset the iPhone after 10 unsuccessful attempts. What this goes to show is that passwords are still the key that locks your digital property. Sit back and consider all your applications: financial, health and personal.

What is the first screen that you are presented with to prove your identity? The login screen.

Use utilities like password managers to create and store strong passwords for multiple devices. Integrating with the Single Sign-On (SSO) capability provided by online businesses will help you centralize and conveniently manage passwords across disparate systems on premises and in the cloud. Do not share the key to your lock with anyone or make it easy for someone to obtain your key. The key to a strong password is its length; best practices call for a minimum of 14 characters for optimal security. Using a combination of letters, numbers and special characters provides extra protection against password-cracking tools.

3. Insist on Using 2-Step Authentication

Add another layer of protection to enhance your authentication process. This method is not new; we have used it for years in banking, where a bank card together with a PIN is required for identification. Similarly, ensure that the online services you use for sensitive data, such as financial, health or personal data, are protected not just by something you know, such as a password, but also by an additional mechanism based on something you have or something you are.

Online businesses provide the ability to identify yourself through many channels. Look for options such as receiving a one-time PIN on your smartphone, one-time code generator apps such as Google Authenticator, or biometric recognition such as fingerprint scans.

4. Follow Basic Computer Hygiene

With our entire world, work and personal, focused on digital space, it is imperative that we keep our computers safe and secure, much as we give other devices in our lives, such as our cars, routine checkups. The Center for Internet Security provides free resources and an excellent guide on cyber hygiene practices that businesses and individuals can follow for effective and immediate defense.

The key takeaways are:

  • Know what is on your machine or network and establish a known-good baseline configuration. Any deviation from this baseline should be addressed.
  • Make sure hardware and software are configured to operate as intended. Follow manufacturer-issued guidelines for configuring devices and keep up with news and alerts on updates.
  • Identify who has access to your data and what kind of access they have. Have you explicitly authorized that access?
  • Patch your systems promptly. Updates fix security holes that may otherwise be exploited, so the sooner the patch is applied, the better.
  • Use hardware and software that have been vetted and are tried-and-true.

5. Don’t Be Caught Napping

Lastly, there is nothing like being caught unprepared for an event that may cause havoc, monetary loss and damage to brand and reputation. Data breaches are on the rise. According to Verizon’s annual Data Breach Investigations Report, over 2,000 data breaches in 2015 alone resulted in approximately 700 million personal records compromised. The threat is real and present. Individuals should watch for suspicious activity by regularly monitoring their bank statements, health records and the credit reports to which they are entitled by federal law at annualcreditreport.com. Businesses should develop incident handling and crisis communication policies by working closely with Legal and IT. Purchasing cyber-insurance to defray the cost of a breach, educating employees on recognizing attacks, and having legal contracts in place with service providers on indemnity and liability limitations are just a few of the things that can be done.

Ask yourself what you are protecting, where that data is stored and who has access to it. That starts the process of understanding the risk and what is currently being done to mitigate it. No one technology or device will bring total security. Security by its nature is continually evolving to keep up with the threats that undermine it.

It is the combination of human intelligence with the adoption and adaptation of technology to meet our needs that arms us best in our quest for security.