QPC Security - Breakfast Bytes
Technology
Laptops have given way to mobile devices (phones and tablets).
Risk was more contained with laptops, but the impact is much higher with mobile phones. A lot of nuance hangs on the question "was the password revealed?"
Biometrics are convenient but quite dangerous. Biometrics are a proxy for the numeric passcode on a mobile device.
Physical compromise is a 5-alarm fire situation.
Physical loss when it is not compromised is not that big of an issue as long as authenticators are backed up.
Must have erase-after-10-bad-passcode-attempts turned on. Turn off notifications on the lock screen; do not let notifications display while the device is locked.
Avoid banking apps.
The first things that the baddies go after are Venmo, Apple Pay, Cash apps.
Out-of-band SMS for MFA: SIM-swapping risk, or an eSIM embedded in the phone.
Put a PIN on your physical SIM.
MySudo – you can clone that instance to other phones.
Password manager on phone: a disaster if this is unlocked by your biometric. You can use a different or secondary PIN, or a Yubikey.
Password manager helps you recover.
Segmentation strategies: they can see all the emails on your phone and change passwords, since password reset is typically done via email.
Screen Time on Apple can be helpful, but there are weaknesses there. The only way to really secure the device is to use an MDM. You still need to be concerned about MFA and account takeovers.
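The two device settings the notes insist on (erase after 10 bad passcode attempts, no notifications on the lock screen) are exactly what an MDM pushes to a phone. The Apple configuration profile below is an added example, not from the episode or from QPC Security; the payload keys (`maxFailedAttempts`, `allowLockScreenNotificationsView`, `allowFingerprintForUnlock` and the rest) are taken from Apple's configuration profile reference, while the identifiers, UUIDs and chosen values are placeholders constructed for this example. Comments mark the weak default next to the hardened setting.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Profile metadata. Identifier and UUIDs are placeholders; an MDM generates real ones. -->
  <key>PayloadType</key>          <string>Configuration</string>
  <key>PayloadVersion</key>       <integer>1</integer>
  <key>PayloadIdentifier</key>    <string>example.breakfastbytes.phone-hardening</string>
  <key>PayloadUUID</key>          <string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadDisplayName</key>   <string>Phone hardening (example profile)</string>
  <key>PayloadContent</key>
  <array>

    <!-- Passcode policy. Weak default: maxFailedAttempts unset, so a lost phone
         never wipes itself and guesses are unlimited (apart from Apple's delays). -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>example.breakfastbytes.passcode</string>
      <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-000000000002</string>
      <key>forcePIN</key>           <true/>              <!-- a passcode is mandatory -->
      <key>allowSimple</key>        <false/>             <!-- no repeating/sequential codes -->
      <key>minLength</key>          <integer>6</integer> <!-- constructed minimum -->
      <key>maxFailedAttempts</key>  <integer>10</integer> <!-- erase after 10 bad attempts -->
      <key>maxInactivity</key>      <integer>2</integer>  <!-- auto-lock within 2 minutes -->
      <key>maxGracePeriod</key>     <integer>0</integer>  <!-- passcode required immediately -->
    </dict>

    <!-- Restrictions. Weak default: allowLockScreenNotificationsView = true, so
         MFA codes and password-reset mails are readable without unlocking. -->
    <dict>
      <key>PayloadType</key>        <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>     <integer>1</integer>
      <key>PayloadIdentifier</key>  <string>example.breakfastbytes.restrictions</string>
      <key>PayloadUUID</key>        <string>00000000-0000-0000-0000-000000000003</string>
      <key>allowLockScreenNotificationsView</key> <false/> <!-- hardened -->
      <key>allowLockScreenTodayView</key>         <false/> <!-- widgets can leak the same data -->
      <key>allowLockScreenControlCenter</key>     <false/> <!-- no airplane mode from lock screen -->
      <!-- Stricter than the notes require: the passcode becomes the only way in,
           removing the biometric proxy the notes warn about. Optional. -->
      <key>allowFingerprintForUnlock</key>        <false/>
    </dict>

  </array>
</dict>
</plist>
```

Install this through the MDM as a device profile; an unmanaged personal iPhone gets the same erase behaviour from the "Erase Data" toggle under Settings > Face ID & Passcode, and the same lock-screen behaviour from Settings > Notifications > Show Previews set to "Never". The `allowLockScreenControlCenter` line is there because a locked phone that can be put into airplane mode from the lock screen cannot receive the remote-wipe command the notes call for.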
Need to have an out-of-band mechanism to receive alerts and the ability to remotely kill (wipe) the device.
Microsoft Authenticator and Google Authenticator do not have a separate PIN.
Authy is free. It has its own separate PIN.
Yubikey is great, but it assumes that you can control physical access to it. Do not keep it on your key chain.
Diversification strategy with inventory.
MDM
https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim
https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/amp/