Wednesday, August 08, 2012

Smug IT Security Guy Fail

I write (gripe) about IT security failures all the time on this blog, sometimes pointing fingers and laughing.  Well, I had one of my own, and it illustrates a couple of really important points: 1. Even IT security pros make dumb mistakes. 2. Always follow your own advice.

Here's what happened.  In my home, my sons and I have this little game where we try to grab each other's devices and make a post on Facebook, Twitter, G+, etc.  After being owned a few times I locked down my phone.  Turns out this is a PIA.  When I grab my mobile I want instant gratification, not a password challenge.  Also, on Android you miss out on some pretty nifty lock screen features if you use a passcode/pattern/face unlock.

So I got a cool app (Perfect App Lock) and set up access control for the apps that posed a danger.  Done and done.  You'd think.

What I failed to do, however, was #1 on the list for developing any security policy: I didn't do a threat assessment before starting.

I installed and configured the app and set up my "forgot pass code" security question.  I selected a question whose answer was not in any way public information and was quite personal.  Pretty normal for me in my day-to-day security.  This would have prevented any stranger from being able to use my apps.  Someone who knows me intimately, like, say, my sons? Well, not so much.  My brilliant 13-year-old circumvented the app in seconds.

Facepalm.  I fell into my normal security mode and totally failed to consider the "threat" I was trying to protect against.

Do. Your. Threat. Assessment.

