Agenda • Top 12 security recommendations • Google Android specific recommendations • Apple iOS (iPad and iPhone) specific recommendations • General Fermilab.

Presentation transcript:

Agenda
• Top 12 security recommendations
• Google Android specific recommendations
• Apple iOS (iPad and iPhone) specific recommendations
• General Fermilab comments
Official Support Recommendations
12/08/2011

Top 12 Security Recommendations
1. Activate the password lock (screen lock) for accessing the device. Please use some sort of unlock process; be it a password, a PIN, or at a minimum, use the simple pattern unlock.
2. Don’t use simple passwords.
  • While using a Fermi-grade password (complex) is the best for security, remember that virtual keyboards can make entering a complex password more difficult.
  • Use passwords that cannot be easily guessed (i.e., NOT birthday, anniversary, address, phone number, etc.)

Top 12 cont.
3. Don’t share your device with others.
  • The mobile device market is not mature enough to allow for a “multi-user” environment.
  • Android and Amazon Marketplaces and iTunes can be linked to bank accounts, so any user of your device can purchase items without your knowledge.
  • Any accounts you have synced with your device (email, calendar, Facebook, Twitter, etc.) are accessible to other users.
4. Don’t leave your device unattended.
  • Mobile devices are easy to set down and lose track of. Thieves are now actively targeting users with mobile devices. They wait for a user to set down their device and look away. Once devices are stolen, they are easy to hide.
  • Look for applications that may be used to track your device if it is lost or stolen.

Top 12 cont.
5. Encrypt device, if possible.
  • Often the data on a device can be accessed via a USB cable or by removing the memory cards, even when the device has a decent password lock. Encrypting the device makes it harder for that access to yield anything useful to unauthorized people.
6. Back up the device content regularly.
  • Devices can be misplaced or stolen, so back up your device. This will reduce the hardship of losing a device.
  • If the device has to be reset to factory settings or wiped, vendors often advise that data be backed up.

Top 12 cont.
7. Don’t use the device to store passwords, login information, or personal information.
  • The loss of a device can be especially disturbing if you store passwords to other accounts (bank, email, Fermi systems). Remember, it is against Fermi policy to have Fermi related passwords stored on any device.
  • While having a list of all your (and your family’s) personal information may be convenient, having it on an easily misplaced or stolen device means thieves will have all the information necessary to steal your identity (credit card numbers, social security numbers, birthday). If you feel it is worth the risk, use an encrypted application such as KeePass (256-bit AES).
8. Don't alter the device’s default security settings.
  • Vendors spend a great deal of time researching the optimal settings to secure your devices. Be very careful altering these settings. If you DO change the default settings, please do so by increasing the security. Also realize that increased security may change the performance and battery life of your device.
  • Some applications may “require” you to change settings. This can open security holes in your devices. Read the fine print to verify this is really necessary and worth potentially reducing the security.

Top 12 cont.
9. Make sure your device is up-to-date. (Operating System & Applications)
  • Be it Android or Apple, install updates when they become available. These can provide critical security patches and may also provide performance enhancements and new features.
  • Android and Amazon Marketplaces and iTunes all notify you when an application you have installed has a patch available. Patches can be vital to keeping the application stable, improving performance, or patching a security hole.

Top 12 cont.
10. Don’t jailbreak/hack/root your device.
  • While many might consider modifying the default OS to allow for more freedom or access to features not available with the stock OS, this opens your device to greater access for applications to do things you might not be aware of.
  • Rooting a device usually voids any warranty the vendor may offer. Many of these devices are offered at a reduced cost for new customers or as part of a contract. If your device breaks and you have to replace it, you may be forced to pay full price for the device ($500+).
11. Be aware of public wireless networks.
  • The words “free” and “open” should warn you to be cautious. Open and free means no security. All traffic between your device and the wireless access point is unencrypted and could be intercepted. If a service set identifier (SSID) is provided and you are required to enter a password, then odds are you are getting some security. Still be wary of the data you are transmitting.

Top 12 cont.
12. Use SSL encrypted applications, if possible.
  • To go along with free and/or open wireless, if you have the option to encrypt transmitted data, do so to help assure your personal data is not intercepted.
  • Email and web browsing can be secured using SSL encryption. Web pages that start with https:// are using SSL encryption. This is not foolproof but better than no encryption.

Google Android Specific
• Be careful what you install and what files you open.
  ○ The #1 method of infection can be traced to applications installed from Android Marketplace and applications installed directly from webpages. Android Marketplace is really good at dropping infected applications as soon as they are reported. Do your research before installing applications.
  ○ Amazon Marketplace and your device/vendor’s custom Marketplace, at this time, are not seeing many, if any, infected applications. This can change, so be diligent in your research.
  ○ The #2 method of infection is from files such as PDFs. Use the same caution we ask of you here at Fermilab. Only open files from people you know and when you are expecting the file.
• Anti-Virus Application
  ○ Use reputable vendors and really research the application. “Free” may not be the best.

Apple iOS Specific
• Wipe after 10 failed login attempts
  ○ This is a good option to enable if you are the only user and really want some extra assurance that no one can steal your data.
  ○ Back up often just in case it IS wiped.
  ○ May not be a good idea if around kids because 10 attempts can be used up in about 7.4 seconds by the average 4 year-old.
• Anti-Virus Application
  ○ iOS uses a segregated (sandbox) structure where applications cannot directly interact with each other. This, for now, protects the device for the most part. AV is a fairly new concept in iOS and will be better supported by iOS going forward, and the AV applications will get better over time.
  ○ Use reputable vendors and really research the application. “Free” may not be the best.
• Turn off picture frame
  ○ Nothing worse than having pictures start displaying that you NEVER intended to show everyone. You know what I mean. {wink}

General Fermilab comments
• Service Desk Assistance
  ○ Email setup (Exchange)
    ▪ Configuring Exchange will enable you and the Fermi Exchange Admins to remotely wipe your device.
  ○ Network Registration (MISCOMP)
• Technology Store will be offering tablets (iPad & Android) in the near future.
• Android and iOS Baselines are in the process of being approved.
  ○ Lab owned devices will be required to follow baseline requirements.
  ○ Cloud based storage is prohibited for Fermilab data.
    ▪ Data generated on Fermilab equipment/property must be managed with Fermilab resources
    ▪ Freedom of Information Act
    ▪ Law Enforcement request for information
• Report stolen or lost devices to Security promptly
  ○ As with any Fermilab owned items, the quicker the item is reported missing the quicker it may be recovered.

Quote:
“The form factor of these devices makes them easy to lose and misplace,” explained Nicholas Arvanitis, principal security consultant at South African IT infrastructure giant Dimension Data. “They're also attractive targets for theft -- consider that most consumers control a lot of their lives from these devices and often store credentials (usernames and passwords) for many services on them.”
“Unfortunately, theft or loss of these devices is inevitable,” he added. “The most prudent approach is to configure the device and maintain it with the assumption that at some stage it will be lost or stolen.”

The End…
• Questions?
Illustration by Andrew DeGraff