Apple-focused device management and security vendor Jamf today published its Security 360: Annual Trends report, which reveals the five security tends impacting organizations running hybrid work environments. As it is every year, the report is interesting, so I spoke to Michael Covington, vice president of portfolio strategy, for more details about what the company found this year.
First, here’s a brief rundown of some of the salient points in the report:
- In 2022, 21% of employees were using devices that were misconfigured, exposing the device and the employee to risk.
- 31% of organizations had at least one user fall victim to a phishing attack.
- 7% of Android devices accessed third-party app stores, which often provide versions of legitimate apps that have been tampered with to include malicious code that infects user devices, compared to 0.002% of iOS devices.
- New malware infections dropped from just over 150 million to about 100 million, with malicious network traffic continuing to be more prevalent.
The report confirms that some of the most well-known bad security habits continue. For example, 16% of users are regularly exposing confidential or sensitive data by sharing it via unsecured Wi-Fi hotspots.
Security 360 also gives a good set of insights into how important privacy is to overall enterprise security.
The report points to a range of ways in which privacy, once broken, creates security instability, including nation states that subvert device security to watch, photograph, and record what people do in order to blackmail or otherwise exploit victims.
Another threat is poor data lifecycle management, when companies that do gather private information don’t protect that data well enough. The company continues to invest in approaches to challenge all of these. There’s a host of additional information available in the report, which you can explore here.
An interview with Michael Covington
Covington has extensive experience in tech. A published computer science researcher and IT pro, he has held leadership roles at Intel, Cisco Security, and Juniper Networks.
At Jamf, he oversees the blending of the company’s security and management solutions into a cohesive platform and has a self-described passion for working on products that “sit at the intersection of security, privacy and usability.”
Here’s what he had to say:
Why typically do business employees have misconfigured devices? What can a business do to manage these, particularly when using employee-owned devices? “Misconfigurations occur when organizations choose not to manage, or under-manage, the devices their employees use for work. This could be a result of limited IT staffing, poorly defined standards, or a desire to operate an unrestricted IT program. Regardless of the reasons, these misconfigurations significantly increase the risk organizations face.
“Many organizations look at security in the context of an ‘incident;’ they want to stop bad things from happening, so they focus on threat events like malware detection and phishing blocks. What they fail to realize, however, is that the best risk management begins by practicing good security hygiene. Organizations need to do more to ensure that every device meets the company’s baseline standards — regardless of whether it is company-owned, contractor-operated, or a personal device used under a BYOD program — before it is allowed to access sensitive business data.
“Beyond basic management controls, organizations must also look to their users to maintain proper device configurations over time. Users should be part of the security solution, and that includes actioning updates to the operating system or applications in a timely fashion, when prompted.”
What is the consequence of a phishing attack? Do they typically lead to further breaches? What is the average consequence to a user? “Successful phishing attacks inevitably lead to consequences down the road. A worst-case scenario occurs when work credentials are stolen by an attacker who uses them to subsequently steal valuable business data, to blackmail the organization, or pivot to the next system or social engineering exploit. Other side effects can include misinformation campaigns launched against the business or its partners, personal data loss, and financial exploitation.”
How can you tell a legitimate software store from an illegitimate one? What can be done to protect users? “The best software stores have well-documented processes in place to vet incoming applications and monitor for abuses over time. The iOS AppStore and the Google Play store are great examples of where a defined process helps eliminate a lot of the risk up-front, before users download the apps.
“But there are plenty of examples of where this isn’t always possible or desirable. As organizations adopt more applications that are distributed by third parties outside of the app stores — a scenario that is quite common with macOS, for example — they also need to have processes in place to manage the lifecycle around those applications.
“Best practices include assessing the permissions each app requests to ensure the developers respect end user privacy, maintaining regular checks to ensure the most stable and secure version is distributed to devices, and monitoring known vulnerabilities for each application to understand the organization’s risk exposure.”
What is the difference between malicious network traffic and malware? Are they seeking different things? “All malware is built with an intended purpose. Some malware was designed to deliver advertisements. Some malware encrypts data so the attacker can demand a ransom. And some malware steals intellectual property. Most modern malware is connected to infrastructure that is used to facilitate distribution, implement command & control, and receive exfiltrated content.
“Malicious network traffic refers to the network-based infrastructure that supports malware campaigns and data theft. Network-based indicators of compromise can serve as a strong indicator of malicious activity on a device, even when a specific malware has not yet been identified on the device.
“Jamf Threat Labs recently discovered a malicious cryptomining campaign that was targeting macOS devices through compromised pirated software; the software used network communication to send mined cryptocurrency to the attacker.”
Isn’t using a virus checker enough? (No is the answer, but why?) “No, a virus checker is not enough. Organizations should be thinking holistically about their endpoint security solutions. Good security on the device begins with secure baselines that are established and maintained over time. Best practices include regular checks on OS patch levels and application versions.
“And when it comes to malware detection, organizations must be using solutions that go beyond signature detection. Data-driven heuristics and machine learning have reached a level of maturity that result in more accurate detections and far fewer false positives. It’s time to embrace these technologies.
“Finally, device security should include tools to help prevent user-introduced risk. This includes protections against sophisticated phishing attacks and social engineering exploits that trick users into installing malicious code on the device.
“Organizations should avoid thinking in security silos. Malware detection, for example, is only minimally useful in isolation. IT and security teams should start looking for an overall assessment of endpoint health that can be communicated to other tools and infrastructure so that intelligence can help provide better protections for the organization’s most sensitive applications.
How can employers/employees better protect themselves against social engineering-based attacks? “Organizations invest in tools and employee training that protect corporate data. To take this a step further, organizations can and should help employees improve security and privacy in their personal life, as when workers are educated on personal security risks, they are more likely to help improve their habits when dealing with those same risks at work.
“Employers should have a multi-pronged approach.
- First, start with education. Some ways organizations can help employees is by implementing a regular “data privacy hygiene day,” offering workshops and training on improving their personal data privacy and providing bite-sized tutorials and warnings on a regular cadence through already-utilized tools.
- Second, invest in tools that prevent users from making mistakes. Organizations need to do more to ensure that every device meets the company’s baseline standards — regardless of whether it is company-owned, contractor-operated, or a personal device used under a BYOD program — before it is allowed to access sensitive business data. Beyond basic management controls, organizations must also look to their users to maintain proper device configurations over time. Users should be part of the security solution, and that includes actioning updates to the operating system or applications in a timely fashion, when prompted.
- Third, go back again to educate! Don’t shame mistakes, instead share learnings to encourage best practice and sharing of phishing attempts so users know what to look for. Employee training must go beyond the annual classroom requirements and include a cultural element that places security at the top of every employee’s job responsibility list.”
What should employers look for when sourcing employee security training? “Most critically, employers should ensure that their employee security training has been modernized. Content should cover on-premises use cases, remote/anywhere work scenarios, a combination of desktop, laptop, and mobile form-factors, plus include references to cloud applications. Users should feel like they are the first line of defense and not be ashamed to report incidents they have observed.”
What can an enterprise do to protect against the weak links in their security chain (human or otherwise)?
- “Implement a comprehensive security program with transparency.
- Do not blame/shame users who fall victim to social engineering.
- Share details (within reason) on where mistakes have been made.
- Encourage sharing.
- Talk about the “wins” and the attacks that were successfully thwarted so users feel bought into the solutions.
- Don’t compromise personal privacy.
- Don’t implement draconian policies.
- Focus on productivity, not blocking users.”
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
Copyright © 2023 IDG Communications, Inc.