Integrating Jamf Protect with Microsoft Sentinel
Month: August 2023
Author: August 24, 2023 by Thijs Xhaflaire
Source: https://www.jamf.com/blog/integrating-jamf-protect-with-microsoft-sentinel/
Jamf Protect, our leading endpoint security solution for Mac and mobile devices, has recently announced its integration with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution. This integration enables organizations to seamlessly monitor and protect their Mac fleet through the Microsoft Sentinel platform, providing a unified view of security events across all endpoints and facilitating a more effective response to threats.
The Jamf Protect data forwarding integration with Microsoft Sentinel is easy for organizations to implement and configure. In this post, we’ll discuss the newest features found in the latest version, 3.0.0, such as the new:
- Playbooks
- Hunting queries
- Parser
The release also updates the Workbooks and Analytic rules, which help organizations leverage the strengths of both solutions to gain better visibility into security events while streamlining and automating incident response.
What are the benefits of Jamf Protect SIEM integration with Microsoft Sentinel?
One of the key benefits is the ability to centrally manage and monitor Mac endpoints alongside other devices, such as Windows and Linux machines. Microsoft Sentinel provides a unified view of security events across all endpoints, allowing security teams to identify threats and respond to them quickly and effectively. By integrating with Jamf Protect, organizations can also gain additional insight into their Mac endpoints and protect against threats specific to those devices.
The integration also enables organizations to automate incident response workflows, reducing the time it takes to detect and respond to threats. For example, if Jamf Protect detects malware on a Mac device, it can automatically trigger an alert or incident in Microsoft Sentinel, which can then initiate a response, such as suspending a user in Microsoft Azure AD if malicious activity has been detected. This integration streamlines the incident response process and reduces the risk of human error.
Another benefit of the Jamf Protect SIEM integration with Microsoft Sentinel is the ability to leverage Microsoft’s threat intelligence capabilities. Microsoft Sentinel ingests threat intelligence from various sources, such as the Microsoft Intelligent Security Graph, and can use this information to identify and respond to threats more effectively.
Which new features are included in v3.0.0 of the integration?
The Jamf Protect SIEM integration with Microsoft Sentinel is a powerful solution for organizations looking to secure their Mac endpoints and gain better visibility into security events across all devices. By integrating Jamf Protect with Microsoft Sentinel, organizations can automate incident response workflows, leverage threat intelligence and gain a unified view of security events, all while streamlining the management and monitoring of their Mac fleet.
That said, here’s a rundown of the new and updated features available since its inception earlier this year.
Playbooks
Say goodbye to manual intervention during threats!
Microsoft describes playbooks as “collections of procedures that can be run from Microsoft Sentinel in response to an entire incident, to an individual alert, or to a specific entity.” The Playbooks feature provides an automated response that runs after an incident has been created or another condition has been met. With it, security teams can define customized sequences of actions that use the Jamf API to automate swift and effective responses and mitigate security incidents quickly.
Some examples of Playbooks included are:
- Remote lock a computer with Jamf Pro
  - Based upon the host entities in the Microsoft Sentinel incident, it locks the device using a remote command
  - Workflow generates a randomized, 6-digit passcode which will be stored within the incident itself
- Update alert statuses in Jamf Protect
  - Mirrors the Microsoft Sentinel incident state and once set to active, will change the status to in progress
- Automatically resolve alerts in Jamf Protect
  - Mirrors the Microsoft Sentinel incident state and once set to closed, updates it to resolved
Hunting queries
Proactively discover potential threats across your endpoints by combining Jamf Protect’s Alert, Telemetry and Network event data with Microsoft Sentinel’s Hunting Queries. Doing so allows security researchers to hunt for threats retrospectively, checking whether a threat or malware was present before it became known.
For example, you will find two sample queries that hunt for DazzleSpy and JokerSpy respectively. Jamf Protect already provides coverage for both, but the queries allow security researchers to search an earlier point in time, checking for a prior existence of the threat.
Parser
Experience enhanced data parsing capabilities with the newly added parser that matches fields to the Advanced Security Information Model (ASIM). Data extracted and interpreted from an expanded array of sources enables comprehensive threat detection and analysis. Make better, more informed decisions using accurate and real-time information gleaned from a holistic view of your environment’s security landscape.
Map events from the following streams:
- Jamf Protect Alerts
  - Including Threat Prevention
  - Including Analytics
  - Including Device Controls
- Jamf Protect Telemetry
- Jamf Protect Web Protection
  - Network Traffic Stream
  - Threat Event Stream
Workbooks
Visualize complex data effortlessly with updated Workbooks. The intuitive interface transforms raw information into actionable insights through dynamic charts, graphs and metrics. Empower your security and IT teams to quickly assess, interpret and respond to threats, bolstering your defense strategy with a user-friendly, data-driven approach.
Workbooks already existed in previous versions of the solution, but have received a significant update that adds more value, such as:
- Utilizes the newly added parser for querying
- Added system performance metrics to granularly review performance across all endpoints
- Log Parsers are now able to review not only the jamf.log but others as well
Analytic rules
Stay ahead of emerging risks and stay in control of your cybersecurity posture with Analytic rules. The earlier version of Jamf Protect for Microsoft Sentinel contained Analytic rules for automated incident creation, allowing responders to act upon those incidents.
Updates to the Analytic rules have refined them to be more precise while also making use of the newly added parser feature.
Where can admins get this integration?
If you’re interested in implementing the Jamf Protect SIEM integration with Microsoft Sentinel, it’s as easy as visiting the Azure Marketplace listing and following the installation and configuration steps. With this integration, you can protect your Mac endpoints alongside other devices and gain better insight into security events across your entire organization.
Additionally, you can find Jamf Protect for Microsoft Sentinel in the Government Marketplace and Microsoft Sentinel Content Hub.
Security teams’ finger on the pulse of your security posture
Embrace the future of cybersecurity – where automation, proactive discovery, deep data insight and visual clarity converge to create an unparalleled defense against digital adversaries.
Jamf Protect seamlessly integrates with Microsoft Sentinel using native data forwarding to Log Analytics, maximizing the power of both solutions. Strengthen your security posture by combining the robust capabilities of Microsoft Sentinel with the advanced Apple endpoint security features of Jamf Protect.
Already using Jamf Protect for Microsoft Sentinel? Upgrade to version 3.0.0 from within the Microsoft Sentinel Content Hub today to unlock more value and increased functionality!
Demonstration of features
For a walkthrough of the features and use of this integration, get in touch with us.
Migrating to Jamf in 3 easy steps
Month: August 2023
Author: August 22, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/easy-migration-to-jamf/
Business, education and life all seem to run online. As newer technologies emerge that turn complex processes and practices into simpler workflows, users choose to rely more and more on their devices to make life easier.
This increased usage results in greater reliance on devices. With that comes, of course, additional challenges. When managing devices, admins must ensure that their configurations and baseline security requirements secure devices, users and data. Adding to the challenge is the rise in distributed workforces, the critical nature of upholding user privacy and the increased user demand for using personally-owned devices at work. With all of that, the waters are a whole lot murkier.
But they don’t have to be. After all, that’s the beauty of the MDM model — it allows organizations to effectively extend security and management to all endpoints that access enterprise resources. The key is finding the right device management solution that meets the unique requirements of your organization and grows to meet changing requirements and evolving technologies.
But what happens when your provider doesn’t offer the type of support you require? What options, if any, are available to migrate your existing fleet? And how will that impact your business?
Rest assured, I’ll answer all of these questions here.
Why would organizations change providers?
“Because one of these things is not like the others.” — Taylor Swift
Many companies use an MDM solution to manage their end-user devices. However, changing requirements and new technologies can trigger a change in providers. Another important reason for the change is support or lack thereof. Let’s take Apple for example. They design their devices to adhere to frameworks that govern security and privacy, among others. These frameworks act as blueprints for developers to let them know how to best implement security and privacy practices into the apps they create and run on Apple hardware. Doing so ensures that hardware, software, users and data are all protected from issues that might otherwise compromise security and privacy.
Apple integrates security and privacy into its overall design philosophy and, as such, prioritizes them within its frameworks for developers to adhere to. When Apple announces a new feature, it too is baked into its frameworks and made available to MDM providers. This allows them to support the newest security feature within their respective MDM solutions.
However, while a few provide true same-day support of Apple’s latest and greatest, some do not. This delay impacts any organizations that rely on the newest security and privacy protections to stay protected against ever-evolving threats. Because these MDMs don’t support these features yet, this prevents organizations from deploying these critical protections.
The result? Impacted organizations must make the difficult decision to delay the deployment of the latest patches —leaving devices and, by extension, their infrastructure— vulnerable to risk.
Another solution is to minimize risk factors by migrating to a solution that does meet your organizational needs. While there are challenges inherent to migrating from one solution to the other, organizations are best served when taking a risk assessment approach to determine if the challenges to migration exceed the risks of being unable to mitigate threats in a timely manner.
What challenges make migrations difficult?
First and foremost, one of if not the greatest challenges is the impact on productivity. Tied closely to the first is time. Both productivity and time are impacted directly by the downtime required to get each device migrated, multiplied by the total number of devices to migrate. The larger the number, the more time the project takes to complete.
Regarding downtime, devices enrolled in one MDM solution typically must be wiped and re-enrolled within the new MDM solution. While the re-enrollment process itself isn’t terribly time-consuming, other factors such as:
- the size of your IT staff
- employee location: onsite vs remote
- data backup and restoration
- device reprovisioning
- types of devices being migrated
all play a significant role in determining how much that downtime affects your users during the migration process. Consider these to be on a sliding scale of sorts. A large IT staff managing centralized, on-site employee devices that are the same model MacBook Pro laptop, without the need to physically back up or restore data, may be able to handle this. A large staff and identical devices will result in decidedly less of an impact on project time than if your organization has no dedicated IT staff or employees work remotely, for example. Those conditions will cause downtime to grow disproportionately.
While the hurdles for changing MDM providers have historically appeared to be high, they don’t have to be…
Migrations as easy as 1-2-3
Jamf has developed an elegant solution that solves migration challenges by streamlining the process to:
- eliminate administrative headaches
- minimize the impact on end users
- automate migration workflows
What manner of wizardry do we speak of? Nay, ‘tis not wizardry, but merely a workflow that allows administrators to “work smarter — not harder.” On devices managed by another MDM provider, this workflow:
- copies files necessary to automate migration
- uninstalls the old management profile
- installs the Jamf Pro management profile
- renews encryption password (if FileVault is enabled)
- performs clean-up processes
When executed as a management command, the workflow will query the device and determine what resources are needed. These will deploy from your origin MDM and, once downloaded, execute on-device. A wizard will display that runs through each step of the process, such as the removal of the old management profile.
Next, the Jamf Pro management profile will install. For devices with FileVault currently enabled, the next step will prompt the device to renew the encryption key so that it may be stored securely in Jamf Pro’s database (this also makes it a breeze to retrieve in the event that users lock themselves out of their Mac). It is recommended that users be logged onto their Macs, as they will be prompted to enter their credentials during this phase and granted access to unlock FileVault upon authenticating.
Last, the final step performs some basic housekeeping to remove any files and scripts used during the migration process.
The workflow can be started at a time that works best and completes in a few minutes. The best part? The migration process doesn’t require wiping devices or backing up user data prior to re-enrollment. Just a few minutes per device —over any network connection— is all that’s required to seamlessly migrate from your previous MDM provider to Jamf Pro.
1. Simple configuration
Regardless of your existing MDM provider, a few minor configurations are necessary to prepare it to deploy the files that will kick off the migration process across your entire macOS fleet.
2. Jamf Migrate
The secret sauce, if you will. Jamf Migrate is a lightweight package that is configured and uploaded to your existing MDM provider. It is this package that then deploys to your devices and begins the migration process. It orchestrates each phase of migration, ensuring that the next process doesn’t execute until the previous one is complete.
3. There is no step #3.
That’s it! Once Jamf Migrate completes its workflow, your devices will have removed the previous management profile and been successfully enrolled into Jamf Pro. Congratulations, the migration project is now complete. Future management workflows can be found within the easy yet powerful Jamf Pro administrator’s console.
Ready to migrate to the best-of-breed Apple management solution?
Contact Jamf or your preferred reseller today to schedule support for your migration project.
How-to: On-Device Content Filtering with Jamf Safe Internet
Month: August 2023
Author: August 25, 2023 by Anthony Darlow
Source: https://www.jamf.com/blog/how-to-on-device-content-filtering-with-jamf-safe-internet/
Step into the cybersecurity of the future.
Jamf Safe Internet has recently added On-Device Content Filtering (ODCF).
Apple provides this technology as part of iOS and iPadOS. ODCF enables network filtering directly on the device, which makes it a much more comprehensive filter.
Secure students and devices with On-Device Content Filtering.
Newest Jamf Safe Internet release
With this release, ODCF has added the ability to filter IP addresses on top of domain names, which Jamf Safe Internet has always done. However, the scope for ODCF technology is much broader than this.
It’s now possible to filter full URLs and ports, and to identify traffic that originates from specific apps. ODCF is also lower in the network stack than VPN, which means even if students install a VPN, their device will still filter content before it goes through the tunnel.
This technology is also very privacy-preserving. A huge amount of sensitive data is stripped from requests, and since ODCF evaluates the traffic data on-device, it doesn’t need to go to Jamf’s security cloud for evaluation.
This release didn’t just add the ODCF capabilities to Jamf Safe Internet. It also changed the default vectoring method to Apple’s “DNSSetting” payload, moving from a VPN-vectoring method. It’s this “DNS over HTTPS” (DoH) that enables Jamf Safe Internet to continue to provide web-based threat prevention.
It’s now done by making the most of Apple’s native frameworks.
New To Jamf Safe Internet?
This release has been optimized for devices running iOS and iPadOS 16+.
Jamf Pro
- If you are a new Jamf Safe Internet customer and have devices running iOS or iPadOS earlier than version 16, you will need to ensure that you deploy the legacy profile to these devices.
- If you are using Jamf Pro to deploy Jamf Safe Internet and have devices running iOS or iPadOS earlier than 16, you will need to follow the Getting Started with Jamf Safe Internet in Jamf Pro section of our Jamf Safe Internet documentation.
Where the guide says: “Download the relevant configuration files and complete the Jamf Pro instructions,” you will need to select the configuration profiles from the Jamf Safe Internet console under “iOS and iPadOS unsupervised (or supervised earlier than 16).”
Follow the rest of the guide, but be sure to scope this configuration profile only to devices with iOS or iPadOS earlier than iOS 16. You can do this using Smart Groups. For environments using both iOS and iPadOS 16+ as well as earlier, repeat the process but choose the configuration profile under “iOS and iPadOS supervised (16 or later).”
Jamf School
If you are using Jamf School to deploy Jamf Safe Internet and have devices running iOS or iPadOS earlier than 16, you will not be able to use Jamf School’s built-in single-click connection. Instead:
- Log into the Jamf Safe Internet console and select the default activation profile.
- Under “Select your UEM,” choose “Jamf School.”
- Under “Select your OS,” choose “iOS and iPadOS unsupervised (or supervised earlier than 16).”
Then, download the configuration profile from the console.
Once you have this profile, upload it to Jamf School as a custom profile and scope it, along with the Jamf Trust app, only to devices with iOS or iPadOS earlier than iOS 16. You can do this with Smart Groups.
For environments using both iOS and iPadOS 16+ as well as earlier versions, use the built-in single-click connection for devices 16+, and use the above method for devices with an iOS or iPadOS earlier than 16.
Already have Jamf Safe Internet?
If you already have Jamf Safe Internet deployed to your devices prior to the release of ODCF, all of your devices will be using the legacy profile.
- If you have devices that are running an iOS or iPadOS version earlier than iOS 16, you will not need to take any action. Jamf Safe Internet will continue to run in its legacy form (using a VPN vectoring method and without ODCF capabilities).
- If you have devices running iOS or iPadOS 16+ and would like to make use of the new DoH and ODCF capabilities, you will need to migrate your devices from the legacy deployment.
The migration has a number of steps and is a simple process. However, it’s extremely important that you follow all the steps as outlined here. Otherwise, there is the risk that your devices may not filter content in the expected way.
Step 1: Create an activation profile that has the new DoH and ODCF configuration populated.
- Log into your Jamf Safe Internet console, navigate to Devices → Activation Profiles and select “Create Profile.”
- Name the profile according to your environment’s needs. I would suggest something that includes DoH and/or ODCF so that you know that this is the new profile and it’s using the new method over the older legacy profile you used before.
- Select “Save and Create.”
- In the next window, do not change any settings and select “Save.”
Step 2: Create a Jamf Safe Internet profile in Jamf School.
- Log into your Jamf School console, navigate to Profiles and select “Create Profile.”
- Create the profile by selecting “iOS” → “Device Enrollment.”
- Name the profile according to your environment’s needs. I would suggest something that includes DoH and/or ODCF so that you define the new profile when deploying.
- Select “Finish.”
- Scroll down to the “Safe Internet” payload and select “Configure.”
- From the dropdown menu, select the activation profile that you created.
- Select “Save.”
Step 3: Remove the legacy deployment from your devices.
Before deploying Jamf Safe Internet with the new DoH and ODCF capabilities, first:
- Remove the legacy vectoring method from devices.
- Remove the device record from Jamf Safe Internet. This is very important.
Here’s how to do it:
- In Jamf School, un-scope the current Jamf Safe Internet profile from the devices. This will be unique to each environment depending on how you configure groups and settings, but be sure to only un-scope the Jamf Safe Internet profile.
- Un-scope the Jamf Trust app from devices. This will be unique to each environment depending on how you configure groups and settings, but be sure to only un-scope Jamf Trust. At this point, please be aware that the devices are no longer filtered by Jamf Safe Internet.
- Move over to the Jamf Safe Internet console and navigate to Devices → Device groups.
- Select the devices or group of devices that you are migrating (ensuring that you’ve already removed the profile and Jamf Trust from them within Jamf School) by selecting the checkbox next to the devices.
- Click “More actions” and select “Delete devices.”
- In the next window, read the information and select “Delete.”
Step 4: Deploy Jamf Safe Internet using the new profile created in step two.
Now that your devices have fully been removed from the legacy deployment, you can re-deploy Jamf Safe Internet to the devices using ODCF.
- In Jamf School, scope the profile with the DoH and ODCF configuration created in step two to devices. Remember that DoH and ODCF are suitable for iOS and iPadOS 16+.
- Scope Jamf Trust to the devices (it doesn’t require a managed app config).
At this point, devices are once again protected by Jamf Safe Internet and you will see devices start to appear in the Jamf Safe Internet console.
How to check that devices are using DoH and ODCF
Regardless of whether your deployment is new or you have migrated from the legacy method, you can check on the device to ensure that it has a DoH and On-Device Content Filter payload.
- On a device, navigate to Settings → General.
- Find and select VPN, DNS and Device Management. This option will only say VPN and Device Management if a device does not have a DoH and ODCF payload.
- Under “Restrictions and Proxies,” you will see entries for “DNS” and “Content Filter.”
As a side note, unless you have also deployed a VPN, selecting “VPN” should show no configuration.
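The on-device check above has an admin-side counterpart: inspecting a configuration profile before it is scoped, to confirm it carries DoH and ODCF rather than the legacy VPN vectoring. The following is an added example, not code from the original post or from Jamf; it assumes an unsigned .mobileconfig, checks Apple's DNS Settings, Web Content Filter and VPN payload types, and uses constructed sample profiles with a hypothetical resolver URL and bundle identifiers.

```python
import plistlib

# Apple payload type identifiers for the three mechanisms discussed above.
DNS_PAYLOAD = "com.apple.dnsSettings.managed"   # DNS Settings (DoH / DoT)
FILTER_PAYLOAD = "com.apple.webcontent-filter"  # Web Content Filter (ODCF)
VPN_PAYLOAD = "com.apple.vpn.managed"           # VPN (legacy vectoring)


def classify_profile(profile_bytes):
    """Classify an unsigned .mobileconfig as 'doh+odcf', 'legacy-vpn' or 'incomplete'."""
    profile = plistlib.loads(profile_bytes)
    found = {"doh": False, "odcf": False, "vpn": False}
    problems = []

    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == DNS_PAYLOAD:
            dns = payload.get("DNSSettings", {})
            url = str(dns.get("ServerURL", ""))
            # DoH requires DNSProtocol=HTTPS and an https:// resolver URL.
            if dns.get("DNSProtocol") == "HTTPS" and url.startswith("https://"):
                found["doh"] = True
            else:
                problems.append("DNS payload present but not DNS over HTTPS")
        elif ptype == FILTER_PAYLOAD:
            # An on-device filter is a 'Plugin' filter with a data provider extension.
            if (payload.get("FilterType") == "Plugin"
                    and payload.get("FilterDataProviderBundleIdentifier")):
                found["odcf"] = True
            else:
                problems.append("content filter payload has no on-device data provider")
        elif ptype == VPN_PAYLOAD:
            found["vpn"] = True

    if found["doh"] and found["odcf"]:
        kind = "doh+odcf"
    elif found["vpn"] and not (found["doh"] or found["odcf"]):
        kind = "legacy-vpn"
    else:
        kind = "incomplete"
        if not found["doh"]:
            problems.append("missing DoH DNS payload")
        if not found["odcf"]:
            problems.append("missing content filter payload")
    return {"kind": kind, "found": found, "problems": problems}


def build_profile(*payloads):
    """Serialize constructed payload dicts into an unsigned profile (demo input only)."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": list(payloads)})


# Constructed sample payloads; the URL, server name and bundle IDs are hypothetical.
DOH = {"PayloadType": DNS_PAYLOAD,
       "DNSSettings": {"DNSProtocol": "HTTPS",
                       "ServerURL": "https://doh.example.invalid/dns-query"}}
DOT = {"PayloadType": DNS_PAYLOAD,
       "DNSSettings": {"DNSProtocol": "TLS", "ServerName": "dns.example.invalid"}}
ODCF = {"PayloadType": FILTER_PAYLOAD, "FilterType": "Plugin",
        "PluginBundleID": "com.example.filterapp",
        "FilterDataProviderBundleIdentifier": "com.example.filterapp.provider",
        "FilterSockets": True}
VPN = {"PayloadType": VPN_PAYLOAD, "VPNType": "IKEv2"}

NEW_PROFILE = build_profile(DOH, ODCF)     # what a migrated device should receive
LEGACY_PROFILE = build_profile(VPN)        # pre-ODCF deployment
BROKEN_PROFILE = build_profile(DOT, ODCF)  # DNS payload that is not DoH

if __name__ == "__main__":
    for name, blob in (("new", NEW_PROFILE), ("legacy", LEGACY_PROFILE),
                       ("broken", BROKEN_PROFILE)):
        result = classify_profile(blob)
        print(name, result["kind"], result["problems"])
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.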
What will my users see when ODCF or DoH blocks them?
Jamf Safe Internet keeps students and teachers safe in three ways:
- It prevents students from accessing inappropriate content by blocking certain categories.
- It can also enforce Google Safe Search so that only suitable search results and images appear.
- It keeps students and teachers safe by protecting against web-based threats, such as phishing links or spam websites.
What the end user sees on the device will depend on what content is blocked. If blocked by a category, the user will see the OS block message that is standard for the ODCF protocol.
However, if the content is blocked by web-based threat prevention, such as a phishing site, the user will be presented with a Jamf-branded block page.
How do I block IP addresses?
First, you must add them to your policy as a custom rule.
- In the Jamf Safe Internet console, navigate to Policies → Content policies and ensure you are editing the policy at the correct level (OU) for your needs (Root, Lead or Group).
- Select “Custom Rules.”
- Enter the IP address(es) you wish to block into the “Add custom rules” box.
- Choose “Block.”
- Select “Add Custom Rules.”
- You will then see your custom rules in the list.
- Make sure to select “save and apply” so that these changes are delivered to devices.
Remember, IP address filtering is possible thanks to ODCF and is only available for devices with iOS and iPadOS 16+.
What does On-Device Content Filtering do for my school?
This release of Jamf Safe Internet is super exciting as it brings more features in line with Apple’s native technologies; it is also more comprehensive and robust. While IP address blocking is great for those who need it, being lower in the network stack allows you to filter even with a VPN on the device. This is a much-needed addition; ODCF is bringing us the feature set of the future.
Yes, there’s a bit of work to migrate to make sure your devices are using DoH and ODCF. However, if clever students have bypassed filtering using IP addresses or VPNs, the benefits outweigh the work.
If you’ve never had this happen in your school, now would be a great time to move to DoH and ODCF before it does. This is the future of Jamf Safe Internet, so why wait?
Try Jamf Safe Internet for free.
Security in small business with Jamf Now
Month: August 2023
Author: August 18, 2023 by Hannah Hamilton
Source: https://www.jamf.com/blog/security-in-small-business-with-jamf-now/
As a small business owner, you have to wear many hats: manager, CEO, accountant, marketer, front-desk worker—the list goes on. And yet there’s one more hat to don: security specialist.
As complicated as the security world is, keeping the growing business you worked hard to build safe and secure doesn’t have to be. Jamf Now can help the smallest teams manage work devices while helping to keep them secure.
Learn about the basics of Apple Device management for small businesses.
Does my small business need security?
Short answer: definitely! Cybersecurity threats are not just for large companies—in fact in 2021, according to StrongDM, 46% of all cyber breaches affected businesses with less than 1000 employees. And 61% of small businesses were targets for a cyber attack; that’s more than 3 in 5 businesses!
Cyber attacks come with a price. Businesses can lose valuable customers and opportunities as their technology is disabled while recovering from an attack. Intellectual property, customer information and company data can be stolen. Companies can take financial hits upwards of tens or hundreds of thousands of dollars. Not to mention that if appropriate action isn’t taken after an attack, they can happen again and again.
But maybe you’ve already looked into security measures to protect your investments. And indeed, most small businesses have implemented firewalls, antivirus protection and backups. Certainly, these practices are good to have. But are they enough?
Building a cybersecurity strategy
The National Institute of Standards and Technology (NIST) puts out what many consider the “gold standard” for cybersecurity frameworks. This framework breaks down a cybersecurity strategy into these parts: identify, protect, detect, respond and recover. Let’s briefly dive into these pillars and examine how Jamf Now can help your small business.
Identify
To defend your company data, it’s critical to identify:
- Who has access to your business information
- What devices and apps are connected to your resources
- Who is accessing your information at a given time
Jamf Now helps you keep a device inventory of all company-owned devices, and gives you insight about device settings and their security status. Shared devices running iOS or iPadOS can even be locked into Single App Mode, preventing any devices from being used for purposes other than for work. For Macs, the Self Service and app deployment features allow you to allocate company-approved apps, reducing the risk of employees downloading unapproved software and other shadow IT practices.
Another feature of Jamf Now that helps enable security is Password Sync for macOS. This feature for Azure AD and Okta keeps accounts that access your company resources secure by requiring multi-factor authentication and strict identity verification—in other words, it keeps your information in the right hands while keeping track of who is granted access.
Protect
One of the simplest and most effective ways to keep your devices secure is to stay on top of software updates. These updates don’t just include the latest software innovations; they can also include critical updates to address vulnerabilities that can compromise your security posture. Jamf Now can deploy updates to any or all of your devices.
Beyond updates, Jamf Now can:
- Configure Wi-Fi, email, calendar and contacts so there’s no guessing whether accounts are set up correctly
- Encrypt device data
- Ensure passcodes and passwords meet security requirements
- Remotely lock, unlock and wipe devices in case they get lost or stolen
Detect
Even organizations with large security teams can fall victim to a cyber attack. When prevention falls short, reliable detection of threats mitigates or minimizes the impact. Jamf Now includes built-in malware prevention and detection software to identify threats. This software relies on expert research and third-party feeds about the latest malware.
Respond and recover
Jamf Now’s malware detection feature also quarantines any potential malware, allowing for appropriate action to be taken. This built-in functionality helps prevent malicious software and other threats from running on your Macs.
Getting started
Even though Jamf Now offers complex features, setting up your application doesn’t have to be complicated. Jamf Now offers quick setup and ease of use without requiring an IT team. You also start with built-in Blueprints to help you configure your systems right out of the box; you also have the flexibility to create custom Blueprints to meet your business needs.
Your first three devices are free—give Jamf Now a try.
Fake Airplane Mode: A mobile tampering technique to maintain connectivity
Month: August 2023
Author: August 17, 2023 by Jamf Threat Labs
Source: https://www.jamf.com/blog/fake-airplane-mode-a-mobile-tampering-technique-to-maintain-connectivity/
Research led by Hu Ke and Nir Avraham.
Has your Airplane Mode been tampered with?
As the name suggests, Airplane Mode is designed to allow passengers to safely use a mobile device during flight, turning off the wireless cellular features to avoid interference with critical flight equipment.
However, the use of Airplane Mode has expanded beyond travel: some use it to preserve battery, and others as a way to disconnect from our always connected world. It has even been suggested as a meditation technique.
For those with cyber-paranoia and technophobia, putting your phone on Airplane Mode may be a useful psychological trick to help achieve peace of mind and a feeling of additional privacy.
But should you use Airplane Mode to protect your security and privacy?
Today we’re going to dive into the technology underlying Airplane Mode on iOS to demonstrate an approach that would allow a malicious actor to maintain a cellular network connection for an application, even when the user believes they have enabled Airplane Mode.
The underlayer
We start by analyzing how Airplane Mode works. Two daemons carry the main task of switching Airplane Mode. SpringBoard takes care of changes on the UI, and CommCenter is responsible for operating the underlying network interface. Note that CommCenter is also responsible for managing the feature that allows users to “Block cellular data access for specific apps”.
As you can see, under normal conditions, when the user turns on Airplane Mode, the network interface pdp_ip0 (cellular data) will no longer display IPv4/IPv6 IP addresses. The cellular network is disconnected and unusable, at least to the user space level.
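A consistency check built on this observation, added here as an example and not taken from the Jamf Threat Labs research: it parses `ifconfig`-style output and flags a device that reports Airplane Mode as on while pdp_ip0 still holds an address. The sample outputs are constructed, and the `airplane_mode_reported` input and the assumption that a tampered device keeps its pdp_ip0 addresses are this example's own.

```python
import ipaddress
import re

# Constructed ifconfig-style samples (not captured from a real device).
SAMPLE_CELLULAR_ADDRESSED = (
    "lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384\n"
    "\tinet 127.0.0.1 netmask 0xff000000\n"
    "\tinet6 ::1 prefixlen 128\n"
    "pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450\n"
    "\tinet 10.20.30.40 --> 10.20.30.40 netmask 0xffffffff\n"
    "\tinet6 2001:db8::1234 prefixlen 64 autoconf\n"
    "en0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tether 02:00:00:00:00:01\n"
)
SAMPLE_CELLULAR_CLEARED = (
    "lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384\n"
    "\tinet 127.0.0.1 netmask 0xff000000\n"
    "pdp_ip0: flags=8010<POINTOPOINT,MULTICAST> mtu 1450\n"
    "en0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
)

IFACE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+):\s+flags=")
ADDR_RE = re.compile(r"^\s+(?P<family>inet6?)\s+(?P<addr>\S+)")


def parse_ifconfig(text):
    """Return {interface: [(family, address), ...]} from ifconfig output."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group("name")
            interfaces[current] = []
            continue
        match = ADDR_RE.match(line)
        if match is None or current is None:
            continue
        # Drop the zone suffix of scoped IPv6 addresses (fe80::1%en0).
        candidate = match.group("addr").split("%")[0]
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue  # not an address token; ignore the line
        interfaces[current].append((match.group("family"), candidate))
    return interfaces


def check_airplane_consistency(ifconfig_text, airplane_mode_reported,
                               iface="pdp_ip0"):
    """Compare the reported Airplane Mode state with the cellular interface.

    airplane_mode_reported is supplied by the caller (assumption: it comes
    from whatever the device or its inventory reports as the UI state).
    """
    addresses = parse_ifconfig(ifconfig_text).get(iface)
    if addresses is None:
        # Interface missing from the output: no conclusion either way.
        return {"status": "unknown", "interface": iface, "addresses": []}
    if airplane_mode_reported and addresses:
        # UI says "off the network", interface says otherwise.
        return {"status": "mismatch", "interface": iface,
                "addresses": addresses}
    return {"status": "consistent", "interface": iface,
            "addresses": addresses}


if __name__ == "__main__":
    for label, sample in (("addressed", SAMPLE_CELLULAR_ADDRESSED),
                          ("cleared", SAMPLE_CELLULAR_CLEARED)):
        print(label, check_airplane_consistency(sample, True))
```

A `mismatch` result is a lead for investigation, not proof of tampering; the check only compares two observations that should agree under normal conditions.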
Creating an artificial Airplane Mode
In this section, we’ll show how we created an artificial Airplane Mode, keeping UI changes while preserving cellular connectivity for a selected application (which in an attack scenario would be the attacker’s malware they installed as part of a device exploit).
We start by following the console logs. Notice that when you switch on the Airplane Mode, the earliest relevant log appears to be the one found below, “#N User airplane mode preference changing from…”
We use this string to locate the code that references it in the disassembler. It’s a symbol-less C++ function found here:
Hoping that this function was early enough in the chain of calls that enable Airplane Mode, we successfully hooked and replaced it with an empty/do nothing function. The result was a fake Airplane Mode. Now, when the user turns on Airplane Mode, the device will not be disconnected from the cellular network and internet access will be uninterrupted.
Preserving the expected user experience
Additional UI tweaks are required to make the attack look like the typical Airplane Mode experience. One small example was to dim the cellular icon and to prevent the user from interacting with it.
To accomplish this, we hooked two Objective-C methods, -[SBStatusBarStateAggregator _noteAirplaneModeChanged] and -[CCUIModularControlCenterOverlayViewController _beginPresentationAnimated:interactive:], and injected a piece of code that adjusts the cellular icon to pull off the intended effect.
Appearing to disconnect the internet
After enabling Airplane Mode without a Wi-Fi connection, users would expect that opening Safari would result in no connection to the internet. The typical experience is a notification window that prompts a user to “Turn Off Airplane Mode”. To achieve this effect, we will utilize the aforementioned CommCenter feature to “Block cellular data access for specific apps,” and disguise it as Airplane Mode through the hooked function below.
The screenshots below show the spoofed user experience with the message that normally occurs from the “Block cellular data access for specific apps” feature on the left, and the result of hooking the notification window to look like the typical Airplane Mode message on the right.
Replacing the alert window is one thing, but how did we disconnect the internet for Safari without actually turning on airplane mode and affecting the entire device? After all, this is the most significant sign that airplane mode is on.
How does the “Cellular Data is Turned Off” alert window work?
Similar to the earlier icon manipulation, we discovered that the system UI manager SpringBoard prompted the alert window after being notified by CommCenter. Looking one step deeper, we concluded that CommCenter was notified by the kernel through a registered observer/callback function.
CommCenter`CellularUsagePolicyController::createNEConfigurationStore_sync
-> NetworkExtension.framework`-[NEPathEventObserver initWithQueue:eventHandler:]
-> libnetwork.dylib`network_config_cellular_blocked_observer_create
These network_config_* functions internally call socket()/ioctl() to interact with the kernel:
network_config_cellular_blocked_observer_create
-> network_config_policy_observer_create
-> __network_config_policy_observer_create_block_invoke
-> network_config_setup_policy_event_watcher
-> socket(32, 3, 1)
-> ioctl(…)
We leveraged `fsevents`, and observed that the CommCenter daemon also manages a SQL database file /private/var/wireless/Library/Databases/CellularUsage.db. This database records the cellular data access status of each app.
The value of “flags” will be set to 8 if an application is blocked from accessing cellular data. This is useful as we can read a list of application bundle IDs from this SQL database file and obtain their preset value.
Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a Backdoor Trojan.
Jamf Executive Threat Protection can identify sophisticated attacks to keep your users safe.
User Privacy + Private Relay
Month: August 2023
Author: August 17, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/byod-security-solutions-private-relay-jamf/
There was a school of thought behind IT management that admins always had to lock everything down. Just completely button it all up for a device (and its data) to be considered “secure”. I put secure in quotes because this iron-fisted approach often came at the cost of system usability, and almost always at the cost of the end-user experience.
This was long before the modern-day computing landscape we have today. The iPhones of today – and for that matter, most of the iPhones released – have more computing power than most computers twenty-plus years ago, pound for pound. Something else the devices have today that wasn’t really a thing back then is metadata. Specifically, all the various bits of data recorded, timestamped, and cataloged about the user when using cameras, microphones, taking photographs or sharing data across the Internet, such as through social media platforms. This metadata can be and is used by several sources the instant it’s recorded to answer many of the following questions about the user:
- When was something done?
- Who did it?
- What are their individual characteristics?
- Are there ties between this person and other data bits?
- Can a profile be created from this data?
- How can the profile be used to link the person to ‘XYZ’?
The questions are endless. The result, though, is straightforward: this privacy data can be used against you, the user, in some way, shape or form, whether for something as seemingly benign as curating advertisements to target your interests or as malicious as assembling all this data to steal your identity.
How do you balance that? Do you lock the device down so tightly that it can barely even be used? Or do you leave it as open as possible and permit users to take control over the dissemination of data in all forms? The answers to that are beyond the scope of this blog because, at its core, it really depends on your organization’s policies, how much and what types of data users share of their own volition and the risk appetite of both entities.
Here we’ll address:
- The different ways IT can address privacy vs security in mobile devices
- Some features of iOS/iPadOS 15 to protect privacy
- Resolve some of the issues that pertain to BYOD programs
- Use Jamf Pro’s recent additions to strike a balance between company-owned and personal devices
BYOD privacy concerns got you feeling blue?
Learn more about reaping the benefits of enhanced security without compromising user privacy with our technical paper on balancing privacy and the user experience.
User Privacy and Private Relay
Privacy data, as explained above, is essentially any data that can and does personally identify a user and/or can be used to build profiles about the user, including shopping habits, interests, web history and so on.
Private Relay on the other hand is a new technology from Apple introduced in iOS/iPadOS 15 that, when enabled, limits the amount of private data that is leaked to websites and services when establishing connections to them over the Internet. Acting like a shield of sorts, Apple Private Relay works by routing your requests through Apple’s servers first where your DNS records are encrypted to hide the name of the website you’re requesting to access. The encrypted request is then sent to a second relay, which generates a temporary IP address, masking your real IP address before connecting you to the site you requested.
Over management = Underserving users
So how do user privacy, Private Relay and managing users and their devices tie together? That’s a good question and I’m glad you asked. In the larger security scheme, device management doesn’t apply just to updating apps and patching the OS. While that’s a big part of it, securing access and controlling what users can and cannot do is another part. Balancing both, so that your users are free to use their BYOD devices for their own personal uses while the device is still secured against security threats, ultimately means that some compromises will need to take place on both sides.
Locking a personally owned device down to a state where it is largely unusable outside of company-provided apps and services is an easy way to foster discord among your users. Furthermore, while the device is technically configured for work, this approach can also backfire in a big way given that mobile devices will still collect some form of personally identifiable information (PII). Without a way for users to manage this themselves, the organization may very well run afoul of laws and regulations that are in place to protect users from these very practices.
Similarly, there’s a saying that a former supervisor would say to me during my years as a Sysadmin. “You touch it, you own it.” Intended as words of caution when considering working on certain projects that didn’t technically fall within our wheelhouse to support. The concern is that even though it’s not our problem to solve, sometimes in providing assistance for a problem we inadvertently create another in the process – that of taking on responsibility for the issue moving forward – despite our best intentions. This is very much the case with over management in this case, by taking upon yourself to turn management of privacy data exclusively into an IT function, end-users are left with no choice but to turn to IT for every single privacy-related matter – whether it pertains to work-related tasks or not. Not only is this a very slippery slope to skate on for IT, but may very well also present difficulties for HR, regulatory compliance concerns, worker’s unions and the organization itself, alongside the users as well.
Making mobile device programs work
Hence the “iron-fisted” approach written about above simply doesn’t work in this day and age. The sheer variety of users, their needs, different types of mobile devices, use cases, and the disparity in distance between each user and the office for remote and hybrid work environments all mean that one size most definitely does not fit all. Oh, and adding BYOD into the mix means that the devices are personally owned, so it wouldn’t be exactly fair nor sustainable to lock a user out of their device due to BYOD security risks. After all, users can simply “opt out” of management at any time when enrolling personal devices in company MDM solutions.
So, what’s the answer then? You might be asking. Well, that’s tough because each organization is different with varying needs. BYOD security solutions ensure the security of corporate data while keeping a balanced, “hands-off” approach to safeguard user privacy matters, which is a solid goal to aim for.
Luckily, there are several models available that may be a better fit for your organization. They each offer their own trade-offs, of course, but may provide the solid foundation to move forward with developing a management plan that works to the benefit of all stakeholders.
BYOD
(Bring Your Own Device): The user owns the hardware and is free to use it as they see fit. Device management offers control of the user-based functions of the device, but not full control by design. This is the least costly option for organizations. It is important to note that while BYOD limits what your employer can see on your device, it does allow IT to focus solely on managing the apps/services/data that are tied exclusively to securing company resources. Users retain control of their devices and their use, while corporate data – which they do not govern – is still safeguarded to company standards and adherence to corporate policy.
CYOD
(Choose Your Own Device): The company owns the hardware and provides it to employees to use for work-related purposes. This is the costliest model as it requires the company to purchase and manage the devices and infrastructure. With this model, IT may opt to restrict devices as they see fit in theory, but as mentioned before that doesn’t really work out so well in practice if devices are so locked down users simply cannot use them. Instead, users feel forced to carry a secondary mobile device that is more flexible in terms of allowing them to do their work and use it for personal uses. A big downside to this is, if corporate data is not being managed appropriately in the backend, users will figure out quickly that they can use their personal device to meet their needs, eschewing the corporate-owned device altogether. This represents not only a waste of funds for the organization but potential security risks as IT will have no insight into the personal device, meaning company data may be open to compromise at any point.
COPE
(Corporate owned, Personal Enabled): The company owns the hardware in this model as well, which keeps the costs up for both devices and management infrastructure. However, the biggest delineation between COPE and CYOD is that the former shares more flexibility with BYOD than with CYOD’s locked-down model. In other words, the ability for companies to own the hardware means they can secure corporate resources as needed without compromising security. However, the user-based policies provide the ability for users to utilize the mobile device for personal tasks in addition to work, without one infringing on the other. Company data remains protected and personal data remains with the user.
Lastly, there is one piece to this equation that we’ve only touched upon: the MDM component. Specifically, the software used to manage the mobile devices regardless of which deployment model is chosen. In this case, the new additions Apple has incorporated into iOS/iPadOS 15 have a heavy focus on security and privacy. Jamf has also adopted these features into the latest version of Jamf Pro to streamline user enrollment and provisioning access to company resources while maintaining user privacy on their personal device.
Leveraging Apple’s Account-Driven User Enrollment, Jamf Pro allows organizations to take advantage of the onboarding workflow so that end-users can securely enroll their personal or corporate-owned devices by authenticating with their cloud-based credentials, using personal and managed Apple IDs to keep personal and corporate data separate.
Frankly, it’s the best of both worlds: having two Apple IDs allows users to keep privacy data linked to their personal Apple ID, while company data is linked to their organizationally provided managed Apple ID. Furthermore, personal devices allow limited IT management without allowing access to commands that may be considered too heavy-handed, such as viewing personal data, location tracking or collecting privacy data from the device. Conversely, IT can still lock devices that are reported lost or stolen, install/update corporate apps & data and remotely apply configurations to secure corporate resources, like VPN or email.
The end result is a mobile device management strategy where all stakeholders win: users can benefit from a unified experience, blending personal and professional from just one device with transparency into IT management capabilities, protection of privacy data and access to corporate resources. Organizations strike the all-too-important balance between security and end-user privacy by keeping employees protected and productive while allowing for flexibility to use devices for personal tasks that are secured, without infringing on the privacy of their users.
Protect end-user privacy while achieving parity with security across your network
company-owned and personal devices you support as part of your BYOD program with Jamf Pro.
Verizon expands Jamf partnership for enhanced MDM and security
Month: August 2023
Author: August 11, 2023 by Laurie Mona
Source: https://www.jamf.com/blog/verizon-expands-jamf-product-offerings-for-enhanced-device-management-and-security/
Hybrid work is here to stay in the modern workforce. As businesses support a remote workforce, they must figure out how to securely manage their devices and data, no matter where their employees work.
With Jamf’s zero-trust cloud security through Verizon, businesses can enable remote workers to safely connect to business applications, get protections against sophisticated threats, and effectively control data usage while promoting productivity.
Verizon and Jamf Partnership
Read on to learn more about how your business can benefit.
Why Jamf and Verizon?
The expanded partnership between Jamf and Verizon offers businesses a modern cybersecurity service for your remote operations. This includes benefits beyond baseline device security, including visibility and management of mobile data across both cellular and wi-fi networks.
If your organization is looking to enhance and secure your device ecosystem, you can take advantage of unique benefits offered by these two industry-leading partners.
Verizon offers:
- Reliable Network: Verizon network provides fast and reliable coverage across the country. Ranked first in network quality for the 31st time in a row across all six U.S. regions.
- Customer Service: Verizon’s customer service is the best in the business, awarded number one in customer satisfaction according to J.D. Power’s 2023 U.S. Business Wireline Satisfaction Study.
Jamf offers:
- Streamlined Management: Solutions from Jamf provide a user-friendly interface that allows businesses to easily manage their devices, with features such as app deployment, security configurations, and remote support.
- Customization: Jamf can be customized to meet the specific needs of each customer, allowing businesses to tailor their device management to their unique environment.
By taking advantage of the Verizon and Jamf partnership, you can access:
- Zero-Trust Network Access – secure remote access with device checks and risk assessments
- Effective threat defense – mobile endpoint protection
- Content filtering – intelligent, rules-based dynamic filtering of content
- Unified security solution – one solution for remote access, threat defense and in-network security
- Industry integrations and deployment options – Ecosystem offering the right solution for each use case
- Seamless security – cloud-enabled security for compatible laptops, tablets and smartphones
“Verizon’s expanded partnership with Jamf is a testament to their commitment to providing the best device management and security solutions for their customers. With more Jamf products now available, Verizon is empowering organizations to streamline their operations and maximize the potential of their devices.” – Justin Smith, Jamf Senior Channel Manager of Channel Sales
Jamf and Verizon: better together
Verizon and Jamf began working together after Jamf’s acquisition of Wandera in the summer of 2021. The expansion of this partnership offers small to enterprise-sized organizations a consistent and seamless security experience for remote users. Check out Verizon and Jamf solutions that can help defend the users, devices and applications that keep your business running.
Get more details about the Verizon and Jamf partnership.
Understanding Security Frameworks: Guide for IT Security Professionals
Month: August 2023
Author: August 9, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/security-frameworks-guide-for-infosec-pros/
The modern threat landscape is different today from what it looked like five years ago, ten years before that and twenty years prior. Cybersecurity, much like the technology that it seeks to protect is ever-evolving. Combined with the needs unique to your organization, as well as applicable compliance requirements, IT and Security teams have their work cut out for them when mitigating risks to the infrastructure while also maintaining a balance between data security and user privacy.
Thankfully, just like Maverick had Goose in Top Gun, organizations can leverage Security Frameworks to strengthen their security posture by:
- streamlining procedures
- minimizing risks
- achieving compliance
- enforcing best practices via policies
What is a Security Framework?
Webb cites Secureframe when answering the question above, “A security framework defines policies and procedures for establishing and maintaining security controls.”
Put simply: security frameworks act as a detailed guide that aids organizations in building and maintaining their security plan. Not unlike how blueprints help contractors build a home to specifications.
Importance of security frameworks in today’s digital landscape
As mentioned previously, security is constantly changing and the needs, tools, strategies, practices and procedures to continue protecting devices, users and data within your organization need to adapt to these changes or risk being susceptible to threat actors, including potential data breaches and the dire consequences that come with it.
The role of a security framework in an organization is an easy one to explain: security frameworks provide a systematic approach to securing your organization against myriad risk factors by determining which policies, procedures and controls should be implemented – including how they should be configured – to provide the greatest level of protection across the enterprise.
Webb also goes into greater detail explaining how security frameworks fall into several categories and that within each category there exist several different ones, each providing a specific level of protection to match the unique needs of your organization. Furthermore, while some frameworks may provide more generalized protections against threats, other frameworks are designed to specifically address the needs of specific industries, for example, HIPAA for healthcare or FINRA for financial institutions.
Why are Security Frameworks important?
Security frameworks play a significant role in mitigating cyber threats by making the path to implementing security controls, policies and procedures easier. It eliminates the “guesswork” by answering commonly asked questions, such as:
- Which tools should we use?
- Why should we use these tools?
- What configurations should we use?
- How can these tools be used to achieve compliance?
Cybersecurity poses a difficult challenge for many an organization. The fact that security is a path, not a destination, does nothing to lessen the challenge of keeping endpoints safeguarded nor organizations compliant. But frameworks greatly reduce the burden placed on organizations by making determinations as to what to prioritize their focus on by establishing a system of sorts that IT and Security teams can utilize throughout the entire endpoint lifecycle.
For example, let’s consider a financial institution that provides investment services to its clients. Because the finance sector is the highest-regulated industry, the importance of adhering to security frameworks for businesses that identify as financial centers cannot be overstated. As part of the regulatory requirements, governance over communications, including the cipher strengths used in communication platforms, what devices are restricted, which platforms can be used and by whom, makes up a small yet critical part of complying with financial regulations.
In the example scenario above, an employee utilizing their personal mobile device to communicate protected financial transaction data over an unsecured app can trigger an investigation into business processes, possibly resulting in steep fines of millions of dollars. While this may sound like perpetuating fear, uncertainty and doubt (FUD), the “imaginary scenario” above was actually the result of an industry-wide investigation last September, resulting in 16 fintech firms being fined $1.1 billion for failure to comply with federal securities laws in the U.S. This event is just one of the many case studies that exemplify how critical it is for organizations to choose the right security framework and adhere to it to maintain business continuity without compromising endpoint security and privacy or impacting productivity.
Choosing the right security framework for your organization
Before an organization can begin working on adhering to security frameworks, it must first select one. More to the point, it must first select the right one. When choosing a security framework, some important factors to consider are:
- Improving operational efficiency
- Industry requirements for compliance
- Mitigating security risks
- Organization size may require more than one framework
- System and data sensitivity needs
The process of implementing a security framework is not one that should be taken lightly. That said, the benefits of choosing the right framework(s) are multifold. From hardened security configurations to convergence between management, identity and security to form a holistic, comprehensive solution that is purpose-built for your supported ecosystem – all working together to protect against the latest security threats while enforcing compliance through standardized procedures, policies and practices.
Want to understand how security frameworks can help your organization?
Stuttgart Chamber Orchestra moves from paper to iPads
Month: August 2023
Author: August 4, 2023 by Ivna O’Neill
Source: https://www.jamf.com/blog/digital-tranformation-in-art-with-apple-jamf/
Bridging the gap between tradition and technology
For a 75-year-old orchestra in Germany, a digital transformation journey had to be threefold: customized, sustainable and seamless.
Jamf partner Spirit/21’s task was to bridge the gap between tradition and technology, enabling musicians to perform their best. They worked with the Stuttgart Chamber Orchestra to replace their music sheets with digital versions on mobile tablets. To give musicians the best experience possible, iPads were the tool of choice.
This was no classic implementation project.
For the team, the priority was to listen to the client and understand the requirements of a bespoke solution to suit users and admins. As the first to take the leap into iPad sheet music, it was important for the orchestra to demonstrate that the iPads were capable of simplifying work so that the experienced chamber players did not miss paper sheets.
The iPad project for SKO focused on three main areas:
- Managing devices for access to tools, apps and resources remotely as the orchestra regularly travels to perform
- Protecting devices through a robust set of baselines to defend against threats and data loss
- Working with the orchestra to implement the requirements for their unique needs.
With Jamf Pro as a baseline, the project took a closer look at the user experience and the customer’s pain points.
Embracing the digital age
Stuttgart Chamber Orchestra has never been shy about innovating and seeking new ways to transform their performance and the audience’s experience. The group has dabbled in holograms, AI and augmented reality— maintaining a constant hunger for cutting-edge technology.
The idea of digital music sheets started a few years ago, and so did the hunt for a solution that could fulfill the orchestra’s functional and sustainable requirements. SKO became the first climate-neutral orchestra in Germany in 2022, a recognition that coincided with the transition to iPads.
A mobile solution for a mobile orchestra
As one of the world’s oldest chamber orchestras, tours and performances all over the world are a regular occurrence. Ensuring that relevant material is always available made a lot of sense. Instead of carrying several paper sheets, and running the risk of leaving any behind, having an individual device for each musician helped build a consolidated, mobile music library.
Fostering collaboration with iPads
While improving mobility was a compelling argument for digitalization, for artistic director Markus Korselt the most crucial use case for switching to iPads was the ability to foster collaboration among the group.
Making notes to music sheets is a regular occurrence. Once, a comment from the conductor would result in a lot of pencils coming out and members writing individual notes. The devices changed this: a note can now be easily and quietly shared for the benefit of all members. For minimal disruption, pedals are used to change pages and keep hands free during rehearsals and performances.
Educating the end user is key
These practical aspects were essential to bring the musicians on board and ensure that they welcomed the devices. SKO provided a series of workshops to help the transition and to demonstrate the advantages of using iPads.
While at first orchestra members feared missing the romantic side of paper sheets, they soon became convinced by the practicality and scalability of the solution. “This is a quantum leap. Very clear. It’s a real practice-oriented innovation,” said Emanuel Wieck, a violist with the orchestra. “I think it’s great with the iPad. It totally convinces me and it’s really a relief.”
Learn more about Jamf!
What are the security risks of AI?
Month: August 2023
Author: August 3, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/security-risks-of-ai/
What is AI?
Artificial Intelligence, or AI for short, refers to the intelligence of software and computers to resolve problems and make decisions by leveraging the advanced data processing prowess made possible by computing devices. AI functions are not unlike human intelligence, only at levels that go far beyond human capabilities.
How does AI benefit businesses?
The promise of AI to revolutionize business functions is vast and nearly infinite. While the extent of what’s capable is not known, some of the possibilities that are available at the onset are helping industries, like supply chain, healthcare and finance sectors – among many others – from developing processes for getting products from point to point seamlessly to processing volumes of health data to identify patterns and anomalies in diagnosis and provide better treatment to more intelligently detect fraud and block fraudulent transactions to keep financial assets safe…and that’s just the tip of the iceberg.
Some examples of AI
AI acts as an umbrella term that includes variations of the technology, each providing a benefit to business and society et al. Examples of the different types of AI technology are:
Machine Learning (ML): Machines are able to discover their own algorithms, or models by being fed data to ‘learn’ about the problem they are trying to solve. The more data points they learn from the greater the potential of the results. Initially, the learning process may require human labelers to identify correct results, as time goes on the human element will be less necessary as more accurate results are produced.
Large Language Model (LLM): Based on deep learning, which is a broader subset of ML, LLMs are pre-trained and rely on neural networks made up of tens of millions of parameters that process large volumes of data in parallel. Whether operating in self-supervised or semi-supervised learning modes, their aim is to not only obtain knowledge but embody contextual facets of knowledge, such as syntax, semantics, and ontology pertaining to humans, such as the way we think and communicate.
Generative AI: A technology that is capable of generating media, such as text and images, in response to prompts by learning the structures of input training data. By receiving input data from users and applying ML techniques by processing the data via neural networks, the resulting media is generated by AI and can be used in multiple applications, such as creating inspired works of art, developing code used in software design or writing documentation, like articles and reports, complete with cited text – and so much more.
Security risks associated with AI
For all the talk of benefits to organizations around the globe, AI poses an equal and significant risk to each industry. And while cybersecurity risks are nothing new per se, the impact that AI currently has on risk and how that will evolve as AI continues to push into businesses in novel ways certainly is.
This is not just a belief held by a few or the plot of a blockbuster film detailing how AI’s rise will lead to the demise of humanity. In fact, the general consensus among the majority of cybersecurity professionals is that not only will AI be weaponized to a scale and speed that is far beyond what we understand and know today, but in a twist of irony, AI-enabled defenses will be necessary for organizations “to fight these advanced attacks with advanced tactics that detect, interpret, and respond to the threat before it has a chance to make an impact.”
And what exactly are the AI-based risks that organizations are facing to keep resources safe?
We have an answer thanks to OWASP and its Top 10 for Large Language Model Applications project for 2023, a comprehensive report dedicated “to educate developers, designers, architects, managers, and organizations about the potential security risks when deploying and managing Large Language Models (LLMs).” The listing covers:
- the most critical vulnerabilities impacting AI
- their potential impact
- ease of exploitation
- prevalence in real-world applications
LLM01: Prompt injection
For those familiar with SQL Injection attacks, prompt injection vulnerabilities in AI are a similar attack type. Inputs are crafted in a way to manipulate the model to cause unintended actions. Direct injections are capable of overwriting system responses while indirect injection attacks seek to manipulate inputs received from external sources.
And just like SQL injection attacks, security strategies to mitigate this vulnerability involve the implementation of both input validation and data sanitization practices for user-provided data. Additionally, applying output encoding helps to filter responses while further reducing the vulnerability to prompt manipulation.
LLM02: Insecure output handling
Attackers often employ fuzzing tactics to determine how to best attack software. By examining the output responses to specially crafted input, critical information may be exposed that provides threat actors a clue as to vulnerabilities that can be exploited to compromise systems. When LLM output is not scrutinized, exposure to the underlying system can occur through Server-side Request Forgery (SSRF) vulnerabilities. To minimize this and further exploits that could allow effective bypassing of access controls and unauthorized access to sensitive data, a combination of input validation and sanitization is necessary to mitigate threats initiated by malicious requests. Additionally, frequent review of auditing data is recommended to ensure that resources remain protected from AI.
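One way to scrutinize LLM output before the server acts on it, shown as an added example that is not from the original article or from OWASP: every URL the model produces is checked against a default-deny policy before any server-side fetch. The host names, the HTTPS-only rule and the function names are assumptions made for this sketch.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Assumed policy for this sketch: the only hosts the application may fetch for the model.
ALLOWED_HOSTS = {"docs.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"https"}
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s<>\"')]+")


def check_model_url(url: str) -> tuple[bool, str]:
    """Decide whether a URL taken from LLM output may be fetched server-side."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if port not in (None, 443):
        return False, f"port {port} not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are never allowlisted; record why for the audit trail.
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
        return False, "internal IP literal" if internal else "public IP literal"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


def vet_model_output(text: str) -> list[tuple[str, bool, str]]:
    """Extract every URL from model output and attach the fetch decision."""
    return [(u, *check_model_url(u)) for u in URL_RE.findall(text)]
```

The rejection reasons are meant to be logged, which supports the audit review recommended above. The component that performs the fetch should also refuse redirects to hosts that have not passed the same check.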
LLM03: Training data poisoning
If training data is the lifeblood of AI’s deep learning process, then it stands to reason that AI-generated output is only as good as its input. This precept is especially significant when considering that vulnerabilities may be introduced that could easily compromise data security, integrity and efficacy. This is why it’s so important for organizations to ensure that training data is obtained from trusted sources and that its integrity is verified to ensure that training data has not been poisoned or tampered with, nor that bias has been introduced that could impact the ethical behaviors of AI systems.
LLM04: Model denial of service (DoS)
Not unlike DoS attacks on networks, LLMs represent a valuable target for threat actors. The resource-heavy operations, when attacked, can lead to service interruptions and increased costs which are only further complicated by the reliance on AI-based tools for everything from business operations to cybersecurity. When coupled with the level of variance that comes from user inputs, the number of variables only grows exponentially. Despite having their work cut out for them, security pros should implement resource caps in order to limit excessive requests that would otherwise deplete resources. When paired with continuously monitoring resource utilization and strict input limits, administrators can take a proactive approach to prevent resource exhaustion while still providing users access to AI tooling.
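The resource caps and strict input limits described above can be enforced by an admission gate in front of the model endpoint. This is an added example, not code from the original article; the limits, the four-characters-per-token cost estimate and the class name are assumptions for the sketch.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumed limits for this sketch; tune them to the model and hardware in use.
MAX_PROMPT_CHARS = 4_000    # strict input limit
MAX_OUTPUT_TOKENS = 512     # ceiling on generation length per request
BUCKET_CAPACITY = 2_000.0   # per-user budget, in estimated tokens
REFILL_PER_SECOND = 10.0    # budget restored per second


@dataclass
class Budget:
    tokens: float
    updated: float


class LLMGate:
    """Admission control in front of a model endpoint."""

    def __init__(self, clock):
        self.clock = clock                 # injectable so the logic is testable
        self.budgets: dict[str, Budget] = {}
        self.rejections = Counter()        # feed this to monitoring

    def admit(self, user: str, prompt: str, requested_output: int) -> tuple[bool, str, int]:
        """Return (admitted, reason, output-token cap to pass to the model)."""
        if len(prompt) > MAX_PROMPT_CHARS:
            return self._reject("prompt too long")
        out_cap = min(max(requested_output, 1), MAX_OUTPUT_TOKENS)
        cost = len(prompt) / 4 + out_cap   # assumption: roughly 4 characters per token
        now = self.clock()
        b = self.budgets.setdefault(user, Budget(BUCKET_CAPACITY, now))
        b.tokens = min(BUCKET_CAPACITY, b.tokens + (now - b.updated) * REFILL_PER_SECOND)
        b.updated = now
        if cost > b.tokens:
            return self._reject("budget exhausted")
        b.tokens -= cost
        return True, "ok", out_cap

    def _reject(self, reason: str) -> tuple[bool, str, int]:
        self.rejections[reason] += 1
        return False, reason, 0
```

In production the clock would be `time.monotonic`, and the `rejections` counter is the signal to export for the continuous utilization monitoring the paragraph calls for.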
LLM05: Supply Chain
2022 was a year that saw not one but several high-profile supply chain breaches. So impactful were these breaches in fact that guidance from analysts for 2023 foretold that supply chain attacks would continue to grow and proliferate as threat actors continued to set their sights on this large, opportunity-rich target. According to OWASP, “supply-chain vulnerabilities in LLM can affect the entire application lifecycle” – including everything from libraries, containerized instances, images and packages. This extends to cloud service providers that may be hosting models and/or providing services that interface with your LLM, like plugins (but more about them later as they have their own dedicated vulnerabilities that we touch upon). Protecting your AI models from supply chain threats requires a layered approach to your security plan. For starters, thoroughly vetting partners is tantamount to setting up a solid foundation. Performing regular auditing of sources is a key part of the solution to ensure security remains a priority. Implementing model and code signing best practices works best when paired with only working with trusted sources. Of course, active monitoring is a must to detect any vulnerabilities, out-of-scope components being used when they shouldn’t be or even to spot anomalies that could pose a risk to your LLM’s security. Lastly, maintain a current inventory of components that are being used in conjunction with Machine Learning Operations (MLOps) to ensure that models are deployed and managed reliably, efficiently and securely.
LLM06: Sensitive information disclosure
Another familiar cybersecurity concern that poses an exponentially unknown risk factor to data security is data leakage. While this too is nothing new to the security industry, the ramifications of AI-based risk cannot be quantified. Information shared with AI technology can inadvertently reveal (and has revealed) confidential data in responses to users, as it did in three recent incidents that leaked proprietary data belonging to Samsung. ML applications in particular learn from all input data and, as they build their database, can and will rely on this data to resolve a query, possibly leading to unauthorized data access, compliance and/or privacy violations and, of course, a data breach. This is why it’s critical for users to know and understand the potential consequences of their actions, which organizations can achieve by implementing user training to establish awareness of what should not be shared with AI and why it shouldn’t be shared. Additionally, organizations are well served by aligning user training to organizational policies to further support secure business practices.
LLM07: Insecure plugin design
Touched upon as part of the supply chain vulnerabilities, plugins and their design pose a critical risk to the data accessed and generated by AI due to the sheer nature of how plugins are designed to operate. In many cases, LLMs rely on plugins or APIs to work directly with input data and output data generated by AI models. Insecurely designed plugins may be prone to malicious requests that may result in but are not limited to data leakage, exposure of underlying systems or remote code execution. They may also lead to poisoning results, which will cause the model to generate output that has been compromised or provides sensitive system information that may be used to further an attacker’s aim. As a general precaution, it is advised that all input data be treated as unsafe and therefore, input validation (including parameterized input requirements) is recommended alongside explicit access controls to limit the risk of security issues. Additionally, plugins should be tested thoroughly to validate code and should adhere to best practices for developing secure code at each phase of the development pipeline.
LLM08: Excessive agency
The view, and to some extent the marketing, of AI heralds thoughts of a personalized assistant that is always available to perform the “heavy lifting” for us, not unlike the JARVIS protocol used by Tony Stark/Iron Man to handle everything from curating playlists to performing scientific calculations on the fly when identifying an unknown element. And while AI certainly has been tapped to perform autonomous feats, like self-driving cars, the agency granted to the model (direct) or the automated actions that result from the data AI has processed and are executed by plugins or tools (indirect) all share a common trait: they are occurring without human input or authorization. This alone poses one of the more frightening concerns, as LLMs or the plugins that rely on their data may perform functions that are not necessary or even intended simply due to the agency or “permissions” given to them – even if the operation is one that humans wouldn’t want to be performed. Or, as a core tenet of the European Union’s draft of the AI Act puts it, “AI systems should be overseen by people, rather than by automation, to prevent harmful outcomes.”
How does one go about mitigating this risk type? Implementing a risk-based approach. Similar to a Zero Trust model, “LLMs should not be trusted to self-police or self-restrict.” To achieve this, look toward limiting access to plugins and tools to only the functions required. Also, avoid open-ended functions or any functions that are simply unnecessary to harden the attack surface (latter) while strengthening access controls to only interact with the data or perform the actions that are necessary to complete its process (former).
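The plugin guidance under LLM07 (treat all input as unsafe, parameterized input, explicit access controls) and the least-agency guidance above can be enforced in one place: the dispatcher that sits between the model and its tools. This is an added example, not code from the original article; the tool names, roles and serial-number format are hypothetical.

```python
from __future__ import annotations

import json
import re

# Hypothetical tool registry for this sketch: only the functions the assistant needs.
SERIAL = re.compile(r"[A-Z0-9]{10,12}")
TOOLS = {
    "lookup_device": {
        "params": {"serial": SERIAL},
        "roles": {"helpdesk", "admin"},
        "needs_approval": False,
    },
    "lock_device": {
        "params": {"serial": SERIAL},
        "roles": {"admin"},
        "needs_approval": True,   # state-changing: a person must confirm first
    },
}


def authorize_tool_call(raw: str, role: str, approved_by: str | None = None) -> tuple[bool, str]:
    """Validate a model-proposed tool call; the model's text is untrusted input."""
    try:
        call = json.loads(raw)
        name, args = call["tool"], call["args"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed call"
    spec = TOOLS.get(name) if isinstance(name, str) else None
    if spec is None:
        return False, "tool not allowlisted"
    if role not in spec["roles"]:
        return False, "role not permitted"
    # Parameterized input: exactly the declared keys, each matching its pattern.
    if not isinstance(args, dict) or set(args) != set(spec["params"]):
        return False, "unexpected or missing parameters"
    for key, pattern in spec["params"].items():
        if not isinstance(args[key], str) or not pattern.fullmatch(args[key]):
            return False, f"invalid value for {key}"
    if spec["needs_approval"] and not approved_by:
        return False, "human approval required"
    return True, "ok"
```

The role comes from the authenticated session of the person using the assistant, never from the model's own output, so the model cannot grant itself permissions.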
LLM09: Overreliance
If excessive agency is a frightening vulnerability, then overreliance is akin to it but from a more worrisome perspective. Let us explain. Many users have taken quite well to generative AI models, like ChatGPT, among others, to create content like writing articles, capturing captivating imagery or mashing up video content that is hyper-realistic, and yet all of it is completely produced by AI. While at the outset, the ability to generate media content is a capital feat in and of itself, as with many tools, the intent of the user is what drives whether it is used to build or to destroy. This may seem like overdramatization, but the risk posed by users relying on AI content as gospel truth could have disastrous consequences. Take for example the misinformation being generated in a technical paper due to a hallucination by the AI and how that could lead to any number of issues affecting major industries, such as healthcare and IT/IS. Or how relatively easy it is to produce audio recordings of individuals saying anything with only a few seconds’ worth of soundbites needed to digitally recreate their voice. Now how about taking that recording and broadcasting it online? Depending on the content of the words, it could be enough to ruin someone’s public reputation or instead, the “faked” recording could be used as part of a crime.
Simply put: we just don’t know how deep that rabbit hole goes in relation to the untold consequences of over-relying on AI. But there are tactics that can help aid discernment between what’s real and what’s generated by LLMs. Let’s begin with fact-checking output with trusted external sources as an additional layer of validation to determine the accuracy and validity of generated content. Similar to plugin development, establishing and adhering to secure coding practices helps to minimize the risk of introducing vulnerabilities into the development environment. In addition to the validation mechanisms and cross-verification of information, clearly and concisely communicating risks, known issues and limitations associated with using AI and AI-generated content is table stakes to ethical and transparency efforts between content creators and content users – not unlike FCC laws that govern truth-in-advertising.
LLM10: Model theft
This vulnerability is among the most straightforward, referring to the unauthorized access and exfiltration of data, in this case, the LLM itself by threat actors. It’s not unlike the data exfiltration threats in cybersecurity seen for years prior to AI where sensitive, private and confidential data is targeted and removed from devices or networks with the express purpose of leaking the information, stealing proprietary details or as part of espionage campaigns. AI model theft, like any piece of confidential data that is stolen, can range in severity from both an economic and a business continuity standpoint. The loss may range from lost revenue or competitive advantage to unauthorized usage of the model, up to and including using it as part of an adversarial attack against the organization the model was stolen from. The key is to secure your LLM using layered security strategies including strong access controls, limiting access to network resources through network segmentation and secure sandboxing, active monitoring of resources, as well as regularly performing audits of logs and activities tied to your LLM. Incident response should be alerted and deployed upon detection of suspicious or anomalous behaviors in order to mitigate them. In addition to access controls, quick mitigation of other vulnerabilities known to affect LLMs (such as those represented within this article) can help to reduce the risk of malicious actors pivoting or moving laterally from another threat to compromise your model.
Other AI-based security risks
Inadequate sandboxing
Sandboxing data is an excellent way to segment sensitive processes from the rest of a system. Doing so allows data to be effectively processed while it runs securely isolated from the underlying system, including being inaccessible by external threats or exposed to risks outside the sandbox environment. Because of AI’s relative nascency, a number of issues are at the heart of designing a universally accepted or regulated sandbox. However, organizations that wish to take advantage of AI technology today would benefit from sandboxing AI models, tools and systems to promote experimentation with products and services in a secure and ethical manner that minimizes risk while addressing challenges, such as lack of formal safeguards, unforeseen consequences or lack of fidelity across solutions.
AI misalignment
The term AI alignment refers to research that “aims to steer AI systems towards humans’ intended goals, preferences, or ethical principles”, according to Wikipedia. If despite its competency, an AI system cannot advance the intended goals, then it is considered to be misaligned and its lack of alignment could lead to undesired behaviors, including actions and malfunctions that could further cause harm to businesses and worse still, impact human life. Consider for a moment an AI system used to generate code for a web service. While the aim of the developer is to create complex, secure code that will result in a service that can be used to simplify computer-related tasks, AI can also be subverted to generate powerful malicious code that may pose a threat to the web service mentioned previously or any web service for that matter. This is why it’s critical to maintain a finger on the digital pulse of AI by identifying what works and refining what doesn’t to help make models safer to use. A key role in the alignment process is human oversight. Not just checking a box off when AI gets something right or wrong, but taking a more pragmatic and scientifically-based approach: documenting problems, performing continuous training, reviewing feedback, conducting evaluations of systems and doing so in a transparent fashion are just some of the key techniques to achieving better alignment.
Key takeaways:
- Develop input validation and output sanitization practices to reduce sensitive data leaks and prompt injection vulnerabilities
- Thoroughly vet supply chain partners to ensure compliance with security and ethical practices
- Ensure that training sets maintain data integrity and have not been tampered with or compromised by working only with trusted sources
- Audit all systems that are used for AI
- Impose limitations on data sharing, especially private and confidential information
- Implement data security and access controls according to industry best practices
- Harden hardware and software with up-to-date patches, vulnerability management and next-generation security tools (including AI/ML-based tooling)
- Provide adversarial training to respond to AI-based threats and improve the resiliency of models
- Integrate regular training so staff understand how to detect and avoid risks stemming from AI-generated threats
- Develop an incident response team for security issues detected and optimized for handling AI-related risks