Mitigating social engineering attacks

Security

Author: Braden Newell, October 16, 2023

Source: https://www.jamf.com/blog/mitigating-social-engineering-attacks/

Protecting user devices against malware is one of the first endpoint hardening tasks an IT administrator or Information Security (InfoSec) team will likely implement. When securing a fleet of devices, regardless of the operating system, ensuring that users cannot install malicious software like ransomware, spyware and rootkits is a basic level one CIS requirement. Jamf Protect’s macOS endpoint security and malware prevention capabilities have long made preventing known malware from launching on corporate and education Macs easy.

It’s great that organizations place a tremendous focus on stopping malware from entering their environments. However, another threat is often overlooked — social engineering. Social engineering is the practice where attackers manipulate and trick individuals into providing sensitive data or access credentials. Social engineering is challenging to defend against because many of us have a trusting nature and have so much to do on the go that we sometimes overlook the out-of-place.

Social engineering continues to be a serious threat, and the risks it poses are only growing. According to the IBM 2023 Cost of a Data Breach Report, social engineering is involved in ~8% of attacks, costing on average $4.55 million. And this statistic doesn’t even include phishing — responsible for 16% of breaches and costing $4.76 million on average. In other words, it’s nothing to sneeze at.

Attackers are attempting to masquerade as corporate executives, and there seems to be more spam than ever hitting our inboxes. Fortunately, there are several tactics your organization can put in place to help mitigate the risk social engineering poses, and, of course, Jamf has a solution or two to create another layer of defense against those digital threats.


Strong passwords and two-factor authentication

Strong, unique passwords are the first line of defense when strengthening your organization’s security posture. Sufficiently long and complex passwords mitigate the risk of shoulder surfing by making them tricky for someone to glance at a user’s keyboard or touch screen and remember what they typed. Jamf’s management products, Jamf Pro, Jamf Now and Jamf School, all offer the ability to implement and enforce password policies on users’ Macs, iPhones and iPads.

However, a complex and/or long password isn’t enough to prevent social engineering. If a bad actor executes a successful phishing attack, for example, the user has provided the password outright, regardless of its complexity. This is why ideally passwords should also be unique for every application and never reused. If a particular application has a data breach and that specific password is compromised, it won’t give the attacker access to other systems. The first thing an attacker tries once they have a user’s application username and password is to try it against other applications.

A way to achieve this is by using a password manager and/or SSO solution. Jamf integrates with directory services and cloud identity providers (IdP) like Okta and Microsoft Entra ID to support SSO. And Jamf Connect keeps users’ Mac passwords synced with their single sign-on (SSO) password, which likely can have its own enforced password policy. This way, users only have to remember one password, reducing password fatigue.

For SSO to be secure, two-factor authentication (2FA) or multi-factor authentication (MFA) should be implemented; otherwise bad actors have access to everything if they obtain a user’s master password. In two-factor or multi-factor authentication, a user needs not only their password but also either a randomly generated six-digit code or another form of authorization: biometric technology such as Face ID or Touch ID, or something physical like a Yubico YubiKey, to access the requested application. 2FA and MFA help reduce the risk that attackers can access systems — especially when biometrics are used — since they may not be able to confirm the authentication prompt.

If your organization doesn’t already have a password policy and password training or resources, champion their development to create formal and consistent messaging around passwords and two-factor authentication.

User training

Never underestimate the power of user training. Social engineering attacks often follow a consistent playbook. Spelling errors, strange icon placement, email spoofing and a sense of urgency are all strong indicators that an email or phone call is a social engineering attack.

However, bad actors are improving, making spoofed emails or websites look nearly flawless. AI is even helping attackers enhance their attacks. Users need to know what a convincing attack can look like, and how to proceed if they suspect a social engineering attack.

Therefore, one of the best ways to prevent social engineering attacks is to train users regularly on the common indicators of social engineering. Most organizations deliver this sort of training once or twice per year to account for changes in tactics and to keep employees vigilant. It’s essential to have a blame-free culture to encourage users to report attacks as soon as they happen. If a user does fall for a social engineering attack, it’s better for them to feel comfortable reporting it to IT early than for a delay in reporting to cause further damage.

Some organizations leverage spam tests and training simulations to test their users’ susceptibility to social engineering attempts. However, organizations have to be careful with this sort of testing. While data can be valuable, users may grow distrustful of their organization. Instead, organizations may want to consider incentive or reward programs for users reporting spam and phishing attempts. Work to create a culture of support, education and prevention around social engineering.

Principle of least privilege

The “principle of least privilege” is an InfoSec concept where users should only be granted access to the specific applications and functionalities required to do their job. For organizations that use applications with user access levels, consider implementing and reviewing them regularly. In a situation where a user’s credentials are compromised, the attacker’s access can be limited to the user’s specific access level. This ensures that the attack has a restricted scope of access and, ideally, is limited from accessing critical or sensitive data.

After gaining initial access, attackers will attempt to move laterally through the network until they reach their final target. The “principle of least privilege” helps limit and mitigate the spread of social engineering attacks but is not a complete solution. Training users on being vigilant and cautious when receiving an odd request from a team member is a great additional step.

Zero trust network access

Even with strong password policies, least privilege access to applications and user training, social engineering attacks can still succeed. Zero trust network access (ZTNA) adds to your defense, taking the principle of least privilege further by segmenting network access beyond role-based access to applications.

With ZTNA, applications and other resources are accessed via micro-tunnels that are continuously reevaluated even after a user signs in successfully. This is done independent of user or device location. In other words, ZTNA connects users to company resources only after they have strictly verified their identity, continuously checks that the user and the device meet identity and security requirements, and totally prevents access to resources the user is not allowed to access (as the user can’t even reach the part of the network those resources exist on).

ZTNA is a helpful addition to a security stack. If the identity of a user or the security status of a device comes into question, ZTNA can restrict network access to all or some of the network. This prevents and/or reduces the spread of a bad actor in the corporate network, regardless of whether the device is compromised.

How Jamf can help

Jamf Pro

Policies in Jamf Pro help manage and secure devices by configuring devices to meet security requirements. Jamf Pro helps keep devices and software up to date with the latest security patches, helping to keep devices compliant with CIS benchmarks.

Jamf Pro supports Self Service — an enterprise, IT-approved app store where users can download and update apps as they need, without a help desk ticket. This reduces the risk of shadow IT and the download of malicious apps.

Jamf Connect

Jamf Connect helps with access control. With cloud IdPs, users can unbox their device and connect to their corporate applications using a single password. Jamf Connect enables ZTNA connectivity, keeping networks safe and users productive with effortless but secure authentication.

Jamf Protect

Jamf Protect has long been a powerful endpoint security solution preventing known malware from launching on macOS. Recently, Jamf Protect’s capabilities expanded with the addition of web threat prevention, formerly known as network threat protection.

Web threat prevention is a network security capability that, among other things, prevents users from accessing known spam, phishing and malicious websites. Web threat prevention is available not only on macOS but on iOS, iPadOS, Windows and Android.

Jamf takes care of domain recognition and threat filtering; all organizations must do is deploy Jamf Protect’s web threat prevention capability to their operating systems of choice. Once deployed, even if a user clicks a known malicious link, they are prevented from accessing it and redirected to an informative block page.

Adding network security capabilities to Jamf Protect is a significant win for organizations looking for solutions to help reduce the risks of social engineering and other network-related threats. Plus, with Jamf Protect’s web threat prevention capability available for both Apple and non-Apple operating systems, all of your organization’s devices can be secured with the help of a partner you know and trust.

Jamf Protect also has built-in compliance with CIS benchmarks for macOS. Depending on an organization’s needs, CIS has two levels of profiles with different security recommendations. Level one profiles contain practical security practices that have little to no impact on the user experience. Some examples are:

  • Ensuring automatic software updates are enabled
  • Automatically setting the date and time
  • Basic password management controls like minimum length and character diversity

Level two profiles may restrict a user’s experience in favor of tighter security. Some examples are:

  • Disabling media sharing
  • Disabling the sending of diagnostic information to Apple
  • Restricting iCloud Drive document and desktop sync

Organizations can implement profiles from either level based on their security needs. CIS benchmarks are extensive, which is why they’re conveniently built into Jamf Protect where admins can verify if their fleet is in compliance with chosen benchmarks. With this information, admins can use Jamf Protect and Jamf Pro to maintain adherence to these benchmarks.

Jamf Safe Internet

Educational institutions can reap the same network protection offered in Jamf Protect with Jamf Safe Internet’s content filtering and network security. Jamf Safe Internet is built specifically for the education market with a price point and feature set catered to educational institutions.

Jamf Safe Internet focuses on helping schools meet their regional online child safety regulations while maintaining student privacy, supporting macOS, iOS, Chromebooks, and most recently, Windows. Jamf Safe Internet is straightforward to configure and deploy, and once again, Jamf handles all of the domain identification and network filtering for you.

Adding Jamf to your security stack helps defend against social engineering attacks.


Back to security basics: phishing

Security

Author: Liarna La Porta, October 13, 2023

Source: https://www.jamf.com/blog/signs-youve-been-fished/

Chances are, your mobile device doesn’t have the same security defenses as your work laptop or desktop computer. That’s why it’s important that you, the end user, do all you can to protect yourself from cyber threats. This article will focus on phishing — how to recognize if you’ve been phished, how it happens and what to do about it.

How does phishing work?

Phishing is a type of social engineering attack hackers use to steal user data, including login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity to dupe a victim into opening a message and clicking on a link. Once the link has directed the victim to a fraudulent website, the victim is then duped into entering their login credentials or financial information, which is funneled through to the hacker.

Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal, financial and corporate information. The aim and precise mechanics of the attack can vary, but they are usually centered around soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.

Phishing is not only very common — it’s also one of the most damaging and high-profile cybersecurity threats facing enterprises today. According to the IBM 2023 Cost of a Data Breach Report, phishing tops the chart at 15% of all data breaches, costing organizations $4.76 million on average.

Phishing usually begins with a form of communication to an unsuspecting victim: a text, an email, in-app communication and more. The message is engineered to encourage user interaction with an enticing call to action. Perhaps the chance to win a new iPhone, a voucher for a free holiday or, more simply, the opportunity to gain access to a service like social media, bank accounts or work email.

In order to solicit personal information from the victim, the attacker will often lull them into a false sense of security by sending them to a legitimate looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site or the data could be harvested and sold on to others on the dark web.

Types of phishing attacks

If you’ve been phished, chances are the attack was delivered in one of these ways:

  • Text messages: Also known as “smishing”, bad actors send users an SMS message containing a link to a phishing site, often with the intent to steal user credentials.
  • WhatsApp: Also known as “whishing” and similar to smishing, bad actors send malicious messages in WhatsApp.
  • Email: Email phishing can target personal or corporate email accounts, and may impersonate an organization or website the user is familiar with. These emails may ask the user to log in to software they use, ultimately sending the user to a malicious but legitimate-looking site.
  • Voice phishing: Voice phishing, or “vishing,” can involve spoofed numbers that appear as legitimate institutions. These attacks may use a text-to-speech program or a real voice, and are often used to obtain financial information from their victims.
  • Spear phishing: These attacks are sent to a specific target and may be through email, text or other means. Bad actors may impersonate an individual the user knows, possibly asking for assistance or their personal information.
  • Whaling: Whaling attacks target high-profile targets like CEOs or other executives. Bad actors may impersonate other executives to appear legitimate, eventually sending their victims to a spoofed site to harvest credentials.
  • Social media posts and direct messages: Bad actors may use social media to reach their victims. Like other methods, this usually involves sending the user to a spoofed site to gather their information.

How to recognize a phishing attack

Hopefully, you’ll spot some signs you’re being targeted by phishing before you get to the point of handing over your valuable information. Look for:

  • Unsolicited and suspicious messages, emails and social posts containing shortened links
  • Web pages that ask for login credentials or other sensitive information
  • Suspicious emails with uncharacteristic language
  • Web pages with suspicious or copycat URLs
  • Misspellings, special characters or grammar mistakes (though note that AI is helping bad actors improve in this regard and some sites and messages may look totally legitimate)

In the example phishing attempt below, the message includes a shortened link and a demand for action (as users would want to dispute a purchase they didn’t make). The shortened link makes it difficult to vet its legitimacy, while the lack of obvious errors makes the attack less obvious. The best course of action would be to ignore the link and manually log into any banking or payment card accounts, checking to see if the purchase did indeed happen.

If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve taken the bait. Phishing attacks vary, and because they are often packaged up with other threats (as a way of delivering malware, for example), the symptoms can be very broad. Here are some signs that a basic phishing attack has been successful:

  • Identity theft
  • Unfamiliar transactions
  • Locked accounts
  • Unprompted password reset requests
  • Spam email coming from your account

What to do if you think you’ve been phished

So you’ve been phished, what now?

  1. Change all your passwords for the accounts that have been compromised as well as the accounts that use the same or similar passwords to those that have been captured by the hacker.
  2. If you entered your credit card information in the phishing page, cancel your card.
  3. Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists.
  4. Contact the company or person that the phishing attack impersonated, if any — it might be your CEO, it might be a friend or it could be a major company or bank.
  5. Scan your device for viruses; clicking malicious links can instigate silent downloads of malware that corrupt devices without your knowledge.
  6. Watch out for warnings of identity theft and put a fraud alert on your credit account.

Proactive steps you can take to protect yourself

Mobile devices are particularly vulnerable to phishing attacks. Their smaller screens and on-the-go use make it more difficult to closely inspect links for legitimacy, and users are often in too much of a hurry to do so regardless. Additionally, while many users install threat protection on their computers, fewer do so on their phones. This is why careful scrutiny is required.

The best remedy is prevention. Stay safe from phishing by following this guidance:

  • Don’t click on suspicious links
  • Don’t enter your credit card information into unknown or untrusted services
  • If a link directs you to your banking website, open up your banking site in a separate window by typing the name in manually
  • Don’t fall for more obvious scams that claim you’ve won a prize
  • Check the address bar for suspicious or copycat URLs like my.apple.pay.com

Organizations can take steps to prevent phishing on their corporate or BYOD devices, including:

  • Training employees on phishing attacks and how to avoid them
  • Implementing anti-spam filters so attacks don’t reach employee inboxes
  • Using MFA to prevent stolen credentials from being used
  • Deploying threat prevention software to block access to phishing sites even if they are clicked on
  • Using password managers that auto-fill based on site domain (therefore not working on illegitimate sites)
  • Keeping devices and software up to date
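As an added example (not Jamf's code, and not part of the original post), the check below shows why a domain-bound password manager is a useful phishing control: it fills a credential only when the page's registrable domain matches a saved one, so a copycat host like my.apple.pay.com from the list above gets nothing, and the user is prompted to look at the address bar instead. The public-suffix table and the vault contents are constructed stand-ins for the demo.

```python
"""Domain-bound autofill: match saved credentials by registrable domain (eTLD+1)
so copycat hosts such as my.apple.pay.com or apple.com.evil-login.net never
receive the real apple.com credential.

Added illustration written for this page, not Jamf's or any vendor's code.
The suffix table is a constructed, abbreviated stand-in for the Public Suffix
List; real password managers ship the full list."""
from urllib.parse import urlparse

# Constructed subset of the Public Suffix List, enough for the examples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk", "uk"}


def registrable_domain(host):
    """Return the eTLD+1 ("apple.com", "example.co.uk") or None if the host
    is itself a public suffix or is malformed."""
    labels = host.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return None
    # The first match scanning from the left is the longest public suffix,
    # because each candidate drops one more leading label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Unknown TLD: treat the last label as the public suffix, as the PSL does.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def page_host(url):
    """Hostname the browser actually connects to. urlparse().hostname drops
    any user@ prefix, so https://apple.com@evil.net/ yields evil.net."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def autofill_decision(url, vault_domains):
    """Decide whether a saved credential may be offered on this page.

    Returns (decision, registrable_domain, reason). Only "fill" releases a
    credential; every other outcome is a cue for the user to stop and check
    the address bar, as the guidance above recommends."""
    host = page_host(url)
    if host is None:
        return ("no_fill", None, "unsupported scheme or missing host")
    if not host.isascii() or "xn--" in host:
        # Internationalized hostnames can visually imitate Latin brand names;
        # a conservative manager refuses to fill rather than guess.
        return ("no_fill", None, "internationalized hostname, verify manually")
    domain = registrable_domain(host)
    if domain is None:
        return ("no_fill", None, "host has no registrable domain")
    if domain in vault_domains:
        return ("fill", domain, "registrable domain matches a saved credential")
    # A saved brand name showing up as some other label in the host is the
    # classic copycat pattern (my.apple.pay.com, apple.com.evil-login.net).
    labels = set(host.lower().split("."))
    for saved in sorted(vault_domains):
        brand = saved.split(".")[0]
        if brand in labels:
            return ("no_fill", domain, f"copycat of {saved}: page is really {domain}")
    return ("no_fill", domain, f"no saved credential for {domain}")


# Constructed vault: registrable domains the user holds credentials for.
VAULT = {"apple.com", "bank.example"}

if __name__ == "__main__":
    for url in ("https://appleid.apple.com/auth",
                "https://my.apple.pay.com/login",
                "https://apple.com@my.apple.pay.com/login",
                "https://apple.com.evil-login.net/",
                "https://bank.example.co.uk/",
                "https://bank.example/"):
        print(url, "->", autofill_decision(url, VAULT))
```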



A holistic approach to security: endpoint protection

Security

Author: Jesus Vigo, October 9, 2023

Source: https://www.jamf.com/blog/endpoint-protection-apple-devices/

The modern threat landscape continues to evolve to meet the changes in modern computing: companies migrating to remote and hybrid work environments, adopting Apple in the enterprise and supporting varying device ownership levels, all in service of permitting users to work:

  • Where they feel most comfortable
  • On their preferred device
  • From anywhere and at any time

What is endpoint protection?

To best answer this question, we must first know what we need protection from. Armed with an entire arsenal at their disposal, threat actors actively target all endpoints in a concerted effort to compromise your device fleet, as well as your users to gain access to critical and sensitive organizational data for their own nefarious purposes.

The days of merely installing antivirus on your computer are over: that approach is wholly inadequate and asking for trouble, given the array of threats across the threat landscape that impact modern devices — not just computers but mobile devices across multiple platforms too.

To that end, endpoint protection is the umbrella term that describes a group of security solutions that work in synergy to keep endpoints (devices), users and data safe and secure against the current and evolving modern threat landscape.

What is the primary purpose of endpoint protection?

Protect against new and evolving threats

Alas, it’s a brave new world and that includes a whole slew of threats and attacks that impact the security of your endpoint — regardless of whether users are at the office or home, connected to any network, or on macOS, iOS, Android or Windows.

How does it differ from antivirus software?

Malicious code is still very much a thing to be wary of. Historically, however, antivirus software only provided protection against malware and its variants, and that was it! As you can tell from the list of threats below, challenges to a device’s security posture — and to a greater degree, the organization’s security posture — have evolved to encompass a variety of threat types that merely protecting against malware cannot address. A few examples of modern threat types are:

  • In-network attacks
    • Man in the Middle (MitM)
    • Zero-day phishing attacks
      • SMS
      • Email
      • Social media
      • Messaging
    • Lateral movement attacks
  • On-device attacks
    • Living off the land (LotL)
    • Malware
      • Spyware
      • Trojans
      • Ransomware
      • Cryptojacker
      • Potentially unwanted programs (PuP)
    • Unauthorized data exfiltration

Layered security protections to combat convergence

And while some of the threats above carry identifiable fingerprints that can tip IT and Security admins off to their whereabouts, an increasing number of bad actors are combining threats (referred to also as convergence), employing the latest tactics to remain unknown, and therefore able to carry out attacks stealthily over time.

Hence a need for comprehensive security solutions to protect against modernized and converged threats that place devices and users at risk by blending attacks that target multiple vectors. By implementing a defense-in-depth strategy, IT and Security teams gain the features necessary to keep endpoints safe while users get the support they need to stay secure while upholding organizational and privacy data security.

Minimizes costs associated with security risk

Risk from security incidents doesn’t just refer to a device’s vulnerability to threats. The cost(s) that stem from risk that — when left unchecked — leads to a data breach have been increasing steadily year-over-year. In fact, below are a few statistics that further underscore the real-world need organizations have for an enterprise-wide endpoint security solution that comprehensively protects company- and personally-owned endpoints used to access business resources:

Features of robust endpoint protection

Jamf Threat Labs (JTL)

You may be thinking, how can you possibly stop that which you cannot see? With Jamf Threat Labs, that’s how. Jamf’s team of cybersecurity experts and data scientists works tirelessly to assess macOS and iOS-based endpoints, performing threat hunting to successfully identify and prevent both novel and unknown threats from affecting your Apple fleet. Not only are they great at what they do, but their research feeds the threat intelligence engines that drive Jamf’s endpoint security solutions. By incorporating their findings, advanced behavioral analytics and frequently updated YARA rules work in tandem to detect unknown threats and mitigate security threats that may be lurking within your fleet before they have a chance to escalate to something worse, like a data breach.

The work performed by the JTL has a direct impact on Jamf Protect, which in turn reaches our users in the form of security benefits: from identifying new Mac-based and mobile threats, to developing analytics for detecting them, to stopping the sophisticated malicious actions of applications, scripts and even risky user behaviors, while keeping administrators alerted to detected threats, logging findings, and informing both administrators and users at each step of the way.

Speaking of logging threat data, the telemetry gathered by Jamf Protect is not only used by JTL to hunt for the latest threats — both unknown threats and known threats that have evolved in an attempt to evade detection. This same telemetry data can also be used by your organization’s IT and Security teams (or authorized third parties) to hunt for malicious threats that may be embedded within your device fleet, quietly gathering intel on your business processes and awaiting the right time to perform a data breach. By having access to each device’s health status through rich telemetry data, organizations are better equipped to identify potentially malicious threats and risky behaviors, containing incidents before they have a chance to escalate and ensuring compliance is maintained (more on how Jamf Protect can help you achieve your compliance goals a little later).

Key takeaways:

  • Supported by Jamf Threat Labs team of cybersecurity experts and data scientists to research, identify and prevent novel threats
  • Advanced threat intelligence engine and machine learning (ML) aid in threat hunting to identify potential attacks before they can happen
  • Protect endpoints from new and existing, known and unknown threats, risky apps and suspicious behaviors
  • Active hunting of threats — both unknown and in the wild — leading directly to the patching of vulnerabilities that impact macOS and iOS-based devices
  • Constant incorporation of threat intelligence data, research and findings into Jamf Protect by a dedicated team of cybersecurity experts to enhance security protections

Monitor

In addition to the Jamf Threat Labs team constantly monitoring macOS and iOS-based operating systems across the expanding threat landscape to identify and thwart the latest threats facing organizations, Jamf’s endpoint security solutions actively surveil endpoints for known, unknown and suspected threats across all supported platforms, including Windows and Android.

This minimizes risk from various Apple-focused and mobile device security threats while serving as one of the foundational components in comprehensive, multi-pronged endpoint security protections. Jamf solutions keep a watchful eye over your organizational devices and users by:

  • Consistently and actively monitoring endpoints 24x7x365
  • Gathering rich telemetry logging and reporting data
  • Providing insight into device health, aiding compliance auditing

Key takeaways:

  • Active monitoring of managed endpoints — regardless of the ownership model (BYOD/CYOD/COPE) — logging device health status
  • Obtain detailed logging and rich telemetry data through deep visibility and insight into endpoints and threat trends
  • Stream logging of gathered data to your preferred SIEM solution for centralized management of threat intelligence
  • Leverage MI:RIAM and machine learning to find (and stop) new, advanced threats, like zero-day phishing and cryptojacking attacks
  • Maintain careful watch over managed endpoints, locking down unwanted software and limiting the execution of suspicious file types

Detect

Keeping vigil over endpoints is just one aspect of protection, the next is identifying threats. Whether known, unknown or suspected – IT and Security administrators will have visibility into device health, including real-time alerts that inform stakeholders of detected threats that affect their devices.

Further, logging data is gathered for each endpoint, providing in-depth information about the security of your entire fleet. The rich telemetry data collected serves administrators well in not only quickly identifying what risks impact their endpoints but also allows them to:

  • Perform threat hunting to identify potential threats
  • Leverage granular information to refine protections
  • Mitigate risky behaviors to mitigate potential attack vectors

Key takeaways:

  • Speed up incident response, resolution and remediation times with MI:RIAM and automated workflows
  • Isolate affected devices and perform a clean-up of endpoints under attack using secure, managed processes
  • Prevent malware, potentially unwanted apps and risky behaviors performed by end-users from impacting device performance or productivity with lean resource utilization
  • Alert IT and Security teams, and critical stakeholders of security incidents in real-time with deep visibility into each endpoint
  • Extend security protections across your Apple fleet — including personally- and company-owned devices so that business data is accessed securely from any supported device type

Prevent

Every threat, like malware, is a potential risk to exposing user and/or company data, so it’s important that organizations choose an endpoint protection solution that specializes in detecting the unique and evolving threats that target users on Mac and mobile devices – inside and out.

The on-device and in-network protections provided by Jamf endpoint security solutions mean faster detection, notification and threat response to known and unknown threats thanks to our:

  • Advanced machine learning (ML) and threat intelligence engine – MI:RIAM
  • Customizable behavioral analytics mapped to the MITRE ATT&CK Framework
  • Data policy enforcement ensures data remains only on secured, compliant storage
  • Blocking of network threats, such as phishing, malicious downloads and command and control (C2) traffic, including risky domains

Key takeaways:

  • Stops threats that occur on-device, like malware while also preventing in-network attacks, like zero-day phishing and lateral movement
  • DNS-based content filtering, purpose-built for Apple, prevents access to websites hosting malicious code, used in attacks or simply to block inappropriate content on managed devices
  • Limit data exfiltration by enabling removable storage controls to enforce encryption of removable media, manage permissions or disable external storing of protected data altogether
  • Implement ML for enhanced threat intelligence gathering to prevent advanced, novel threats from compromising endpoints, users and/or data
  • Utilize rich telemetry data and MI:RIAM to perform both manual and automated threat hunting to detect unknown threats that may be lurking in your devices and stop them before a data breach can occur

Remediate

Even with increased visibility and compliance, granular reporting, real-time alerts, advanced threat intelligence and protection against novel threats, the modern threat landscape evolves so frenetically that endpoints may be impacted or drop out of compliance. What then?

Once again, Jamf endpoint security solutions – with their multiple layers of protection – facilitate powerful remediation workflows to correct deviations from your OS hardening configurations, quickly bringing endpoints back into compliance.

Jamf solutions flexibly provision manual and automated workflows to respond to and remediate incidents in real-time.

Key takeaways:

  • In-depth visibility into all macOS security tooling activity and system processes in real-time
  • Eradication of malicious, unwanted and potentially risky files, apps and downloads
  • Isolating devices found to be out of compliance or that pose a risk to data security
  • Aligning with CIS Benchmarks to develop, enforce and monitor secure device baselines
  • Prevention of potentially unwanted apps and risky behaviors to ensure data remains secure while devices are free from end-user-introduced risk

Compliance

For some, compliance is nothing more than a term in a sea of other words. However, for others, particularly those tasked with ensuring that systems, data and processes are aligned with local, state, national and/or regional laws in highly regulated industries, compliance represents a potential nightmare. One that if left unchecked could lead to disastrous consequences for the regulated organization as well as its stakeholders — perhaps even impacting the customers that depend on the organization to protect and safeguard sensitive data types.

Thankfully, Jamf Protect users can sleep a little easier at night knowing that the endpoint security solution goes beyond just malware prevention. In fact, it goes well beyond with tight-knit integration (discussed in more detail below) by mapping analytics to the MITRE ATT&CK Framework to prevent known threats while remaining flexible and allowing administrators to customize existing analytics (or create entirely new ones) to meet the demands of your regulated environment.

Taking it further, Jamf Protect’s rich telemetry data combined with behavioral analytics, enforced via Jamf Pro, form a covalent bond by securely sharing this data between solutions. The result? Jamf Protect establishes the requirements a managed endpoint must meet to be compliant, while integration with Jamf Pro enforces them through policy-based management. Should a device, say, miss a critical security update, have a vulnerable app installed or have a curious user performing risky behaviors, Jamf Protect’s logging system shares this data with Jamf Pro. That in turn triggers a policy in the MDM which runs an automated workflow to remediate the issue and bring the endpoint back into compliance, all without IT or Security teams lifting a finger and without impacting end-user productivity.

But how does it actually help administrators meet compliance standards? That’s a great question and one that we’ll answer right now. As mentioned above, Jamf Protect can be configured to align with regulatory governance. By doing so, endpoints are actively monitored and report back on any changes to device health that would otherwise impact compliance status. Threat prevention works to limit the impact of threats on endpoints, mitigating the risk in one fell swoop. And when Jamf Protect is integrated with Jamf Pro, compliance is enforced through policy-based management, ensuring devices remain compliant and remediating any deviations from regulatory compliance through both manual and automated workflows.

Below is a sampling of the security frameworks supported by Jamf to help organizations realize their compliance goals:

Key takeaways:

  • Behavioral analytics mapped to MITRE ATT&CK Framework for powerful, customizable prevention of threats, tailored to the unique needs of your organization
  • Automated incident response and remediation workflows eradicate malicious, risky and unwanted files while isolating devices that pose a risk to data security
  • Develop, enforce and monitor secure device baselines aligned with CIS Benchmarks to drive compliance and aid in auditing compliance tasks
  • Adapt secure configurations and device hardening profiles to Apple-based endpoints in accordance with NIST, DISA and mSCP guidelines for secure computing
  • Jamf cloud operations are certified for compliance with ISO 27001/27701, SOC 2 and FBI InfraGard, among many others for data security and corporate governance practices

Multiple layers of security – one solution

Look at the fingers on your hand. They work independently to accomplish certain tasks, yet work in tandem when needed to perform larger-scale functions, do they not? A single, yet powerful security solution similarly relies on many individual layers that – while capable of performing independently in their own right – also work together to form a holistic, multithreaded net to monitor, detect, prevent and remediate against attacks from bad actors and the various security threats they employ to target your device, users and critical data.

Defense-in-depth

…loved by good, feared by evil.” – Voltron

In the show the quote comes from, the first season saw a team of five pilots, each commanding a robot lion with unique strengths and abilities. In their quest to keep the peace and protect Earth from evil, the five would combine their lions to form a larger, more powerful robot, Voltron, Defender of the Universe.

Though it was a beloved cartoon from 1984, the premise of Voltron has much in common with the strategy of defense-in-depth (DiD) for securing assets, users and resources across the modern threat landscape. Specifically, the belief that a single “one size fits all” application will keep an organization protected is a myth at best, and one that often leads to data breaches at worst.

The premise of DiD is simple, yet both efficient and effective: layer security protections, like the layers of a cake, so that their strengths overlap and their weaknesses are covered, in the service of identifying, stopping and, if it comes to it, remediating the variety of security challenges that threaten the integrity of your endpoints, the safety of your users and the confidentiality of your data.

Simply put: should one layer fail, the next one exists to intercept it.

Integration

Jamf’s endpoint protection solutions, much like all of our solutions, are designed to work alongside numerous first- and third-party solutions to extend capabilities and enable automation while establishing feature-rich workflows to ensure data flows securely between solutions.

For example, Jamf Pro, our flagship mobile device management solution, is known for its seamless deployment and management capability, which includes installing patches. However, when integrated with Jamf Protect, not only is deploying endpoint security to your endpoints possible with just a couple of clicks but secure endpoint health data is shared in real-time between both solutions.

What does this mean for your organization? We’ll tell you. Event information about incidents such as phishing attacks and other network-based threats is automatically synced to inform the risk status of each device. This connection between management and security is critical to taking real-time action to protect your environment. A few examples of the automated workflows made possible by the native, secure integration between Jamf solutions:

  1. Consider how crucial to endpoint security it is that devices keep up-to-date with patches. As part of a defense-in-depth strategy, organizations using Jamf Protect will receive alerts from endpoints found to be non-compliant with patches. This telemetry data is communicated with Jamf Pro, where IT can implement patch management policies to enforce compliance. Once triggered, Jamf Pro will execute workflows to deploy necessary updates to apps and OSs, bringing them into compliance.
  2. Organizations can leverage Smart Groups in Jamf Pro to dynamically update and respond when a device’s risk status changes in Jamf Protect. This trigger can automatically update a user’s access permissions via Jamf Pro’s conditional access integrations with Microsoft or Google Cloud BeyondCorp solutions.
  3. Use the advanced reporting options found in Jamf endpoint security solutions to automatically stream rich telemetry data to your preferred SIEM solution, like Azure Sentinel or Splunk, providing MacAdmins a single pane of glass view into the health of their Apple endpoints while further extending the capability to transform data using visualizations for added depth and granularity.

Key takeaways:

  • Develop advanced workflows via integration with Jamf Pro and first- and third-party solutions
  • Implement advanced security orchestration, automation and response workflows through integration
  • Leverage Jamf’s API to communicate and share data securely between solutions while enhancing your endpoint security capabilities
  • Extend features to support greater management and security capabilities across the Apple ecosystem of desktop and mobile devices
  • Establish automation to simplify endpoint management while ensuring compliance with organizational policies and industry regulations

Purpose-built endpoint protection for Apple, Windows and Android

Jamf’s purpose-built, Apple-first endpoint security solutions offer IT and Security teams several benefits that firmly establish its solutions as best-of-breed, for example:

  • Same-day support allows users to adopt the latest, safest releases from Apple as soon as they’re available – upgrade on your schedule, not ours
  • Leverage Apple’s Endpoint Security API to embrace the latest security capabilities available natively for Apple devices
  • Low-impact performance means battery life isn’t affected, won’t slow down machines or get in the way of user productivity
  • Bring Apple-best security to your Apple fleet while also supporting Windows and Android mobile devices with network-based endpoint security protections

Speaking of user productivity, being Apple-first (but not Apple-only) means Jamf designs and optimizes each of our endpoint security solutions to take advantage of the OS on which it operates so that protecting your devices does not come at the expense of user experience nor compromise the user’s privacy.

Key takeaways:

  • Purpose-built for Apple to address the challenges of the modern threat landscape across macOS and iOS-based devices, but also designed and optimized for Android and Windows mobile devices
  • Defense-in-depth strategy layers multiple protections to monitor, identify, prevent and remediate a variety of security challenges – should one layer fail, the next one intercepts it
  • Extend services, features and capabilities by leveraging the Jamf Risk API, securely sharing pertinent device health data with first- and third-party solutions
  • Update to the latest and safest releases from Apple the day they are released with same-day support across all Jamf solutions — no delaying critical updates until your MDM and/or endpoint security solution gets around to supporting it
  • Minimal impact equals better performance, allowing users to utilize resources for productivity — not having to choose between getting work done or the security of their device

This post is one of a series on a holistic approach to security. See a roundup of all of the posts

Do you trust Jamf to help IT manage your Apple fleet efficiently and effectively?

Then you’ll love the way Jamf security solutions keep your endpoints, users and data safe across multiple platforms, securing them across your infrastructure.


OS upgrades 2023: OS upgrades and security

Security

Author: October 6, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/ios17-ipados17-sonoma-security-privacy-updates/

Upgrading your operating system (OS) is about more than getting the latest shiny features: it also makes sure your device has the latest security fixes. While not the most common initial attack vector, exploitation of unpatched software with known vulnerabilities results in data breaches costing $4.17 million on average, according to IBM’s 2023 Cost of a Data Breach Report.

Beyond new and improved features and performance enhancements, Apple’s recently released iOS 17, iPadOS 17 and macOS Sonoma include a number of security and privacy updates beyond the inherent OS architecture. In this blog, we’ll explore these features and what they mean for the end user.

Increased privacy and security

Safari and passwords

With the new operating systems, users can use different profiles to keep work and personal browsing separate in Safari. This separates your history, cookies, extensions, Tab Groups and favorites, making it easier to keep your work and personal data where they belong.

Enhancements to Private Browsing lock your private windows when you’re not using them; unlock them with Face ID or Touch ID. Private Browsing also strips tracking parameters from URLs that websites could use to identify you, and known trackers are blocked.

If you’ve ever asked a friend or family member to log into your account for you, you might have given them your password in a not-so-secure way. It’s now easy to share your passwords and passkeys with trusted contacts running iOS 17, iPadOS 17 or macOS Sonoma.

Sensitive content warning and communication safety

Sensitive content warnings can be enabled to warn users when a picture may contain nudity, preventing the view of unwanted explicit images. This feature is available in Messages — for iOS, this is also available in AirDrop, Contact Posters and FaceTime messages.

Similarly, Communication Safety can detect nudity in photos and videos that children receive or attempt to send in Messages and the system Photo picker, on both iOS 17 and macOS Sonoma; on iOS 17 it also covers AirDrop, Contact Posters and FaceTime messages.

Expanded Lockdown Mode

Lockdown Mode was introduced in iOS 16, iPadOS 16 and macOS Ventura, with support added for Apple Watch in watchOS 10. Lockdown Mode is an extreme security measure intended for at-risk high-profile individuals, such as government officials, executives or journalists.

With the latest operating system, Lockdown Mode restricts or limits certain apps and features, including:

  • Messages: Most attachments are blocked, other than certain images, video and audio while links and link previews are disabled.
  • Web browsing: Certain web technologies are blocked and web fonts and images may not be displayed.
  • FaceTime: Incoming calls are disabled unless you have previously called that person. SharePlay and Live Photos are unavailable.
  • Photos: Location information is excluded when photos are shared, shared albums are removed from the Photos app, and shared album invitations are blocked.
  • Device connections: iPhones or iPads must be unlocked to connect to an accessory or computer; Mac laptops with Apple silicon additionally require explicit approval from the user.
  • Wireless connections: Devices won’t automatically join non-secure Wi-Fi networks.
  • Configuration profiles: Configuration profiles cannot be installed and the device cannot be enrolled in Mobile Device Management.

Compatibility

While updating to the latest OS is recommended for security, it can sometimes break your existing workflows if your vendors don’t offer same-day compatibility. iOS 17 and iPadOS 17 have already seen a number of updates — it can be hard to keep up.

Enrolling in beta programs and testing with these betas can help organizations ensure their workflows remain intact. Jamf offered same-day compatibility with Apple’s latest operating systems (and has since 2012); testing your infrastructure with the latest Apple and Jamf betas can ensure seamless updates on the release date without affecting productivity. Join the Apple beta program or the Jamf beta program, available in Jamf Account.

Stay productive and secure on release day with Jamf.


Manage and secure your most vulnerable endpoints: Mobile devices

Security

Author: October 6, 2023 by Jesus Vigo

Source: https://www.jamf.com/blog/manage-and-secure-vulnerable-mobile-devices/

In this blog, learn how the convergence of Mac and mobile device protection is not only the future but also key to holistic endpoint protection strategies. Also:

  • Insight into current mobile security challenges and solutions
  • The importance of mobile-specific security measures
  • An overview of holistic endpoint protection
  • And best practices for mobile security policy implementation

State of mobile security

Advancements in technology are everywhere but nowhere is it as present as in the mobile device space. Due to increased adoption and dependence on mobile devices, security implications like:

  • data leaks
  • unauthorized access to private user information
  • discrepancies in Mac and mobile endpoint security
  • difficulty assessing and maintaining compliance

present greater challenges to mobile security – increasing risk to endpoints, users, business and personal data, and the organization’s overall security.

Read our in-depth technical paper, “Manage and secure your most vulnerable endpoints: Mobile devices” to learn about the State of Mobile Security, its evolving risk considerations and how the convergence of desktop and mobile protections is the future of mobile security.

The enterprise landscape

Historically, organizations have chosen to align business needs with a single platform. This simplifies management while addressing the company’s specific needs. While a homogeneous environment reduces some of the challenges for IT and Security processes, mobile devices combined with distributed workforces have put a spotlight on devices often viewed as consumer-oriented.

This creates a new management and security challenge for organizations that have relied on maintaining just one platform. Enterprise IT and Security teams now find themselves at odds with more traditional tools that provide limited or no support for mobile OS platforms, which introduces security gaps affecting everything from user productivity to the organization’s ability to safeguard users from bad actors and evolving threats that target their sensitive data.

What are some of the contributing factors impacting mobile security?

  • Fragmentation among supported versions within each OS
  • Disparate levels of support lead to delays in update deployments
  • Different ownership models affecting management (e.g., BYOD/CYOD/COPE)
  • Supported vs. unsupported feature sets in MDM solutions
  • Ability to assess and verify security telemetry regularly
  • Limitations to policy-based enforcement for compliance requirements
  • Dissonance between implementing and enforcing protections on desktop and mobile OSs

Convergence and compliance

Speaking of compliance, the ability to actively monitor devices, assess their health in real time, verify any issues and follow up quickly with mitigation workflows is undermined by a failure often seen in mobile security: a lack of balance.

More specifically, balance here refers to management and security. Often misframed as a tug-of-war between IT and Security teams, the reality is that relying solely on an MDM solution to pull double duty falls short of the mark. Conversely, organizations that rely on users’ personal devices to access business resources, with best-practice guidance such as:

  • Choose a long, complex password
  • Never connect to public hotspots
  • Follow security hygiene practices for communications (i.e., don’t open unsolicited attachments, never click on a link or share your password)
  • Install comprehensive malware protection
  • Encrypt data using volume encryption

without the ability to enforce these requirements through policy-based management lack the necessary insight for effective, adaptable mobile security.

In other words, without device management, how can organizations verify that endpoints are secure and therefore compliant? Similarly, without endpoint security, devices simply cannot be secure. Hence why balance is such a critical concept: it reduces the risk of devices being over-protected (and subsequently unusable for work because of a subpar user experience) or under-managed (insufficient or neglected mobile security that jeopardizes valuable assets and company resources).

For a deeper look at the State of Mobile Security, including:

  • Mobility drivers and how they fit into the larger enterprise deployment landscape
  • Rising concerns, risk factors and the modern threat landscape
  • Holistic approaches that bridge the gaps between desktop and mobile security
  • Adhering to compliance requirements for regulated and non-regulated industries
  • And the keys to unifying mobile and Mac management + security

We invite you to review our technical paper: Manage and secure your most vulnerable endpoints: mobile devices, to discover a future where every device enjoys uncompromised protection without any need for trade-offs. This vision represents the ultimate goal: enterprise-secure, consumer-simple technology to manage and secure all of your endpoints.

Mobile device balance is the key to unifying management and security for your entire fleet.


On-Device Content Filtering: Powerful and Privacy Friendly

Security

Author: September 26, 2023 by Laurie Mona

Source: https://www.jamf.com/blog/on-device-content-filtering-with-jamf/

You can have more and better security at your organization without having to compromise your employees’ or students’ privacy with Jamf’s new on-device content filtering solution.

The on-device content filter for iOS and iPadOS is a web protection technology Jamf brings to both Jamf Security Cloud and Jamf Safe Internet.

In this session “On-device Content Filtering: Powerful and Privacy-friendly,” presenter Hernán Romero, Product Manager at Jamf, shows what’s so exciting about this new solution.

What does on-device content filtering mean?

Simply put, this feature enables the evaluation of policies on the device rather than the gateway.

Romero says that thanks to more powerful iPhones and iPads and new network APIs from Apple, we’ve been able to move the evaluation of web-protection policies from the cloud to the device.

The on-device content filter uses an Apple network extension to analyze traffic directly on the device. And because of the semi-sandboxed architecture of this network extension, we’re able not only to provide more and better security but to do so in a privacy-friendly way.

How is it more powerful?

Because the on-device content filter is deeply integrated with Apple’s architecture in an unrestricted way, we can go beyond the usual domain-based rules.

Expanded areas of filtering include:

  • URLs – evaluation of full paths and query parameters, even with TLS encryption
  • IP addresses – block not only single IP addresses but also ranges and subnets
  • Bundle IDs – full filtering of all incoming and outgoing traffic for iOS/iPadOS apps
  • Keywords – broad or specific blocking of words and phrases in a URL and HTML body

Romero walked through the traffic flow of on-device content filtering. Once Jamf Trust has fetched a policy from the cloud, evaluation happens locally: if an explicit rule matches, it is applied immediately with no lookup; if the on-device content filter needs to ask threat intelligence to classify a destination, the response is cached on the device so later requests for the same destination need no round trip.

The result: fewer round trips than cloud-based filtering, which means lower latency and a faster end-user experience. In addition, users with personal VPNs cannot bypass on-device filtering, which is not the case with cloud-based filtering.

How is it more privacy-preserving?

Thanks to Apple’s semi-sandboxed architecture of the network extension, on-device content filtering offers privacy by design.

All evaluation of end-user activity happens on the encrypted side of the network extension, where the sensitive data stays. Once evaluation is complete, sensitive data is stripped as the result passes to the unencrypted part of the extension, and only then is it available for reporting.

The result: on-device content filtering gives more and better security in a privacy-friendly way.
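To make the evaluation order and the privacy boundary concrete, here is an added example in Python. It is not Jamf’s or Apple’s code; it stands in for the data-provider logic with plain Python so it can run anywhere. The rule types (bundle ID, IP range, URL prefix, keyword), the `Flow` and `Policy` classes, the `fake_classify` threat-intelligence stub and the sample flows are all constructed for the example. It illustrates both the “How is it more powerful?” list and the traffic flow and privacy sections above: explicit rules are applied immediately with no lookup, threat-intelligence answers are cached per host, and the report that leaves the evaluation side carries the host and verdict but not the path, query string or body.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class Flow:
    """One network flow as a filter data provider sees it (constructed for this example)."""
    bundle_id: str                 # app that originated the flow
    remote_ip: str                 # destination address
    url: Optional[str] = None      # full URL for browser flows, path and query included
    body: str = ""                 # response body, when the extension is handed one


@dataclass
class Policy:
    """Explicit rules, evaluated on-device before any threat-intelligence lookup."""
    blocked_bundle_ids: Set[str]
    blocked_networks: list                 # ipaddress networks; single hosts are /32 or /128
    blocked_url_prefixes: List[str]        # matched against scheme://host/path?query
    blocked_keywords: List[str]            # matched case-insensitively in URL and body


BLOCK, ALLOW = "block", "allow"


class OnDeviceFilter:
    def __init__(self, policy: Policy, classify: Callable[[str], str]):
        self.policy = policy
        self.classify = classify          # stands in for the cloud threat-intelligence service
        self.cache: Dict[str, str] = {}   # host -> category, filled by lookups
        self.lookups = 0                  # round trips actually made

    def _explicit_rule(self, flow: Flow) -> Optional[str]:
        """Return the name of the first explicit rule that matches, or None."""
        p = self.policy
        if flow.bundle_id in p.blocked_bundle_ids:
            return "bundle-id"
        addr = ipaddress.ip_address(flow.remote_ip)
        if any(addr in net for net in p.blocked_networks):
            return "ip-range"
        if flow.url and any(flow.url.startswith(prefix) for prefix in p.blocked_url_prefixes):
            return "url"
        haystack = ((flow.url or "") + " " + flow.body).lower()
        if any(kw.lower() in haystack for kw in p.blocked_keywords):
            return "keyword"
        return None

    def _threat_intel(self, host: str) -> str:
        """Ask the classifier once per host; later flows to the same host hit the cache."""
        if host not in self.cache:
            self.lookups += 1
            self.cache[host] = self.classify(host)
        return self.cache[host]

    def evaluate(self, flow: Flow) -> Tuple[str, dict]:
        host = urlsplit(flow.url).hostname if flow.url else None
        reason = self._explicit_rule(flow)
        if reason is None and host is not None:
            category = self._threat_intel(host)
            if category in ("phishing", "malware"):
                reason = "threat-intel:" + category
        verdict = BLOCK if reason else ALLOW
        # Privacy boundary: the report carries app, host and verdict only; path, query
        # and body never leave the evaluation side.
        report = {"bundle_id": flow.bundle_id, "host": host, "verdict": verdict,
                  "reason": reason or "default"}
        return verdict, report


# Constructed sample data for the example; not real threat intelligence or a real policy.
THREAT_INTEL = {"login-verify.example": "phishing", "cdn.example": "benign"}


def fake_classify(host: str) -> str:
    return THREAT_INTEL.get(host, "unknown")


SAMPLE_POLICY = Policy(
    blocked_bundle_ids={"com.example.gambling"},
    blocked_networks=[ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")],
    blocked_url_prefixes=["https://social.example/messages"],
    blocked_keywords=["free gift card"],
)


def demo() -> Tuple[list, int]:
    f = OnDeviceFilter(SAMPLE_POLICY, fake_classify)
    flows = [
        Flow("com.apple.mobilesafari", "198.51.100.10", "https://social.example/messages?to=bob"),
        Flow("com.apple.mobilesafari", "198.51.100.10", "https://social.example/feed"),
        Flow("com.example.gambling", "198.51.100.20"),
        Flow("com.apple.mobilesafari", "2001:db8::7", "https://somewhere.example/"),
        Flow("com.apple.mobilesafari", "198.51.100.30", "https://login-verify.example/account?u=alice"),
        Flow("com.apple.mobilesafari", "198.51.100.30", "https://login-verify.example/reset"),
        Flow("com.apple.mobilesafari", "198.51.100.40", "https://news.example/",
             body="<p>Claim your FREE gift card</p>"),
    ]
    results = [f.evaluate(fl) for fl in flows]
    return results, f.lookups


if __name__ == "__main__":
    for verdict, report in demo()[0]:
        print(verdict, report)
```

Running it gives seven verdicts. The two flows to login-verify.example cost one classification round trip between them because the second is served from the cache, the flows stopped by explicit rules cost none, and the report for the blocked phishing URL contains the host but not the `u=alice` query string.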

Who is on-device content filtering for?

While the Jamf team was building this solution they specifically focused on:

  • Students and parents – give peace of mind from privacy safeguards built-in by design
  • Teachers – apply policies as broad or specific as you need them to be
  • High-compliance environments – make sure sensitive private data stays private
  • Admins – gain effective and comprehensive tools aligned with Apple principles

As Romero notes, we’re thinking about end users, admins and organizations – it’s an upgrade for everyone.

Check out the full session for a step-by-step demonstration of setup, deployment and usage as well as an audience Q and A.

Register for JNUC to access this session as well as others on demand.


What is Mobile Security?

Security

Author: September 15, 2023 by Jesus Vigo

Source: https://www.jamf.com/blog/what-is-mobile-security/

Simply put, mobile security is the protection of smartphones, tablets and mobile computers (laptops) from security threats.

What is mobile security?

While it is typically defined in scope to specifically call out threats associated with wireless computing, this could be misleading as there are threat types that do not rely on wireless communications to be considered successful attacks, like device theft or exfiltrating data locally to a USB flash drive.

Why is mobile security important?

Similar to computer-based security, as more users and organizations come to rely on mobile technologies for communication, collaboration and working while on the go, mobile devices are increasingly being leveraged to contain, process and/or transmit sensitive data. While this bears little difference to desktop computers in usage, the difference for mobile security lies in that mobile devices provide new ways of performing personal and professional tasks, in turn introducing new forms of risk that endpoint security solutions designed for desktop computers may not and usually do not address comprehensively.

For example, given how mobile OSs are designed, most malware targeting mobile devices so far operates only in memory once executed. When the smartphone or tablet is power cycled, memory is flushed and the threat is gone until it is triggered again. However, users seldom reboot their mobile devices, so these threats linger and keep doing damage.

On desktop operating systems, malware works much the same way, except that there are many mechanisms by which malware authors can establish persistence and retain a foothold on the computer even after a reboot. Endpoint security for desktop systems therefore scans memory as well as the system itself (startup items, scheduled jobs and similar locations) for Indicators of Compromise (IoCs). Once one is identified, the remediation workflow runs to remove the threat.

Although the two look similar on the surface, there are significant differences in how endpoint security operates on mobile and desktop computing platforms. That difference, paired with the explosive growth of mobile computing and the fact that mobile devices do use network connections to communicate with apps, resources and services over the internet, poses a greater risk to data security and end-user privacy. Left unchecked, a compromised mobile device can also act as a conduit for larger-scale network-based attacks, including attacks still being developed.
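The persistence distinction above is where a desktop scan earns its keep. As an added example (not Jamf’s code; the user-writable directory list, the interpreter list, Apple’s job directories and the two sample plists are assumptions constructed for illustration), here is a Python checker that parses launchd job plists, the LaunchAgents/LaunchDaemons mechanism by which a macOS program is re-run after a reboot, and flags the indicators an analyst looks for: a program in a user-writable or hidden location, an interpreter running inline code from the plist, and an Apple-looking label installed outside Apple’s own directories.

```python
import os
import plistlib
from dataclasses import dataclass, field
from typing import List

# Assumptions for this example: interpreters that take inline code, locations a legitimate
# launchd job rarely runs from, and the directories in which Apple ships its own jobs.
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/python3", "/usr/bin/osascript", "/usr/bin/perl")
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                     "/Users/Shared/", "/var/folders/", "/private/var/folders/")
APPLE_JOB_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/", "/Library/Apple/")


@dataclass
class Assessment:
    path: str
    label: str
    program: str
    persistence: List[str] = field(default_factory=list)  # keys that re-arm the job after reboot
    findings: List[str] = field(default_factory=list)     # reasons it deserves a closer look

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def program_of(job: dict) -> str:
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def assess_launchd_item(path: str, plist_bytes: bytes) -> Assessment:
    job = plistlib.loads(plist_bytes)          # accepts XML and binary plists
    program = program_of(job)
    args = job.get("ProgramArguments") or []
    a = Assessment(path=path, label=job.get("Label", ""), program=program)
    # How does the job come back after a reboot?
    for key in ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval", "WatchPaths"):
        if job.get(key):
            a.persistence.append(key)
    # What does it run, and from where?
    tokens = args or [program]
    writable = [t for t in tokens if t.startswith(WRITABLE_PREFIXES)]
    if writable:
        a.findings.append("references a user-writable location: " + ", ".join(writable))
    hidden = [t for t in tokens if any(part.startswith(".") for part in t.split("/") if part)]
    if hidden:
        a.findings.append("references a hidden path component: " + ", ".join(hidden))
    if program in INTERPRETERS and any(flag in args for flag in ("-c", "-e")):
        a.findings.append("interpreter executes inline code supplied by the plist")
    if a.label.startswith("com.apple.") and not path.startswith(APPLE_JOB_DIRS):
        a.findings.append("Apple-looking label outside Apple's own job directories")
    if not program:
        a.findings.append("no Program or ProgramArguments")
    return a


def scan_directories(dirs=("/Library/LaunchAgents", "/Library/LaunchDaemons",
                           os.path.expanduser("~/Library/LaunchAgents"))) -> List[Assessment]:
    """Assess every .plist in the given directories on a live Mac; unreadable files are skipped."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            p = os.path.join(d, name)
            try:
                with open(p, "rb") as fh:
                    results.append(assess_launchd_item(p, fh.read()))
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
    return results


# Constructed sample plists for the example: one ordinary updater, one that mimics Apple.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.softwareupdate.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string><string>/Users/Shared/.cache/.agent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for path, data in (("/Library/LaunchAgents/com.example.updater.plist", BENIGN_PLIST),
                       ("/Library/LaunchAgents/com.apple.softwareupdate.agent.plist", SUSPICIOUS_PLIST)):
        print(assess_launchd_item(path, data))
```

On the two samples the updater comes back clean with `StartInterval` as its only persistence key, while the second job collects four findings on top of `RunAtLoad` and `KeepAlive`. `scan_directories()` runs the same checks over the real job directories of a Mac; on any other system those directories are simply absent and it returns an empty list.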

Out-of-the-box, mobile security is not enough

Many who follow our blog know how pivotal a role security and privacy play when using technology. Arguably one of the leaders in this discussion is Apple, whose commitment to both is seen in its consistent inclusion of security and privacy frameworks that serve as a tentpole of the platform.

In fact, since the introduction of Touch ID on the iPhone, Apple has built its security and privacy framework into every piece of hardware, mobile and desktop alike, so that anyone using a device across its entire product line finds the same level of protection. However, a discussion of mobile security has to include Microsoft and Google alongside Apple, and covers not just smartphones but tablets and wearables as well.

Even with all their security-focused features in tow, ones like device encryption or biometrics as mentioned earlier, mobile security requires a comprehensive approach in order to keep mobile endpoints safe and ensure data security. This doesn’t imply an inherent weakness in the devices themselves but rather speaks to the nature of the evolving mobile threat landscape. Specifically, one that is impacted by dynamically occurring changes that are hard for organizations to keep up with. For example, in their rush to deploy mobile devices, many businesses overlook the following:

  • Critical security protocols that expose them to potential threats
  • Holistic endpoint security that addresses existing threats, as well as novel threats
  • Rigorous security hygiene procedures that begin with device provisioning and deployment
  • Ensuring mobile devices adhere to strong baseline settings
  • Adherence to security standards that are crucial for maintaining organizational integrity
  • Failure to meet/maintain compliance due to rapid adoption of cloud-based services
  • Lack of understanding increased risk factors associated with the rise of hybrid work patterns
  • How the expansion of native apps challenge the current enterprise mobility model

While we could go on about endpoint security in general, the focus of this blog is specifically on mobile security and how the growth of this segment has led to mass adoption at a global level. That adoption has in turn brought mobile technology into many different industries, from education with 1:1 programs for students, to supply chain and logistics where devices are invaluable tools for getting supplies where they need to go fast, to remote and hybrid work in every industry, thanks in no small part to their blend of powerful computing and lightweight form factor. The ubiquitous design lends itself to helping users access critical resources at any time, from anywhere.

And therein lies the rub, doesn’t it? How does an organization manage mobile devices without diluting the powerful, yet easy-to-use platforms while at the same time not compromising security at the expense of convenience? Or how about the common tradeoff that occurs when incorporating security by ensuring that it does not compromise end-user privacy in an all-consuming aim to secure mobile devices?

As we’ve seen historically, sadly there’s usually a tradeoff when implementing a mobile security plan. The compromise to efficiently being able to work from anywhere is often mobile security as organizations typically fall into the trap of over-protecting or under-managing. Regardless of the category your company falls into, however, the end result remains the same: devices, users and data are left vulnerable.

By ensuring that data security and privacy are always at the forefront (and never an afterthought) of any process running on mobile devices, they don’t have to be.

How does mobile security impact organizations?

Like cybersecurity in general, mobile security affects multiple aspects of an organization — not just its devices, users or data — though these are certainly factors that are critically affected and often what you hear about most in the media. Some of the other ways mobile security impacts organizations are:

  • Loss of company integrity and its public perception/reputation
  • Disruption of business operations and loss of business continuity
  • Leaking of confidential information, like trade secrets
  • Civil and/or criminal liability stemming from violating compliance regulations
  • Device compromises that lead to lateral movement across the network and subsequent data breaches
  • Unauthorized access to protected user data, like PII and PHI
  • Hindering the potential of mobile workspaces and distributed workforces

It’s important to note that, while any or potentially all of these security issues may impact your organization, this information is not intended to scare, but rather to inform. Being aware of the mobile threats that exist and how they impact organizations is the first step toward implementing a defense-in-depth strategy that holistically and comprehensively manages mobile devices while mitigating the current and growing list of mobile threats.

Types of mobile security threats

Below is a list of key threats affecting mobile security. By no means is this list exhaustive or future-proof, but it does provide insight into the types of threats, so that IT and users alike have a better idea of the vulnerabilities and attack campaigns threat actors are currently leveraging against mobile endpoints.

  • Phishing: Social engineering campaigns that use SMS, email, phone calls, social media and messaging apps to trick end users into divulging sensitive information, such as passwords, or into tapping malicious links that compromise their mobile devices.
  • Malware: Malicious code or applications that compromise the security of the endpoint and the privacy of its user, serving one purpose or several depending on the malware type or how types are combined. Examples are:
    • Ransomware: Encrypts private data and demands that the user pay a ransom for the decryption key or risk losing the data forever.
    • Spyware: Gathers information on users, such as the websites they visit, logs keystrokes and copies cookies, letting attackers hijack their sessions and further attack their devices.
    • Adware: Pushes advertisements for products and services to get users to click on them, which can further compromise the device; adware is also used to deliver other malware.
    • Stalkerware: Similar to spyware, but goes further by capturing the webcam, photos, phone calls and text conversations and by using GPS to physically track the victim’s whereabouts.
    • Cryptomining: A small program that uses the device’s hardware to mine cryptocurrency for the attacker, reducing performance and battery life and possibly disrupting normal device operation.
    • Potentially Unwanted Program (PUP): PUPs are not necessarily malware, but they are typically bundled with other software and reside on the device without the user’s knowledge, possibly leading to greater security risks later.
    • Trojan: Programs that mask their true intention, such as malware repackaged as a legitimate app. Many trojans are legitimate apps that have been cracked (had their internal protections broken) to include malicious code, then distributed via third-party app stores as free versions of commercially licensed software.
  • Loss/Theft: Mobile devices, by nature, leave offices and homes and travel to wherever the user is working. This increases the likelihood that they are lost, misplaced or targeted for theft, placing their contents, sensitive data and private information alike, at risk of compromise.
  • Man-in-the-Middle (MitM): Also known as “eavesdropping”, this attack is common wherever unsecured Wi-Fi hotspots are available. Unsuspecting users connect to an unencrypted wireless network where an attacker on the same network can intercept their communications and/or use that position to gain access to their devices.
  • App Permissions: Granting apps permission to access device resources is not unusual and is generally not a cause for concern. However, when apps are granted more permissions than they need, or abuse the permissions they were granted, the result can be a privacy violation and/or data exfiltration.
  • Patch Management: Updates to apps, the operating system and hardware components (firmware) are released by developers to fix known vulnerabilities and protect against known attacks. Without those updates in place, devices and apps become vectors for attacks, compromises and subsequent data breaches.
  • Weak/No Passwords: Passcodes that are easily guessed, left at their default or simply not enabled at all are the “low-hanging fruit” for bad actors. Sometimes the only thing standing between a lost device and a compromised one is a strong, unique passcode.
  • Encryption: Fitting hand in glove with weak/no passwords and loss/theft above, encryption is the last line of defense once a device is out of your hands. Whole-disk encryption scrambles stored data with algorithms that are infeasible to brute-force directly, so the practical attack is guessing the passcode from which the encryption key is derived, which is exactly why a strong, unique passcode matters.
  • Unsecured Connections: Open Wi-Fi hotspots offer internet access and nothing else; they leave your devices, your data and the connection itself open to threats, and the resources you connect to on the other end are exposed as well. Securing untrusted connections with a VPN encrypts transmissions inside a tunnel and keeps them from unauthorized access. Zero Trust Network Access (ZTNA) offers the same transport security while also checking device health before granting access each time a resource is requested.
  • Misconfigurations: Devices that keep default configurations in place, are misconfigured or have fallen out of compliance are at greater risk of compromise than those that have been hardened against common threats by reducing their attack surface.

Benefits of having a mobile security solution

Let’s start with the most obvious reason, which is really two reasons that go hand in hand: mobile device adoption rates worldwide have grown, and continue to grow, at breakneck speed.

Just how deep is mobile penetration, you ask? According to a survey performed by Statista, in 2023, “the current number of mobile phone users is 7.33 billion, which makes 90.97% of people in the world cell phone owners.” If we factor out feature phones, choosing to only account for smartphones, then “the current number of smartphone users in the world today is 6.92 billion, meaning 85.88% of the world’s population owns a smartphone.”

That figure represents only smartphones. Despite taking the majority of market share in the mobile device space, it leaves out other popular device types, such as tablets and wearables like smartwatches. Each of these devices is also used by people for personal purposes as well as at work.

Each mobile device that:

  • Processes business data
  • Uses work-related apps
  • Accesses organizational resources
  • Connects to company networks

Any such device that isn’t properly managed and secured, even if it does so alongside apps and data for personal use, poses a risk to the enterprise, to compliance and to the user’s privacy.

A comprehensive mobile security strategy, one that integrates with your existing Mac environment and provides a holistic management and security plan, ensures that:

  • Protection extends uniformly across the infrastructure
  • All endpoints are secured against modern and evolving threats
  • Business resources and user privacy data are safeguarded, regardless of whether devices are company- or personally-owned
  • Users can work from anywhere, on any device and over any network connection securely
  • Ever-increasing risks impacting devices, users and data are effectively mitigated
  • Organizations maintain compliance with regulations

Types of mobile security solutions

If you haven’t guessed yet, there are a lot of real and potential threats affecting mobile security. And if adoption continues at its current rate, it is estimated that more than 8 billion mobile devices will exist globally by 2024. While it’s unlikely that every single one of them will be attacked, any attempt to put a figure on it would be pure speculation given the number of variables.

What is known are the mobile security solutions available, how they work and why they’re necessary to protect your mobile fleet and keep your users, devices and data safe and secure.

  • Zero Trust Network Access: ZTNA, as it’s referred to, secures network communications much like a VPN while adding safeguards that protect individual resources, such as apps and services. Built-in device health checks give IT granular insight into devices, including patch levels, whether a device is compromised or affected by malware and whether it meets organizational requirements, before access to each resource is approved. Resources are segmented from one another, so if a user’s access to a particular app is compromised, only that app is affected; the user can continue working with other resources without fear of lateral movement compromising them. Devices failing health checks are denied access and placed into remediation, where the issues are mitigated before access is granted again.
  • Mobile Endpoint Protection: Preventing malware is just one part of the mobile security equation. Mitigating phishing by identifying and blocking the domains and malicious URLs used in campaigns, including zero-day ones, is a significant step forward in protecting your mobile fleet. Add protection from network-based attacks such as MitM, plus compliance checking that lets organizations map their Acceptable Use Policies (AUPs) onto policy-based management to minimize misconfigured settings, and you further strengthen the security posture of your devices and of your infrastructure, whether it is local, cloud-based, public, private or a combination thereof.
  • Website Content Filtering: Intelligent filtering of malicious websites not only minimizes the threat from phishing sites but also reduces legal exposure from inappropriate use and/or illicit websites, while network-aware controls safeguard cellular, wired, roaming and Wi-Fi connections alike, providing an additional layer of protection. Seamless scaling across management models such as BYOD/CYOD/COPE lets you enforce AUPs on company-owned and personally owned devices alike, so organizational resources and end-user privacy are protected equally, not at the cost of one another.
  • Patch Management: No device management strategy is complete without covering apps and devices through their lifecycle: ensuring both are sourced and updated, that critical configurations are set properly and consistently across all device types, and that a centralized management platform gives end users the flexibility to work from anywhere, at any time, without limiting their effectiveness, while letting IT and Security teams respond to issues in real time. And let’s not forget support for the very latest security features, new functionality and software updates from day one.

Why your mobile devices need as much attention as your Macs

If your company secures Mac computers, why are you not securing mobile devices?

Regardless of industry or region, organizations worldwide have adopted, and continue to adopt, Apple devices for work. Consider that less than two years ago, in 2021, Apple’s annual revenue was $365.8 billion. iPhone (51.9%) and iPad (8.8%) together generated 60.7% of that revenue. Apple Watch alone outsold iPad and Mac (9.8%) individually, accounting for 10.4% of total revenue.

There’s clearly demand for mobile devices running iOS and iPadOS, alongside others running Windows, Android and Chrome OS. More devices means a higher potential for introducing risk into your organization.

If they are different, why do they need the same level of security?

Well, they are computing devices after all and, more to the point, ones that use and rely upon the same types of apps, services and processes to get work done safely and securely. Sure, there are differences in the ways mobile and desktop operating systems handle certain processes, and in the workflows by which users are productive within each OS, but make no mistake: when it comes to data security they share at least as many similarities as differences, making it critical for admins to embrace the similarities while minimizing the risk the differences could introduce if left unchecked.

How do mixed environments, using personally- and corporate-owned devices, impact mobile security?

For organizations that do not have a mobile device security plan in place, the reality is that there is little difference between personally-owned and corporate-owned devices when viewed through the lens of risk management. Without comprehensive protections in place to prevent malware, secure network connections or separate business data from personal data in segmented and encrypted volumes, organizations will have great difficulty determining whether a device is compliant, whether it is authorized to access sensitive resources, or whether an unpatched vulnerability exploited by threat actors has opened the door to a data breach.

In other words, IT and Security teams lack the necessary insight into device health in real-time to truly understand the security posture of the devices themselves or how that impacts the organization’s overall security posture.

Now, let’s flip this around. Your organization does have a mobile device security plan that’s integrated alongside the larger, holistic security plan. How does that change things?

For starters, there’s protection against modern threats. Not just ones that impact desktop or mobile operating systems, but rather all supported platforms — regardless of the device type or ownership model. Next, there’s coverage that protects the infrastructure comprehensively. It spans across devices, users, resources and data repositories to ensure that security is a fundamental requirement that is addressed top to bottom and end to end.

What are the use cases for mobile?

It used to be that mobile devices were not really used by consumers, let alone for business. That began to change well over a decade ago, when smartphones gained the interest of enterprise users, like those who relied on BlackBerry to communicate over IM and email while on the go.

With the release of the first iPhone in 2007, users took to the sleek device with its promise of desktop-like features without carrying around a laptop or something far heavier. Years later, the rise of native mobile applications, increased adoption of cloud-based services and greater performance and efficiency have effectively placed a thin, lightweight computer in the pockets of billions of users globally.

Mobile devices have expanded since then, to encompass tablets and smartwatches, to greater fanfare and some incredibly simple yet powerful workflows that help keep users productive — working smarter, not harder.

Any scenario is a use case for mobile. That said, some of the more commonly seen ones by industry are:

  • Healthcare: Health practitioners have taken to mobile technology to perform wellness checks through tele-health sessions with patients.
  • Education: Students rely on 1:1 programs that have transformed how teachers deliver lessons, effectively exchanging multiple books, paper, pencils and other materials for a tablet.
  • Logistics: Cloud-based services combined with tablets and smartphones allow teams to manage inventory, ensure manifests are accurate or track product shipments anywhere across the globe.
  • Retail: Large, clunky POS systems and antiquated credit card imprint machines have given way to thin, large-screened mobile devices that simultaneously handle sales transactions, keep a database of customer information, provide up-to-date inventory data in real time and do it all with a tap or two.
  • Finance: The FinTech industry has adopted mobile in ways that make it easier than ever before for consumers and businesses to keep track of their financial standing and myriad investments, all without having to stand in line at the bank.
  • Sales: Long the tools of road warriors, mobile devices deliver strong performance while sipping battery power and let teams stay in contact from a single lightweight device.
  • Aviation: Pilots must carry nearly 40lbs. of documents, like navigational maps and aircraft manuals in their kitbags. With the adoption of tablets, the clutter and weight was reduced to 1.5lbs as part of their electronic flight bag.

Why is now the right time to invest in mobile security?

When it comes to security, there’s an aphorism, anecdotal in nature, that before a security incident businesses see protection as an unnecessary expense and do not feel the need to invest in it, and that once an incident occurs they become much more willing to throw money at it in order to make it go away.

Simply put: when things are quiet, it’s easy to lose sight of the good endpoint security is doing because security incidents are being mitigated.

Another way of looking at it is that the best time to invest in mobile security is not when your organization is under attack, but rather when IT and Security teams can work together to properly implement the technologies they require to address the unique requirements of the organization without hasty measures being taken to “clean up the mess as quickly as possible.”

Conclusion

Mobile security is a critical, sometimes mismanaged and often overlooked part of a greater, holistic security plan: one that comprehensively protects devices, users and business resources from a modern threat landscape of current and novel threats.

Exacerbating the mobile security dilemma is the fact that user adoption of mobile computing devices continues to rocket, with global adoption rates second to no other hardware technology. More devices, married with advances in mobile technology, means greater usage of and reliance on mobile across platforms, touching just about every industry.

When combining the above with continued business migrations toward distributed work forces and the increased targeting of mobile devices by threat actors, organizations shouldn’t want to protect their entire fleet of devices — company- and personally-owned alike — from threats…they need to protect their infrastructure to remain compliant and keep resources safeguarded.

And one of the keys to protecting your environment lies in the integration of mobile security alongside your existing security strategy to ensure there are no gaps in protection — just seamless security that protects all your endpoints without compromising the efficacy of solutions or impacts to user privacy while upholding the user experience.

Mobile security is a critical part of your infrastructure and should be integrated alongside your existing security plan.


Platform Single Sign-On and the future of user logins

Security

Author: September 14, 2023 by Sean Rabbitt

Source: https://www.jamf.com/blog/wwdc-2022-sso-extension/

What is the Single Sign-On extension?

Also known as the extensible Single Sign-On extension, or SSOe, the single sign-on extension is a configuration profile payload for macOS, iOS and iPadOS introduced by Apple at WWDC 2019. This payload redirects authentication requests for websites, apps or services gated by a cloud Identity Provider (IdP) to an extension app on the device.

The SSOe payload tells the Apple device that when a user logs into a service using SAML, OAuth 2.0 or OpenID Connect, the request should be redirected to the SSOe app installed locally on the device. Think of the payload as routing authentication requests through a local proxy. For example, if you visit Microsoft’s SSO-enabled website, the device launches the Microsoft Authenticator app instead.

Upon launching, the app first requests authentication for the user from the IdP, to validate that the requestor really is the user in question. Next, it obtains an access token and a refresh token that keep the user’s login alive until the IdP invalidates them, for example the next time the user changes their password. The authenticator app is then responsible for authenticating the user to services, like logging into Salesforce via Safari or accessing an Office 365 mailbox within the native Microsoft Outlook app.

Note: SSOe configuration profiles can be set up either to redirect or to provision a credential within the SSOe app. Currently, Microsoft Entra ID uses a redirect payload, while Okta FastPass uses a credential payload. In the latter, the FastPass authenticator app obtains a certificate from the Okta Certificate Authority (CA) to authenticate the user. Both are worth noting for future deployments as the technology continues to develop.

What is Platform Single Sign-on (PSSO)?

Platform SSO builds on the SSOe configuration profile by tying the local user account on a Mac to the Single Sign-On application. In this model, the user is presented with an identity provider login when they arrive at the macOS login screen.

But wait, doesn’t that sound a bit like Jamf Connect? More on that in a moment. Once the user enters their credentials at the Mac login window, PSSO will either update the local account password to match or use a key stored in the Mac’s Secure Enclave to authenticate the user locally. Which workflow runs depends on how the IdP’s PSSO extension is written and on how the administrator has configured login handling in the deployed profile.

After the user has successfully logged in, they can start accessing any resources gated by the IdP and the SSOe app will intercept the login and automatically authenticate the user, without additional password prompts. Pretty cool, right?!
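The payload shapes described above, as an added example that is not Jamf’s or Apple’s code: a small Python script that builds an Extensible SSO payload (PayloadType com.apple.extensiblesso) of either the Redirect or the Credential type, optionally with the PlatformSSO dictionary, checks it for the mismatches that most often produce a profile that installs but never intercepts a login, and serializes it as a .mobileconfig. The extension identifier, team identifier, URLs and hosts are placeholders; the real values come from your IdP vendor’s documentation.

```python
"""Build and sanity-check an Extensible SSO payload (PayloadType com.apple.extensiblesso).

Added example, not Jamf's or Apple's code. Extension and team identifiers,
URLs and hosts are placeholders; real values come from the IdP vendor.
"""
import plistlib
import uuid

PAYLOAD_TYPE = "com.apple.extensiblesso"
# Values Apple defines for the PlatformSSO AuthenticationMethod key.
PSSO_METHODS = ("Password", "UserSecureEnclaveKey", "SmartCard")


def sso_payload(extension_id, team_id, sso_type, urls=None, hosts=None, platform_sso=None):
    """Return one Extensible SSO payload dictionary.

    sso_type is "Redirect" (SAML/OAuth/OIDC requests to the listed URL prefixes
    are handed to the extension app) or "Credential" (the extension supplies a
    credential, such as a certificate, for the listed hosts).
    """
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.{sso_type.lower()}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Extensible Single Sign-On",
        "ExtensionIdentifier": extension_id,
        "TeamIdentifier": team_id,
        "Type": sso_type,
    }
    if urls is not None:
        payload["URLs"] = list(urls)
    if hosts is not None:
        payload["Hosts"] = list(hosts)
    if platform_sso is not None:
        # Only present on macOS 13+ profiles that enable Platform SSO.
        payload["PlatformSSO"] = dict(platform_sso)
    return payload


def validate(payload):
    """Return a list of problems found; an empty list means the payload is consistent."""
    problems = []
    for key in ("ExtensionIdentifier", "TeamIdentifier", "Type"):
        if not payload.get(key):
            problems.append(f"missing {key}")
    sso_type = payload.get("Type")
    if sso_type == "Redirect":
        urls = payload.get("URLs") or []
        if not urls:
            problems.append("Redirect type requires URLs")
        # Policy check of this example, not a format rule: an IdP prefix over
        # plain http would let a network attacker capture the redirected login.
        problems.extend(f"non-https IdP URL: {u}" for u in urls if not u.startswith("https://"))
    elif sso_type == "Credential":
        if not payload.get("Hosts"):
            problems.append("Credential type requires Hosts")
    else:
        problems.append(f"unknown Type {sso_type!r}")
    psso = payload.get("PlatformSSO")
    if psso is not None and psso.get("AuthenticationMethod") not in PSSO_METHODS:
        problems.append("PlatformSSO.AuthenticationMethod must be one of " + ", ".join(PSSO_METHODS))
    return problems


def build_profile(payloads, display_name="Single Sign-On Extension"):
    """Wrap payloads in a top-level configuration profile and return .mobileconfig bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.sso",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def load_profile(data):
    """Parse .mobileconfig bytes back into a dictionary (used to round-trip the output)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    redirect = sso_payload(
        "com.example.idp.sso-extension", "ABCDE12345", "Redirect",  # placeholders
        urls=["https://login.example.test"],
        platform_sso={"AuthenticationMethod": "UserSecureEnclaveKey"},
    )
    print(validate(redirect) or "redirect payload OK")
    print(build_profile([redirect]).decode())
```

Run it directly to print a Redirect profile with Platform SSO set to the Secure Enclave key method. The Type/URLs/Hosts pairing and the AuthenticationMethod values follow Apple’s payload definition; the https check is this example’s own hardening policy, since an IdP prefix served over plain http would hand the redirected login to anyone on the path.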

So, how can I get started with PSSO at my organization?

Jamf Pro was early to ship support for the creation and management of PSSO profiles for increased efficiency, user productivity and security. But to make use of PSSO, customers depend on their identity provider to provide a single sign-on extension host app. So while Jamf Pro supported PSSO, customers could only take advantage of this functionality once their identity provider also offered support. Jamf teamed up with Okta to update the Okta Verify app for Mac so that Okta and Jamf Pro customers can use the combination of platforms and enjoy the benefits of single sign-on for their Macs. This makes Jamf and Okta customers the first to make use of this new capability that was originally showcased by Apple.

What does this mean for Jamf Connect users?

It’s a case of “working better together”, since PSSOe by itself makes no provision for creating local macOS user accounts. PSSOe only works once a local user account exists on the Mac. That account must be created either by running Setup Assistant when the Mac is first started up or by an administrator creating a new user account through some other means before the benefits of PSSOe can be realized.

Jamf Connect, on the other hand, can create the first user account on the Mac — or any additional user accounts needed. Furthermore, it can enforce linking the local account to the identity provider credentials and also determine if a user should be made a local admin or a local standard user.

From there, the PSSOe can attach itself to a local user account and magically log users into their organization’s IdP-gated tools and resources.

What if my organization doesn’t use Okta?

Jamf Connect is the portion of the solution that you can deploy right now, knowing that it supports integration with SSOe, to augment the user experience when it’s made available. With Jamf Connect:

  • Users log onto their Mac with their common identity provider credentials. This gets users accustomed to using the IdP login when accessing organizational resources.
  • User account permissions are secured by the IdP. This means you can manage who is assigned admin-level privileges from one centralized place. It also adheres to the security principle of not creating an administrator account on a Mac until you absolutely need one.
  • You can customize the onboarding experience. Jamf Connect helps IT streamline onboarding for the end-user to get them working productively from the moment they first power on their device.
  • If your IdP supports it, try out the previews of the existing SSOe apps with an account created by Jamf Connect. The experience of accessing organizational resources so simply and easily is a truly transformative experience.
  • Review the implications of SSOe and PSSO with your company’s Security team. Concerns may exist surrounding the new technology’s efficacy, prompting them to favor a more mature security stack, like with Jamf Protect.

Additional security with Zero Trust Network Access (ZTNA)

The combination of Jamf’s integrated solutions, including built-in Zero Trust Network Access (ZTNA), leverages your IdP to upgrade organizational security by:

  • Frequently checking device health
  • Assessing app vulnerability status
  • Securing network communications
  • Mitigating risky user behaviors
  • Establishing microtunnels to securely access resources
  • Denying access to devices/users found to be compromised
  • Maintaining optimal productivity by blocking access only to affected resources
  • Automatically executing workflows to remediate devices

Integrate Jamf Connect into your authentication and IdP workflows to benefit from a mature authentication stack.


StateRAMP for Jamf School and Jamf Pro

Security

Author: September 12, 2023 by Mat Pullen

Source: https://www.jamf.com/blog/stateramp-cybersecurity-for-education-with-jamf/

What is StateRAMP?

StateRAMP was born in early 2020 from the clear need for a standardized approach to the cybersecurity risk management standards required by educational organizations and state and local governments. This critical cloud security assessment and authorization program is designed to ensure that products address the specific technology and compliance requirements of these public sector organizations.

With the increased focus on cybersecurity in the public sector, many education institutions and state and local governments are partnering with StateRAMP to streamline their cloud procurement processes.

What does this mean for education?

Cybersecurity in education is a large and ever-growing concern. Cybercriminals see education as a target due to the rapid deployment of devices over the last few years. With the fast pace of change, institutions need to trust that their cloud providers are appropriately managing their cybersecurity risk to protect their users and institutions. Learn more about Jamf’s commitment to education.

What has Jamf done to achieve this state?

In order to ensure our public sector customers are able to meet their various regulatory requirements, Jamf has gone through the rigorous process to achieve StateRAMP Ready status for Jamf School and Jamf Pro. Although this certification applies most specifically to public-sector customers in the US, the work helps Jamf advance its overall security maturity and increase its safeguards, which benefits all Jamf School and Jamf Pro customers globally.

We will continue to move through the stages of StateRAMP in order to ensure our systems meet these standards to keep our customers compliant and, more importantly, to keep our customers safe.

For more details, read our press release.

See for yourself how Jamf can help with your institution’s StateRAMP requirements.


Jamf Trust now notifies when ZTNA connection is lost

Security

Author: September 11, 2023 by Alexander Kozlowski

Source: https://www.jamf.com/blog/jamf-trust-now-notifies-when-ztna-connection-is-lost/

As many people can relate to, working with traditional VPN software agents can be a pain, not only because of constant authentication and a clunky user experience but because of a lack of visibility into what is going on with your connection. While Zero Trust Network Access (ZTNA) removes much of the headache traditional VPN can cause (since ZTNA routes only relevant traffic through your company network instead of all traffic, for example), it’s not immune to flaws.

A common issue we heard from customers was how Jamf Trust managed and reported the current status of ZTNA, especially behind captive portals: the pages that present end users with a license agreement, login or payment that must be completed before they are allowed to use the internet. These are very common on airlines and other modes of transportation, where they let customers make purchases such as beverages or snacks or give passengers additional information (such as journey details or maps).

Most modern operating systems (OS) have built-in support for the Wireless Internet Service Provider roaming (WISPr, pronounced “whisper”) protocol, which lets the OS detect whether it has an internet connection, but this often leads to complicated configurations and confusing statuses on the device. In some cases a device will think it is connected to the internet when it is not.

These configurations are set up with good intentions, to improve the user experience by helping with navigation or reducing errors when connected to the in-flight network, but as you can imagine they effectively break a necessary ZTNA or VPN connection: the portal intercepts traffic until it is completed, so the tunnel cannot reach the company gateway. This can leave the end user in an even worse state, unable to use the network at all, which means no movies, no internet and, worst of all, no beverages or snacks.

Returning to what we mentioned at the start, this is exactly what was happening with Jamf Trust. End users were often frustrated and saw it as the app’s fault, so it was definitely a problem we needed to address. This is why we are very pleased to announce that this problem is now a thing of the past.

Jamf Trust on macOS has recently shipped better detection for this situation. In addition, it provides clearer end-user information within the app and via notifications when such a connection is unavailable. When a connection is unavailable, ZTNA is temporarily disabled to ensure that internet traffic is not blocked; once the connection is restored, the app automatically reconnects to ZTNA and provides access to company resources, all without user intervention. Ultimately, with this resolution, no passenger should need to worry about being able to watch those in-flight movies or purchase their favorite snacks.
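The detection and gating logic the post describes, as an added example that is not Jamf Trust’s code: a captive-portal probe classifier in Python using the public probe endpoints Apple and Android use, plus a small controller that pauses the tunnel while a portal is pending and resumes it once the probe succeeds. The HTTP responses are constructed, so the example runs offline; a real client would fetch the probe URL and build a ProbeResponse from the answer.

```python
"""Captive-portal detection and tunnel gating, as an added example.

Not Jamf Trust's code: it shows the logic the post describes. The probe
endpoints are the public ones Apple and Android use; the responses below are
constructed, so the example runs offline.
"""
from dataclasses import dataclass, field
from enum import Enum


class NetState(Enum):
    ONLINE = "online"            # probe answered as expected: real internet
    CAPTIVE = "captive_portal"   # something on the path rewrote the probe
    OFFLINE = "offline"          # no answer at all


@dataclass(frozen=True)
class ProbeResponse:
    status: int                  # HTTP status; 0 means the request failed
    headers: dict
    body: str


# (probe URL, expected status, text that must appear in the body)
PROBES = {
    "apple": ("http://captive.apple.com/hotspot-detect.html", 200, "Success"),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, ""),
}

REDIRECTS = {301, 302, 303, 307, 308}


def classify(resp, probe="apple"):
    """Decide whether the probe result means online, captive portal or offline."""
    _, want_status, want_marker = PROBES[probe]
    if resp.status == 0:
        return NetState.OFFLINE
    lower = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in REDIRECTS and "location" in lower:
        # Portals answer the probe with a redirect to their own login page.
        return NetState.CAPTIVE
    if resp.status == want_status and want_marker in resp.body:
        return NetState.ONLINE
    # A 200 carrying a terms-of-service page instead of the expected body is
    # the case an OS can get wrong: the device believes it is online.
    return NetState.CAPTIVE


@dataclass
class TunnelController:
    """Pause the ZTNA tunnel while a portal must be completed; resume afterwards."""
    tunnel_up: bool = True
    notifications: list = field(default_factory=list)

    def observe(self, state):
        if state is NetState.ONLINE and not self.tunnel_up:
            self.tunnel_up = True
            self.notifications.append("Connection restored: reconnecting to company resources")
            return "resume"
        if state is not NetState.ONLINE and self.tunnel_up:
            self.tunnel_up = False
            self.notifications.append(
                f"ZTNA paused: {state.value}; complete the network sign-in to continue")
            return "pause"
        return "none"


def run_probes(responses, probe="apple"):
    """Feed a sequence of probe responses through the controller; return the actions taken."""
    ctl = TunnelController()
    actions = [ctl.observe(classify(r, probe)) for r in responses]
    return actions, ctl


# Constructed responses for an in-flight Wi-Fi session: a portal redirect, a
# portal page served with a 200, the real probe page once signed in, then a
# dropped link.
SAMPLE = [
    ProbeResponse(302, {"Location": "https://wifi.airline.example/login"}, ""),
    ProbeResponse(200, {"Content-Type": "text/html"}, "<html>Accept the terms to get online</html>"),
    ProbeResponse(200, {"Content-Type": "text/html"},
                  "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ProbeResponse(0, {}, ""),
]

if __name__ == "__main__":
    actions, ctl = run_probes(SAMPLE)
    for resp, action in zip(SAMPLE, actions):
        print(classify(resp).value, "->", action)
    print("\n".join(ctl.notifications))
```

The second sample response is the one worth noticing: the portal returns a 200 with its own HTML, which a naive reachability check accepts as "online", while comparing the body against the probe’s expected marker correctly keeps the tunnel paused until the real probe page comes back.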

This feature is now available for Jamf Trust on Android and macOS. It will be available on iOS in mid-September, and Windows support is planned for later this year.

Overall this provides an excellent example of our continuous pursuit in helping organizations succeed with Apple. Additionally, we are excited to help end users in knowing what is going on with their computer instead of having to guess why their computer isn’t connecting as expected.

Stay connected on the go with Jamf.