Security Report 360: A primer

Security practices change over time with new technologies being introduced to aid administrators in better combating threats that impact the security of critical business data, endpoints and users – and their privacy.

But endpoint security isn’t the only one getting upgrades in the battle to secure data. Threat actors continue to bolster their tools and processes as well to evade detection, find new ways to target victims and make greater inroads into compromising the security posture of targeted devices and enterprise networks.

Let’s not stand on ceremony here and dive right into the trends that are and will continue to make headlines in 2023.

Social engineering

The top threat that continues to lead the charge thanks in no small part to the relative ease with which bad actors can carry out attack campaigns. Combined with the minimal overhead required to execute attacks, social engineering threats offer maximum payoff in comparison to the minimal effort often required.

Regardless of whether the attack carried out is of the traditional phishing type over email, smishing attacks that rely on SMS text messaging to deliver bite-sized messages to hundreds or thousands of targets at any given time or newer campaigns that are carried out over social media – in which anonymity and short responses are an accepted way of communicating – make no mistake, social engineering attacks can be crafted to target just about any type of victim and gather almost any piece of data.

“In 2022, 31% of organizations had at least one user fall victim to a phishing attack”, according to Jamf. And it’s not surprising given the commonality of receiving a message, phone call or email from unknown sources, one that could very easily claim to be someone (or something, like a business) that they are not. With very little ability by the average user to verify the authenticity of a potential scammer's identity, the high success rate of social engineering attacks continues to assure attackers that this method of attack is well worth their effort. Even with all the security tools in the world, it is of little consequence in stopping threats when it’s the users themselves handing out passwords and other sensitive data willingly. Hence why ongoing user training that focuses on threats – both broad and specific to your industry – is often the greatest defense against social engineering attacks.

User privacy

Another data type that has seen increasing attention from both users and attackers alike is user privacy data. Such as the type of metadata often attached to data generated from the use of applications that rely on the numerous sensors and components backed into mobile devices.

Why is this so important you may ask? Because threat actors are utilizing privacy data for personal and financial gain. As part of sophisticated social engineering campaigns that target something else to bad actors that resort to extorting victims in exchange for not leaking privacy data that could otherwise impact their reputation, jobs or standing in the public eye. There are also nation-state attackers that have been known to inject malicious code into apps to spy on dissidents, whistleblowers or persons deemed by them to be a threat to the government.

While user privacy is often targeted as part of an attack chain and not the central target of the attack itself, the best defense is a vigilant user that plays an active role in authorizing and regularly auditing which apps are granted access to what components. For example, allowing an app that maps directions access to GPS on your smartphone makes sense if you find yourself relying on its directions capability regularly to find your way around. However, why does a third-party messaging app request access to the same GPS sensor? It’s not as though GPS is a central component to exchanging messages with contacts, right?

Novel threats

Malware-based attacks have shown to be in decline in the previous year. This is something to celebrate, but before we get too carried away, let’s not forget that attackers continue to sharpen their tools and skill sets as well. And this is being seen by way of converged attacks that combine multiple attack types to develop a newer type of threat – some of which have never before been seen.

This is also in response to the changing work environments and/or organizations evolving how they conduct business. Switching to remote work, hybrid environments or even allowing employees to use their own personal devices (BYOD)for work are catalysts that have bred new forms of attacks to isolate users from their devices and separate devices from their data.

Jamf Threat Labs data found that “in a single month of 2022, 53% of compromised devices accessed conferencing tools, while 35% accessed email, 12% accessed a CRM, and 9% accessed cloud storage services.” This combined with examples of sophisticated attacks in the wild indicates that attacks may take on more than just one form and can occur over any period of time without detecting any of the threats used in the chain until it’s too late. While converged attacks are certainly harder to protect against given the difficulty by administrators to predict when attacks will occur, certain practices – when combined as a defense-in-depth security strategy – provide the best form of protection against novel threats.

Consider a mix of:

• actively monitoring endpoints
• deploying endpoint protection
• implementing policy-based management
• sharing telemetry securely between solutions
• practicing patch management
• leveraging machine learning (ML) for behavioral analytics
• automate incident response workflows

Compliance

While gathering data for the Security 360: Annual Trends Report, Jamf discovered that “in 2022, 21% of employees were using devices that were misconfigured, exposing them to risk." This is not a walk in the park but rather this figure identifies that potentially just over one-fifth of the employees at an organization are utilizing devices – regardless of whether they are company- or personally-owned – that are out of compliance.

Should a threat find one of these affected devices, in turn exploiting one of these vulnerabilities in configuration, there’s no telling the extent of the data breach. This isn’t intended to promote fear, uncertainty or doubt (aka FUD), but rather to speak earnestly regarding the serious nature of complying with regulatory governance and the possible consequences of violating laws when endpoints fall out of compliance.

Identifying which penalties your organization may be subject to and based on violations that stem from regulations that apply to your industry is beyond the scope of this article or the Security 360 report it discusses. That said, the fact remains that governance requires organizations to comply with their laws in order to be deemed compliant. Furthermore, organizations are subject to regular audits to ensure that their business processes and protected data types are being handled in accordance with regulations.

This places the burden of proof on the organization itself to gather and provide evidence that it is compliant end to end. With this in mind, compliance is not a separate piece to be managed by a compliance officer or risk assessment specialist only – compliance is part of the security stack – and much like user privacy, it makes up a critical piece of the overall security posture of the organization and needs to be treated as such when planning, testing and deploying security controls, processes, personnel, applications, services and workflows that impact regulated data.

Remote/hybrid environments

Remote and hybrid work environments have become as commonly accepted and ubiquitous in many industries as email is to business communications, thanks in no small part to technologies that stepped up to fill the void left as the network perimeter began eroding when organizations shifted to users working remotely to some degree or another.

And in the years since the initial exodus began from corporate offices to working from home (WFH), there are still organizations that may be just now getting around to migrating or simply still have yet to find the right combinations of solutions and policies to bridge the gaps left in their security posture.

When Jamf Threat Labs found that “1 in every 5 devices ran an operating system that was not up to date.”, this qualifies the previous statement. At its core, the cause of this is not known since it varies from business to business just like their needs are unique from one to the other. What is known is that it further underscores the very real-world need for visibility into your device fleet – as well as a clear understanding of how exactly each component that makes up the security posture interfaces with the organization’s infrastructure. If your organization is part of a highly-regulated industry, like finance or healthcare, for example, visibility is a critical component to achieving and maintaining compliance.

Alongside visibility, a few of the steps organizations can take to secure mobile devices in remote/hybrid environments are:

• Integration between management and security tooling
• Automated processes and workflows
• Decentralized logging and threat intelligence
• Risk assessment practices to identify assets and threats