It’s time to secure the Apple enterprise

It’s not unreasonable to assume that war in Ukraine will generate a wave of cyberattacks. That means every business or personal computer user should audit their existing security protections, particularly for companies that have embraced the hybrid workplace.

While larger enterprises usually employ Chief Information Security Officers (CISOs) and security consultants to manage such tasks, what follows is useful advice for Mac, iPad, and iPhone users seeking to start such an audit.  

Take a password audit

I’m hoping most Apple users use Keychain. It has a couple of useful features to help check your passwords, and now is a very good time to use them.

• On a Mac, open Safari Preferences>Passwords (Settings>Passwords on iOS/iPad) and review the list you’ll find there.
• You’ll see passwords for all your sites. You may see a warning triangle beside some of these.
• This triangle shows you sites for which you may be reusing passwords, or passwords that may have appeared in data leaks.

In both cases, you should change these; just select the service, and then choose Change Password on Website. Apple will then try to direct you to the account page for that site where you can change your password or delete your account.

When creating a new password, do make use of Keychain’s automated password generation facility which will create stronger passwords. You’ll find more information on Keychain here.

For most Apple users, the most important passcode is the one they use for their iCloud/Apple ID.

You should make certain that your iCloud/Apple ID passcode is unique and hard to guess. It is also good practice to change the password regularly. When you do, you’ll need to input your new password across all your devices, which is a drag, but think about all the personal information you store there to help justify the effort.

Harden your service security

Look, the cold, hard truth is that most people have a few services that make use of identical passwords. But this is a vulnerability you can patch with a few minutes work. Another improvement you can make is to ensure none of the passwords you use are on this list. You should also delete your account at services you no longer use to minimize your attack surface.

Enable 2FA

Enable two-factor authentication, 2FA (or MFA, multi-factor authentication) across all essential services, and certainly financial services.  Use Apple Pay wherever possible. Most major services offer 2FA, and you can also now create 2FA codes from within iOS on supported apps.

When creating new accounts and signing up to new services, be sure to use iCloud+ email masking (Hide My Email), or free services from the likes of Cloudflare, iPassword and others to obfuscate your true identity.

Protecting others to protect yourself

While I know Mac users continue to believe their platform is secure, it’s not just about you anymore. Install and use a malware checker. This should give you some protection against any Mac malware that may emerge, but it will also flag up any Windows malware you may otherwise inadvertently share with others.

Protect your social feeds

Some attackers try to find and harvest personal details concerning individuals to craft highly personalized phishing exploits or to help them guess a person’s account passwords or authorization information, such as a mother’s name.

An essential third-party app called Jumbo can help manage your privacy on numerous social networks, including Facebook, Twitter, Google, Instagram, and LinkedIn. It’s a useful added layer of protection for your social feeds that may help prevent hackers harvesting this kind of information.

A phishing ban

We all know not to click on emails from people we don’t know, but what about those that come from people you think you do know? Phishing attempts that pretended to be customer support messages from Apple have become more convincing recently, and these are designed to make you click on the link.

The FBI Internet Crime Report 2020 revealed that phishing attacks affected 241,342 victims in 2020, up from 114,702 in 2019. Take note that 90% of successful attacks involve legitimate passwords and that password phishing accounted for 83% of all cyberattacks in 2021.

In most cases, if you receive an email that contains a link asking you to update something, it’s better to manually access the service concerned in your web browser (rather than the link) and login. You’ll then be able to see if that alert is genuine. You should forward phishing emails both to the Federal Trade Commission (FTC) at spam@uce.gov and to the entity impersonated in the email.

When shopping online or accessing sites that require financial details, always check that the web address is protected by SSL, usually denoted by a padlock icon in your browser’s search bar

Protect your web traffic

If you have an iCloud+ account, you should begin using Apple’s beta Private Relay service to help protect all your online activity using the Safari browser. Otherwise use a VPN service.

If you don’t have a VPN, Ukrainian software developer MacPaw is offering ClearVPN for iOS, Mac, Android, and Windows for free. That VPN includes a range of shortcuts to fundraising, petition-signing, trusted media outlets and other ways to support Ukraine against Russian aggression. NordVPN, ExpressVPN, and Surfshark are also widely recommended services.

Enterprises can be reassured that iCloud Private Relay is compatible with your own enterprise security systems as it is smart enough to get out of the way if a device is using a corporate VPN system.

It should go without saying that even with a VPN in place, it still makes sense not to access any confidential or financial information using a public Wi-fi connection. This is because criminals will sometimes monitor traffic that takes place on those networks to undermine security.

Back everything up

Back up your websites, image collections and all other digital assets. Cloud services usually have teams of security pros to help protect against attacks, but this isn’t foolproof and doesn’t protect from a successful password scam. This is why most enterprises will employ a combination of online and local storage services.

When it comes to local storage, many employ daily backups to a drive and weekly (or more frequent) backups to another mode of storage held offline and quarantined from the enterprise network.

The advantage of the latter is that the data stored is less likely to become corrupted or be deleted in the event of an attack, which limits data loss if that happens. You should also consider changing your backups regularly to avoid incidents in which the backup itself is infected.

Apple also lets you create an account recovery contact for your Apple ID. This should be a very trusted person who will then be able to help you recover access to your account in the event you forget your password, or if it is changed without your permission. You can define your recovery contact in Password & Security in Settings.

Segment your IT deployments

Just as it’s a good idea to maintain an offline backup system, it’s also useful to maintain multiple networks of devices within larger businesses.

The theory is that if all your systems are kept on one network, anyone accessing that network may be able to overcome your defenses. Segmenting systems internally may help protect against that, as it means that if one is breached, the entire network of machines isn’t.

It’s also important to protect the data itself. Apple’s FileVault on Macs is a disk-encryption system built into macOS that makes it hard for anyone to access your confidential data in the event the machine is lost or stolen. Here’s how to apply that protection on your Mac.

Make use of Zero Trust

Enterprises and educators that make use of MDM systems such as those offered by Jamf, Apple Business Essentials, and others may be able to deploy more robust protection across managed devices. That includes the ability to prevent employees from making and sharing their own passwords, but instead use assigned, encrypted authorization.

Many enterprises now employ increasingly complex forms of zero-trust protection. These might limit access to services depending on who, where, and when a device seeks access. A good security policy should be built around an awareness that use cases can differ drastically within an organization and therefore the more flexible and customizable your solution is, the better.

If you use cloud services, it may be possible to assign geographical zones in which your data is stored, which helps you avoid storing essential information in or near conflict zones. You may also want to make use of geolocation tools to ensure your services/data are only available in nations in which your bona fide users are based.

Check and update your kit

Apple’s security teams will be watching for any major new vulnerabilities, which is why you should always ensure all your devices are kept up to date with the latest software updates.

Do you still have an old PC on your network? Perhaps you maintain a vintage printer? Jamf recently warned that 39% of organizations allowed devices with known OS vulnerabilities to operate in a production environment with no restrictions to privileges or data access.

You should ensure all software is up to date and consider quarantining any equipment for which security updates are no longer available.

Tools, including those built into your routers, should be able to tell you what IP addresses are actively on your network and you should audit these to ensure no rogue data is being exfiltrated by an unknown device.

Check and verify your registrars

Checking your kit also extends to your domain registrar records. Are these accurate and up to date and are the passwords secured? If not, secure them.

You should also validate the security of all your external-facing internal and external services. Are these up-to-date? Have any of these ceased to receive security patches? Replace any services with unpatched vulnerabilities, or that no longer provide security updates. Replacement may have a cost, but the cost of an attack will be far higher.

How safe are your partners?

If any of your external customers, partners, suppliers, or anyone else has access to your networks, you should verify their security procedures and constrain their access privileges, removing any that are not required. Your own internal systems being hard as nails makes no difference if hackers exploit a less secure external partner to break in.

Always download software from reputable sources

Never install apps from questionable sources. Apple’s model works so well because it forbids sideloading of apps. It does so because it knows that without effective policing and protection in place, users can easily be fooled into installing malware-festooned apps. Enterprises should develop and educate employees in a secure app installation policy.

Have a plan before disaster happens

Industry wisdom around security is that a security breach is inevitable, which is why it makes sense to plan how your business will react if an exploit takes place.

Individuals and enterprises should plan what to do after a breach, ensure remedies are in place, and make sure all parties are fully aware of what their responsibilities are. A user of a single Mac, for example, may know they need to return their machine to factory settings and restore data with backups. An administrator of 500 remote Macs will need to figure out how to achieve the same thing (probably using an MDM system).

The priority in any plan is to confirm that escalation routes and contacts are in place and that communications will continue to work even if your business systems fail.

Security is an ever-changing risk environment in which even your own government may be a threat, so the more secure you are at the best of times the safer you should be when bad times come.

You may now want to take a look at the Apple Platform Security Guide, a high level Principles for Board Governance of Cyber Risk from the World Economic Forum, and a couple of earlier blogs written by me for Mac security, iOS security and working from home. 

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.