<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/james-saturnio/rss" /><link>https://www.ivanti.com/blog/authors/james-saturnio</link><item><guid isPermaLink="false">62ad4ccd-ad37-44dc-9105-0afe7f5beaa7</guid><link>https://www.ivanti.com/blog/three-reasons-endpoint-security-can-t-stop-with-just-patching-or-antivirus</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Three Reasons Endpoint Security Can’t Stop With Just Patching</title><description>&lt;p&gt;With remote work now commonplace, having a good &lt;a href="https://www.ivanti.com/blog/cyber-hygiene-definition-and-best-practices"&gt;cyber hygiene&lt;/a&gt; program is crucial for organizations who want to survive in today’s&amp;nbsp;threat&amp;nbsp;landscape. This includes promoting a culture of individual cybersecurity awareness and deploying the right security tools, which are both critical to the program’s success.&amp;nbsp;&lt;br&gt;
&lt;br&gt;
Some of these tools include endpoint patching, endpoint detection and response (EDR) solutions and antivirus software. But considering recent cybersecurity reports,&amp;nbsp;they're&amp;nbsp;no longer enough to &lt;a href="https://www.ivanti.com/blog/the-8-best-practices-for-reducing-your-organization-s-attack-surface"&gt;reduce your organization’s attack surface&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Here are three solid reasons, each illustrated by a real-world situation that happened to an organization that didn't take this threat seriously.&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;&lt;a href="#one"&gt;AI generated polymorphic exploits can bypass leading security tools&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#two"&gt;Patching failures and patching fatigue are stifling security teams&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href="#three"&gt;Endpoint patching only works for known devices and apps&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;h2 id="one"&gt;1. AI generated polymorphic exploits can bypass leading security tools&lt;/h2&gt;

&lt;p&gt;Recently, AI-generated polymorphic malware has been developed to bypass EDR and antivirus, leaving security teams with blind spots for threats and vulnerabilities.&lt;/p&gt;

&lt;h3&gt;Real-world example: ChatGPT Polymorphic Malware Evades “Leading” EDR and Antivirus Solutions&lt;/h3&gt;

&lt;p&gt;In one report, researchers created&amp;nbsp;&lt;a href="https://www.hackread.com" rel="noopener" target="_blank"&gt;polymorphic malware by abusing ChatGPT&lt;/a&gt; prompts&amp;nbsp;that&amp;nbsp;evaded&amp;nbsp;detection by antivirus software. In a similar report, researchers created a&amp;nbsp;&lt;a href="https://www.darkreading.com/endpoint-security/ai-blackmamba-keylogging-edr-security" rel="noopener" target="_blank"&gt;polymorphic keylogging malware that bypassed an industry-leading&amp;nbsp;automated EDR solution&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;These exploits achieved this by mutating their code slightly with every iteration and encrypting their malicious code without relying on a command-and-control (C2) communications channel.&lt;/p&gt;

&lt;p&gt;This mutation is not detectable by traditional signature-based and low-level heuristic detection engines. This means that security time gaps are created: time for a patch to be developed and released, for the patch to be tested for effectiveness, for the security team to prioritize vulnerabilities and for the IT (Information Technology) team to roll out the patches onto affected systems.&lt;/p&gt;

&lt;p&gt;In all, this could mean several weeks or months where an organization will need to rely on other security tools to help them protect critical assets until the patching process is completed successfully.&lt;/p&gt;

&lt;h2 id="two"&gt;2. Patching failures and patching fatigue are stifling security teams&lt;/h2&gt;

&lt;p&gt;Unfortunately, updates that break systems because the patches haven't been rigorously tested are a frequent occurrence. Also, some updates don't completely fix all weaknesses, leaving systems vulnerable to further attacks and requiring additional patches to fully remediate them.&lt;/p&gt;

&lt;h3&gt;Real-world example: Suffolk County’s ransomware attack&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://therecord.media/suffolk-county-new-york-ransomware-investigation" rel="noopener" target="_blank"&gt;The Suffolk County government in New York&lt;/a&gt;&amp;nbsp;recently released their findings from the forensic investigation of the data breach and ransomware&amp;nbsp;attack,&amp;nbsp;where the Log4j vulnerability was the threat actor’s entry point to breach their systems. The attack started back in December&amp;nbsp;2021,&amp;nbsp;which was the same time&amp;nbsp;&lt;a href="https://logging.apache.org/log4j/2.x/security.html" rel="noopener" target="_blank"&gt;Apache released security patches&lt;/a&gt; for these vulnerabilities.&amp;nbsp;&lt;br&gt;
&lt;br&gt;
Even with updates available, patching never took place, resulting in 400 gigabytes of data being stolen, including thousands of social security numbers, and an initial ransom demand of $2.5 million.&lt;/p&gt;

&lt;p&gt;The ransom was never paid, but the loss of personal data and employee productivity, together with the subsequent investigation, outweighed the cost of updated cyber hygiene appliances and tools and the final ransom demand of $500,000. The county is still trying to recover and restore all their systems today, having already spent $5.5 million.&lt;/p&gt;

&lt;h3&gt;Real-world example: An errant Windows server update caused me to work 24 hours straight&lt;/h3&gt;

&lt;p&gt;From personal experience, I once worked 24 hours straight because one Patch Tuesday, a Microsoft Windows server update was automatically downloaded and installed, which promptly broke authentication services between the IoT (Internet of Things) clients and the AAA (authentication, authorization and accounting) servers, grinding production to a screeching halt.&lt;br&gt;
&lt;br&gt;
Our company’s internal customer reference network, which was implemented by our largest customers, deployed Microsoft servers for Active Directory Certificate Services (ADCS) and Network Policy Servers (NPS), used for 802.1X EAP-TLS authentication of our IoT network devices managed over the air.&lt;/p&gt;

&lt;p&gt;This happened a decade ago, but similar incidents have recurred over the years since, including this update from July 2017, where NPS authentication broke for wireless clients, and &lt;a href="https://support.microsoft.com/en-us/topic/kb5014986-authentication-failures-occur-after-the-may-10-2022-update-is-installed-on-domain-controllers-running-windows-server-2012-r2-367a686a-f976-4170-9fdb-919a069689bd" rel="noopener" target="_blank"&gt;a repeat in May of last year&lt;/a&gt;.&lt;br&gt;
&lt;br&gt;
At that time, an immediate fix for the errant patch wasn't available, so I spent the next 22 hours rebuilding the Microsoft servers for the company’s enterprise public key infrastructure (PKI) and AAA services to restore normal operations. The saving grace was that we had taken the original root certificate authority offline, so that server wasn't affected by the bad update.&lt;/p&gt;

&lt;p&gt;However, we ended up having to revoke all the identity certificates issued by the subordinate certificate authorities to thousands of devices including routers, switches, firewalls&amp;nbsp;and&amp;nbsp;access points and re-enroll them back into the AAA service with new identity certificates.&lt;/p&gt;

&lt;p&gt;Learning from this experience, we disabled automatic updates for all Windows servers and took more frequent backups of critical services and data.&lt;/p&gt;

&lt;h2 id="three"&gt;3. Endpoint patching only works for known devices and apps&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;With the pandemic came the shift to &lt;a href="https://www.ivanti.com"&gt;Everywhere Work&lt;/a&gt;, where employees worked from home, often connecting their personal devices to their organization’s network. This left security teams with a blind spot: &lt;a href="https://www.cisco.com/c/en/us/products/security/what-is-shadow-it.html" rel="noopener" target="_blank"&gt;shadow IT&lt;/a&gt;. With shadow IT, assets go unmanaged and potentially out of date, bringing insecure personal devices and leaky applications into the environment.&lt;/p&gt;

&lt;p&gt;The resurgence of bring your own device (BYOD) policies and the lack of company-sanctioned secure remote access quickly expanded the organization’s external attack surface, exposing other attack vectors for threat actors to exploit.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Real-world example:&amp;nbsp;LastPass'&amp;nbsp;recent breach&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;LastPass is a very popular password manager that stores your passwords in an online vault. It has more than 25 million users and 100,000 businesses. Last year, LastPass &lt;a href="https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/" rel="noopener" target="_blank"&gt;experienced a massive data breach involving two security incidents&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The second incident &lt;a href="https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html" rel="noopener" target="_blank"&gt;leveraged data stolen during the first breach&lt;/a&gt; to target four DevOps engineers, specifically their home computers. One senior software developer used their personal Windows desktop to access the corporate development sandbox. The desktop also had an unpatched version of Plex Media Server (&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2020-5741" rel="noopener" target="_blank"&gt;CVE-2020-5741&lt;/a&gt;) installed.&lt;/p&gt;

&lt;p&gt;Plex provided a patch for this vulnerability three years ago. Threat actors used the vulnerability to deliver malware, perform privilege escalation (PE) and then remote code execution (RCE), gaining access to LastPass cloud-based storage and stealing DevOps secrets along with the multi-factor authentication (MFA) and federation databases.&lt;/p&gt;

&lt;p&gt;"Unfortunately, the LastPass employee never upgraded their software to activate the patch," Plex said in a statement. "For reference, the version that addressed this exploit was roughly 75 versions ago."&lt;/p&gt;

&lt;h2 id="four"&gt;If patching isn’t enough, how can organizations reduce their external attack surface?&lt;/h2&gt;

&lt;h3&gt;Cyber hygiene&lt;/h3&gt;

&lt;p&gt;Employees are the weakest link in an organization’s &lt;a href="https://www.ivanti.com/blog/cyber-hygiene-definition-and-best-practices"&gt;cyber hygiene&lt;/a&gt; program. Inevitably, they'll forget to update their personal devices, reuse the same weak password across different websites, install leaky applications, and click or tap on phishing links contained within an email, attachment or text message.&lt;/p&gt;

&lt;p&gt;Combat this by promoting a company culture of cybersecurity awareness and vigilance that includes:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Ensuring the latest software updates are installed on their personal and corporate devices.&lt;/li&gt;
	&lt;li&gt;Recognizing social engineering attack techniques, including the several types of phishing attacks.&lt;/li&gt;
	&lt;li&gt;Using multi-factor authentication whenever possible.&lt;/li&gt;
	&lt;li&gt;Installing antivirus software on desktops and mobile threat defense on mobile devices, and automatically updating their databases.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Continuing education is key to promoting great cyber hygiene within your organization, especially for&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/phishing-in-the-everywhere-workplace"&gt;anti-phishing&lt;/a&gt; campaigns. &amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Cyber hygiene tool recommendations&amp;nbsp;&lt;/h3&gt;

&lt;p&gt;In&amp;nbsp;cybersecurity, the saying goes, “You can’t protect what you can’t see.” Having&amp;nbsp;a complete&amp;nbsp;discovery and accurate inventory of all network-connected hardware, software&amp;nbsp;and&amp;nbsp;data,&amp;nbsp;including shadow IT assets, is the important first step to assessing an organization’s vulnerability risk profile. The asset data should feed into an enterprise&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;endpoint patch management&amp;nbsp;system&lt;/a&gt;.&amp;nbsp;&lt;br&gt;
&lt;br&gt;
Also, consider implementing a&amp;nbsp;&lt;a href="https://www.ivanti.com/products/risk-based-vulnerability-management"&gt;risk-based vulnerability management&lt;/a&gt;&amp;nbsp;approach to&amp;nbsp;prioritize&amp;nbsp;the overwhelming number of vulnerabilities to only those that pose the greatest risk to your organization.&amp;nbsp;Often included with risk-based vulnerability management solutions is a&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-vulnerability-knowledge-base"&gt;threat intelligence&lt;/a&gt;&amp;nbsp;feed into the &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;patch management system&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Threat intelligence is information about known or potential threats to an organization. These threats can come from a variety of sources, like security researchers, government agencies, infrastructure vulnerability and application security scanners, internal and external penetration testing results and even threat actors themselves.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;This information, including reports of specific patch failures and reliability issues gathered from various crowdsourced feeds, can help organizations remove internal patch testing requirements and reduce the time gap before patches are deployed to critical assets.&lt;/p&gt;

&lt;p&gt;A &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/unified-endpoint-management"&gt;unified endpoint management&lt;/a&gt; (UEM) platform is necessary to remotely manage and provide endpoint security to mobile devices, including shadow IT and BYOD assets.&lt;/p&gt;

&lt;p&gt;The solution can enforce patching to the latest mobile operating system (OS) and applications, provision email and secure remote access profiles including identity credentials and multi-factor authentication (MFA) methods like biometrics, smart cards, security keys, certificate-based or token-based authentication.&lt;/p&gt;

&lt;p&gt;The UEM solution should also integrate an AI/machine learning-based mobile threat defense (MTD) solution for mobile devices, while desktops require next-generation antivirus (NGAV) with robust heuristics to detect and remediate device, network and app threats with real-time anti-phishing protection.&lt;/p&gt;

&lt;p&gt;And finally, to level the playing field against AI-generated malware, cyber hygiene tools will have to evolve quickly by leveraging AI guidance to keep up with the more sophisticated polymorphic attacks that are on the horizon.&lt;/p&gt;

&lt;p&gt;Adding the solutions described above will help deter cyberattacks by putting impediments in front of threat actors, frustrating them into seeking out easier targets to victimize.&lt;/p&gt;
</description><pubDate>Wed, 14 Jun 2023 20:56:25 Z</pubDate></item><item><guid isPermaLink="false">071677a5-c8b3-4305-afc1-1930aaea5c9f</guid><link>https://www.ivanti.com/blog/phishing-in-the-everywhere-workplace</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>How Ivanti Deters Malicious Threats in the Everywhere Workplace</title><description>&lt;p&gt;&lt;img alt="phishing text message example" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/08/ivanti-blog-phishing-text-message.png"&gt;&lt;/p&gt;

&lt;p&gt;Back in May of this year, Verizon published its 15th annual &lt;a href="https://www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf" rel="noopener" target="_blank"&gt;Data Breach Investigation Report (DBIR) for 2022&lt;/a&gt;, which states that 82% of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse or an error, people are the biggest contributors to security incidents and breaches.&lt;/p&gt;

&lt;p&gt;The past several months have also seen numerous phishing attacks via corporate email and SMS text messages. One notable attack was a very official-looking email regarding my work performance and a pay raise, with an innocuous-looking link to a malicious website.&lt;/p&gt;

&lt;p&gt;Other colleagues have reported receiving text messages from our company CEO, again with a link to a malicious site. It’s very easy to fall victim to these sophisticated social engineering traps, especially on the mobile devices we continue to use heavily while we work in the Everywhere Workplace.&lt;/p&gt;

&lt;p&gt;&lt;img alt="phishing email example" src="https://static.ivanti.com/sites/marketing/media/images/blog/2022/08/ivanti-blog-phishing-email-example.png"&gt;&lt;/p&gt;

&lt;p&gt;This short video just serves to remind the hybrid workforce that uses their mobile devices for work that Ivanti has a &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense&lt;/a&gt; solution that will block new and known malicious domains and websites!&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="727494622"&gt;&lt;/object&gt;&lt;/p&gt;
</description><pubDate>Tue, 23 Aug 2022 21:33:31 Z</pubDate></item><item><guid isPermaLink="false">00540185-1e50-4622-8454-8f84884b0818</guid><link>https://www.ivanti.com/blog/9-types-of-phishing-and-ransomware-attacks-and-how-to-identify-them</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>9 Types of Phishing and Ransomware Attacks—And How to Identify Them</title><description>&lt;p&gt;Cyberattacks have become more pervasive globally, evolving&amp;nbsp;quickly in sophistication and scale, and&amp;nbsp;are now&amp;nbsp;more lucrative&amp;nbsp;than ever&amp;nbsp;for cybercriminals.&amp;nbsp;&amp;nbsp;Not only has The Everywhere Workplace extended the cyber risk and threat landscape—especially for data&amp;nbsp;privacy and its protection—but a lot of Agile software developers, many of whom lack any&amp;nbsp;DevSecOps&amp;nbsp;process, are&amp;nbsp;publishing&amp;nbsp;untested or poorly tested software that can be&amp;nbsp;exploited&amp;nbsp;as zero-days by criminal gangs.&amp;nbsp;&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The most common techniques used by cybercriminals have remained constant over the past several years, with phishing and ransomware continuing to occupy two of the top three spots. According to the &lt;a href="https://www.verizon.com/business/resources/reports/dbir/" rel="noopener" target="_blank"&gt;Verizon 2021 Data Breach Investigations&lt;/a&gt; Report, phishing held the top spot as the data breach tactic used most often, jumping from 25% of all data breaches in 2020 to 36% in 2021. Ransomware, on the other hand, was responsible for most data breaches caused by malware.&lt;/p&gt;

&lt;p&gt;Worse yet, these types of attacks continue to evolve and now include the use of machine learning and artificial intelligence (AI), automation, chained exploits against known and zero-day vulnerabilities, zero-click exploit kits developed by the NSO Group, fileless malware and the adoption of the “as-a-service” business model. These evolutions help cybercriminals stay one step ahead of their targets.&lt;/p&gt;

&lt;h2&gt;What is phishing?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Phishing is a social engineering tactic that uses deception to steal an end user’s credentials and other personal information. The most common phishing delivery tactics are email and attachments, text and multimedia messages, telephone and malicious advertisement networks. These tools persuade the end user to tap on a hyperlink to a specially crafted counterfeit site or internet domain. End users are easily coaxed into divulging their precious personal information because of attention-grabbing headlines and authentic-looking, obfuscated or shortened hyperlinks. And when the end user lands on the site, a malicious exploit kit or keylogger can be unknowingly downloaded onto the device or desktop to steal personal information, including credentials or credit card numbers, which attackers can then use to compromise devices and steal more high-value information. Phishing continues to be the most common type of cybercrime today, and as remote and hybrid work becomes the norm, companies and employees have become more relaxed with their cybersecurity hygiene. It is human nature.&lt;/p&gt;

&lt;p&gt;Types of phishing techniques:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;strong&gt;Phishing-as-a-service&lt;/strong&gt;&amp;nbsp;is a business model that packages&amp;nbsp;the most effective phishing tools and is sold as a commodity to anyone willing to pay.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Cloning&lt;/strong&gt;&amp;nbsp;duplicates legitimate-looking business emails and websites that deceive targets into clicking a hyperlink that is replaced with a link to&amp;nbsp;a&amp;nbsp;malicious site.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Deep fake&lt;/strong&gt;&amp;nbsp;employs&amp;nbsp;artificial intelligence (AI) to propagate deceptive information or influence end users by manipulating an individual’s spoken&amp;nbsp;words,&amp;nbsp;mannerisms&amp;nbsp;and expressions originally recorded as audio or video. &amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Emails&amp;nbsp;and attachments&lt;/strong&gt;&amp;nbsp;can be crafted that&amp;nbsp;look legitimate but trick an individual into clicking a hyperlink where they unknowingly&amp;nbsp;disclose&amp;nbsp;personal information or credentials. &amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Pharming&amp;nbsp;&lt;/strong&gt;employs&amp;nbsp;authentic-looking hyperlinks in phishing emails&amp;nbsp;that&amp;nbsp;redirect&amp;nbsp;end users from a specific, legitimate site to a malicious one by changing the Domain Name System (DNS) table in the host web server. &amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Smishing (SMS phishing)&amp;nbsp;&lt;/strong&gt;leverages text communication that uses link shorteners to conceal malicious links within a text message.&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Spear phishing&lt;/strong&gt; usually targets administrative-level individuals or groups with a personalized pretext, aiming for greater success by stealing credentials that carry greater permissions to access more sensitive company data.&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Vishing or voice phishing&lt;/strong&gt;&amp;nbsp;uses&amp;nbsp;traditional telephone voice communication to trick&amp;nbsp;victims&amp;nbsp;into revealing sensitive information or sending money&amp;nbsp;to the cybercriminal. &amp;nbsp;&lt;/li&gt;
	&lt;li&gt;&lt;strong&gt;Whaling&lt;/strong&gt;&amp;nbsp;deceives&amp;nbsp;C-suite executives&amp;nbsp;by&amp;nbsp;enticing them&amp;nbsp;to&amp;nbsp;click a hyperlink or attachment that installs an&amp;nbsp;exploit kit or malware&amp;nbsp;on their device&amp;nbsp;to steal sensitive company or personal information.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;What is ransomware?&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Ransomware is malware whose sole purpose is to extort money from the end user. Once the end user’s credentials are obtained via a phishing attack, cybercriminals can grab additional valuable data from the user’s mobile device or laptop, then break out of the device and move laterally across connected networks in search of more valuable data to steal. Cybercriminals can then block access to critical information, often by encrypting the data, before sending out a ransom note and expecting payment in untraceable cryptocurrencies like Bitcoin or Monero. If the data is extremely sensitive, ransomware gangs can “double extort” their victims by threatening to reveal the information to the public unless an additional ransom is paid.&lt;/p&gt;

&lt;p&gt;Ransomware is also spread using trojans, spam email with malicious attachments, fake software update tools, third-party software app stores and distribution sources that push apps and tools containing malware, spyware or exploit kits.&lt;/p&gt;

&lt;p&gt;2021 was a record-setting year for data breaches and ransomware. Successful high-profile ransomware attacks were executed against CNA Financial Corporation in March, Colonial Pipeline in late April, computer manufacturer Acer in May, and, also in May, one of the largest meat packing companies, JBS Foods. Another was Kaseya VSA (Virtual System Administrator) in July, although no ransom was ever paid as the FBI (Federal Bureau of Investigation) was able to obtain the decryption keys from the servers of the ransomware gang to restore the IT (information technology) infrastructure of its clients.&lt;/p&gt;

&lt;h2&gt;Combating phishing and ransomware&amp;nbsp;&lt;/h2&gt;

&lt;p&gt;Cybercriminal gangs have&amp;nbsp;become more sophisticated and well-funded with a&amp;nbsp;potent&amp;nbsp;set of attack tools and tactics at their disposal.&amp;nbsp;&amp;nbsp;It&amp;nbsp;feels like a constant perfect storm keeps hitting the internet, and some organizations believe that a life preserver is sufficient to withstand this Category 5&amp;nbsp;hurricane.&amp;nbsp;&amp;nbsp;&lt;/p&gt;

&lt;p&gt;In the Everywhere Workplace, to have a fighting chance to&amp;nbsp;protect&amp;nbsp;your&amp;nbsp;precious&amp;nbsp;data,&amp;nbsp;it&amp;nbsp;is imperative to place as many robust impediments as possible in the path of these cybercriminals.&amp;nbsp;Ivanti &lt;a href="https://www.ivanti.com/"&gt;develops&amp;nbsp;cybersecurity&amp;nbsp;solutions to&amp;nbsp;discover, manage, and secure&amp;nbsp;your data&lt;/a&gt;&amp;nbsp;found in mobile devices, desktops, servers, applications, networks&amp;nbsp;and cloud stores&amp;nbsp;and protect it&amp;nbsp;from being compromised.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Learn more&lt;/h2&gt;

&lt;p&gt;Discover best practices for defending against phishing.&amp;nbsp; &lt;a href="https://www.ivanti.com/webinars/2021/webinar-series-part-one-a-multi-layered-approach-to-anti-phishing"&gt;Watch the on-demand webinar: A Multi-Layered Approach to Anti-Phishing&lt;/a&gt;.&amp;nbsp;&lt;/p&gt;

</description><pubDate>Wed, 19 Jan 2022 18:54:07 Z</pubDate></item><item><guid isPermaLink="false">851a7b30-d0d6-4bde-8248-550e3387a6fc</guid><link>https://www.ivanti.com/blog/my-new-year-s-resolution-going-passwordless</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>My New Year’s Resolution: Going Passwordless!</title><description>&lt;p&gt;What is your New Year’s resolution for 2022? Well, it &lt;em&gt;is&lt;/em&gt; that time of year again! My resolutions are not necessarily new, but a continuation of several that I have made in prior years. Eat healthier foods, lose weight, and save money are the ones that immediately come to mind. Another best practice that I started several years ago was to adopt a passwordless authentication initiative for all my internet connected personal devices. Fortunately for me, my company began enforcing zero sign-on authentication along with deploying a multi-layered anti-phishing protection system several years back. Additionally, we made the transition to using stronger authentication factors like inherence – specifically biometrics – and possession, which was a lot easier than I anticipated.&lt;/p&gt;

&lt;p&gt;Eliminating passwords just makes too much sense as it raises your company’s Zero Trust security maturity level by removing the most common root cause of data breaches. This is more important than ever as 2021 has been a record-setting year for data breaches, and according to the &lt;a href="https://www.verizon.com/business/resources/reports/dbir/" rel="noopener" target="_blank"&gt;Verizon 2021 Data Breach Investigation Report (DBIR)&lt;/a&gt;, cybercriminals specifically sought out credentials as the most common data type in 61% of all breaches because it is the gift that keeps on giving. Also, with the resurgence of the Pegasus spyware that now exploits zero-day vulnerabilities in common apps like iMessage, FaceTime, Safari, WhatsApp, and others, stolen data – specifically credentials – allow attackers to gain a foothold onto a compromised device without the end user knowing. This privileged data can then be used for lateral movement onto the corporate network, data center, and cloud systems in search of other high value assets, resulting in a ransomware or an advanced persistent threat (APT) attack.&lt;/p&gt;

&lt;p&gt;How can Ivanti help? &lt;a href="https://www.ivanti.com/products/passwordless-authentication" target="_blank"&gt;Ivanti’s Zero Sign-On (ZSO)&lt;/a&gt; can be added onto your company’s passwordless authentication solution at any time. Contextual conditional access policies can be implemented to grant or deny access based not only on a trusted user, but also on the trusted device, app, network (location) and time. For remote desktops, ZSO’s FIDO2 (Fast IDentity Online 2) solution can be enabled by using your iOS, iPadOS or Android mobile device as an analog for the security key to securely access your Windows or Mac laptop, and then seamlessly access your Microsoft 365, Google Workspace, Salesforce and other cloud-based work resources in a single sign-on (SSO) deployment within the Everywhere Workplace.&lt;/p&gt;

&lt;p&gt;&lt;img alt="salesforce sign in using security key or biometric" src="https://static.ivanti.com/sites/marketing/media/images/blog/ny-resolution-fig.1.png"&gt;&lt;/p&gt;


&lt;p&gt;FIDO2 is the most secure passwordless identity authenticator option available, especially if it is used in a multi-factor authentication (MFA) system to securely access your digital work resources and services. FIDO2 leverages the stronger authentication factors, with biometrics as the inherence factor and your mobile device as the possession factor. Newer ZSO features that are being released in January 2022 include Bluetooth Low Energy (BLE) desktop login to Windows and Mac laptops offline without an internet connection (see Figure 1), and support for FIDO2 compliant security keys from &lt;a href="https://www.yubico.com/products/?utm_source=bing&amp;amp;utm_medium=pd:search&amp;amp;utm_campaign=US_B2C_LeadGen_Bing_SEM_Brand&amp;amp;utm_content=&amp;amp;msclkid=98f3f4affd5914eb0f7d95649a477452" rel="noopener" target="_blank"&gt;Yubico&lt;/a&gt; and &lt;a href="https://gotrustid.com/" rel="noopener" target="_blank"&gt;GoTrust&lt;/a&gt; to access your desktop as well as cloud apps (see Figure 2).&lt;/p&gt;

&lt;p&gt;&lt;img alt="mobileiron go authentication" src="https://static.ivanti.com/sites/marketing/media/images/blog/ny-resolution-fig2.jpg"&gt;&lt;/p&gt;

&lt;p&gt;So, why is FIDO2 the most secure option available? The most notable reason is that a password or PIN (personal identification number) is no longer required with FIDO2, which adds more security. Also, the cryptographic (public key) credentials used to log in to websites and online services across the internet with FIDO2 are unique. This ensures your online privacy and adds confidentiality to your session. Your personal information remains on your mobile device and is never transmitted over the internet or stored on a server. This immediately eliminates the threat of phishing and credential theft. Additionally, the built-in biometric scanner within your mobile device, using either your fingerprint or face to validate your identity, is frictionless and very convenient.&lt;/p&gt;

&lt;p&gt;FIDO2 is a component of the &lt;a href="https://forums.ivanti.com/s/mobileiron-access?language=en_US" target="_blank"&gt;Ivanti Access&lt;/a&gt; platform, which requires &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-mdm"&gt;Neurons for Mobile Device Management&lt;/a&gt; and Zero Sign-On (ZSO). Ivanti recommends a defense-in-depth zero trust security strategy to combat today’s sophisticated threats, with additional solutions that include &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-unified-endpoint-management"&gt;Neurons for Unified Endpoint Management (UEM)&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense (MTD)&lt;/a&gt;. MTD provides multiple layers of protection against device-, network- and app-level attacks and phishing. &lt;a href="https://www.ivanti.com/products/secure-access-management"&gt;Neurons for Secure Access (nSA)&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;Neurons for Zero-Trust Access (nZTA)&lt;/a&gt;&amp;nbsp;add a next-generation software-defined perimeter (SDP) secure remote access solution, and &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Neurons for Patch Intelligence&lt;/a&gt; now adds RiskSense risk-based vulnerability management (RBVM) to the security patching process.&lt;/p&gt;

&lt;p&gt;With credential theft so rampant on the internet and the invasive Pegasus spyware in the wild, it’s no wonder attacks like ransomware are growing dramatically. The answer is to place as many impediments as possible in front of cybercriminals, raising the odds that they give up and move on to targets that lack the proper security controls. Ivanti provides a robust toolset to help thwart today’s sophisticated cybercriminals. Now that is a New Year’s resolution we can all get behind and support!&lt;/p&gt;

</description><pubDate>Wed, 29 Dec 2021 19:34:08 Z</pubDate></item><item><guid isPermaLink="false">3d1e38f8-fb06-4309-bd0a-b8914304797b</guid><link>https://www.ivanti.com/blog/quick-demo-mobile-threat-defense-android-12-anti-phishing-protection</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Quick Demo: Android 12 Anti-Phishing Protection</title><description>&lt;p&gt;This month is Cybersecurity Awareness Month and at Ivanti we want you to #BeCyberSmart. We’re focusing on this week’s theme of phishing. In this short video, James Saturnio, Senior Lead Technical Market Advisor at Ivanti, shows the power of&amp;nbsp;&lt;a href="https://www.ivanti.com/products/mobile-threat-defense" target="_blank"&gt;Ivanti’s Mobile Threat Defense&lt;/a&gt;&amp;nbsp;(MTD) multilayered anti-phishing protection by blocking 10 random phishing URLs taken from the OpenPhish feed. To learn more about Ivanti MTD,&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/not-another-phishing-and-ransomware-blog" target="_blank"&gt;check out this blog post&lt;/a&gt;&amp;nbsp;to see how the Ivanti solution can defend against phishing and ransomware.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="631153776"&gt;&lt;/object&gt;&lt;/p&gt;
</description><pubDate>Wed, 13 Oct 2021 19:21:24 Z</pubDate></item><item><guid isPermaLink="false">8e694495-ae06-46b9-a4f0-6305ed15a9bb</guid><link>https://www.ivanti.com/blog/be-a-cyber-defender-and-protect-your-mobile-devices</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Be a Cyber Defender and Protect Your Mobile Devices!</title><description>&lt;p&gt;Like zero trust security, being a cyber defender is a personal mindset. One can argue that it borders on paranoia, but staying situationally aware while connected online is a healthy habit given today’s barrage of ransomware and data breach news. Zero trust means never trust, always verify: assume the network you are connected to and your device itself are compromised, and that the applications and content installed on your device are vulnerable to sophisticated chained exploits.&lt;/p&gt;

&lt;p&gt;Now, take a deep breath and let’s fight back against these cybercriminals! Follow the list of cybersecurity hygiene best practices below to protect all your mobile devices, physically and virtually, by applying multiple layers of protection. And a pro tip: &lt;a href="https://www.ivanti.com/ivanti-neurons" target="_blank"&gt;Ivanti Neurons for MDM&lt;/a&gt;, formerly MobileIron Cloud, &lt;a href="https://www.ivanti.com/products/mobile-threat-defense" target="_blank"&gt;Ivanti Mobile Threat Defense&lt;/a&gt;, &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on" target="_blank"&gt;Ivanti Zero Sign-On&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/connect-secure-vpn" target="_blank"&gt;Ivanti Connect Secure&lt;/a&gt; can all be configured and deployed over the air, and can enforce policies to ensure these security controls are enabled on your mobile devices.&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Turn on your mobile device’s screen lock with biometric authentication such as iOS’ Face ID, Android’s fingerprint or Face Unlock, or Samsung’s Iris unlock. This is the first impediment a threat actor has to bypass if your mobile device is lost or stolen, and a UEM policy can ensure these controls are enabled and remain enabled on managed mobile devices.&lt;/li&gt;
	&lt;li&gt;Enable file-based encryption. It is switched on automatically as soon as you set a strong passcode, which is combined with a device-unique hardware key to derive the keys that protect your files. This is the second impediment a threat actor has to overcome.&lt;/li&gt;
	&lt;li&gt;Never share your credentials with anyone, and enable multi-factor authentication (MFA) for your online accounts and remote access services such as Virtual Private Networks (VPN). Prefer the stronger factors, inherence (biometrics), possession and context (location and time of day), over knowledge factors such as passwords or PINs, which can be phished or guessed.&lt;/li&gt;
	&lt;li&gt;Refrain from connecting to unsecured Wi-Fi networks. If you must connect to Wi-Fi networks in public spaces, such as the airport or hotel, turn on an always-on VPN.&lt;/li&gt;
	&lt;li&gt;Regularly update your mobile operating system and applications.&lt;/li&gt;
	&lt;li&gt;Install mobile threat defense (MTD) onto all your mobile devices, preferably one that has advanced detection and protection capabilities at the device, app, and network levels including anti-phishing protection for email, attachments, and text messages, like Ivanti Mobile Threat Defense.&lt;/li&gt;
	&lt;li&gt;Only download applications from the iOS App Store or Google Play Store. If your company employs a unified endpoint management (UEM) platform, the IT administrator can deploy the company’s enterprise app store or silently install work applications onto the managed device. If the device is lost or stolen, the UEM can remotely lock, retire, or wipe the managed device to further safeguard your data.&lt;/li&gt;
	&lt;li&gt;Do not jailbreak or root your mobile devices. Doing so removes the native platform protections and lets malicious apps or exploits take control of your device.&lt;/li&gt;
	&lt;li&gt;Back up important data onto your desktop or to a trusted cloud storage service.&lt;/li&gt;
	&lt;li&gt;With the ongoing pandemic and the resurgence of the COVID virus, most of us spend our time at home. I employ a home firewall with an intrusion prevention system turned on in front of my wireless router from the internet. There are free open-source firewalls that you can install and run on an older PC with easy-to-follow instructions online.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;/p&gt;

&lt;p&gt;Apply the same common sense and multilayered security strategy you use to safeguard your wallet and personal valuables from thieves to your mobile devices. Take it a step further by implementing the aggressive countermeasures above for all your mobile devices, not so much for the replacement cost of the device itself as for the sensitive data and irreplaceable content it contains. The additional benefit may include keeping your sanity intact!&lt;/p&gt;

&lt;p&gt;Interested in reading more about mobile device security? &lt;a href="https://www.ivanti.com/blog/authors/james-saturnio" target="_blank"&gt;Check out my other blog posts&lt;/a&gt; to learn how to defend against ransomware, phishing and more!&lt;/p&gt;
</description><pubDate>Tue, 12 Oct 2021 18:37:03 Z</pubDate></item><item><guid isPermaLink="false">96a42bd4-e7e2-470a-b961-8980bdc5248f</guid><link>https://www.ivanti.com/blog/fighting-ransomware-using-ivanti-s-platform-to-build-a-resilient-zero-trust-security-defense-part-2</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Fighting Ransomware: Using Ivanti’s Platform to Build a Resilient Zero Trust Security Defense – Part 2</title><description>&lt;p&gt;&lt;em&gt;Within the &lt;/em&gt;&lt;a href="https://www.ivanti.com/blog/fighting-ransomware-using-ivanti-s-platform-to-build-a-resilient-zero-trust-security-defense"&gt;initial blog in this series&lt;/a&gt;&lt;em&gt;, we discussed ransomware attacks and their remediation on Android mobile devices. Part 2 addresses potential ransomware exploits and their remediation on iOS, iPadOS mobile devices and macOS desktops.&lt;/em&gt;&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;iOS and iPadOS Exploits&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;One quick first check for unwanted software on your iPhone, iPad or Mac is to look for a configuration profile you do not recognize under Settings &amp;gt; General &amp;gt; VPN &amp;amp; Device Management (System Preferences &amp;gt; Profiles on macOS). Malicious third-party apps, commonly sideloaded from non-sanctioned websites or an infected personal computer, or installed through package managers like Cydia or Sileo and unofficial app stores like TweakDoor (formerly TweakBox) or TutuApp, often add their own configuration profile there. Package managers are usually installed after jailbreaking an iOS or iPadOS device, while unofficial app stores do not require a jailbreak; both are repositories for alternative apps, tweaks and tools to customize your Apple device. These third-party apps have often not been rigorously tested for vulnerabilities and can carry malware that takes complete control of your device without your knowledge. An unknown profile is a red flag rather than proof of compromise, and its absence does not prove the device is clean.&lt;/p&gt;

&lt;p&gt;Apple’s mobile device management (MDM) framework lets your company’s IT department remotely enroll corporate and personally owned iOS, iPadOS or macOS devices over the air with a unified endpoint management (UEM) platform like &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-unified-endpoint-management"&gt;Ivanti Neurons for UEM&lt;/a&gt;, which installs an MDM enrollment profile in the same Device Management settings. UEM then manages the device, distributes applications and content, and enforces restrictions and security configurations on it.&lt;/p&gt;

&lt;p&gt;A configuration profile is an XML property list made up of payloads, each holding key-value settings; a partial list follows. &lt;a href="https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf" target="_blank" rel="noopener"&gt;The full itemized list is located here&lt;/a&gt;. The good news is that since iOS 12.2 a downloaded profile is no longer installed automatically: the user must open Settings, explicitly install it and, for a root certificate payload, separately enable trust for it within the Device Management and Certificate Trust settings. The partial list includes:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Restrictions on device features&lt;/li&gt;
	&lt;li&gt;Credentials like identity and chain of trust certificates, secrets, and keys&lt;/li&gt;
	&lt;li&gt;Wi-Fi profiles&lt;/li&gt;
	&lt;li&gt;VPN profiles&lt;/li&gt;
	&lt;li&gt;Email server and Exchange settings&lt;/li&gt;
	&lt;li&gt;LDAP directory service settings&lt;/li&gt;
	&lt;li&gt;CalDAV calendar service settings&lt;/li&gt;
	&lt;li&gt;Web clips.&lt;/li&gt;
&lt;/ul&gt;
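&lt;p&gt;As an added example (not part of the original post and not Ivanti’s or Apple’s code), the short Python script below reads a configuration profile the way the Device Management screen does: it parses the plist, lists every payload and flags the payload types an attacker is most interested in (a root CA paired with a global proxy is the classic traffic-interception combination). The sample profile is constructed inline for the demonstration; the payload type strings are Apple’s, the one-line risk notes are the script’s own.&lt;/p&gt;

```python
# Added example, not Ivanti's or Apple's code: list the payloads inside an Apple
# configuration profile and flag the types that deserve a hard look when the profile
# is not one you or your IT department installed. A .mobileconfig is an XML property
# list, so plistlib from the standard library is enough to read an unsigned one.
import plistlib
import uuid

# Apple's real PayloadType identifiers; the one-line risk notes are this script's own.
RISKY = {
    "com.apple.security.root": "adds a trusted root CA (enables TLS interception)",
    "com.apple.security.pkcs12": "installs an identity certificate and private key",
    "com.apple.proxy.http.global": "routes all web traffic through a proxy",
    "com.apple.vpn.managed": "installs a VPN that can carry all device traffic",
    "com.apple.dnsSettings.managed": "overrides DNS resolution",
    "com.apple.webcontent-filter": "installs a filter that sees web traffic",
    "com.apple.mdm": "enrolls the device under a remote management server",
    "com.apple.webClip.managed": "adds a home-screen icon that opens a chosen URL",
}

def _payload(ptype, ident, **settings):
    """One payload dictionary with the keys every payload must carry."""
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1,
            "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)), **settings}

# Constructed sample: a "free Wi-Fi" profile that also slips in a root CA and a
# global proxy, the classic pair for intercepting a victim's web traffic.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.freewifi",
    "PayloadDisplayName": "Free Airport Wi-Fi",
    "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, "com.example.freewifi")),
    "PayloadVersion": 1,
    "PayloadContent": [
        _payload("com.apple.wifi.managed", "com.example.freewifi.wifi",
                 SSID_STR="Airport_Free", EncryptionType="None"),
        _payload("com.apple.security.root", "com.example.freewifi.ca",
                 PayloadDisplayName="Airport Root CA", PayloadContent=b"placeholder DER"),
        _payload("com.apple.proxy.http.global", "com.example.freewifi.proxy",
                 ProxyServer="proxy.example.net", ProxyServerPort=8080),
    ],
})

def inventory(profile_bytes):
    """One record per payload: its type, identifier and a risk note (None if benign)."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a top-level configuration profile")
    return [{"type": p.get("PayloadType", ""),
             "identifier": p.get("PayloadIdentifier", ""),
             "risk": RISKY.get(p.get("PayloadType", ""))}
            for p in profile.get("PayloadContent", [])]

def flagged(profile_bytes):
    """Only the payloads that warrant a closer look."""
    return [r for r in inventory(profile_bytes) if r["risk"]]

def report(profile_bytes):
    """Readable summary, one line per payload, risky ones marked with a double bang."""
    profile = plistlib.loads(profile_bytes)
    lines = ["Profile: %s (%s)" % (profile.get("PayloadDisplayName"), profile.get("PayloadIdentifier"))]
    for r in inventory(profile_bytes):
        note = "  !! " + r["risk"] if r["risk"] else ""
        lines.append("  %-32s %s%s" % (r["type"], r["identifier"], note))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_PROFILE))
```

&lt;p&gt;Run it against a real file with inventory(open(path, "rb").read()). Profiles pushed by an MDM are normally CMS-signed, so plistlib will reject them until the inner plist is unwrapped, for example with openssl smime -inform DER -verify -noverify -in profile.mobileconfig. On a managed device your own MDM enrollment and VPN payloads will be flagged too, which is the point: the question is not whether such payloads exist but whether you recognize who issued them.&lt;/p&gt;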

&lt;p&gt;The other good news is that these suspicious or untrusted configuration profiles, along with malware and other malicious exploits including the Pegasus spyware, are detected by &lt;a href="https://www.ivanti.com/products/mobile-threat-defense" target="_blank" rel="noopener"&gt;Ivanti Mobile Threat Defense (MTD)&lt;/a&gt;, which can then trigger compliance actions such as blocking access to corporate resources or quarantining the device. Another visible sign that a threat was detected: as part of a quarantine action, UEM-provisioned managed apps and their content are removed from the iOS or iPadOS device to prevent data loss, and once the threat is remediated the managed apps are restored so the user can keep working. (See the video below for a demonstration of this capability.)&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="601397097"&gt;&lt;/object&gt;&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;macOS Exploits&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;Apple macOS desktops are not immune to malicious exploits either, as evidenced by the list of high-severity arbitrary and remote code execution vulnerabilities in the &lt;a href="https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/Apple-Mac-Os-X.html" target="_blank" rel="noopener"&gt;Common Vulnerabilities and Exposures&lt;/a&gt; details database. Fortunately, &lt;a href="https://support.apple.com/en-us/HT201222" target="_blank" rel="noopener"&gt;security updates&lt;/a&gt; exist for these known and former zero-day vulnerabilities.&lt;img alt="screenshot of a ransomware attack" src="https://static.ivanti.com/sites/marketing/media/images/blog/ios_ipados_exploits1.png"&gt;&lt;/p&gt;

&lt;p&gt;More recently, a new variant of the AdLoad malware was found in the wild evading Apple’s built-in XProtect malware scanner. AdLoad is a&amp;nbsp;&lt;a href="https://heimdalsecurity.com/glossary#trojan-horse" target="_blank" rel="noopener"&gt;trojan&lt;/a&gt; that specifically targets macOS and is currently used to push payloads like adware, bundleware and&amp;nbsp;&lt;a href="https://heimdalsecurity.com/glossary#potentially-unwanted-application" target="_blank" rel="noopener"&gt;Potentially Unwanted Applications (PUAs)&lt;/a&gt;. It can also harvest system information and send it to remote servers under the attackers’ control. Other macOS malware strains have bypassed XProtect as well, infecting devices with chained payloads that exploited zero-day vulnerabilities to evade Apple’s File Quarantine, Gatekeeper and Notarization checks. Future AdLoad versions could evolve to drop exploit kits that harvest personal information, move laterally across the network or deliver ransomware.&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;iCloud Exploits&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;Back in June of 2014, an iCloud ransomware attack succeeded with victims in Australia, New Zealand, and the United States.&lt;/p&gt;

&lt;p&gt;On affected iOS and iPadOS devices and macOS laptops, the lock screen was overlaid with a message demanding payment to unlock the device. How did the threat actors pull this off? Account credentials were harvested through phishing and brute-force password guessing against weakly protected iCloud accounts.&lt;img alt="ios ipados exploit notification" src="https://static.ivanti.com/sites/marketing/media/images/blog/ios_ipados_exploit2.png"&gt;&lt;/p&gt;

&lt;p&gt;These threat actors used the Find My iPhone, Find My iPad, Find My Mac, or Find My iPod services within iCloud that allow the owner to try to locate their lost device from any web browser. If the lost device were still connected to the internet, the rightful owner could display a message on the screen instructing the person in possession of the device to contact them, remotely set a locking PIN (Personal Identification Number) or wipe the contents of the device.&lt;br&gt;
&lt;br&gt;
Once the threat actors had a victim’s iCloud credentials, they remotely set a new PIN and locked the rightful owner out of the device, then displayed a ransom message demanding a $100 payment to unlock it.&lt;/p&gt;

&lt;p&gt;&lt;img alt="ios ipados exploit notification" src="https://static.ivanti.com/sites/marketing/media/images/blog/ios_ipados_exploit3.png"&gt;Other similar exploits include fake antivirus support pop-up messages that inform the user to call a telephone number to remove the malware. Victims would then be coerced to pay money to remove the malware from their devices or laptops. The simple solution was to restore from a Time Machine backup.&lt;/p&gt;

&lt;p&gt;The good news is that &lt;a href="https://www.cvedetails.com/product/34308/Apple-Icloud.html?vendor_id=49" target="_blank" rel="noopener"&gt;iCloud vulnerabilities&lt;/a&gt; have decreased in both severity and count in recent years. Credential theft and ransomware attacks, however, have gone up dramatically in the Everywhere Workplace, and some of them are run by nation-state backed advanced persistent threat (APT) actors who borrow the same machine learning (ML) techniques used by reputable security researchers to evade detection and cover their tracks after a successful breach. According to the &lt;a href="https://www.verizon.com/business/resources/infographics/2021/2021-msi-executive-summary-infographic.pdf" target="_blank" rel="noopener"&gt;Verizon 2021 Mobile Security Index&lt;/a&gt;, phishing attempts rose 364% in 2020 versus 2019. That is mind blowing! What will the 2021 numbers reveal?&lt;/p&gt;

&lt;h2&gt;&lt;strong&gt;Additional iOS, iPadOS and macOS Remediation&lt;/strong&gt;&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;These settings are applicable within the iOS, iPadOS and macOS device:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Apple devices use the passcode (4-digit, 6-digit or arbitrary-length alphanumeric) as the user-supplied input to Data Protection: the passcode is combined with a device-unique hardware key to derive the keys that protect files on iOS and iPadOS (file-based encryption), and on macOS the login password similarly unlocks the encrypted startup volume (FileVault). The stronger the passcode, the more guesses an attacker with physical possession of the device must make, and the less likely a brute-force attack succeeds. Unified endpoint management platforms like Ivanti Neurons for UEM and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; (MTD) can enforce strong, complex passcodes on managed devices.&lt;/p&gt;

&lt;p&gt;Only download apps from the iOS or Mac App Stores.&lt;/p&gt;

&lt;p&gt;If your company employs a UEM platform and deploys an enterprise app store, download apps from the company app store only, as well.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;These settings are configured within Ivanti Neurons for UEM or MobileIron Core:&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
	&lt;li&gt;Create a Software Updates configuration to automatically update to the latest available iOS, iPadOS or macOS version for the device.&amp;nbsp;For iOS and iPadOS only, Ivanti MTD can also enforce that the latest OS version is running on the device and if not, alert the user and UEM administrator that the device is running a vulnerable OS version and apply compliance actions like block or quarantine until the device is updated.&lt;/li&gt;
	&lt;li&gt;For macOS desktops, create a FileVault 2 configuration to enable volume-based encryption.&lt;/li&gt;
	&lt;li&gt;For iOS and iPadOS devices, enable Ivanti MTD on-device (using MTD Local Actions) and cloud-based to provide multiple layers of protection for phishing (Anti-phishing Protection) and device, network, and app level threats (using the Threat Response Matrix within the MTD management console).&lt;/li&gt;
	&lt;li&gt;For macOS desktops, augment the built-in malware scanner by also installing a reputable antivirus agent that updates its detection signatures and engine regularly.&lt;/li&gt;
	&lt;li&gt;For BYOD (Bring Your Own Device) deployments, create a deny list of disallowed apps for the device. For company-owned devices, create an allow list of the apps that may be installed.&lt;/li&gt;
	&lt;li&gt;Back up data automatically to a cloud storage provider like iCloud, Google Drive, OneDrive, Box or Dropbox, and keep secondary and tertiary copies with two or more of these providers, several of which offer free storage. Also back up personal data onto a local hard drive that is encrypted, password-protected and kept disconnected from the device and network; an offline copy is the one ransomware cannot reach.&lt;/li&gt;
	&lt;li&gt;Create a Wi-Fi configuration that enables WPA3 Enterprise for your wireless connection when you are back in the office. At home, enable WPA3 Personal on your home router to secure your wireless connections from eavesdroppers.&lt;/li&gt;
	&lt;li&gt;Create a Web Content Filter configuration to limit access to adult content and specific websites prescribed by your company’s security and acceptable use policies. Ivanti UEM and MTD also provide a robust and multi-layered anti-phishing protection that updates the on-device engine’s database every 8 hours and is augmented by the cloud-based lookup engine’s database, which is updated every hour.&lt;/li&gt;
	&lt;li&gt;Create an Encrypted DNS (Domain Name System) configuration setting that enables DNS over HTTPS (DoH) or DNS over TLS (Transport Layer Security) (DoT) to encrypt and secure your DNS queries.&lt;/li&gt;
	&lt;li&gt;Configure a VPN client on the device, such as MobileIron Tunnel,&amp;nbsp;&lt;a href="https://www.ivanti.com/products/connect-secure-vpn"&gt;Ivanti Connect Secure&lt;/a&gt;&amp;nbsp;or&amp;nbsp;&lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;Zero Trust Access&lt;/a&gt;, to protect sensitive data in motion between the mobile device and the MobileIron Sentry, Connect Secure or ZTA gateway.&lt;/li&gt;
	&lt;li&gt;Enable&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Ivanti Zero Sign-On&lt;/a&gt;&amp;nbsp;(ZSO) for conditional access rules such as trusted user, trusted device and trusted app authentication to critical work resources on-premises, in the data center or in the cloud. Also enable MFA (Multi-Factor Authentication) using the stronger inherence (biometrics) and possession (device-as-identity or security key) factors; passwords and PINs can be phished, guessed or brute forced.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;In the third blog in this series, we will discuss ransomware attacks and remediation of Windows 10 laptops and desktops. Stay tuned.&lt;/em&gt;&lt;/p&gt;</description><pubDate>Fri, 10 Sep 2021 01:24:36 Z</pubDate></item><item><guid isPermaLink="false">95c1b102-8c65-4a42-84b3-d8e60a885dc1</guid><link>https://www.ivanti.com/blog/securing-ios-and-ipados-14-s-hidden-app-code-scanner</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Securing iOS and iPadOS 14’s Hidden App: Code Scanner</title><description>&lt;p&gt;Did you know there is a hidden app in iOS and iPadOS 14? It’s called Code Scanner and yes, it is used specifically for scanning Quick Response (QR) codes. So why does Apple hide this app? The app is already integrated into the iOS and iPadOS Camera app which is why your iPhone or iPad’s camera can scan and decode QR codes. So why have a standalone app that is hidden? There is a slight difference between the two apps. Code Scanner can open links with a unique in-app browser, and it automatically closes when you are done. Using the Camera app to scan a QR code will automatically open Safari browser, where each scan will open more browser windows that can easily clutter your Safari or default browser app. The user must manually close each browser window afterward. Code Scanner does not do this.&lt;/p&gt;

&lt;p&gt;To find the Code Scanner app, swipe right from the home screen to reach Search, type “Code Scanner” and tap it to launch the app. So why am I writing a quick blog and recording a short video about a hidden app? Whether you scan QR codes with the Camera app or with Code Scanner, both are protected by &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense’s&lt;/a&gt; (MTD) multilayered mobile anti-phishing engines, as demonstrated in the video below. A QR code can embed a malicious URL that redirects you to an infected website capable of silently dropping drive-by malware onto your device. MTD keeps you off the malicious site by intercepting the request and showing a blocking page that cannot be bypassed.&lt;/p&gt;

&lt;p&gt;MTD is enabled from the &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-unified-endpoint-management"&gt;Ivanti Neurons for Unified Endpoint Management (UEM)&lt;/a&gt; platform, which provides discovery of and visibility into all your company’s endpoints. Ivanti UEM also manages all your mobile devices and laptops and provides self-healing and self-securing capabilities using hyperautomation. Finally, raise your company’s zero trust maturity by adding &lt;a href="https://www.ivanti.com/products/passwordless-authentication"&gt;Ivanti’s Zero Sign-On&lt;/a&gt; for passwordless authentication, which brings the stronger inherence and possession factors into a multifactor authentication (MFA) system. ZSO also helps prevent phishing and credential theft by eliminating passwords altogether. Stay safe and secure out there!&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="589110279"&gt;&lt;/object&gt;&lt;/p&gt;
</description><pubDate>Thu, 19 Aug 2021 19:16:37 Z</pubDate></item><item><guid isPermaLink="false">d85f394e-70d4-4c6a-ae73-c07cf29b1789</guid><link>https://www.ivanti.com/blog/humans-can-be-hacked-so-stop-using-passwords-already</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Humans Can be Hacked. So Stop Using Passwords, Already!</title><description>&lt;p&gt;Humans are the weakest link in the cybersecurity chain. Where have you heard that before? Humans can be hacked! That too? Yes, I am also one of those weak links in the constant battle against malicious cyber criminals and it can be attributed to just being lazy. It’s human nature and we can easily be socially engineered into giving up our precious online user credentials to the bad guys. Without thinking, I’ll tap onto a link within my email or text message because I think I recognize the sender, and then realizing too late that I had just been phished. Then panic ensues where I start changing my passwords on every online bank, retail, and work account, all in a frenzy. Did I write passwords (as in plural) in the previous line and not the same password that I use amongst all my accounts? Another stupid human weak link move!&lt;br&gt;
&lt;br&gt;
Then when it’s time to change my password for my work account, I try to use something that is easy for me to remember. Inevitably, I initially try using a weak password that can be easily guessed not only by me, but brute forced by bad guys! Fortunately, my company has policies in place that don’t allow me to reuse the same password from before, and once I have come up with a strong new password somehow the very first time I am asked to use it to log back into my work account I’ve already forgotten it because I neglected to write it down (because that is what our company InfoSec training tells us not to do). Then you try to reset the password you just created the day before yesterday! It’s a vicious cycle.&lt;/p&gt;

&lt;p&gt;How do we save us from ourselves? Enter &lt;a href="https://fidoalliance.org/fido2/" target="_blank" rel="noopener"&gt;FIDO2&lt;/a&gt; security keys to kill off the password! In the case of &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Ivanti’s Zero Sign-On&lt;/a&gt;, your company can implement a FIDO2 solution by using your managed iOS or Android mobile device as a replacement for the security key. It’s called device-as-identity. You already carry your mobile phone with you in the Everywhere Workplace and you can use it to unlock your Windows or Mac company-owned laptop, and it seamlessly grants you access into your work accounts in a single sign-on (SSO) workflow. No carrying your security keys everywhere that can get lost or misplaced. How cool is that?&lt;/p&gt;

&lt;p&gt;FIDO2 is the most secure passwordless identity authenticator option out there today, especially when used within a multi-factor authentication (MFA) system to access your digital work resources and services. FIDO2 uses the stronger inherence factor (biometrics), and the mobile device adds the possession factor. On newer devices you can use Apple Face ID, Android Face Unlock or an iris scan to unlock not only your mobile device’s home screen but also the &lt;a href="https://help.ivanti.com/mi/help/en_us/GO/75/rni/Content/MIGoClientiOS/About_MobileIron_Go.htm" target="_blank" rel="noopener"&gt;MobileIron Go authenticator app&lt;/a&gt;, which approves a login when you tap its push notification or scan a quick response (QR) code. There is your MFA system right there.&lt;/p&gt;

&lt;p&gt;You want to know a little about the technology behind FIDO2 and why it is the most secure option out there? The most notable point is that a password or PIN is no longer required, which adds security. The cryptographic (public key) credentials used to log in to websites and online services across the internet are unique. This ensures your online privacy and adds confidentiality to your session. Your personal information remains on your mobile device and is never transmitted over the internet or stored on a server. This eliminates the threat of phishing and credential theft right off the bat. Using your mobile device’s built-in biometric scanner, with either your fingerprint or face, to validate your identity is very convenient. FIDO2 can also scale within your enterprise as your company grows by eliminating passwords and implementing one of the mature solutions in the cybersecurity hygiene best practices checklist.&lt;/p&gt;

&lt;p&gt;FIDO2 is part of Zero Sign-On (ZSO) and included in Ivanti’s Secure product portfolio, which also includes &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense (MTD)&lt;/a&gt;, providing multiple layers of phishing, device, network and app level protection. &lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;Ivanti Neurons for Zero-Trust Access (nZTA)&lt;/a&gt; adds the next-generation software-defined perimeter (SDP) secure remote access solution as a replacement for VPN, and &lt;a href="https://www.ivanti.com/products/ivanti-neurons-for-patch-management"&gt;Neurons for Patch Intelligence&lt;/a&gt; now adds the RiskSense risk-based vulnerability management process to the security patching solution. All these, as well as implementing Ivanti’s entire product portfolio, which also includes &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;Ivanti’s Unified Endpoint Management (UEM)&lt;/a&gt; for Mobile, add to a company’s Zero Trust security maturity model.&lt;/p&gt;

&lt;p&gt;With credential theft and the sophisticated Pegasus spyware out in the wild, it’s no wonder that exploits like ransomware are growing by leaps and bounds. The more security impediments that your company places in front of the malicious cybercriminals, aka the bad guys, the greater chance that they will give up and seek out other targets which lack any controls whatsoever. I call that a winning formula. Learn more in my video below!&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="585061854"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Mon, 09 Aug 2021 21:43:05 Z</pubDate></item><item><guid isPermaLink="false">255434ad-fdcf-4d3a-a332-28d54708b838</guid><link>https://www.ivanti.com/blog/fighting-ransomware-using-ivanti-s-platform-to-build-a-resilient-zero-trust-security-defense</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Fighting Ransomware: Using Ivanti’s Platform to Build a Resilient Zero Trust Security Defense</title><description>&lt;p&gt;Ransomware is a strain of malware that blocks users (or a company) from accessing their personal data or apps on infected iOS, iPadOS, and Android mobile devices, macOS laptops, Windows personal computers and servers, and Linux servers. Then the exploit demands cryptocurrency as payment to unblock the locked or encrypted data and apps. This form of cyber extortion has been increasing in frequency and ferocity over the past several years. Seemingly, a week does not pass without hearing about the latest ransomware exploit attacking government agencies, healthcare providers (including COVID-19 researchers), schools and universities, critical infrastructure, and consumer product supply chains.&lt;br&gt;
&lt;br&gt;
The most common delivery mechanisms are email and text messages that contain a phishing link to a malicious website. By tapping on the link, the user is redirected to an infected website where they unknowingly download drive-by malware onto their device. The malware can contain an exploit kit that automatically executes malicious programmatic code that performs a privilege escalation to the system root device level, where it will grab credentials and attempt to discover unprotected network nodes to infect via lateral movement.&lt;/p&gt;

&lt;p&gt;&lt;img alt="fighting ransomware: fbi investigation lock screen" height="382" src="https://static.ivanti.com/sites/marketing/media/images/blog/fighting-ransomware-1.jpg" width="238"&gt;&lt;/p&gt;

&lt;p&gt;Another common delivery mechanism is email attachments, which can also contain malware exploit kits that attach themselves to vulnerable apps, computer systems or networks to elevate their privileges in search of critical data to block.&lt;br&gt;
&lt;br&gt;
There are 4 main types of ransomware. First is the &lt;strong&gt;&lt;em&gt;locker&lt;/em&gt;&lt;/strong&gt; ransomware, where the earliest form on mobile devices was found on Android. It was detected in late 2013 and called &lt;strong&gt;&lt;em&gt;LockDroid&lt;/em&gt;&lt;/strong&gt;. It secretly changed the PIN or password to the user’s lock screen, preventing access to the home screen and to their data and apps.&lt;/p&gt;

&lt;p&gt;The second type is encryptor ransomware, which encrypts apps and files, making them inaccessible without a decryption key. The first exploit using this type of ransomware was found in 2014 and called &lt;strong&gt;&lt;em&gt;SimpLocker&lt;/em&gt;&lt;/strong&gt;. It encrypted the personal data contained within the internal Secure Digital (SD) storage of an Android device. Afterward, an official-looking message showing criminal violations based on scanned files found on the device is displayed to the victim. This is followed by a demand-for-payment message that would allow the victim to resolve the fake violations and receive the decryption key to unlock their blocked data and apps.&lt;/p&gt;

&lt;p&gt;Extortion payments are often made with Monero cryptocurrency because it is digital and often untraceable, ensuring anonymity for the cybercriminals. Bitcoin is still sometimes used, but lately, companies like &lt;a href="https://cipherblade.com/" target="_blank" rel="noopener"&gt;CipherBlade&lt;/a&gt; have been able to track down ransomware gangs using Bitcoin and return the money back to victims. Rarely, mobile payment methods like Apple Pay, Google Pay or Samsung Pay are also used, but cryptocurrency is still the preferred payment for ransomware.&lt;/p&gt;

&lt;p&gt;Just within the past several years, cybercriminal gangs have added several more types of ransomware exploits including &lt;strong&gt;&lt;em&gt;Doxware&lt;/em&gt;&lt;/strong&gt;, which are threats to reveal and publish personal (or confidential company) information onto the public internet unless the ransom is paid. The other is &lt;strong&gt;&lt;em&gt;Ransomware-as-a-Service&lt;/em&gt;&lt;/strong&gt; (RaaS). Cybercriminals leverage already developed and highly successful ransomware tools in a RaaS subscription model, selling to lesser skilled cybercriminals to extort cryptocurrency from their victims and then share the ransom money.&lt;/p&gt;

&lt;p&gt;&lt;img alt="fighting ransomware: diagram depicting how ransomware works" src="https://static.ivanti.com/sites/marketing/media/images/blog/fighting-ransomware-2.png"&gt;&lt;/p&gt;

&lt;h2&gt;Android Exploits: Anatomy of the SimpLocker Attack&lt;/h2&gt;

&lt;p&gt;&lt;img alt="fighting ransomware: diagram depicting how malware works" src="https://static.ivanti.com/sites/marketing/media/images/blog/fighting-ransomware-3.png"&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Installation&lt;/strong&gt;: The victim unknowingly lands on a malware-compromised or Angler-hosted web server and wants to play a video or run an app. The video or app requires a new codec or Adobe Flash Player update. The victim downloads the malicious update software and installs it, which requires device administrator permissions to be activated. The mobile device is infected, and the ransomware payload installs itself onto the device.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Communications&lt;/strong&gt;: The malware scans the contents of the SD card. Then it establishes a secure communications channel with the command and control (C2) server using the anonymous Tor or I2P proxy networks within the darknet. These networks often evade security researchers, law enforcement, and government agencies making it extremely difficult to shut them down.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Encrypt Data&lt;/strong&gt;: The symmetric key used to encrypt the personal data on the attached SD card is kept hidden within the infected mobile device’s file system so the encryption can persist after reboots.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Extortion&lt;/strong&gt;: An official looking message from the FBI, Department of Homeland Security, or other government agency is displayed informing the victim that they are in violation of federal laws based on data found on the device after a scan of their personal files.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Demand Payment&lt;/strong&gt;: A demand-for-payment screen with instructions on the method of payment is then displayed. The &lt;em&gt;fine&lt;/em&gt; was normally $300 to $500 and commonly paid in cryptocurrency.&lt;/p&gt;

&lt;p&gt;If the ransom payment is made, the symmetric key is provided and used to decrypt the personal data. If the victim is fortunate, they can retrieve all their personal files intact, although there have been reports that some if not all the data are corrupted and no longer usable after they are decrypted.&lt;br&gt;
&lt;br&gt;
Android devices are especially susceptible to ransomware because of several factors. First is its global adoption, with 72% of the worldwide market share and 3 billion devices around the world. Next is the 1,300+ original equipment manufacturers (OEMs), along with the fragmentation of the Android operating system. With devices running versions from 2.2 to 11.0, a very large number of them never receive a critical security update, leaving them vulnerable to malware.&lt;/p&gt;

&lt;p&gt;The last factor is that Android users routinely root their devices and install apps that are unverified by Google. There are now an estimated three million apps available for download just from the Google Play Store, with potentially a million more that can be downloaded from unknown and many malicious sources. Any one of these apps can be used to host malware that can lead to ransomware exploits.&lt;/p&gt;

&lt;h2&gt;Android Remediation&lt;/h2&gt;

&lt;p&gt;Here are the remediation tasks to help fight ransomware on Android devices.&lt;br&gt;
&lt;br&gt;
&lt;strong&gt;These settings are configured within the Android device:&lt;img alt="google play protection settings" height="263" src="https://static.ivanti.com/sites/marketing/media/images/blog/fighting-ransomware-4.png" width="280"&gt;&lt;/strong&gt;&lt;br&gt;
1. By default, within the Google Settings and Security configuration, the Google Play Protect settings &lt;em&gt;Scan apps with Play Protect&lt;/em&gt; and &lt;em&gt;Improve harmful app detection&lt;/em&gt; are enabled. These settings are the equivalent of a resident antimalware agent on the device and should remain enabled.&lt;br&gt;
&lt;br&gt;
2. Within the Apps &amp;amp; notification and Special app access configuration is &lt;em&gt;Install unknown app settings&lt;/em&gt;. Leave storage, email and browser apps as &lt;em&gt;Not allowed&lt;/em&gt;, which is the default setting.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;These settings are configured within Ivanti UEM for Mobile or MobileIron Core:&lt;/strong&gt;&lt;br&gt;
3. For Android Enterprise devices, the above settings can be configured using the Lockdown &amp;amp; Kiosk configuration. Select &lt;em&gt;Enable Verify Apps&lt;/em&gt; and &lt;em&gt;Disallow unknown sources on Device&lt;/em&gt; or &lt;em&gt;Disallow Modify Accounts&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;4. Create a System Update configuration to automatically update to the latest available Android OS version for the device. &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; (MTD) can also enforce that the latest OS version is running on the Android device and if not, alert the user and UEM administrator that the device is running a vulnerable OS version and apply compliance actions like block or quarantine until the device is updated.&lt;/p&gt;

&lt;p&gt;5. Enable Ivanti MTD on-device (using MTD Local Actions) and cloud-based to provide multiple layers of protection for phishing (Anti-phishing Protection) and device, network and app level threats (using the Threat Response Matrix within the MTD management console).&lt;br&gt;
&lt;br&gt;
6. Create a SafetyNet Attestation configuration that checks for device integrity and health every 24 hours via Google APIs.&lt;br&gt;
&lt;br&gt;
7. Create an Advanced Android Passcode and Lock Screen configuration to turn on multi-factor authentication (MFA) for the lock screen and work profile challenge using a biometric fingerprint, face unlock, or iris (eye) scan instead of a passcode or PIN.&lt;br&gt;
&lt;br&gt;
8. Enable Device Encryption. This may sound counter-intuitive but encrypting your personal and work data on the device can prevent the cybercriminals from threatening to publish your work or company information online.&lt;br&gt;
&lt;br&gt;
&lt;img alt="mobile device showing mobileiron no threats found" height="451" src="https://static.ivanti.com/sites/marketing/media/images/blog/fighting-ransomware-5.jpg" width="212"&gt; 9. Backup data automatically onto a cloud storage provider like Google Drive, OneDrive, Box or Dropbox. Make secondary and tertiary copies of backups using two or more of these personal storage providers since some offer free storage. Also, backup personal data onto a local hard drive that is encrypted, password-protected and disconnected from the device and network.&lt;/p&gt;

&lt;p&gt;10. Enable Android Enterprise or Samsung KNOX on the device to containerize, encrypt, and isolate the work profile data from your personal data in BYOD or COPE deployments. Android Enterprise in the various deployment modes and Samsung KNOX can be provisioned by &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/mobile-device-management"&gt;Ivanti UEM for Mobile&lt;/a&gt; or &lt;a href="https://help.ivanti.com/mi/help/en_US/core/10.7.0.0/gsg/Content/CoreGettingStarted/MobileIron_Core_overview.htm" target="_blank" rel="noopener"&gt;MobileIron Core&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;11. For BYOD deployments, create a blacklist of disallowed apps on the device. For company-owned devices, create a whitelist of allowed apps that can be installed on the device. Both settings can be configured within MobileIron Core’s App Control feature and applied to the security policy. For Android Enterprise devices, Restricted Apps and Allowed Apps can be applied to the Lockdown &amp;amp; Kiosk configuration, or create an App Control configuration to whitelist or blacklist apps within the personal profile side of the device. This can also be configured within Ivanti UEM for Mobile’s Allowed App settings and Policies &amp;amp; Compliance.&lt;/p&gt;

&lt;p&gt;12. Configure a VPN client on the device like MobileIron Tunnel, &lt;a href="https://www.ivanti.com/products/connect-secure-vpn"&gt;Ivanti Secure Connect&lt;/a&gt; or &lt;a href="https://www.ivanti.com/products/ivanti-neurons-zero-trust-access"&gt;Zero Trust Access&lt;/a&gt; to protect sensitive data-in-motion between the mobile device and MobileIron Sentry or Connect Secure or ZTA gateways.&lt;/p&gt;

&lt;p&gt;13. Enable &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Ivanti Zero Sign-On&lt;/a&gt; (ZSO) for conditional access rules like trusted user, trusted device, and trusted app authentication to critical work resources on-premises, at the data center, or up in the cloud. Also, enable MFA using the stronger inherence (biometrics) and possession (device-as-identity or security key) authentication factors. Passwords and PINs can be phished, guessed or brute forced.&lt;/p&gt;

&lt;p&gt;14. As a last resort, there are anti-malware vendors that provide software to detect and remove ransomware from an infected device. The user can also boot the device into Safe Mode, deactivate the Device Administrator for the malware, and then uninstall it.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;In the next blog in this series, we will discuss ransomware attacks and remediation on iOS and iPadOS mobile devices, and macOS laptops and desktops.&lt;/em&gt;&lt;/p&gt;</description><pubDate>Tue, 03 Aug 2021 22:41:56 Z</pubDate></item><item><guid isPermaLink="false">bf04b629-c377-4b7b-97ad-e4d47e81524f</guid><link>https://www.ivanti.com/blog/not-another-phishing-and-ransomware-blog</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Not Another Phishing and Ransomware Blog!</title><description>&lt;p&gt;What can I say further about Ivanti’s &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;mobile threat defense (MTD) solution&lt;/a&gt; for iOS, iPadOS and Android devices that has not already been mentioned in any of my previous &lt;a href="https://www.ivanti.com/blog/authors/james-saturnio"&gt;blogs&lt;/a&gt; and &lt;a href="https://www.ivanti.com/blog/quick-demo-leaky-app-detection-and-remediation"&gt;quick video demos&lt;/a&gt;? If I were to state where Ivanti has a clear advantage over other unified endpoint management competitors, it is with Ivanti’s MTD solution. Ivanti’s UEM competitors often partner with third-party mobile threat defense vendors, which means the solution requires a secondary app to be installed onto the device. Even competitors that have their own MTD solution still require a second app to be installed. With a second app, the user might have to interact with the app to authenticate to their mobile threat defense portal and activate it to start protecting the mobile device. There is a greater chance that the user may opt out of installing the MTD protection altogether.
Even if the app is silently installed onto the mobile device, for iOS and iPadOS devices, the app has to be signed by the company's enterprise code signing certificate with every app update, or every other year when the certificate expires. This is an administrative pain to maintain and upkeep if there are a lot of corporate apps that are deployed to iOS and iPadOS devices.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/autonomous-endpoint-management/mobile-device-management"&gt;Ivanti UEM Mobile&lt;/a&gt; employs a single agent app for UEM and MTD to manage and secure mobile devices which allows Ivanti’s platform to achieve closer to 100% user adoption, whereas a second app is closer to achieving 30% or less user adoption. The biggest battle for company cybersecurity architects and CISOs is getting threat defense installed onto mobile devices and endpoints, and then activated to start the protection from device, network, app, and phishing threats! Protection is now more important than ever. According to a &lt;a href="https://www.ivanti.com/company/press-releases/2021/fatigued-it-teams-and-ill-prepared-employees-are-losing-the-war-on-phishing-ivanti-study-confirms"&gt;recent Ivanti survey&lt;/a&gt;, 74% of respondents said their organization was a victim of a phishing attack in the last year, with 40% confirming they have experienced an attack in the last month alone.&lt;/p&gt;

&lt;p&gt;The slides below show that other mobile threat defense solutions tout a lightweight agent that is cloud-first and device-assisted to save on battery life. The problem there is that it would take longer to detect and remediate mobile threats because the heavy lifting is done in the cloud. This could cause multiple round trips between the device and the cloud-based threat detection engine, then to UEM to enforce a compliance action, and finally back to the mobile device to mitigate the detected threat. And if the device's internet connection is interrupted, the client engine could run in a degraded mode or be left brainless on the device, unable to detect or remediate mobile threats.&lt;/p&gt;

&lt;p&gt;Ivanti’s solution has two layers of protection. The first is an on-device detection and remediation engine that is provisioned by UEM and works even without an internet connection to the cloud-based engine. It can detect and remediate 45 different device, network, and app threats. Even Ivanti’s phishing protection has an on-device engine that blocks the browser from landing on a malicious website. The second is Ivanti’s cloud-based engine, which can detect 63 different network, device, and app level threats and assists Ivanti’s phishing protection with a cloud-based lookup engine that is updated more frequently.&lt;/p&gt;

&lt;p&gt;&lt;img alt="mobile threat defense solution diagram" src="https://static.ivanti.com/sites/marketing/media/images/blog/mtd2.png"&gt;&lt;img alt="digram showing how other mobile threat defense solutions work" src="https://static.ivanti.com/sites/marketing/media/images/blog/other_mtd1.png"&gt;&lt;/p&gt;

&lt;p&gt;According to &lt;a href="https://www.verizon.com/business/resources/reports/dbir/?AID=11365093&amp;amp;SID=oc5A05L8E%2FcFrofF6SHThDYJ37cWn5XmnDZjFNmvw7UTREE0jLCU6n43HhgLGmw%2F&amp;amp;vendorid=CJM&amp;amp;PUBID=100357191&amp;amp;cjevent=56869abde99511eb8320007f0a1c0e14&amp;amp;CMP=afc_m_p_cj_na_ot_21_99_affiliate-100357191_11365093&amp;amp;cjdata=MXxOfDB8WXww" target="_blank" rel="noopener"&gt;Verizon’s 2021 Data Breach Investigations Report (DBIR),&lt;/a&gt; 36% of data breaches involved phishing attacks, last year. That is an increase of 11% from the previous year and it can be directly attributed to COVID-19 related spear phishing campaigns with the stay-at-home Everywhere Workplace paradigm shift that started to take effect at the same time. Sadly, that percentage is still rising and will lead to millions more stolen credentials used in more data breaches and ransomware attacks! &lt;a href="https://securityboulevard.com/2020/12/staggering-phishing-statistics-in-2020/" target="_blank" rel="noopener"&gt;Ninety-five percent of all attacks targeting enterprise networks are caused by successful spear phishing campaigns, and 97% of users are unable to recognize a sophisticated phishing email.&lt;/a&gt; Staggering numbers!&lt;/p&gt;

&lt;p&gt;How does a cybersecurity architect and CISO counter these ever-growing sophisticated malicious cyber threat actors? They can configure both the on-device URL handler for Android devices and Content Blocker on iOS and iPadOS devices, which block suspected malicious domains and websites when the user taps them. This is the first layer of protection. The local URL handler and Content Blocker database holds 35 MB of data for its phishing database and machine learning classifiers. Both databases are updated every 8 hours.&lt;/p&gt;

&lt;p&gt;This is augmented by Ivanti’s cloud-based lookup service that has its database updated every hour. On Android devices, the anti-phishing protection leverages Ivanti’s MobileIron Tunnel service. Within the MobileIron Tunnel app configuration, a UEM administrator can configure it to support anti-phishing only or also connect to an on-premises or datacenter site via MobileIron Sentry, and/or SaaS-based site in the cloud via MobileIron Access.&lt;/p&gt;

&lt;p&gt;&lt;img alt="create anti-phishing protection configuration" src="https://static.ivanti.com/sites/marketing/media/images/blog/mobileiron_cloud.png"&gt;&lt;/p&gt;

&lt;p&gt;&lt;img alt="mobileiron tunnel config setup" src="https://static.ivanti.com/sites/marketing/media/images/blog/mobileiron_tunnel.png"&gt;&lt;/p&gt;

&lt;p&gt;This capability is like the multi-layered anti-phishing protection on iOS and iPadOS devices also using Ivanti’s MTD solution.&lt;br&gt;
&lt;br&gt;
Phishing and ransomware are intertwined in a malicious cyber threat actor’s exploit arsenal. Deploying Ivanti’s UEM for Mobile with MTD is a great start to fighting off these threat actors. Throw in &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Ivanti’s Zero Sign-On&lt;/a&gt; (ZSO) solution, which can employ the stronger factors like inherence and possession in a multifactor authentication policy instead of the knowledge factor, which often uses passwords. Passwords are the weakest link for most companies, so it is time to kill them off! &lt;a href="https://www.ivanti.com/blog/sos-the-summer-of-security-is-here-stay-safe-out-there"&gt;#SummerOfSecurity&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The demo video below highlights the power of our multiple-layered anti-phishing protection on an Android Enterprise device in a bring-your-own-device (BYOD) deployment scenario.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="536078859"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Wed, 21 Jul 2021 20:03:22 Z</pubDate></item><item><guid isPermaLink="false">99733696-b79a-4265-85f2-ad71c4d33fd3</guid><link>https://www.ivanti.com/blog/soaking-up-the-summer-of-security-sun</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Soaking Up the Summer of Security Sun!</title><description>&lt;p&gt;My wife and I make it a habit of taking a 2-to-3-mile power walk every day around the neighborhood park where we live. With summer upon us and a recent heatwave on the west coast, lately these walks take place during the mid-morning hours when it is a lot cooler outside, and sometimes in between meetings. The walks are not only for us to stay fit and lose some (winter and pandemic) weight, but they also do wonders for our mental health after being cooped up inside for several months. Personally, this aligns with our credo of always moving forward.&lt;/p&gt;

&lt;p&gt;Since these walks coincide with my normal working hours, I always carry my smartphone with me to remain in contact with my teammates. Often, several of my teammates collaborate with me via chat while I am soaking up the summer sun – the epitome of the Everywhere Workplace! Ironically, it is after one of these power walks that I sat down and did a brain dump to write this blog!&lt;/p&gt;

&lt;p&gt;The cool thing about using my personal smartphone to work, when I'm not tethered to my work laptop back at home, is that it is managed by &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;Ivanti Unified Endpoint Management&lt;/a&gt; (UEM) Mobile and protected by &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense&lt;/a&gt; and &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Zero Sign-On&lt;/a&gt;. I am reassured that all my work productivity, collaboration, and email apps are installed, my identity credentials are provisioned automatically, and all my personal and work data are safeguarded, no matter where I’m hanging out.&lt;br /&gt;
&lt;br /&gt;
Also, I don't have to wrack my brain to remember and then enter my username and password onto a small mobile device screen while I'm walking around the park. My company employs multifactor authentication (MFA) that uses my device (possession) and biometrics (inherence) as strong factors to access my critical work resources, always remaining productive while I'm sweating from the physical exercise, not from worrying about my password getting phished or information on my smartphone being stolen. If I happen to lose or misplace my smartphone while on my daily walks, I'm not worried because Ivanti UEM allows me to locate or lock my device and retire or wipe my personal and work data from the device remotely. It definitely is the summer of security (SOS) and fun, so stay safe and secure out there!&lt;/p&gt;</description><pubDate>Thu, 01 Jul 2021 18:11:43 Z</pubDate></item><item><guid isPermaLink="false">af9a45d8-9436-45a3-ba3d-70105f4bda8e</guid><link>https://www.ivanti.com/blog/no-one-likes-passwords-and-they-are-the-leading-cause-of-data-breaches</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>No One Likes Passwords and They are the Leading Cause of Data Breaches</title><description>&lt;p&gt;Did you hear about the latest data breach caused by a stolen password? Technically, it was a &lt;a href="https://api.slack.com/authentication/token-types#user" rel="noopener" target="_blank"&gt;user account security token&lt;/a&gt; used by the malicious cyber threat actors to gain initial access into the company’s chat workspace. Once on the IT chat channel, the threat actors impersonated an employee and then used a simple social engineering tactic to trick an IT support member into providing them with a long-lived login access token onto the corporate network.&lt;br&gt;
&lt;br&gt;
Once on the network, the threat actors moved laterally to discover and gain access to critical company services that allowed them to download valuable source code, potentially the crown jewels. The threat actors began selling the stolen software development kits (SDK) within multiple underground forums, afterward.&lt;/p&gt;

&lt;p&gt;It's difficult to gauge at this early stage what the total cost of this data breach will be for the company, albeit they appear confident that damage will be minimal at this point. I’m also curious to know what security improvements have been made by the company to ensure that this type of data breach and security incident never happens again. It’s easy to be a forensic supersleuth after having all the indicators of compromise (IoC) divulged, but there were several security incidents that ultimately led to the data breach.&lt;br&gt;
&lt;br&gt;
By order of magnitude, the first security incident is the issuance of long-lived access refresh tokens to sensitive workspaces like employee chats. Instead, short-lived tokens that expire with no refresh tokens, or rotating access tokens, could be deployed to protect users, the company chat app, and workspace. I’m not really convinced that the IT member provided a god-level multifactor authentication (MFA) token to the threat actors that granted them access to the corporate network. Some security feeds have made that claim. It sounds more likely that the threat actors initiated and succeeded with a privilege escalation tactic and then were “living off the land” to locate and then break into the company vault.&lt;/p&gt;

&lt;p&gt;For clarification, a token is not a password or hash value, but a random string value generated by a computer and contains some secret information, and static (long-lived) tokens can be abused just like a password. With that logic, the knowledge factor (something you know) used in an MFA implementation, should be replaced with the something you have (possession) factor, like a FIDO2 security key, or your device-as-identity, &lt;em&gt;and&lt;/em&gt; strong biometrics (something you are) factor like liveness facial recognition. Notice the word &lt;strong&gt;and&lt;/strong&gt; in the previous sentence is italicized? No one likes passwords and the worst part is that they are the leading cause of security incidents often ending in data breaches.&lt;/p&gt;

&lt;p&gt;Continuous employee social engineering training, including phishing awareness, needs to be practiced and enforced. The irony is that the IT department at most companies is an extension of the InfoSec team, so handing out administrative-level access to someone who says they lost their phone at a party last night, without visibly challenging them, even virtually, for additional proof of identity for authentication and authorization, is a very bad security policy. Last I checked, most chat and collaboration apps have video conferencing capability to do just that.&lt;/p&gt;

&lt;p&gt;You might ask, would implementing a zero trust security framework have thwarted this security incident and data breach? Absolutely! Why? Because of the zero trust mantra: trust no one, verify everyone! The three core tenets help to reduce company risk and the attack surface. The first tenet is securing the user with &lt;a href="https://www.ivanti.com/blog/quick-demo-ivanti-zero-sign-on"&gt;Zero Sign-On (ZSO)&lt;/a&gt;, which eliminates user passwords and can enforce the stronger factors, like possession and biometrics, in a company’s MFA implementation. Additionally, the first tenet provides multiple layers of anti-phishing protection that protect the user’s credentials, including access tokens, from being harvested.&lt;/p&gt;

&lt;p&gt;The second tenet is securing the device by verifying its health and posture. This ensures the cyber hygiene of the mobile endpoint is good and free from sophisticated morphing device-, network- and app-level threats before it is allowed to connect to corporate resources. The third tenet is securing the network gateway with strong contextual access rules that can detect bad user behavior on the network. On-demand and per-app VPN also help in the zero-trust network access (ZTNA) story by only allowing the authenticated user, authorized app and managed device access to the secure access gateway. A software-defined perimeter (SDP) further secures the network and connected resources by cloaking both the control and data planes. All resources behind the gateway are invisible to unauthorized users, apps and devices.&lt;/p&gt;

&lt;p&gt;In summary, implementing a zero-trust security framework may not have eliminated the published security incident, but it would have helped to lessen the effects or may have prevented the data breach altogether. How? Ivanti has all the components that make up the three core tenets of the zero-trust security framework. Proper deployment of Ivanti’s &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;UEM platform&lt;/a&gt;, &lt;a href="https://www.ivanti.com/products/passwordless-authentication"&gt;ZSO&lt;/a&gt;, &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;MTD&lt;/a&gt; and Zero Trust Access technologies would limit a threat actor’s ability to get to the data, thereby protecting it.&lt;/p&gt;
</description><pubDate>Tue, 15 Jun 2021 18:11:00 Z</pubDate></item><item><guid isPermaLink="false">397bc9a7-3dec-4438-b72a-aed30979f8ae</guid><link>https://www.ivanti.com/blog/quick-demo-a-day-in-the-life-of-a-remote-knowledge-worker</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Quick Demo: A Day in the Life of a Remote Knowledge Worker</title><description>&lt;p&gt;Do you make it a habit of connecting to the free Wi-Fi network at the coffee shop, restaurant, hotel, airport or even in-flight on the airplane to save on your cellular data minutes? Watch this short 2-minute video to see what happens if you connect to a wireless network where a malicious cyber threat actor is performing Man-in-The-Middle (MiTM) attacks on unsuspecting victims.&lt;/p&gt;

&lt;p&gt;Not having a &lt;a href="https://www.ivanti.com/products/endpoint-manager"&gt;unified endpoint management (UEM)&lt;/a&gt; platform and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;mobile threat defense (MTD)&lt;/a&gt; solution can lead to your personal and work data, along with your user credentials, being stolen and exfiltrated from your mobile device. See how &lt;a href="https://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=&amp;amp;cad=rja&amp;amp;uact=8&amp;amp;ved=2ahUKEwiD18XrqobxAhVnJTQIHVgXDZ8QFnoECAcQAA&amp;amp;url=https%3A%2F%2Fwww.ivanti.com%2Fsolutions%2Funified-endpoint-management&amp;amp;usg=AOvVaw3ymppE_Oey_LwxSkJZSt8X" target="_blank" rel="noopener"&gt;Ivanti UEM Mobile&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense&lt;/a&gt; protect your iOS, iPadOS and Android devices from Man-in-The-Middle attacks! Thanks for watching.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="559245026"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Mon, 07 Jun 2021 21:00:00 Z</pubDate></item><item><guid isPermaLink="false">3f483783-991b-45f3-b6ed-ecf38eec98f6</guid><link>https://www.ivanti.com/blog/quick-demo-leaky-app-detection-and-remediation</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><title>Quick Demo: Leaky App Detection and Remediation</title><description>&lt;p&gt;Here's a quick two-minute video demonstrating the power of &lt;a href="https://www.ivanti.com/autonomous-endpoint-management/mobile-device-management"&gt;Ivanti's UEM for Mobile&lt;/a&gt; and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Mobile Threat Defense&lt;/a&gt; and this time detecting a leaky app, specifically the very popular video-sharing TikTok app.&lt;/p&gt;

&lt;p&gt;TikTok has had a history of vulnerabilities where the personal information of users was exposed and could potentially have been harvested and leaked by malicious cyber threat actors. Fortunately, TikTok has patched these flaws, but there are government and DoD agencies that block its installation on government-issued mobile devices. Thanks for watching!&lt;/p&gt;

&lt;p&gt;For more information, check out the quick demo video below of &lt;a href="https://www.ivanti.com/products/endpoint-manager" target="_blank"&gt;Ivanti Unified Endpoint Manager&lt;/a&gt;&amp;nbsp;and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; in action, and request a &lt;a href="https://www.ivanti.com/lp/uem/demos/end-point-manager" target="_blank"&gt;full private demo&lt;/a&gt;&amp;nbsp;through our website.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="549485950"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Mon, 17 May 2021 18:51:19 Z</pubDate></item><item><guid isPermaLink="false">32c60862-9d74-4a44-9892-e24b0b98aced</guid><link>https://www.ivanti.com/blog/avoid-market-pressures-that-compromise-mobile-app-security</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Avoid Market Pressures That Compromise Mobile App Security</title><description>&lt;p&gt;The marketplace for mobile apps is a broad and highly competitive one. There are millions of apps available on Apple’s App Store, Google Play and private enterprise app stores. Expanding market demands continue to drive the pressure to innovate. New iOS and Android updates and mobile device releases, along with myriad apps from companies vying for their customers’ attention, are creating shorter app release cycles.&lt;/p&gt;

&lt;p&gt;The process of releasing apps quickly to assuage market demands can lead to security issues. Bringing apps to market quickly, while trying to deliver that all-important optimal user experience, often has mixed results that can actually create negative user experiences. Mobile app developers must strike the proper balance between delivery and the assurance of security and privacy built in from the start.&lt;/p&gt;

&lt;p&gt;Cloud-native development with flexible software architectures can meet fast time-to-market goals, but it still requires proper security testing. Conversely, legacy processes with code written without unit testing can take months, which is unacceptable in today’s digital world. New apps, developed to compete in today’s era of digital transformation, require rigorous security testing regardless of the development process.&lt;/p&gt;

&lt;p&gt;When it comes to the user experience, app security is as important as usability. If security is too arduous and time-consuming, users will abandon the app. If security testing takes too much time and becomes unmanageable, developers will limit their testing regimen.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Leaky apps put businesses and consumers at risk&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;According to the Verizon &lt;a href="https://www.verizon.com/business/content/dam/resources/reports/2021/2021-msi-report.pdf" target="_blank" rel="noopener"&gt;Mobile Security Index 2021 report&lt;/a&gt;, one in twenty-five apps downloaded from public and private app stores leaks sensitive credentials, email addresses, user IDs, credit card information and location data. Bad coding and shortcuts in security testing are partially responsible for this. Additionally, over half of the Verizon report respondents said cybersecurity challenges hold back their digital transformation initiatives. Market pressures continue to work against development cycles. For many enterprises, the mounting pressure to continuously deliver new apps and updates has put time-to-market at odds with security and privacy. This can mean choosing between time-to-market and security, which often comes down to limiting app security testing.&lt;/p&gt;

&lt;p&gt;For companies to remain competitive, their developers must meet rapid time-to-market requirements, while delivering mobile apps with solid security and privacy. The costs of not fully testing mobile apps can easily outweigh the costs of proper testing. Catching bugs in the earliest stages of the software development life cycle, or SDLC, can save money, brand equity, and user loyalty, compared to implementing security fixes after apps are in the hands of users.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The high cost of shortcuts&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Sacrificing the effort necessary to provide a secure user experience is like "throwing the baby out with the bathwater." Security is one of the most important functions of a mobile app. Shortcuts taken to speed up the process are one of the problem areas within DevSecOps and the Agile development process. Unfortunately, vulnerability testing is often one of the security testing functions that gets pared down or eliminated completely. A similar issue can occur with no-code and low-code development, where companies have little to no visibility into the SDLC or DevSecOps process because it’s outsourced to third-party software developers.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Processes and solutions for secure app development&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Agile software development methods and continuous integration and delivery, or CI/CD, help bridge the gaps between development and operational activities by automating the building, testing and deploying of apps.&lt;/p&gt;

&lt;p&gt;Automation can help developers properly balance time-to-market delivery with effective security testing. The&amp;nbsp;SDLC is the process of planning, creating, testing, and deploying an&amp;nbsp;application.&amp;nbsp;It consists of six stages, including requirement analysis, design, development and testing, implementation, documentation, and evaluation. The idea behind SDLC, and for that matter DevSecOps, is that apps need security built into their development from inception.&lt;/p&gt;

&lt;p&gt;Software development engineers are tasked with using any and all prescribed secure development tools at their disposal to unit test software. For example, penetration testing of the software can be accomplished by installing the app in environments that duplicate the customer’s, then running vulnerability scanners like Rapid7, Burp Suite and Nessus, and fuzzing tools like Synopsys Codenomicon, HCL AppScan and others, to discover vulnerabilities before apps are released.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Developing secure mobile apps requires a synergistic ecosystem&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Many enterprises develop their own mobile apps in-house or use third-party software services. Mobile apps continue to grow unabated, with powerful new capabilities. The need to release them quickly can put development teams in precarious positions. Even with security tools available, they don’t always use them. The gap between developing and testing app security, versus how quickly organizations can get apps in front of their users, is a growing divide.&lt;/p&gt;

&lt;p&gt;There is no single product or development process solution. It is a matter of being deeply committed to providing secure apps that protect business assets and user privacy. This is ultimately what is best for all concerned parties. This includes companies that need to protect their systems and data, DevSecOps that need to appropriately manage the product lifecycles, and users that depend on secure apps to protect their data.&lt;/p&gt;

&lt;p&gt;How can Ivanti help? Ivanti incapptic Connect employs the zScan feature that will scan the iOS or Android app for security and privacy vulnerabilities before the app gets distributed for public consumption. &lt;a href="https://www.ivanti.com/products/incapptic-connect"&gt;Learn more about Ivanti incapptic Connect&lt;/a&gt;.&lt;/p&gt;

</description><pubDate>Fri, 14 May 2021 22:06:53 Z</pubDate></item><item><guid isPermaLink="false">cafcf389-5efe-45a8-b5bc-b0ea65851cee</guid><link>https://www.ivanti.com/blog/quick-demo-updated-magisk-systemless-root-detection-and-remediation</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><category>Endpoint Management</category><title>Quick Demo: Updated Magisk Systemless Root Detection and Remediation</title><description>&lt;p&gt;Magisk is a very sophisticated systemless rooting technique that can bypass Google's SafetyNet attestation and allow apps like Google Pay, many banking apps, and even the Fortnite and Pokémon Go games to be installed on a rooted Android device. Rooting an Android device is popular because it lets the user customize and tweak the device: installing third-party apps and tools, removing bloatware, and speeding up the processor and network.&lt;/p&gt;

&lt;p&gt;The problem with rooting your device is that malware and malicious exploits can also be downloaded and installed onto the device, often without the user knowing. The apps mentioned previously check that the device is not rooted and passes Google SafetyNet attestation before they will run correctly on an Android device.&lt;/p&gt;

&lt;p&gt;Magisk, using its Magisk Hide feature, attempts to evade&amp;nbsp;root&amp;nbsp;detection, but Ivanti UEM for Mobile and Mobile Threat Defense are able to detect and remediate this updated Magisk rooting technique. This helps protect the user’s personal and work data from being harvested by malicious threat actors by providing multiple layers of protection using our device-based machine learning, augmented by our cloud-based threat detection and intelligence engines.&lt;/p&gt;

&lt;p&gt;For more information, check out the quick demo video below of &lt;a href="https://www.ivanti.com/products/endpoint-manager" target="_blank"&gt;Ivanti Unified Endpoint Manager&lt;/a&gt;&amp;nbsp;and &lt;a href="https://www.ivanti.com/products/mobile-threat-defense"&gt;Ivanti Mobile Threat Defense&lt;/a&gt; in action, and request a &lt;a href="https://www.ivanti.com/lp/uem/demos/end-point-manager" target="_blank"&gt;full private demo&lt;/a&gt;&amp;nbsp;through our website.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="548463084"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Wed, 12 May 2021 17:44:31 Z</pubDate></item><item><guid isPermaLink="false">74499ab0-0ed4-4969-9816-e53f7f9bff34</guid><link>https://www.ivanti.com/blog/quick-demo-ivanti-uem-for-mobile-checkra1n-jailbreak-update-for-ios-14-5</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Endpoint Management</category><category>Security</category><title>Quick Demo: Ivanti UEM for Mobile - checkra1n Jailbreak Update for iOS 14.5</title><description>&lt;p&gt;The checkm8 vulnerability and the updated checkra1n jailbreak tool are the gifts that keep on giving for Apple devices. Using Ivanti UEM for Mobile and Mobile Threat Defense, you can protect your iPhone 5S through iPhone X, iPad 5&lt;sup&gt;th&lt;/sup&gt; through 7&lt;sup&gt;th&lt;/sup&gt;&amp;nbsp;generations, and iPad Pro 2&lt;sup&gt;nd&lt;/sup&gt;&amp;nbsp;generation, Apple TV 4 and 4K, and iPods up to 7&lt;sup&gt;th&lt;/sup&gt;&amp;nbsp;generation devices.&lt;/p&gt;

&lt;p&gt;There are also reports that the latest version of checkra1n can jailbreak the latest Apple MacBooks running the M1 chips! In this quick demo video, you can see the power of the Ivanti solution to protect the personal and work data on these devices from threat actors in the Everywhere Workplace.&lt;/p&gt;

&lt;p&gt;You can&amp;nbsp;learn more about &lt;a href="https://www.ivanti.com/products/endpoint-manager" target="_blank"&gt;Ivanti Unified Endpoint Manager&lt;/a&gt;&amp;nbsp;and see how other companies are keeping their business up and running, and&amp;nbsp;request a &lt;a href="https://www.ivanti.com/lp/uem/demos/end-point-manager" target="_blank"&gt;full private demo&lt;/a&gt;&amp;nbsp;through our website.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="544823197"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Tue, 04 May 2021 21:16:25 Z</pubDate></item><item><guid isPermaLink="false">d3b77f00-3514-4a72-a1ba-5d6f8c66a742</guid><link>https://www.ivanti.com/blog/quick-demo-ivanti-uem-for-clients</link><atom:author><atom:name>James Saturnio</atom:name><atom:uri>https://www.ivanti.com/blog/authors/james-saturnio</atom:uri></atom:author><category>Security</category><title>Quick Demo: Ivanti UEM for Clients</title><description>&lt;p&gt;Some of the many ways that malware, including ransomware, commonly spreads are through malicious attachments to business email, unsanctioned apps downloaded from third-party app stores, drive-by downloads via phishing and pharming attacks, brute-force tactics using Remote Desktop Protocol (RDP), and network propagation via SMB and CIFS sharing. Email attachments can be zipped or encrypted files, such as Microsoft Word documents or Excel spreadsheets, whose malicious scripts or macros are triggered once the file is unzipped or decrypted.&lt;br&gt;
&lt;br&gt;
In this short two-minute video, we demonstrate the power of Ivanti’s UEM for Clients (formerly Endpoint Manager), which can automatically deploy and install antivirus and endpoint security agents on a Windows workstation or server. Both agents stop the propagation of malware and ransomware by first detecting the malicious attachment, blocking the script from executing, and then isolating the infected endpoint from the network. Once the threat has been remediated by the company IT administrator, the workstation or server can be restored to normal operation. Thank you for watching!&lt;/p&gt;

&lt;p&gt;You can&amp;nbsp;learn more about &lt;a href="https://www.ivanti.com/products/endpoint-manager" target="_blank"&gt;Ivanti Unified Endpoint Manager&lt;/a&gt;&amp;nbsp;and see how other companies are keeping their business up and running, and&amp;nbsp;&lt;a href="https://www.ivanti.com/lp/uem/demos/end-point-manager" target="_blank"&gt;request a full private demo&lt;/a&gt;&amp;nbsp;through our website.&lt;/p&gt;

&lt;p&gt;&lt;object codetype="CMSInlineControl" type="Video"&gt;&lt;param name="cms_type" value="video"&gt;&lt;param name="platform" value="vimeo"&gt;&lt;param name="id" value="542708914"&gt;&lt;/object&gt;&lt;/p&gt;</description><pubDate>Wed, 28 Apr 2021 23:32:19 Z</pubDate></item></channel></rss>