Categories
Security

2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Global cyberattacks have increased by 483 percent over the last two years, and at the current rate of growth, damage from such attacks will amount to $10.5 trillion in 2025.

Against that backdrop, and despite increased spending on cybersecurity, the skills gap has widened to a canyon. According to the (IC)² 2022 Cybersecurity Workforce Study, the global security workforce gap increased by 26 percent, with 3.4 million additional workers needed to effectively secure businesses. It’s this discrepancy that I believe will lead to a nationally significant cyberattack on a major US organization this year.

As an industry, we need to preemptively address these risks, both by immediately hiring and onboarding new cyber talent and introducing new tools and resources to help simplify operations for SMBs and other thinly-stretched teams.

How to find (and keep) diverse security staff—and when to turn to MSPs

Business leaders are doing a lot of hand-wringing these days. Fears of recession, geopolitical instability, and rising tides of cybercrime compete for attention and have already impacted budget decisions for 2023. But with the average cost of a US data breach at $9.44 million—more than twice the global average—many executives are putting their eggs in the cybersecurity basket. A recent Gartner survey of CIOs revealed that two-thirds plan to increase cyber spending this year.

And yet—will that be enough? Cybercriminals don’t retreat in the face of economic trouble. If anything, they up the ante to meet their financial goals, as has been witnessed firsthand with record cyberattack volume since the onslaught of the pandemic. Cybercrime surged to meteoric heights in 2020 and 2021, and 2022 continued the upward trend with an additional 28 percent increase in global attacks. These numbers hardly do the crimes justice, as they don’t include the effect on employee productivity and morale, lost profits and investments, and irrevocable damage to company reputation.

While organizations have made major investments in cybersecurity recently, hiring additional staff members to manage complex systems, processes, and people does not appear to be a priority. In 2022, the security employment gap expanded by 40 percent to 700,000 unfilled positions in the US alone. “The cybersecurity talent shortage is one of the most significant and threatening challenges facing our industry today,” said Barbara Massa, executive vice president at Mandiant, in an article for CNN.

Indeed, an estimated 70 percent of respondents to the (IC)² 2022 Cybersecurity Workforce Study reported that their organization does not have enough employees devoted to security, with more than half saying staff deficits put their company at “moderate” or “extreme” risk of cyberattack. It’s no leap of logic to assume a significant cyberattack will take place in 2023 due to a mistake made by an overburdened employee or an incident that overwhelms an understaffed team.

Signs of impending crisis have already started to show. According to a 2022 survey by Colbalt, a whopping 90 percent of respondents who have suffered shortages or lost team members are struggling with workload management. Talent gaps can have tangible impacts to an organization’s security posture, including difficulty maintaining standards, lackluster or non-existent training deployment, and undetected vulnerabilities slipping under the radar.

When security professionals are barely keeping their heads above water, important tasks slip through the cracks, leaving infrastructure exposed to the potential for massive compromise. That’s why it’s time to start thinking differently about the security talent shortage and look for creative solutions to the growing problem.

Recruiting security staff: fewer certifications, more diversification

Historically, job listings for cybersecurity positions have placed heavy focus on prior experience, often with a legacy security institution, as well as a laundry list of technical skills and certifications. Many businesses also require familiarity with their preferred software, with dozens of programs littering job descriptions. However, rigid adherence to such qualifications is often to blame for positions remaining unfilled for extended periods.

Instead, organizations should ditch preconceived notions that security professionals must possess a plethora of niche technical skills and consider candidates with so-called “soft skills” of creative problem-solving, communication, collaboration, and critical thinking. If the candidate shows strong potential and a willingness to learn—and is a good cultural fit with other team members and employees—they can be trained to pick up the technical skills they lack.

Another habitual practice in hiring security teams is to look at the same job boards or set of schools for graduates in computer science and information technology year after year. Instead, businesses should expand their search beyond the usual places and methods. A college degree is not always necessary for someone to become a talented cybersecurity professional.

Experts recommend looking in-house at employees not currently on the security team to fill open slots. Perhaps someone in IT, Q/A testing, or customer service has expressed an interest and can be easily trained. Capture the flag, bug bounty, and other security contests are also excellent sources of highly-skilled candidates, as are apprenticeship and internship programs. Finally, SMBs might have surprising luck poaching experienced candidates who are looking to make more of an impact from enterprise businesses, though admittedly this does little to address the overall skills shortage.

In addition to expanding skill and location parameters, it’s crucial for businesses to diversify their cybersecurity teams. With fresh perspectives, a diverse IS department can not only look at a problem from new angles but address multiple issues stemming from multi-dimensional adversaries. Diversifying security teams means adding members with different skill sets and backgrounds, including those traditionally excluded from the industry.

Women are a growing, yet still underrepresented group in cybersecurity, cornering just 25 percent of the global security workforce in 2021. Hiring managers can look to nonprofits, such as WiCyS, CybHER, Inteligencia, and the Diana Initiative to connect them with women looking to enter the field. The SANS Institute also offers the CyberTalent Immersion Academy for Women, where candidates receive world-class training and certification.

Businesses should also conduct outreach to tap into Black, Indigenous, and people of color (BIPOC) and LGBTQ+ communities for potential job prospects. A September 2021 study on diversity and inclusion in cybersecurity found that only 4 percent of US security professionals self-identify as Hispanic and 9 percent as Black.

To court ethnically and culturally diverse applicants, add language to job descriptions that explicitly states interest in groups often left out of hiring pools. Let candidates know the company fosters a welcoming environment for all and encourages professional development of its cybersecurity talent. In addition, look for organizations matching diverse hopefuls to job openings, such as CyberSN, Secure Diversity, and Blacks in Cybersecurity.

Retaining security staff: show them the money

Cybersecurity as an industry suffers from a retention problem. A study from the Kapor Center estimated that high turnover has cost the technology sector more than $16 billion annually. At the heart of such turnover: toxic workplace culture. Nearly 40 percent of employees surveyed said that unfairness or mistreatment played a major role in their decision to leave their company.

It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. Other strategies include:

  • Having a succession plan in place so employees can envision and make reality their career growth within the business.
  • Establishing a mentoring program to allow junior personnel to shadow senior staff and picture what the next stage of their career might look like.
  • Offering security staff opportunities to be involved in the planning stages of projects so they feel their voice is heard.
  • Giving employees ample time off for well-being, including mental health and personal days, to avoid burnout.
  • Allowing flexible in-office hours, including a hybrid or remote work schedule to keep competitive offers at bay.

Finally, of critical importance to attract and retain quality employees is offering a competitive salary. Currently, the median salary for cybersecurity professionals in the US is $135,000, according to (ISC)². The study also shows that 27 percent of security workers enter the sector for the high earning potential and strong compensation packages.

Salaries should increase to keep up with both market trends and increasing responsibilities related to the growing sophistication and frequency of cyberattacks. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16 percent to well over six figures, according to a 2021 report from Dice, a tech recruiting platform.

To MSP or not to MSP

Organizations of every size are in the crosshairs of cybercriminals, but SMBs disproportionately feel the weight of cyberattacks. A 2022 Devolutions report found that 60 percent of SMBs have experienced at least one attack in the past year, and 18 percent have endured six or more. However, 44 percent of respondents indicated they do not have a comprehensive, updated incident response plan in place. Alongside choppy economic waters, 2023 could shape up to be a perfect storm for SMBs who haven’t shored up cybersecurity defenses.

SMBs traditionally have fewer resources than enterprises but are at the receiving end of more attacks. Top threats against SMBs include phishing, credential theft, and ransomware, the latter of which can render a small business bankrupt if not properly thwarted. SMBs need robust security protections, but over 40 percent have no internal IT personnel, and most of these businesses are staffed with just one generalist on call.

The growing complexity of securing ever-widening digital threat surfaces while maintaining industry, national, and international security and privacy regulations has driven many SMBs to turn to managed service providers (MSPs) as a lifeline.
MSPs allow small businesses to cost-effectively supplement or stand in for a full-fledged security team to protect against infections and reduce exposure to threats.

Many SMBs, recognizing that MSPs can be critical partners in helping them overcome security challenges, are planning to increase investment in managed IT and security solutions this year. The widespread and growing need for process digitization, cloud migration, post-COVID collaboration, analytics, compliance, and all-around better security are creating strong demand from SMBs for external expertise in cybersecurity.

SMB investment in MSP solutions will not only provide a shield against the onslaught of digital threats in 2023, but help organizations achieve their business goals while improving collaboration and engagement. Whether your organization has budget to hire a diversified security team or requires an MSP to handle complex security needs, ensuring you have skilled professionals to manage and deploy comprehensive protections will keep your business thriving in the new year and many years to come.

For more information on Malwarebytes’ Managed Service Provider Program, check out our dedicated MSP portal.

Categories
Security

Why securing credentials is more important than ever

Passwords. They’re the bane of our existence—whether you work in IT, IS or just have trouble remembering them all. Passwords may have originated as a security measure, but now, at least alone, they’re a liability. Why? Unintentional user negligence and intentional cybercriminal enterprise have rendered the username/password combo, otherwise known as credentials, practically moot.

Thanks to countless years of desks left unattended and phishing scams coercing users into entering their personal information, millions of credentials are readily available to be stolen, sold, and/or leaked online. That’s why credentials—or more importantly, the security measures we use to verify identity and grant access—need protecting now more than ever.

Unfortunately, many businesses continue to rely on outdated credential security models that leave their networks exposed—a situation only exacerbated by remote work.

Securing credentials for the 2022 threat landscape

Once upon a time, before the pandemic ushered in the era of Zoom fatigue and cloud-based-everything, access to the corporate network could be protected by a level of security provided by the four walls of the workplace. Traditional on-premises security inferred onto employees an automatic level of trust. Swipe a badge, gain entry. From there, identity could be verified by simply recognizing a familiar face at work.

This trusted access extended to all systems and networks, empowering organizations to follow the “trust, but verify” model, in which users were given full access to the corporate network once their login credentials—typically just a username and password—were substantiated.

As cybercrime tactics advanced, however, this approach was like handing threat actors the keys to the proverbial castle: If criminals had just one employee’s credentials, they could gain access to the entire corporate network, including sensitive data like financials or employee records.

In fact, cybercriminals have developed a wide range of sophisticated (and some unsophisticated) methods for targeting credentials, ranging from key loggers and credential-harvesting malware to spear phishing and business email compromise. Before the pandemic brought about the mass migration to remote work, organizations were already in need of revamping their credential security to better adapt to modern-day threats.

Remote work further compromises credential security
Enter: the sudden, intense shift of organizations’ entire workforces to the WFH model. It’s no secret that, while beneficial in many ways for businesses and their employees, remote work has dramatically expanded an organization’s threat surface. The sheer number of new, potentially vulnerable access points introduced by remote employees alone—including personal devices, home networks and IoT—would be enough to instigate the type of credential policy change advocated here.

Many work-from-home (WFH) devices and networks are under-secured, with minimal or no identity verification required. A single remote employee might introduce a handful or more of new vulnerabilities: Using a personal laptop without entering credentials. Connecting to the corporate network from a home network that isn’t password-secured. Using a home assistant and smart refrigerator with their default credentials settings still in place.

Add to that a remote workforce that may not be up-to-date on the latest WFH best practices, and you have the perfect recipe for a breach.

Cyber criminals are, unfortunately, well aware that remote work has weakened businesses’ security postures. A steep rise in cybercrime has paralleled the adoption of remote work—especially cybercrime targeting credentials. With compromised credentials cited as the most common cause of security incident, it’s clear that organizations should re-imagine how they protect credentials and prove identity when providing access to their remote employees.

Best practices for credential security today
With cybercriminal tactics for targeting credentials becoming more sophisticated, with users (both on-premises and remote) in need of more acute security awareness, and with WFH environments contributing to a burgeoning collection of new vulnerable access points, it’s time for organizations to follow more contemporary principles of credential security.

Want to get started? The following tools and policies help improve both credential and overall security:

Password hygiene:  Password hygiene remains a problem for most people—two-thirds of users reuse their passwords across multiple accounts; 59 percent use their birthday in their password; 43 percent have shared their password with someone—so it’s no surprise that login credentials alone provide little security.

With criminals increasingly credential stuffing, aka using stolen credentials to access other peoples’ accounts and services, preventing password reuse and requiring stronger, more frequently-updated passwords is a first step in the right direction.

  • Set maximum password age limits to ensure passwords are changed, as well as minimum age limits so they can’t be quickly changed back.
  • Require passwords meet complexity requirements, like containing at least one uppercase and lowercase letter, a number, and a special character.
  • Set minimum password lengths and encourage employees to create long passphrases unrelated to their personal information—so no birthdays, street numbers, names, etc.
  • Use Enforce Password History policies that store old passwords and restrict repetition.

Multifactor authentication (MFA): There are 8.4 billion or more passwords stolen from data breaches that have been leaked online— in a single hacker forum. With criminal access to so many credentials, requiring a second or third layer of identification through MFA helps thwart many attempted cyberattacks. MFA calls for at least two modes of identification, including:

  • Something the user knows, such as a password, PIN number, or answers to personal security questions
  • Something the user has, such as a security token, USB device, smartphone, or other physical object
  • Something the user is, a unique physical characteristic, like fingerprints, voice recognition, facial recognition, or retina scanning

Single sign-on (SSO): Besides credential theft, password fatigue is also a key contributor to security breaches. When users are prompted to change passwords frequently, they often make too-simple alterations, such as swapping one special character for another or capitalizing a different letter of an existing password. In addition, having to remember different passwords for dozens of accounts encourages reuse.

Using SSO authentication—i.e., allowing one set of login credentials to access multiple systems—can mitigate risk by reducing both password fatigue and credential theft. When implemented securely (in combination with MFA), SSO benefits include:

  • Reducing password fatigue by eliminating password re-entry.
  • Minimizing risk of accessing third-party sites because passwords are no longer stored externally.
  • Decreasing the likelihood that users will store passwords insecurely (e.g., by writing them down on post-its).

Businesses looking to further improve credential security should consider adopting the latest thinking in best practices. The prevailing philosophies are:

Least-privileged access: One of the most menacing aspects of credential compromise is that cybercriminals can gain access to your entire network with only a low-level user login. Following a principle of “least-privileged access” helps limit damage that might be done by a hacker or malicious insider with unauthorized access.

Least-privileged access involves restricting users’ access rights to only the data and systems they need to perform specific tasks. Least privileged access can also be used with segregation of duties policies to limit users’ access to specific functions.

Zero trust: Traditional perimeter-based security is no longer enough to protect against modern-day risks to corporate credentials, thanks to cybercriminal innovation in credential-stealing methods and the difficulty organizations now face in verifying the identity of their remote workers.

Employees themselves will always be a security risk—albeit one mitigated by successful security education programs—but now their working environments are unsecured and unmanaged by IT. Even least-privileged access could allow bad actors to gain a foothold into the corporate network. Zero trust offers an even more secure approach.

Zero trust follows a “never trust, always verify” philosophy, where every user and device must be continuously validated before receiving access, and access is only granted upon request. Instead of authorizing broad access to a collection of network resources, zero trust grants access to specific resources on an as-needed basis. Users and devices are never trusted by default, even if they had been connected to company resources before.

Implementing this many layers of credential security may take a great deal of time and money—or it might not be possible for many small businesses or start-ups right now. That’s okay—any small improvement in credential security makes a difference. But understanding the threat landscape and the tools, policies, and philosophies that are best recommended helps organizations develop a credential security model to strive for.

To learn more about password hygiene: https://blog.malwarebytes.com/cybercrime/2019/03/hackers-gonna-hack-anymore-not-keep-reusing-passwords/

For a deeper dive on zero trust: https://blog.malwarebytes.com/explained/2020/01/explained-the-strengths-and-weaknesses-of-the-zero-trust-model/

For more information on best WFH practices: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Categories
Security

Combat fear fatigue with these security tips

Nearly two years ago, companies around the globe scrambled to support entire workforces strong-armed into remote work practically overnight. For far too many, security was an afterthought — until it was too late. Now, as remote work transforms from novelty to the new normal, organizations must double-down on security efforts. But what if those efforts alienate employees and increase stress instead of alleviating it?

While many employees have expressed a desire to be more secure, as our recent Still Enduring From Home report found, fear fatigue has set in after years of constant concern and change. And that is a vulnerability likely keeping IT and security leaders awake at night.

Why can increasing security cause increased stress and fear fatigue?

How to fight fear fatigue while keeping remote workers secure 

Hybrid and remote work are on their way to becoming permanent fixtures. Yet the digital infrastructure so hastily thrown up two years ago to support the remote workforce now needs a serious security overhaul.

Multiple new access points — many of them weak on or lacking cybersecurity protections altogether — have introduced additional vulnerabilities to an already-taxed system. Users connecting from unsecured home networks, personal computers and mobile phones using shadow IT, haphazard physical environments exposing proprietary data, and unchecked identity and access management policies have left organizations at increased risk of compromise.

As such, it’s time for businesses to sharpen security processes, beef up technical protections, and, most importantly, roll out new forms and frequencies of security training. Security awareness has never been more important.

In fact, many organizations have already taken steps to reduce risk and plug security vulnerabilities introduced by remote work. In Malwarebytes’ recent report, Still Enduring From Home, researchers surveyed 200 IT decision makers to see how organizations fared with remote security measures over an 18-month period.

The results paint an optimistic picture: 74 percent of IT teams have implemented new tools, such as antivirus software, password managers, virtual private networks (VPNs), and two-factor authentication (2FA); 71 percent have introduced new forms of training; and 48 percent have updated their crisis management protocols. Overall, 56 percent of respondents said their organizations have become slightly or significantly more secure since they began working from home.

That’s good news, right? Organizations making moves to boost security is cause for celebration, to be sure. However, the outlook is murkier when examining how employees feel about this increased security. According to the report, they’re fairly well-invested: 83 percent care to some degree about security practices, with 51 percent caring deeply.

However, caring doesn’t always translate to awareness, nor does awareness always result in action. While 62 percent of respondents said their employees are either “very” or “acutely” aware of security best practices, nearly 40 percent range from “aware but not a priority” to “oblivious and risky.”

And while employees care about getting security right, many are also suffering from “fear fatigue.” Nearly 80 percent of the Still Enduring From Home respondents reported some level of fear fatigue or jadedness in their organization. Adrenaline-fueled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

Fear fatigue (otherwise known as security fatigue) inspires complacency, and complacency leads to risky cybersecurity behavior, like opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi. Scammers are primed and ready to take advantage of this reduced focus. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.

According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people. Employees are an organization’s biggest asset, but they also break the rules and make mistakes — sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent), and employees need protecting, supporting, and keeping safe.

Now, there’s a need to keep remote employees appraised of the increased cyberthreats they face and informed about how to deal with them. This requires an increase in training frequency, and confirmation employees are absorbing that training. However, alarmingly, 27 percent of IT leaders said their employees seem “particularly overwhelmed” by threats and jaded by security procedures.

That’s why organizations need to tread a fine line between equipping their employees and overwhelming them. They must learn to balance cybersecurity education while avoiding fear fatigue.

Easier said than done, I know.

To implement an effective fear fatigue mitigation program, it’s important to first address the generalized stress brought on by nearly two years of living in a deadly pandemic.   

  • Collaborate with employees to figure out strategies, including developing strong social networks and regularly practicing healthy routines.
  • Offer employees mental health days separate from sick or personal days.
  • Provide access to counselors and other mood-boosting activities, such as virtual meditation or yoga classes.

Or take the advice of Tanya Barlow, an IT leader at PROCON, Inc.: “The best approach is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and be flexible. You can’t be too hard on yourself, as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and things that don’t truly matter.”

Organizations must also design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put networks, devices, and data at risk. This can be done in two ways: through security tools designed to protect against human error, and/or more engaging training content and mediums for delivering that training. Organizations should:   

  • Leverage technology to automatically block site visits from users clicking potentially malicious links or to detect and bin spear phishing attempts before the targeted employee sees them.
  • Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings.
  • Consider delivering training using different modes of learning, from audio-visual (videos) to kinesthetic (scenario planning).

Employees can feel fatigue from over-communicating, too, so balancing the right amount of communication is key. Remember: There’s no one-size-fits-all approach to managing people, so iterate and check in on employee fatigue regularly. Once you know how to provide folks with the right guardrails, they won’t be so afraid of driving off the road. 

Categories
Security

Mac security and the need for endpoint protection

There’s been a lot going on in the Mac security world lately. Just after Apple dropped its Platform Security Guide on February 18, a mysterious new Mac malware named Silver Sparrow swooped in to infect 30,000 endpoints. In the same week, Forbes covered Corellium — the security research startup that Apple is suing — tracking their momentum after a December court win against Apple. Later, on March 9, Apple released a patch for iPhones, iPads, and MacBooks to fix a security flaw found by researchers at Google and Microsoft. 

And then there’s what we uncovered in our State of Malware Report, where Mac detections on business endpoints increased by 31 percent over the previous year. And Mac malware — primarily backdoors, data stealers, and cryptominers — was on the rise by 61 percent overall in 2020. 

All of this paints the picture of a Mac threat landscape primed to erupt.

Apple shines and buffs Mac security — but is it enough to stop today’s malware? 

Lately, it seems Apple aren’t the impenetrable fortress they’ve claimed to be. Just last week, the company released a patch for iPhone, iPad, and MacBook for a bug that could allow code execution through websites hosting malicious code. This means its browsers were vulnerable to exploits that could be launched from malicious website content. 

Apple didn’t comment on whether this vulnerability had been discovered by cybercriminals. However, the company released patches for three separate security bugs that were being actively exploited in January 2021. And just a couple weeks ago, there was Silver Sparrow. 

Silver Sparrow is a new Mac malware that was found on nearly 40,000 endpoints by Malwarebytes detection engines. While it’s not as dangerous a threat as initially believed (researchers now believe it’s a form of adware), Silver Sparrow is nevertheless a malware family that has mature capabilities, such as the ability to remove itself, which is usually reserved for stealth operations. One of its more advanced features is the ability to run natively on the M1 chip, which Apple introduced to macOS in November, and which is central to the apparent security paradigm shift happening within the company’s walls. 

And what paradigm shift is that? Macs running the M1 chip now support the same degree of robust security consumers expect from their iOS devices, which means features like Kernel Integrity Protection, Fast Permission Restrictions (which help mitigate web-based or runtime attacks), and Pointer Authentication Codes. There are also several data protections and a built-in Secure Enclave. 

In other words: Apple have baked security directly into the hardware of their Macs. 

Looking at the security improvements made to Macs over the last several months — the M1 chips, system extensions replacing external ones, an entirely new endpoint security framework — it appears Apple is making great strides. In fact, they should be commended for developing many beneficial technologies that help Mac users stay more secure. However, not all of the changes are for the better. For example: 

  • External validation of the security components of M1-based Macs are harder to analyze and verify.
  • Security researchers and the tools they develop/use may be thwarted by the relative opacity of the environment.
  • Threat actors with the right resources can develop or pay for a zero-day exploit and jump over Apple’s defenses — then be protected by them once inside.
  • System extensions enable potentially unwanted programs (PUPs) developers to apply for and be granted approval from Apple, which then gives them total protection by the macOS framework.

That last bullet is great for legitimate third-party software programs, like Malwarebytes for Mac, especially in protecting against outside threats that might try to disable security software during an attack. But not every company that applies for system extensions is legitimate. We’ve already seen a few examples of developers with a long history of cranking out potentially unwanted programs (PUPs) get their extensions from Apple. Because of this, some PUPs can no longer be removed by Malwarebytes (or any other security vendor). And while there are some ways that users can manually remove these programs, they are by no means straight-forward or intuitive. 

And sure, you might be saying, “It’s only PUPs!” But PUPs and adware are a significant issue on Mac computers. While many like to trivialize them, PUPs actually open the door for more vulnerabilities, making an attack by malicious software even easier. Adware, for example, could host malicious advertising (malvertising), which often pushes exploits or redirects to malicious websites. If the most recent vulnerability patched by Apple wasn’t already being exploited, that would have been a perfect opportunity for cybercriminals to penetrate the almighty Apple defenses. 

As we found in our State of Malware Report, malware on Mac endpoints belonging to businesses increased by 31 percent in 2020. There may not be as many “actual” malware attacks on Mac endpoints as on Windows, but the share of Macs in business environments has been increasing, especially since the start of the pandemic. You really don’t want some targeted malware hitting your high-value Macs. 

Apple has developed some impressive armor for its Macs, but it doesn’t protect against the full scope of threats in the wild. In addition, Apple only uses static rules definitions for its anti-malware protection, which means it won’t stop malware it doesn’t already recognize. A security program that uses behavioral detection methods (heuristic analysis), like Malwarebytes Endpoint Detection and Response, has the potential to catch a lot of bad apples that Apple hasn’t seen yet. 

As time goes on, we’re increasingly in danger of a major attack waged against Macs. There are still a myriad of Mac users who don’t install any third-party security. Fundamentally, Macs still aren’t all that difficult to infect — even with all the bells and whistles. And by closing their systems, Apple is limiting the capabilities of additional third-party security layers to assist in stopping that major attack from doing major damage. 

For a deeper exploration of Mac threats, security changes, and the ways they thwart full protection, read the article in Malwarebytes Labs: 
https://blog.malwarebytes.com/mac/2021/03/apple-shines-and-buffs-mac-security-is-it-enough-to-stop-todays-malware/

To read more about Malwarebytes’ research with Red Canary on Mac malware Silver Sparrow: 
https://blog.malwarebytes.com/mac/2021/02/the-mystery-of-the-silver-sparrow-mac-malware/

Categories
Security

Most US schools fail to secure distance learners

Education in the United States faced a crisis this year. The looming threat of the coronavirus — which spreads easily in enclosed classrooms — forced schools across the country to develop new strategies for education, most involving some form of distance learning.

The dramatic stress of this transition on teachers, parents, and students is well-known. But the impact of long-term distance learning on the cybersecurity posture of schools and districts has not yet been studied — until now. Researchers at Malwarebytes surveyed IT decision-makers and students from K–12 and trade schools, as well as colleges, throughout the US to compile a report on how education security has fared in the wake of the pandemic.

The results paint a rather grim portrait; the education sector, having always struggled with lack of IT budget and personnel, was ill-equipped to move millions of students to a distance learning model. And despite Herculean efforts by IT teams to connect every student and teacher, cybersecurity often slipped through the cracks.

US distance learners remain vulnerable to cyberattack

US schools have been under tremendous pressure over the last 10 months. Forced to close their doors with little warning, teachers, administrators, and IT teams spent the first few months of the pandemic simply figuring out logistics, such as how to get students access to school resources, devices, and Internet service. Unlike most workplaces, schools have been slower to adopt new technologies, and they were not set up for an easy transition to a distance learning model.

Yet even now, halfway through the schoolyear, educational institutions are struggling with cybersecurity for distance learners. Nearly half of all schools did not change their cybersecurity protocols in response to the new distance learning model, which resulted in a number of issues that dramatically increased IT workload and put undue strain on teachers. Some schools even suffered cyberattacks that delayed their distance learning lesson plans for up to a week. Other key takeaways from the report include:

  • 51 percent of IT decision-makers said that no students, teachers, staff, or guests (including parents) were required to enroll in cybersecurity training before the new school year began
  • 47 percent said their schools developed no additional requirements — no distance learning read-throughs, no antivirus tool installations — for the students, faculty, or staff who connected to the school’s network
  • 46 percent of students said their schools suffered a cyberattack (though only 3 percent of IT professionals admitted to the same); On the flip side, of those who engaged in security best practices before the transition to distance learning, none experienced a breach or had to cancel a single day of learning due to a cyberattack

Clearly, security awareness makes a difference in the overall safety of an organization. In fact, of those who were well-studied in cybersecurity, fewer suffered sustained, excess IT workload or experienced Zoombombing attacks than those who were less prepared. However, knowledge is only half the battle. Many respondents were saddled with device and data shortages. Other schools fell flat on security budget. Additional IT challenges presented by distance learning include the following:

  • 40 percent of educational IT pros said their schools are still missing laptops, computers, or tablets for students
  • 28 percent are still missing these devices for teachers
  • 20 percent of IT decision-makers said they had trouble convincing their schools to invest in cybersecurity
  • 44 percent admitted to difficulties in managing the sudden increase of devices connected to the school network
  • 80 percent said there was a steep learning curve for teachers, students, and staff to adapt to online learning tools

But the report wasn’t all doom and gloom. IT professionals had a gargantuan task in front of them to keep teachers teaching and students learning, and for the most part, they were up to the task. About 72 percent of schools provided Chromebooks, tablets, and hotspots to students, and 59 percent distributed laptops, external microphones, and webcams to teachers. More than 70 percent deployed new software tools for distance learning, including Google Classroom and Zoom.

Unfortunately, despite super-human efforts by some educational IT teams, lack of resources, personnel, and budget have strained an already impacted security posture to nearly the breaking point. About 76 percent of respondents experienced connectivity issues, 30 percent suffered a Zoombombing attack, and 52 percent of teachers had to step in and solve an IT or security issue for students and parents. On the bright side, actual cyberattacks were relatively rare.

So, what can educational IT teams do to improve their school’s security posture in 2021 and beyond? Here’s what the report suggests:

  • Create and train teachers and staff on new cybersecurity policies relevant to distance learning (For other businesses, this can be an additional set of rules related to remote work/work from home)
  • Develop requirements that direct teachers and parents to the appropriate point person in IT or security, should issues arise that need solving quickly
  • Implement access rules, including whether students should use a VPN or password manager to access the school’s network and accounts
  • Host cybersecurity training events for teachers, staff, students, and parents

For more information on the state of education security in the US, read the full report from Malwarebytes Labs here: https://resources.malwarebytes.com/files/2020/12/Lessons-in-cybersecurity_How-education-coped-in-the-shift-to-distance-learning_Malwarebytes.pdf