I'm sure many of you received a notice from your technology team last week alerting you of a breach in your Apple devices.
When I got ours, I immediately forwarded it to my wife—who had a slight panic attack—and then to my kids. I'm sure the downloads of their security update were burning our national bandwidth over the past week. What I found fascinating about the situation is that AAPL has been touting how secure their platform and devices are…in fact, they have been paying for ads on TV and other media channels talking about these new features. As they say, pride goes before the fall.
I'm
not a technologist by any means. When something is not working correctly, I
generally call my son and hope he can fix it for me. This breach was different
though, because many of us have our entire life's information stored on our
phones, iPads, and other devices. I thought it was worth investigating a little
further, so I asked our resident expert Alex Dickson to give me some insights.
Alex has been with us for over 15 years, with the last eight being specifically
focused on cybersecurity issues. He has
attended numerous conferences and received many certifications in this field. He
would be the first to state that things are changing rapidly and that the
attacks are multiplying. Banks, credit unions, insurance companies, broker
dealers, and anyone that deals with money is at risk. It is real and it is
happening now. Think about it: Apple is one of the greatest technology
companies in the world and they were successfully attacked and had to adjust. I
had some questions for Alex, and I hope you find his responses as useful as I
did.
(Kurt)
I saw something about an Apple hack or spyware this week, what happened?
(Alex) Although we've seen many company hacks and breaches in the news recently, the Apple security news that broke this week was not a hack of Apple itself, but the discovery of the potential to hack all our personal Apple devices. To better explain the situation, it would be useful to use an analogy. Imagine a lock manufacturer sells one model of lock to the large majority of people. After this lock is installed in many houses, all over, an engineer figures out that if you bend a paperclip in a specific way, it will not only open her own lock, but also every single lock of the same model. This is similar to what we often see referred to in the software world as an "exploit" or vulnerability in software—the worst type allows full access to mobile devices or computers. Now imagine that the engineer who found this flaw or vulnerability in the lock model decided that instead of responsibly disclosing it to the manufacturer for a fix, sells it to the highest bidder. The winner of that auction would then have the recipe for a key that works on the majority of locks all over the world. Eventually, once use of this flaw became known, the manufacturer would likely have to recall all the locks to correct the flaw—and lock owners would have to take action, or they would remain vulnerable.
Unfortunately, this type of situation happens frequently in the software world due to complexity and level of connectedness of our devices. While the severity varies from case-to-case, the Apple vulnerability disclosed this week was as severe as it gets. While the technical details are not yet known, this software vulnerability allowed an attacker to have full access (the ability to install spyware that can read emails, read files, look at camera and photos, etc.) to almost any iPhone, iPad, or Mac computer in the world by means of sending a malicious document to the chosen device. The victim would not have to open the document, click on a link or anything! It worked without interaction, that is, "zero clicks" as many news outlets reported.
Initial reports are saying this vulnerability has been used in secrecy as far back as February 2021 and was finally discovered and reported to Apple in early September. The resulting emergency security update from Apple is similar to the lock manufacturer recall in our story—it's them providing a fix for this flaw in hopes that everyone will apply it.
I have personal Apple devices: my iPhone, my iPad, and my home computer. Should I be worried that people are going to somehow steal my data? Are there any action steps I need to take?
The good news is that as far as we know, the Apple flaw/vulnerability is still relatively secret and has only been used by the group mentioned in the articles against very specific targets. This means that right now, the likelihood of this vulnerability being used against us to steal our data is relatively low. However, as time goes on and more people become aware of how the flaw works, bad actors will likely be able to replicate it and usage will become more widespread.
To prevent this from happening to you and your devices when the frequency of these attacks starts to increase, it's important to install the Apple updates that came out this week to remediate the vulnerability or resolve the flaw. This is why many news outlets and sources are recommending installing updates ASAP.
To update iOS devices such as iPhones and iPads, you should go to Settings, General, then towards the top there is an option for Software Update. Once there, you will either see that your device has version 14.8, in which case it is up to date and you are good to go (for now!), or you will see the option to download and install it. When doing the download and install, you may also need to be above 50% battery life or plugged in and connected to Wi-Fi. For Mac computers, go to the apple menu in the corner, choose System Preferences, then click Software Update.
For both iOS devices and Mac computers, it's also recommended to select the option to automatically update because these flaws will happen again in the future, you'll want to be automatically protected right away when the newest update is available.
As
mentioned above, these types of flaws can occur in all sorts of connected
devices, not just Apple. Other manufacturers and software providers regularly
have similar updates and should be checked periodically, or better yet, set to
automatically update.
If
a company like Apple with huge cybersecurity resources can have such issues,
how can smaller companies or institutions with more modest resources possibly
defend themselves?
While it may be true that highly resourced groups may be able to successfully breach smaller organizations, it's also less likely that they would expend those resources to do so. Larger organizations are often targeted due to the value potentially gained, similar to our Apple situation where a successful flaw in their software would result in access to any iPhone device—a huge opportunity for the ill-intended.
That being said, it's important to consider a risk-based approach to cybersecurity for your organization in order to determine the correct fit. Finding out where your organization stands in terms of likelihood and desirability of being targeted is an important step in determining the right level of resources to dedicate to defense. Organizations like FS-ISAC, that facilitate information sharing among the financial services industry, may be useful here.
Given the Apple situation this week, there's another key takeaway for verifying your institution's cybersecurity posture. As discussed above, we see why it's so important to update our personal devices to protect from software flaws. Our organizations may not be made up of Apple devices and Mac computers, but they are made up of other similar hardware and software. Just as we protect our personal data by updating those devices, organizations must update their hardware and software as well. Ideally this is done in a centralized and automated fashion by an IT department, who should also have a process in place to verify that all required updates are successfully applied.
I know banks, credit unions and other community institutions do not love risk.
After all, we are all scratching and clawing for every basis point right now. We all focus on credit and worry about loans going bad every day. However, I think there is a chance that we are not recognizing the cyber security risk for what it is. Yes, we all have technology people working for us, and yes, we all probably have a plan on paper if a breach occurs, but are we taking it seriously enough?
Apple's devices were just exploited. If it can happen to them, it can happen to you. There are people seeking flaws in your cyber systems every day. The threat is real, and I believe often underestimated.
I want to thank Alex for his insights and commentary. He is happy to answer any more specific questions for you, just e-mail him at adickson@performancetrust.com.
Final, final thought: The time for fall football cookouts is upon us. Please share with me (and our team) your best tailgate recipes! I will share mine next week.
Fill out the form below to subscribe to my weekly blog.
