Mitigating social engineering attacks

Social engineering is a common (and costly) attack that plagues organizations today. This blog discusses techniques to add to your defense-in-depth strategy to help defend against these nefarious threats.

October 16, 2023 by Braden Newell

Protecting user devices against malware is one of the first endpoint hardening tasks an IT administrator or Information Security (InfoSec) team will likely implement. When securing a fleet of devices, regardless of the operating system, ensuring that users cannot install malicious software like ransomware, spyware and rootkits is a basic level one CIS requirement. Jamf Protect's macOS endpoint security and malware prevention capabilities have long made preventing known malware from launching on corporate and education Macs easy.

It’s great that organizations place a tremendous focus on stopping malware from entering their environments. However, another threat is often overlooked — social engineering. Social engineering is the practice of attackers manipulating and tricking individuals into handing over sensitive data or access credentials. Social engineering is challenging to defend against because many of us are trusting by nature and so busy that we sometimes overlook what is out of place.

Social engineering continues to be a serious threat, and the risks it poses are only growing. According to the IBM 2023 Cost of a Data Breach Report, social engineering is involved in ~8% of attacks, costing on average $4.55 million. And this statistic doesn’t even include phishing — responsible for 16% of breaches and costing $4.76 million on average. In other words, it’s nothing to sneeze at.

Attackers are attempting to masquerade as corporate executives, and there seems to be more spam than ever hitting our inboxes. Fortunately, there are several tactics your organization can put in place to help mitigate the risk social engineering poses, and, of course, Jamf has a solution or two to create another layer of defense against those digital threats.


Strong passwords and two-factor authentication

Strong, unique passwords are the first line of defense when strengthening your organization's security posture. Sufficiently long and complex passwords mitigate the risk of shoulder surfing by making it hard for someone glancing at a user's keyboard or touch screen to remember what was typed. Jamf’s management products, Jamf Pro, Jamf Now and Jamf School, all offer the ability to implement and enforce password policies on users’ Macs, iPhones and iPads.

However, a complex and/or long password isn’t enough to prevent social engineering. If a bad actor executes a successful phishing attack, for example, the user has handed over the password outright, regardless of its complexity. This is why passwords should ideally also be unique for every application and never reused. If a particular application suffers a data breach and that specific password is compromised, it won't give the attacker access to other systems. One of the first things an attacker does once they have a user's username and password for one application is to try the same pair against other applications.

A way to achieve this is by using a password manager and/or SSO solution. Jamf integrates with directory services and cloud identity providers (IdP) like Okta and Microsoft Entra ID to support SSO. And Jamf Connect keeps users' Mac passwords synced with their single sign-on (SSO) password, which likely can have its own enforced password policy. This way, users only have to remember one password, reducing password fatigue.

For SSO to be secure, two-factor authentication (2FA) or multi-factor authentication (MFA) should be implemented; otherwise bad actors have access to everything if they obtain a user’s master password. With two-factor or multi-factor authentication, a user needs not only their password but also a second factor: a randomly generated six-digit code, a biometric such as Face ID or Touch ID, or something physical like a Yubico YubiKey. 2FA and MFA help reduce the risk that attackers can access systems — especially when biometrics are used — since an attacker holding only the password may not be able to complete the second authentication step.

If your organization doesn't already have a password policy and password training or resources, champion their development to create formal and consistent messaging around passwords and two-factor authentication.

User training

Never underestimate the power of user training. Social engineering attacks often follow a consistent playbook. Spelling errors, strange icon placement, email spoofing and a sense of urgency are all strong indicators that an email or phone call is a social engineering attack.

However, bad actors are improving, making spoofed emails or websites look nearly flawless. AI is even helping attackers enhance their attacks. Users need to know what a convincing attack can look like, and how to proceed if they suspect a social engineering attack.

Therefore, one of the best ways to prevent social engineering attacks is to train users regularly on the common indicators of social engineering. Most organizations deliver this sort of training once or twice per year to account for changes in tactics and to keep employees vigilant. It's essential to have a blame-free culture to encourage users to report attacks as soon as they happen. Suppose a user does fall for a social engineering attack. In that case, it's better for the user to feel comfortable reporting it to IT early than for further damage to be caused by a delay in reporting.

Some organizations leverage spam tests and training simulations to test their users' susceptibility to social engineering attempts. However, organizations have to be careful with this sort of testing. While data can be valuable, users may grow distrustful of their organization. Instead, organizations may want to consider incentive or reward programs for users reporting spam and phishing attempts. Work to create a culture of support, education and prevention around social engineering.

Principle of least privilege

The “principle of least privilege” is an InfoSec concept where users should only be granted access to the specific applications and functionalities required to do their job. For organizations that use applications with user access levels, consider implementing and reviewing them regularly. In a situation where a user's credentials are compromised, the attacker's access can be limited to the user's specific access level. This ensures that the attack has a restricted scope of access and, ideally, is limited from accessing critical or sensitive data.

After gaining initial access, attackers will attempt to move laterally through the network until they reach their final target. The “principle of least privilege” helps limit and mitigate the spread of social engineering attacks but is not a complete solution. Training users on being vigilant and cautious when receiving an odd request from a team member is a great additional step.

Zero trust network access

Even with strong password policies, least privilege access to applications and user training, social engineering attacks can still succeed. Zero trust network access (ZTNA) adds to your defense, taking the principle of least privilege further by segmenting network access beyond role-based access to applications.

With ZTNA, applications and other resources are accessed via micro-tunnels that are continuously reevaluated even after a user signs in successfully. This is done independently of user or device location. In other words, ZTNA connects users to company resources only after they have strictly verified their identity, continuously checks that the user and the device meet identity and security requirements, and totally prevents access to resources the user is not allowed to access (as the user can’t even reach the part of the network those resources exist on).

ZTNA is a helpful addition to a security stack. If the identity of a user or the security status of a device comes into question, ZTNA can restrict network access to all or some of the network. This prevents and/or reduces the spread of a bad actor in the corporate network, regardless of whether the device is compromised.

How Jamf can help

Jamf Pro

Policies in Jamf Pro help manage and secure devices by configuring devices to meet security requirements. Jamf Pro helps keep devices and software up to date with the latest security patches, helping to keep devices compliant with CIS benchmarks.

Jamf Pro supports Self Service — an enterprise, IT-approved app store where users can download and update apps as they need, without a help desk ticket. This reduces the risk of shadow IT and the download of malicious apps.

Jamf Connect

Jamf Connect helps with access control. With cloud IdPs, users can unbox their device and connect to their corporate applications using a single password. Jamf Connect enables ZTNA connectivity, keeping networks safe and users productive with effortless but secure authentication.

Jamf Protect

Jamf Protect has long been a powerful endpoint security solution preventing known malware from launching on macOS. Recently, Jamf Protect's capabilities expanded with the addition of web threat prevention, formerly known as network threat protection.

Web threat prevention is a network security capability that, among other things, prevents users from accessing known spam, phishing and malicious websites. Web threat prevention is available not only on macOS but on iOS, iPadOS, Windows and Android.

Jamf takes care of domain recognition and threat filtering; all organizations need to do is deploy Jamf Protect’s web threat prevention capability to their operating systems of choice. Once deployed, even if a user clicks a known malicious link, they are prevented from accessing it and redirected to an informative block page.

Adding network security capabilities to Jamf Protect is a significant win for organizations looking for solutions to help reduce the risks of social engineering and other network-related threats. Plus, with Jamf Protect's web threat prevention capability available for both Apple and non-Apple operating systems, all of your organization's devices can be secured with the help of a partner you know and trust.

Jamf Protect also has built-in compliance with CIS benchmarks for macOS. Depending on an organization’s needs, CIS has two levels of profiles with different security recommendations. Level one profiles contain practical security practices that have little to no impact on the user experience. Some examples are:

  • Ensuring automatic software updates are enabled
  • Automatically setting the date and time
  • Basic password management controls like minimum length and character diversity

Level two profiles may restrict a user’s experience in favor of tighter security. Some examples are:

  • Disabling media sharing
  • Disabling the sending of diagnostic information to Apple
  • Restricting iCloud Drive document and desktop sync

Organizations can implement profiles from either level based on their security needs. CIS benchmarks are extensive, which is why they’re conveniently built into Jamf Protect where admins can verify if their fleet is in compliance with chosen benchmarks. With this information, admins can use Jamf Protect and Jamf Pro to maintain adherence to these benchmarks.
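As an added illustration of what such a compliance check looks like in practice (this is example code written for this post, not Jamf's own), the script below audits the three Level 1 items listed above and reports in the `<result>` format a Jamf Pro extension attribute uses. The `defaults`/`systemsetup`/`pwpolicy` invocations, the plist parsing and the 15-character minimum are assumptions; the evaluators take command output as arguments so they can be checked off a Mac.

```shell
#!/bin/bash
# Example extension attribute auditing three CIS Level 1 items (not Jamf code).
# Assumed command paths and output formats; run as root on macOS.

auto_update_ok() {
  # $1 = output of: defaults read /Library/Preferences/com.apple.SoftwareUpdate <key>
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

network_time_ok() {
  # $1 = output of: systemsetup -getusingnetworktime  (expects "Network Time: On")
  case "$1" in *"Network Time: On"*) return 0 ;; *) return 1 ;; esac
}

pw_min_length() {
  # $1 = output of: pwpolicy -getaccountpolicies (XML plist).
  # Prints the <integer> following the minimumLength key, or 0 if absent.
  n=$(printf '%s' "$1" | grep -A1 minimumLength | tail -n1 | tr -dc '0-9')
  printf '%s' "${n:-0}"
}

audit_mac() {
  fails=""
  su_prefs=/Library/Preferences/com.apple.SoftwareUpdate
  for key in AutomaticCheckEnabled AutomaticallyInstallMacOSUpdates; do
    auto_update_ok "$(defaults read "$su_prefs" "$key" 2>/dev/null)" || fails="$fails $key"
  done
  network_time_ok "$(/usr/sbin/systemsetup -getusingnetworktime 2>/dev/null)" \
    || fails="$fails NetworkTime"
  # Assumed CIS threshold: 15 characters.
  [ "$(pw_min_length "$(pwpolicy -getaccountpolicies 2>/dev/null)")" -ge 15 ] \
    || fails="$fails PasswordMinLength"
  if [ -z "$fails" ]; then
    echo "<result>Compliant</result>"
  else
    echo "<result>NonCompliant:$fails</result>"
  fi
}

# Only query the system when actually running on macOS.
if [ "$(uname)" = "Darwin" ]; then audit_mac; fi
```

Jamf Pro stores whatever appears between the `<result>` tags as the attribute value, so a smart group can then target the non-compliant devices.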

Jamf Safe Internet

Educational institutions can reap the same network protection offered in Jamf Protect with Jamf Safe Internet’s content filtering and network security. Jamf Safe Internet is built specifically for the education market with a price point and feature set catered to educational institutions.

Jamf Safe Internet focuses on helping schools meet their regional online child safety regulations while maintaining student privacy, supporting macOS, iOS, Chromebooks, and most recently, Windows. Jamf Safe Internet is straightforward to configure and deploy, and once again, Jamf handles all of the domain identification and network filtering for you.

Adding Jamf to your security stack helps defend against social engineering attacks.
