What to do if (when) a security vulnerability happens

Jamf can help you remediate security vulnerabilities in the future—and stop them before they become exploits. Learn how in the blog.

December 7 2022 by Hannah Hamilton

No matter how diligent you are in keeping your software updated, devices in compliance or networks locked down, you will eventually face a security vulnerability. The 2017 macOS High Sierra root access issue is a good example; it reinforced four things:

  1. No operating system is immune to security challenges
  2. Operating system and/or software providers must be quick to address security vulnerabilities and issue updates
  3. Device management, and specifically patch management, are no longer simply nice-to-haves
  4. Community forums, such as Jamf Nation and Slack, provide instant and valuable insight into how to resolve issues

The High Sierra vulnerability let anyone with physical access to a Mac running default settings authenticate as root with an empty password. It also let a standard user who was already logged in gain elevated privileges: in System Preferences, via a script and, most importantly, at the Login Window.

Within 24 hours, Apple released Security Update 2017-001 for High Sierra (HT208315) and went on to push it automatically to all affected computers.

In this case Apple responded within 24 hours, but that won't always be possible; it depends on the complexity of the vulnerability and where in your stack it sits. Organizations can take action to remediate vulnerabilities both before a vendor's global update is available and when the fix requires manual interaction.

Responding to security vulnerabilities

NIST’s Computer Security Incident Handling Guide (SP 800-61) lists these four stages of the incident response life cycle:

Preparation

This stage lays the groundwork for how your incident response will play out. Established procedures limit the scramble for resources and decisions while company data is actively at risk. In this stage, your company should ensure it has the proper staffing to handle incidents, including people with technical expertise in networking, server administration, security, etc. Management should also be prepared to coordinate the response and liaise with relevant stakeholders. Teams should have a good understanding of cyberattacks and attack frameworks, a communication plan and a response strategy.

Detection and analysis

The key to detecting threats is knowing the baseline activity of your network and endpoints. Configuration benchmarks such as the CIS Benchmarks define what a correctly configured system looks like, so deviations from that configuration stand out. Security information and event management (SIEM) software monitors your network and alerts you to suspicious activity, and the logs it collects give you the visibility to spot anomalies against that baseline.

Once an incident is detected, the incident response team should analyze and validate it by following a predefined process that determines the scope, origin and method of the attack. Document the findings as you go; they inform the next steps.

Containment, eradication and recovery

Incidents need to be contained while, where possible, preserving evidence that helps identify the source and method of the attack. For instance, if a device is being attacked over the network, it can be isolated from the network but kept running for further analysis, so that volatile state such as running processes and memory contents is not lost. Ideally, information about the attack’s origin can be collected.

After containment, the threat should be eradicated, whether that means removing malware, disabling breached accounts, patching vulnerabilities or restoring systems from clean backups.

Post-incident activity

Once an incident is remediated, your organization should take the time to analyze how it was handled in order to improve the process in the future. Depending on how the incident arose, teams should develop policies and procedures to prevent or discover vulnerabilities before they turn into active exploits. This could involve investing in a SIEM or additional training for employees, starting or expanding threat hunting practices, or expanding the scope of existing risk assessments.

MDM: Proactive, not reactive

With a mobile device management (MDM) solution, admins can push workarounds to their devices before the developer patches a vulnerability. For example, if an app in your Self Service catalog is reported to have an issue, you can quickly remove users’ access to it until the issue is resolved. On a managed Mac, Jamf Pro uses a management binary alongside MDM, giving you the following capabilities:

  1. The ability to write scripts and deploy them through policies to apply interim settings or fixes while you wait for a fix from the software vendor.
  2. Patch notifications, so you know when a third-party patch is issued by the provider.
  3. Patch policies that automatically scope the patch to the computers that need it, for speedy remediation.
  4. The ability to upgrade or update when an operating system or software provider releases an update or upgrade. Whether critical software is patched via the binary or via an MDM command, IT can immediately push important updates to all end users and close security vulnerabilities before a system is compromised.
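As an added example of the first capability (not Jamf’s code and not from the original post), here is a policy script for the High Sierra root-login issue. It decides whether a Mac is still exposed and, if so, applies Apple’s documented mitigation of giving the root account a real password until the OS update lands. The affected-version list, the fixed-build list, the use of Jamf script parameter $4 for the interim password, and the function names root_account_state and assess are assumptions for illustration. The decision logic is kept separate from the macOS-only dscl and sw_vers calls so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example for a Jamf Pro policy script; not Jamf's own code.
# Jamf passes policy script parameters as $4..$11; here $4 is assumed to
# carry the interim root password (set it in the policy, never hard-code it).

# Hypothetical lists; maintain them from Apple's release notes for your fleet.
AFFECTED_VERSIONS="10.13 10.13.1"   # productVersion values exposed to the bug
FIXED_BUILDS="FIXEDBUILD1"          # buildVersion values that already carry the update

# root_account_state STR -> prints "enabled" or "disabled".
# STR is the stdout of `dscl . -read /Users/root AuthenticationAuthority`.
# On a default High Sierra install root has no AuthenticationAuthority key,
# the state the bug abused; once a password is set the key is present.
root_account_state() {
    case "$1" in
        *AuthenticationAuthority:*) echo enabled ;;
        *) echo disabled ;;
    esac
}

# assess VERSION BUILD ROOT_STATE -> prints one of:
#   patched       - build already contains the vendor fix
#   not_affected  - release is not in the affected list
#   mitigated     - affected release, but root already has a password
#   vulnerable    - affected release and root is still passwordless
assess() {
    version=$1
    build=$2
    state=$3
    for b in $FIXED_BUILDS; do
        [ "$b" = "$build" ] && { echo patched; return 0; }
    done
    for v in $AFFECTED_VERSIONS; do
        if [ "$v" = "$version" ]; then
            if [ "$state" = enabled ]; then echo mitigated; else echo vulnerable; fi
            return 0
        fi
    done
    echo not_affected
}

# Only this part touches a real Mac; elsewhere it exits cleanly so the
# decision logic above can be tested on any POSIX shell.
main() {
    if ! command -v dscl >/dev/null 2>&1 || ! command -v sw_vers >/dev/null 2>&1; then
        echo "not macOS: nothing to do" >&2
        return 0
    fi
    os_version=$(sw_vers -productVersion)
    os_build=$(sw_vers -buildVersion)
    aa=$(dscl . -read /Users/root AuthenticationAuthority 2>/dev/null)
    state=$(root_account_state "$aa")
    result=$(assess "$os_version" "$os_build" "$state")
    echo "macOS $os_version ($os_build), root $state: $result"
    if [ "$result" = vulnerable ]; then
        if [ -z "$4" ]; then
            echo "no interim password supplied in script parameter 4" >&2
            return 1
        fi
        # Apple's documented mitigation: give root a password. The jamf
        # binary runs policy scripts as root, so no sudo is needed here.
        dscl . -passwd /Users/root "$4"
    fi
}

main "$@"
```

Scoping matters as much as the script: run it from a policy scoped by a smart group built on OS version, and pair it with an extension attribute that reports the same assess result so you can see which Macs are still vulnerable, mitigated or patched, and retire the workaround once the update has rolled out.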

An MDM solution lets you react to newly discovered system vulnerabilities. Pairing MDM with endpoint security and an identity and access management (IAM) solution such as Jamf Connect lets you be proactive as well. Here are a few features this combination provides to secure your devices before an incident occurs:

  • Identity management: Using SSO with cloud identity provider credentials streamlines user authentication and reduces the number of passwords users have to manage, which lowers the likelihood of compromised credentials.
  • Zero Trust Network Access (ZTNA): ZTNA grants access to company resources only after the user has successfully proven their identity, and denies it otherwise.
  • Endpoint security: User devices are constantly and unobtrusively monitored for malware, for faster detection.
  • Analytics: Monitoring endpoints for malware also yields behavioral analytics that can flag risky activity before a vulnerability turns into an exploit.
  • Content filtering: Restricting access to risky sites stops malware before it is ever on the user’s radar.
  • Visibility and compliance: MDM keeps devices up to date with the latest security patches and operating system versions, keeping them compliant and as secure as possible.

Apple provided a timely response, and administrators could watch the update roll out in real time. Still, many organizations would rather not wait on a vendor to patch a significant vulnerability. Thanks to communities like Jamf Nation and Slack, IT administrators often have the knowledge and, with the Jamf platform, the ability to quickly deploy workarounds and then the vendor’s patch as soon as it is released.

Jamf streamlines your incident response process.
