This past August, a key set of vulnerabilities was discovered in Apple devices, prompting the company to urge users to update their iPhones, iPads, and Macs. Essentially, the vulnerabilities could allow a hacker to take total control of a device.
"One of the software weaknesses affects the kernel, the deepest layer of the operating system that all the devices have in common, Apple said. The other affects WebKit, the underlying technology of the Safari web browser."1 According to Apple's update information, "About the Security Content of iOS 15.6.1 and iPadOS 15.6.1.,"2 both the kernel and WebKit vulnerabilities have the following descriptions: "An out-of-bounds write issue was addressed with improved bounds checking."
Given the potentially serious nature of the vulnerabilities, users are being told to update devices as soon as possible, including "the iPhone6S and later models; several models of the iPad, including the 5th generation and later, all iPad Pro models and the iPad Air 2; and Mac computers running MacOS Monterey. The flaw also affects some iPod models."3 The vulnerabilities have a fairly wide breadth, with multiple types of devices being possibly impacted.
Keeping Your Data Secure
While public figures, in particular, are at risk of being targeted by this threat, active patch management is always essential for every business, organization, and individual that uses technology on a daily basis. This threat does pose a great risk, giving cyber criminals an opportunity to take over a given device, but it should be noted that there are always threats that need to be actively mitigated. Technology (and, by extension, cyber security) is not perfect. Vulnerabilities such as those identified by Apple or human errors can open the door to cyber attacks.
A strong security posture is one that takes this reality into account. Keeping software up to date and staying apprised of new cyber threats and mitigation techniques are critical. Current asset inventories are also essential, as protecting data and devices requires an evolving knowledge of their locations at any given time. In my last article, "Evolving Threats? Assess and Update Security Measures" (June 2022), I discussed the need to regularly review and make adjustments to incident response plans. Reviewing patch management policies and procedures should be part of an organization's ongoing cyber-security plan.
Initiated prior to the recently reported vulnerabilities, Apple is also continuing its efforts to better secure devices. This undertaking includes implementing a new feature called Lockdown Mode. Announced this past July, this ability is designed particularly for users that face the worst cyber-security threats. Additionally, "Apple also shared details about the $10 million cybersecurity grant it announced last November to support civil society organizations that conduct mercenary spyware threat research and advocacy."4
It may be impossible to perfect cyber-security measures and completely eliminate the risks that come with technology. However, prioritizing research and improving security methodologies can counteract or mitigate risk. At an industry level, this kind of commitment is indispensable in balancing the benefits and risks of technology.
Addressing and Mitigating Security Vulnerabilities
But we can also take a cue from Apple within our own organizations. When security issues are brought to upper management's attention, they should be addressed readily and without repercussion for those that bring them to light. Furthermore, improved features should be applied when necessary, and the current threat landscape ought to be incorporated when making risk management decisions. Investment in education and training, and open communication, can help support proactive security measures.
Many have been quick to criticize Apple or any other technology company when a vulnerability is discovered. However, the steps taken to address these vulnerabilities and mitigate them should be acknowledged. As is always the case, patch management is an ongoing process regardless of the problems they address. Keeping track of your organization's devices and data in an up-to-date asset inventory is needed for this process, as is a methodology for assessing compliance.
Security is everyone's responsibility, including having knowledge of current threats and enacting best practices.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.