If your company hasn’t updated its iOS and Apple (News - Alert) computers over the last month, you need to drop everything and make that happen. News of Apple’s extreme SSL vulnerability rippled across the Internet throughout late February.
Developers, tech experts, and media figures implored consumers and business users to update their mobile devices to iOS version 7.0.6, which included the critical fix for the SSL bug.
According to Apple Insider, the adoption rates for this software update hit 13 percent within the first two days of the update release. Incidents like these illuminate several key points that companies and IT departments need to learn, when it comes to securing their in-house, loaner, and BYOD technology.
Essentially, security professionals uncovered two extreme flaws in Apple products: the “goto fail” bug in both the iOS and OS X platforms, which run on Apple mobile devices and computers respectively. Security professionals who wrote and warned users about this bug attempted to conceal certain key points about the flaw, in order to prevent would-be attackers from exploiting the vulnerability before a patch was released by Apple.
The flaw is known as the “goto fail” bug because of a slight typo in the system code, which causes the software to skip a key piece of verification. That extra “goto fail” line represented a hidden snake in the operating system, which posed a threat to users who logged onto secure websites while on untrusted networks, such as public Wi-Fi.
The most terrifying aspect of this error is that it has been affecting Apple mobile devices ever since the release of iOS 6 in September 2012.
The news is equally dire for businesses that rely on the native and third-party apps in OS X, especially if your company has remote or telecommuting workers who complete tasks at a distance from your secure office networks. Security experts suspect that Mac apps such as Safari, Twitter (News - Alert), Facetime, iMessage, and other integral system apps were open to the vulnerability.
Threats to businesses
The flaw affects users’ SSL certificate security: the protocols we rely on when we log on to secure services such as social media, bank accounts, and work-related systems. This opens users up to sniffing, aka man-in-the-middle (MITM) attacks.
Imagine an employee going to pick up some coffee outside the office, and he jumps onto the café's Wi-Fi to check something on the company’s cloud computing system. A malicious attacker who’s connected to the same network has an opportunity to intercept critical data, such usernames and passwords, before it can securely reach the website. This is the process known as “sniffing.”
How companies can minimize risk
The first thing to note about this flaw is that it wasn’t anything new; it’s a code error that has existed for more than a year. IT education is paramount: The people who maintain your office technology need to be in the loop about breaking news so they can respond appropriately.
The second element to focus on is scheduled maintenance and updates. It’s possible that many users had no idea about this vulnerability until Apple released the latest updates, which described the vulnerability in their notes.
Scheduled system and software updates can help protect companies against current attacks.
The third way companies can minimize damage is to leverage Mobile Device Management software for tablets and smartphones. IT departments can enforce key security practices, such as complex unlock passwords, network settings, and “open in-app” settings, which can significantly reduce risk even in the face of the “goto fail” bug.
Apple’s recent SSL controversy might have been a rude wake-up call for many businesses. It highlighted the very real need for regular IT updates, management, and security protocols.
No system is infallible; just a few characters of code can mean the difference between a secure and a breached work system. Company leaders can minimize risk through continued IT training, scheduled maintenance, and device management software.