School: St. Augustine's University
Course: MISC
Subject: Information Systems
Date: Nov 24, 2024
Uploaded by nyamburareginah5
A Research about a Data Breach at Apple Inc.
Executive Summary
Apple Inc. specializes in developing and selling outstanding products and in building an incredible ecosystem and platform for its loyal market, where it sells services and applications. The company’s moat builds on the consolidation of superb products protected by the patent’s wall, economies of scale, robust brand recognition, and an exceptional ecosystem with a holistic linkage of everything. Its focus on absolute maintenance of privacy and security in the iOS ecosystem is an integral feature for end users. This paper conducts a risk assessment of Apple Inc. through research about the recent data breach reported by the company. The main goal of the risk assessment is to establish the controls that the company was missing and evaluate their risks. This process would play a great role in helping the company reduce such risks in the future and create a safer working environment free from cyber-attacks.
Key Takeaways
⮚ Apple Inc. underscores absolute maintenance of privacy and security in the iOS ecosystem. This is an integral feature that informs the loyalty of many Apple users.
⮚ Citizen Lab researchers believed NSO Group orchestrated the Pegasus spyware because they discovered that the exploit code contained a distinct bug that was only ever associated with NSO Group.
⮚ As noted by Ivan Krstić, the head of security engineering and architecture at Apple Inc., Apple responded to the attack by working around the clock to develop new iOS updates that fixed the bug.
Company Background
Apple Inc. stands out as one of the most iconic companies in the market. The firm specializes not only in developing and selling outstanding products but also in building an incredible ecosystem and platform for its loyal market, where it sells services and applications. The company's moat builds on an amalgamation of superb products protected by the patent's wall, economies of scale, robust brand recognition, and an exceptional ecosystem with a holistic linkage of everything. Apple Inc. has some highly personal products, such as iPhones, MacBooks, iPads, and Apple TVs, where users can safely store their personal and very sensitive information because of the company's robust security features. This implies that maintaining privacy and security in the iOS ecosystem is an integral feature for the end users.
Assessment Approach
The main goal of the Apple Company risk assessment is to establish the controls that were missing and evaluate their risks. This process would play a great role in helping the company reduce such risks in the future and create a safer working environment free from cyber-attacks (Heiligenstein, 2022). Based on the 2014 NIST cyber security framework cores, the risk assessment would answer the following questions:
1. What are the main missing controls that contributed to the 2021 data breach?
2. How can the risk assessment results be used to avoid data breaches in the future?
3. How probable are the risks, and how serious could they be?
Figure 1: Showing Risk Distribution Levels
[Chart "Risk Distribution Levels" (Series 1): categories Very Low, Low, Moderate, High, Very High; value axis 0 to 12.]
Summary of Findings and Details
The most recent data breach at Apple Inc. was reported in September 2021, when security researchers based at Citizen Lab discovered that the Israel-based company NSO Group, which sells spyware to governments including Saudi Arabia and Mexico, was secretly infecting iOS devices with zero-click spyware called Pegasus to hack into iPhones. According to Heiligenstein (2022), the researchers at the Citizen Lab made this discovery while investigating a Saudi-based activist's iPhone. The security report shared by Apple Inc. claims that the exploit would have enabled the Pegasus spyware to record the victims' calls, emails, and messages and could also turn on microphones and cameras without the victims' knowledge. Further evidence about the zero-click exploit indicates that when this spyware is successfully deployed, it silently hacks into a phone, gathers the user’s private and personal information by intercepting messages and calls, and turns the phone into a remote listening device without a click.
In its defense, NSO Group maintains that its spyware is exclusively designed for use by licensed law enforcement and governmental agencies to target terrorists and criminals. Nonetheless, extensive scrutiny into the matter, including the Guardian's Pegasus Project, revealed that government officials have extensively used the spyware to target human rights activists and journalists worldwide. The NSO Group further commented on this allegation, noting that “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime” (Kirchgaessner, 2021, 7). However, contrary information from the Citizen Lab suggests that researchers made a "high-confidence attribution," alleging that the Pegasus spyware was a product of the NSO Group since they noted “multiple distinctive elements” in it. Studies show that exploits are technical susceptibilities, which render phones vulnerable to unauthorized access by spyware (National Institute of Standards and Technology, 2018). Citizen Lab discovered that the exploit code contained a distinct bug that was only ever associated with NSO Group.
Table 1: Adversary Risk Template
Table 2: Analytical Scale – Features of Adversary Intent
Table 3: Accumulated risk levels
ID.RA-3: Threats, both internal and external, are identified and documented
According to a post released by the Guardian News website, security researchers from the Citizen Lab indicated that the Israeli spyware company NSO Group hacked into Apple iPhones and devices in February 2021 (Kirchgaessner, 2021). However, Apple Inc. did not realize this vulnerability until September 2021. Hence, the first risk is the company’s inability to completely understand cybersecurity risks related to image, assets, missions, and individual operations. This exposed the company to a greater risk of a data breach. Second, although the company identified the hackers, it did not understand how they implemented the zero-click exploit strategy to infect its customers’ devices. As a result, it came up with a lockdown mode to work on the issue, which, according to Dr. Chris Pierson, does not work on all cyber risks of the company’s devices. This leads us to the second risk: the lack of knowledge about current cyber-attack malware exposed the company to risk (Satter and Bing, 2022).
ID.RA-1: Asset vulnerabilities are identified and documented
The first risk is that Apple Inc. lacks internal practices to check for any vulnerabilities that would expose it to cyber risk. Its employees, who are its top assets in doing this work, seemed reluctant, as they did not notice any anomalous activities taking place on customers' devices. This is evident because the attack was discovered by an external company known as the Citizen Lab (Petkauskas, 2022). As a result, their negligence exposed the firm to cyber risk. Apple Inc.’s second risk is its overreliance on encryption cyber-security tools, which exposed it to cyber-attack. This is because it hindered the company from developing other cyber-security tools that would protect its customers from cyber risk.
PR.IP-12: A vulnerability management plan is developed and implemented
Apple Company accepted that the vulnerability was introduced in its devices six months before the company realized it. The first risk is evident in this delay, which indicated that the company had a poor vulnerability management and implementation plan that deterred it from realizing the attack at an early stage. This delay caused the data of more than 37 activists, nutritionists, and high-ranking politicians to leak to the Israeli NSO Group (Kirchgaessner, 2021). The second risk is the failure of the company to have an established vulnerability management solution that would help it prioritize vulnerabilities through the MITRE Common Vulnerabilities and Exposures (CVE) Score. The lack of these solutions exposed the firm to cyber-attack (National Institute of Standards and Technology, 2018).
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
In the data breach at Apple Company, the hackers used the zero-click attack method, which did not require the users to interact through messages or emergency requests. As a result, the users found it difficult to realize any anomalous activities on their watches, smartphones, and other devices (Goodin, 2021). Hence, the first risk is the failure of the firm to continuously monitor the behaviors of every user device, which would have shown it real-time activities through the Device Knowledge Base and would have prevented the incident from taking place (Perlroth, 2021). The second risk is that the firm's lack of great sensors made it difficult to create risk scores and updates that would generate security alerts in case of abnormal behavior in the user’s network. The company lacked great sensors, since it did not realize its vulnerability until an information system company noticed it while following a Saudi Arabian activist's profile.
RS.MI-1: Incidents are contained
After the incident, Apple Company worked hard to mitigate the attack by developing a lockdown mode to protect its users from zero-click cyber-attacks. According to Satter and Bing (2022), the lockdown mode came with new features that block wireless connections while an iPhone is locked, disable link previews, and block incoming calls from unknown sources. Thus, the first risk is the lack of these features in the previous devices, which exposed the firm and its users to cyber-attacks (Perlroth, 2021). The second risk is that the failure of Apple Company to support and work with organizations that investigate, expose, and prevent highly targeted cyber-attacks exposed it to the risk. Hence, after the incident, it offered to donate $10 million to support their work and create a great rapport that would help them in the future.
The Connection between the Breach and Missing Controls
There is a logical connection between the breach and the missing controls on Apple Inc. products, as Perlroth (2021) reported in an article in The New York Times titled “Apple Issues Emergency Security Updates to Close a Spyware Flaw.” Perlroth quotes Ivan Krstić, the head of security engineering and architecture at Apple Inc., commending the incredible job done by the Citizen Lab in its finding. In response, Apple worked around the clock to develop new iOS updates that could fix the bug. Krstić urged iPhone users to run the latest updates by installing WatchOS 7.6.2, macOS 11.6, and iOS 14.8. The company promised to implement new security defenses for calls and for iMessage, the firm's main texting application, in its subsequent update, dubbed iOS 15, slated for late last year.
Further investigation by the New York Times, dating back to 2016, revealed dubious activities by NSO’s Pegasus spyware on iPhones. Notable targets included Mexican nutritionists lobbying for national soda taxes, Emirati activists lobbying for expanded voting rights, lawyers investigating the mass disappearance of Mexican students, and an investigation into sexual abuse by Mexican police. Although Apple has been updating its operating systems, the infection of the Saudi Arabian activist by the Pegasus spyware was a wake-up call that prompted the firm to act promptly and counter the impact of the exploit, which put 1.65 billion Apple products in use worldwide at risk (Perlroth, 2021).
Recommendations
People are developing new technologies each day across the globe to ensure that companies are protected from targeted cyber-attacks. Apple Company needs to do the following:
First, internal and external workers with high information technology and multi-disciplinary skills must be considered. This will play a great role in helping the firm hunt, understand, and handle cyber threats, making it more resilient to cyber-attack. Secondly, the company needs to engage in more security tests. These tests play a significant role in challenging the firm's network to detect any vulnerability to cyber-attacks. Through these tests, the company will be able to identify the infrastructure it needs to put in place to provide its networks with maximum security. Additionally, the company must consider working with a security partner like the Citizen Lab. This would give it access to highly skilled experts who would consistently conduct security audits to detect any vulnerability in the organizational and users’ networks.
Reference List
Goodin, D., 2021. “Clickless” exploits from an Israeli firm hacked activists’ fully updated iPhones. [Online] Ars Technica. Available at: <https://arstechnica.com/gadgets/2021/07/clickless-exploits-from-israeli-firm-hacked-activists-fully-updated-iphones/> [Accessed 5 August 2022].
Heiligenstein, M., 2022. Apple Data Breaches: Full Timeline through 2022. [Online] Firewall Times. Available at: <https://firewalltimes.com/apple-data-breach-timeline/> [Accessed 5 August 2022].
Kirchgaessner, S., 2021. Israeli spyware firm targeted Apple devices via iMessage, researchers say. [Online] the Guardian. Available at: <https://www.theguardian.com/technology/2021/sep/13/nso-group-iphones-apple-devices-hack-patch> [Accessed 5 August 2022].
National Institute of Standards and Technology, 2018. Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.
Perlroth, N., 2021. Apple Issues Emergency Security Updates to Close a Spyware Flaw. [Online] Nytimes.com. Available at: <https://www.nytimes.com/2021/09/13/technology/apple-software-update-spyware-nso-group.html#:~:text=the%20main%20story-,Apple%20Issues%20Emergency%20Security%20Updates%20to%20Close%20a%20Spyware%20Flaw,so%20much%20as%20a%20click.> [Accessed 5 August 2022].
Petkauskas, V., 2022. Apple’s Lockdown Mode: a decent attempt, but no panacea | Cybernews. [Online] Cybernews. Available at: <https://cybernews.com/security/apples-lockdown-mode-a-decent-attempt-but-no-panacea/> [Accessed 5 August 2022].
Satter, R. and Bing, C., 2022. EXCLUSIVE iPhone flaw exploited by second Israeli spy firm sources. [Online] reuters.com/. Available at: <https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/> [Accessed 5 August 2022].
Appendices
Appendix 1
[Chart "Risk Distribution Levels" (Series 1): categories Very Low, Low, Moderate, High, Very High; value axis 0 to 12.]
Appendix 2:
Appendix 3:
Appendix 4: