Securing Apple devices: Managing growing cyberattacks and risk
Dive into all things Apple security with today’s guest, Kelli Conlin, Security Solutions Specialist at Jamf. Learn about securing devices across multiple operating systems, the hidden-in-plain-sight Apple security bible, and why Kelli’s mom isn’t allowed to use the 15-year-old Mac laptop Kelli is still hanging on to after all these years.
Kelli Conlin is a Security Solutions Specialist at Jamf focused on helping organizations be more secure with Apple. Prior to joining Jamf, Kelli was an Intelligence Analyst in the U.S. Air Force supporting special operations before starting an IT career path. Kelli currently lives in Tampa, FL with her husband, son, two cats and a miserable husky.
[00:00:00] CS: Today on Cyber Work, Kelli Conlin of Jamf joins me to discuss all things Apple security. In this episode, you’ll learn about securing devices across multiple OS’s, the hidden in plain sight Apple security Bible and why Kelli’s mom isn’t allowed to use the 15-year-old Mac laptop Kelli is still hanging on to after all these years.
Remember that Cyber Work listeners are eligible for a free month of InfoSec skills, by going to infosecinstitute.com/skills and using the promo cyberwork when joining. That’s 30 days of free security courses, hands-on cyber ranges, skill assessments and certification practice exams, all when you use the promo code cyberwork on signup. That’s infosecinstitute.com/skills. Now, let’s begin the show.
[00:00:43] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in, or moving up the ladder in the cybersecurity industry.
Kelli Conlin is a security solutions specialist at Jamf, focused on helping organizations to be more secure with Apple. Prior to joining Jamf, Kelli was an intelligence agent in the US Air Force, supporting special operations before starting an IT career path. Kelli currently lives in Tampa, Florida with her husband, son, two cats and a miserable husky. That is a mood for 2020.
Our topic today is the specific security issues around Apple’s platform and Apple products. Even lay people without a lot of security background know to some degree, that Apple seems built just to a different schematic than Linux, or other OS’s. As you imagine, this comes with variants and security remedies, as well as specific and inherent security issues.
Today we’re going to talk about what Apple security’s framework is like, what security issues you should be on the lookout for with Apple products and what you need to do, know if you want to learn about securing Apple products and systems, especially in a career role. Kelli, welcome to Cyber Work. Thanks for being here today.
[00:01:53] KC: Oh, thank you for having me.
[00:01:55] CS: Let’s start out with your background here. You said that you started out as an intelligence analyst in the US Air Force before starting an IT career path. Can you talk about your tech hero’s journey? How far back does it go back with you? Were you a computer programmer as a kid? Did you find it later in life?
[00:02:16] KC: I instinctively picked up to computers when I was younger. I mean, we had one of the old, weird, beige Compaqs growing up that my mom never could use. I always was internal home IT from a very young age. Once I got into high school, I’m very lucky that the school I went to had a lot of different avenues for creatives. I got into, I want to say AV, because there’s not a proper label to it, but it was like our school’s announcement program. We did the school news, but it was all video editing and videography and photography.
That’s actually where I got introduced to Macs, was using – in that program, using video editing software and then I became a Mac hobbyist, because it wasn’t always in schools. It was my personal computer. Obviously, at work, they didn’t really come across a lot of Macs then. Yeah, so computers have always just been a huge interest. Macs were always just my personal choice.
Then I joined the Air Force. I had all this photography and video background and they’re like, “Hey, you would be really good as an imagery analyst when I go to the recruiter.” I’m like, “Oh, sure. Imagery analyst. That sounds fun.” No. That’s not what it was.
[00:03:47] CS: I don’t know that term. What does that entail?
[00:03:51] KC: Essentially, it’s a part of the intelligence community and intelligence gathering structure. That particular method of intelligence is just analyzing what you can see and reporting back off that. In modern times, that position and what I did for the Air Force was all drone work, satellite imagery analysis, monitoring videos from drones, doing that reporting. I mean, it was amazing.
It sounds very Jack Ryan, if I explain it. I mean, there’s times it was super cool. I was always in a classified space, because it was intel. I wanted to work on computers. I was using computers as an analyst and I just was magnetically drawn to – I just want to support this. I was constantly bothering IT, because I would write a script that would make it so my computer couldn’t lock me out. I was just a pain.
Eventually, I decided to make that switch. For DOD, if you want to work in intel, a lot of the times, they just need a lot of certs or requests require certain certs. I got CompTIA Security+ at the jump, so I can work on classified systems. Then it just dovetailed from there.
[00:05:23] CS: Well, cool. Let’s talk about your role now as security solutions specialist at Jamf. What does your average day look like? Do you have a pretty, this two hours of the day I do, this two hours – or is it different every day? What are your primary roles and responsibilities, things like that?
[00:05:39] KC: It’s definitely different every day. Pacing can vary pretty dramatically. The role that I am in is a technical resource for new customers. I’m not on the internal Jamf information security team. I’m not actually looking at our employee’s machines data, or telemetry from security events on their devices. I’m more focused on how our customers can have a better security increase, or security posture overall with Jamf’s products and just explaining that.
[00:06:15] CS: Okay. You’re working case by case with each new incoming customer, and so you’re tailoring it to their specific security needs?
[00:06:24] KC: Yeah, exactly. Just being that translation, telling them okay, well that’s your need. This is how Jamf can help with that. I also work a lot with our marketing teams, coming up with blog posts, hosting webinars, as well as working really closely with our internal developers, giving them that feedback that I’m hearing from customers’ security concerns, that kind of thing.
[00:06:48] CS: Okay. Do you keep regular hours? Are you on-call all the time?
[00:06:52] KC: I’ve always been remote, since I’ve been with Jamf. This was my first at-home position. At the beginning, I was always available. I had our communicator on my phone, answered e-mails before I went to bed. I’ve slowly loosened that. I mean, it is hard, because I like to be responsive. I like to help, and so trying to turn that off. I don’t really have set hours. I am always available. It’s just a day-by-day thing.
[00:07:31] CS: Yeah, but that’s not necessarily the parameters of the job position. That’s you talking.
[00:07:35] KC: Yeah, that’s a personal choice.
[00:07:37] CS: Okay. Got it. Got it. Okay. I guess, winding back from that in terms of your skill sets, you’ve talked about a little bit about you got Security+ and where you got started with things, but what were the skill sets and things that you knew that made you a good fit for Jamf? If people wanted to do the work that you do, what were the things that Jamf were looking for in terms of this role?
[00:08:03] KC: I started at Jamf in a position called a systems engineer, or sales engineer. I presented our products to new customers, or interested customers from a technical level. I was a Jamf customer before I came to Jamf. I worked at a company that was a full Mac shop and we used Jamf Pro to manage our Macs and our iPads. I was very familiar with Jamf as a company, because I purchased from them. Jamf just became a goal of a company I wanted to work at. I loved their product.
[00:08:45] CS: You specifically were going after them. That’s great.
[00:08:46] KC: Yeah. I really wanted to work there. I actually applied a couple of times and didn’t get the positions and then finally, was able to move in as a systems engineer. Then when we purchased the company, Digita Security and created our security tool, Jamf Protect, I was – they knew my background and I was very quick to pick up the product. I was very excited about it. Then when we had this position open up, I was very eager to apply and step into that role.
[00:09:26] CS: Okay. As we mentioned at the start of the show, today’s episode is all about all things Apple. We’ve been talking about Apple. You’re an Apple evangelist from a long way back. Just start right at the very bottom here, at the very beginning, how does Apple’s OS differ structurally from PC and Linux in terms of a security perspective? I feel like Apple has the reputation and has for a long time of being the interface for everybody. It’s like, all the stuff is here. You don’t need to know coding, or even the perception of coding and things like that. How does an interface like that come about and so forth?
[00:10:04] KC: Obviously, I don’t work for Apple and I don’t know their –
[00:10:07] CS: Yeah, I’m not going to ask you how that – Yeah, what’s their recipe? Yeah, tell me.
[00:10:13] KC: I mean, I think the focus that Apple has always had on the user is one of the big key differences between them, because they’ve kept such a control on software and hardware, so they can control that user experience and that expectation of what the user has, because they’ve cut out that variable of multiple hardware vendors for their software, like you get on the Windows side. I think that’s the big key difference is that they’ve kept a hold of that they produce their hardware, they produce their software, so they can keep that focus on the end-user.
I think that’s why a lot of people, I don’t know if this is the right term, but drink that Apple Kool-Aid, because they feel so appreciated. This computer gets me. I get this. I can pick this up quick.
[00:11:05] CS: Feels natural.
[00:11:06] KC: Yeah, they’ve made it very easy to adopt their products.
[00:11:12] CS: Yeah. I mean, this is a total tangent, but I feel there are – It sounds like you were an Apple family. I feel like, computer preferences seem to go by family. I was a PC family. My wife’s family was an Apple family, across the board and straying from that would be almost a dishonor to the family.
[00:11:33] KC: Right. It’s like Pepsi or Coke. If your mom drinks Diet Coke, you can’t all of a sudden bring in a 2 liter of Pepsi.
[00:11:39] CS: Yeah. No, exactly. You’re working across purposes there.
[00:11:43] KC: I am the oddball of the family. My mom is not –
[00:11:48] CS: You’re in the house divided.
[00:11:48] KC: I pray she doesn’t listen to this. She’s not the most technical person. She got iPhones when iPhones became a thing and were cool and the new hotness. She was never a Mac user. I have old iMacs that I use for testing, or that I’ve just taken apart. She constantly asks me for it. She says, “You just have it sitting in your office. I want that.” I’m like, “This is not the computer you are used to. I would have to retrain your brain.”
Yeah, I used Macs at school in video editing. Then I just fell in love and begged her and begged her like, “Please, I need an Apple computer. I need the Apple machine.” Finally broke her down.
[00:12:39] CS: Nice. This might be a perception issue and you can feel free to pop the balloon, but for those of us that are old enough to remember when Apple first became the player on the scene, I feel like there was a long time where Apple products were perceived, whether right or wrong as “safer” than PCs and Windows, because as I heard that most viruses and attack software were designed for PC. As such, Apple seemed safer by virtue of being hidden slightly in the background.
Obviously, that’s not the case anymore. Speaking to that, was Apple truly safer at one time and how does the relative security posture of Apple now vary from Windows systems in the present day?
[00:13:20] KC: That’s so hard to – I blame Jamf a little bit for how Apple’s, or just Macs in particular, their – bit them as a target for security threats has grown. I think that’s because their solutions like Jamf Pro that allow it to be easier for an organization to manage Macs, where that’s always just been a PC thing. When you’re at work, it was a PC of some variation. Because PCs were so dominant in enterprises and organizations, hospitals and schools, they’re an easy target, because there’s so many of them. It’s like shooting fish – not shooting fish in a barrel. That’s a bad – Oh, wait. Yeah, there’s more fish in the barrel, that’s what that means. Yeah, there’s more targets.
[00:14:09] CS: Shooting a barrel full of lots of fish.
[00:14:11] KC: Yes, exactly.
[00:14:12] CS: Okay. You’re going to hit something.
[00:14:14] KC: Exactly. They were an easier target. I don’t necessarily think that it was easier to attack a PC from a functional level than it was to attack a Mac. I think it’s just, it was based off numbers and now those numbers are starting to get a little closer. Also, a lot of people use Macs from the individual consumer, like at home.
If you’re trying to attack an individual, you can have a better chance if you know their system and that stance. I don’t think they were always safer than the PC from a technical standpoint. I don’t know. There’s so many different ways to argue that point, because from a hardware perspective, because there are so many variables in vendors, there could be different physical security risks, because of the hardware differences, where the Mac, that hardware was always really controlled. I think it just comes down to your interpretation of security. I think they are more on an even playing field and they definitely have a similar landscape now for sure.
[00:15:31] CS: Yeah. I think it was not so much attacks in terms of hackers, but I just feel – I remember hearing that viruses were customized so much to PCs that exactly people who are like, “Well, it’s not going to necessarily come through my e-mail, because it’s not really Mac-specific.” I feel at this point, there’s just a lot of everything, right?
[00:15:48] KC: Yeah, exactly. A 100%.
[00:15:51] CS: Okay. Can you speak at all to – this is something that we had a suggestion from someone in staff here. I think they heard it on a podcast somewhere, but speaking of Apple’s system across multiple types of devices. On one hand, it makes things easier to protect, but it also means that zero-day attacks can be more pervasively destructive as they cover thousands of times the surface area that a target attack might otherwise have. I’m not sure if I’m getting that right, but is there a uniformity of Apple’s structure, or whatever that makes zero days especially vulnerable?
[00:16:28] KC: Apple doesn’t have the same operating system across all the devices. There’s macOS, there’s iPadOS, there’s iOS, there’s tvOS, watchOS. Each device does have its own separated operating system. Apple is taking approaches to make that more uniform, allowing to be able to pick something up from your phone and then be able to pick it back up on your Mac, or on your iPad. They are allowing that cross use against the different operating systems. They are making that more uniform.
I don’t know. I could totally see what the potential risks there, especially as apps made for iPads, or iOS devices being added to the app store and being available on a Mac. Because even though Apple is pretty strict on their developers and what they allow in the app store, I mean, they just had a case recently where they actually notarized Mac malware to be able to be downloaded. Notarization was one of their big security approaches to help only allow things that are authorized and been blessed off.
There’s no perfect defense. You have to be aware of everything. There’s always things that are going to possibly slip in. I do see that there could be potential risk with that for sure.
[00:17:54] CS: Okay. Yeah, so speaking to that, it sounds like it’s pretty hard – Is it pretty hard to get one over via the app store in that way that they were able to authorize this thing? What happened with that? Was it just that it looked very, very realistic and just didn’t – it passed the sniff test or something?
[00:18:13] KC: Yeah, exactly. Then it just turned out to be malware.
[00:18:18] CS: That’s not a common case?
[00:18:20] KC: No. That’s the first I’ve heard of. There may have been more, but that was the first. That was publicly made.
[00:18:25] CS: That was a big knowledge. Yeah.
[00:18:27] KC: Yeah. It’s like, “Oh. Mm.” Yeah.
[00:18:28] CS: Okay. We mostly want to talk – obviously, you’re a bit of a Mac guru here and a Mac enthusiast. We want to talk about Mac-specific security risks that people should be aware of. What are some common errors, first of all that are made by Apple users just out in the world that open them up to big security risks?
[00:18:44] KC: Being careful what you click on. I mean, I think that goes across any user for computer, not just Mac-specific. Yeah, just being cautious of what you click on. Apple does a really good job of trying to put in some protections to the end-user. Not disabling things in the operating system. If you go to Stack Exchange, looking for how to hey, how do I do this really cool thing on my Mac? Then they recommend that you disable internal protections. You shouldn’t do that, just because some dude on the Internet told you to.
[00:19:18] CS: Yes. Not worth it.
[00:19:20] KC: Yeah, exactly. There’s always those targeted tools that are like, let’s clean up your Mac. Here’s your pop-up. That happens a lot on the Mac side, because they are very focused on, “Your Mac is contaminated. You need to download this thing.” I think there’s always that risk. Depending on the type of attack and what the attacker’s motives are, there’s always that sense of urgency. Like, “You need to do this right now, because you’re –”
[00:19:56] CS: Yeah, you’re short-circuiting their common sense. It’s like, right before I can think about it, just do it.
[00:20:01] KC: Exactly. Yeah, you just have to take a step back. Is this really – is something bad? That’s hard. I think there’s always that pressure as a user to just be aware, but people like Macs, because it’s easy to use. They don’t need to know all the ins and outs of everything.
People don’t know where their launch statements are at and that there may be potential persistent tool there. I think it’s just keeping – being patient, being wary of things that they download and click on. Keep the native security functionality that Apple gives you enabled. Don’t turn it off. Just be more investigative into what they want me to add, I think would be my biggest – just for any end-user.
[00:20:52] CS: Yeah, it’s pretty solid. I mean, there’s always that balance between putting it all on security awareness. It’s like, well if you hadn’t thought of – if you hadn’t took that pizza coupon, as we wouldn’t be here, versus the really restrictive endpoint thing of you can’t click on anything without five authorizations. There’s got to be a balance in there somewhere.
[00:21:12] KC: Yeah. I think because of my military background and specifically working in intel, I am naturally more of a paranoid person. I don’t think I am, but I guess I am. I think of the same thing, like just because somebody tells you, “Hey, you should leave your front door open, because it’s going to make your house so much cooler all day,” you’re not going to leave your front door wide open and just let anybody in. It’s just the same thing. Don’t just download this tool, because they’re like, “Hey, your memory is all used up. We can help you there.” Double check.
[00:21:45] CS: Well, I mean, that also speaks to just what people actually do with their computers in terms of – I just use it as a tool, versus I actually understand the behind meetings. You would never blame your house. “Well, I just live here. It’s not like I actually know enough not to lock my door in the front.” A lot of people can give that excuse of, “I just wanted to write e-mail to my grandkids. How was I supposed to know?” What are your thoughts on ways to get that baseline technology people, who are just using what’s known as the easiest interface in a possible way?
[00:22:25] KC: I think Apple does a really good job of they don’t tell the end-user, “Hey, you need to know this.” They have those protections in place, but they’re silent. You’re not going to get a ton of pop-ups, because like, “Hey, we completed a scan. Everything’s good.” Apple has –
[00:22:42] CS: Everything updates behind the scenes while you’re sleeping.
[00:22:44] KC: Exactly. Right. They want it to be easy to use. They want – they’re taking ownership of let’s make it the best and allow for the end-user to have the best experience. Yeah.
[00:23:04] CS: We started with an individual level here, but obviously, most offices even before the pandemic were mixed use in terms of who was using what operating system, or even more so now that people are working from home. Maybe some of them are using a work computer and maybe a little bit of their own devices in the evenings and stuff like that. What are the differences in trying to secure Windows devices versus Macs, or Linux?
[00:23:30] KC: I mean, the biggest differences are the different types of attacks, or just being aware of the different types of attacks and what those different methods look like. I know that having uniform protection across all of the devices you manage seems like it would be the solid thing and the right answer, but you need to make sure that whatever you’re doing to secure your device is specific to that device.
With a Mac, putting in certain root permissions and ensuring the end-users don’t have access from an administrative level to modify things that they shouldn’t be doing is just as important as doing that from the Windows side, but they’re done differently. It’s understanding how they differ and mapping that out.
I don’t think there’s one device hardening plan that you could have as an organization that would fit everything from Windows to the Macs. I do think you have to go through and really understand the differences in those operating systems.
[00:24:40] CS: Do you have any thoughts on how this non-uniformity of devices should be dealt with at an IT level, in terms of making this hardening plan?
[00:24:52] KC: Personally, I think – My IT background started in secure facilities. We didn’t have dedicated InfoSec built out teams. It wasn’t like, here’s your InfoSec department. Here’s your IT department. We were already working on devices that were so heavily secured, that IT was InfoSec kind of a structure. Moving from DOD and federal government to commercial spaces, that’s been one thing that I’ve been shocked by is that there is such a – a lot of the times, there’s such a departmental harsh line on InfoSec and IT. I think when it comes to device management from the IT level and policies that InfoSec are putting in play, I think they need to be closer than they are.
I think, instead of InfoSec being like, “Hey, you need to go enforce all these settings,” IT should be able to have a say and say like, “Well, if we do that, the end-user is going to be – they’re going to be mad and they’re going to just turn that off, or they’re going to constantly put a ticket.”
I would love to see a world where those two teams have a closer relationship, just naturally, there isn’t that separation. Yeah, more cross – that line needs to blur, especially with everything being mobile nowadays. You’ve got to be prepared for that.
[00:26:24] CS: That jumps perfectly to my next question here, because obviously, you mentioned that you are very much still checking your e-mail just before bed and all hours of the day. As the notion of the fixed-day work gets more amorphous and employees work on projects at different points in the day from a wide range of devices, do you have any safety tips to keep you from compromising your company’s valuable files, even if you plan on say, working on some spreadsheets while you’re watching TV?
[00:26:47] KC: Yeah. This is hard and Apple has made it harder, because they have that cross-platform use. I can log into my iPhone with my iCloud information and I can log on to my work computer with my iCloud information. All of that is cross-transferred. The first step I would take is make sure end-users understand acceptable use policy. If they have a work machine, what are they allowed and not allowed to do on that work machine? What personal things can they handle there, as well as on their mobile devices?
If you expect me to have e-mail on my mobile device, are there things I’m not allowed to have on my device, because e-mail’s there? I think there needs to be a lot more education to employees and staff on acceptable use, instead of just a super dry 10-page contract in your employee handbook, where people just sign it. I think there needs to be clear boundaries there.
My phone is my most personal device that I could have. My banking information is there, my family’s photos, my routes that I take. When I go for a run, I log on my routes. If somebody wanted to attack me and they wanted to do it when I’m alone and vulnerable, all they need to do is get access to my route plans for my workouts. Acceptable use is the big one there. Really defining out what you’re okay with from your end-users and where that bleed of personal and work is allowed to cross.
[00:28:39] CS: Without going into, or I guess maybe going into specifics, but how do you secure – What are your steps for your – Because I think a lot of us have that back of head feeling like, “Oh, I probably should be more secure on my mobile devices.” What do you do to give you the peace of mind to go running and not worry about your schedule being hackable?
[00:28:57] KC: I do two-factor for everything. I don’t do the same password. I love Apple’s random password suggestion tool that they have when you’re creating new accounts. I’ve slowly started moving into the Apple account that they have been out announced. I think it was last year at their developer conference, where you can now sign in with Apple when creating new apps. I’ve tried to migrate to that, because they don’t share your e-mail address.
I do a lot of research on apps and software that I use on what do they – what of my data are they going to publish? Where is that going to get sent? A big part of the intel piece that I did was location data. I’m more cautious on location information. I don’t tag I’m at this place on Instagram. I try and avoid that as much as possible. I am not some celebrity, where people are going to be like, “Oh, she’s at Starbucks on 54th Street.” I don’t have to have that concern.
I do think there’s a lot of people that do have that draw to them, or if people are wanting to know where you are at, because of what they’re putting out on social media, it is easy to find. The running app I use is not a community-facing one. My routes are not published to a community for people to give me kudos. I don’t want that out there like that, because there’s a ton of applications that do that and people don’t realize what they’re giving out. Again, I’m just more paranoid than the average person.
[00:30:46] CS: I think that’s worthwhile. There is definitely that feeling of yeah, catch me at the 7-Eleven here or whatever.
[00:30:53] KC: Exactly. I also listen to a lot of true crime. I’ve always been a big true crime fan. I’ve always got that caution behind me.
[00:31:02] CS: Oh, the more that you listen to, especially from the 70s, you’re just amazed at people’s in their windows and their doors and they’re nothing as secured at all.
[00:31:08] KC: Yeah. Who sleeps with their window open all night on the first floor.
[00:31:10] CS: Yeah. Sure. Why not? What’s the worst that could happen?
[00:31:12] KC: Crazy people.
[00:31:15] CS: For listeners who are maybe trying to break into cybersecurity, we have a lot of listeners who are just considering security as a stepping stone, or a first step. Obviously, there’s some other platforms that have specific certifications. There’s Linux Plus, there’s MCHE. Is there an Apple specific certification? If not, what do you go about – what do you study to study Apple security?
[00:31:42] KC: The only Apple certification from a security level that I’ve seen is I want to say, it’s a company called Black Bag. I think that’s the name of it. Yeah, Black Bag Tech. They have an Apple forensics course. Investigating Apple from more on the analyst side of things. That’s one of the first ones I’ve seen that’s been focused on Apple, covering iOS and macOS.
Yeah, there isn’t a ton. I mean, there’s certifications for being Apple administrators. Jamf has a few that we offer, but not a ton that’s focused on security. One thing that I don’t think a ton of people know is Apple produces a platform security guide that’s made available to the public. They updated every OS, or just changes.
[00:32:33] CS: I did not know that.
[00:32:35] KC: It’s a beautiful document. I mean, they really cover why they’ve taken these approaches, what enhancements they’ve done and they get into that technical deep. If you’re wanting to know more on Apple’s just general security approach, that’s such a great place to start.
[00:32:51] CS: Okay. I’m guessing, if you’re learning to secure multiple different types of operating systems, PCs, Apples, Linux, it might be trying to learn Spanish, Portuguese and Catalan all at the same time. There’ll be a lot of similarities, but enough variances that it might be hard to keep track of what goes where. Can you speak to learning about security issues that vary between different types of OS’s?
[00:33:14] KC: Yes. I think, understanding the fundamentals of what cybersecurity means. There’s network security vulnerabilities that could affect multiple OS’s, social engineering tactics, what potentials could happen to that end-user. I think starting with fundamentals is such a great place to begin, obviously. I mean, a lot of people don’t even think about that. They’re like, “Well, I want to be a Linux security admin. I’m going to start here.” It’s like, I think you should take at least five steps back. Go through just basic InfoSec practices. Just get used to the terminology. Get used to types of attack.
People don’t realize that when you say viruses and trojans and ransomware and malware, also can be interchangeable depending on the tech, depending on the techniques that hacker has taken. I think start with the basics and then build that path from there. There’s so much information out there and there’s so many different ways to learn. I’m very hands-on. I have to observe somebody actually doing things for it to really set into me, and I have to do a lot of correlation. Or not correlate, like association.
When I think of investigating a cyber threat, I think like a police officer. I have to build my evidence. I have to understand its storyline, or build up that timetable. I think very much like that, because I’m a true crime fan and I put that association there.
[00:34:52] CS: Cool. As someone who’s come to this through a securities route, what job or learning tips do you have for professionals that want to get into this type of field, or these specific types of security work? Are there any particular job titles to aspire to if you want to work on security at this level?
[00:35:11] KC: I would recommend – I didn’t take a traditional path to be in a security role. I love the idea of starting out as an analyst. Working in a SOC, actually seeing data as it’s flowing through getting your hands dirty in data, I think is super helpful. There’s so many routes you can take. You can be a SOC analyst. You can work on the developer side, work for a company, making security software and be an engineer, or build Python scripts for testing companies. The cybersecurity world is just so big and there’s so many chances there. I mean, I still don’t a 100% know what I want to do when I grow up and where it’s going to lead me.
[00:36:06] CS: We’ll figure it out.
[00:36:07] KC: Yeah, exactly. Most companies have a C-suite level position that is in charge of security, information security, or security as a whole and physical. I think, starting from the analysis level, because you’re going to see the data, meet that telemetry, I think would be really helpful. There’s so much information out there. There’s so many blogs.
Actually, speaking of Mac specific, or Apple specific, two really great blogs that I would love to just plug are Objective-See, which is Patrick Wardle’s blog. He is a Jamf employee, but he is this crazy Mac security genius. He has some great free tools that he’s built. I mean, he blogs all new Mac threats as they come available. Really amazing, amazing tool. Just his blog alone, just a knowledge source is awesome. Then also, the blog called the MIT and Mac, it’s all on Apple forensics, or just Mac forensics and understanding that security side of things.
[00:37:16] CS: Okay. As we wrap up and we start moving into the speculative area of things, based on current business practices at Apple, do you have any thoughts on what future security issues might – where they might be coming from? I know that there were some ads on some NFL games recently where Apple was stressing user privacy. Whether there is or not, they definitely see a perception issue in terms of how people view their privacy and things. I know, it’s not necessarily for you to speak about it, but do you have any thoughts in the directions of security and privacy issues in the coming years?
[00:37:46] KC: Okay. I personally have very different opinions, because I’ve worked as an analyst analyzing data. The more data you have, the easier analysis is and the easier you can build your assumption. You can make facts out of different pieces of data, because you can build out a full story.
I love the idea of having access to data, but then I think from a personal level, do I want everybody to know all of that about me? Heck, no. I think a lot of people don’t realize what cyber, or just data privacy really truly means. Like, “Oh, well. I’m just so-and-so living in Iowa. They don’t really care about me. Of course, they can just have all my information.” You don’t really know what that could lead to, how that can be affected and there’s a lot of great uses to user data as well. It’s such a fine line, like from a marketing perspectives, making it easier for you to find things that oh, you really like this, you’ll also really love this. That kind of thing. I respect Apple’s approach.
On the Windows side, with Windows 10, I don’t think people realize how much of their data was being able to be extracted, like all their Cortana usage. All of that was just turned on by default and I don’t think people were aware of how much of that information could have gotten.
[00:39:13] CS: Oh, yeah. It’s a whole other labyrinth. Yeah.
[00:39:15] KC: Exactly. I don’t know what that’s going to look like. I think there’s going to be a lot more focus on Apple security. I think there’s going to be a lot of people who want to get those gotcha moments. I took advantage of it. I was able to hack Apple and I think there’s going to be a lot of attempts like that. I don’t know where it’s going to be.
It’s such a hard question. I think Apple is definitely going to get bigger. There’s going to be a lot more adoption for larger organizations for sure, coming in the next couple years. I think they’re going to be a bigger player and they’re going to have a bigger target for sure.
[00:39:51] CS: Okay. As we wrap up today, tell us a little bit about Jamf and some of the projects and products that you’re working on right now, or things that you’re excited about, or want to talk about.
[00:40:00] KC: Jamf is an Apple management provider. We provide Apple management software. It’s such a cool company. This is one of the first places that I’ve worked at that I’m like, these are my people that get me.
[00:40:16] CS: It’s a nice feeling.
[00:40:18] KC: Yeah, I love it. Our approach of helping organizations succeed with Apple, that’s the company motto. It’s so simple, but it’s perfect. We just want you to have a better experience using Apple products in your organization, whether it’s a school, a hospital, financial institutions. We want to have across the board, you have a good experience.
With that and as things have changed, we introduced Jamf Protect, which is our security solution. I’ve been heavily focused on that. I love the possibilities of where it can go. It’s a very different approach to third-party security software, because we took the approach of what we thought would be as respectful to Apple as possible, or just respectful to the OS. What is already in the Mac OS and what will work best with that. Still, give administrators and security teams the level of information that they need without impacting the end-user.
Like I said, we’re not like and have pop-ups like, “Hey, scan complete. You’re all clear.” That’s just not part of our product, because it’s not something we thought Apple would do, because that’s not something they’ve done. When it comes to security software, I think if an institution has more visibility, if they can see what’s happening, they can loosen the reins of restrictions. If you have more insight and you know what’s going on, then maybe you don’t have to be so controlling and push things down, because you can have a little bit more peace of mind. I think that’s something really unique that you get with Protect.
[00:42:05] CS: Yeah. I think that’s worth noting in terms of like you said, people – It just comes down to their perception of like, “I don’t really know what’s going on back there, so let’s just turn all the protections on,” and so you can be more freed up if you know someone else is at least minding the store.
[00:42:19] KC: Exactly. Yeah. No trust, because I can’t see it. If I can’t see it, I’m not going to trust it. Yeah.
[00:42:26] CS: Great. Last question, for all the marbles, if people want to know more about Kelli Conlin or Jamf, where can they go online?
[00:42:31] KC: Obviously, jamf.com. I’ll talk about Jamf first, because there’s way more that has access to –
[00:42:36] CS: That’s J-A-M-F for those of you who are –
[00:42:38] KC: J-A-M-F. Yes. If you’ve ever had any question from a technical level on Apple, if you’ve Googled anything, I guarantee you’ve probably come across a Jamf Nation post. Jamf Nation is our users’ community. You don’t even have to be a Jamf customer to be a part of Jamf Nation. It’s a Mac admins’ community. It is the coolest thing and such a big part of Jamf and why I wanted to come work at Jamf.
Definitely, jamf.com, we’ve got Jamf Nation and they’ve got – Oh, I’m going to get yelled at. I think it’s @JamfSoftware on Twitter and Instagram from the social media perspective. I have social medias. My Twitter is retweeting Real Housewives and posting about maps and security.
[00:43:31] CS: Okay. No worries.
[00:43:32] KC: It’s a craziness. I mean, I’m on LinkedIn. Would love to connect to people there. Message them.
[00:43:37] CS: Perfect. Okay. K-E-L-L-I Conlin. C-O-N-L-I-N.
[00:43:40] KC: Exactly.
[00:43:41] CS: All right. Kelli, thank you for being our guest on Cyber Work today. It was a lot of fun.
[00:43:44] KC: Yeah, thank you so much for having me. This is a podcast dream. I’m a big podcast fan, so this is super exciting.
[00:43:49] CS: Oh, fantastic. That’s great. Both of our dreams came true today then. Thank you. To all you listeners whose dreams came true as well, thank you for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with InfoSec. Check out our collection of tutorials, interviews and past webinars.
If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts, so you can just search Cyber Work with InfoSec in your favorite podcast catcher of choice. As ever, if you’d like a free month of our InfoSec skills platform, which includes hundreds of cybersecurity classes and evaluation exams and cyber ranges, just go to infosecinstitute.com/skills, type in promo code cyberwork. C-Y-B-E-R-W-O-R-K. No capital letters, and you get one free month.
Thank you once again to Kelli Conlin and thank you all for watching and listening. We will speak to you next week.