Endpoints Gone Wrong
On a rainy Saturday morning in Bethesda, Maryland, an IT staffer of global hotel chain Marriott noticed an alert on his monitor. The date was September 8, 2018, during what should have been an uneventful weekend shift.
An internal security program detected an attempt to access the company’s guest reservation database, flagged it as suspicious, and requested human eyeballs to investigate the issue.
What followed next turned out to be one of the largest data breaches in history spanning several years, and a regulatory fine that could cost the company over $123 million.
Backtracking the Breach
Two days after the alert, Marriott conducted an internal investigation of its systems and discovered two unauthorized programs.
The first catch turned out to be a RAT, or Remote Access Trojan: a malware program that gave the attackers a secret “backdoor” into the Marriott network. The other was Mimikatz, a tool used to harvest credentials such as usernames, passwords, PIN codes, and even security tokens.
Faced with the damning evidence, the global hotel chain hired a third-party investigator to conduct a deeper probe of its systems. Their forensic analysis found something even more crucial. Two months after the initial alert, investigators found that two unknown encrypted files were stored and later purged from Marriott’s network. The contractors were able to recover the deleted files and after a week, managed to decrypt them.
What they revealed confirmed the company’s worst nightmare.
One file contained 383 million guest records from Starwood, one of Marriott’s brands, which includes upscale hotels like Sheraton, St. Regis and Westin. Among the sensitive data were names, emails, addresses, dates of birth, contact numbers, hotel reservation dates, and even communication preferences.
The other file was just as shocking: a table containing the details of 18.5 million passports.
More alarmingly, the malware had been lurking in Marriott’s systems since July 2014, over four years before it was discovered.
How it Began
Investigators believe the whole scheme began with a phishing email, a fake email that includes a malicious link or an attachment (in this case, the RAT program). An employee of Starwood was tricked into downloading the RAT through the email, giving hackers an invisible “foot in the door” to the network.
Through this backdoor, they were able to plant the Mimikatz tool, which scoured the employee’s device for username and password combinations. Once they captured a valid credential, they effectively gained administrator-level access to the system.
In this scenario, Marriott’s database was breached not because of weaknesses in its central IT infrastructure, but because one of its employees’ devices, used to access the network, was exploited.
This is where endpoint security comes in.
Types of endpoint security risks
Knowing the endpoints is one thing, but plugging the attacks that can emanate from these endpoints is a whole other battle. Some of the most common endpoint security risks include:
The most popular and least sophisticated form of attack, phishing is the use of fake messages to gain access. The message ostensibly comes from a trustworthy entity (such as a bank or known company) to trick users into providing personal information or downloading malware. The information or malware is then used to gain access to the user’s system, and from there gain a foothold into the larger network that the user works for.
Apart from the Marriott data breach, phishing is also responsible for the JPMorgan Chase breach that compromised 76 million households and 7 million businesses, and the 2014 Sony Pictures hack that saw private emails leaked, upcoming movies released to torrent sites, and cost the company over $100 million.
Never discount good old-fashioned forgetfulness or physical theft as an endpoint security risk. According to TrendMicro, over 40% of data breach incidents between 2005 and 2015 were caused by lost or stolen endpoint devices like laptops, tablets, and smartphones.
In 2012, a physician’s stolen laptop contained the personal information of over 3,600 patients. The Massachusetts Eye and Ear Infirmary where the doctor was affiliated ended up paying a $1.5 million fine for violating the HIPAA privacy rule.
One of the pains of modern life, constant patches are a slight inconvenience but a necessary evil to keep up with evolving threats online. And yet many companies (even those on the Forbes 500) still neglect to hit the update button.
The most famous example is Equifax’s data breach in 2017. The credit reporting agency failed to patch a glaring vulnerability in one of its servers, which allowed hackers to steal the personal data of 148 million US consumers. The ensuing debacle ended in a $650 million FTC fine and a $77.5 million class-action settlement.
Malicious advertising, also known as malvertising, is a scam that uses legitimate-looking advertisements, and can propagate across reputable websites and social media before being taken down.
In recent years, sophisticated malware has appeared that doesn’t require any user interaction at all. Such “pre-click” malware can be embedded in the main scripts of web pages, so it runs automatically even without being clicked by the user. Host victims include popular sites like The New York Times, the London Stock Exchange, and Spotify.
Similar to phishing, a drive-by download uses deception to trick users into clicking a link or downloading malware. Examples include fake system alerts, anti-virus notifications, or deceptive installation agreements for a program different from the one the user intended to download.
Drive-by payloads can include Trojan backdoors like the RAT, keyloggers that record keystrokes, and ransomware like the 2016 Locky ransomware attack that took advantage of an auto-run vulnerability in Adobe Flash.
Data Loss and Theft
These are not methods of entry but post-exploit effects of an endpoint security breach.
Data loss refers to data being irretrievably deleted. For an individual, this endpoint security risk can be devastating – years’ worth of personal photos, portfolio or correspondence. For an organization, it can be fatal: according to a University of Texas study, 94% of businesses that experience extensive data loss go belly up – 43% shut down immediately, while 51% close up within two years.
Data theft is even more insidious. This means that priceless corporate data, from customer databases to years of R&D, can end up on the dark web or in the hands of competitors.
In 2014, Yahoo suffered a data breach that exposed 1 billion user accounts, the largest of its kind. About 200 million ended up for sale on the dark web, including unencrypted security questions and answers. The incident resulted in a Senate investigation, a $35 million SEC fine, a $117.5 million class-action settlement, and knocked $350 million off Yahoo’s valuation during its acquisition by Verizon.
No other endpoint cyber security risk is as straightforward a form of extortion as ransomware. This type of malware encrypts all of the user’s files, making them inaccessible unless a ransom is paid.
In most cases, the app is disguised as a legitimate program that tricks users into running it; however, newer versions have appeared that require no user interaction, and can travel automatically between computers in a network.
The infamous WannaCry attack in 2017 spread to 150 countries and included victims like Boeing, Deutsche Bahn, FedEx, Hitachi, Honda, Nissan, O2, Renault, Taiwan’s TSMC and Vivo. It also affected government organizations in Brazil, China, India, Russia, the UK, and the US, and was able to extort over $130,000 in bitcoin payments before it was stopped.
The worst thing about ransomware is its indiscriminate effect. Unlike most attacks that deliberately target large enterprises in the hope of monetary gain, ransomware spreads like a virus and can affect virtually anyone, from small mom-and-pop stores and startups to MNCs. Schools, hospitals, and even sheriff’s offices are just some of the victims that shelled out a bitcoin ransom to unblock their data.
A Distributed Denial of Service attack uses a flood of incoming traffic to overwhelm a website, server or network. It uses compromised devices to repeatedly access the target site and eventually exhaust its bandwidth, resulting in a denial of service to normal traffic. According to one study, DDoS attacks soared by 87% year-on-year in 2019, with 16 attempts being made every minute. Of all the attacks made that year, two-thirds were aimed at customer-facing enterprise systems.
Advanced Persistent Threats
APTs refer to groups that gain access to a network and remain undetected for a long period. As the name implies, they are distinct from typical hacker groups in three ways:
- Advanced – They have access to a wide range of both commercial and non-commercial intrusion technologies, including advanced hardware and software available only to nation-state actors
- Persistent – Rather than being short-term opportunists, APTs are content to lie dormant in compromised networks for months or years, similar to “sleeper cells”
- Organized – Compared to informal groups, APTs are highly organized, disciplined and coordinated in their intrusion and execution
In the Marriott breach, US government sources suspect that APTs affiliated with Chinese state agencies were behind the attack. The circumstantial evidence includes: 1) the code and methodology employed are similar to those used by state-sponsored Chinese hackers, 2) none of the compromised data was leaked or sold on the dark web, in contrast to the behavior of amateur groups seeking financial gain, and 3) Marriott happens to be the top hotel provider for the US government.
Likewise, China was also implicated in the Equifax breach. Three years after the incident, a Justice Department investigation indicted four members of China’s military for the attack that compromised the personal information of 148 million US citizens.
In both cases, the APT actors lived up to the word “persistent”: the Marriott intruders lay undetected in Starwood’s network for four years, starting before it was bought by Marriott. At Equifax, the intruders gained access in March but only began acting in July, after weeks of virtual reconnaissance and subtle queries to get a feel for the system. Both incidents also displayed organization: the stolen data was first compressed and broken into chunks, stealthily exfiltrated as part of background traffic, then deleted in an attempt to cover the attackers’ tracks.
Unfortunately, the fact that state-sponsored actors may be behind a breach is of little consolation to the victims. Marriott still faces up to $123 million in GDPR fines, while Equifax had to shell out $700 million in penalties and consumer settlements.
A botnet is made up of devices that have been compromised and can be controlled by unauthorized people. Such devices can be used to send spam, infect other devices, or carry out DDoS attacks as part of a botnet campaign. In effect, each device has become part of a “zombie army” without its owner being aware of it.
In the past botnets were limited to PCs. Today, thanks to the prevalence of IoT (Internet of Things), a wider range of wireless devices are vulnerable to botnet infection. These range from Android smartphones and tablets to smart TVs, CCTV cameras and even smart home appliances like Alexa-enabled lights and microwave ovens.
This endpoint security risk is a double pain because, once infected, a portion of the device’s processing power, energy and bandwidth goes to botnet attacks whenever the device is activated to take part in a campaign.
Macro and Script Attacks
A macro attack uses a virus written in macro language, the kind used by word processors and spreadsheet apps. Hence, it’s most commonly disguised as a Word or Excel document. What makes this endpoint security risk doubly insidious is its form; while most users would be cautious opening a .exe file, a .doc or .xls attachment is less likely to arouse suspicion, particularly if it looks like an office document or sales invoice.
On the other hand, a script attack comes from infected sites or browser-based apps. When a user views such a site or app, it executes a malicious command in the browser without the user’s knowledge.
Both attacks are primarily used as vectors to gain access to the device. For example, the macro attack might be used to download malware automatically, while the script attack may be used to control the device’s webcam, microphone, or steal session cookies (credentials that will allow them to spoof the user on other sites).
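A macro attachment only looks like an ordinary document; its VBA code lives inside the file’s container. The following check, added here as an example rather than Prey’s own code, opens the OOXML (zip) package used by .docx/.docm/.xlsx/.xlsm files and flags any document that embeds a VBA project, whatever its extension says. The sample documents are constructed in memory; legacy OLE2 .doc/.xls files need a different parser and are simply reported as not parsed.

```python
"""Flag Office documents that carry VBA macros before they reach a user.

Added example (not Prey's code): a defender-side check suitable for a mail
gateway or file-share scanner. Sample documents are constructed in memory.
"""
import io
import zipfile

# Part names that hold VBA code inside an OOXML package (Word and Excel).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML document `data` embeds a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False  # legacy OLE2 .doc/.xls: not a zip, needs another parser
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if set(zf.namelist()) & VBA_PARTS:
            return True
        # A renamed VBA part must still be declared in the content-types
        # manifest for Office to load it, so check the declaration as well.
        try:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False
        return VBA_CONTENT_TYPE in manifest


def scan_attachments(attachments):
    """Return names of attachments embedding macros, regardless of extension."""
    return [name for name, data in attachments if has_vba_macros(data)]


def build_doc(with_macro: bool) -> bytes:
    """Constructed sample: a skeletal Word package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ('<Types xmlns="http://schemas.openxmlformats.org/'
                 'package/2006/content-types">')
        if with_macro:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="%s"/>' % VBA_CONTENT_TYPE)
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
        zf.writestr("[Content_Types].xml", types + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    inbox = [("invoice.docx", build_doc(True)), ("memo.docx", build_doc(False))]
    print("macro-bearing attachments:", scan_attachments(inbox))
```

Note that the file named invoice.docx is flagged even though its extension suggests a macro-free document; the container, not the name, is what matters.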
Endpoint Security Challenges
Amid the many ways endpoint security can be breached, there are four main factors that limit an organization’s ability to effectively address these risks.
The first is human behavior. The majority of attack methods depend on human users unwittingly giving access to external actors, whether by falling prey to a phishing scam, neglecting a critical patch, or downloading a malware app or macro attachment. Case in point: just a couple of weeks ago, Marriott disclosed yet another data breach affecting 5 million guests, after two employees were phished.
Second is disjointed security solutions. While a workstation and office server may have all the necessary security software, most mobile endpoints like smartphones and personal laptops may not have the same safeguards. A survey of 588 IT security professionals employed in Global 200 companies found that 67% experienced a data breach in their organization caused by mobile endpoint devices.
Third is limited resources. Even if an organization identifies gaps in endpoint cyber security, it may not have the necessary resources to plug all the holes. For example, not all enterprise security platforms cover devices like Android smartphones and tablets, leaving a chink in its network armor.
The last one concerns evolving endpoint security threats. Each day brings a new virus, malicious code, SQL injection, or piece of malware on the web. Even old vulnerabilities like the ‘90s-era macro virus can get recycled and updated for the new generation of Office 365. Meanwhile, it takes companies over six months on average to even become aware of a data breach (in Marriott’s case, it took 4 years!).
How to protect your organization
1. The first step to safeguarding your information is to get informed. Just by reading this article you’re already halfway there. The other half is getting information about your business endpoints. More specifically, endpoints at the organization-, people-, and device-level.
- Organization – What type of IT setup do you have (Own server, co-located data center, etc)?
- People – What kind of setup did they have before the pandemic (Office, remote, field, co-working space)?
- Tools – What types of business software are used for communication, project monitoring / collaboration, accounting, etc?
2. Once you have the necessary information, it’s time to do something about it and get organized.
- Organization-level: What are the endpoint security risks that need to be addressed on the network side?
- People-level: Group people according to working environment (office vs home / remote), device source and type (personal vs. company provided, PC vs mobile), and even OS (Windows, Mac, iOS, etc.)
- Tools: List the apps and business programs most commonly used by everyone, including specialized apps used by specific departments (e.g., Adobe for the creative team)
3. Finally, with all endpoints identified and organized, get help.
- Organization – What network security platform best fits your specific IT setup? What hardware / software / updates may have been overlooked?
- People – Assuming that the office-based group and those with company-provided devices have the requisite security software, focus on the remote group using their own mobile devices and personal PCs. What security solution best fits the myriad gadgets and OS platforms?
- Tools – Does your current enterprise software cover all your business apps? If not, which ones are vulnerable to intrusion and require additional protection or replacement?
Unified endpoint security software
If you followed the key steps above, one of the glaring challenges will likely be the diverse endpoint devices employed by your team. A security suite for Windows or Mac will be useless for team members who use iOS or Android.
This is where unified endpoint security comes in.
An excellent example of a multi-device, multi-OS endpoint security solution is Prey. Our software combines four critical security components in one convenient app:
Device security – Lost or stolen devices can be remotely screen locked, sound an unmutable alarm, and send a message alert. Front and back cameras, along with nearby WiFi networks, can also be remotely accessed to identify the device’s location.
Data protection – Prey enables partial or full memory wipe of computers, Apple and Android devices. It also supports file retrieval of lost devices via the cloud.
Tracking and location – Devices can be tracked live, on-demand or on a set schedule, using a wide variety of tracking technologies (GPS, GeoIP, and even WiFi triangulation). In addition, boundaries can be assigned to each device, along with automated actions should the device leave the boundary. For multinational teams, the tracking options of each device are customizable to comply with local privacy laws.
Streamlined device management – All enrolled devices can be controlled and managed under a single easy-to-use program.
Prey addresses each of the endpoint security challenges posed earlier. It mitigates the weaknesses in human behavior by ensuring that each device is electronically protected, and safeguarded from loss or theft. In the event of a lost device, the data can be remotely retrieved and the source remotely wiped. In fact, we keep an active blog of lost endpoint devices that were successfully retrieved thanks to the software.
It also addresses the problems of disjointed solutions and limited resources by combining everything in one convenient, multi-device program.
The current coronavirus epidemic, a changing workplace environment, and evolving data security threats mean that endpoint security risks are higher than ever before.
As more people work outside the traditional office, businesses will have to meet the challenge of protecting their data pipeline from external actors, whether it’s ransomware, a new macro virus, or shadowy state-sponsored hackers. Like a goalie in a soccer game, all it takes is one threat that slips through the net to undermine the whole play. In this high-stakes game, it pays to be informed, organized, and protected before the shot.
Your organization deserves no less.