Authentication: Don't Forget Endpoint Protection

Google recently stated that none of its 80,000 employee accounts using their Titan Security Key has been compromised since deployment. This is because this hardware authentication device is a possession factor that cyber criminals cannot electronically steal as they do passwords. But, as great as this and tools like it are, they are susceptible when the endpoints using them are compromised. Read on to learn more about how your different authentication mechanisms depend on endpoint protection, as well as the one capability you need for this but may have never heard about.

Authentication is the First Floor of the Security High Rise: If it Crumbles, All Else does too

Without authentication to establish the ‘who’, authorization’s function of enforcing ‘what’ the ‘who’ may do becomes pointless. Similarly, what good is the audit function of recording ‘what’ was done if ‘who’ is unknown? Confidentiality (e.g., encryption) and integrity (file and record changes) suffer if not just ‘who’ but anyone can decrypt this or change that. And if anyone can do anything, then we cannot be confident that special resources are available when the correct ‘who’ needs them. Whether you know it or not, nearly everything you do with computers involves these matters. So, clearly authentication is critically important.

And this explains why cyber criminals focus so much of their efforts on stealing credentials. In fact, when they aspire to steal the corporate jewels of some enterprise, they need to compromise not just the one endpoint with the jewels but a number of them. What you might not know is that the adversary does not want to have to infect each of those endpoints. They rarely take that approach because it’s too much work. Instead, the adversary steals credentials/accounts and uses those to compromise other endpoints, which is much easier.

Google’s Titan Security Key

Google has recently revealed that some 80,000 employee accounts have yet to be hijacked or compromised since they began using their Titan Security Key for authentication. This possession factor cannot be electronically stolen and replayed by an adversary, unlike passwords. Any enterprise can buy these keys, or similar devices from other vendors such as the YubiKey. They make life more difficult for the adversary, but not impossible.

The Endpoint is the Foundation for the Security High Rise: If it’s Compromised, All Else is too

Authentication functionality is performed on endpoints, whether laptops, desktops, servers, containers, or even microservices. Perfect authentication cannot save the day when the endpoint is compromised. For example, suppose a Google Titan Security Key successfully authenticates from an endpoint compromised with malware. Bad things can still happen. First, the malware can perform covert operations during the authenticated session. Imagine that the portal is a banking portal and the malware is transferring funds while you’re connected, yet you don’t see a thing.

Second, the malware can steal the session identifier or cookie to extend the session after you, the user, think you’ve logged off. This is more difficult but doable. There have even been examples where the session identifier/cookie has been used from a different endpoint. This is even more difficult, and the web portal should be implementing countermeasures to thwart this. Yet, it happens.

And lastly, if you’re using a smart card for Windows authentication, your security people need to know the risks posed by legacy authentication protocols (NTLM) that are still in use in most enterprises. Even when an end-user logs in via a smart card, Windows (NTLM) generates a hash that is kind of like a password in that it can be stolen and replayed to represent the user that logged in with the smart card. Worse, this hash never changes for that user account unless it is manually made to. Consequently, the adversary can electronically steal that hash with malware to impersonate the end-user elsewhere in the enterprise where NTLM is used. There are Windows Group Policy settings to mitigate these risks, as well as an open-source PowerShell script that will periodically reset that hash. Ideally, one removes all remnants of NTLM from the enterprise. Unfortunately, legacy requirements can be difficult to overcome. If they cannot be, then your organization needs something on the endpoint to prevent the adversaries from accessing these hashes from the memory of the Windows lsass.exe process.
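One way to do the periodic reset mentioned above, as an added example rather than the open-source script the post refers to: for every Active Directory account that requires smart card logon, clearing and re-setting the SmartcardLogonRequired flag makes the domain controller assign a fresh random NT hash to that account, so a copy stolen earlier from lsass.exe no longer works. It assumes the ActiveDirectory PowerShell module (RSAT) and an account permitted to modify those users; the log path is a placeholder.

```powershell
# Added example (not the page's script): rotate the NT hash of every
# smart-card-only account by toggling the SmartcardLogonRequired flag.
# Each change of the flag causes the DC to generate a new random NT hash,
# invalidating any copy previously captured from lsass.exe memory.
# Assumes: ActiveDirectory module installed, rights to modify these users.
Import-Module ActiveDirectory

function Reset-SmartCardNtHash {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$LogPath = "$env:ProgramData\SmartCardHashReset.log"  # placeholder path
    )
    # Only accounts already enforcing smart card logon are touched.
    $users = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' `
                        -SearchBase $SearchBase -Properties SmartcardLogonRequired
    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Rotate NT hash')) {
            try {
                # Flip the flag off, then back on: the second write leaves the
                # account smart-card-only again but with a brand new NT hash.
                Set-ADUser -Identity $u -SmartcardLogonRequired $false -ErrorAction Stop
                Set-ADUser -Identity $u -SmartcardLogonRequired $true  -ErrorAction Stop
                "$(Get-Date -Format o) rotated $($u.SamAccountName)" | Add-Content $LogPath
            } catch {
                "$(Get-Date -Format o) FAILED $($u.SamAccountName): $_" | Add-Content $LogPath
                # Never leave an account with the requirement cleared.
                Set-ADUser -Identity $u -SmartcardLogonRequired $true -ErrorAction SilentlyContinue
            }
        }
    }
}

# Preview first; remove -WhatIf to apply. Schedule the script (e.g. weekly)
# with Task Scheduler to make the reset periodic.
Reset-SmartCardNtHash -WhatIf
```

Each run briefly clears the smart card requirement for one account at a time, so run it outside peak logon hours and review the log for any account that reported FAILED.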

If malware can mess with a hardware authentication device, why bother? Because these devices make the adversaries’ effort thousands to millions of times more difficult. And, if you protect the endpoint, you add more zeroes. Without these, our society is already paying a big price. To quantify, estimate the banking and credit card fees all consumers pay. Half of that may be covering the costs of the status quo.

Don’t Bet the Farm on Two Step Verification (e.g., passcode texted to your smartphone)

If you’re reading this blog post, you’ve probably authenticated to something that required you to enter a six-character passcode that was texted to your phone. Search the web for “SIM swapping”. You’ll find many stories of enterprises and cyber savvy people learning the hard way that two step verification is very beatable. The adversaries take advantage of your smartphone carrier’s need to allow its customers to get a new SIM card when needed. One of these carriers currently faces a lawsuit from a customer that lost $24 million in cryptocurrency because someone fooled the carrier. In short, cyber criminals are social engineering the carriers to beat your two step verification.

The good news about two step verification is that it typically is ‘out of band’ relative to your laptop/desktop because the passcode arrives via the end-user’s smartphone. So, the bad guy would need to compromise two endpoints with malware: the smartphone and the laptop/desktop. Unfortunately, one can receive SMS text messages via applications on their laptop/desktop too, reducing the attack to one endpoint again. Worse, two step verification is highly vulnerable to man-in-the-middle attacks. In short, you think you’re logging into that bank portal, but instead you’re logging into a fake website, which is in turn logging into the actual bank site with what you typed. Because the Google Titan Security Key is PKI based, it is much less susceptible to man-in-the-middle attacks.

Two-step verification is better than just passwords, but ONLY that. If you’ve got something worth stealing, make the move to Titan, YubiKey, or another.

Password Manager Applications are Valuable, but the Endpoint is the Soft Underbelly

Password manager applications address at least two shortcomings of password based authentication. First, too many people use weak passwords. Second, too many people reuse the same passwords for many different portals/resources. The latter bears a little more explanation. As each website/portal is compromised over time, you should expect that the stolen credentials are sold or donated to the dark web. The stolen passwords are organized by email address and other data. So, if you re-use the same few passwords on different sites, odds are that eventually a cyber criminal will hack one of your accounts. The password manager application makes it much more convenient for us to use strong passwords and use different ones for different sites.

Password manager applications are great. I use one and recommend you do so. That said, they too are susceptible to malware on the endpoint. When you copy/paste a password from the password manager application to wherever it is needed, malware can copy that from the clipboard. So, install the web browser add-on associated with your password manager application. It’s not impervious to sophisticated malware. But, the different vendors employ different mechanisms to make compromising your passwords much more difficult. Even so, they can only do so much if malware is active on the endpoint with high privileges. You need rock solid endpoint protection to make these tools even better.

Cyber Criminals Steal Passwords Stored by your Web Browser

The web browser makers do what they can to make credential theft from their stores difficult. However, there are loads of tools that any cyber criminal can download to harvest passwords from a victim’s web browser. Here are a few for Firefox: PasswordFox, FirePasswordViewer, and Firefox Password Recovery Tool. There are loads more, and I couldn’t tell you if the three I listed are among the better or worse ones. My point is that your web browser is NOT the best place to store passwords. Only store unimportant ones there, if any at all.

Effective Endpoint Protection Maximizes the Value of All of your Authentication Mechanisms

Obviously a traditional antivirus is NOT adequate. When considering a tool for securing your authentication, weigh real-time protection over ‘detect and react’. The latter means the adversary may have hours to months on the endpoint before the ‘react’ nullifies the malware. Select a tool that doesn’t rely solely on telling good from bad among things coming into the endpoint, and that doesn’t have to successfully pierce a disguise (e.g., a password protected document). Also, prioritize tools that effectively deal with fileless attacks. I’m referring to in-memory tactics and those that use the legitimate utilities (PowerShell, cmd.exe, etc.) on our endpoints to do their harmful actions.

Something Else to Seek in Endpoint Protection that may be Unknown to You

Isolation and containment tools strive to keep bad things from getting out of one place to mess with the rest of the endpoint. That’s not what you’re seeking. You want the opposite. You want something to keep ‘the rest of the endpoint’ from messing with one or more special places on the endpoint. Imagine there’s malware on your endpoint and it cannot penetrate the cyber walls between it and one of those special places. You could designate an entire web browser as one of those special places to keep malware from hijacking your web sessions. Similarly, you might safeguard your password manager application. If your endpoint relies on smart card software, you want that protected so malware cannot alter its settings. The more you can divide your endpoint into enclaves or compartments, the better you can maximize the value of your authentication.