informa
4 MIN READ
News

PenFed Breach Shows That Endpoint Compromise Can Affect Database Security

Infected laptop led to database breach, credit union says
While many database security pros worry about insider threats and privileged access, a recent breach at Pentagon Federal Credit Union suggests that a "simple" endpoint malware infection could be just as dangerous to sensitive data stores.

An intrusion found by PenFed investigators in December came to light last week, following the publication of a notification letter sent by the financial outfit to the Attorney General of New Hampshire, which informed the state government of a breach that affected 514 New Hampshire residents -- and potentially thousands more across the country.

"PenFed discovered on or about December 12, 2010 that a laptop had been infected with malware that permitted unauthorized access to a database containing names, addresses, Social Security numbers, PenFed account numbers, credit card numbers, and/or debit card numbers for PenFed members, joint owners, former members, employees and beneficiaries," wrote PenFed's attorney Mark Schreiber.

While credit union officials have not disclosed the total records exposed by this breach, the number of New Hampshire residents affected offers a good clue that it likely will hit tens of thousands of current and former Pentagon workers. By comparison, a recent breach of Twin America that exposed 100,000 records affected a little more than half the number of New Hampshire residents affected by the PenFed breach.

According to the Privacy Rights Clearinghouse database, malware-induced database breaches made up about 33 percent of all publicly disclosed breach incidents tracked by the organization in 2010. And the recent 2010 State of Endpoint Security report released by Ponemon Institute on behalf of Lumension found that 43 percent of respondents reported a dramatic uptick in malware in 2010.

Seemingly inconsequential endpoints could be convenient launching pads for hackers to pry their way into sensitive databases, experts say. According to Roger Kay, of analyst firm Endpoint Technologies Associates, hackers depend on simple social engineering attacks to gain footholds within endpoints that enable more complicated attacks further down the line.

"All it takes is an unwary individual to actuate the payload, and you're in business," Kay says. "Let's say that an executive goes to the wrong site or has an email that looks like it's from a friend and says, 'Click on a link.' And then the link takes them to a drive-by situation where they get a download they didn't want."

From there, malware packages have evolved to the point where they can be installed in several stages.

"Packages can be assembled from multiple places around the Web," Kay explains. "You start off where someone gets a component, and maybe that component doesn't do that much -- but it knows how to call back to the Web, asking for different components from other servers.

"And so the next time it's connected, it says, 'Give me that second piece of the payload,'" Kay continues. "And then it starts to assemble itself, and even has the ability to recompile itself in the computer -- until finally, you have a payload that's pretty dangerous."

The dangerous malware can start exploring within the network and probe for vulnerable databases and caches of information, Kay says. Behavioral analysis of database activity can go a long way toward detecting anomalous behavior from endpoints that might typically access database information only on a limited basis, he says.

But today's savvy hackers have automated ways to slowly leak information in a way that could look similar to normal user behavior. Kay believes better authentication and verification of endpoint protection prior to connection with important assets could help.

"So let's say you have a trusted platform module in there, and it has some unique identifier," Kay says. "And during your load sequence, you've basically told it, 'Here's John Doe, this is his user name, this is his password, here is a summary of his biometric information, here is a summary of his equipment.'

"All that stuff has to blend and create a hash that matches on the inside before you let him do anything," Kay explains. "Let's say he doesn't quite meet it -- or his antivirus has fallen out of date -- then you can send that system to a remediation area that's walled off from the rest of the database."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.