Most organizations spend a lot of time working on making their external network perimeter as resilient to attack as possible—and they should! The relentless scanning and probing of automated bots and enthusiastic hackers around the world should convince every organization to be very careful before deploying a new Internet-facing system and should remind them to test and re-test those exposed systems frequently. Unfortunately, the recent Sprint data breach (https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/) reminds us that external network security is not enough. Although many organizations (including Sprint) have implemented multi-factor authentication on their Internet-facing systems, very few have such security measures on their internal applications and networks.
But the bad guys are outside my network, right? This is a long-standing assumption that conveniently justifies the lack of internal security measures typically seen on nearly every corporate network ever examined by security assessors or pen testers. The reality is that hackers from around the world find themselves on internal networks every day (just like burglars commit the majority of their crimes inside houses). The lack of security on most internal networks makes the job of internal network exploitation very simple. In the case of the recent Sprint breach, their internal portal required a mobile number as the username and a four-digit PIN as the password. Since there was no limit on the number of unsuccessful PINs an attacker could submit, logging in to the system was a freshman-level scripting project. But this isn’t surprising. Most internal penetration tests turn up world-readable file shares, user accounts with super-weak passwords (I’m thinking of admin/admin or test/test), and plenty of web servers requiring no password at all. We excuse these security lapses because they’re “behind the firewall,” or as the Sprint spokesperson said, “…we do not believe customer information can be obtained without successful authentication to the site…”
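To make the PIN problem concrete, here is an added example (not code from the post or from Sprint) of the control the portal lacked: a per-account failed-attempt counter with a temporary lockout, checked by submitting all 10,000 four-digit PINs against a constructed account store. The account number, PIN, thresholds and lockout duration are all assumed values chosen for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout."""
    max_failures: int = 5            # consecutive failures before lockout
    lockout_seconds: float = 900.0   # how long the account stays locked
    failures: dict = field(default_factory=dict)      # account -> count
    locked_until: dict = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record(self, account: str, success: bool, now: float) -> None:
        if success:                       # a good login clears the counter
            self.failures.pop(account, None)
            return
        n = self.failures.get(account, 0) + 1
        if n >= self.max_failures:        # threshold hit: lock and reset
            self.locked_until[account] = now + self.lockout_seconds
            n = 0
        self.failures[account] = n

# Constructed account store: phone number -> 4-digit PIN. A real system would
# store a salted hash and never keep PINs in clear text.
PINS = {"5551234567": "4821"}

def login(throttle: LoginThrottle, account: str, pin: str, now: float) -> str:
    """Returns 'ok', 'denied' or 'locked'. The PIN is compared only when unlocked."""
    if throttle.is_locked(account, now):
        return "locked"
    ok = hmac.compare_digest(PINS.get(account, ""), pin)
    throttle.record(account, ok, now)
    return "ok" if ok else "denied"

def guess_all_pins(throttle: LoginThrottle, account: str, now: float) -> dict:
    """Submit every PIN 0000-9999, as the post describes, and tally the outcomes.
    This is the check a defender runs to confirm the lockout actually fires."""
    outcomes = {"ok": 0, "denied": 0, "locked": 0}
    for i in range(10000):
        outcomes[login(throttle, account, f"{i:04d}", now)] += 1
    return outcomes

# Weak setting (no effective limit, like the portal in the post) beside the corrected one.
UNLIMITED = LoginThrottle(max_failures=10**9)   # every PIN gets evaluated; the right one hits
LOCKOUT = LoginThrottle(max_failures=5)         # only 5 PINs are evaluated, then 'locked'
```

A lockout by itself lets anyone who knows a phone number lock that customer out, so in practice it is paired with per-source rate limiting and alerting on bursts of failures rather than used alone.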
What’s the solution? CIOs and IT Directors need to require strong security inside their network as well as on their network perimeter. We all need to quit winking at security theater for internal systems and recognize that internal systems are not out of the reach of cyber adversaries (including internal systems on air-gapped networks). Will this cost more money? Probably. But whatever money Sprint saved by not implementing strong security on their internal employee portal (and it would have been minimal) will be far exceeded by the unplanned expenses they will incur as they investigate and respond to the data breach. And what of the systems already deployed with weak security on internal networks? IT leaders need to start inventorying these “security legacy systems” and fund efforts to upgrade these relics or correct their security weaknesses before the security-debt bills come due in the form of data breaches and incident response engagements.