Not external or internal: Midternal attackers are today’s biggest threat

If you walk around the trade show floor at any security conference you’ll see lots of devices aimed at solving your external attacker problems: firewalls, spam filters, intrusion prevention systems, really big safes, etc. There’s also a fair amount of focus recently on internal attackers and tools like digital rights management systems, policy enforcement agents, etc. Some of the biggest risks to organizations today come from midternal attacks. These are attacks that aren’t quite external, not exactly internal, but an appealing mix of the two.

Midternal is a word I made up so it probably needs definition:

midternal attack (mid-ter-nal at-tack) noun: Attack perpetrated by a partially trusted entity. This entity may be authenticated, yet heavily restricted by design. Due to poor internal barriers and untested security controls for authenticated users, the attacker is able to escalate privilege.

Midternal vulnerabilities are rampant on the Internet in my experience. I think it comes from the mentality that once a user is authenticated, the amount of security (or security testing) of the software that keeps the boundary between users needs little attention.

Many websites make it easy to get some sort of restricted account either by signing up for something, volunteering some demographic information or buying something cheap. Each account is then partially trusted to some degree and in my experience most corporate security spending is on fortifying the boundary between the internal network and an anonymous user. This leaves the wall between users paper thin.

A related phenomenon is that authenticated connections are often encrypted which–depending on the architecture–could create a pipe that flows unimpeded through intrusion prevention systems and web application firewalls. Sending malicious data through an encrypted connection can negate some of the network defenses that have been put in place to protect against the true external attacker.

Someone I met at a conference recently told me he had previously worked for a small electrical parts company that was submitting a competitive bid to supply light fixtures to a Fortune 500 company through their vendor portal. Within 10 minutes of registering his company on the portal he found that with a couple of keystrokes (through a common software attack known as SQL Injection) he could see the bids of all of his competitors for that job. Needless to say his company won that bid and every good contract for electrical supplies thereafter. And they actually charged the Fortune 500 company more than they intended to by pricing just below their closest competitor. 

To battle midternal attacks we need to ask tough questions and think broadly about who an “authenticated” user is—it could be someone who’s created an account that just gives them access to newsletters about your company. Consider these questions:

How easy is it to get an account on one of your systems or to become an authenticated user? Think in broad terms of customer portals, partner sites, vendor bidding/proposal sites, HR portals, etc.

What existing security or intrusion prevention controls are negated if a user is already authenticated?

What kind of security testing is done as an authenticated user?

How difficult is it to revoke individual accounts (or shared accounts) on externally facing sites? For example, what happens if someone from one of your trusted partners quits his job where the whole company uses one account to a system?

Bad guys sign up for accounts, free promotions, newsletters, vendor portals, etc. too and its easy to indirectly extend more trust to those folks than we ever intended to.