Is it acceptable for an internal HR site to run over HTTP?

Question

Our internal HR site - which has our personal details, payslips, holiday details etc. runs entirely off a basic http site. The site is only accessible within the company network, and can't be accessed e.g. by employees at home (except through a VPN). It can be accessed via our internal Wifi network.

I know https isn't the be-all & end-all of network security, but is this ever 'OK'?

This isn't a small company - it's a major publicly listed UK company employing 10's of thousands. I'd held off saying anything, as they were meant to be replacing the entire system Q1 this year, but this has now been pushed back to 2018.

Keen to understand

1. Whether there is a significant risk from this setup
2. Whether there's a possible breach of UK / EU laws (eg, UK Data Protection Act) associated with this
3. If there are any specific steps I as an individual can do to minimise my exposure (other than not using the site!) to being intercepted.

Network is a mix of wired & wireless. Site can only be accessed internally, or via VPN.

Answer 1

The main motivation for HTTPS is to prevent an attacker from reading and manipulating your communication with a website. So the decision to deploy it on internal sites depends on whether there is a risk of someone tampering with your traffic inside the company network.

If the internal HR site just serves static content that is already accessible to anyone in the company's intranet, then one could argue that HTTPS doesn't add any security because intercepting traffic to that page within the internal network would be pointless.

However, if the site uses a login system and employees aren't trusted to not interfere with the internal network or guests are allowed to access it - then the site should always be accessed over a secure connection.

it's a site we log into (using a password we're forced to keep to max 8 lower-case characters only), where we can view wage slips, personal address / contact details etc.

That is concerning. Not only is the artificial password length limit really low and the lowercase-only restriction questionable. If the site uses plain HTTP, a rogue co-worker (or malware on their machine) could intercept your connection to the page, sniff your password and record your interactions with that site. Since you're saying it's a big company, not everyone accessing it might be completely trusted and hence they should consider deploying HTTPS.

Answer 2

No, this is not safe. You said it's not a small company which means that there probably are people not everyone entirely trusts (which is pretty impossible for > 10 employees) and probably even means that there are some positions which occupied by different people coming into the company and leaving it quite frequently. Probably even just a few weeks for work experience, a summer job, or something alike.

Those people cannot be trusted not to manipulate IT systems they have access to. When sending unencrypted data over ethernet, everyone in-between can read it.

You don't even use challenge-response authentication but a password. This means no elaborate attack involving manipulating traffic live or intercepting packets and sending them after manipulating them or hoping that the otherwise same packets can be sent again after manipulating them when they have been sent to the server before (so the person using the site doesn't notice because they get the response from the server). Instead, one can just record the traffic, analyze it later on, get the password, and have access to the HR site until the password is changed and they have to record the traffic, again.

If manipulation from within the intranet is possible, sooner or later someone will do it. People even make up official announcements when they can:

The employee in this case had altered the Company’s intranet welcoming page with the following message: “500 jobs to be gone at Waterford plant before end of first quarter 2008”.

(http://www.cpaireland.ie/docs/default-source/media-and-publications/accountancy-plus/it/email-and-internet-use-by-employees.pdf?sfvrsn=2)

There are loads of reports (like http://www.askamanager.org/2014/02/ive-been-breaking-into-my-companys-computer-network.html) on the internet where people admit they have been breaking weak security measures. This doesn't even have to be malicious. It can result from boredom, curiosity (In your company's case: Does Mr. Smith really make so much that he's able to afford those 3 nice cars?), over even to increase productivity by destroying security barriers.

There are many recommendations similar to this one:

Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists.

(http://www.twc.state.tx.us/news/efte/monitoring_computers_internet.html)

Of course, that's worth very little if compliance isn't enforced. And your connection is about as open as possible within the company because no transport encryption is used whatsoever and even the passwords are transmitted in plain text. The best way to enforce a policy is by making disregarding it impossible. Of course, that's not always possible, and sometimes there are better ways, but it seems very much like this is both the easiest, best, and most reliable way to go in this case.

This warning is very close to what your company is facing:

In addition to ensuring that they don't run afoul of HIPAA regs, companies need to focus on another critical intranet security issue: internal breaches. Internet security expert Norbert Kubilus, a member of Tatum CIO Partners, said that in most cases, intranet "hackers" are unhappy employees looking to inconvenience the company or gain some personal advantage.

"Most of what I've heard about and observed is internal abuse," Kubilus said. "You can get a disgruntled employee who gets into the intranet and raises havoc by changing vacation schedules or time cards. If you don't have the right protections in place, or the right education and process in place, you leave yourself vulnerable to a disgruntled employee."

(http://www.techrepublic.com/article/intranet-data-requires-a-good-security-review/)

When considering that the data at risk is quite important, it's clear that this is an unacceptable risk. Depending on where your company is located, it might also be illegal to operate the site in that way, e.g. because it contains insufficiently secured personal data.

Telling management that this is illegal (if it is) probably has higher chances security will be improved than telling them the system is insecure.

I don't know about UK law but I think you definitely can't have such a system under EU law and therefore not under UK law.

Following a quick search, I found this EU regulation. A quote of article 32 which could give you hope that it's illegal:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

[...]

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

You can't guarantee confidentiality nor integrity if everyone in the company can access the HR site after watching a 10 minutes YouTube video about how to connect Ethernet cables so their laptop is between the server and a HR computer and a 5 minutes YouTube video of how to use Wireshark to get a password which was sent over the network. Of course, virtually any person who ever played with Wireshark could do that without wasting 15 minutes watching YouTube videos first. ;-)

Answer 3

Lack of HTTPS makes it possible for an attacker on the same network to listen in on the connections to this server and modify requests and responses. This can be used to sniff passwords that HR persons are using, for example.

What exactly "the same network" is depends on your network configuration and how much work the attacker is willing to put into it. It is pretty likely that you would be able to execute an attack from your company computer. Sometimes a man-in-the-middle attack is possible from the parking lot by using the company's WiFi.

Answer 4

There are different problems with HTTP vs. HTTPS and being on an internal network should mitigate some.

• no strong server identification: not important on a internal network, it is unlikely that a fake server could exist in the internal network. Normally such a MITM attack would require administrative privileges, and in a corporate organization, you already have to trust the admins because they manage all network equipments and client machines.
• confidentiality of responses to requests made by authorized employees: it depends whether all authorized access all come from same office (only admins or co-workers with equivelent access permissions should be able to spy(*)) or if any manager can do requests. In the latter case risk of interception of confidential data are important but the (internal) attacker cannot know in advance what information it will gain.
• credential protection: if even the authentication procedure uses plain HTTP, the problem is much more serious. In that case, an attacker could get credentials and be able to issue requests (including modifications) on behalf of a legitimate user: integrity is no longer guaranteed not speaking of confidentiality

Of course, if it is a readonly server, and if confidentiality is not really a concern, HTTP can be used. But as soon as we speak of HR, confidentiality should immediately raise to a medium to high level.

---

(*) in common corporate networks, the usage of switches and proxys only allows to spy exchange on same subnet, except for network admins that can see all unencrypted traffic of their domain.

Answer 5

Since we are talking about HR, and HR usually administers benefits, it is likely they are not HIPAA compliant.

In other words, SSL and TLS usage must comply with the details set out in NIST 800-52. This implies that other encryption processes, especially those weaker than recommended by this publication, are not valid.

link

Answer 6

Clearly its not a great idea, but there are a lot of ifs and buts depending on the overall network configuration.

It's worth pointing out that a malicious admin could install a trusted cert on all machines and intercept all traffic anyway. There is almost nothing you can do to stop a malicious admin.

From a legal point of view the company has to take reasonable steps to secure your data. If a summer intern can intercept the data in transit by hooking up their own laptop then they are not meeting their legal liability. If a skilled pentester requires unsupervised physical access they probably are.

Answer 7

No, this is absolutely not acceptable and depending on your jurisdiction may be illegal to the point of criminal liability.

Most countries have laws in place that basically say that sensitive personal data - and employment records almost always fall into that category - are required to be protected by "adequate technical means".

While the precise meaning of that term is intentionally open to interpretation, courts typically interpret it as such technology which is readily available and common and serves the purpose of protecting the data. In other words: You don't have to invent some new security thing, but if there's some easy, off-the-shelf security measure that other people use and you don't, you are not protecting the data adequately.

HTTPS is very, very common and typically used for precisely such purposes. To not use it is very likely gross negliegence. More specific laws in your jurisdiction might push this higher.