37

Our internal HR site - which has our personal details, payslips, holiday details etc. - runs entirely off a basic http site. The site is only accessible within the company network, and can't be accessed e.g. by employees at home (except through a VPN). It can be accessed via our internal Wifi network.

I know https isn't the be-all & end-all of network security, but is this ever 'OK'?

This isn't a small company - it's a major publicly listed UK company employing tens of thousands. I'd held off saying anything, as they were meant to be replacing the entire system Q1 this year, but this has now been pushed back to 2018.

Keen to understand

  1. Whether there is a significant risk from this setup
  2. Whether there's a possible breach of UK / EU laws (eg, UK Data Protection Act) associated with this
  3. If there are any specific steps I as an individual can take to minimise my exposure (other than not using the site!) to being intercepted.

Network is a mix of wired & wireless. Site can only be accessed internally, or via VPN.

aldredd
  • Thanks for the quick response. My personal thought is that it's likely not _particularly_ terrible that it's over http. Obviously it would be preferable to be using TLS, however if the company network is properly protected (firewall, IPS/IDS, etc.) then it might be okay. I'd wait for someone more experienced to answer though – d0nut Feb 22 '17 at 15:55
  • Acceptable? No. Surprising? No. Sad? Sad! – gowenfawr Feb 22 '17 at 15:56
  • @TessellatingHeckler I know you're addressing aldredd and not me, but to clarify my intention by saying 'outside the network' I specifically meant *only accessible via company provided machines on an internal network or accessible via a secured vpn connection.* I totally understand why people still would want TLS in this instance (trust me; I do as well) but I think that, provided my assumption on accessibility is correct, that there are worse evils that could've been committed. This isn't a super huge red flag in my eyes where I would say you should demand TLS from your employer right now. – d0nut Feb 22 '17 at 21:32
  • To quote from our [help/on-topic]: "Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [..] To get the most helpful answers you should tell us: what assets you are trying to protect, who uses the asset you're trying to protect, and who you think might want to abuse it (and why), what steps you've already taken to protect that asset, what risks you think you still need to mitigate". Also, "acceptable" is subjective. Please edit the question to provide this kind of context. – D.W. Feb 22 '17 at 21:59
  • @D.W - fully agree it's a subjective topic. Given I'm coming from an end-user rather than the network / sys-admin, I've tried re-phrasing the question a little to ask more specific questions. Hope this is more acceptable – aldredd Feb 22 '17 at 22:10
  • No, it should be accessible through Gopher. – DepressedDaniel Feb 23 '17 at 04:38
  • Many thanks for the comments and answers. Some good 'food for thought' in terms of what the risk is. Seems there is a strong element of subjectiveness as to whether there might be a breach in law (specifically UK Data Protection is what I had in mind). In terms of next actions - I might drop a note to our HR team along the lines of 'In light of the HR project being pushed back to 2018, what steps are being taken to make the current system secure in the meantime' – aldredd Feb 23 '17 at 08:42
  • I don't know about breach in UK law, but as a web applications security expert I can tell you this is about as wrong as it gets. And no, this is not a matter of opinion. I just gave a presentation, day before yesterday, at a conference. My presentation was on web application security, and the first item on the "Basics" of attack mitigation was "Require SSL." You may think that using it only internally secures it, but it does not secure it from a malicious or disgruntled employee, and depending on your wifi's encryption, it may be quite trivial to access it from the parking lot. – AgapwIesu Feb 23 '17 at 16:55
  • I can't believe anyone who has any experience at all in web application security can say that it is ok to run a web application over http, when it carries system wide passwords, payment information. Even if it is an internal only website, in a company with 10's of thousands of employees... words fail me! If I was a malicious hacker, I'd be dancing right now, thinking I just found myself a gold-mine. What do you mean "opinion-based"? All it takes is one disgruntled employee, or an opening in your mail-room, or a probably weak wifi, and I'd be rerouting your CEO's paycheck to my bank account. – AgapwIesu Feb 23 '17 at 17:06

7 Answers

43

The main motivation for HTTPS is to prevent an attacker from reading and manipulating your communication with a website. So the decision to deploy it on internal sites depends on whether there is a risk of someone tampering with your traffic inside the company network.

If the internal HR site just serves static content that is already accessible to anyone in the company's intranet, then one could argue that HTTPS doesn't add any security because intercepting traffic to that page within the internal network would be pointless.

However, if the site uses a login system and employees aren't trusted to not interfere with the internal network or guests are allowed to access it - then the site should always be accessed over a secure connection.

it's a site we log into (using a password we're forced to keep to max 8 lower-case characters only), where we can view wage slips, personal address / contact details etc.

That is concerning. Not only is the artificial password length limit really low and the lowercase-only restriction questionable; if the site uses plain HTTP, a rogue co-worker (or malware on their machine) could intercept your connection to the page, sniff your password and record your interactions with that site. Since you're saying it's a big company, not everyone accessing it might be completely trusted, and hence they should consider deploying HTTPS.

Arminius
  • Yes, the short password worries me (ironically, we're forced to do online training on using secure passwords!), however because we have a common password across all systems - from HR to Google Apps to the Mainframe system - it's the 60's mainframe system which doesn't allow longer passwords / upper case / characters. Very frustrating. – aldredd Feb 22 '17 at 16:37
  • @Arminius Some systems (especially older legacy) have such limitations due to the storage engine. I worked for a company with an IBM AS/400 which had a password restriction of alpha (case insensitive) and numbers only up to 15 characters. White space at the end of the password was ignored - all passwords were padded with spaces for 15 total characters. – Der Kommissar Feb 23 '17 at 01:48
  • @Arminius This was also for all users, admins, HR, even customers. And all passwords were in plain text if it's not obvious by now. – Der Kommissar Feb 23 '17 at 01:50
  • Note that there is not even the need to interfere with internal traffic. Imagine someone with a notebook connected to a switch loading the site suddenly stands up and disconnects the ethernet cable. The vast majority of switches will now flood all packets that should previously go to just that one ethernet port out to all others, which will very often contain one tcp fast retransmit packet from that ongoing transfer. So you just need someone to listen with wireshark or similar. – PlasmaHH Feb 23 '17 at 08:55
  • @aldredd "we have a common password across all systems" makes this a serious threat - as long as *one* of those systems uses HTTP, even if it's not sensitive by itself, anyone can sniff everyone's common password sent over the insecure HTTP channel and use that to access all other systems. – Peteris Feb 23 '17 at 11:30
  • To add to this, [you don't even have to pay for SSL anymore](https://letsencrypt.org/)... and it's fairly trivial to set up. Honestly, I see no reason why there is even hesitation to implement it, *especially* for something like the *Human Resources department*, which **handles sensitive information about employees**! – Chris Cirefice Feb 23 '17 at 18:52
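The answer above and the comments under it describe the two things a plain-HTTP HR site exposes: the login credentials (and the shared password Peteris mentions) and the session that follows. The following is an added example in Python, not code from the original answer or from any tool named in the thread; the hostname `hr.example.internal`, the captured request, the cookie name and the user `jsmith` are all constructed. It shows the checks a security team would run before and after the site is moved to TLS: whether the `http://` endpoint redirects to `https://`, whether the TLS endpoint sets HSTS and marks its cookie `Secure`, and, for a request reassembled from a packet capture, whether credentials crossed the wire in the clear. The capture check deliberately reports only field names and the Basic-auth username, never the secret, so the findings can be forwarded to the site owner.

```python
"""Audit helpers for an internal site still served over plain HTTP.

Added example; not from the original answer. Host names, cookie names and
the sample request below are constructed.
"""
import base64
from urllib.parse import parse_qsl, urlsplit

# Form field names that are treated as credentials when posted over http://.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "pin"}
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a common minimum for HSTS


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def audit_cleartext_endpoint(status_code, headers):
    """Findings for the reply to a plain http:// request. The only acceptable
    answer is a redirect to an https:// URL; anything else is content (and,
    later, the login form) served in the clear."""
    h = _lower(headers)
    redirect = status_code in (301, 302, 307, 308)
    if redirect and urlsplit(h.get("location", "")).scheme == "https":
        return []
    return ["http:// endpoint serves content instead of redirecting to https://"]


def audit_tls_endpoint(headers):
    """Findings for the https:// endpoint's response headers."""
    h = _lower(headers)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header, so browsers keep trying http:// first")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            name, _, value = directive.strip().partition("=")
            if name.strip().lower() == "max-age" and value.strip().isdigit():
                max_age = int(value.strip())
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age={max_age} is below {MIN_HSTS_MAX_AGE}")
    cookie = h.get("set-cookie")
    if cookie is not None:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            name = cookie.split("=", 1)[0].strip()
            findings.append(f"cookie '{name}' lacks the Secure flag and will also be sent over http://")
    return findings


def find_cleartext_credentials(raw_request):
    """Inspect one captured HTTP request (bytes, reassembled from a pcap) and
    report credentials that travelled unencrypted. Secrets are never returned,
    only where they were found."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target = request_line.split(" ")[1] if " " in request_line else request_line
    findings = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user = base64.b64decode(token).decode("latin-1").split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = "<undecodable>"
        findings.append(f"HTTP Basic credentials for user '{user}' sent to {target}")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if name.lower() in CREDENTIAL_FIELDS:
                findings.append(f"form field '{name}' posted in the clear to {target}")
    if "cookie" in headers:
        names = [c.strip().partition("=")[0] for c in headers["cookie"].split(";")]
        findings.append(f"cookies {names} sent in the clear to {target}; a session cookie is as good as the password")
    return findings


# Constructed sample: what one login to such a site looks like on the wire.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: hr.example.internal\r\n"
    b"Authorization: Basic " + base64.b64encode(b"jsmith:hunter2") + b"\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: JSESSIONID=constructed-session-id\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user=jsmith&password=hunter2"
)

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUEST):
        print("finding:", finding)
    print(audit_cleartext_endpoint(200, {"Content-Type": "text/html"}))
    print(audit_tls_endpoint({"Set-Cookie": "JSESSIONID=abc; Path=/"}))
```

Feeding the constructed request through `find_cleartext_credentials` yields three findings (Basic credentials for `jsmith`, the `password` form field, and the `JSESSIONID` cookie), none of which contains the password itself. The HSTS threshold and the set of credential field names are assumptions chosen for this example; tune them to the site being audited.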
11

No, this is not safe. You said it's not a small company, which means that there probably are people not everyone entirely trusts (which is pretty impossible for > 10 employees) and probably even means that there are some positions which are occupied by different people coming into the company and leaving it quite frequently. Probably even just a few weeks for work experience, a summer job, or something similar.

Those people cannot be trusted not to manipulate IT systems they have access to. When sending unencrypted data over ethernet, everyone in-between can read it.

You don't even use challenge-response authentication but a password. This means no elaborate attack is needed involving manipulating traffic live, or intercepting packets and sending them on after manipulating them, or hoping that the otherwise same packets can be sent again after manipulating them when they have been sent to the server before (so the person using the site doesn't notice because they get the response from the server). Instead, one can just record the traffic, analyze it later on, get the password, and have access to the HR site until the password is changed and they have to record the traffic again.

If manipulation from within the intranet is possible, sooner or later someone will do it. People even make up official announcements when they can:

The employee in this case had altered the Company’s intranet welcoming page with the following message: “500 jobs to be gone at Waterford plant before end of first quarter 2008”.

(http://www.cpaireland.ie/docs/default-source/media-and-publications/accountancy-plus/it/email-and-internet-use-by-employees.pdf?sfvrsn=2)

There are loads of reports (like http://www.askamanager.org/2014/02/ive-been-breaking-into-my-companys-computer-network.html) on the internet where people admit they have been breaking weak security measures. This doesn't even have to be malicious. It can result from boredom, curiosity (in your company's case: does Mr. Smith really make so much that he's able to afford those 3 nice cars?), or even from a wish to increase productivity by destroying security barriers.

There are many recommendations similar to this one:

Every employer needs to have a detailed policy regarding use of company computers and resources accessed with computers, such as e-mail, Internet, and the company intranet, if one exists.

(http://www.twc.state.tx.us/news/efte/monitoring_computers_internet.html)

Of course, that's worth very little if compliance isn't enforced. And your connection is about as open as possible within the company because no transport encryption is used whatsoever and even the passwords are transmitted in plain text. The best way to enforce a policy is by making disregarding it impossible. Of course, that's not always possible, and sometimes there are better ways, but it seems very much like this is both the easiest, best, and most reliable way to go in this case.

This warning is very close to what your company is facing:

In addition to ensuring that they don't run afoul of HIPAA regs, companies need to focus on another critical intranet security issue: internal breaches. Internet security expert Norbert Kubilus, a member of Tatum CIO Partners, said that in most cases, intranet "hackers" are unhappy employees looking to inconvenience the company or gain some personal advantage.

"Most of what I've heard about and observed is internal abuse," Kubilus said. "You can get a disgruntled employee who gets into the intranet and raises havoc by changing vacation schedules or time cards. If you don't have the right protections in place, or the right education and process in place, you leave yourself vulnerable to a disgruntled employee."

(http://www.techrepublic.com/article/intranet-data-requires-a-good-security-review/)

When considering that the data at risk is quite important, it's clear that this is an unacceptable risk. Depending on where your company is located, it might also be illegal to operate the site in that way, e.g. because it contains insufficiently secured personal data.

Telling management that this is illegal (if it is) probably has a higher chance of getting security improved than telling them the system is insecure.

I don't know about UK law but I think you definitely can't have such a system under EU law and therefore not under UK law.

Following a quick search, I found this EU regulation. A quote of article 32 which could give you hope that it's illegal:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

[...]

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

You can't guarantee confidentiality nor integrity if everyone in the company can access the HR site after watching a 10-minute YouTube video about how to connect Ethernet cables so their laptop is between the server and an HR computer and a 5-minute YouTube video on how to use Wireshark to get a password which was sent over the network. Of course, virtually any person who ever played with Wireshark could do that without wasting 15 minutes watching YouTube videos first. ;-)

UTF-8
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/54148/discussion-on-answer-by-utf-8-is-it-acceptable-for-an-internal-hr-site-to-run-ov). – Rory Alsop Feb 24 '17 at 00:19
1

Lack of HTTPS makes it possible for an attacker on the same network to listen in on the connections to this server and modify requests and responses. This can be used to sniff passwords that HR persons are using, for example.

What exactly "the same network" is depends on your network configuration and how much work the attacker is willing to put into it. It is pretty likely that you would be able to execute an attack from your company computer. Sometimes a man-in-the-middle attack is possible from the parking lot by using the company's WiFi.

Sjoerd
  • Thanks for the reply - so the main threat is probably someone intentionally wanting to intercept details, rather than being able to 'accidentally' stumble upon them? – aldredd Feb 22 '17 at 16:02
  • No, any network admin with Wireshark could accidentally stumble upon the confidential data or login credentials in the course of their duties. They may even capture a session in a packet capture file and not even know they logged this kind of data. Of course, if your company has no web administrators who can properly configure HTTPS, it's also possible your network admins aren't very good at monitoring network traffic. :-/ – John Deters Feb 22 '17 at 16:29
1

There are different problems with HTTP vs. HTTPS and being on an internal network should mitigate some.

  • no strong server identification: not important on an internal network, it is unlikely that a fake server could exist in the internal network. Normally such a MITM attack would require administrative privileges, and in a corporate organization, you already have to trust the admins because they manage all network equipment and client machines.
  • confidentiality of responses to requests made by authorized employees: it depends on whether all authorized accesses come from the same office (only admins or co-workers with equivalent access permissions should be able to spy(*)) or whether any manager can make requests. In the latter case the risk of interception of confidential data is important, but the (internal) attacker cannot know in advance what information it will gain.
  • credential protection: if even the authentication procedure uses plain HTTP, the problem is much more serious. In that case, an attacker could get credentials and be able to issue requests (including modifications) on behalf of a legitimate user: integrity is no longer guaranteed, not to speak of confidentiality.

Of course, if it is a read-only server, and if confidentiality is not really a concern, HTTP can be used. But as soon as we speak of HR, confidentiality should immediately rise to a medium to high level.


(*) in common corporate networks, the usage of switches and proxies only allows spying on exchanges on the same subnet, except for network admins who can see all unencrypted traffic of their domain.

Serge Ballesta
  • *no strong server identification: not important on a internal network, it is unlikely that a fake server could exist in the internal network.* - I plug a machine in, it hands out DHCP addresses and my own DNS server, and answers that the HR site is on my server, but relays all other DNS requests to the main servers. How likely is it that this company controls what can be plugged into the network, or can handle rogue DHCP servers? – TessellatingHeckler Feb 22 '17 at 18:17
  • @TessellatingHeckler In a corporate network, machines often have fixed addresses, fixed DNS servers and fixed proxies. You can certainly plug your DHCP server, but you could be your only client. – Serge Ballesta Feb 22 '17 at 18:49
  • I don't agree that static addresses are common practice for user machines. Printers, timeclocks, etc. sure, but not desktops and laptops. –  Feb 22 '17 at 19:50
  • Most devices (desktops etc) are on DHCP rather than fixed. – aldredd Feb 22 '17 at 22:04
  • I have been working in large organizations (several thousands to hundred of thousands employees) where security is a concern and all desktops and laptops are configured by system admins (the user is not admin of his machine) with fixed IP addresses. – Serge Ballesta Feb 23 '17 at 08:24
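The comments under this answer disagree about whether a rogue DHCP server (one that hands clients its own DNS server so the HR hostname resolves elsewhere) is a realistic threat on a corporate LAN where most desktops are on DHCP. The defensive control, whatever the answer, is to watch DHCP OFFERs on the wire and alert on any that does not come from the network team's own server or that hands out an unexpected resolver or gateway; this is the same check that switch-side "DHCP snooping" enforces. The following is an added example in Python, not code from the original answer or from any product; all addresses, the client MAC and the packets themselves are constructed in memory so the parser can be exercised offline.

```python
"""Rogue DHCP OFFER detection from raw DHCP messages.

Added example, not from the original answer. The authorised server, resolver
and gateway addresses and the two sample OFFERs are constructed.
"""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54
MSG_OFFER = 2


def parse_dhcp(packet):
    """Parse the fixed BOOTP header and the option area of one DHCP message.
    Returns (header, options) where options maps option code -> raw bytes."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    header = {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),  # address being offered
        "chaddr": packet[28:28 + hlen].hex(":"),              # client hardware address
    }
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:       # pad octet
            i += 1
            continue
        if code == 255:     # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return header, options


def _ipv4_list(value):
    """Decode an option carrying one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value) - len(value) % 4, 4)]


def audit_offer(packet, authorised_servers, expected_dns, expected_routers):
    """Findings for one DHCP message; an empty list means it is not an OFFER
    or it came from an authorised server with the expected DNS/router."""
    header, options = parse_dhcp(packet)
    if options.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return []  # DISCOVER/REQUEST carry no configuration to check
    client, findings = header["chaddr"], []
    server = _ipv4_list(options.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in authorised_servers:
        findings.append(f"OFFER to {client} from unauthorised server {server[0] if server else '<missing>'}")
    for code, expected, label in ((OPT_DNS, expected_dns, "DNS"), (OPT_ROUTER, expected_routers, "router")):
        unexpected = [ip for ip in _ipv4_list(options.get(code, b"")) if ip not in expected]
        if unexpected:
            findings.append(f"OFFER to {client} hands out unexpected {label} {unexpected}")
    return findings


def build_offer(server_ip, client_ip, dns_ips, router_ip, client_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Construct an OFFER in memory as a test fixture for the parser; nothing
    is ever sent on a network."""
    def ip(s):
        return ipaddress.IPv4Address(s).packed
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)
    header += bytes(4) + ip(client_ip) + ip(server_ip) + bytes(4)   # ciaddr, yiaddr, siaddr, giaddr
    header += client_mac.ljust(16, b"\0") + bytes(64) + bytes(128)  # chaddr, sname, file
    dns = b"".join(ip(d) for d in dns_ips)
    opts = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
            + bytes([OPT_SERVER_ID, 4]) + ip(server_ip)
            + bytes([OPT_DNS, len(dns)]) + dns
            + bytes([OPT_ROUTER, 4]) + ip(router_ip)
            + b"\xff")
    return header + DHCP_MAGIC_COOKIE + opts


# Constructed topology: the network team runs one DHCP server, one resolver, one gateway.
AUTHORISED_SERVERS, EXPECTED_DNS, EXPECTED_ROUTERS = {"10.0.0.5"}, {"10.0.0.53"}, {"10.0.0.1"}
GOOD_OFFER = build_offer("10.0.0.5", "10.0.0.120", ["10.0.0.53"], "10.0.0.1")
ROGUE_OFFER = build_offer("10.0.0.77", "10.0.0.120", ["10.0.0.77"], "10.0.0.77")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, audit_offer(pkt, AUTHORISED_SERVERS, EXPECTED_DNS, EXPECTED_ROUTERS))
```

In production the bytes handed to `audit_offer` would come from a capture of UDP port 67/68 traffic on a monitoring port; the good OFFER produces no findings, while the rogue one is flagged three times (unauthorised server, unexpected DNS, unexpected router). Alerting on the first finding alone is enough, since a legitimate server never appears with a server identifier outside the allow-list.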
0

Since we are talking about HR, and HR usually administers benefits, it is likely they are not HIPAA compliant.

In other words, SSL and TLS usage must comply with the details set out in NIST 800-52. This implies that other encryption processes, especially those weaker than recommended by this publication, are not valid.

link

John Wu
  • HIPAA is a complex set of guidelines and liability for breaches is (AFAIK) decided on a case-by-case basis. There are no strict requirements for encryption, and I'm not familiar enough with the luxsci.com blog to say whether or not they have any authority to make such claims about what the guidelines "imply" about weaker encryption. –  Feb 22 '17 at 19:46
  • And while HIPAA compliance is something those dealing with healthcare records in the USA have to keep up with, it isn't something particularly relevant to Info Sec in the UK. (OP is discussing a UK company) – Ruscal Feb 22 '17 at 21:03
0

Clearly it's not a great idea, but there are a lot of ifs and buts depending on the overall network configuration.

It's worth pointing out that a malicious admin could install a trusted cert on all machines and intercept all traffic anyway. There is almost nothing you can do to stop a malicious admin.

From a legal point of view the company has to take reasonable steps to secure your data. If a summer intern can intercept the data in transit by hooking up their own laptop then they are not meeting their legal liability. If a skilled pentester requires unsupervised physical access they probably are.

ste-fu
  • There really is no if nor but in this particular question. It is a large company, period. Attack vectors are plentiful, from the intern to the admin, over LAN or WiFi, and while https won't make them 100% secure, there is still a difference between not being 100% secure and being 100% wide open. – AnoE Feb 22 '17 at 23:20
  • "From a legal point of view the company has to take reasonable steps to secure your data." According to what laws? – jpmc26 Feb 23 '17 at 01:47
  • @jpmc26 I was paraphrasing the UK DPA from memory. Exact wording here http://www.legislation.gov.uk/ukpga/1998/29/schedule/1 paragraph 7 – ste-fu Feb 23 '17 at 07:51
  • @ste-fu Thanks. Would probably be good to cite that source in your answer. ;) – jpmc26 Feb 23 '17 at 07:56
  • @jpmc26...yeah was doing it from my phone in bed and being lazy – ste-fu Feb 23 '17 at 09:06
0

No, this is absolutely not acceptable and depending on your jurisdiction may be illegal to the point of criminal liability.

Most countries have laws in place that basically say that sensitive personal data - and employment records almost always fall into that category - are required to be protected by "adequate technical means".

While the precise meaning of that term is intentionally open to interpretation, courts typically interpret it as such technology which is readily available and common and serves the purpose of protecting the data. In other words: You don't have to invent some new security thing, but if there's some easy, off-the-shelf security measure that other people use and you don't, you are not protecting the data adequately.

HTTPS is very, very common and typically used for precisely such purposes. To not use it is very likely gross negligence. More specific laws in your jurisdiction might push this higher.

Tom