Do I need to encrypt connections inside a corporate network?

Question

Provided that I have a decent level of physical security in the office, I monitor the physical addresses of devices connected to the network and only give VPN access to trusted parties, do I need to encrypt access to intranet resources over HTTP?

There is an employee complaining that he doesn't like sending his credentials in plain text over the network and that he cannot take responsibility for his network identity in such case. What are the real world chances that someone would steal his identity? I can't find any clear-cut recommendations for encryption within a corporate network.

Answer 1

Yes encrypt, it is easy. Plus according to a 2014 Software Engineering Institute study 1 in 4 hacks was from someone inside the company with an average damage 50% higher than an external threat actor.

Link to source: https://insights.sei.cmu.edu/insider-threat/2017/01/2016-us-state-of-cybercrime-highlights.html Although this is the 2017 version.

Answer 2

What are the real world chances that someone would steal his identity?

Running a MITM attack on an HTTP connection when on the same LAN is basically trivial. ARP is not designed to be secure. Some high end switches provide reasonable mitigation, but it is mostly pretty weak on anything that is not fabulously expensive.

There is an employee complaining that he doesn't like sending his credentials in plain text over the network and that he cannot take responsibility for his network identity in such case.

If the guy is accountable for actions that are taken with his credentials, it is unfair to not take reasonable precautions to protect those credentials from other employees. They might be safe from external actors due to network isolation, but that is probably not what the guy is worried about...

Answer 3

Yes, you have to encrypt your connections. Let's take a scenario where you believe your network is physically secured (with required physical security and other required security measure) and no internet access (since you have indicated you only allow VPN access to trusted sources), but let's assume your employees take their laptop home and connecting to internet. The chances of any malware be implemented without their notice is there. And this malware may become active when it's connected to your corporate network and started sniffing traffic. This would lead to exposure of all your corporate communication including everyone's credentials.

Hence it's always recommended to encrypt sensitive traffic.

Further a study by CA (Insider Threat Report - 2018) indicates below concerns over insider threats (Reference: https://www.ca.com/content/dam/ca/us/files/ebook/insider-threat-report.pdf).

Extract from report:

• Ninety percent of organizations feel vulnerable to insider attacks. The main enabling risk factors include too many users with excessive access privileges (37%), an increasing number of devices with access to sensitive data (36%), and the increasing complexity of information technology (35%).
• A majority of 53% confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

• Organizations are shifting their focus on detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post breach forensics (49%). The use of user behavior monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.

• The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection and Prevention (IDS), log management and SIEM platforms.

• The vast majority (86%) of organizations already have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

Possible solutions/mitigation controls for insider attacks would be: Source: 2018 Insider Threat Report, CA Technologies

Answer 4

Risk of Repudiation

In addition to all the fine answers about employees as a threat and visitors as a threat, I think you have to consider that the mere fact that the traffic is unencrypted is of itself a vulnerability even in the total absence of hackers.

You are setting yourself up for a situation where any employee who does something they are not supposed to do (by mistake or on purpose) and then is called out on it can deny that it was actually them. Normally, you the manager would just say, "we know it was you because you were logged in". In this case the accused employee can reasonably reply "the login is worthless and you know it. Anyone on the LAN could have sniffed my password and done this bad thing posing as me."

Answer 5

Some companies, especially larger ones that have been around long enough to develop bad habits, have roughly the following fallacious security model:

The network is safe as long as nobody else plugs into it and nobody inside is technologically skilled enough to abuse it.

Is this possible to protect in all cases? No, but proper physical/building access controls can help lower the risk. But what if guests are allowed in the office for meetings etc.; are there easily accessible ethernet ports in the conference rooms or easily-accessed wireless networks, or are these networks segregated from ones where credentials may be flying around?

It also depends on what you are trying to protect. Consider the worst-case scenario where someone (from inside or outside the organization) steals plaintext credentials for another user. What are they able to do; access critical infrastructure or just some low-profile development servers? If an identity is stolen, are you able to determine who is using the login?

Ideally, everyone would use encryption everywhere. But if the above threats are within your risk tolerance, then maybe it is not urgent to encrypt intranet resources. Depending on the size of the organization, there may be some overhead in deploying a CA and SSL certificates to all resources. Ask yourself what is worse: the worst case scenario or putting in the work to encrypt everything?

Answer 6

In 2018, the answer depends on your threat and risk analysis results. Which, of course, you have performed, identified the likely scenarios, rated them and made a business decision based on the impact and frequency, according to a proper statistical or quantitative method.

Your individual employee, however, has made his own personal risk analysis and arrived at the result that you indicated, namely:

he cannot take responsibility for his network identity in such case

And he is perfectly correct in that assessment. Even a superficial glance at the situation makes it clear that someone other than him, with minimal technical skills, could impersonate him.

To you the business risk is acceptable (obviously, I mean it's 2018, that the internal network is unencrypted is an intentional decision and not, say, a case of we've-always-done-it-like-that, right?) and you may well be right in that decision. Accepting a risk is a perfectly valid option.

To him the risk is not acceptable. Note that he does not make a business decision for the company with his statement. He makes a personal decision for himself. That is why the two risk analyses can come to different results - different context, risk appetite, impacts.

The correct answer is that you are taking the responsibility that he refuses to take. By running the network unencrypted, and accepting the risk, the company assumes the responsibility for the network identity of the users of that network, as it has decided to not protect them.

I could also be mistaken in my assumptions about your corporate risk management, in which case I recommend doing a risk analysis of this particular fact (unencrypted internal network) and threat (impersonation of users) so that you can either revise the decision of having an unencrypted network, or solidify it with results that show that securing the network would be more expensive than the expected loss.

Answer 7

Yes, you do need to encrypt inside your "secure" corp network.

Any network penetration will lead to snooping traffic, and anything not encrypted is easy pickings for the attacker. Credentials, passwords, salary information, business plans, whatever.

For real world horror stories, just search for "lateral movement security" Hard, crunchy shell, soft chewy inside is no longer a valid security posture for any company.

While GDPR has few strict technical requirements, if you are handling Personal Information for EU citizens, a common solution to meet GDPR compliance is to show you have encryption on data-in-flight (over your network)

The reality is, your physical security aside, it's just not too difficult to get access within the network, either by physically plugging in to a port (are you monitoring your nightly cleaning staff every night? - how about visiting vendors?) or, more likely, through some form of network intrusion.

Others have cited Google's BeyondCorp paper, which is worth a read. https://cloud.google.com/beyondcorp/

Essentially, your "inside" network should not be trusted much more than the wild, nasty outside internet.

Encryption is low cost, high reward defensive stance. Why wouldn't you do it?

Answer 8

Yes. You should always encrypt connections on any intranet, just as you would on the public internet.

The DNS Rebinding attack publicized yesterday allows an attacker full access to any HTTP resource on a victim's intranet, by use of a DNS rebind from an attacker controlled IP address to a corproate intranet IP (e.g. 10.0.0.22). (Scanning of an intranet IP space for HTTP services can be done with other techniques, made easier with knowledge of the user's private IP address.)

The only thing necessary for such an attack to work is to trick the victim into loading an attacker-controlled webpage (or javascript or iframe etc).

This attack is best mitigated with HTTPS, since the DNS rebind will not match the presented certificate domain. While removing default virtual hosts also appears to mitigate this particular attack, this attack just goes to show how exposing internal resources over unencrypted connections can turn into a liability with a security vulnerability somewhere else. (I'm not even talking about the slew of 802.11 wifi vulnarabilities we had late last year. Please don't expose intranet resources over wifi!)

Answer 9

Defense in depth

There are several good answers here, but even if you trust all your employees completely (which you most likely should not), you open the door for an external attacker and make security so much harder.

Normally an attacker first needs to somehow get into your network (this could be done in a variety of ways) and then he needs to get a login somewhere to actually access sensitive data. By providing Login-passwords unencrypted flying around everywhere you have just made the second step so much easier. Now whenever an attacker gains access to your network, he immediately has access to high level credentials.

The concept to defend in multiple layers is called defense in depth - if an attacker can compromise one layer, he still has to break additional barriers to cause harm.

So please ENCRYPT YOUR CREDENTIALS!

Answer 10

do I need to encrypt access to intranet resources over HTTP?

Yes - if people are authenticating against the service.

What are the real world chances that someone would steal his identity?

I don't know - I've never met the people who work at your office / are within the range of its Wifi network / might be able to tap your network. I don't know what you consider a "decent level of physical security". I don't know how much you trust the "trusted parties". Certainly, monitoring MAC addresses does very little to protect against network sniffing.

How much would it hurt to implement TLS?

Answer 11

Your employee's critique is spot on.

Think about it this way: if you trust your network to the point where encrypting credentials seems unnecessary, then why do you need credentials at all? Do you think you could replace a login form with a simple field where users could type their name?

If the answer is no, then sending credentials unencrypted is not an option either, because you don't trust your trusted parties that much after all, and a password sent over HTTP is not much of a secret.

Answer 12

To quote a t-shirt: "Just do it!"

• You are spending hours on stack exchange for a justification of not spending $7 for a cert and 20 minutes securing your server.

• One thing you didn't think about: How does the employee know that he is entering his credential into the real website and not into a clone of the site that is running on an arduino hidden behind the copier that is ARP spoofing?

• Does the word "compliance" mean anything? PCI/HIPAA/GDPR is going to come knocking any day. If any "admin" user logs into your website, you HAVE TO encrypt all connections or face serious trouble.