Sample Risk Analysis
Should Internal Network Traffic Be Encrypted?
Summary of Risk Assessment
This risk assessment was carried out through a combination of (1) brainstorming to determine likely threat scenarios for data in motion, and (2) the formulation of a risk model to determine the residual or remaining risk for each threat scenario, after existing controls are taken into account. Chart A below shows the key potential threat scenarios against the internal network.
Chart A
| # | Threat Scenario | Definition |
| 1 | LAN – protocol sniffer | Internal person on the internal private network captures confidential data or user credentials using a network protocol sniffer. The subject then uses the credentials obtained to gain unauthorized access to a desired target, degrade systems, install malware and commit further attacks. |
| 2 | WAN – protocol sniffer or physical tap | Telecommunications employee or contractor gains physical access to the external (MAN/WAN) portions of leased segments of a private network and captures confidential data or user credentials from high-speed network communications media. Data thus obtained may be used for illegal profit through sale of customer confidential data. Timed attacks might also attempt to intercept earnings release information in anticipation of quarterly stock fluctuations based on earnings reports. |
| 3 | Network device compromise | Internal person on the internal private network accesses a network router or switch, corrupts the routing mechanisms, and redirects confidential data or user credentials to an internal person or device. The authentication credentials are then used for additional attacks. |
| 4 | Passive physical tap | Internal person sets an inline, passive hardware tap on the wire to capture confidential data or user credentials. This could occur anywhere along the cable medium (copper or fiber) through entrance facilities, wiring closets, data conduits, raceways etc., within controlled premises. |
| 5 | Host compromise by malware | Internal person injects a rogue, hidden software program into the private network so that confidential data or user credentials can be captured and transferred to an internal person or device. Sub-scenarios include software installed on a server via a worm or virus, and a rootkit installed on a server by an internal threat agent. |
After brainstorming threat scenarios the team evaluated them using a risk model. More details on the threats and risk model are in the Analysis section of this paper. The goal of the risk model was to determine, for each scenario, the remaining or residual risk present after taking into account asset value (of confidential data), the impact of a data breach, and the strength of existing controls.
To help with the evaluation, a residual risk threshold was determined by considering management’s general intolerance for ineffective controls. In the risk assessment model employed here, a control that is missing or poorly designed can have a control rating of at most 5 (a Control Quality of at most 5 multiplied by a Control Score of at most 1; see the Control Rating section below), whereas an effective, properly designed control can have a rating as high as 10. (See Chart B below.) High breach impacts combined with low control ratings yield unacceptable residual risk, so as the impact of an event increases, any control rating below 5 presents a worrying residual risk, and higher impacts require higher control ratings to mitigate the risk. A control rating cannot reach 6 unless the control is at least designed properly, so the tolerance curve flattens out as the control rating approaches 6. Individual circumstances will dictate different results, but generally the strength of the control rating determines how sharply the tolerance rises: there is a higher tolerance for risk when controls are stronger.
Chart B below plots for each of the five scenarios an Impact Score (derived from assessing vulnerability, threat and asset value) against a Control Rating (derived from Control Score and Control Quality).

Synopsis
Based on the evaluation performed, management might consider additional controls to further mitigate Scenario 2 (WAN – protocol sniffer, or a physical tap performed by a rogue telecom technician) and Scenario 5 (Host compromise – malware). These two scenarios represent greater breach impact and lower control ratings than the other scenarios. The primary control over Scenario 2, for example, is the set of contractual obligations with our telecommunication providers, which allow the injured party to be made whole by way of legal damages. Another conceivable mitigating factor (albeit not a control) is the relatively low likelihood of such an attack, although this is difficult to verify. However, no amount of compensatory damages can make up for the reputational impact that a large telecommunication-based breach would have on the injured party.
Regarding Scenario 5 (Host compromise – malware), while strict change management controls are in place to prevent unauthorized changes to production facilities and systems, a determined insider with high access could easily circumvent these controls. This is also offset somewhat by a low likelihood of occurrence.
Analysis
Network segments considered
To help organize the risk assessment and the technology/vendor research, the project team divided the private network into discrete segments for evaluation. The team then risk-ranked each segment based on its existing controls, physical security, asset value (of data in motion), vulnerability to attack, and inherent risk, and identified the residual risk that could be mitigated by the additional control of encrypting data in motion. This information was used as input to more detailed threat scenarios, which added factors such as threat agents and attack methods. The team also used the segment definitions to match relevant vendors and technologies to the characteristics of each segment. The chart below shows the network segments, the nature of their data traffic flow, and their types of network links. For further technical details about these segments please see the Appendix.
| # | Network Segment | Data Traffic Flow | Network Links |
| 1 | Intra-Data Center | traffic flows within the data center LAN, e.g. host to host, host to storage | Server to Server; LAN to LAN |
| 2 | Inter Data Center (DC1 -> Telco -> DC2) | traffic flows across the WAN between data centers, e.g. host to host, host to storage | Optical Core |
| 3 | Branch -> Telco -> DC or Office | traffic flows across the WAN from offices to data centers, e.g. end station to host | Branch or small office LAN (Host to Server); Telco WAN; Data Center |
| 4 | Midrange Private Network | traffic flows within the nationwide private network | Node to Router; Telco WAN; Firewall; Data Center and Private Network |
| 5 | LAN | traffic flows within the office or offices LAN, e.g. end station to end station, end station to office host | Host to Server; LAN to LAN; Telco WAN; Data Center |
Risk Assessment
The risk assessment was carried out through (1) a risk assessment of the network segments (2) brainstorming to determine likely threat scenarios for data in motion, and (3) the formulation of a risk model to determine the residual or remaining risk for each threat scenario, after existing controls are taken into account. These are explained in more detail below.
Risk assessment of the internal network
| Network Segment | Volume (H/M/L = 3/2/1) | # of Links (H/M/L = 3/2/1) | Publicly Exposed? (Y/N = 1/0) | Rating |
| Intra-Data Center | 3 | 1 | 0 | 4 |
| Inter Data Center (DC1 -> Telco -> DC2) | 3 | 1 | 1 | 5 |
| Office -> Telco -> DC or Office | 2 | 3 | 1 | 6 |
| Specialized Midrange Network | 1 | 3 | 1 | 5 |
| LAN | 2 | 2 | 0 | 4 |
The team relied on network subject matter experts to perform a risk assessment of the various network segments. The resulting ratings served as input to the overall risk model defined in depth in the Risk Model section below. The criteria used to assess risk were data volume, number of network links, and the extent to which a segment is exposed to the public. Simple ratings of high, medium and low were used for volume and links, while a binary yes/no answer was used for public exposure; the Rating is the sum of the three scores. The segment with the greatest risk was the office connections to the data center, due to the large number of links (i.e., more points of exposure) and the public nature of the WAN circuits required to connect sites.
Description of threat scenarios
Threat Scenario 1: (LAN – protocol sniffer) Internal person on the internal private network (internal LAN*) captures confidential data or user credentials using a network protocol sniffer. The subject then uses the credentials obtained to gain unauthorized access to a desired target, degrade systems, install malware and commit further attacks.
Threat Scenario 2: (WAN – protocol sniffer or physical tap) Telecommunications employee or contractor gains physical access to the external (MAN/WAN) portions of the internal private network and captures confidential data or user credentials from high-speed network communications media. Data thus obtained may be used for illegal profit through sale of customer confidential data. Timed attacks might also attempt to intercept earnings release information in anticipation of quarterly stock fluctuations based on earnings reports.
Threat Scenario 3: (Network device compromise) Internal person on the internal private network accesses a network router or switch, corrupts the routing mechanisms, and redirects confidential data or user credentials to an internal person or device.** The authentication credentials are then used for additional attacks.
Threat Scenario 4: (Passive physical tap) Internal or external person sets an inline, passive hardware tap on the wire to capture confidential data or user credentials. This could occur anywhere along the cable medium (copper or fiber) through entrance facilities, wiring closets, data conduits, raceways etc.
Threat Scenario 5: (Host compromise by malware) Internal person injects a rogue, hidden software program*** into the internal private network so that confidential data or user credentials can be captured and transferred to an internal person or device. Sub-scenarios include:
- Software installed on a server via a worm or virus
- Rootkit installed on a server by an internal threat agent
Notes
* Scope includes any network segment that is privately addressable
** Key question: how protected is the network from ARP poisoning and MAC spoofing, i.e., how do network standards, configurations, and designs safeguard against this type of attack?
*** Windows platforms have anti-malware processes but other platforms do not
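One answer to the key question in note ** is to watch the ARP traffic itself: a Scenario 3 redirect shows up on the wire as an IP address whose claimed MAC changes, or as one MAC answering for several IPs. The following is an added example written for this page, not part of the original assessment, of a minimal passive check of that kind. The ARP reply records and the `trusted_bindings` table are constructed for the example; on a real switch the trusted table would be the DHCP-snooping bindings that Dynamic ARP Inspection validates against.

```python
# Added example (not part of the original assessment): passive detection of
# ARP-poisoning / MAC-spoofing symptoms from a stream of ARP reply records.
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) taken from ARP replies.
# Records 4 and 5 model a rogue host (…:99) claiming the gateway and a peer.
SAMPLE_ARP_REPLIES = [
    (1, "10.0.1.1",  "00:11:22:33:44:01"),   # gateway, legitimate
    (2, "10.0.1.50", "00:11:22:33:44:50"),
    (3, "10.0.1.51", "00:11:22:33:44:51"),
    (4, "10.0.1.1",  "00:11:22:33:44:99"),   # gateway IP now claimed by another MAC
    (5, "10.0.1.50", "00:11:22:33:44:99"),   # same MAC also claims a host IP
]

def detect_arp_anomalies(replies, trusted_bindings=None):
    """Return a list of (timestamp, kind, detail) alerts.

    trusted_bindings: optional {ip: mac} learned from a trusted source; any
    reply that contradicts it is flagged as a binding_violation. Without it,
    the first MAC seen for an IP is treated as the baseline (ip_mac_change),
    and a MAC answering for more than one IP is flagged (mac_multiple_ips).
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
    first_mac_for_ip = {}                 # ip  -> first MAC observed
    ips_claimed_by_mac = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "binding_violation",
                           f"{ip} claimed by {mac}, trusted binding is {trusted[ip]}"))
        elif ip in first_mac_for_ip and first_mac_for_ip[ip] != mac:
            alerts.append((ts, "ip_mac_change",
                           f"{ip} moved from {first_mac_for_ip[ip]} to {mac}"))
        first_mac_for_ip.setdefault(ip, mac)
        ips_claimed_by_mac[mac].add(ip)
        if len(ips_claimed_by_mac[mac]) > 1:
            alerts.append((ts, "mac_multiple_ips",
                           f"{mac} answers for {sorted(ips_claimed_by_mac[mac])}"))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate events such as a gateway failover or a router holding several addresses will also trip the heuristic checks, so in practice the trusted-bindings path is the one to rely on and the heuristics are a fallback for segments where no authoritative binding table exists.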
Risk Model
Residual risk is that risk which remains after considering the effectiveness of existing controls in place to mitigate inherent risk. A basic formula for residual risk is used as a starting point:
Residual Risk = (Threat x Vulnerability x Asset) – Control Rating
To enable ease of use, the scoring system for the inputs to the above formula is based on simple ratings (Low, Medium, High; 1, 3, 5; 1-5; 0-2, etc.). The results for each variable in the formula are weighted in order to bring them within a scale of 1 – 10. The weighting is not based on importance; rather it brings each variable of the equation onto the same 1 – 10 range, so that Threat, Vulnerability, Asset and Control are weighted equally. While variables like Vulnerability have more sub-components than Threat, the goal is to consider all variables equally, and the weights are applied to achieve this effect.
Threat
Each of the five scenarios posited considers the highest rated threat agents, leaving little variability among the threat scores.
Assumptions
- For the purposes of this assessment, all threat agents are assumed to be highly motivated and have malicious objectives
- This nullifies motivation and objectives as differentiators across the different threat agents (both are scored High for every agent in the Appendix)
- The focus is on bad actors, not on average people who have no desire to compromise data. This focus removes the highly subjective guesswork involved in ascertaining the probability and likelihood of bad actors within trusted communities of people. The downside of this approach is that the final analysis simply compares each of the five scenarios to each other on a relative basis as opposed to objectively determining a validated or even perceived “amount” of risk inherent in each scenario.
Threats are evaluated against threat agent attributes known as SKRAAMO: Skills, Knowledge, Resources, Access, Authority, Motivation, and Objectives. For a single threat agent or a group of threat agents sharing common characteristics, a rating of Low/Medium/High is given for each attribute, scored Low = 1, Medium = 3, High = 5. The scores for the seven attributes are summed and the overall threat rating is derived from the total as follows: Negligible = 7 to 16, Moderate = 17 to 25, and Severe = 26 or higher. For the actual analysis, please refer to the table “Threat Agents” in the Appendix.
Threat totals range between 7 and 35 and are multiplied by .3 to bring the scores within 2.1 and 10.5, approximately 1 – 10.
Vulnerability
According to the Common Vulnerability Scoring System (CVSS version 2) approach, used by NIST in compiling the National Vulnerability Database, a vulnerability may be broken down into the following elements:
- Threat Vector is scored by adding the Impact and Exploitability scores, giving a range of 3 – 30. The Threat Vector score is multiplied by .334 to bring the result within a range of approximately 1 – 10. Threat Vector is comprised of:
  - Impact to Confidentiality, Integrity and Availability, each scored as follows: None = 0, Partial = 3, Complete = 5. The Impact score therefore ranges from 0 to 15.
  - Exploitability is scored by summing the three elements below, giving a score ranging from 3 – 15. Exploitability is comprised of:
    - Access Vector: determines whether the attacker must be on the same network as the target (less risk), on an adjacent network, or can perform the attack from remote networks (more risk). Scored as follows: Remote Network = 5, Adjacent Network = 3, Local Network = 1.
    - Access Complexity: indicates how complex the attack must be to exploit the weakness once the attacker has reached the target, e.g. whether special conditions or user interaction are required. Scored as follows: Low Complexity = 5, Medium Complexity = 3, High Complexity = 1.
    - Authentication Level: indicates whether the attacker must overcome multiple layers of authentication, a single layer, or no authentication at all. Scored as follows: No Authentication = 5, Single Authentication = 3, Multiple Authentications = 1.
- Network Segment Attributes are the second component of the Vulnerability Score. The raw score falls within a range of 2 – 7, which is multiplied by 1.43 to produce a score ranging from 2.9 – 10. Network Segment Attributes consist of the following:
  - Volume of Data: a higher volume of traffic increases the potential for sensitive data to be present. Scored as follows: High Volume = 3, Medium Volume = 2, Low Volume = 1.
  - Number of Links: the more links, the greater the attack surface. Scored as follows: High = 3, Medium = 2, Low = 1.
  - Public Exposure: whether the network segment(s) in scope traverse public space, e.g. WAN links. This is a binary Yes/No score corresponding to 1 or 0.
Asset
The scope of the risk assessment focuses on scenarios where customer confidential data or user access credentials are compromised. Because this data is of the highest value, Asset value is High across all scenarios, which nullifies the effect of asset value in the final (relative) analysis.
Control Rating
Two elements comprise the Control Rating: Control Quality and Control Score.
- Control Quality is measured by considering whether a control is Preventive (stops a potential risk event), Detective (detects prior events) or Corrective (corrects prior events), and by whether the control is performed manually by a person, is fully automated, or is some combination of the two. The Control Quality score ranges from 1 – 5 and is derived from these six elements as follows:
| | Corrective | Detective | Preventive |
| Automated | 3 | 4 | 5 |
| Both | 2 | 3 | 4 |
| Manual | 1 | 2 | 3 |
- Control Score is determined by whether a control exists and whether it is designed properly. If designed properly, the control is then assessed for effectiveness.
| Design | Effectiveness | Score |
| Design Adequate | Control Effective | 2 |
| Design Adequate | Control Ineffective w/ Compensating Control | 1 |
| Design Failure | not assessed | 0 |
Control effectiveness is determined through detailed testing procedures conducted by a control owner or auditor. The scope of the current effort did not include control testing, therefore all controls were assumed to be properly designed and operating effectively. As a result, only control quality varies within this analysis: every Control Quality score is multiplied by a Control Score of 2, the score for an effective control, which leaves the Control Rating on a scale of 2 – 10. See “Control Rating Analysis” in the Appendix.
Substituting the aforementioned risk elements, and applying the weighting factors described above, the original formula for residual risk expands as follows:
Residual Risk = (Threat x Vulnerability x Asset Value) – Control Rating
where
Threat = 0.3 x (Skills + Knowledge + Resources + Access + Authority + Motivation + Objectives)
Vulnerability = Threat Vector x Network Segment Attributes
Threat Vector = 0.334 x (Impact + (Access Vector + Access Complexity + Authentication Level))
Network Segment Attributes = 1.43 x (Volume + Number of Links + Public Exposure)
Control Rating = Control Quality x Control Score, with Control Quality read from the automation/mode table above
Chart B above plots the Impact Score (bolded) against the Control Rating (non-bolded).
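The scoring rules above are simple enough to implement directly, and doing so lets the Appendix tables be recomputed rather than trusted. The following is an added example written for this page, not part of the original assessment: it implements the Threat, Vulnerability and Control Rating scoring exactly as described, assumes (as the expanded formula does) that the two Vulnerability components are multiplied together, and embeds the Appendix “Threat Agents” values so that any row whose printed total or band disagrees with the stated thresholds is reported.

```python
# Added worked example (not part of the original assessment): the risk-model
# scoring rules from the text, plus a consistency check of the appendix table.
from collections import namedtuple

# --- Threat: SKRAAMO attributes, each Low=1 / Medium=3 / High=5 ---------------
THREAT_BANDS = ((16, "Negligible"), (25, "Moderate"))   # 7-16, 17-25, 26+ Severe

def threat_total(skraamo):
    """Sum of the seven attribute scores (Skills, Knowledge, Resources,
    Access, Authority, Motivation, Objectives)."""
    if len(skraamo) != 7 or any(s not in (1, 3, 5) for s in skraamo):
        raise ValueError("expected seven scores drawn from {1, 3, 5}")
    return sum(skraamo)

def threat_band(total):
    for upper, name in THREAT_BANDS:
        if total <= upper:
            return name
    return "Severe"

def threat_weighted(total):
    """Weighting factor from the text: 7..35 -> 2.1..10.5."""
    return round(total * 0.3, 2)

# --- Vulnerability: CVSS v2-style threat vector plus segment attributes -------
IMPACT = {"None": 0, "Partial": 3, "Complete": 5}
ACCESS_VECTOR = {"Remote": 5, "Adjacent": 3, "Local": 1}
ACCESS_COMPLEXITY = {"Low": 5, "Medium": 3, "High": 1}
AUTHENTICATION = {"None": 5, "Single": 3, "Multiple": 1}

def threat_vector(conf, integ, avail, access_vector, complexity, auth):
    """Impact (0..15) plus Exploitability (3..15), weighted by 0.334 -> ~1..10."""
    impact = IMPACT[conf] + IMPACT[integ] + IMPACT[avail]
    exploitability = (ACCESS_VECTOR[access_vector] + ACCESS_COMPLEXITY[complexity]
                      + AUTHENTICATION[auth])
    return round((impact + exploitability) * 0.334, 2)

def segment_rating(volume, links, public):
    """Raw segment rating as in the network-segment table (2..7)."""
    return volume + links + public

def segment_weighted(volume, links, public):
    """Segment rating weighted by 1.43 -> ~2.9..10."""
    return round(segment_rating(volume, links, public) * 1.43, 2)

# --- Control rating: Control Quality (1..5) x Control Score (0..2) ------------
CONTROL_QUALITY = {
    ("Automated", "Preventive"): 5, ("Automated", "Detective"): 4, ("Automated", "Corrective"): 3,
    ("Both", "Preventive"): 4,      ("Both", "Detective"): 3,      ("Both", "Corrective"): 2,
    ("Manual", "Preventive"): 3,    ("Manual", "Detective"): 2,    ("Manual", "Corrective"): 1,
}
CONTROL_SCORE = {"effective": 2, "ineffective_with_compensating": 1, "design_failure": 0}

def control_rating(mode, kind, score="effective"):
    return CONTROL_QUALITY[(mode, kind)] * CONTROL_SCORE[score]

def residual_risk(threat, vector, segment, asset, control):
    """Residual Risk = (Threat x Vulnerability x Asset) - Control Rating.
    Assumption: the two Vulnerability components are multiplied, as in the
    expanded formula; the text does not state this explicitly."""
    return threat * vector * segment * asset - control

# --- Consistency check of the appendix "Threat Agents" table ------------------
Agent = namedtuple("Agent", "name skraamo stated_total stated_rating")
THREAT_AGENTS = [  # values copied from the appendix table as printed
    Agent("IT Employees",             (5, 5, 3, 5, 3, 5, 5), 31, "Severe"),
    Agent("Invitees",                 (1, 1, 1, 3, 1, 5, 5), 15, "Negligible"),
    Agent("Tech Vendors",             (3, 3, 3, 5, 3, 5, 5), 27, "Moderate"),
    Agent("Contractors/Consultants",  (5, 5, 3, 5, 3, 5, 5), 31, "Severe"),
    Agent("Foreign Governments",      (5, 3, 5, 1, 1, 5, 5), 25, "Moderate"),
    Agent("Competitors",              (3, 3, 5, 1, 1, 5, 5), 23, "Moderate"),
    Agent("Hackers",                  (5, 3, 1, 1, 1, 5, 5), 21, "Moderate"),
    Agent("Trespassers",              (1, 3, 1, 3, 1, 5, 5), 19, "Moderate"),
    Agent("Telco Technicians",        (5, 5, 3, 5, 5, 5, 5), 33, "Severe"),
    Agent("Criminal/Organized Crime", (3, 3, 5, 5, 1, 5, 5), 27, "Severe"),
    Agent("Terrorist/Political",      (5, 3, 3, 1, 1, 5, 5), 23, "Moderate"),
]

def inconsistent_agents(agents=THREAT_AGENTS):
    """Names of rows whose printed total or band disagrees with the rules."""
    bad = []
    for a in agents:
        total = threat_total(a.skraamo)
        if total != a.stated_total or threat_band(total) != a.stated_rating:
            bad.append(a.name)
    return bad

if __name__ == "__main__":
    print("appendix rows to re-check:", inconsistent_agents())
```

Running the check reports the Invitees row (the printed attribute scores sum to 17, not 15) and the Tech Vendors row (27 falls in the Severe band by the stated thresholds). Note also that the product of three terms each scaled to roughly 1 – 10 is not itself on a 1 – 10 scale, so, as the Threat section says, the model is only meaningful for comparing the five scenarios with each other.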
Appendix - Threat Information
Threat Agents
S K R A A M O = Skills, Knowledge, Resources, Access, Authority, Motivation, Objectives (Low = 1, Medium = 3, High = 5)
| Type | S | K | R | Acc | Auth | M | O | Total | Rating |
| Internal | | | | | | | | | |
| IT Employees | 5 | 5 | 3 | 5 | 3 | 5 | 5 | 31 | Severe |
| Invitees | 1 | 1 | 1 | 3 | 1 | 5 | 5 | 15 | Negligible |
| Tech Vendors | 3 | 3 | 3 | 5 | 3 | 5 | 5 | 27 | Moderate |
| Contractors/Consultants | 5 | 5 | 3 | 5 | 3 | 5 | 5 | 31 | Severe |
| External | | | | | | | | | |
| Foreign Governments | 5 | 3 | 5 | 1 | 1 | 5 | 5 | 25 | Moderate |
| Competitors | 3 | 3 | 5 | 1 | 1 | 5 | 5 | 23 | Moderate |
| Hackers | 5 | 3 | 1 | 1 | 1 | 5 | 5 | 21 | Moderate |
| Trespassers | 1 | 3 | 1 | 3 | 1 | 5 | 5 | 19 | Moderate |
| Telco Technicians | 5 | 5 | 3 | 5 | 5 | 5 | 5 | 33 | Severe |
| Criminal/Organized Crime | 3 | 3 | 5 | 5 | 1 | 5 | 5 | 27 | Severe |
| Terrorist/Political | 5 | 3 | 3 | 1 | 1 | 5 | 5 | 23 | Moderate |
Note: two rows do not agree with the thresholds given in the Risk Model section. The Invitees attribute scores as printed sum to 17, not 15, which would place that agent in the Moderate band; and Tech Vendors at 27 falls in the Severe band (26 or higher), as Criminal/Organized Crime does at the same total.
Control Rating Analysis
| Scenario | Controls | Score |
| 1 | | 9 |
| 2 | Contractual obligations with telecommunication providers | 4 |
| 3 | | 9.3 |
| 4 | | 9 |
| 5 | Change management controls over production facilities and systems | 6.5 |
| # | Threat Scenarios | Vector |
| 1 | Internal person on the internal private network (LAN*) captures confidential data or user credentials | Network protocol sniffer |
| 2 | External person gains physical access to the external (MAN/WAN*) portions of the private network and captures confidential data or user credentials | Network protocol sniffer, or physical tap |
| 3 | Internal person on the internal private network accesses a network router or switch, corrupts the routing mechanisms, and redirects confidential data or user credentials to an internal person or device ** | MAC spoofing, ARP poisoning, setting a SPAN port |
| 4 | Internal or external person sets an inline, passive hardware tap on the wire to capture confidential data or user credentials. This could occur anywhere along the cable medium (copper or fiber) through entrance facilities, wiring closets, data conduits, raceways etc. | Physical tap |
| 5 | Malware introduced into the internal private network so that confidential data or user credentials can be captured and transferred to an internal/external person or device | Spyware, virus, worm, trojan *** |
Notes
* Scope includes any network segment that is privately addressable
** Key question: how protected is the network from ARP poisoning and MAC spoofing, i.e., how do network standards, configurations, and designs safeguard against this type of attack?
*** Windows platforms have anti-malware processes but other platforms do not
Threat Vectors
| # | Vector | Properties affected |
| 1 | API-call traffic (trojan, worm, virus, malware, spyware) | confidentiality, integrity, availability |
| 2 | Protocol sniffers | confidentiality, integrity |
| 3 | MAC spoofing | confidentiality, authentication |
| 4 | ARP poisoning | confidentiality, authentication |
| 5 | Man-in-the-Middle (generic term for 2, 3 and 4) | |
| 6 | Hardware taps (physical medium, e.g. vampire or optical fiber taps) | confidentiality |
| 7 | Rogue devices plugged into data ports (low risk due to limited payload exposure, restricted collision domain) | confidentiality, integrity, availability, authentication |
| 8 | Establishing a SPAN port | confidentiality |
Locations
NOTE: depending on location, data traffic payload exposure differs
| # | Location |
| 1 | Data Centers (DC1 and DC2): traffic is intra data center; very secure, but high risk if compromised |
| 2 | Data Center -> Telco links -> Data Center: traffic is inter data center |
| 3 | Branch -> Telco links -> Data Center |
| 4 | Midrange Private Network |
| 5 | DC1 Internet Zone, DC2 Internet Zone |
| 6 | Office buildings: end station networks |