Nearly every major network environment today – including governments, large enterprises and financial institutions – uses a version of the Secure Shell data-in-transit protocol, to protect data as it moves throughout the network and allow for administrators to manage systems remotely.
Secure Shell works by creating an encryption key pair – one key for the user’s machine, and the other key for the server – while encrypting the data that is transmitted between those two keys. Organisations use Secure Shell to encrypt everything from logins to financial data, health records and other personally-identifiable information. While Secure Shell keys protect highly sensitive information, organisations have been astonishingly indifferent at managing the creation, location and access of Secure Shell keys giving access to critical assets.
Many organisations are unable to control the creation quantity and location of keys in the network; they are leaving themselves open to security breaches and noncompliance with international regulations including Payment Card Industry Data Security Standard (PCI-DSS), Sarbanes-Oxley Act (SOX), as well as Singapore standard such as Monetary Authority of Singapore (MAS). Organisations may also be infringing upon other security policies, including those mandated by their customers.
Attacking key-based access network
Having thousands to millions of these keys is common for the majority of enterprises, governments and financial institutions worldwide. However, most of them are still using manual processes for generating, configuring and deploying the Secure Shell keys. Over time, this results in the uncontrolled proliferation of authentication keys, with little to no visibility into what each key does. A malicious actor, that gains access to a private key, can mimic an authorized user and access sensitive information with impunity.
Network breaches are commonplace as attacks become more prevalent and sophisticated. Implementing Secure Shell keys as an attack vector in a virus is fairly simple, requiring only a few hundred lines of code. Once a virus gains successful entry, it can use improperly managed Secure Shell keys to spread from server to server.
In fact, key-based access networks are so tightly woven that it is highly likely that a successful attack will infect virtually all servers within an organisation, particularly if the virus also uses other attack vectors to elevate privileges to “root” after breaching a server. With so many keys being distributed, odds are the virus will corrupt nearly all servers in a matter of seconds to minutes, including disaster recovery and backup machines that are usually also managed using such keys.
Under the worst circumstances, a virus using numerous attack vectors could spread Internet-wide, quickly and, merged with destruction technologies, could destroy immense amounts of data.
Time to take pivotal steps
Taking the steps to address Secure Shell key mismanagement will require proper support and endorsement within the organisation itself. The core of the remediation project is comprised of multiple steps:
– Automating key setups and key removals; eliminating manual work, human errors, and reducing the number of administrators from several hundred to virtually none.
– Managing what commands can be executed using the key and where the key execution can happen.
– Requiring proper processes for all key setups and other key operations.
– Monitoring the environment in order to establish which keys are actually used and removing keys that are no longer in use.
– Rotating keys, i.e., changing every authorised key (and corresponding identity keys) regularly, so that any compromised (copied) keys cease to work.
– Identifying all current trust-relationships (who has access to what).
Going forward
Today a considerable portion of the global financial institutes, Fortune 500 and many major government agencies continue to operate out of compliance, and are unknowingly facing major security threats from hackers or rogue employees. Best practices, such as the ones identified above, will position organisations to prepare for security threats and new compliance mandates before they occur.
In addition to IT involvement, executive management needs to step-in to protect the company from neglecting any compliance regulations that could bring about liability; and make it a priority to ensure that SSH user keys are properly managed in their organisations.
Tommi Lampila is Vice President, APAC, SSH Communications Security.
