- Jason Thompson, global director of marketing for SSH Communications Security, says:
The secure shell (SSH) data-in-transit protocol was invented in 1995 and has since become an indispensable tool in the arsenal of network administrators the world over. SSH is used within networks of all varieties and sizes to transfer data securely from device to device and to let administrators access networks remotely. A version of SSH ships with every type of Linux, Unix and Mac OS, and it is rapidly being adopted in the Windows world as well. Virtually half of all websites in the world use some version of SSH. While an exact count of SSH implementations worldwide is impossible, the number is estimated in the millions, making SSH a trusted workhorse in the network security ecosystem.
Since its launch nearly two decades ago, SSH has protected billions of corporate transactions without any major security breaches. Even though the protocol itself is highly secure, today's quickly changing threat environment means that companies must take a serious look at how they manage SSH key creation, rotation and removal.
Making Copies of Keys
Ordinarily, SSH is used to transfer sensitive data from one point to another within the network, such as between a user's computer and a server. This data can include personal identity information, credit card numbers, classified intelligence and healthcare records. From the perspective of a malicious insider or a hacker, SSH protects a smorgasbord of vital organizational information.
So if SSH itself is iron-clad, how would a hacker obtain access to the sensitive data it protects? That's where SSH key mismanagement comes in.
When a user connects to a server via SSH, a trust relationship between the user's computer and the server is established using a cryptographic key pair. These trust relationships are generated and managed by the organization's IT department, often via systems dating back decades. None of these older systems have the ability to search for or find SSH key trust relationships on the network, so tracking trust relationships must be done manually. When a network ecosystem potentially contains hundreds of thousands of keys, trust relationships are unavoidably lost or misplaced. An attacker with access to one of these trust relationships can imitate an authorized user, with freedom to access valuable company information.
Sloppy management of SSH keys therefore presents an avenue to exploitation by attackers searching for access to sensitive data. A study of the administrative operations of some major worldwide organizations revealed an alarming trend:
- Nearly 10 percent of all SSH user keys deliver root access, a major security and compliance violation
- Companies often assign the same SSH host key to thousands of devices, leaving the network defenseless against man-in-the-middle attacks
- Businesses rarely understand what each key is used for, presenting not only a security risk but also a business stability risk
- Many SSH keys that allow access to critical servers are abandoned and no longer used
- A number of organizations authorize administrators to create or delete SSH user keys at will – without approvals or control – essentially permitting unfettered access to systems and people
- Very few organizations ever remove SSH user keys, or even rotate them when a user departs or an application is withdrawn
- Key-based access grants are fundamentally permanent, in direct violation of SOX, PCI and FISMA requirements for properly terminating access, leaving the network vulnerable to threats
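The findings above all come down to not knowing which keys exist, what they grant and where they are duplicated. The following script is an added example (not code from the article or from SSH Communications Security) of the inventory step that surfaces them: it parses `authorized_keys` entries gathered from several hosts, computes OpenSSH-style SHA256 fingerprints, records the trust relationships each key creates, and flags keys that grant root access, keys with no `from=` or `command=` restriction, and the same host key installed on more than one machine. The host names, user names and key blobs are constructed sample data; the `audit`, `parse_authorized_key` and `parse_options` functions are this example's own.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob (what ssh-keygen -lf prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line):
    """Split the leading option list from the key; quoted option values may contain spaces."""
    in_quote = False
    for i, c in enumerate(line):
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(text):
    """Parse 'from="10.0.1.0/24,10.0.2.5",command="/bin/x",no-pty' into a dict; flags map to True.
    Escaped quotes inside values are not handled; good enough for an inventory pass."""
    parts, buf, in_quote = [], [], False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    parts.append("".join(buf))
    options = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            options[key.strip()] = value.strip().strip('"')
        elif part.strip():
            options[part.strip()] = True
    return options


def parse_authorized_key(line):
    """Return {'type', 'fingerprint', 'comment', 'options'} for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = {}, line            # no options prefix
    else:
        option_text, rest = _split_options(line)
        options = parse_options(option_text)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return {"type": fields[0], "fingerprint": fingerprint(fields[1]),
            "comment": fields[2] if len(fields) == 3 else "", "options": options}


def audit(inventory, host_keys):
    """inventory: {host: {user: authorized_keys text}}; host_keys: {host: host public key line}."""
    trust = defaultdict(list)       # fingerprint -> [(host, user)]: the trust relationships
    findings = []
    for host, users in inventory.items():
        for user, text in users.items():
            for line in text.splitlines():
                entry = parse_authorized_key(line)
                if entry is None:
                    continue
                fp = entry["fingerprint"]
                trust[fp].append((host, user))
                if user == "root":
                    findings.append(("root-access", host, user, fp))
                if "from" not in entry["options"] and "command" not in entry["options"]:
                    findings.append(("unrestricted", host, user, fp))
    by_host_key = defaultdict(list)  # same host key on many machines undermines MITM protection
    for host, line in host_keys.items():
        entry = parse_authorized_key(line)
        if entry is not None:
            by_host_key[entry["fingerprint"]].append(host)
    for fp, hosts in by_host_key.items():
        if len(hosts) > 1:
            findings.append(("duplicate-host-key", ",".join(sorted(hosts)), "", fp))
    return {"trust": dict(trust), "findings": findings}


def sample_blob(label):
    """Constructed stand-in for a real public-key blob (any base64 suffices for fingerprinting)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample: two hosts, their users' authorized_keys, and the hosts' own host keys.
SAMPLE_INVENTORY = {
    "web01": {
        "root": f"ssh-rsa {sample_blob('key-A')} ops-shared\n",
        "deploy": f'from="10.0.1.0/24",command="/usr/bin/rsync --server -a . /srv/app" ssh-ed25519 {sample_blob("key-B")} ci@build\n',
    },
    "db01": {
        "root": f"# legacy entry\nssh-rsa {sample_blob('key-A')} ops-shared\n",
        "backup": f'from="10.0.2.10" ssh-ed25519 {sample_blob("key-C")} backup@nas\n',
    },
}
SAMPLE_HOST_KEYS = {
    "web01": f"ssh-ed25519 {sample_blob('host-key-cloned')} root@golden-image",
    "web02": f"ssh-ed25519 {sample_blob('host-key-cloned')} root@golden-image",
    "db01": f"ssh-ed25519 {sample_blob('host-key-db01')} root@db01",
}

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, SAMPLE_HOST_KEYS)
    for kind, where, user, fp in report["findings"]:
        print(f"{kind:20} {where:12} {user:8} {fp}")
```

On the sample data the report shows the same unrestricted key authorized for root on both hosts and one host key cloned onto two machines, exactly the pattern the study describes. In a real environment the `inventory` dict would be filled by collecting `~/.ssh/authorized_keys` files (and any `AuthorizedKeysFile` locations from `sshd_config`) from each host.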
With increasingly sophisticated threats becoming more frequent, organizations without suitable SSH key management protocols in place are taking on water. The further an organization strays from a best-practices approach to SSH key management, the greater the danger becomes.
In addition to the security implications of SSH key mismanagement, organizations need to be conscious of what federal standards – such as PCI, SOX, NIST and HIPAA – demand of them as well. Specifically, these regulations require that organizations retain a high degree of control over access to sensitive network data, or face expensive fines. These factors even leave out the economic argument, which is compelling in and of itself. Major organizations today often have over 20,000 servers. The cost of manual SSH key management for a server environment of this size is projected to be close to $40 million over the next decade. Add in the excruciatingly visible reputation damage caused by a security breach that plays out in public view, and organizations have a host of sober motivations to fix their SSH key management practices.
Key Management Practices Need to Change
Fortunately, security concerns in the secure shell environment are not due to any flaws or vulnerabilities in the SSH protocol itself. Rather, the security and compliance risks discussed above are caused by:
- A years-long lack of clear guidelines or procedures relating to SSH key management
- Lack of understanding of the extent and consequences of the issues
- Inadequate time and resources to gain that understanding and develop solutions
- A lack of adequate tools and procedures early on for resolving key management issues
- A hesitation on the part of auditors to identify issues for which they do not have efficient solutions
- The access management field's focus on shared users, without addressing automated access
It's understandable to wonder why this issue has stayed hidden for so long, given the consequences of exploitation. Unfortunately, the simple answer is that because SSH key management is so deeply technical, it has stayed hidden and obscured within the world of system administrators. Each system manager usually sees only a small portion of the IT environment and does not have the full picture. Administrators today are extremely busy – particularly with the staff cutbacks of recent years – and they might not acknowledge that there is an issue. Since management is several steps removed from the problem – and its potentially destructive consequences – too often nothing is done about it.
But the risk remains.
SSH Key Management Prevention – Best Practices
Because this exposure is commonly found on all Unix/Linux servers and on many Windows servers, fixing the problem typically involves several teams within IT operations. The potential liability and compliance issues also require the understanding and buy-in of executive management.
Best practices to prevent these problems include:
- Learning about all existing users, shared and private keys, and recording the trust relationships between servers and users
- Observing the environment to establish which keys are actually used, and eliminating keys no longer in use
- Enforcing appropriate approvals for all key systems
- Automating key setups and key removals to reduce manual work and human error. This step reduces the number of administrators needed for key setups from potentially several hundred to only a couple of highly reliable administrators
- Rotating keys frequently, so that copied keys stop working and proper termination of access can be guaranteed
- Restricting where each key has access and what commands can be executed using the key
To reduce risk further, SSH key management should include establishing internal boundaries within the organization. An organization should rigorously control which key-based trust relationships may cross which boundaries, and should enforce agreed IP address and "forced command" restrictions on all authorized keys whose trust relationships cross such boundaries.
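Two of the practices above, observing which keys are actually used and enforcing agreed source-address boundaries, can be checked from the server's own authentication log. The script below is an added example (not code from the article or from SSH Communications Security): it reads `sshd` "Accepted publickey" records, which OpenSSH writes with the key's SHA256 fingerprint, and compares them with a key inventory to report keys never seen in use, logins from keys nobody recorded, logins from outside the key's agreed network, and keys older than the rotation limit. The inventory, the `boundary` and `created` fields, the fingerprints and the log lines are all constructed sample data; the `review` function and its rules are this example's own.

```python
import ipaddress
import re
from datetime import date, timedelta

# OpenSSH's successful public-key login record (the fingerprint is logged by OpenSSH 6.8 and later).
ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)$"
)

# Constructed key inventory keyed by fingerprint; in practice this is the output of the
# authorized_keys inventory step. 'boundary' is the source network agreed for the key,
# 'created' the date the key was installed (ISO format).
INVENTORY = {
    "SHA256:KEY1constructed": {"owner": "deploy@ci", "account": "deploy",
                               "boundary": "10.0.1.0/24", "created": "2012-01-10"},
    "SHA256:KEY2constructed": {"owner": "backup@nas", "account": "backup",
                               "boundary": "10.0.2.0/24", "created": "2013-03-01"},
    "SHA256:KEY3constructed": {"owner": "olduser", "account": "app",
                               "boundary": "10.0.1.0/24", "created": "2009-05-20"},
}

# Constructed sshd log lines in the OpenSSH syslog format (failed and password logins included
# to show they are ignored).
SAMPLE_LOG = """\
May 20 08:01:12 web01 sshd[4121]: Accepted publickey for deploy from 10.0.1.15 port 51234 ssh2: ED25519 SHA256:KEY1constructed
May 20 08:05:40 db01 sshd[4190]: Accepted publickey for backup from 192.168.5.7 port 41002 ssh2: ED25519 SHA256:KEY2constructed
May 20 08:07:03 db01 sshd[4203]: Failed publickey for root from 10.0.9.9 port 40011 ssh2: RSA SHA256:KEY9constructed
May 20 08:09:55 web02 sshd[2210]: Accepted password for alice from 10.0.1.30 port 50000 ssh2
May 20 08:12:30 web02 sshd[2231]: Accepted publickey for root from 10.0.9.9 port 40012 ssh2: RSA SHA256:KEY9constructed
"""


def parse_accepted_logins(log_text):
    """Yield one dict (ts, host, user, ip, ktype, fp) per successful public-key login."""
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            yield m.groupdict()


def review(inventory, log_text, today_iso, max_age_days=365):
    """Compare observed key usage with the inventory, the agreed boundaries and the rotation limit."""
    today = date.fromisoformat(today_iso)
    seen = set()
    boundary_violations, unknown = [], []
    for login in parse_accepted_logins(log_text):
        fp = login["fp"]
        meta = inventory.get(fp)
        if meta is None:
            unknown.append((login["host"], login["user"], fp))  # a key nobody recorded
            continue
        seen.add(fp)
        if ipaddress.ip_address(login["ip"]) not in ipaddress.ip_network(meta["boundary"]):
            boundary_violations.append((fp, login["ip"], meta["boundary"]))
    unused = sorted(fp for fp in inventory if fp not in seen)
    overdue = sorted(fp for fp, meta in inventory.items()
                     if today - date.fromisoformat(meta["created"]) > timedelta(days=max_age_days))
    return {"unused": unused, "unknown": unknown,
            "boundary_violations": boundary_violations, "overdue_rotation": overdue}


if __name__ == "__main__":
    for name, items in review(INVENTORY, SAMPLE_LOG, "2013-06-01").items():
        print(f"{name}: {items}")
```

A `from=` restriction in `authorized_keys` makes the boundary check enforced by `sshd` itself rather than merely detected afterwards; the log review is still worth running, because it also catches keys that were installed outside the approval process and keys that are simply no longer used. A real deployment would read rotated logs over a long enough window (weeks to months) before declaring a key unused.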
Although SSH is generally recognized as the standard for data-in-transit security, the current threat landscape demands that organizations reconsider how they manage encrypted network access. Following these best security practices will help position a company to prepare for security breaches and new compliance requirements before they occur.
About the Author:
Jason Thompson is director of global marketing for SSH Communications Security. Mr. Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Mr. Thompson worked at Q1 Labs, where he helped build awareness around security intelligence and holistic approaches to dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.