Open the morning’s newsfeed, sit down with a cup of coffee and chances are you’ve read about three new major corporate network security breaches before your first cup is finished. With fresh waves of advanced persistent threats hitting corporate giants and governments each day, it is incredible to remember the days when sensitive network data was unencrypted.
When I was a college student in Helsinki, packet-sniffing attacks frequently targeted passwords in our university network. To protect our sensitive data, I wrote a program protecting information as it moved from point to point throughout the network. I called it the “secure shell,” or SSH for short. Years later, nearly all large enterprises, governments and financial institutions have incorporated a version of SSH to let administrators manage systems remotely and ultimately protect data in transit.
While we now can look back and smile at the naiveté of sending plaintext data through the network, a look at the security risks of today’s labyrinthine network environments is sobering. When organisations are unable to control who creates SSH keys, the number of keys created, or even where the keys wind up in the network environment, they are leaving themselves dangerously open to security breaches and non-compliance with federal regulations.
To protect against today’s threats, organisations must recognise their SSH key management problems and take immediate action toward establishing and deploying automated control over the SSH key environment.
The problem today
SSH works by creating a pair of encryption keys – the public key installed on the server, the private key kept on the user’s computer – and protecting all data that passes between those two points. Organisations use SSH to encrypt their most important data, including health, financial, or any other kind of sensitive information only meant to be viewed by the sender or receiver.
Despite the fact that organisations use SSH to protect their most critical data, the actual management of these keys has suffered significantly, to the point where network security has been compromised. Today, the average network environment resembles an apartment building with access keys scattered at random in the halls, stairways, elevators and lobby. The landlord has no idea who made most of them, or what doors they open, but since his tenants seem to be accessing their apartments fine, he hasn’t investigated further.
Inside your system
Of course, no apartment manager would stand for this scenario, and neither should the major banks, enterprises and federal agencies we have spoken with. Yet through discussions with major enterprises, governments and financial institutions, we have discovered that most organisations have anywhere from eight to more than 100 SSH keys in their environments permitting access to each Unix/Linux server. Some of these keys also provide high-level root access, leaving servers vulnerable to “high-risk” insiders. These “insiders”, such as disgruntled former employees, can use these mismanaged SSH keys to secure permanent entrances to production servers.
Despite the clear risks, because the problem is highly technical, it has been hidden in the IT department. Executive management often is unaware that it’s a problem at all. Even system administrators who are charged with SSH key management duties rarely get a full picture of their own network environments, and therefore may not appreciate how serious the risk of a breach truly is.
The likelihood of such a breach is increasing daily. Using SSH keys as an attack vector in a virus is very simple, requiring only a few hundred lines of code. Once a virus gains successful entry to a server, it can use improperly managed SSH keys to spread from server to server throughout the organisation.
Because key-based access networks are so tightly knit together, it is likely that a successful attack could infect virtually all servers, particularly if the virus also uses additional vectors to heighten its privileges to “root” after breaching a server. With so many keys being distributed, a virus could corrupt all servers before anyone realised what was going on. These compromised servers could also include the disaster recovery and backup servers that would be brought into service when such an attack occurs.
The worst-case scenario for an attack using mismanaged SSH keys would be for a virus using multiple attack vectors to merge with destruction technologies and spread Internet-wide, resulting in enormous amounts of data loss.
The risks described are not a result of any weaknesses or defects in the SSH protocol itself. Rather, the risks have sprouted from years of bad key management protocols, insufficient time and resources to research solutions, lack of understanding of the consequences and the hesitancy of auditors to flag issues that they cannot solve.
Organisations without proper SSH key management protocols in place are in violation of mandatory security laws and regulations. HIPAA, FISMA, PCI and SOX are all industry regulations that require control of server access and the capability to terminate that access. Furthermore, organisations may also be infringing upon other security policies, including those mandated by their customers.
It is clear that the issue of SSH key mismanagement must be addressed. Without properly auditing, controlling, or terminating SSH key-based access to their IT systems and data, most enterprises, government agencies, and healthcare providers are vulnerable.
Remediation will require the buy-in of the entire organisation. The core of the remediation project comprises multiple steps:
- Automating key setups and removals to eliminate manual work that would otherwise require a vast number of administrators
- Controlling what commands can be executed using the key and the location from which each key can be used
- Enforcing proper processes for all key setups and other key operations
- Monitoring the environment to establish which keys are actually used and removing keys that are no longer in use
- Revealing all current trust relationships to show who currently has access to what information
- Rotating keys, i.e., changing every authorised key as well as the corresponding identity keys regularly, so that any stolen keys cease to work
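An added example of the monitoring and trust-relationship steps above (not code from the article or from SSH Communications Security): it parses authorized_keys lines gathered from a constructed set of hosts and accounts, fingerprints each key to show which accounts trust the same key, and flags keys that lack `from=` or `command=` restrictions or that grant root access. Hostnames, paths and key blobs are all constructed.

```python
import base64, hashlib, re
from collections import defaultdict
# Constructed sample: authorized_keys lines from several accounts on several hosts; the blobs are dummies.
KEY_A = base64.b64encode(b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"constructed-key-B").decode()
INVENTORY = {
    ("db01", "root"): [
        f"ssh-ed25519 {KEY_A} backup@ops",
        f'from="10.1.2.0/24",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {KEY_B} backup-agent',
    ],
    ("web01", "deploy"): [f"ssh-ed25519 {KEY_A} backup@ops"],
    ("web02", "root"): [f"ssh-ed25519 {KEY_A} backup@ops"],
}
OPTION_RE = re.compile(r'([\w-]+)(?:="([^"]*)")?')  # bare flag or name="value"

def split_options(line):
    """Split off the options field; it ends at the first space outside double quotes."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return "", line  # no options field on this line
    in_quote = False
    for i, c in enumerate(line):
        if c == '"':
            in_quote = not in_quote
        elif c == " " and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""  # malformed: options present but no key follows

def parse_line(line):
    """Return (options dict, key type, base64 blob, comment) for one authorized_keys line."""
    opts_str, rest = split_options(line.strip())
    opts = {m[1]: m[2] if m[2] is not None else True for m in OPTION_RE.finditer(opts_str)}
    parts = rest.split(None, 2)
    return opts, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, rendered as unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob)).digest()).decode().rstrip("=")

def audit(inventory):
    """Return (findings, trust map: fingerprint -> sorted list of 'user@host' that accept it)."""
    findings, trust = [], defaultdict(set)
    for (host, user), lines in inventory.items():
        for line in lines:
            opts, ktype, blob, comment = parse_line(line)
            trust[fingerprint(blob)].add(f"{user}@{host}")
            where = f"{user}@{host} ({comment or ktype})"
            checks = [("from" not in opts, "no from= source restriction"),
                      ("command" not in opts, "no command= restriction"),
                      (user == "root", "grants root access")]
            findings += [f"{where}: {msg}" for bad, msg in checks if bad]
    return findings, {fp: sorted(v) for fp, v in trust.items()}
```

Run against a real collection, the trust map is what the "revealing trust relationships" step produces, and a key that appears under many accounts but is absent from the logs of actual use is a candidate for removal or rotation.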
While SSH continues to be the gold standard for data-in-transit security, the current threat landscape requires organisations to take pivotal steps to improve the management of their SSH networks.
Almost all of the Fortune 500 and many major government agencies continue to operate out of compliance, and are unknowingly facing major security threats from hackers or rogue employees. To fully address the issue, it will take the commitment of the entire organisation to ensure that SSH user keys are properly managed in their network environments.
Tatu Ylönen is the CEO and founder of SSH Communications Security