The secure shell data-in-transit protocol has been deployed millions of times by organizations of all kinds and sizes since its inception nearly 20 years ago. Today, it is recognized as an industry gold standard, capable both of securely moving data from one machine to another and providing remote administrator access. Linux, Unix, and Mac OS all ship a version of SSH with every version of their software, and SSH is gaining momentum in the Windows market as well.
These SSH deployments have secured billions of business transactions without any major security breaches by the protocol itself. However, while the SSH protocol itself is highly secure, organizations today face the risk of suffering debilitating security breaches if they are not managing their SSH environments. Major changes in how hackers approach secured network environments now require large enterprises, federal agencies and financial institutions to improve how they manage their SSH keys to protect their sensitive data adequately.
A Brave New World
SSH is used to transmit valuable business intelligence within the network environment, including personally identifiable information, healthcare records, credit card numbers and classified information. To a malicious insider or an attacker, then, SSH is a fortified channel that carries along the most valuable data a company possesses. Yet since the protocol itself is impermeable, hackers must find a shortcut.
The shortcut lies in how SSH keys are managed, or mismanaged.
To create an encryption channel between the user’s computer and the server – a channel often referred to as a trust relationship, network administrators make a cryptographic key pair, installing one key on the server and the other key on the user’s machine. These trust relationships are established and managed internally, sometimes on systems dating from the mid ‘90s. These systems do not have the capabilities to search trust relationships; as such, tracking the locations of these trust relationships must be done manually. It is therefore inevitable that a significant number of trust relationships will be lost when a network has potentially hundreds of thousands of keys. If an internal or external malicious actor gains access to one of these keys, he or she can mimic an authorized user and exploit sensitive data.
Therefore, improper management of SSH keys presents an opportunity for an attacker to exploit a serious vulnerability and gain access to sensitive intelligence. The scope of the issue is sobering. (See text box.)
With advanced persistent threats becoming increasingly common, the risks faced by organizations without proper SSH key management protocols in place are substantial. These risks increase proportionately to the company’s variance from a best practices approach to SSH key management.
In addition to the clear security implications of SSH key mismanagement, organizations must be conscientious of federal compliance standards – including PCI (News - Alert), SOX, NIST and HIPAA – that demand a high degree of control over access to sensitive network information. If these standards are not met, the company risks failing an audit and being hit with expensive fines.
In addition, SSH key mismanagement is simply an inefficient way of doing business. Many organizations today have more than 20,000 servers, which makes the cost of manual SSH key management $40 million over 10 years. The costs plus the significant reputation damage that follows a security breach give organizations a lot of incentives to take a closer look at their SSH key management practices.
Improving SSH Key Management
IT operations must be involved in fixing the issue because the vulnerability is typically found in all Unix/Linux servers and many Windows servers. Yet the IT department cannot solve this issue alone. Executive management must also be aware of the problems and willing to help in whatever ways they can since the potential liability and compliance issues of doing nothing are so great.
Best practices to rectify the problem include:
· uncovering all existing users, public and private keys, and outlining trust between machines and users;
· observing the environment to determine which keys are actually used, and eliminating keys no longer in use;
· executing proper approvals for every key setup;
· diminishing manual work and human errors by automating key setups and key removals;
· circulating keys regularly, so that copied keys no longer work and proper termination of access is ensured; and
· limiting where each key has access and what commands can be executed using the key.
To further reduce risk, network environment boundaries within the organization must be a critical component of proper key management. These boundaries should clearly delineate key-based trust relationships’ access while enforcing strict IP address and forced command regulations for all authorized keys concerning trust relationships exceeding such boundaries.
The SSH protocol has done a great job in protecting data-in-transit at a tactical level, but that doesn’t combat the increasing number of threat vectors that leave even the most secure network operations at risk. Regardless of the security levels of SSH protocols for data-in-transit, organizations must reevaluate their management systems for allowing access to their encrypted networks to keep up with the current threat landscape. Effective management of the SSH environment is critical to eliminating network vulnerabilities that have costly consequences when exploited. The best practices for security identified above can prepare your enterprise for security threats and new compliance mandates before they occur.
Edited by Stefania Viscusi