As a university student in 1995, I invented a security protocol to protect data-in-transit as it moves through the network. Today, the world knows this protocol as “secure shell” or SSH. Secure shell works by generating an encryption key pair, with one key for the server and one for the user’s computer. Currently, almost every major network environment – including those in large enterprises, financial institutions and governments – uses a version of SSH to protect data in transit and let administrators operate systems remotely.
While this sounds like a simple concept, most organizations have no process for managing, removing, and changing access “keys” once they are created and deployed, which can leave them seriously exposed. Not only are organizations leaving themselves open to security breaches, but they are also in danger of being noncompliant with federal regulations, which can lead to a multitude of additional problems.
Organizations looking to remedy this problem should look at how their secure shell protocols are currently being managed. This article discusses steps organizations can take to ensure the security of their networks and the proper management of secure shell keys.
Don’t Ask, Don’t Tell
Without proper management, thousands of secure shell keys can be distributed throughout the network environment, with no way to find, remove, or trace their access paths. But how does this problem manifest and continue to proliferate without regulation?
The answer is that the problem typically remains hidden in IT departments, mainly due to its technical nature. Each system administrator typically only sees a small portion of the IT environment and therefore can’t see the problem from a big picture perspective. Compounding the problem is the tendency for managers to ignore the issue simply because they don’t understand its scope or possible implications.
In working with major enterprises, we have seen that the typical organization has anywhere from eight to more than 100 secure shell keys that grant access to each Unix/Linux server, some of which even grant high-level administrative access. This alone presents a significant vulnerability because attackers can use these unmanaged keys to install backdoors in servers, bypassing all security controls a network might have in place. These malicious attackers can take the form of anyone who has ever had access to the server, insiders and outsiders, employees and contractors.
With risks that can originate from anyone who’s had contact with the network, it’s incredibly important that system administrators take particular care to manage secure shell keys so they can’t be used maliciously.
Mismanaged Secure Shell Keys – A Hotbed for Viruses
The chance of an attack occurring is not diminishing. If anything, network breaches are becoming more common as attacks become more sophisticated and capable of spreading at an alarming rate. Secure shell keys are targeted for attack because they can spread viruses very easily. Once a virus successfully gains entry, it can use mismanaged keys to spread from server to server until it has infected every facet of the network environment.
With the quantity of keys being distributed, it’s highly likely the network could become infected within a matter of minutes, including the compromise of disaster recovery and backup systems, which are also typically managed by secure shell keys. In a nightmare scenario, a virus using multiple attack vectors could spread Internet-wide and, if combined with destruction technologies, effectively wipe away vast amounts of important data.
The Threat of Noncompliance
In examining the entire scope of the damage improper secure shell key management can present, organizations should also realize they might be non-compliant with mandatory security regulations. Industry regulations such as SOX, FISMA, PCI and HIPAA all require control over server access in conjunction with the ability to terminate this access.
With all the arguments in support of effectively managing secure shell keys, why does the problem persist? First, it’s important to acknowledge that these problems aren’t the result of any flaws or vulnerabilities within the secure shell protocol itself. Several factors have contributed to the persistence of the problem, including:
Lack of company-driven guidelines or policies related to secure shell keys
Misunderstanding of the scope of the problem
Insufficient resources to educate administrators about the problem
Hesitation from auditors to flag problems that don’t have a solution
Even so, secure shell key mismanagement shouldn’t be swept under the rug moving forward. Without properly controlling, auditing or terminating SSH key-based access to IT systems and data, organizations are intentionally leaving themselves vulnerable to attack.
The Road to Recovery Starts with Acknowledgement
Organizations need to take the first step to remedying the problem and acknowledge its existence in the first place. Once the problem is recognized, several teams must take steps toward remediation and be willing to support one another throughout the process.
Taking back control should begin with the following steps:
Automate key setups and removals to eliminate manual work and the human error that comes with it
Discover all existing trust relationships that control who has access to what
Rotate keys regularly so that any compromised key pairs cease to work
Monitor the network environment and which keys are still in use and remove those that are not
Control where each key can be used and which commands the key can perform
Enforce proper process for all key setups and operations
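The steps above (discover trust relationships, monitor which keys are still used and remove the rest, control where each key can be used and which commands it can run) map directly onto what an administrator can read out of an OpenSSH authorized_keys file and the sshd log. The script below is an added example written for this article, not code from the author or from SSH Communications Security. It assumes OpenSSH’s authorized_keys format (an optional options prefix such as from= and command=, then key type, base64 key blob and comment) and sshd’s “Accepted publickey … SHA256:…” log line; the key material and log lines it contains are constructed filler, not real keys.

```python
"""Inventory and audit OpenSSH authorized_keys entries (added example, not code
from the article or from SSH Communications Security). Parses the authorized_keys
format, derives the SHA256 fingerprint sshd logs on a public-key login, and flags
keys lacking from= / command= restrictions or never seen logging in. All key
material and log lines are constructed for illustration."""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass, field

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

@dataclass
class AuthorizedKey:
    key_type: str
    key_b64: str
    comment: str
    options: dict = field(default_factory=dict)

    def fingerprint(self) -> str:
        """SHA256 fingerprint in the form ssh-keygen -l and sshd print."""
        digest = hashlib.sha256(base64.b64decode(self.key_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _unquoted_index(text: str, stop: str) -> int:
    """Index of the first char from `stop` outside double quotes, else len(text)."""
    in_quote, i = False, 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\":
            i += 2                      # skip an escaped character
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in stop and not in_quote:
            return i
        i += 1
    return len(text)

def parse_options(text: str) -> dict:
    """Parse e.g. 'from="10.0.0.0/8,192.168.1.*",command="/bin/x y",no-pty'."""
    opts = {}
    while text:
        cut = _unquoted_index(text, ",")
        item, text = text[:cut], text[cut + 1:]
        name, _, value = item.strip().partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')   # unescape \" inside quotes
        opts[name.lower()] = value if value else True
    return opts

def parse_authorized_key(line: str):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = {}
    if line.split(None, 1)[0] not in KEY_TYPES:      # options prefix present
        cut = _unquoted_index(line, " \t")
        options, line = parse_options(line[:cut]), line[cut:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    return AuthorizedKey(parts[0], parts[1], parts[2] if len(parts) == 3 else "", options)

LOG_RE = re.compile(r"Accepted publickey for \S+ from \S+ .*?(SHA256:[A-Za-z0-9+/]+)")

def fingerprints_in_log(lines) -> set:
    """Fingerprints sshd (OpenSSH 6.8+) recorded on successful public-key logins."""
    return {m.group(1) for m in map(LOG_RE.search, lines) if m}

def audit(keys, seen: set):
    """Return [(comment, fingerprint, [issues])] for each authorized key."""
    report = []
    for k in keys:
        fp, issues = k.fingerprint(), []
        if "from" not in k.options:
            issues.append("no from= restriction: usable from any source host")
        if "command" not in k.options:
            issues.append("no command= restriction: grants an interactive shell")
        if fp not in seen:
            issues.append("no login recorded: candidate for removal")
        report.append((k.comment, fp, issues))
    return report

def fake_blob(key_type: str, material: bytes) -> str:
    """Wire-format public-key blob with filler material (constructed, not a real key)."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(material)) + material
    return base64.b64encode(raw).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# ~deploy/.ssh/authorized_keys (constructed sample)
from="10.0.0.0/8,192.168.1.*",command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {fake_blob('ssh-ed25519', b'B' * 32)} backup@host-a
ssh-ed25519 {fake_blob('ssh-ed25519', b'C' * 32)} contractor-2019
ssh-rsa {fake_blob('ssh-rsa', b'D' * 64)} jenkins@ci
"""

def run_demo():
    """Audit the sample against a constructed sshd log where only the backup key ever logged in."""
    keys = [k for k in map(parse_authorized_key, SAMPLE_AUTHORIZED_KEYS.splitlines()) if k]
    log = [f"sshd[4242]: Accepted publickey for deploy from 10.0.3.7 port 50122 ssh2: "
           f"ED25519 {keys[0].fingerprint()}"]
    return audit(keys, fingerprints_in_log(log))
```

Run against real files, the parser gives the trust inventory (which key, with which comment, may log in to which account), the from= and command= checks give the “control where each key can be used and which commands it can perform” step, and joining the fingerprints against the sshd log gives the “remove those that are not in use” step. Only the backup key in the sample passes all three; the contractor and CI keys are unrestricted and have never authenticated, which is exactly the kind of entry the article says accumulates unnoticed.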
Into the Future
Secure shell continues to be the gold standard for data-in-transit security, but technology only gets you so far. Organizations need to proactively manage their secure shell keys if they want to take full advantage of the many benefits that secure shell offers. If organizations continue to ignore the problem and allow for the proliferation of unmanaged keys, they will likely see many threats become a reality in the future. It will take the dedication of several well-trained people to remedy the situation and many years to fully resolve the problem. However, taking important steps, like those listed above, is a great starting point for companies that are serious about addressing this issue.
Tatu Ylönen is the CEO and founder of SSH Communications Security. Tatu has been a key driver in the emergence of security technology, including the SSH and SFTP protocols, and is co-author of globally recognized IETF standards. He has been with SSH since its inception in 1995, holding various roles including CEO, CTO and board member.
Edited by Cassandra Tucker