One of the major lessons learned from the Heartbleed vulnerability is how critical IT components, like encryption, are often overlooked, placing organizations at high risk of attack. To make matters worse, a lack of management controls and visibility – especially in ubiquitously deployed software – gives attackers a huge attack surface the moment a vulnerability is identified, and lets them keep exploiting it because remediation processes are not in place.
Encryption isn’t new. Even though the average person relies on encryption every day to keep personal data, banking information and more safe and secure, they probably don’t know much about how it works. As technology “ages,” costs tend to decrease. Today, encryption technology is often viewed as fully commoditized and widely deployed via open source software.
There is a wide body of debate as to whether commercial or open source software is better for the enterprise. Because encryption technology is often available at little or no cost, IT managers and executives often don’t have encryption security on the brain. As we’ve seen, in instances like Heartbleed, this can be a real problem.
Software has vulnerabilities and breaches occur – we know this. It’s important to note that typically it’s not the software itself or the encryption protocol that is the problem. In many cases it’s that encryption management is left largely in the domain of IT application developers or system administrators and has never been properly managed with access controls, monitoring and proactive data loss prevention.
While Heartbleed has helped raise awareness surrounding the management of encrypted networks, there is still a lot more happening below the surface that needs to be addressed.
In Secure Shell networks, key-based authentication is one of the more common methods used to gain access to critical information. Keys are easy to create and, at the most basic level, are simple text files that can be easily uploaded to the appropriate system. Associated with each key is an identity, either a person or a machine, that is granted access to information assets and performs specific tasks, such as transferring a file or dropping a database, depending on the assigned authorizations. Secure Shell keys – those basic text files – therefore provide access to some of the most critical information within an organization.
If one does the math, it becomes evident that with all of the employees, contractors and applications that have been assigned keys over the past decade or more, there are potentially over a million keys present in any single enterprise. In one example, a major bank with around 15,000 hosts had over 1.5 million keys circulating within its network environment. Around 10 percent of those keys – or 150,000 – provided high-level administrator access. This represents a tremendous number of open doors that no one was monitoring.
How could this happen? In large part, because encryption is often perceived as a tool – and because nothing appeared on the surface to be out of place – no processes were shut down and no one was alerted to the problem.
In other instances, “convenience” factors come into play as well. System administrators and application developers will often deploy keys in order to readily gain access to systems they are working on. These keys grant a fairly high level of privilege and are often used across multiple systems, creating a one-to-many relationship. In many cases, employees or contractors who are terminated – or even simply reassigned to other tasks that no longer require the same access – continue to carry access via Secure Shell keys; the assumption is that terminating the account is enough. Unfortunately, this is not the case when Secure Shell keys are involved; the keys must also be removed or the access remains in place.
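The three problems just described (keys nobody inventories, one key reused across many hosts, and keys that outlive the account they were issued to) are all visible in the authorized_keys files themselves. The script below is an added example, not code from the original article or from any vendor product: it audits a constructed snapshot of authorized_keys entries collected from several hosts against a constructed list of identities the user directory still considers active, and flags orphaned keys, root keys with neither a `from=` nor a `command=` restriction, and fingerprints that appear on more than one host. The host names, accounts, key blobs and identities are all constructed placeholders.

```python
"""Audit of SSH authorized_keys entries collected from several hosts.

Added example, not code from the original article. It assumes a constructed
snapshot of (host, account, authorized_keys line) tuples and a constructed set
of identities that the user directory still considers active.
"""
import base64
import hashlib
import re
from collections import defaultdict

# Key types that may start an entry when no options are present.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")


def _placeholder_blob(label: str) -> str:
    """Constructed stand-in for a public key blob (valid base64, not a real key)."""
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Constructed snapshot: one key reused on two database hosts, a terminated
# contractor's key left on two hosts, and one properly restricted bot key.
SAMPLE_AUTHORIZED_KEYS = [
    ("db01", "root", f"ssh-ed25519 {_placeholder_blob('alice')} alice@corp"),
    ("db02", "root", f"ssh-ed25519 {_placeholder_blob('alice')} alice@corp"),
    ("app01", "deploy",
     'from="10.0.5.0/24",command="/opt/deploy/pull.sh",no-pty '
     f"ssh-rsa {_placeholder_blob('deploybot')} deploybot@ci"),
    ("app01", "root", f"ssh-rsa {_placeholder_blob('bob')} bob@contractor"),
    ("jump01", "root", f"ssh-rsa {_placeholder_blob('bob')} bob@contractor"),
    ("jump01", "carol", f"ssh-ed25519 {_placeholder_blob('carol')} carol@corp"),
]

# Constructed directory export: bob@contractor has been terminated.
ACTIVE_IDENTITIES = {"alice@corp", "carol@corp", "deploybot@ci"}


def parse_authorized_key(line: str) -> dict:
    """Split one authorized_keys line into options, key type, fingerprint and comment."""
    line = line.strip()
    options = ""
    if not line.startswith(KEY_TYPES):
        # Options run up to the first whitespace outside double quotes, so a
        # quoted value such as from="10.0.0.1 10.0.0.2" stays intact.
        in_quotes = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                options, line = line[:i], line[i + 1:].lstrip()
                break
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys entry")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # Option names only; quoted values (which may contain commas) are skipped.
    option_names = {tok.split("=", 1)[0]
                    for tok in re.findall(r'[^,"]+(?:"[^"]*")?', options)}
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")  # OpenSSH format
    return {"type": key_type, "fingerprint": fingerprint,
            "options": option_names, "comment": comment}


def audit(entries, active_identities):
    """Flag orphaned, unrestricted-privileged and host-spanning keys."""
    findings = {"orphaned": [], "unrestricted_privileged": [], "shared_across_hosts": {}}
    hosts_by_fingerprint = defaultdict(set)
    for host, account, line in entries:
        key = parse_authorized_key(line)
        hosts_by_fingerprint[key["fingerprint"]].add(host)
        # The comment is free text written by whoever installed the key; treat it
        # as a hint and reconcile against a central inventory keyed by fingerprint.
        if key["comment"] not in active_identities:
            findings["orphaned"].append((host, account, key["fingerprint"]))
        # Root keys with neither a source restriction nor a forced command.
        if account == "root" and not {"from", "command"} & key["options"]:
            findings["unrestricted_privileged"].append((host, key["comment"]))
    findings["shared_across_hosts"] = {
        fp: sorted(hosts) for fp, hosts in hosts_by_fingerprint.items() if len(hosts) > 1
    }
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE_AUTHORIZED_KEYS, ACTIVE_IDENTITIES).items():
        print(category, items)
```

On the constructed snapshot the audit reports two orphaned entries (the terminated contractor's key on app01 and jump01), four unrestricted root keys, and two fingerprints present on more than one host. In a real estate the entries would be gathered by a collector that reads every account's authorized_keys file (and any `AuthorizedKeysFile` location set in sshd_config), and the identity check would key on fingerprint rather than on the editable comment field.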
Another example of the commonplace dangers of unmonitored Secure Shell keys is the use of these keys to subvert privileged access management (PAM) systems. Many PAM systems utilize a gateway or jump host that administrators log into to gain access to network assets. PAM solutions connect with user directories to assign privilege, monitor user actions and record which actions have taken place. Sounds like an airtight way to monitor administrators, right? It is, until one realizes how easy it is for an administrator to log into the gateway, deploy a key and then log in using key authentication, a clever workaround for any PAM safeguards in place.
In encrypted environments, lack of access control is just part of the story. Conventional PAM solutions, which utilize gateways and focus on interactive users only, are designed to monitor administrator activities. Unfortunately, as mentioned above, they end up being fairly easy to work around. Additionally, encryption blinds security operations and forensics teams in the same way it blinds attackers. For this reason encrypted traffic is rarely monitored and is allowed to flow freely in and out of the network environment. This creates obvious risks and negates security intelligence capabilities to a large degree.
Ask an IT security professional how they handle encrypted traffic at the perimeter and that professional will likely say that he or she simply lets it flow through. If one searches for “SSH firewall” the result is a number of highly instructive articles on how to use Secure Shell to bypass corporate firewalls. This is actually a pretty common and clever workaround of policy that unfortunately creates a huge security risk. In order to eliminate this risk, the organization must decrypt and inspect the traffic.
A Light in Dark Places
In order to decrypt Secure Shell traffic, an organization would need to utilize an inline proxy with access to the private keys – essentially a friendly man-in-the-middle – to decrypt the traffic without interfering with the network.
When successfully deployed, 100 percent of encrypted traffic for both interactive users and machine-to-machine (M2M) identities can be monitored. Also, because this is done at the network level, it’s not possible for malicious parties to execute a workaround. With this method, enterprises can proactively detect suspicious or out-of-policy traffic. This is called encrypted channel monitoring and represents the next generation in the evolution of PAM.
Encrypted channel monitoring helps organizations move away from a gateway approach to PAM and solve the challenge of decrypting traffic at the perimeter, while simultaneously preventing attackers from using the organization’s own encryption technology against itself.
In addition, an organization can utilize inline access controls and user profiling to control what activities a user can undertake. For example, policy controls can be enforced to forbid file transfers from certain critical systems. With the more advanced solutions, an organization can even block subchannels from running inside the encrypted tunnel, the preferred method of quickly exfiltrating data.
In relation to Heartbleed, encryption technologies are often deployed in the absence of proper access controls or effective monitoring, which also blinds layered defenses. A major vulnerability like Heartbleed potentially compromises the entire server, which could in turn expose other areas of the network to subsequent attacks.
The technology community has embraced encryption technology for over a decade using it ubiquitously in applications, data centers and other foundation infrastructure. What Heartbleed showed the industry is that widely used, critical technologies have lived for far too long below the surface.
Best practices for managing encrypted networks, such as centralized provisioning, are not in place for the majority of enterprises despite the obvious risks of going without. Encrypted channel monitoring is rarely implemented and many IT administrators assume that conventional PAM is solving this problem, when in reality easy workarounds can render it ineffective.
The importance of network security should compel IT security managers to invest in solutions that ensure these technologies are as secure as possible. Organizations should take a serious look at their encrypted networks to ensure that layered defenses are enabled and that proactive monitoring is in place. Taking a holistic approach to encrypted channel monitoring can greatly distance organizations from being a Heartbleed away from a critical, widespread security disaster.
About the Author:
Jason Thompson is Director of Global Marketing for SSH Communications Security. Mr. Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Mr. Thompson worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.