Not so long ago, a young researcher experienced a hacking incident at his university. Thousands of user names and passwords had been stolen, and this young man began thinking about what he could do to make the network more secure. He learned more about networking and cryptography and, within three months, had created a crypto-based access protocol that is now, just over 20 years later, used in hundreds of millions of computers.
That young man was Finland’s Tatu Ylönen, and the protocol is Secure Shell, which we know more commonly as SSH. The protocol’s primary function is to provide trusted access and encrypt communication in transit to prevent man-in-the-middle attacks. Once a connection is established, SSH effectively creates an encrypted tunnel to facilitate secure communication between two points.
It’s All About Access
This seems like a simple success story of a man who identified a problem and fixed it. But there’s more to the story. Since SSH comes pre-installed on servers and devices, most organizations do not have any group or individual responsible for monitoring SSH activities. In fact, most businesses make the leap that SSH equals encryption, and encryption equals security. In this day and age, who doesn’t want more encryption and security? The premise that encryption alone negates the need for vigilance and oversight of SSH use is dangerously flawed.
That is not an overstatement. Although SSH does encrypt communication, the more important point about the protocol is that SSH equals access. SSH access comes in two variants: interactive (Human to Machine) and non-interactive (Machine to Machine). Furthermore, access to critical resources and data needs to be managed, monitored and controlled. Thus, closing the SSH responsibility gap should be a Tier 1 priority for an enterprise.
Dangerous Keys
To keep communications secure, SSH uses key pairs consisting of a private key and a public key. To understand the function of these keys, it helps to use an analogy: a public key is like a lock on a door, whereas a private key is like the physical key you keep in your pocket. Presenting the private key that matches a public key grants an encrypted connection.
So far, so good. But there are intrinsic risks to SSH because of these features:
It is obvious, then, that in the hands of bad actors, SSH keys can spell disaster for any business: they grant the ability to do all sorts of nefarious things, undetected, inside the security blind spot that unmanaged SSH creates.
Secure Steps for Secure Shell
To prevent this, organizations can follow best practices for effective, consistent SSH key management and risk prevention. First, create usage procedures that include periodic access reviews, documented and disseminated security policies and standards, and implementation of the required IT controls.
The second step is to develop and deploy hardening configuration and review the configuration periodically. Consider automated tools to manage the configuration and apply integrity control checks and monitoring over critical files. Make sure to define roles and responsibilities as well, so that SSH key management does not fall through the cracks again.
The third step is to put automation in place, because it is critical to the success of SSH key deployments. Standardization is required, and access restrictions are key. Finally, an inventory of keys and usage tracking are necessary as part of the overall provisioning of users and accounts.
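The second and third steps above (a periodic hardening review of the configuration, and an inventory of keys with restrictions on their use) are the ones most easily automated. The following Python script is an added example, not code from the article or from SSH Communications Security: it reviews a constructed `sshd_config` excerpt against a small set of expected settings and audits a constructed `authorized_keys` file, computing each key's OpenSSH-style SHA256 fingerprint, matching it against a known inventory, and flagging keys that carry no `from=` source restriction. The three directives checked, the inventory contents, and the sample keys (whose 32 key bytes are a repeated filler byte, so they are not real keys) are all assumptions made for the example.

```python
import base64
import hashlib
import struct

# Hardening expectations for the review. The article names no specific
# directives; these three are assumptions chosen for the example.
EXPECTED_SSHD = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_sshd_config(text):
    """Global sshd_config directives as {keyword: value}. sshd keeps the first
    value it sees for a keyword, and lines after a Match directive are
    conditional, so only the global section before the first Match counts."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        settings.setdefault(keyword, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def review_sshd_config(text):
    """One finding per expected directive that is unset or outside the allowed set."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, allowed in EXPECTED_SSHD.items():
        value = settings.get(keyword)
        if value is None:
            findings.append(f"{keyword}: not set explicitly (relying on the default)")
        elif value not in allowed:
            findings.append(f"{keyword}: is '{value}', expected one of {sorted(allowed)}")
    return findings


def _split_first_field(line):
    """Split off the first field, treating double-quoted text (which may contain
    spaces and commas inside authorized_keys options) as part of that field."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_key(line):
    """Parse '[options] keytype base64 [comment]' into a dict."""
    head, rest = _split_first_field(line)
    options = "" if head in KEY_TYPES else head
    if not options:
        rest = line
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    return {"options": options, "type": fields[0], "b64": fields[1],
            "comment": fields[2] if len(fields) == 3 else ""}


def fingerprint(b64):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_key_type(b64):
    """Key type recorded inside the blob (first length-prefixed string)."""
    blob = base64.b64decode(b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def audit_authorized_keys(text, known):
    """Inventory each key and flag unknown, mislabelled or unrestricted ones.
    `known` maps fingerprint -> owner/purpose from the organisation's records."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_authorized_key(line)
        fp = fingerprint(entry["b64"])
        findings = []
        if blob_key_type(entry["b64"]) != entry["type"]:
            findings.append("declared key type does not match the key blob")
        if fp not in known:
            findings.append("fingerprint not in the key inventory")
        if "from=" not in entry["options"]:
            findings.append("no from= source restriction")
        report.append({"fingerprint": fp, "type": entry["type"], "comment": entry["comment"],
                       "owner": known.get(fp), "findings": findings})
    return report


def make_ed25519_pubkey(fill):
    """Constructed ssh-ed25519 blob (two length-prefixed strings). The key bytes
    are a repeated filler byte, so this is not a real key; it only exercises
    the parsing and fingerprinting code."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()


KEY_BACKUP = make_ed25519_pubkey(0x01)
KEY_LEGACY = make_ed25519_pubkey(0x02)

SAMPLE_SSHD_CONFIG = """# constructed sshd_config excerpt
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
"""

SAMPLE_AUTHORIZED_KEYS = f"""# constructed authorized_keys for a service account
from="10.0.0.0/8",command="/usr/local/bin/backup.sh" ssh-ed25519 {KEY_BACKUP} backup@bastion
ssh-ed25519 {KEY_LEGACY} legacy-admin
"""

# Constructed inventory: only the backup key has a recorded owner and purpose.
KEY_INVENTORY = {fingerprint(KEY_BACKUP): "nightly backup job, owner: infra team"}

if __name__ == "__main__":
    for finding in review_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KEY_INVENTORY):
        print(entry["fingerprint"], entry["comment"], entry["owner"], entry["findings"])
```

Run against the constructed input, the review reports `PermitRootLogin yes` and `PasswordAuthentication yes` as deviations, and the audit passes the restricted, inventoried backup key while flagging the `legacy-admin` key as both absent from the inventory and unrestricted. In a real deployment the same two functions would be fed the host's actual files and the organisation's key records, with the output feeding the periodic access review.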
It’s ironic that a protocol created to protect communications has, over time, developed inherent risks due to widespread adoption and poor to non-existent management practices. SSH keys are capable of granting pervasive, root-level access to the network that, in the wrong hands, could be the death blow to a company. Use the best practices recommended above to secure SSH and keep it secure.
About the author:
Thomas MacIsaac is a cybersecurity strategist and currently serves as VP Eastern US, Canada and Federal Markets for SSH. Thomas has spent over 22 years in the high-tech industry representing many of the foundational and cutting-edge technologies of our time. Thomas regularly consults with Fortune 500 businesses and government agencies in the area of security on topics of data at rest and in transit, identity and access management, APIs, and SIEMS, and is a sought-after speaker for audit, compliance, and security events.