Manage your Secure Shell keys or suffer the consequences, says Tatu Ylönen, inventor of SSH
Today, nearly all large enterprises, governments, and financial institutions use Secure Shell (SSH), a network protocol that protects data in transit while letting administrators manage systems remotely.
Secure Shell protects sensitive data moving across the network from being read or altered by anyone else on the network path. Each session is encrypted with keys negotiated between client and server; separately, users and automated processes authenticate with a key pair: the private key stays on the user's computer and the corresponding public key is installed on the server, in the account it is allowed to log in to. Organisations use SSH to protect their most sensitive data, such as logins, accounting information and personally identifiable information.
Negligence with SSH keys
Incredibly, despite the high value of the data it protects, organisations have been almost willfully negligent in managing their Secure Shell keys. This is highly risky: it is the corporate equivalent of leaving copies of a hotel room key card scattered around the hotel lobby. All it would take to gain access to that room is a little curiosity and patience.
As well as putting their sensitive data at risk, companies that don't manage their Secure Shell keys are also flouting a number of regulations in the US and elsewhere, which require organisations to control who can access sensitive information within the network. For instance, if auditors find a company has been unable to manage access to its accounting data, they can impose heavy fines for noncompliance.
Organisations with inadequate Secure Shell key management processes in place are in violation of mandatory security laws, regulations and industry standards. HIPAA, FISMA, PCI DSS and SOX (Sarbanes-Oxley) all require that the organisation strictly controls network access and the termination of that access. Moreover, non-compliance puts organisations at risk of breaching policies mandated by their own customers, industry guidelines and even internal access control best practices.
Secure Shell key mismanagement is widespread because the problem is highly technical, and its depth and severity are clear only to a few people working within IT. Even within IT, system administrators usually focus on one area of operations and aren't responsible for taking the long view that would expose the problem. If IT itself isn't fully aware of it, executive management cannot be expected to be aware of it at all, so many companies operate at risk.
Our experience with major enterprises, governments and financial institutions is that most organisations have anywhere from eight to over 100 Secure Shell keys in their environment that authorise root access to each Unix/Linux server, typically far more than the number of current employees authorised to have that access. Because such keys are rarely removed or rotated, anyone who was ever given root access this way effectively has permanent access to production servers, leaving the organisation exposed to insider attack.
An opportunity for viruses
Network breaches are now routine as attacks have grown in frequency and sophistication, and Secure Shell keys are a ready attack vector for a virus. Once on an organisation's server, the virus can read any private keys stored there and use them to log in to every server that trusts those keys, spreading system-wide undetected, since each hop looks like an ordinary key-based login. Network servers are so tightly interwoven with one another that all servers become vulnerable to such an attack, and this includes backup and disaster recovery servers that are also managed with Secure Shell keys.
A virus using Secure Shell as one of several attack vectors could, when combined with destructive payloads, spread Internet-wide in minutes and destroy massive amounts of data.
These risks are not due to any flaws within the SSH protocol or any of its implementations: they come about because there are no widely agreed Secure Shell key management guidelines, and organisations do not give the problem enough resources and time.
Best Practices to manage SSH keys
Fixing the problem takes a substantial outlay of time and funds, several IT teams and the support of the organisation itself. The core of the remediation project comprises several steps:
- Automating key setups and removals to eliminate manual work that introduces human error.
- Controlling which commands can be executed using the key and the location where each key can be used (in OpenSSH, the `command=` and `from=` options on an authorized_keys entry).
- Enforcing proper processes for all key setups and other key operations.
- Monitoring the network environment in order to establish which keys are actually used – and removing old ones.
- Rotating keys, changing every authorised key and corresponding identities regularly, so stolen keys cease to work.
- Revealing all current trust relationships (who has access to what), to identify keys that grant access they should not.
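The monitoring, restriction and trust-mapping steps above can be started with nothing more than the authorized_keys files collected from each host and the sshd authentication logs. The script below is an added example, not code from the original article or from SSH Communications Security. It parses authorized_keys entries (including quoted `command=` and `from=` options), computes each key's SHA256 fingerprint in the same form `ssh-keygen -lf` prints, builds the trust map from fingerprint to the (host, account) pairs it can log in to, and then flags keys that carry no `from=` or `command=` restriction and keys that grant access but never appear in the logs. The hosts, accounts, keys and log lines are all constructed sample data; the key blobs are syntactically valid ssh-ed25519 public keys built from a seed, not real keys.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}
# Matches the OpenSSH "Accepted publickey" log line that carries the key fingerprint.
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")


def _first_token(line):
    """Return (token, rest); a token may contain spaces inside double quotes."""
    buf, in_quote, i = [], False, 0
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        buf.append(c)
        i += 1
    return "".join(buf), line[i:].strip()


def _split_options(text):
    """Split an authorized_keys option string on commas that are outside quotes."""
    parts, buf, in_quote = [], [], False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
    if buf:
        parts.append("".join(buf))
    return parts


def parse_authorized_key(line):
    """Parse one authorized_keys line into options, key type, base64 blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    token, rest = _first_token(line)
    options = {}
    if token not in KEY_TYPES:              # leading token is an option list, not a key type
        for opt in _split_options(token):
            name, _, value = opt.partition("=")
            options[name] = value.strip('"')
        token, rest = _first_token(rest)
    parts = rest.split(None, 1)
    return {"options": options, "type": token, "blob": parts[0],
            "comment": parts[1].strip() if len(parts) > 1 else ""}


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ed25519_blob(seed):
    """Constructed test key: a well-formed ssh-ed25519 blob whose 32 key bytes are derived from a seed."""
    pub = hashlib.sha256(seed).digest()
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + pub).decode()


KEY_ALICE, KEY_BOB = _ed25519_blob(b"alice"), _ed25519_blob(b"bob")
KEY_BACKUP, KEY_OLD = _ed25519_blob(b"backup"), _ed25519_blob(b"contractor-2012")

# Constructed sample inventory: authorized_keys lines collected per (host, account).
AUTHORIZED_KEYS = {
    ("db01", "root"): [
        f"ssh-ed25519 {KEY_ALICE} alice@laptop",
        f"ssh-ed25519 {KEY_OLD} contractor",
        f'from="10.0.0.20",command="/usr/local/bin/backup.sh --verify",no-pty,no-port-forwarding '
        f"ssh-ed25519 {KEY_BACKUP} backup@bk01",
    ],
    ("web01", "root"): [f"ssh-ed25519 {KEY_ALICE} alice@laptop", f"ssh-ed25519 {KEY_BOB} bob@laptop"],
    ("web01", "deploy"): [f"ssh-ed25519 {KEY_BOB} bob@laptop"],
}
# Constructed sample sshd log lines, built from the sample keys so the fingerprints line up.
AUTH_LOGS = {
    "db01": [f"Apr  3 09:12:44 db01 sshd[2211]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: ED25519 {fingerprint(KEY_ALICE)}",
             f"Apr  3 02:00:01 db01 sshd[1980]: Accepted publickey for root from 10.0.0.20 port 40022 ssh2: ED25519 {fingerprint(KEY_BACKUP)}"],
    "web01": [f"Apr  3 10:01:03 web01 sshd[3301]: Accepted publickey for deploy from 10.0.0.7 port 50001 ssh2: ED25519 {fingerprint(KEY_BOB)}"],
}


def audit(authorized_keys, auth_logs):
    """Return the trust map plus the unrestricted and unused (host, account, fingerprint) grants."""
    trust, comments, unrestricted = defaultdict(set), {}, set()
    for (host, account), lines in authorized_keys.items():
        for entry in filter(None, map(parse_authorized_key, lines)):
            fp = fingerprint(entry["blob"])
            trust[fp].add((host, account))
            comments[fp] = entry["comment"]
            if not (set(entry["options"]) & {"from", "command"}):
                unrestricted.add((host, account, fp))
    used = set()
    for host, lines in auth_logs.items():
        for m in filter(None, map(LOG_RE.search, lines)):
            used.add((host, m.group(1), m.group(3)))
    granted = {(h, a, fp) for fp, targets in trust.items() for (h, a) in targets}
    return {"trust": dict(trust), "comments": comments,
            "unrestricted": unrestricted, "unused": granted - used}


if __name__ == "__main__":
    report = audit(AUTHORIZED_KEYS, AUTH_LOGS)
    for fp, targets in report["trust"].items():
        print(f"{fp} ({report['comments'][fp]}) -> {sorted(targets)}")
    for label in ("unrestricted", "unused"):
        print(f"\n{label}:")
        for host, account, fp in sorted(report[label]):
            print(f"  {account}@{host}  {fp}  ({report['comments'][fp]})")
```

Run against real data, the `unused` set is the removal list for the monitoring step, `unrestricted` is the backlog for the command and source restriction step, and `trust` is the who-has-access-to-what map. Keys that are used but only from unexpected source addresses deserve a look too; the `from` address captured in the log match is there for that purpose.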
Secure Shell continues to be the gold standard for data-in-transit security, but the prospect of further threats should urge organisations to take action in improving key management.
Due to mismanagement of these keys, nearly all of the Fortune 500 and many major governments are inadvertently putting themselves at risk. To fully address the issue will take several years and thousands of IT professionals. CISOs, CIOs and enterprise IT risk management must make it a priority to ensure that Secure Shell user keys are properly managed.
Tatu Ylönen is the creator of the secure shell (SSH) protocol, and is CEO and founder of SSH Communications Security. As a researcher, he created SSH to solve a password-sniffing attack which was hitting the networks of the Helsinki University of Technology, and it has now taken the place of older technologies including rlogin, telnet and rsh.