Click here to close now.

Welcome!

Security Authors: Pat Romanski, Jacob Olcott, Adrian Bridgwater, Liz McMillan, Elizabeth White

Related Topics: Security, Java, XML, Microservices Journal, Web 2.0, Cloud Expo

Security: Article

Remediating SSH Key Mismanagement

The Necessary Steps to Secure Your Network

From its origin in 1995, SSH, the secure shell data-in-transit protocol, has been used the world over as a method to transfer data between machines, as well as a tool to provide remote administrator access. Some variation of the protocol is packaged free in every version of Unix, Mac OS and Linux. Recently, its use has grown exponentially in Windows operating systems as well. While the exact number of worldwide SSH deployments is unknown, it is estimated that nearly half of all of the World Wide Web uses SSH, making it a virtually mandatory service in the world of network security.

After nearly two decades of use, SSH has succeeded in securing billions of business transactions without any faults of the protocol itself, demonstrating its dependability as a security solution. On the other hand, the evolution of cyber-threat ability requires that organizations take a careful look at how they manage their SSH environments.

New Threats Requires New Thinking
Organizations rely on SSH to securely transmit immense amounts of sensitive data - such as banking information, healthcare records, classified intelligence and other personally identifiable material. Therefore, to attackers and malicious insiders, SSH is a barrier protecting vital corporate data.

However, because this barrier is inherently unbreakable, attackers must pursue alternate routes around the secure shell; to do this, they must focus instead on the mismanagement of SSH keys.

Network administrators establish a trust-based relationship between a user's computer and server by implementing a cryptographic key pair. The connection is established and managed within the corporation's networking system. Unfortunately, many of these systems are outdated and often cannot search for or pinpoint the location of trust-based relationships. Therefore, the search for keys must be done manually. Given a network often houses keys numbering in the hundreds of thousands, it is too easy to lose track of these trust relationships.

This leads to a disheartening conclusion: if an attacker inside or outside the company walls can discover a key, they can essentially imitate any authorized user and gain access to any sensitive data freely.

Improper management of SSH keys presents a prominent vulnerability available for exploitation by attackers looking to gain access to sensitive information.

A study performed recently on some of the largest corporations in the world produced shocking results deriving from the lack of judgment and knowledge of the importance of key management:

  • Roughly 10 percent of all SSH user keys offer root access, creating a major compliance and security issue
  • Having key-based access grants be essentially permanent leaves the network vulnerable to attack and is in direct violation of SOX, PCI and FISMA requirements for proper termination of access
  • Enterprises rarely know what each key is used for, presenting not only a security risk, but also a business continuity risk
  • Many SSH keys that grant access to critical servers are no longer usable
  • Man-in-the-middle attacks are made simple when organizations share the same SSH host keys across thousands of computers
  • Some organizations permit administrators to create or delete SSH user keys at will - without approvals or control - essentially granting unfettered, permanent access to systems and people
  • Very few organizations ever rotate SSH user keys, or even remove them when a user leaves or an application is decommissioned

Today, advanced threat vectors are very real and are becoming more commonplace. It is more imperative than ever for organizations without proper SSH key management protocols to restructure their approach to key management, or otherwise face serious consequences.

Organizations must also understand that federal compliance standards such as SOX, NIST, PCI and HIPAA all entail huge fines if they do not exercise the utmost control over access to sensitive network information. With 20,000 servers, a typical number for many large organizations, the cost of manual SSH key management is $40 million over ten years. When the reputation damage caused by a security breach is factored in, organizations have a slew of incentives to repair organizational SSH key management practices.

Key Management Practices Must Change
Fortunately, access control issues in secure shell environments are not a result of any vulnerabilities or flaws in the SSH protocol itself. Rather, the security and compliance risks identified are caused by:

  • A reluctance on the part of auditors to flag issues for which they don't have effective answers
  • Insufficient resources and time to dig into the issue to gain understanding or develop answers
  • Years of lack of clear guidelines or policies relating to SSH key management
  • Unintentionally ignoring of the scope and implications of the problem
  • A lack of guidelines and good tools early on for solving key management issues
  • The focus of the access management field on interactive users without addressing automated access

Why then, has this problem remained in the dark, particularly given the possible consequences? Given its complexity, SSH key management has remained buried in the domain of system administrators. System administrators usually don't control the entire IT environment; instead, they only see the area under their immediate jurisdiction. It must also be taken into account that IT administrators are some of the company's busiest employees, and as such, they may not have had time to recognize and investigate the issue. In addition, because managers and executives are disconnected from the problem, and its underlying consequences, no action is taken and the high risk remains present.

Best Practices for Dealing with SSH Key Mismanagement
The process needed to fix the issue involves several teams within IT operations. The possible liability and compliance risks demand the awareness and buy-in from executive management as well.

Some best practices to get rid of the dangers include:

  • Enforcing proper approvals for all key setups
  • Discovering all existing users, public and private keys, and mapping trust between machines and users
  • Restricting where each key has access and what commands can be executed using the key
  • Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured
  • Monitoring the environment to determine which keys are actually used, and removing keys no longer in use
  • Automating key setups and key removals; eliminating manual work and human errors. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators

To further reduce risk, proper key management should involve the establishment of internal boundaries within the organization. The organization should strictly control what key-based trust relationships can cross which boundaries, while enforcing iron-clad IP address and "forced command" restrictions for all authorized keys involving trust relationships crossing such boundaries.

Conclusion
While SSH is widely considered the benchmark for data-in-transit security, the current threat landscape requires organizations to rethink how they are managing access to their encrypted networks. The SSH protocol has done a great job in protecting data-in-transit at a tactical level, but an ever-increasing number of threat vectors means effective management of the SSH environment is critical to secure network operations. Best security practices like the ones identified above will position your enterprise to prepare for security threats and new compliance mandates before they occur.

More Stories By Jason Thompson

Jason Thompson is director of global marketing for SSH Communications Security. He brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, he worked at Q1 Labs where he helped build awareness around security intelligence and holistic approaches dealing with advanced threat vectors. Mr. Thompson holds a BA from Colorado State University and an MA for the University of North Carolina at Wilmington.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Dave will share his insights on how Internet of Things for Enterprises are transforming and making more productive and efficient operations and maintenance (O&M) procedures in the cleantech industry and beyond. Speaker Bio: Dave Landa is chief operating officer of Cybozu Corp (kintone US). Based in the San Francisco Bay Area, Dave has been on the forefront of the Cloud revolution driving strategic business development on the executive teams of multiple leading Software as a Services (SaaS) application providers dating back to 2004. Cybozu's kintone.com is a leading global BYOA (Build Your O...
Health care systems across the globe are under enormous strain, as facilities reach capacity and costs continue to rise. M2M and the Internet of Things have the potential to transform the industry through connected health solutions that can make care more efficient while reducing costs. In fact, Vodafone's annual M2M Barometer Report forecasts M2M applications rising to 57 percent in health care and life sciences by 2016. Lively is one of Vodafone's health care partners, whose solutions enable older adults to live independent lives while staying connected to loved ones. M2M will continue to gr...
With IoT exploding, massive data will transform businesses with opportunities to monetize almost anything that can be measured. In this C-Level Roundtable Discussion at @ThingsExpo, Brendan O’Brien, Aria Systems Co-founder and Chief Evangelist, will lead an expert panel of consultants, thought leaders and practitioners who will look at these new monetization trends, discuss the implications, and detail lessons learned from their collective experience. Finally, the panel will point the way forward for enterprises who wish to leverage the resulting complex recurring revenue models, adding valu...
How is unified communications transforming the way businesses operate? In his session at WebRTC Summit, Arvind Rangarajan, Director of Product Marketing at BroadSoft, will discuss how to extend unified communications experience outside the enterprise through WebRTC. He will also review use cases across different industry verticals. Arvind Rangarajan is Director, Product Marketing at BroadSoft. He has over 19 years of experience in the telecommunications industry in various roles such as Software Development, Product Management and Product Marketing, applied across Wireless, Unified Communic...
SYS-CON Events announced today that Vicom Computer Services, Inc., a provider of technology and service solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. They are located at booth #427. Vicom Computer Services, Inc. is a progressive leader in the technology industry for over 30 years. Headquartered in the NY Metropolitan area. Vicom provides products and services based on today’s requirements around Unified Networks, Cloud Computing strategies, Virtualization around Software defined Data Ce...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to offer disruptive APIs to developers.
The IoT Bootcamp is coming to Cloud Expo | @ThingsExpo on June 9-10 at the Javits Center in New York. Instructor. Registration is now available at http://iotbootcamp.sys-con.com/ Instructor Janakiram MSV previously taught the famously successful Multi-Cloud Bootcamp at Cloud Expo | @ThingsExpo in November in Santa Clara. Now he is expanding the focus to Janakiram is the founder and CTO of Get Cloud Ready Consulting, a niche Cloud Migration and Cloud Operations firm that recently got acquired by Aditi Technologies. He is a Microsoft Regional Director for Hyderabad, India, and one of the f...
SYS-CON Events announced today that SoftLayer, an IBM company, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place June 9-11, 2015 at the Javits Center in New York City, NY, and the 17th International Cloud Expo®, which will take place November 3–5, 2015 at the Santa Clara Convention Center in Santa Clara, CA. SoftLayer operates a global cloud infrastructure platform built for Internet scale. With a global footprint of data centers and network points of presence, SoftLayer provides infrastructure as a service to leading-edge customers ranging from ...
SYS-CON Events announced today that Cisco, the worldwide leader in IT that transforms how people connect, communicate and collaborate, has been named “Gold Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Cisco makes amazing things happen by connecting the unconnected. Cisco has shaped the future of the Internet by becoming the worldwide leader in transforming how people connect, communicate and collaborate. Cisco and our partners are building the platform for the Internet of Everything by connecting the...
SYS-CON Events announced today that Liaison Technologies, a leading provider of data management and integration cloud services and solutions, has been named "Silver Sponsor" of SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York, NY. Liaison Technologies is a recognized market leader in providing cloud-enabled data integration and data management solutions to break down complex information barriers, enabling enterprises to make smarter decisions, faster.
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, phone and digital TV services to consumers primarily in rural areas.
SYS-CON Events announced today that Ciqada will exhibit at SYS-CON's @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Ciqada™ makes it easy to connect your products to the Internet. By integrating key components - hardware, servers, dashboards, and mobile apps - into an easy-to-use, configurable system, your products can quickly and securely join the internet of things. With remote monitoring, control, and alert messaging capability, you will meet your customers' needs of tomorrow - today! Ciqada. Let your products take flight. For more inform...
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY., and the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool f...
SYS-CON Events announced today that GENBAND, a leading developer of real time communications software solutions, has been named “Silver Sponsor” of SYS-CON's WebRTC Summit, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. The GENBAND team will be on hand to demonstrate their newest product, Kandy. Kandy is a communications Platform-as-a-Service (PaaS) that enables companies to seamlessly integrate more human communications into their Web and mobile applications - creating more engaging experiences for their customers and boosting collaboration and productiv...
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
SYS-CON Events announced today that Open Data Centers (ODC), a carrier-neutral colocation provider, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. Open Data Centers is a carrier-neutral data center operator in New Jersey and New York City offering alternative connectivity options for carriers, service providers and enterprise customers.
SYS-CON Events announced today that On the Avenue Marketing Group, a sales and marketing firm that utilizes events to market and sell products to consumers, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. On the Avenue Marketing Group (OTA) is a sales and marketing firm that utilizes events to market and sell products to consumers. On behalf of our clients, we attend thousands of fairs, festivals, expos, concerts, conferences, and sporting events annually, helping them reach millions of individuals ...
SYS-CON Events announced today that BroadSoft, the leading global provider of Unified Communications and Collaboration (UCC) services to operators worldwide, has been named “Gold Sponsor” of SYS-CON's WebRTC Summit, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. BroadSoft is the leading provider of software and services that enable mobile, fixed-line and cable service providers to offer Unified Communications over their Internet Protocol networks. The Company’s core communications platform enables the delivery of a range of enterprise and consumer calling...
SYS-CON Events announced today that ActiveState, the leading independent Cloud Foundry and Docker-based PaaS provider, has been named “Silver Sponsor” of SYS-CON's DevOps Summit New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. ActiveState believes that enterprises gain a competitive advantage when they are able to quickly create, deploy and efficiently manage software solutions that immediately create business value, but they face many challenges that prevent them from doing so. The Company is uniquely positioned to help address these challenges thro...