Protect the Key or Change the Lock: SSH Key Mismanagement in the Network Environment
By Tatu Ylönen, CEO and founder, SSH Communications Security
Imagine a home security company creating dozens of copies of someone’s house keys, occasionally tossing them around the neighborhood and never bothering to change the lock. The only barriers standing in the way of someone leveraging one of these keys to unlock your front door are curiosity, time and a little know-how.
Currently, nearly all major network environments – including those in large enterprises, financial institutions and governments – use a form of SSH to protect data in transit and provide administrators remote-management capabilities. The SSH protocol creates a pair of encryption keys – one key for the user’s machine, and the other key for the server – while simultaneously encrypting the data that is transmitted amongst those two keys. Organizations utilize SSH to encrypt everything from logins to health records, financial data and other personal information.
Even though SSH keys guard highly sensitive information, organizations have been extraordinarily lax when it comes to managing SSH keys within their network environments.
When organizations lose control over the creation and management of keys, they are leaving themselves vulnerable to security breaches and jeopardizing their compliance with federal regulations. This article will assess the magnitude of the problems with SSH key management and discuss how organizations can establish and deploy programs to manage automated access.
SSH key mismanagement has persisted in the IT department, concealed by its technical nature and high volumes of daily use within the organization. System administrators usually oversee their portion of the network and may not understand or appreciate the full landscape of the issue. At the other end of the organization, even if executives and other business managers acknowledge that there is a discrepancy in the network, they are often too busy to explore the scope of the problem.
The mismanagement of SSH keys is as prevalent as it is inconspicuous. Through discussions with major enterprises, governments and financial institutions, we have concluded that on average an organization has anywhere from eight to over 100 SSH keys in its network that grant access to each Unix/Linux server. Some of these keys also provide high-level root access, leaving servers susceptible to “high-risk” insiders. These “insiders,” including anyone who has ever been given server access, can administer these mismanaged SSH keys to gain permanent access to production servers.
Vulnerable Keys Pave the Way for Viruses
The likelihood of such an attack taking place is increases daily. News reports about network breaches are commonplace as attacks become more sophisticated. Leveraging SSH keys as an attack vector for a virus is unassuming, requiring only a few hundred lines of code. Once a virus successfully roots itself, it can use improperly managed SSH keys to permeate throughout the organization.
In fact, key-based access networks are so extensively interconnected that the probability of an organization-wide attack is high. A successful attack can infect virtually every organizational server, especially if the virus uses other attack vectors to elevate privileges to “root” after infiltrating a server. With high volumes of keys being distributed, odds are the virus will infect the entire network in a matter of seconds to minutes, including disaster recovery and backup servers that are usually also managed with such keys.
Under the worst conditions, a virus using numerous attack vectors could quickly extend to the Internet and, combined with destruction technologies, could destroy massive amounts of data.
Insufficient Network Control Leads to Noncompliance
Organizations lacking sufficient SSH key management protocols are not only endangered by security breaches; they become non-compliant with mandatory security regulations and laws. Industry requirements like SOX, FISMA, PCI and HIPAA demand both control and termination over server access. Furthermore, organizations may also be violating internal security policies (in some cases, policies mandated by customers) by not properly managing SSH keys.
The risks described are not a result of any defects or weaknesses in the SSH protocol itself or its most commonly used implementations. Rather, it is a consequence of insufficient guidelines relating to SSH keys, inadequate time and resources devoted to developing solutions, the unknown magnitude of the problem and the indecision of auditors to flag issues that they cannot solve.
It is obvious that SSH key mismanagement cannot be ignored. Without proper control and termination of SSH key-based access to their IT systems and data, most enterprises, government agencies, and healthcare providers are sitting ducks for an attacker.
Integrating Best Practices
Resources (costs of labor, energy and network down-time) devoted to solving network security flaws are expensive and limited. Organizations must first acknowledge problematic network security deficiencies before taking steps to implement a solution. It may take several IT teams to begin a remediation project and will require proper support and authorization within the organization itself.
The core of the remediation project is comprised of multiple steps:
- Automating key setups and key removals; eliminating manual work, human errors and cutting the number of administrators from several hundred to virtually none.
- Controllingwhat commands can be executed using the key and where each key can be used.
- Enforcingproper procedures for all key setups and other key operations.
- Monitoring the environment in order to establish which keys are in use and removing stagnant keys.
- Rotating keys, i.e., altering every authorized key (and corresponding identity keys) regularly, so that any compromised (copied) key ceases to work.
- Unearthing all current trust-relationships (who has access to what).
Almost all Fortune 500 companies and many government agencies continue to operate out of compliance and unknowingly susceptible to security threats from hackers or rogue employees. Fully addressing the issue will take several years and thousands of properly trained people. Chief information officers/information security officers and enterprise IT risk management professionals must make it a priority to guarantee that SSH keys are sufficiently managed in their organizations.
While SSH continues to be the gold-standard for data-in-transit security, current threat landscapes require organizations to take fundamental steps to improve the management of access to their networks.
About the Author:
Tatu Ylönen is the CEO and founder of SSH Communications Security. While working as a researcher at Helsinki University of Technology, Tatu Ylönen began working on a solution to combat a password-sniffing attack that targeted the university’s networks. What resulted was the development of the secure shell (SSH), a security technology that would quickly replace vulnerable rlogin, TELNET and rsh protocols as the gold standard for data-in-transit security.
Tatu has been a key driver in the emergence of security technology, including SSH & SFTP protocols and co-author of globally recognized IETF standards. He has been with SSH since its inception in 1995, holding various roles including CEO, CTO and as a board member.
In October 2011 Tatu returned as chief executive officer of SSH Communications Security, bringing his experience as a network security innovator to SSH’s product line. He is charting an exciting new course for the future of the space that he invented.
Tatu holds a Master of Science degree from the Helsinki University of Technology.