Poor SSH key management an open invitation for malicious threats
Organisations that use Secure Shell (SSH) technologies and keys are doing a poor job of making sure they are secure, even though those keys provide the highest levels of administrative access.
SSH keys often enable ongoing automatic connections from one system to another, often without a second authentication. This results in a persistent trust relationship that can be exploited.
A survey of 100 IT security professionals in the financial services industry revealed a widespread lack of security controls that are routinely untracked, unmanaged and poorly secured, according to research by Venafi.
The research found that 69% of respondents admit they do not actively rotate keys, even after an administrator leaves their organisations. The result is that the former employee could have ongoing privileged access to critical and sensitive systems until the keys are next rotated.
"When I speak to CIOs of many organisations in Australia and New Zealand, they are still largely unaware of the number of SSH keys they have in their organisation due to disparate and manual management systems," comments Venafi APAC regional director Terrie Anderson.
"Awareness of SSH is a specialist area but manual management presents a high level of risk because SSH keys don't expire like SSL certificates. This means the number of available keys explodes over time.
Venafi's senior technical manager Nick Hunter says that cybercriminals can also use compromised SSH keys to get elevated access to servers, conduct their malicious activities – all while remaining undetected.
"In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organisation, creating additional backdoors and setting up beachheads for their operations," he says.
61% of respondents say they do not restrict the number of SSH administrators. Because of this, an unlimited number of users can generate SSH keys across large numbers of systems, Venafi explains.
In addition, 85% of respondents say they do not have a complete or accurate inventory of all SSH keys. Without this information, they cannot know if any key has been stolen, misused or if it is untrustworthy.
31% of respondents also say that SSH entitlements do not feature in their Privileged Access Management policies. These entitlements are rarely audited, leading to undetectable SSH weaknesses that put organisations at risk of cyber attack.
Venafi says that there are best strategies for protecting SSH keys in financial services organisations, and it all starts with a few tips:
- Limit the number and carefully monitor administrators who manage SSH for all systems
- Establish and enforce strict authentication, configuration and usage policies
- Reduce the risk of SSH key compromise with regular rotation and retirement practices
- Scan and monitor SSH-enabled systems for changes and anomalous usage, which can indicate a compromise