
Poor SSH key management an open invitation for malicious threats

14 Dec 2017

Organisations that use Secure Shell (SSH) technologies and keys are doing a poor job of making sure they are secure, even though those keys provide the highest levels of administrative access.

SSH keys often enable ongoing automatic connections from one system to another, frequently without a second authentication. This results in a persistent trust relationship that can be exploited.

A survey of 100 IT security professionals in the financial services industry revealed a widespread lack of security controls for SSH keys, which are routinely untracked, unmanaged and poorly secured, according to research by Venafi.

The research found that 69% of respondents admit they do not actively rotate keys, even after an administrator leaves the organisation. The result is that the former employee could have ongoing privileged access to critical and sensitive systems until the keys are next rotated.

“When I speak to CIOs of many organisations in Australia and New Zealand, they are still largely unaware of the number of SSH keys they have in their organisation due to disparate and manual management systems,” comments Venafi APAC regional director Terrie Anderson.

“Awareness of SSH is a specialist area but manual management presents a high level of risk because SSH keys don’t expire like SSL certificates. This means the number of available keys explodes over time.”

Venafi’s senior technical manager Nick Hunter says that cybercriminals can also use compromised SSH keys to gain elevated access to servers and conduct their malicious activities, all while remaining undetected.

“In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organisation, creating additional backdoors and setting up beachheads for their operations,” he says.

61% of respondents say they do not restrict the number of SSH administrators. Because of this, an unlimited number of users can generate SSH keys across large numbers of systems, Venafi explains.

In addition, 85% of respondents say they do not have a complete or accurate inventory of all SSH keys. Without this information, they cannot know if any key has been stolen, misused or if it is untrustworthy.

31% of respondents also say that SSH entitlements do not feature in their Privileged Access Management policies. These entitlements are rarely audited, leading to undetectable SSH weaknesses that put organisations at risk of cyber attack.

Venafi recommends the following practices for protecting SSH keys in financial services organisations:

  • Limit the number of administrators who manage SSH for all systems, and monitor them carefully
  • Establish and enforce strict authentication, configuration and usage policies
  • Reduce the risk of SSH key compromise with regular rotation and retirement practices
  • Scan and monitor SSH-enabled systems for changes and anomalous usage, which can indicate a compromise
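
The inventory gap and key reuse described above can be checked mechanically. The following is an added example, not code from the article or from Venafi: it parses `authorized_keys` content already collected from each host, fingerprints every key, and reports keys trusted by more than one account and grants with no `from=` source restriction. Host names, accounts and key bytes are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # how the key-type field begins

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line):
    """Return (options, fingerprint, comment); None for blank, comment or too-short lines."""
    line, options = line.strip(), ""
    if not line or line.startswith("#"):
        return None
    if not line.startswith(KEY_PREFIXES):  # leading options field; quoted spaces stay in it
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"' and line[i - 1:i] != "\\":
                quoted = not quoted
            elif ch.isspace() and not quoted:
                options, line = line[:i], line[i:].lstrip()
                break
    fields = line.split(None, 2)
    if len(fields) < 2:
        return None
    return options, fingerprint(fields[1]), "".join(fields[2:])

def build_inventory(files):
    """files maps (host, user) -> authorized_keys text; returns fingerprint -> grants."""
    inventory = defaultdict(list)
    for (host, user), text in files.items():
        for options, fp, comment in filter(None, map(parse_entry, text.splitlines())):
            inventory[fp].append((host, user, options, comment))
    return inventory

def findings(inventory):
    """Keys trusted by more than one account, and grants with no from= restriction."""
    shared = {fp: g for fp, g in inventory.items() if len(g) > 1}
    unrestricted = [(h, u, fp) for fp, g in inventory.items()
                    for h, u, opts, _ in g if "from=" not in opts]  # substring heuristic
    return shared, unrestricted

# Constructed sample: placeholder bytes stand in for key material; hosts/users are invented.
KEY_A, KEY_B = (base64.b64encode(b).decode() for b in (b"constructed-A", b"constructed-B"))
SAMPLE = {
    ("web01", "root"): f"ssh-ed25519 {KEY_A} ops@jump\n",
    ("db01", "root"): f'# backups\nfrom="10.0.0.5",command="/opt/backup --full" ssh-ed25519 '
                      f"{KEY_B} backup\nssh-ed25519 {KEY_A} ops@jump\n",
    ("db02", "deploy"): f"ssh-ed25519 {KEY_A} former-admin\n",
}
```

Calling `findings(build_inventory(SAMPLE))` shows the first key trusted by three accounts across three hosts, all without a source restriction, which is the kind of entry that rotation and retirement should target first.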
