Poor SSH key management an open invitation for malicious threats

14 Dec 17

Organisations that use Secure Shell (SSH) technologies and keys are doing a poor job of making sure they are secure, even though those keys provide the highest levels of administrative access.

SSH keys often enable ongoing automatic connections from one system to another, often without a second authentication. This results in a persistent trust relationship that can be exploited.

A survey of 100 IT security professionals in the financial services industry revealed a widespread lack of security controls for SSH keys, which are routinely untracked, unmanaged and poorly secured, according to research by Venafi.

The research found that 69% of respondents admit they do not actively rotate keys, even after an administrator leaves their organisation. The result is that the former employee could have ongoing privileged access to critical and sensitive systems until the keys are next rotated.

“When I speak to CIOs of many organisations in Australia and New Zealand, they are still largely unaware of the number of SSH keys they have in their organisation due to disparate and manual management systems,” comments Venafi APAC regional director Terrie Anderson.

“Awareness of SSH is a specialist area but manual management presents a high level of risk because SSH keys don’t expire like SSL certificates. This means the number of available keys explodes over time.”

Venafi’s senior technical manager Nick Hunter says that cybercriminals can also use compromised SSH keys to gain elevated access to servers and conduct their malicious activities, all while remaining undetected.

“In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organisation, creating additional backdoors and setting up beachheads for their operations,” he says.

61% of respondents say they do not restrict the number of SSH administrators. Because of this, an unlimited number of users can generate SSH keys across large numbers of systems, Venafi explains.

In addition, 85% of respondents say they do not have a complete or accurate inventory of all SSH keys. Without this information, they cannot know if any key has been stolen, misused or if it is untrustworthy.

31% of respondents also say that SSH entitlements do not feature in their Privileged Access Management policies. These entitlements are rarely audited, leading to undetectable SSH weaknesses that put organisations at risk of cyber attack.

Venafi recommends several strategies for protecting SSH keys in financial services organisations, starting with a few tips:

  • Limit the number of administrators who manage SSH for all systems, and monitor them carefully
  • Establish and enforce strict authentication, configuration and usage policies
  • Reduce the risk of SSH key compromise with regular rotation and retirement practices
  • Scan and monitor SSH-enabled systems for changes and anomalous usage, which can indicate a compromise
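
An inventory check of the kind these tips point to, as an added example (not from Venafi or the original article): it fingerprints every entry in collected `authorized_keys` files, then reports keys trusted on more than one host and entries with no `from=`/`command=` restrictions. The host names, keys and the way the files are gathered are assumptions; the sample data is constructed.

```python
import base64, hashlib, re, struct
from collections import defaultdict

# Key type followed by its base64 blob; anything before it on the line is options.
KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/]+=*)')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, options, comment) for each key entry."""
    for line in map(str.strip, text.splitlines()):
        m = None if line.startswith("#") else KEY_RE.search(line)
        if not m:
            continue  # blank line, comment, or not a key entry
        try:
            yield fingerprint(m.group(2)), line[:m.start()].strip(), line[m.end():].strip()
        except ValueError:
            continue  # malformed base64: skip rather than abort the scan

def build_inventory(files):
    """Map fingerprint -> [(host, options, comment), ...] across all hosts."""
    inventory = defaultdict(list)
    for host, text in files.items():
        for fp, options, comment in parse_authorized_keys(text):
            inventory[fp].append((host, options, comment))
    return inventory

def shared_keys(inventory):
    """Keys trusted on more than one host: rotating one means touching all."""
    hosts = {fp: sorted({h for h, _, _ in uses}) for fp, uses in inventory.items()}
    return {fp: hs for fp, hs in hosts.items() if len(hs) > 1}

def unrestricted(inventory):
    """(host, fingerprint) pairs whose entry carries no options at all."""
    return sorted((h, fp) for fp, uses in inventory.items() for h, opts, _ in uses if not opts)

def sample_key(seed):
    # Constructed, well-formed ssh-ed25519 public-key blob; not a real key.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE = {  # constructed authorized_keys contents for three hypothetical hosts
    "db01": sample_key(b"ops") + " ops@jump\n"
            + 'from="10.0.0.5",command="/opt/backup --all" ' + sample_key(b"bkp") + " backup\n",
    "web01": "# deploy keys\n" + sample_key(b"ops") + " ops@jump\n",
    "web02": sample_key(b"ops") + " former-admin\n",
}
```

Running `shared_keys(build_inventory(SAMPLE))` shows the one key that all three hosts trust, which is the entry to rotate first when its owner leaves.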
