A study conducted by Gartner found that 90 percent of organizations that experience a large loss of data will shut down within two years of the incident. With a statistic like this, it’s clear a strong need for secure data transmission exists. For almost two decades, organizations have been using the Secure Shell data-in-transit protocol to safely transfer information between devices. Up to 50 percent of websites worldwide employ some kind of Secure Shell protocol. Linux, Unix and Mac OS all ship with the protocol, and adoption on Windows devices is increasing. A definitive count of implementations around the world is not possible, but the number is believed to exceed a million, making the protocol universally accepted.
Over the past 17 years, the Secure Shell protocol has cemented its position as the premier encrypted data transmission standard. In spite of handling billions of business transactions, the protocol has never experienced a major security problem caused by the protocol itself. However, significant problems have arisen from misuse. Regardless of the protocol’s proven track record, the constantly evolving world of cyber threats requires organizations to reconsider their own internal Secure Shell procedures.
Looking Out On the New Threat Horizon
Typically, Secure Shell has been used to securely transmit large amounts of important business data, such as credit card numbers, personally identifiable information, healthcare records and classified information. From the perspective of an attacker, or malicious insider, Secure Shell is a treasure chest full of information gold.
But if the protocol itself is secure, how could a ne’er-do-well gain permission to access such important information believed to be properly guarded? In this case, the keys are key.
When two devices connect over the Secure Shell protocol, a trust relationship is formed between the client computer and the server. These trust relationships are created and managed internally, sometimes on systems dating back to the mid-1990s. Few, if any, of these systems have the ability or means to discover where a trust relationship within the organization originated or where it currently exists, so tracking keys must be done manually. In a network with possibly thousands of keys, a key is bound to be lost. If a malicious user, internal or external, gains access to one of these keys, he or she can impersonate an authorized user freely and easily.
Consequently, the mishandling of Secure Shell keys creates a situation that can be easily exploited by attackers. A study was performed on the management operations of some of the largest organizations in the world and a few unsettling trends appeared:
* Some organizations permit administrators to create or delete user keys at will – without approvals or control – essentially granting unfettered, permanent access to systems and people
* Organizations rarely know what each key is used for, presenting not only a risk to security, but also to business continuity
* Key-based access grants are essentially permanent, a direct violation of SOX, PCI and FISMA requirements for proper termination of access, which leaves the network vulnerable to attack
* One in ten user keys provides root access, which creates security and compliance issues
* Sharing of Secure Shell host keys across thousands of computers allows for man-in-the-middle attacks
* Many keys that allow access to important servers have been abandoned and are no longer in use
* Few organizations ever change user keys or remove them when a user leaves or an application is decommissioned.
Considering how quickly security threats are evolving, organizations without proper Secure Shell key management are at serious risk of having their data compromised. The greater the variance from a best practices approach to key management, the greater the risk to the organization.
In addition to the security problems of Secure Shell key mismanagement, organizations need to be aware of federal compliance standards like PCI, SOX, NIST and HIPAA that require organizations to maintain a high level of control over access to important network information, or face costly fines. Beyond fines, organizations also face severe economic consequences for key mismanagement. The average major organization has 20,000 servers or more, which creates a cost of $40 million over ten years for manual Secure Shell key management. Including the significant reputation damage caused by a security breach, organizations are looking at a list of reasons to fix their key management practices.
Improving Key Management Strategies
Problems with access control in Secure Shell environments are not the fault of the protocol itself. Rather, the security and compliance risks identified are caused by:
* A lack of useful tools and guidelines for solving early key management issues
* Poor understanding of the span and consequences of the problem
* Focusing on interactive users without addressing automated access
* Lack of time and resources to identify and resolve the problem
* A reluctance on the part of auditors to flag issues for which they don’t have effective solutions
One wonders why this issue of key mismanagement has not come to light sooner, considering the consequences of a security breach. The reason is that Secure Shell key management is a very technical problem, and it has remained hidden in the domain of system administrators. Since each system administrator usually sees only one part of the IT landscape, none of them has the full picture. Administrators are typically so busy that they may not even recognize there is a problem. Coupled with the fact that management may be several steps removed from the problem, the end result is that no action is taken.
Nevertheless, the risk remains.
Tactics To Improve Secure Shell Key Management
Since the vulnerability is typically found in all Unix/Linux servers and many Windows servers, multiple teams with IT backgrounds will be needed to fix the problem. Also, the possible liability and compliance issues that accompany key mismanagement require awareness and buy-in from executive management as well.
Some helpful tactics to fix the problem are:
* Discovering all existing users, public and private keys, and mapping trust between machines and users
* Monitoring the environment to determine which keys are actually used and removing keys no longer in use
* Enforcing proper approvals for all key setups
* Automating key setups and key removals, eliminating manual work and human error. This step slashes the number of administrators needed for key setups from possibly several hundred to only a few highly trusted administrators
* Rotating keys regularly, so that copied keys cease to work and proper termination of access can be ensured
* Restricting where each key has access and what commands can be executed using the key
Most people would not feel secure if they did not know who else had a key to their house. The same question applies to organizations without correct key management practices. Proper key management requires the establishment of internal boundaries within the organization and is necessary to decrease potential risk. Organizations should closely manage which key-based trust relationships can cross which boundaries. Furthermore, organizations should enforce iron-clad IP address and “forced command” restrictions for all authorized keys spanning such boundaries.
Although the Secure Shell protocol is considered the standard for data-in-transit security, the ever-changing world of cyber threats requires organizations to change how access to encrypted networks is governed. Despite the Secure Shell protocol doing an excellent job of protecting data in transit at a tactical level, the constant increase in the number of threat vectors means that effective management of the key environment is necessary for secure network operations. Following the best practices listed above will help your organization combat security threats before they even happen.
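The discovery and restriction tactics above (mapping which keys grant access to which machines and accounts, and checking for IP address and forced-command restrictions) can be started with a small audit script. The following is an added example, not code from the original article or from SSH Communications Security; it assumes the authorized_keys contents have already been collected from each server into a host-to-account inventory, and it uses constructed placeholder key blobs rather than real keys.

```python
import re

# Constructed inventory (placeholder blobs, not real keys): host -> account -> authorized_keys lines
HOSTS = {
    "db01": {"root": ['from="10.0.5.20",command="/usr/local/bin/backup.sh db01,db02",no-pty ssh-ed25519 AAAAC3PLACEHOLDER1 backup@batch01',
                      "ssh-rsa AAAAB3PLACEHOLDER2 alice@laptop"],
             "app": ["ssh-ed25519 AAAAC3PLACEHOLDER3 bob-left-company"]},
    "web01": {"root": ["ssh-rsa AAAAB3PLACEHOLDER2 alice@laptop"]},
}
# optional options field, key type, base64 blob, optional comment (quoted options may contain spaces)
KEY_RE = re.compile(r"^(?:(?P<opts>.*?)\s+)?(?P<ktype>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
                    r"\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$")

def split_options(opts):
    """Split the options field on commas outside double quotes (a comma inside command="..." is data)."""
    items, cur, quoted = [], "", False
    for ch in opts:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            items, cur = items + [cur], ""
        else:
            cur += ch
    return items + [cur] if cur else items

def parse_line(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.match(line)
    if not m:
        raise ValueError("unparseable authorized_keys line: " + line)
    names = {o.split("=", 1)[0] for o in split_options(m.group("opts") or "")}
    return {"ktype": m.group("ktype"), "blob": m.group("blob"), "comment": m.group("comment") or "", "options": names}

def audit(hosts):
    """Group keys by blob; flag root access, multi-host reach and missing from=/command= restrictions."""
    by_key = {}
    for host, accounts in hosts.items():
        for account, lines in accounts.items():
            for entry in filter(None, map(parse_line, lines)):
                by_key.setdefault(entry["blob"], []).append((host, account, entry["options"]))
    report = {}
    for blob, uses in by_key.items():
        flags = {"root-access" for _, acct, _ in uses if acct == "root"}
        flags |= {"multi-host"} if len({h for h, _, _ in uses}) > 1 else set()
        for _, _, opts in uses:
            flags |= {f"no-{n}-restriction" for n in ("from", "command") if n not in opts}
        report[blob] = {"grants": sorted((h, a) for h, a, _ in uses), "flags": sorted(flags)}
    return report
```

Running audit(HOSTS) shows the shared, unrestricted root key reaching both hosts, while the backup key passes because it is pinned to a source address and a forced command.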
About the Author:
Jason Thompson is director of global marketing for SSH Communications Security. Mr Thompson brings more than 12 years of experience launching new, innovative solutions across a number of industry verticals. Prior to joining SSH, Mr Thompson worked at Q1 Labs, where he helped build awareness around security intelligence and holistic approaches to dealing with advanced threat vectors. Mr Thompson holds a BA from Colorado State University and an MA from the University of North Carolina at Wilmington.