
Poor SSH key management an open invitation for malicious threats

14 Dec 2017

Organisations that use Secure Shell (SSH) technologies and keys are doing a poor job of making sure they are secure, even though those keys provide the highest levels of administrative access.

SSH keys often enable ongoing automatic connections from one system to another, often without a second authentication. This results in a persistent trust relationship that can be exploited.

A survey of 100 IT security professionals in the financial services industry revealed a widespread lack of SSH security controls, with keys routinely untracked, unmanaged and poorly secured, according to research by Venafi.

The research found that 69% of respondents admit they do not actively rotate keys, even after an administrator leaves their organisation. As a result, a former employee could retain privileged access to critical and sensitive systems until the keys are next rotated.

“When I speak to CIOs of many organisations in Australia and New Zealand, they are still largely unaware of the number of SSH keys they have in their organisation due to disparate and manual management systems,” comments Venafi APAC regional director Terrie Anderson.

“Awareness of SSH is a specialist area but manual management presents a high level of risk because SSH keys don’t expire like SSL certificates. This means the number of available keys explodes over time.”

Venafi’s senior technical manager Nick Hunter says that cybercriminals can also use compromised SSH keys to get elevated access to servers and conduct their malicious activities, all while remaining undetected.

“In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organisation, creating additional backdoors and setting up beachheads for their operations,” he says.

61% of respondents say they do not restrict the number of SSH administrators. Because of this, an unlimited number of users can generate SSH keys across large numbers of systems, Venafi explains.

In addition, 85% of respondents say they do not have a complete or accurate inventory of all SSH keys. Without this information, they cannot know if any key has been stolen, misused or if it is untrustworthy.

31% of respondents also say that SSH entitlements do not feature in their Privileged Access Management policies. These entitlements are rarely audited, leading to undetectable SSH weaknesses that put organisations at risk of cyber attack.

Venafi says that the best strategies for protecting SSH keys in financial services organisations start with a few tips:

  • Limit the number and carefully monitor administrators who manage SSH for all systems
  • Establish and enforce strict authentication, configuration and usage policies
  • Reduce the risk of SSH key compromise with regular rotation and retirement practices
  • Scan and monitor SSH-enabled systems for changes and anomalous usage, which can indicate a compromise
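
An inventory of the kind these tips depend on, as an added example that is not from Venafi or the original article: it fingerprints every `authorized_keys` entry, then reports keys trusted on more than one host and keys with no `from=`, `command=` or `restrict` option. The host names, accounts and key blobs are constructed sample data, and the `max_hosts` threshold is an assumption.

```python
import base64, hashlib, re
from collections import defaultdict

# [options] keytype base64-blob [comment]; options may contain quoted spaces
ENTRY = re.compile(
    r'^(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
    r'(?P<type>(?:ssh|ecdsa|sk)-\S+)\s+(?P<blob>[A-Za-z0-9+/]+=*)(?:\s+(?P<comment>.*))?$')
LIMITS = re.compile(r'(?:^|,)(?:from=|command=|restrict\b)')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def build_inventory(files):
    """files: {(host, account): authorized_keys text} -> {fingerprint: [entries]}."""
    inventory = defaultdict(list)
    for (host, account), text in files.items():
        for line in map(str.strip, text.splitlines()):
            m = None if line.startswith("#") else ENTRY.match(line)
            if not m:
                continue  # blank, comment or unparseable line
            inventory[fingerprint(m["blob"])].append({
                "host": host, "account": account, "comment": m["comment"] or "",
                "restricted": bool(LIMITS.search(m["opts"] or ""))})
    return dict(inventory)

def findings(inventory, max_hosts=1):
    """Return (keys trusted on more than max_hosts hosts, keys with an unrestricted entry)."""
    shared = {}
    for fp, entries in inventory.items():
        hosts = sorted({e["host"] for e in entries})
        if len(hosts) > max_hosts:
            shared[fp] = hosts
    unrestricted = sorted(fp for fp, es in inventory.items()
                          if any(not e["restricted"] for e in es))
    return shared, unrestricted

def sample_blob(n):
    """Constructed placeholder ed25519 public key blob (not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([n]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = {  # constructed hosts, accounts and keys
    ("db01", "root"): f"ssh-ed25519 {sample_blob(1)} alice@laptop\n",
    ("web01", "deploy"): f"# deploy keys\nssh-ed25519 {sample_blob(1)} alice@laptop\n"
        f'command="/usr/local/bin/backup --all",from="10.0.0.5" '
        f"ssh-ed25519 {sample_blob(2)} backup@ops\n",
}
```

Calling `findings(build_inventory(SAMPLE))` reports the first sample key as both shared across `db01` and `web01` and unrestricted; comparing successive inventories is what surfaces newly added or never-rotated keys.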
