
Poor SSH key management an open invitation for malicious threats

14 Dec 17

Organisations that use Secure Shell (SSH) technologies and keys are doing a poor job of making sure they are secure, even though those keys provide the highest levels of administrative access.

SSH keys often enable ongoing automatic connections from one system to another, often without a second authentication. This results in a persistent trust relationship that can be exploited.

A survey of 100 IT security professionals in the financial services industry revealed a widespread lack of security controls, with SSH keys routinely untracked, unmanaged and poorly secured, according to research by Venafi.

The research found that 69% of respondents admit they do not actively rotate keys, even after an administrator leaves the organisation. The result is that a former employee could have ongoing privileged access to critical and sensitive systems until the keys are next rotated.

“When I speak to CIOs of many organisations in Australia and New Zealand, they are still largely unaware of the number of SSH keys they have in their organisation due to disparate and manual management systems,” comments Venafi APAC regional director Terrie Anderson.

“Awareness of SSH is a specialist area but manual management presents a high level of risk because SSH keys don’t expire like SSL certificates. This means the number of available keys explodes over time.”

Venafi’s senior technical manager Nick Hunter says that cybercriminals can also use compromised SSH keys to get elevated access to servers and conduct their malicious activities, all while remaining undetected.

“In addition, they know that a single SSH key will often be copied across hundreds or thousands of systems. Cybercriminals can use compromised keys to move throughout a financial services organisation, creating additional backdoors and setting up beachheads for their operations,” he says.

61% of respondents say they do not restrict the number of SSH administrators. Because of this, an unlimited number of users can generate SSH keys across large numbers of systems, Venafi explains.

In addition, 85% of respondents say they do not have a complete or accurate inventory of all SSH keys. Without this information, they cannot know if any key has been stolen, misused or if it is untrustworthy.

31% of respondents also say that SSH entitlements do not feature in their Privileged Access Management policies. These entitlements are rarely audited, leading to undetectable SSH weaknesses that put organisations at risk of cyber attack.

Venafi offers a few tips as a starting point for protecting SSH keys in financial services organisations:

  • Limit the number of administrators who manage SSH for all systems, and monitor them carefully
  • Establish and enforce strict authentication, configuration and usage policies
  • Reduce the risk of SSH key compromise with regular rotation and retirement practices
  • Scan and monitor SSH-enabled systems for changes and anomalous usage, which can indicate a compromise

