10 December 2015 - The National Institute on Standards & Technology (NIST) published the report: "Security of Interactive and Automated Access Management Using Secure Shell (SSH)". This report, written with Venafi, the immune system for the Internet, is intended to make companies more aware of the major risks related to the use of SSH certificates. It also contains practical guidelines for better protection against certificate abuse.
Three-quarters Global 2000 organizations do not have SSH protection
Research by Venafi and the Ponemon Institute shows that 3 of the 4 Global 2000 organizations do not have a security solution for SSH. As a result, the door may be open for root-level access and information theft by cyber criminals. Furthermore, almost half of all companies surveyed never change the used SSH keys. If they are stolen and misused, criminals can take over their networks, servers and cloud environments.
Examples of SSH abuse
In 2014, Kapersky Labs unveiled The Mask (Careto) operation. It became clear that criminals from Spain used multiple APT-style attacks for seven years to steal information from governments and companies. This group focused mainly on SSH keys for authenticating administrators, servers, virtual machines and cloud services.
In June 2015, Cisco announced that they had standard SSH keys on three security devices. As a result, customers run the risk of unauthorized remote users intercepting traffic or gaining access to critical systems with root privileges.
Most common SSH vulnerabilities
The NIST report shows that the following SSH vulnerabilities occur regularly:
Weak SSH implementations
Incorrectly configured access rights
Stolen, leaked, counterfeit and non-terminated SSH keys
Backdoors (uncontrolled user keys)
Unintentional use of keys
Lack of knowledge and human errors
Five advice for managing SSH keys
1. Define policies and processes for the entire lifecycle of SSH keys. Configuring access to an account for interactive users and automated processes must be a conscious decision. The balance between access needs and risks must be carefully weighed, including the access level.
2. Create processes for continuous monitoring and auditing, to verify that processes for issuance, management and termination are actually applied and discover unauthorized or misconfigured SSH keys.
3. Identify and clean up existing SSH servers, keys and trusts. Old keys represent a greater risk and make a risk analysis more complex if they are not understood. That is why it is recommended to make a complete inventory of all SSH keys (location and application) and the trusts based on them, in order to be able to weigh these against the defined policies.
4. Automate processes. Automating the management processes for SSH keys makes an important contribution to improving security, efficiency and availability.
5. Train the management. Most managers are not aware of the crucial role played by SSH keys in the daily use of critical infrastructures and systems and the possible consequences of abuse. Without training security and business managers, initiatives to improve the management of SSH keys derail through other priorities. As a result, organizations remain vulnerable.
Worst case scenarios
"Abuse of an encryption technique or SSH key are among the worst case scenarios that companies can experience, " said Kevin Bocek, Vice President of Security Strategy & Threath Intelligence at Venafi. "If an attacker gets root-level access, they can take over entire networks and systems and abuse them for any purpose. At Venafi we advise clients to protect and monitor SSH keys for more than ten years. That is why we were happy to contribute to this valuable report, to inform security professionals about the risks related to unprotected SSH keys and to advise on possible improvements. "
Policies and processes
"Because SSH plays such an important role in securing and administering the automated access to different systems in organizations of all sizes, the policies and processes are critical, " says Matthew Scholl, chief of the National Institute of Standards & Technology computer security division. "But also regular security checks for the correct management of all used SSH keys and their settings". "Many IT and security professionals are insufficiently aware that SSH keys can provide root-level access and never expire, " adds Bocek. "As soon as an attacker has stolen such an SSH key, a back door will be opened for eternity. That is why it is so important that organizations take action quickly to better protect their SSH keys on the basis of the NIST guideline. "
Venafi is the supplier of the Immune System for the Internet ™, for securing encryption keys and digital certificates, which form the foundation of cybersecurity. This prevents them from being stolen by criminals and used for attacks. In today's digital world, criminals want to steal keys and certificates to create a trusted status and not be discovered for as long as possible. Most security systems blindly trust keys and certificates, allowing criminals to use them to hide in encrypted traffic, redirect websites, install malware and steal information. With the immune system for the Internet, Venafi patrols the network of organizations, on equipment, behind the firewall and the entire Internet, to monitor which SSL / TLS, SSH, WiFi, VPN and mobile keys and certificates are trustworthy. These are automatically protected or repaired while they block untrusted certificates.