industry wire

NIST report with guidelines for protection against SSH key abuse

10 December 2015 - The National Institute of Standards and Technology (NIST) has published the report "Security of Interactive and Automated Access Management Using Secure Shell (SSH)" (NISTIR 7966). The report, written with contributions from Venafi, is intended to make organizations more aware of the major risks attached to the use of SSH keys, and it contains practical guidelines for better protection against key abuse.

Three-quarters of Global 2000 organizations have no SSH protection

Research by Venafi and the Ponemon Institute shows that three out of four Global 2000 organizations have no security solution for SSH. That leaves the door open to root-level access and data theft by cyber criminals. Moreover, almost half of the companies surveyed never rotate the SSH keys they use: if those keys are stolen and misused, criminals can take over their networks, servers and cloud environments.

Examples of SSH key abuse

  • In 2014, Kaspersky Lab uncovered The Mask (Careto) operation: a Spanish-speaking group had run APT-style attacks for some seven years to steal information from governments and companies. Among the group's main targets were the SSH keys used to authenticate administrators, servers, virtual machines and cloud services.

  • In June 2015, Cisco announced that three of its security appliances shipped with the same default SSH keys on every installation. Anyone holding a copy of those keys could impersonate an appliance to intercept traffic, or log in to it with root privileges.

Most common SSH vulnerabilities

The NIST report lists the following SSH weaknesses as ones that occur regularly:

  • Weak SSH implementations

  • Incorrectly configured access rights

  • Stolen, leaked, counterfeit and never-revoked SSH keys

  • Backdoors (uncontrolled user keys)

  • Keys used for purposes other than the one they were issued for

  • Pivoting (using the keys found on a compromised host to reach further hosts)

  • Lack of knowledge and human errors

Five recommendations for managing SSH keys

1. Define policies and processes covering the entire lifecycle of SSH keys. Granting an interactive user or an automated process access to an account must be a deliberate decision, in which the need for access is weighed against the risk, including the privilege level that is granted.

2. Set up continuous monitoring and auditing to verify that the processes for issuing, managing and terminating keys are actually followed, and to discover unauthorized or misconfigured SSH keys.

3. Identify and clean up existing SSH servers, keys and trust relationships. Old keys that nobody understands are a greater risk and make risk analysis harder. Make a complete inventory of all SSH keys (where they are installed and what they are used for) and of the trust relationships they create, so that each can be checked against the defined policy.

4. Automate. Automating the SSH key management processes improves security, efficiency and availability.

5. Train management. Most managers are unaware of the crucial role SSH keys play in the daily operation of critical infrastructure and systems, or of the consequences of their abuse. Without training for security and business managers, initiatives to improve SSH key management are derailed by other priorities, and organizations remain vulnerable.
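The inventory and audit steps above (recommendations 2 and 3), and the weaknesses listed earlier (unaudited user keys, unrestricted root trusts, one key reused across hosts as in the Cisco case), can be checked mechanically once the authorized_keys files have been collected from each host. The script below is an added example, not code from the NIST report or from Venafi. It parses authorized_keys entries, computes the SHA256 fingerprint in the format `ssh-keygen -lf` prints, builds a map of which accounts trust which key, and reports entries that a key policy would normally forbid or review. The inventory, the host and user names, and the key bytes are all constructed inline for the example; the keys are fixed byte patterns, not real keys.

```python
"""Added example: inventory and audit authorized_keys trusts across hosts."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pub: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key built from 32 raw bytes.
    Used only to fabricate sample keys for this example (not real keys)."""
    assert len(pub) == 32
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(text: str) -> list:
    """Split the options field on commas that are not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for c in text:
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line: str):
    """Parse one authorized_keys line: None for blank/comment, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Leading options field: it ends at the first whitespace outside double quotes.
        i, in_quote = 0, False
        while i < len(line):
            c = line[i]
            if c == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, line = split_options(line[:i]), line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised key type in: {line!r}")
    key_type, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        embedded = raw[4:4 + n].decode("ascii")  # the blob's first string is its type
    except (ValueError, struct.error):
        raise ValueError(f"undecodable key blob for {key_type}")
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob encodes {embedded!r}")
    return {"options": options, "type": key_type,
            "fingerprint": fingerprint(blob),
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(inventory: dict):
    """inventory maps (host, user) -> authorized_keys text. Returns (trust_map,
    findings): trust_map maps fingerprint -> set of (host, user) accounts that
    trust the key; findings are (severity, host, user, fingerprint, message)."""
    trust_map, findings = defaultdict(set), []
    for (host, user), text in inventory.items():
        for line in text.splitlines():
            try:
                entry = parse_line(line)
            except ValueError as err:
                findings.append(("high", host, user, None, f"malformed entry: {err}"))
                continue
            if entry is None:
                continue
            fp = entry["fingerprint"]
            trust_map[fp].add((host, user))
            names = {o.split("=", 1)[0] for o in entry["options"]}
            if entry["type"] == "ssh-dss":
                findings.append(("high", host, user, fp, "DSA key: weak, off by default in OpenSSH 7.0+"))
            if "from" not in names:
                findings.append(("medium", host, user, fp, "no from= option: usable from any address"))
            if not names & {"command", "restrict"}:
                sev = "high" if user == "root" else "medium"
                findings.append((sev, host, user, fp, f"unrestricted shell access as {user}"))
            if not entry["comment"]:
                findings.append(("low", host, user, fp, "no comment: owner not identifiable"))
    for fp, places in trust_map.items():
        if len(places) > 1:
            findings.append(("medium", "*", "*", fp, f"one key trusted by {sorted(places)}"))
    return dict(trust_map), findings


# Constructed sample inventory (hypothetical hosts; key bytes are fixed patterns).
ALICE = make_ed25519_blob(bytes(range(32)))
BACKUP = make_ed25519_blob(bytes(range(32, 64)))
SHARED = make_ed25519_blob(bytes(range(64, 96)))  # same key on several hosts, like a vendor default
SAMPLE_INVENTORY = {
    ("web1", "root"): (f"ssh-ed25519 {ALICE} alice@laptop\n"
                       f'from="10.0.5.0/24",command="/usr/local/bin/backup --pull",no-pty '
                       f"ssh-ed25519 {BACKUP} backup@bastion\n"),
    ("web2", "root"): f"ssh-ed25519 {SHARED}\n",
    ("db1", "postgres"): ("# legacy entry, owner unknown\n"
                          f"ssh-ed25519 {SHARED}\n"
                          f"ssh-rsa {ALICE} hand-edited\n"),  # declared RSA, blob is ed25519
}

if __name__ == "__main__":
    trust_map, findings = audit(SAMPLE_INVENTORY)
    for fp, places in trust_map.items():
        print(fp, "trusted by", sorted(places))
    for f in sorted(findings, key=lambda f: ("high", "medium", "low").index(f[0])):
        print(*f)
```

On a real estate the `inventory` dict would be filled by collecting `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) from every host; the fingerprints it produces can be compared directly against `ssh-keygen -lf` output and against the list of keys the policy in recommendation 1 actually authorizes. Cross-host duplicates are the finding to look at first: a key that several unrelated accounts trust is either a shared service key that needs a `command=` restriction, or a default key nobody issued.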

Worst case scenarios

"Abuse of an encryption technique or an SSH key is among the worst-case scenarios a company can experience," said Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi. "If an attacker gets root-level access, they can take over entire networks and systems and abuse them for any purpose. At Venafi we have been advising clients to protect and monitor SSH keys for more than ten years. That is why we were happy to contribute to this valuable report, to inform security professionals about the risks of unprotected SSH keys and to advise on possible improvements."

Policies and processes

"Because SSH plays such an important role in securing and administering automated access to many systems in organizations of all sizes, policies and processes are critical," says Matthew Scholl, chief of the Computer Security Division at the National Institute of Standards and Technology, "as are regular security checks on the correct management of all SSH keys in use and their settings." "Many IT and security professionals are insufficiently aware that SSH keys can provide root-level access and never expire," adds Bocek. "Once an attacker has stolen such an SSH key, a back door is open for eternity. That is why it is so important that organizations act quickly to better protect their SSH keys on the basis of the NIST guideline."

About Venafi

Venafi is the supplier of the Immune System for the Internet™, which secures the encryption keys and digital certificates that form the foundation of cybersecurity, so that they cannot be stolen by criminals and used for attacks. In today's digital world, criminals steal keys and certificates to gain trusted status and stay undetected for as long as possible. Most security systems blindly trust keys and certificates, which lets criminals use them to hide in encrypted traffic, redirect websites, install malware and steal information. With the Immune System for the Internet, Venafi patrols an organization's network, its devices, the environment behind the firewall and the wider Internet, to determine which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trustworthy; trusted ones are automatically protected or repaired, while untrusted certificates are blocked.
