Poorly managed SSH keys pose serious risks for most companies

Three in four have no processes for managing keys that provide access to critical servers

Many companies are dangerously exposed to threats like the recently revealed Mask Advanced Persistent Threat because they don't properly manage the Secure Shell (SSH) cryptographic keys used to authenticate access to critical internal systems and services.

A Ponemon Institute survey of more than 2,100 systems administrators at Global 2000 companies discovered that three out of four enterprises are vulnerable to root-level attacks against their systems because of their failure to secure SSH keys.

Even though more than half of the surveyed enterprises had suffered SSH-key related compromises, 53% said they still had no centralized control over the keys and 60% said they had no way to detect new keys introduced in the organizations. About 46% said they never change or rotate SSH keys -- even though the keys never expire.

Those findings reveal a significant gap in enterprise security controls, said Larry Ponemon, founder and CEO of the Ponemon Institute. "It's hard to believe that companies allow themselves to be so insecure," he said. "This doesn't appear to be a situation where this vulnerability has to even be a vulnerability."

SSH keys allow administrators to log in to and operate a system remotely via a secure encrypted tunnel. Administrators use such keys to authenticate access to critical database systems, application servers, cloud systems and security systems. SSH keys are also used to authenticate machines running automated processes and services and to protect data in transit.

SSH keys never expire, meaning that once a key is used to authenticate access to a system, the same key can be used in perpetuity unless it is changed. A hacker who acquires an unsecured SSH key can use it to gain access to the server or service to which it is attached and then use that access to try to find more keys for jumping onto other systems in a network.

Because SSH keys provide administrator-level, fully encrypted access to enterprise systems, any compromise of the keys could allow an attacker to gain complete control of a system while they remain hidden from view.

SSH uses an encryption key pair to enable a secure connection between two systems. One key is for the server and the other for the client device that wants access to the server. An organization might have numerous SSH keys with access to a single server.

Large enterprises can have tens of thousands of SSH keys on their network -- most of which are poorly managed, said Kevin Bocek, vice president of product marketing and threat research at security vendor Venafi, which commissioned the Ponemon survey.

Companies often have little knowledge about the presence of such keys on their networks and therefore do little to manage them.

"SSH is really critical as a root-level access [tool]," Bocek said. "It is an encrypted channel that goes around traditional host protections."

By stealing SSH keys, attackers like those behind The Mask APT can impersonate admins, snoop around and take complete control of a target's network without being detected, he said. There are signs that National Security Agency contractor Edward Snowden might have used SSH keys or a similar digital certificate to access and steal documents without being detected, he said.

Systems administrators typically introduce SSH keys into an environment with little awareness of how the keys can be misused, Bocek said. Though IT security teams at some organizations have attempted to gain control over key management, many enterprises still leave the task to the administrators, he said.

In the Ponemon survey, about 74% of the respondents said they allow administrators to independently control and manage SSH keys. As a result, enterprise security teams often have very little visibility into the scale of the problem and even less information about how to manage it.

To get a handle on the problem, enterprises must figure out where SSH is in use and how many keys might be floating about on their networks. They then need to find a way to correlate the keys back to the appropriate servers, evaluate whether they're needed and put in place a process for automatically changing keys.
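The inventory and correlation step described above can be sketched in a few lines. This is an added example, not code from the article or the survey: it parses collected `authorized_keys` files, fingerprints each key the way OpenSSH does, and reports keys that grant access in more than one place and root grants with no restricting options. The host names, accounts, function names and key blobs are constructed for illustration.

```python
import base64, binascii, hashlib, re
from collections import defaultdict

# [options] keytype base64-blob [comment]; options may contain quoted spaces
LINE = re.compile(r'^(?!#)(?:(?P<opts>(?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+)?'
                  r'(?P<type>(?:ssh|ecdsa|sk)-[\w@.-]+)\s+(?P<blob>[A-Za-z0-9+/=]+)')

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def inventory(files):
    """{(host, account): authorized_keys text} -> {fingerprint: [grant, ...]}"""
    keys = defaultdict(list)
    for (host, account), text in files.items():
        for line in text.splitlines():
            m = LINE.match(line.strip())
            if m is None:                  # blank line, comment or junk
                continue
            try:
                fp = fingerprint(m["blob"])
            except binascii.Error:         # malformed base64: not a usable key
                continue
            keys[fp].append({"host": host, "account": account,
                             "options": m["opts"] or ""})
    return dict(keys)

def findings(keys):
    """Keys that grant access in several places, and root grants with no options."""
    shared = {fp: g for fp, g in keys.items() if len(g) > 1}
    open_root = [(fp, g["host"]) for fp, gs in keys.items() for g in gs
                 if g["account"] == "root" and not g["options"]]
    return shared, open_root

def sample_blob(n):  # constructed ed25519-format blob, not a real key
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([n]) * 32
    return base64.b64encode(raw).decode()

SAMPLE = {  # constructed hosts, accounts and keys
    ("db01", "root"): f'ssh-ed25519 {sample_blob(1)} alice@laptop\n'
                      f'command="/opt/backup run",no-pty ssh-ed25519 {sample_blob(2)} job\n',
    ("app01", "root"): f"# old admin key\nssh-ed25519 {sample_blob(1)} alice@laptop\n",
    ("app01", "deploy"): f"ssh-ed25519 {sample_blob(3)} ci@build\n",
}

if __name__ == "__main__":
    shared, open_root = findings(inventory(SAMPLE))
    print(len(shared), "shared key(s); unrestricted root grants:", open_root)
```

Keying the inventory on the fingerprint rather than the comment field matters because the comment is free text and is often copied or edited along with the key.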

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
