[BreachExchange] The Hidden Risks of SSH

[Audrey McNeil]

http://www.datacenterjournal.com/hidden-risks-ssh/

About 20 years ago, a Finnish man named Tatu Ylonen saw a need for stronger
security in the nascent online world and created a powerful access protocol
called Secure Shell (SSH). It provides trusted access and encrypts
communication in transit to prevent man-in-the-middle attacks. In effect,
SSH creates an encrypted tunnel to enable secure communication between two
points. Understandably, it became popular quickly and is now de rigueur,
pre-installed in every Unix, Linux, mainframe and Mac computer, as well as
most network devices.

It’s About Access

In a way, cybersecurity has become a victim of SSH’s success. Because SSH
comes pre-installed, most organizations have no group or individual
responsible for monitoring SSH activities. In fact, most businesses make
the leap that SSH equals encryption and encryption equals security. And who
doesn’t want more encryption and security? The premise that encryption
alone negates the need for vigilance and oversight of SSH use is
dangerously flawed.

That’s because, although SSH does encrypt communication, a more accurate
understanding is that it’s about access. SSH access comes in two variants:
interactive (human to machine) and noninteractive (machine to machine).
Furthermore, access to critical resources and data must be managed,
monitored and controlled. Thus, closing the SSH responsibility gap should
be a Tier One priority for an enterprise.

Starting to address all risks early is crucial. Organizations must have
complete accountability of their protected data: Who has access to our
data? Where is our data? What laws and regulations must we adhere to?
Governance for your trusted access to protected data is of utmost
importance.

Maintaining authorized access to protected data has become a challenge to
all IT-security professionals. SSH user key-based access, called as the
dark side of compliance, continues to bubble up on the high-risk radar as
uncontrolled and unmanaged elevated access to production. Organizations
must consider SSH access when assessing credentials because these
credentials provide the highest level of access yet are rarely, if ever,
monitored.

The Risks of SSH

SSH creates key pairs comprising a private key and a public key. To
understand their function, it’s best to use an analogy: A public key is
similar to a lock on a door, whereas a private key is similar to a physical
key you keep in your pocket. Presenting a matching private key to a public
key grants an encrypted connection.

Owing to a variety of features, SSH has inherent risks:

- Root-level access—SSH can provide root-level (command-level) access to
systems and data.
- Keys are self-provisioned—All employees and consultants can grant
themselves access to critical applications.
- Security bypass—Your expensive security-tool investment is worthless in
the face of SSH encrypted traffic, effectively creating a security blind
spot.
- SSH tunneling—SSH enables traffic to traverse routers and avoid being
blocked.
- People share keys—Employees and contractors often copy and share SSH
keys, preventing you from knowing who did what, when.
- No expiration date—Even a key pair created two decades ago still works
today.

Therefore, SSH keys that fall into malicious hands can become a security
nightmare for any business, giving bad actors the ability to do all sorts
of nefarious things beyond detection in this security blind spot that SSH
creates.

Follow Good Procedures

Effective, consistent SSH key management and risk prevention is possible if
your organization implements industry best practices. First, assess the
security risks facing your organization. Let your first line of defense be
your business owners and users, and define effective security controls that
satisfy multiple regulations. In the age of GDPR, assess your compliance
gaps before an auditor does.

Next, create usage procedures that include periodic access reviews,
documenting and disseminating security policies and standards, and
implementation of required IT controls. Then, create and deploy hardening
configuration and review it from time to time. Consider automated tools to
manage the configuration and apply integrity-control checks and monitoring
over critical files. Make sure to define roles and responsibilities as well
so that SSH key management doesn’t fall through the cracks again.

Automation is also vital to the success of SSH key deployments, so make
sure use it. Standardization is required, and access restrictions are
critical. Finally, inventory of keys and usage tracking is necessary as
part of the overall provisioning of users and accounts. These security best
practices will enhance your security program, support positive audit
outcomes and, most of all, help eliminate the risk of data loss.

Vigilance Required

You can’t take SSH for granted. It’s not a “set it and forget it”
technology, but one that must be watched like a hawk because it grants
pervasive, root-level access to the network. Organizations must do
everything in their power to secure it and make sure it stays that way.
Like many tools, SSH has tremendous advantages and some significant
vulnerabilities. Follow the best practices outlined above and remain
vigilant to keep your data safe.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180430/5c62beda/attachment.html>