Last month Snowden (the movie) was released in the US. While the film has received mixed reviews, the story behind the movie has played out very publicly over the last three years providing a salutary lesson for all charged with organisational security.
Whether you approve of Edward Snowden’s actions by exposing the NSA’s surveillance operations or not, all organisations should take note of the alleged method he used to gain this highly sensitive information: SSH keys.
Unmanaged SSH Keys: A Risk And Compliance Headache
While it has never been confirmed, it is widely thought that Snowden was able to access NSA files by creating and manipulating SSH keys. If true, this is a prime example of a malicious attack from a trusted insider, and it could happen -or already be underway – in your organisation.
‘Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network.’ – Wikipedia.
SSH is everywhere. Multiple platforms, devices, traffic encryption and identities use it, for activities such as support and maintenance, dynamic machine to machine interaction or secure batch file transfers.
However, organisations can very quickly lose sight of who has access to what. Most organisations have thousands of SSH keys but larger organisations could have millions in existence in their estate. In many cases the vast majority of SSH keys, whilst still deployed on production servers, are not in active use. And many of those keys provide root access.
This causes risk and compliance executives a real headache. Often it is not until an organisation undergoes a security or regulatory audit does the scale of the problem become known: unmanaged privileged access is a violation of compliance. If the organisation experiences a data breach as a result, the fallout is even more severe. According to research from Verizon, over half of data breaches use legitimate user credentials; SSH keys can be one such vulnerability.
Could Your SSH Keys Be Stolen?
Stolen SSH keys are hot property for cybercriminals, essentially providing a cybercriminal with the master key in an unmanaged environment. Edward Snowden, a contractor at NSA, is alleged to have created a privileged account and then fabricated SSH keys that allowed him to access critical files. In another scenario these fabricated SSH keys could be sold to cybercriminals facilitating financial and identity theft, IP theft, lose of data, disruption to business operations…the list goes on.
Our partners SSH Communications found in a security audit they performed for a banking client that 10% of around 150,000 keys originated from an unknown source and granted root or other elevated privileges. Many organisations, like the bank, cannot detect when new SSH keys are introduced to their networks. It becomes even more of a challenge when transitioning services to the Cloud.
If this has given you cause for concern, what steps should you be taking? The following questions should help you understand the scale of the problem you face:
- Does your organisation know how many SSH keys are in active use? And those that are not?
- Do you have centralised control of SSH keys?
- Who manages privileged accounts? System administrators or IT security teams?
- Is it possible to detect when new keys are introduced, and if so is this monitored?
- What procedures are in place to allow access to privileged accounts, do IT security policies address this issue?
- Has the organisation performed a risk assessment on the threat of insider or external attack via SSH keys?
- Does the organisation have a process for changing non-active SSH keys, especially when users leave the organisation or no longer require access to privileged accounts or specific areas?
- Could the organisation be exposed to a violation of compliance regulations if it is found to have unmanaged SSH keys?
If you think you need to manage your SSH keys more effectively there are solutions available. SSH key management solutions can be deployed to assess the state of your SSH environment, discover who has access to what and where, monitor activity such as the creation of unauthorised keys, clean up the environment by changing old keys, and enable organisations to demonstrate regulatory compliance. Left unmanaged SSH keys are a ticking time bomb in your organisation.
To explore this subject in more depth with us and to hear our recommendations, please get in contact 01252 843014 or info@burningtree.co.uk.