My recent ISACA Journal article discusses what every chief information security officer (CISO) must know about Secure Shell (SSH) key management. This is a topic that keeps me awake at night and should be of major concern to the whole audit community.
In short, SSH is a tool for systems management, automation and file systems, and it is used in every data center in every major enterprise. It introduced a new authentication mechanism based on cryptographic keys, called public key authentication. Unfortunately, in the default configuration, OpenSSH allows any user to provision new credentials for themselves and their friends, and these credentials never expire. If such a credential has been added to a service account, it does not even go away when the user’s own account is removed.
SSH keys can be used to violate segregation of duties—passwordless access using them from development into production systems is common. Attackers can also use them to spread laterally from server to server or data center to data center. This introduces an existential risk to enterprises, involving not only ransomware and exfiltration but also outright destruction and cyberwarfare.
We have found that many large enterprises have unprecedented numbers of these credentials configured—one customer found 3 million, and another had 4.5 million keys granting access to their environment—on tens of thousands of servers. The probability of being able to pivot from server to server using the keys is very high when combined with other attacks for privilege escalation (such as the recent memory management vulnerability in all Linux versions).
In my opinion, SSH access management has been the biggest risk in identity and access governance since we realized 20 years ago that many organizations had not terminated accounts for users that had left the organization. Today, most organizations do not have a process for terminating SSH key-based access, and some have accumulated 10 times as many SSH keys as they have users.
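As an added illustration that is not part of the article, the POSIX shell script below shows what the first step of an SSH key inventory looks like in practice: it builds a constructed sample tree of authorized_keys files (one personal account, one service account holding keys left behind by a departed user), then counts the keys per account, flags keys that carry no from= or command= restriction, and flags keys whose comment names a login that no longer exists in the passwd file. Every path, account name and key string here is made up; the key material is a placeholder, not real key data.

```shell
#!/bin/sh
# Constructed demo of an SSH authorized_keys inventory. Not real system data.
set -u

# Build a constructed sample tree: two home directories and a passwd file
# that lists only the accounts still present. "bob" has been removed, but
# keys bearing his name remain in the service account's authorized_keys.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/home/alice/.ssh" "$root/home/svc-deploy/.ssh" "$root/etc"
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
svc-deploy:x:1001:1001:Deploy service:/home/svc-deploy:/bin/sh
EOF
  # alice: one key with no restrictions (placeholder key material)
  cat > "$root/home/alice/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0001 alice@laptop
EOF
  # svc-deploy: one key restricted to a source range and a forced command,
  # plus two unrestricted keys left behind by the departed user "bob"
  cat > "$root/home/svc-deploy/.ssh/authorized_keys" <<'EOF'
# deploy key used by the CI runner
from="10.0.0.0/8",command="/usr/local/bin/deploy" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY0002 svc-deploy@ci-runner
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY0003 bob@workstation

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEY0004 bob@home
EOF
}

# Walk every home/*/.ssh/authorized_keys under the given root and print one
# summary line per account: total keys, keys without from=/command=
# restrictions, and keys whose comment names a login absent from passwd.
audit_authorized_keys() {
  root="$1"
  passwd="$root/etc/passwd"
  for keyfile in "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$keyfile" ] || continue
    account=$(basename "$(dirname "$(dirname "$keyfile")")")
    total=0; unrestricted=0; orphaned=0
    while IFS= read -r line || [ -n "$line" ]; do
      # Skip blank lines and comments; everything else is a key entry.
      case "$line" in ''|'#'*) continue ;; esac
      total=$((total + 1))
      # A key with neither a source restriction nor a forced command grants
      # an unrestricted interactive login.
      case "$line" in
        *from=*|*command=*) ;;
        *) unrestricted=$((unrestricted + 1)) ;;
      esac
      # The trailing comment is free text; treat "user@host" as a hint about
      # who the key belonged to and check that login still exists.
      comment=${line##* }
      owner=${comment%%@*}
      if [ -n "$owner" ] && ! grep -q "^$owner:" "$passwd"; then
        orphaned=$((orphaned + 1))
      fi
    done < "$keyfile"
    printf '%s total=%d unrestricted=%d orphaned=%d\n' \
      "$account" "$total" "$unrestricted" "$orphaned"
  done
}

# Stand-alone demo against a throwaway directory.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_authorized_keys "$demo_root"
rm -rf "$demo_root"
```

The comment-based ownership check is only a heuristic, because the comment field is free text that anyone can edit; a production inventory fingerprints each public key (for example with `ssh-keygen -lf`) and correlates the fingerprints with a register of who holds the matching private key. The unrestricted count is the more important column: it is the set of keys that give the kind of passwordless, unrestricted access the article describes. On the prevention side, OpenSSH's `AuthorizedKeysFile` directive can point at a root-owned location instead of each user's home directory, so that provisioning a new key requires an administrator rather than being something any user can do for themselves.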
What keeps me awake at night is the thought of ransomware and other attacks spreading to practically all servers in a Fortune 500 company—including backup systems and disaster recovery data centers—using SSH keys. It can be done in a very stealthy fashion, and the outage could last months.
Read Tatu Ylonen’s recent Journal article:
“What Every CISO Must Know About SSH Keys,” ISACA Journal, volume 1, 2017.