Secure Shell (SSH) is everywhere. Regardless of size, industry, location, operating systems in use or any other factor, chances are near certain (whether you know about it or not) that it exists and is in active use somewhere in your environment. Not only does SSH come “stock” with almost every modern version of UNIX and Linux, but it is a normative mechanism for systems administration, a ubiquitous method for secure file transfer and batch processing, and a standard methodology for accessing virtual hosts, whether they are on premises or in the cloud.
Because of this ubiquity, SSH is important for assurance, security and risk practitioners to pay attention to. There are a few reasons why this is the case.
First, configuration. SSH can be complicated to configure, and incorrect or inappropriate configuration translates directly to technical risk and potential security issues. Why is it complicated? The configuration parameters border on the arcane, and they require knowledge of the underlying protocol operation to make sure strong selections are made. These configuration choices are highly dependent on both environment and usage, so what might be robust enough for one use case might be insufficient for another. Likewise, the client and the server (e.g., ssh and sshd) have separate configuration options, and each option directly impacts the security properties of the usage.
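To make the configuration point concrete, here is a small checker added to this post (it is not ISACA's tool and not part of the publication) that reads an sshd_config and flags settings an assessor would usually question: interactive root login, password authentication, X11 forwarding, a generous MaxAuthTries, and legacy ciphers, key exchange methods and MACs. The two embedded configurations are constructed samples, and the algorithm denylist is an assumption chosen for illustration rather than an authoritative list; it follows the sshd rule that the first occurrence of a keyword wins and stops at the first Match block, whose conditional settings it does not evaluate.

```python
"""Audit an sshd_config for common weak settings (illustrative checker, not ISACA's)."""
import re

# Constructed sample of a weak server configuration.
WEAK_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 10
Ciphers aes128-ctr,3des-cbc,arcfour
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
MACs hmac-md5,hmac-sha2-256
"""

# Constructed sample of the same server after hardening.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

# Keywords whose value should be "no" for a general-purpose server.
MUST_BE_NO = {"permitrootlogin", "passwordauthentication",
              "permitemptypasswords", "x11forwarding"}

# Assumed denylist of legacy algorithms (illustrative, not exhaustive).
WEAK_ALGOS = {
    "ciphers": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "kexalgorithms": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}


def parse_sshd_config(text):
    """Return {keyword(lowercase): value}; first occurrence wins, Match blocks are not processed."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()                          # keywords are case-insensitive
        if key == "match":
            break                                       # conditional settings are out of scope here
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings


def audit_sshd_config(text, max_auth_tries=4):
    """Return a list of (keyword, message) findings; an empty list means no issues found."""
    settings = parse_sshd_config(text)
    findings = []
    for key in sorted(MUST_BE_NO):
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set explicitly; relies on the compiled-in default"))
        elif value.lower() != "no":
            findings.append((key, f"set to '{value}', expected 'no'"))
    tries = settings.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > max_auth_tries:
        findings.append(("maxauthtries", f"is {tries!r}, expected an integer <= {max_auth_tries}"))
    for key, weak in WEAK_ALGOS.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set explicitly; default list depends on the OpenSSH version"))
            continue
        bad = sorted(a for a in value.lower().split(",") if a in weak)
        if bad:
            findings.append((key, "includes legacy algorithm(s): " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for key, msg in audit_sshd_config(cfg) or [("(none)", "no findings")]:
            print(f"  {key}: {msg}")
```

An absent keyword is reported as a finding rather than silently accepted because the effective value then depends on the build and version of the server, which is exactly the kind of detail an assessor has to confirm on the host rather than infer from the file.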
Second, usage. Usage tends to be niche and tends to grow organically over time rather than being “deployed” in a planned-out, systematic way. It is natural that this happens because the number of SSH users in the organization is relatively small (mostly operations staff), the tool itself is ubiquitous (coming as it does “stock” on multiple platforms), and, because it is a security-focused tool, it is sometimes viewed with reduced skepticism by assurance and security teams. These factors serve to make it less “visible” from a management point of view, meaning very often organizations do not systematically analyze potential risk areas associated with SSH, evaluate the security properties of their existing usage or otherwise systematically examine configuration and other parameters.
Finally, cryptography. By virtue of how the protocol operates, cryptographic keys are integral to SSH, and choices are available about how the cryptography operates, how keys are managed and distributed, and numerous other considerations. As we all know, managing cryptographic keys can be challenging, it is critical to get it right for the security of the usage to be preserved, and cryptography generally is a subject area that is difficult to get right.
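The key management point above is where most SSH reviews find the real surprises: keys that authorize access are plain text lines in each user's authorized_keys file, so an inventory of who can reach a host, with what key strength and under what restrictions, can be built from those files. The following is an illustrative checker added here (not ISACA's tool and not from the publication) that parses the OpenSSH authorized_keys format, decodes the public key blob (for ssh-rsa the blob is the type string followed by the mpints e and n, per RFC 4253 encoding) to measure the RSA modulus, and flags DSA keys, undersized RSA keys and entries with neither a from= nor a restrict option. All key blobs in the sample are constructed placeholders, not real keys, and the 2048-bit floor is an assumed policy value.

```python
"""Inventory authorized_keys entries and flag weak keys or unrestricted entries (illustrative)."""
import base64
import re
import struct

# Locates "<keytype> <base64 blob> [comment]"; anything before the key type is the options prefix.
KEY_LINE = re.compile(r"(?:^|\s)((?:ssh-|ecdsa-|sk-)[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def _ssh_string(data):
    """Length-prefixed string as used in SSH wire encoding."""
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    """Positive multiple-precision integer in SSH wire encoding (extra byte keeps the sign bit clear)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_blob(key_type, *fields):
    """Assemble and base64-encode a public key blob; used only to build constructed sample keys."""
    return base64.b64encode(_ssh_string(key_type.encode()) + b"".join(fields)).decode()


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(blob):
    """Bit length of n in an ssh-rsa blob laid out as string "ssh-rsa", mpint e, mpint n."""
    _, off = _read_string(blob, 0)      # "ssh-rsa"
    _, off = _read_string(blob, off)    # e
    n, _ = _read_string(blob, off)      # n
    return int.from_bytes(n, "big").bit_length()


def parse_authorized_keys(text):
    """Return one dict per key entry: options prefix, key type, decoded blob and comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if not m:
            continue
        entries.append({
            "options": line[:m.start()].strip(),
            "type": m.group(1),
            "blob": base64.b64decode(m.group(2)),
            "comment": m.group(3) or "",
        })
    return entries


def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return (entry label, message) findings for weak or unrestricted entries."""
    findings = []
    for idx, e in enumerate(parse_authorized_keys(text), start=1):
        label = f"entry {idx} ({e['comment'] or 'no comment'})"
        if e["type"] == "ssh-dss":
            findings.append((label, "DSA key; ssh-dss is deprecated and limited to 1024-bit keys"))
        elif e["type"] == "ssh-rsa":
            bits = rsa_modulus_bits(e["blob"])
            if bits < min_rsa_bits:
                findings.append((label, f"RSA modulus is {bits} bits, below {min_rsa_bits}"))
        opts = e["options"]
        if "from=" not in opts and "restrict" not in opts.split(","):
            findings.append((label, "no source restriction (from=) or 'restrict' option"))
    return findings


# Constructed sample file; the moduli are placeholders with the right size, not real keys.
_RSA_1024 = make_blob("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1))
_RSA_4096 = make_blob("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1))
_DSS = make_blob("ssh-dss", _mpint(1))
_ED25519 = make_blob("ssh-ed25519", _ssh_string(bytes(32)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {_RSA_1024} legacy-batch@example",
    f"ssh-dss {_DSS} old-admin",
    f'from="10.0.0.0/8",command="/usr/local/bin/backup" ssh-rsa {_RSA_4096} backup-job',
    f'restrict,from="192.0.2.10" ssh-ed25519 {_ED25519} ops-laptop',
    f"ssh-ed25519 {_ED25519} contractor",
])

if __name__ == "__main__":
    for label, msg in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{label}: {msg}")
```

Run against real files, the output is an inventory question list rather than a verdict: an unrestricted ed25519 key is not itself weak, but the reviewer still needs to know whose key it is, why it has no source restriction, and whether the corresponding private key is still under someone's control.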
For these reasons, it is important that organizations pay attention to their SSH usage the same way that they would any other technology that they use. There are some specific practical considerations that organizations should address and important questions to ask themselves around usage, configuration and maintenance of SSH. ISACA’s recent guidance Assessing Cryptographic Systems lays out the general considerations for assessing a cryptographic system, but specific considerations for SSH remain, for example, specific configuration options for SSH and key management issues specific to SSH.
To help practitioners work through these issues, ISACA has published SSH: Practitioner Considerations. The goal of the publication is to give security, audit, risk and governance practitioners more detailed guidance about how to approach and evaluate SSH usage in their environments.
Ed Moyle is director of thought leadership and research at ISACA. Prior to joining ISACA, Moyle was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his nearly 20 years in information security, he has held numerous positions including senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers and senior security analyst with Trintech. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.