The importance of a robust SSH key management policy is often underrated or ignored by many organisations, even though thousands, in some cases millions, of SSH keys are used by organisations that are deeply embedded in the highly interconnected financial system.
According to a recent study carried out by the IMF, financial institutions across the world could lose up to £271 billion to cyber-attacks every year. What's worse is that cyber-attacks not only result in monetary loss, but also the loss of trade secrets, sensitive customer data, as well as financial information of investors and customers such as bank account and credit card details.
Three years ago, a survey carried out by security research firm Venafi at the 2015 RSA Conference found that 38 percent of IT security professionals didn't know how to detect compromised keys and certificates and 64 percent of them expressed their inability to replace compromised SSH keys within 24 hours after a breach had taken place.
A similar survey carried out by Venafi in 2017 showed that 90 percent of IT security teams at financial organisations in the US, UK and Germany did not have a complete and accurate inventory of the SSH keys their organisations employed for privileged administrative access, and that 61 percent of such organisations did not adequately restrict the number of SSH administrators. The result of this lack of restriction was that most administrators used ad-hoc processes and inconsistent security controls when managing and generating SSH keys, thereby leaving their organisations vulnerable to cyber-attacks.
The survey also revealed that the absence of SSH key rotation and revocation policies left organisations vulnerable to unauthorised privileged access by insiders, former employees and cyber-criminals, that 47 percent of organisations did not use both password and public key authentication for SSH users, and that 60 percent of them did not use both password and public key authentication for SSH use in automated processes.
According to Anastasios Arampatzis, an informatics instructor at AKMI Educational Institute and formerly a certified NATO evaluator for information security, a major reason behind the vulnerability of financial organisations to cyber-crime is the inability of such institutions to manage SSH keys effectively.
"SSH keys enable ongoing automatic connections from one system to another, often without the use of a second authentication factor. These connections create a persistent trust relationship, one that cyber-criminals and malicious insiders are eager to access and misuse.
"SSH keys are routinely untracked, unmanaged and unmonitored. In fact, most financial services organisations do not set policies and controls that limit how SSH keys can be used. Unfortunately, this is also true for several of the Fortune 500 enterprises," he said.
He added that organisations have extremely large numbers of SSH keys, sometimes numbering millions, yet they have no provisioning and termination processes in place for key based access. They have no records of who provisioned each key and for what purpose, and they allow their system administrators to self-provision permanent key-based access, without policies, processes, or oversight.
Commenting on the lack of security around SSH keys at major financial organisations, Andy Richmond, vice president for UK at Varonis, told SC Media UK that SSH keys, passwords, PKI certificates and files containing sensitive data are managed in an extremely ad hoc fashion by the majority of organisations worldwide and in the UK.
"Lacking formalised rules surrounding the care and handling of digital secrets is a recipe for disaster. In almost every case SSH key visibility (knowing what keys are created, what they can access, who is using them and when they should be rotated) is all but non-existent."
When asked what he believes is the best way for organisations to regulate key-based access so as to protect against cyber-attacks, Richmond said that organisations should consider defence in depth and how to layer multiple different applications and services to protect against attacks, even though there are a variety of open source and commercial products to assist with key and secret management.
According to Arampatzis, organisations can implement various measures to better regulate the security around SSH keys and to control who can access such keys. Such measures include periodic access reviews, the creation and implementation of hardening configurations that take account of automated configuration management tools, and the application of integrity checks and monitoring over critical files.
"Other key points include the definition of roles and responsibilities over who owns SSH key management, the automated deployment of SSH keys, the inventory of keys, the usage tracking and the governance of SSH keys as part of the overarching risk assessment process," he added.
Suggested reading: Security of Interactive and Automated Access Management Using Secure Shell (SSH) published by the National Institute of Standards and Technology (NIST).