SSH Keys: Security Asset or Liability?

//
// SSH: Your Lowest Cost,
Highest Risk Security Tool
Securing SSH Keys in Today’s Enterprise
© 2019 Venafi. All Rights Reserved.
1
Michael Thelander
Director Product & Strategy, Venafi
michael.thelander@venafi.com

//// © 2019 Venafi. All Rights Reserved.2
What Is SSH?1
How SSH Is Used2
SSH-Related Risks3
Security Best Practices For SSH (and a Path Toward Sanity)4
In This Session

//
// Recent News
© 2019 Venafi. All Rights Reserved.3
“Breach Shaming”
noun
Using recent breaches and exploits to ridicule the
security posture, readiness, or intelligence of
breach victims.
“The session lacked substance, and focused on
breach shaming"

//
//
• 500 million records
compromised
• Exploit began in 2014
• PII, dates of stays, locations
• 5 million passport records
Recent News
“Another point brought up by Marriott … despite
having encrypted customer payment card data it
cannot assure those affected that the criminals
did not take the keys and access the
information.”

//
5
Machine Identity Protection

//
//
Machines
Machine Identities
People
Usernames & Passwords
Identity
Two Actors on a Network

//
//
Machines
Machine Identities
People
User Names & Passwords Machine Identities
$8 Billion
spent annually to protect Just beginning…

//
//
Machines
Machine Identities
People

//
//
Machines
Machine Identities
People
Identities Are the Target

//
//
Slide Content
Devices
Futures:
Algorithms &
Blockchain
ServicesCode
What Are “Machines”?

//
//
SSH Keys
SSL/TLS
Certificates
Code-signing
Certificates
Mobile & IoT
Certificates
Digital Keys and Certificates = Machine Identities
What Establishes Machines Identities?

//
Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
0.0
10.0
20.0
30.0
40.0
50.0
2005 2010 2015 2020 2025
0.0
50.0
100.0
150.0
200.0
250.0
300.0
2005 2010 2015 2020 2025
PROJECTED GROWTH (IN BILLIONS)
PEOPLE
APPLICATIONS
MACHINES
DEVICES
Growth Factors
• Cloud
• Virtual Machines
• Containerization
• DevOps
• Mobile Devices
• Internet of Things
• Industrial IoT
• Data Access
• Privacy Laws
More Machines = More Automated Connections
People
Machines
The Network is Growing Exponentially

//
//
I’m an SSH administrator
I’m a frequent SSH user
I’m an occasional SSH user
I can spell SSH
© 2019 Venafi. All Rights Reserved. 13
1
2
3
4
A Quick Poll
What is your usage of SSH?

//
// What Is SSH?
• The Free Protocol That Replaced Telnet
• Secure Shell (SSH) is
a cryptographic protocol for
operating network services
securely over an unsecured
network
• Typical applications include
remote command-line login and
remote command execution,
but any network service can be
secured with SSH

//
// What Is SSH?
• It Is Now Nearly Ubiquitous
• The standard TCP port for SSH is
port 22
• SSH is generally used to access
Linux or Unix-like operating
systems, but it can also be used
on Windows
• Windows 10 uses OpenSSH as
its default SSH client

//
//
• Both systems authenticate
connections between clients
and servers
• Both encrypt sessions
• Both can leverage asymmetric
or symmetric cryptography
• Both use built-in mechanisms
to insure data integrity
(algorithms and hashing, etc.)
• SSL/TLS usually employs x509
certificates, the SSH protocol
creates digital keys
• SSH includes commands that
allow activities like remote login
and command execution
• SSH supports a host of other
protocols and features: secure
file transfer, secure copy, flow
control, multiplexing, terminal
management
16
Similarities with SSL/TLS

//
//
Systems Managed Using SSH
Over 28% of organizations
use SSH to manage
1000 or more systems
Enterprises with large
SSH environments are
3X more likely to use SSH in
automated processes
• SSH Usage is Surprisingly Widespread
Nobody owns it and it’s free | So it’s easy to overlook its importance

//
“We’re changing audit procedures
again. They’ve added the requirement
to account for SSH key access.”
“Ummmm…. We don’t track SSH
key access. But I think we have
about 500,000 key pairs in our
different estates.”
Jim, the CISO
Chris, the InfoSec Dir
“We need to know in 60 days.”
“Oh SSHit.”
Jim, the CISO

//
Jim, the CISO
“What did the survey say?”
“Did I say 500,00 key pairs?”
“We need a plan by quarter end on how
we’re going to go from 6 million to no
more than 2 million key pairs.”
“It turns out we have
about 6 million key pairs.”
Chuck, the COO
60 Days Later…

//
//
SSHTLS
Customers
Partners
Employees Admins with
Root Access
Application
Owners
System
Admins
SSH
(SCP or SFTP)
File Transfer &
Remote Script
Execution
Jupiter
Where is SSH Used?
For 59% of orgs most or all admins manage SSH for systems they control
2017 Study by Dimensional Research n = 411 IT and Security professionals with in-depth knowledge of SSH

//
//
How Does SSH Work?
sally’s
public key
Is the correct
public key for
server1?
This is what we call
“Key Sprawl”

//
//
Illustrating SSH Risk
Private key
compromise
Weak/
guessable keys
Unauthorized
SSH servers
SSH SW
vulnerabilities
Pivoting to
other systems
Root account
compromise
Terminated
employee access
Unauthorized
SSH access
Backdoor keys
Port
forwarding
Privilege
escalation
Man-in-the-middle attacks
Vulnerable SSH configuration

//
//
Illustrating SSH Risk
SSH Risks/Vulnerabilities
Root account compromise
Unauthorized SSH Access
Privilege escalation
Terminated employee access
Backdoor keys
Port forwarding thru firewalls
Pivoting to other systems
Man-in-the-Middle attacks
Unauthorized SSH servers
SSH SW vulnerabilities
Private key compromise
Weak/guessable keys
Private key
compromise
Weak/
guessable keys
Unauthorized
SSH servers
SSH SW
vulnerabilities
Pivoting to
other
systems
Root account
compromise
Terminated
employee access
Unauthorize
d SSH access
Privilege
escalation
Man-in-the-middle attacks
Backdoor keys
Port
forwarding

//
//
2017 SSH Risk Study
The Result?
Most organizations are
underprepared to protect
against SSH-based attacks
o Surveyed over 400
o IT and Security professionals
with in-depth knowledge of SSH
o From the U.S., U.K. and Germany
o Goal: Measure how well
organizations implement security
controls for SSH keys
• 2017 Study by Dimensional Research
<10%
have a complete and
accurate inventory

//
//
2017 Study by Dimensional Research
n = 411 IT and Security professionals
2017 SSH Risk Study
• After Employee Resignation / Termination
SSH keys do not expire

//
//
2017 Study by Dimensional Research
n = 411 IT and Security professionals
• No inventory
• No key rotation
• Weak keys
• Terminated employees
still have access
• Potential backdoor keys
• Pivoting opportunities
for attackers
The Typical State of SSH

//
//
What About PAM?

//
//
What About PAM?
PAM covers the interactive access of people
but doesn’t focus on machine access
There are privileged people
and there are privileged machines
And these are NOT THE SAME
How often do your PAM policies require entitlement reviews?
Almost half (47%)review entitlements annually—at most

//
// Visibility | Intelligence | Automation
Risk Assessment
Discovery and Inventory
RemediationContinuous Monitoring
Automation
Stop
Bleeding
Clean Up
Mess
Stop
bleeding
CleanUp
Mess
Stop the Bleeding Clean Up Mess
Decision Point
Stop
Bleeding
Clean Up
Mess
2. Intelligence
1. Visibility
3. Automation

//
//
1 Network
Discovery to
Find SSH
Servers
2
SSH Key
Discovery*
2
SSH Key
Discovery*
Centralized
Repository
3
Report &
Analyze
4Notify &
Alert
*Agent or Agentless Discovery
Visibility | Intelligence | Automation

//
//
1 Network
Discovery to
Find SSH
Servers
2
SSH Key
Discovery*
2
SSH Key
Discovery*
Centralized
Repository
3
Report &
Analyze
4
Notify &
Alert
*Agent or Agentless Discovery
Best Practices in Action

//
// Track Your SSH Vulnerabilities
• Potential backdoor keys
• Root Access Orphans
• User Access Orphans
• Root Access
• Duplicate Private Keys
• Weak Key Lengths
• Vulnerable Protocol Use (SSH1)
• Private Key Orphans
• Known Host Orphans
• Shared Server Accounts
• Non-compliant Commands
• Non-compliant Source
Restrictions
• Missing Options
• Stale (unused) Keys
• Non-compliant Algorithms
• Non-compliant Vendor Format
• More…

//
//
Remediation and Verification
Discovery &
Inventory
Visibility
& Compliance
Monitor
& Report
Remediate
& Manage
• Discovery
• Network
• Agentless
• Agent-based
• Delegation
• Hierarchical
Structure
• Dynamic Groups
& Placement
• Permissions
• Dashboard
• Policies
• Violation Status
Messages
• Filtering
• Authorized Users
Report
(to PAM System)
• Key Usage
Logging
• Notifications -
SMTP, SNMP,
Splunk, more…
• Dashboard
• Ad Hoc Reporting
• Entitlements
Report
• Rotate Keysets
• Remove Keys
(User, Authorized, etc.)
• Add New Keys
• Configure Access
Restrictions
• Enforce
Approved
Configuration

//
//
A Word About Butter
• “Low and slow”
methodology evades
detection
• Brute-forces SSH
credentials
• Leads to deployment of
Samba RAT
• Can join DDoS attacks
• Can download and run
a Monero cyrptominer
One way to address:
• Enforce SSH Key Policy
• Rotate SSH Keys
What’s Old is New Again
//

//
//
A Word About DevOps
DevOps Can Feed SSH Key Sprawl

//
//
Align SSH practices with your governing policies
Establish your SSH security requirements
Start gaining visibility
Gain intelligence about keys and connections
Start a discussion about automation of SSH key rotation
Talk to your DevOps teams about their usage of SSH
5 Things To Do TOMORROW*
36
1
2
3
4
5
6
* And a bonus “6th thing”

//
//
Summary
SSH is a powerful (but potentially dangerous) tool
• SSH environment provides privileged access to most systems
• It should be centrally controlled
• Hygiene policies should be analogous to user identities
Without centralized SSH key management
• Risk of breach from multiple vectors
• Pivoting risks are exacerbated
• Risk of non-compliance with PCI-DSS, HIPAA, etc.

//
// SSH: Your Lowest Cost,
Highest Risk Security Tool
Securing SSH Keys in Today’s Enterprise
38
Michael Thelander | michael.thelander@venafi.com

SSH Keys: Security Asset or Liability?

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SSH Keys: Security Asset or Liability?

Similar to SSH Keys: Security Asset or Liability? (20)

Recently uploaded

Recently uploaded (20)

SSH Keys: Security Asset or Liability?

Editor's Notes