5 Steps that May Be Leading You toward a Ticking SSH Bomb
September 12, 2019 | Bart Lenaerts

No one wants a poorly managed SSH deployment to create the perfect threat surface for adversaries. If you are not properly protecting SSH connections, they can lead to very costly incidents. But what are the ingredients for this ticking time bomb?

When evidence is found of a stolen SSH client key, a security event can quickly become a serious incident. How can it get this far? Or, to be more specific, what are the shortcuts organizations are taking that may lead to severe SSH threat risks?

Here are 5 signs that your SSH environment may have a ticking SSH bomb:


  1. The Fuel: A toxic growth in trusted connections
    SSH is known for its encryption and built-in automation. Using a single command and a key, a script or automation tool can reach out to another SSH identity, send a command and receive system information back. This type of SSH connection is usually based on a high level of trust. Today, cloud migration or digital transformation can push resource-stretched organizations toward a toxic growth in these automated machine-to-machine connections, especially when IT productivity is given a high priority.

  2. The Blindside: Outdated or bypassed observation
    Traditional controls may not be able to cope with new environments and new growth. As connections grow outside the traditional perimeter, legacy controls such as jump or proxy servers may get bypassed. Even worse, they may become bottlenecks because they can no longer deal with the volume and intensity of the machine-to-machine connections. Also, deep PAM (privileged access management) controls like full-session recording may become irrelevant as DevOps processes continuously change the IT environment and programmatic sessions become hard to decipher.

  3. The Catalyst: Unassigned ownership of SSH identities
    This step is often the biggest tipping point. Once a cloud model is adopted, virtual machines and containers are created on a continuous basis. Venafi’s home-grown risk assessments have indicated that SSH host keys and even private keys are often copied between machines and their clients. The underlying reason for this is the lack of ownership of these machine identity keys. Specifically, as IT Infrastructure, Operations and Security teams all have their own priorities, lifecycle ownership of the SSH identities (or keys) literally falls between the cracks and highly trusted keys get lost, making them easy targets for adversaries.

  4. The Concealer: Weak audits or assessments
    Today, most organizations audit their SSH environment on a regular basis. Best practices have been defined by industry and government bodies. However, once an audit has passed, a false sense of security can take over, especially if the compliance mandate focuses on human interaction and a full audit of the machine identity lifecycle has been skipped.

  5. The Ignition: Malware or human error
    The last step that may indicate an active SSH bomb is a stolen SSH credential. This can happen in many forms, such as humans getting tricked by a phishing attack or day-one malware slowly extracting data. Once an SSH key has left the organization, limiting the exposure can become a challenge, and very quickly a very expensive response may need to be put in place.
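Steps 1, 3 and 4 above all come down to the same gap: nobody holds an inventory of which keys are trusted where, who owns them, and how far each one can reach. The script below is an added example, not Venafi code and not something the post itself provides, of the kind of check a lifecycle audit would run over authorized_keys files collected from a fleet. It computes OpenSSH-style SHA256 fingerprints, flags keys trusted on more hosts than a configurable threshold (the "toxic growth" of step 1), keys with no identifying comment (the "unassigned ownership" of step 3), and keys granted without `from=` or `command=` restrictions. The host names, the collected lines and the key blobs are all constructed for the example; the blobs are random base64, not real key material.

```python
import base64
import hashlib
import shlex
from collections import defaultdict

# Prefixes of the public-key algorithm names OpenSSH accepts in authorized_keys.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-")


def _fake_blob(label: str) -> str:
    """Constructed, non-functional key blob so the sample runs offline."""
    return base64.b64encode(f"constructed-key:{label}".encode()).decode()


# Constructed sample: authorized_keys lines collected from three hosts.
# One CI key is trusted on every host, one key has no owner comment,
# and only the backup key carries source and command restrictions.
INVENTORY = {
    "web-01": [
        f"ssh-ed25519 {_fake_blob('ci-deploy-key')} deploy@ci",
        f"ssh-ed25519 {_fake_blob('orphan-key')}",
    ],
    "web-02": [
        f"ssh-ed25519 {_fake_blob('ci-deploy-key')} deploy@ci",
    ],
    "db-01": [
        f"ssh-ed25519 {_fake_blob('ci-deploy-key')} deploy@ci",
        f'from="10.0.0.5",command="/usr/local/bin/backup" ssh-rsa '
        f'{_fake_blob("backup-key")} backup@bastion',
    ],
}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Split one authorized_keys line into options, key type, fingerprint and comment.

    shlex handles quoted option values that contain spaces (e.g. command="a b").
    Returns None for blank lines, comments and lines without a recognised key type.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return {
                "options": tokens[:i],          # everything before the key type
                "type": tok,
                "fingerprint": fingerprint(tokens[i + 1]),
                "comment": " ".join(tokens[i + 2:]),
            }
    return None


def assess(inventory, max_hosts: int = 1):
    """Return the three risk lists for a {host: [authorized_keys line, ...]} mapping."""
    hosts_by_fp = defaultdict(set)   # fingerprint -> hosts that trust it
    unowned, unrestricted = [], []
    for host, lines in inventory.items():
        for line in lines:
            key = parse_line(line)
            if key is None:
                continue
            hosts_by_fp[key["fingerprint"]].add(host)
            if not key["comment"]:               # no owner / purpose recorded
                unowned.append((host, key["fingerprint"]))
            # Treat a key with neither a source nor a forced command as unrestricted.
            if not any(o.startswith(("from=", "command=")) for o in key["options"]):
                unrestricted.append((host, key["fingerprint"]))
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > max_hosts}
    return {"shared": shared, "unowned": unowned, "unrestricted": unrestricted}


if __name__ == "__main__":
    report = assess(INVENTORY)
    for fp, hosts in report["shared"].items():
        print(f"SHARED      {fp} trusted on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, fp in report["unowned"]:
        print(f"UNOWNED     {fp} on {host} has no owner comment")
    for host, fp in report["unrestricted"]:
        print(f"UNRESTRICTED {fp} on {host} has no from=/command= options")
```

In a real deployment the `INVENTORY` mapping would be filled by collecting `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from `sshd_config`) from each host; the same fingerprinting can be applied to `/etc/ssh/ssh_host_*_key.pub` files to catch the copied host keys the post mentions, since two hosts presenting the same host-key fingerprint is exactly that condition. The threshold `max_hosts` is an assumption to tune per environment: a shared CI key may legitimately be trusted by a few hosts, but every trusting host widens the blast radius if that one private key leaks.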



In an effort to stay left of the boom, security engineering teams often focus exclusively on this last step. When they do, they are tempted to forget that their organization is still producing the fuel and catalysts for an SSH bomb. It’s important to protect the entire chain of exposure for SSH keys. To learn more about how you can shift further to the left and defuse a potential SSH time bomb, see our article on six steps for managing SSH keys.


About the author

Bart Lenaerts

Bart is a Product Manager at Venafi. He has 20 plus years of experience in Network Systems & Security and is a passionate storyteller with strong operational and inter-personal management skills. His international background has allowed him experiences within both Fortune 500 and start-up environments.
