Organizations have become reliant on SSH to provide authentication and establish elevated privileges between administrators, applications, and virtual machines in the data center and out to the cloud. SSH helps enterprises establish trust. However, there is a darker side to SSH, a dirty little secret that research published by Forrester exposes. Most bad actors understand this secret and continuously take advantage of it. In fact, the problem is becoming worse as organizations become more reliant on SSH to administer workloads in the cloud.
On a daily basis, IT security professionals must balance a myriad of threats and security challenges, all while ensuring the business remains operational. When you take into account the elevated privileges SSH provides, you would assume that enterprises make SSH keys more secure and apply more well-defined, stringent policies than they do to simple usernames and passwords, which provide fewer privileges. But this is not the case. Most organizations have a 30-, 60-, or 90-day password rotation policy. However, Forrester research shows that most organizations have no policies or controls to secure SSH keys. Almost three-quarters (73%) of organizations hardly ever rotate SSH keys. They also rely on system administrators to self-govern their SSH keys. This negligence provides bad actors with near unfettered access to enterprise networks with elevated privileges, sometimes for a span of several years (see an example of a multi-year APT attack).
In the last 24 months, nearly 50% of survey respondents reported that they had to respond to security incidents related to the compromise or misuse of SSH keys. Unfortunately, even with such a high frequency of security incidents, information security professionals don’t seem to be taking the issue seriously. Only 9% of organizations scan for unauthorized SSH activity every 12 hours. The remaining survey respondents either do not scan at all or scan at a frequency of anywhere from more than 12 hours to once a month. When compared to vulnerability scanning or AV scanning, you would never consider 12 hours to be sufficient.
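As an added illustration of what a scan for unauthorized SSH keys and overdue rotation can look like (this is example code written for this page, not part of the Forrester research or the article), the following Python script parses an OpenSSH `authorized_keys` file, computes each key's OpenSSH-style SHA256 fingerprint, and checks it against an approved-key inventory. The inventory format (fingerprint, owner, issue date), the 90-day rotation window, and all sample keys are constructed assumptions; real keys would come from `ssh-keygen` and the inventory from whatever key-management system an organization runs.

```python
"""Audit an OpenSSH authorized_keys file against an approved-key inventory.

Added example, not from the original article. Flags keys that are absent
from the inventory (unauthorized) and keys whose recorded issue date is
older than the rotation window (rotation overdue).
"""
import base64
import hashlib
import struct
from datetime import date, timedelta

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the demo is deterministic


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(raw_pubkey: bytes, comment: str, options: str = "") -> str:
    """Fabricate an authorized_keys line for a 32-byte ed25519 public key.
    Used only to build constructed sample input for this example."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    prefix = options + " " if options else ""
    return f"{prefix}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob: bytes) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line: str):
    """Separate a leading options field (quoted values may contain spaces)."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str):
    """Return one dict per key line; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entries.append({"line": lineno, "error": "unparseable"})
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            entries.append({"line": lineno, "error": "bad base64"})
            continue
        entries.append({"line": lineno, "type": parts[0], "options": options,
                        "comment": parts[2] if len(parts) == 3 else "",
                        "fingerprint": fingerprint(blob)})
    return entries


def audit(text: str, inventory: dict, today: date, max_age_days: int = 90):
    """inventory maps fingerprint -> {"owner": str, "issued": date}.
    Returns (line, fingerprint, finding) tuples; keys that are approved and
    inside the rotation window produce no finding."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append((e["line"], None, e["error"]))
            continue
        rec = inventory.get(e["fingerprint"])
        if rec is None:
            findings.append((e["line"], e["fingerprint"], "unauthorized: not in inventory"))
            continue
        age = (today - rec["issued"]).days
        if age > max_age_days:
            findings.append((e["line"], e["fingerprint"],
                             f"rotation overdue: {age} days old (owner {rec['owner']})"))
    return findings


def build_sample():
    """Constructed authorized_keys text and inventory (assumed format)."""
    fresh = make_ed25519_line(bytes(range(32)), "bob@deploy")
    stale = make_ed25519_line(bytes([1] * 32), "alice@build",
                              options='from="10.0.0.0/8",no-pty')
    unknown = make_ed25519_line(bytes([2] * 32), "unknown@laptop")
    text = "# constructed sample authorized_keys\n" + "\n".join([fresh, stale, unknown]) + "\n"
    entries = parse_authorized_keys(text)
    inventory = {
        entries[0]["fingerprint"]: {"owner": "bob", "issued": SAMPLE_TODAY - timedelta(days=30)},
        entries[1]["fingerprint"]: {"owner": "alice", "issued": SAMPLE_TODAY - timedelta(days=400)},
    }
    return text, inventory


def run_demo():
    text, inventory = build_sample()
    return audit(text, inventory, SAMPLE_TODAY)


if __name__ == "__main__":
    for line, fp, finding in run_demo():
        print(f"line {line}: {fp} -> {finding}")
```

Run against a real host, the same `audit()` would be fed the contents of each user's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths set in `sshd_config`) plus the organization's inventory; the fingerprints it prints are the same `SHA256:` values `ssh-keygen -lf` reports, so findings can be cross-checked by hand.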
When considering the importance of SSH and the fact that SSH keys provide the ‘keys to the kingdom’—your enterprise network—the security of SSH keys should be a high priority. Forrester research recommends the following minimum steps be taken to close the SSH security gaps: