SANS Institute and Venafi are cohosting a live webinar this Wednesday on the Secure Shell (SSH) network protocol, its vulnerabilities, and how organizations can address these vulnerabilities using SANS Critical Security Controls (CSCs).
When I read news stories about SSH-based attacks, I always wonder if organizations are paying attention. Are they taking the news stories as cautionary tales? Or are they taking the stories as isolated incidents that don't affect them? Or are they ignoring the stories altogether?
If your organization is in either of the latter two camps, I have news for you. While SSH is a sound technology, it has its vulnerabilities—all technologies do. And because it is providing privileged access to your organization's highest-value digital assets, you should know what these vulnerabilities are and how to address them. If you don't, how can you be sure you've adequately protecting your SSH implementation from the bad guys who seek out and prey upon SSH vulnerabilities?
In other words, how can you tell if you're properly securing the technology that secures your digital wealth?
Experts agree that SSH must be secured. Read this recent blog on the new NIST paper on SSH titled, Security of Interactive and Automated Access Management using Secure Shell (SSH), which emphasizes that SSH provides access to nearly all mission-critical systems and organizations should have an active SSH key management and security initiative to ensure their SSH keys remain protected.
This Wednesday, I’m cohosting a webinar with SANS SSH expert, Barb Filkins, to give organizations precisely the information they need to implement this type of initiative. In the webinar, Securing SSH Itself with the Critical Security Controls, we’ll share how the bad guys exploit SSH vulnerabilities to give themselves privileged access to organizations' most confidential and critical data. And follow up with ways organizations can stop the bad guys cold.
A few SSH vulnerabilities lie in the technology itself, but the webinar will show that most lie with a wide variety of implementation and configuration mistakes. For example, harried key administrators can inadvertently deploy authorized keys to root user accounts rather than to regular user accounts. Then when SSH keys are compromised, this opens the door to attacks where bad guys gain privileged access to everything from organizations' firewalls to their most coveted (and perhaps heavily regulated) data—costing organizations millions.
The webinar will also explain how to remediate these SSH vulnerabilities so SSH can be a strong tool for enabling and controlling access. When configured correctly, SSH keys are harder to crack, steal, or guess than are passwords.
In the webinar, you'll see how the SANS CSCs map to the National Institute of Standards and Technology (NIST) best practices for properly implementing SSH, a good complement to the new NIST paper on SSH. For example, CSC subcontrols and NIST's best practices both recommend that organizations automate key-provisioning processes, keep a complete inventory of enabled SSH identity keys, and rotate these keys regularly.
You'll also learn how, with Venafi, you can effectively implement these SANS and NIST recommendations—easily creating a complete key inventory, managing SSH keys throughout their lifecycles, and automating SSH key issuance and revocation. Venafi, as the Immune System for the Internet™, also seeks, destroys, and replaces keys that are compromised, much as the human immune system seeks and destroys cells that threaten the body.
Most enterprises do not have companywide SSH policies and management practices—instead turning to administrators to manage their own keys. This ad hoc approach to SSH key management and security doesn’t keep organizations safe. It’s time to learn how to implement effective SSH key protection that secures your critical systems and data. And, besides, you'll enjoy the webinar much more than reading a story about your organization's SSH-based data breach in the morning news.
I hope you join me at the SSH webinar this Wednesday!