Retail companies rely on an assortment of connected machines that most other industries don’t use. From credit card terminals to specialized e-commerce services, these machines require unique identities and security.
Secure Shell (SSH) keys are often used to authenticate retail machine identities and, in the process, provide the highest levels of administrative access within retail organizations. However, these powerful assets are routinely untracked, unmanaged and poorly secured. Unfortunately, this makes SSH keys popular targets for cyber criminals.
“Retail machines contain lucrative financial information,” said Nick Hunter, senior digital trust researcher for Venafi. “This makes retailers, and their transactions, prime targets for cyber criminals. Simply put, retailers face unique and significant machine identity threats.”
Venafi recently conducted a study that evaluated how retailers manage and implement SSH in their environments. With participation from 101 IT security professionals from the retail sector, the study reveals a widespread lack of SSH security controls.
For example, 81% of respondents acknowledge they do not have a complete and accurate inventory of all SSH keys. If retailers do not know where their
SSH keys are and how they are managing privileged access, it will be difficult to determine if any SSH keys have been stolen, misused or should not be trusted.
Additional highlights from the study:
Users have continuing access to critical assets.
Over a third (35%) of respondents admit they do not actively rotate keys, even when administrators leave their organizations. This can allow former employees ongoing privileged access to sensitive systems.
SSH keys are rarely rotated, if at all.
Just 35% of respondents rotate SSH keys at least quarterly; 37% said they don’t rotate these keys at all or only do so occasionally. This means that attackers who gain access to SSH keys will have ongoing privileged access until keys are rotated.
Unlimited users can generate SSH keys across many systems.
38% of respondents do not restrict the number of SSH administrators, which allows an unlimited number of users to generate SSH keys across large numbers of systems.
No port forwarding controls can mean big trouble for retailers.
32% say they do not enforce “no port forwarding” for SSH. Because port forwarding allows users to effectively bypass the firewalls between systems, the lack of these controls can allow a cybercriminal with SSH access to rapidly pivot across network segments.
SSH keys are not audited.
Over a third (35%) say SSH entitlements are not featured in their Privileged Access Management (PAM) policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving retailers vulnerable to a wide range of cybersecurity attacks.
Ultimately, it’s crucial for retailers to secure their SSH assets. “To protect their customers and their critical business data, retailers need a strong SSH governance program that provides them with complete visibility of all their SSH keys,” concluded Hunter.
Are retailers doing enough to protect their SSH keys?