You’re Already Compromised: Exposing SSH as an Attack Vector

December 28, 2018 | David Bisson

Before 2013, the average person rarely thought about encryption. That changed when Edward Snowden breached the National Security Agency (NSA) and disclosed information about PRISM. Since then, a series of events has kept encryption at the forefront of everyone’s minds. Most recently, WikiLeaks published a new document in its “Vault 7” series of CIA leaks. This file contained information on “BothanSpy” and “Gyrfalcon,” two hacking tools that enable someone to steal a target’s SSH keys.

Adversaries and insiders have long known how to abuse the trust established by keys and certificates and use them as the next attack vector. Acknowledging that fact, I decided to work with Dimensional Research to understand how organizations were managing and implementing Secure Shell (SSH) in their environments. The research covered the responses of 411 security professionals with knowledge of SSH from the United States, the United Kingdom and Germany.

What was very evident from the research was that most organizations were inadequately prepared for, or incapable of detecting, a security incident related to the compromise or misuse of SSH keys. We break down these chilling results below.

A lack of visibility

A majority of organizations don’t have adequate visibility into their SSH keys. Significantly, 90 percent of security professionals surveyed by Venafi said that they lacked a complete and accurate inventory of all SSH keys. As a result, they had no means to determine whether someone had stolen or misused their organization’s keys.

The more SSH admins, the scarier!

The issue of key misuse doesn’t relate only to external attackers. Malicious insiders also constitute a threat if they have the ability to configure authorized SSH keys. Organizations can mitigate this risk by creating policies that prohibit such behavior, but according to survey participants, just 35 percent of organizations actually enforce these policies. 61 percent of respondents said that their organization doesn’t even limit or monitor the number of administrators who are authorized to manage SSH.

Unlimited opportunities in how SSH keys are used

As most organizations fail to clarify who can manage their SSH keys, it’s no surprise that many also fail to stipulate how their SSH keys can be used. For instance, nearly half of respondents said that their organization doesn’t restrict port forwarding for SSH (48 percent), limit the locations where SSH can be used (49 percent) or remove SSH keys when a user leaves the company (42 percent). These oversights make it possible for someone to abuse SSH in order to evade other security mechanisms.

A never-ending nightmare

As the research suggests, organizations have limited visibility into how SSH keys are used in the enterprise network and no ability to apply policies to SSH keys. However, you would think that even organizations using manual, disparate SSH key management would provide guidelines for rotating SSH keys. After all, SSH keys have no expiration date.

Unfortunately, that’s not the case. Seventy percent of survey respondents said that their organization does not rotate SSH keys regularly. This opens the possibility of an SSH key leak, such as what happened in a security incident against FreeBSD’s infrastructure back in 2012.

Considering that SSH bypasses host-based controls and provides elevated privileges, every organization should make rotating keys a priority. Every organization needs to stop viewing SSH keys and the management thereof as an operational matter that can be resolved with a few simple discovery scripts or relying on individual application administrators to self-govern. You wouldn’t do that with domain credentials, so why treat SSH keys—which enable elevated root privilege—any differently?

Every organization needs to have central visibility into the entire SSH key inventory, understand how SSH keys are used on the enterprise network and apply SSH policies. Only then will an organization be able to quickly detect security incidents related to SSH and immediately remediate them.
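As an added example (not Venafi’s code, nor anything from the survey), the following Python audits an OpenSSH authorized_keys file for the controls discussed above: it computes a SHA256 fingerprint for each key so it can be inventoried (the same form `ssh-keygen -lf` prints), and flags keys that still permit port forwarding or carry no `from=` source restriction. The sample authorized_keys content and the key blob in it are constructed for the example, not real keys.

```python
import base64
import hashlib
import re

# An authorized_keys line is: [options] keytype base64-blob [comment].
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)|ssh-dss)"
    r"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")
OPT_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding dropped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(text):
    """One finding per key: a fingerprint for the inventory plus the controls it lacks."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            continue
        opts_text = line[:m.start(1)].strip()
        names = {o.split("=", 1)[0].strip().lower()
                 for o in (OPT_SPLIT.split(opts_text) if opts_text else [])}
        issues = []
        # restrict / no-port-forwarding block forwarding unless a later
        # port-forwarding option re-enables it; no-pty alone does not help.
        if not names & {"restrict", "no-port-forwarding"} or "port-forwarding" in names:
            issues.append("port-forwarding-allowed")
        if "from" not in names:
            issues.append("no-source-restriction")
        findings.append({"line": lineno, "type": m.group(1), "comment": m.group(3) or "",
                         "fingerprint": fingerprint(m.group(2)), "issues": issues})
    return findings


# Constructed sample: wire-format ed25519 blob with a dummy 32-byte point, so it
# base64-decodes and fingerprints the way a real key would (not a real key).
SAMPLE_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-ed25519 {SAMPLE_BLOB} alice@laptop
restrict,from="10.0.0.0/8" ssh-ed25519 {SAMPLE_BLOB} deploy@ci
command="/usr/bin/backup.sh",no-pty ssh-ed25519 {SAMPLE_BLOB} backup
restrict,port-forwarding ssh-ed25519 {SAMPLE_BLOB} tunnel-user
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {f['line']}: {f['fingerprint']} {f['comment']!r} {f['issues']}")
```

Run against real files (every user’s `~/.ssh/authorized_keys` plus any `AuthorizedKeysFile` paths in sshd_config) and collect the fingerprints centrally; the same fingerprint appearing under many accounts or hosts is exactly the shared, unrotated key the survey results describe.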

This blog was originally posted by Gavin Hill on February 26, 2016.

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.