Organizations have become reliant on SSH to provide authentication and establish elevated privileges between administrators, applications, and virtual machines in the data center and out to cloud. SSH helps enterprises establish trust. However, there is a darker side to SSH, a dirty little secret that research published by Forrester exposes. Most bad actors understand this secret and continuously take advantage of it. In fact, the problem is becoming worse as organizations become more reliant on SSH to administer workloads in the cloud.
Lax Policy Enforcement
On a daily basis, IT security professionals must balance a myriad of threats and security challenges, all while ensuring the business remains operational. When you take into account the elevated privileges SSH provides, you would assume that enterprises make SSH keys more secure and apply more well-defined, stringent polices than simple usernames and passwords, which provide fewer privileges. But this is not the case. Most organizations have a 30-, 60-, or 90-day password rotation policy. However, Forrester research shows that most organizations have no policies or controls to secure SSH keys. Almost three-quarters (73%) of organizations hardly ever rotate SSH keys. They also rely on system administrators to self-govern their SSH keys. This negligence provides bad actors with near unfettered access to enterprise networks with elevated privileges, sometimes for a span of several years (see an example of a multi-year APT attack).
In the last 24 months, nearly 50% of survey respondents reported that they had to respond to security incidents related to the compromise or misuse of SSH keys. Unfortunately, even with such a high frequency in security incidents, information security professionals don’t seem to be taking the issue seriously. Only 9% of organizations scan for unauthorized SSH activity every 12 hours. The remaining survey respondents either do not scan at all or at a frequency that ranges from greater than every 12 hours to every month. When compared to vulnerability scanning or AV scanning, you would never consider 12 hours to be sufficient.
Closing the Gaps in SSH Security
When considering the importance of SSH and the fact that they provide the ‘keys to the kingdom’—your enterprise network—the security of SSH keys should be a high priority. Forrester research recommends the following minimum steps be taken to close the SSH security gaps:
Ensure there is centralized visibility and control over SSH keys. Reliance on disparate administrative controls is proven to be ineffective.
Ensure there is centralized policy enforcement. Policy enforcement helps reduce the number of mistakes made when configuring SSH.
Ensure there is a clear understanding of baseline usage. Without an understanding of how SSH keys are used and by whom, it is near impossible to detect any security incident related to SSH compromise.
Ensure there is continuous monitoring of the network to identify any anomalous SSH usage. With a clear baseline of SSH usage and continuous monitoring you can dramatically reduce your organizations threat surface.
Ensure remediation of identified SSH vulnerabilities is acted upon swiftly. An SSH compromise provides bad actors with elevated privileges to the enterprise network.