Secure Shell (SSH) is a security protocol broadly used by organizations of all types. As such, SSH is used by administrators to remotely manage Unix/Linux servers, routers and firewalls as well as many other systems.
Despite its importance, most organizations have limited, or no, formal SSH policies or management in place. Unfortunately, this means cyber criminals can easily abuse SSH keys that secure and automate administrator-to-machine and machine-to-machine access to critical business functions.
Venafi recently conducted a study that evaluated how organizations manage and implement SSH in their environments. Over 400 IT security professionals with in-depth knowledge of SSH participated, however, the study reveals a widespread lack of SSH security controls.
For example, 63% of the study respondents admit they do not actively rotate keys, even when an administrator leaves their organization, which can allow the former employees to have ongoing, privileged access to critical systems.
Additional highlights from the study:
Organizations are blind to malicious insiders.
61% of respondents do not limit or monitor the number of administrators who manage SSH; only 35 percent enforce policies that prohibit SSH users from configuring their own authorized keys.
There is no way to determine if keys have been stolen, misused or should not be trusted.
90% of the respondents say they do not have a complete and accurate inventory of all SSH keys.
Attackers can gain elevated privileges.
Only 23% of respondents rotate keys on a quarterly or more frequent basis. 40% said that they don’t rotate keys at all or only do so occasionally. Attackers that gain access to these SSH keys will have ongoing privileged access until they are rotated.
No port forwarding controls means big trouble for organizations.
51% of respondents said they do not enforce “no port forwarding” for SSH. Port forwarding allows users to effectively bypass the firewalls between systems so a cybercriminal with SSH access can rapidly pivot across network segments.
Attackers can keep using compromised SSH keys.
54% of respondents do not limit the locations from which SSH keys can be used. For applications that don’t move, restricting SSH use to a specific IP address can stop cybercriminals from using a compromised SSH key remotely.
“A compromised SSH key in the wrong hands can be extremely dangerous,” said Nick Hunter, senior technical manager for Venafi. “Cybercriminals can use them to access systems from remote locations, evade security tools, and often use the same key to access more systems. Based on these results, it’s very clear that most organizations have not implemented SSH security policies and restricted SSH access configurations because they do not understand the risks of SSH and how it affects their security posture.”