The International Monetary Fund (IMF) recently published the Working Paper “Cyber Risk, Market Failures, and Financial Stability” (WP/17/185) and a blog post by the Organization’s Executive Director Christine Lagarde. The main conclusion of both documents is that cyber risk has emerged as a significant threat to the financial system. According to these reports, all types of banks, money transfer services, and third-party payment processors have seen their systems compromised. Financial market infrastructures have been attacked, and the effects of downtime and service disruptions caused by successful attacks have the potential to be widespread and systemic. Another finding is that cyber-attacks evolve quickly and are highly dynamic by nature, which complicates risk assessment. Successful attacks have already resulted in data breaches in which thieves gained access to confidential information, and in fraud, such as the theft of $500 million from the Coincheck cryptocurrency exchange.
According to Christine Lagarde, an IMF staff modeling exercise estimated that annual losses to financial institutions from cyber-attacks could reach up to $350 billion, eroding bank profits and potentially threatening financial stability. Consistent with this estimate, surveys repeatedly show that risk managers and other executives at financial institutions worry more about cyber-attacks than about imminent geopolitical risks or recent developments such as Brexit.
Why Are Banks Vulnerable?
The financial sector plays a crucial role in intermediating funds and in political and societal stability and prosperity. A simple look at the outcomes of the euro crisis in countries such as Portugal, Ireland and Greece is enough to understand how critical financial sector stability is. That is exactly why banks are attractive targets and hence vulnerable to cyber-attacks. A successful cyber-attack on one institution could spread rapidly through the highly interconnected financial system. One vulnerability highlighted by both IMF documents is that many institutions still run older systems that might not be resilient to cyber-attacks.
Another vulnerability is the limited ability of these institutions to manage SSH keys effectively. SSH keys enable ongoing automatic connections from one system to another, often without a second authentication factor. These connections create a persistent trust relationship, one that cyber criminals and malicious insiders are eager to access and misuse. A July 2017 survey of 100 financial services security professionals in the U.S., U.K. and Germany measured how well their organizations implemented security controls for SSH keys. The results show that most financial services organizations are underprepared to protect against SSH-based attacks, with fewer than half following industry best practices for securing SSH keys.
According to the survey, SSH keys are routinely untracked, unmanaged and unmonitored. In fact, most financial services organizations do not set policies and controls that limit how SSH keys can be used. Unfortunately, this is also true for several Fortune 500 enterprises. The findings of both surveys indicate that organizations hold extremely large numbers of SSH keys, even several million, and that their use is grossly underestimated. They have no provisioning and termination processes in place for key-based access. They have no records of who provisioned each key or for what purpose, and they allow their system administrators to self-provision permanent key-based access without policies, processes, or oversight.
Solution to the SSH Key Management Problem
To remedy this grave and dangerous situation, NIST has issued guidance on SSH key management, known as NIST IR 7966. In addition, ISACA has published guidance on how to audit SSH, including SSH keys. Both documents highlight the need to assess SSH keys and their usage, the privileged identities associated with them, complete logging, and compliance. They also suggest controls, configuration options and other techniques to ensure robust and compliant management of SSH keys.
The recommendations include actions such as implementing periodic access reviews, creating and applying hardened configurations (with automated configuration management tools in mind), and applying integrity checks and monitoring to critical files. Other key points include defining roles and responsibilities for who owns SSH key management, automating the deployment of SSH keys, maintaining an inventory of keys, tracking their usage, and governing SSH keys as part of the overarching risk assessment process.
The aforementioned recommendations for SSH best practices indicate that successful SSH key management is not a one-time task but an ongoing security procedure that should be regularly audited, including a regular review of entitlements and trust relationships. Both documents imply that “manual” SSH key management can lead to severe vulnerabilities, and they propose the use of automated configuration management tools, such as the Venafi Platform.
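As an added example (not taken from the IMF, NIST or ISACA documents, nor from any vendor product), the following Python script shows the kind of check that a key inventory and periodic access review would run over authorized_keys entries collected from several accounts: it computes the OpenSSH SHA256 fingerprint of each key, flags entries that lack a `from=` source restriction or a `command=` forced command, entries with no comment identifying an owner, entries that grant root login, and a single key trusted on several accounts (the persistent trust relationships discussed above). The inventory, host and account names, and key blobs are constructed for the example; the blobs are syntactically valid ssh-ed25519 wire-format blobs built from a hash, not real keys.

```python
"""Audit a collection of OpenSSH authorized_keys files for the controls that
SSH key management guidance calls for: an inventory of every trusted key, who
owns it, where it is trusted, and whether its use is restricted. (Added example.)"""
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

def _fake_ed25519_blob(seed: int) -> str:
    """Constructed key: a syntactically valid ssh-ed25519 blob (length-prefixed type
    string, then a length-prefixed 32-byte key) whose key bytes are just a SHA-256 of
    the seed. It is NOT a usable key; it only lets the example run offline."""
    key_bytes = hashlib.sha256(str(seed).encode()).digest()
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (b"ssh-ed25519", key_bytes))
    return base64.b64encode(blob).decode()

KEY_A, KEY_B, KEY_C = (_fake_ed25519_blob(i) for i in (1, 2, 3))

# Constructed inventory: "host:account" -> contents of that account's authorized_keys
SAMPLE_AUTHORIZED_KEYS = {
    "db01:backup": f'from="10.0.5.10",command="/usr/local/bin/rsync-only" ssh-ed25519 {KEY_A} backup@app01\n',
    "db02:backup": f"ssh-ed25519 {KEY_A} backup@app01\n",  # same key, no restrictions
    "app01:root": f"ssh-ed25519 {KEY_B}\n# stale entry kept for history\nssh-ed25519 {KEY_C} jdoe-laptop\n",
    "bastion:ops": f'restrict,from="192.0.2.0/24" ssh-ed25519 {KEY_C} jdoe-laptop\n',
}

def fingerprint(b64blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line: str) -> tuple:
    """Split a line into (options, rest). Options end at the first space outside
    double quotes, because command="..." values may themselves contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_options(opts: str) -> dict:
    """Turn 'restrict,from="a,b"' into {'restrict': True, 'from': 'a,b'}."""
    result, buf, in_quote = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            if buf:
                name, _, value = buf.partition("=")
                result[name] = value.strip('"') if value else True
            buf = ""
        else:
            buf += ch
    return result

def parse_authorized_keys(text: str) -> list:
    """Return one dict per key entry; blank lines and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue  # malformed; a production audit would report these as well
        entries.append({"type": parts[0], "fingerprint": fingerprint(parts[1]),
                        "options": parse_options(opts),
                        "comment": parts[2] if len(parts) > 2 else ""})
    return entries

def audit(inventory: dict) -> list:
    """Return (location, fingerprint, issue) findings for every weak entry."""
    findings = []
    trusted_on = defaultdict(list)  # fingerprint -> accounts that trust it
    for location, text in inventory.items():
        for entry in parse_authorized_keys(text):
            fp, opts = entry["fingerprint"], entry["options"]
            trusted_on[fp].append(location)
            if "from" not in opts:
                findings.append((location, fp, "no from= source restriction"))
            if "command" not in opts:
                findings.append((location, fp, "no forced command: unrestricted shell"))
            if not entry["comment"]:
                findings.append((location, fp, "no comment identifying the key owner"))
            if location.endswith(":root"):
                findings.append((location, fp, "key grants direct root login"))
    # One key trusted on several accounts is a trust relationship worth reviewing
    for fp, places in trusted_on.items():
        if len(places) > 1:
            findings.append(("*", fp, "trusted on: " + ", ".join(sorted(places))))
    return findings

if __name__ == "__main__":
    for location, fp, issue in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{location:14} {fp}  {issue}")
```

On the constructed inventory the only entry that produces no finding is the `db01:backup` key, which is pinned to a source address and a forced command; the same key on `db02:backup` shows how a restriction applied on one host says nothing about the other copies of that key, which is why an inventory keyed by fingerprint, rather than a per-host review, is the control the guidance asks for.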