Study: SSH Key Weaknesses Overlooked in Privileged Access Audits
November 16, 2017
Venafi study reveals over half of organizations do not audit SSH entitlements
SALT LAKE CITY, UT – November 16, 2017: Venafi®, the leading provider of machine identity protection, today announced the results of a study on how well organizations' audits measure Secure Shell (SSH) security in their environments. Over 400 IT security professionals participated in the study, which reveals a widespread lack of SSH audits.
Cyber criminals, such as malicious insiders, use SSH keys to access systems from remote locations, evade security tools and escalate privileges. Auditing SSH entitlements as part of Privileged Access Management (PAM) policies can help organizations understand how well they control access to sensitive data. However, fifty-five percent of the respondents said SSH entitlements are not featured in their PAM policies and are rarely audited. Without proper auditing and effective SSH security policies, SSH key weaknesses can go undetected, leaving organizations vulnerable to a wide range of cybersecurity attacks.
Key findings of Venafi’s study include:
Only a third (thirty-three percent) of respondents said auditors review SSH key rotation and retirement policies. Although SSH keys grant privileged access in the same ways that passwords do, they are rarely audited.
Less than half (forty-six percent) of respondents said auditors review the control of authorized key files. When SSH access is not limited to approved systems, attackers with SSH access can move easily across enterprise networks and remain undetected.
Just forty-three percent of respondents said auditors review their port forwarding policy. If port forwarding is not limited, malicious actors can use it to create encrypted connections that evade most security controls.
More than one-quarter (twenty-seven percent) of respondents said that none of these critical SSH best practices are audited. Without visibility into the efficacy of SSH security practices, organizations cannot accurately measure their security posture.
“Proper oversight from auditors and policy makers would go a long way toward helping organizations understand SSH security risks,” said Steven Armstrong, enterprise information security and risk management consultant and former Federal Reserve Bank Examiner. “Sadly, without detailed insight into the impact of lax SSH policy enforcement, most organizations do not have the information or the catalysts they need to strengthen SSH security.”
The study was conducted by Dimensional Research and completed in July 2017. It analyzed responses from 411 IT and security professionals with in-depth knowledge of SSH from the U.S., U.K. and Germany.