Call to Action
What needs to be done?
- Both internal and external auditors must add Secure Shell key scanning and management to their checks. It is much better to wake up to the issue in an internal audit than to be given an ultimatum by a banking regulator, or to have to explain to shareholders or the SEC why the doors are closed for the fourth consecutive week after a massive attack.
- Proper controls and tools must be put in place for managing Secure Shell keys. The real issue is authorized keys, as they are the ones that grant access. No matter how much you try to protect private keys, it is of no help until the millions of existing authorized keys have been sorted out.
- Regulators must establish firm deadlines for enterprises and agencies to get their acts together. Regulations themselves are already sufficient. FISMA, HIPAA, NERC CIP, PCI, COBIT and others already require controls over who can access the systems and data and the proper termination of access when no longer needed. However, implementation and audit guidelines should be clarified to ensure Secure Shell keys are taken into account.
- Boards, audit committees, CEOs and risk management officers must ensure Secure Shell key-based access is properly accounted for in their organizations to avoid civil and criminal liability.
The size, frequency and impact of breaches are increasing. The longer Secure Shell keys are lost in mismanaged network environments, the greater the chances hackers or malicious insiders will exploit them to access and steal sensitive data. While the Secure Shell protocol itself remains secure, an effective risk mitigation strategy must include effective key creation, deployment and management practices. Auditors and hackers alike will be paying keen attention to this issue in the coming years. It’s time for organizations to step up and do the same.
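As an added example (not code from the article or from SSH Communications Security), a small Python audit helper in the spirit of the key-scanning check called for above: it parses authorized_keys entries including their option fields, computes the SHA256 fingerprint in the form ssh-keygen reports, reads the RSA modulus size, and flags entries that grant access without a from= or command= restriction or with a weak key. The sample file and all key material in it are constructed, not real keys.

```python
import base64
import hashlib
import re
import struct
# RFC 4251 wire-format helpers, used here only to build the constructed sample blobs.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data
def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)  # keep sign bit clear
def public_key_blob(key_type: str, *fields) -> str:
    """Base64 public-key blob as written in authorized_keys (ints become mpints)."""
    body = b"".join(_mpint(f) if isinstance(f, int) else _ssh_string(f) for f in fields)
    return base64.b64encode(_ssh_string(key_type.encode()) + body).decode()
def _split_options(line: str):
    m = re.match(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+', line)  # stops at first unquoted space
    return re.findall(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+', m.group()), line[m.end():].lstrip()
def parse_authorized_key(line: str):
    """Return key type, SHA256 fingerprint, RSA size, options and audit findings."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if not re.match(r"(ssh-|ecdsa-sha2-|sk-)", line):  # no key type first: options present
        options, line = _split_options(line)
    key_type, b64, *comment = line.split(None, 2)
    blob = base64.b64decode(b64)
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = None
    if key_type == "ssh-rsa":  # skip type string and exponent, then read the modulus
        off = 4 + len(key_type)
        off += 4 + struct.unpack(">I", blob[off:off + 4])[0]
        n_len = struct.unpack(">I", blob[off:off + 4])[0]
        bits = int.from_bytes(blob[off + 4:off + 4 + n_len], "big").bit_length()
    opt_names = {o.split("=", 1)[0] for o in options}
    findings = [msg for opt, msg in (("from", "no from= source restriction"),
                                     ("command", "no forced command")) if opt not in opt_names]
    if key_type == "ssh-dss" or (bits is not None and bits < 2048):
        findings.append("weak key type or size")
    return {"type": key_type, "fingerprint": fingerprint, "bits": bits, "options": options,
            "comment": comment[0] if comment else "", "findings": findings}
SAMPLE = "\n".join([  # constructed sample authorized_keys; synthetic key material, not real keys
    "# keys for the batch account",
    "ssh-rsa " + public_key_blob("ssh-rsa", 65537, (1 << 2047) | 12345) + " deploy@build01",
    'from="10.0.0.0/8",command="/opt/backup/run --nightly" ssh-rsa '
    + public_key_blob("ssh-rsa", 65537, (1 << 1023) | 1) + " backup@nas",
    "ssh-ed25519 " + public_key_blob("ssh-ed25519", bytes(range(32))),
])
def audit(text: str) -> list:
    return [r for r in map(parse_authorized_key, text.splitlines()) if r]
```

Run `audit(SAMPLE)` to get one record per key; in a real inventory the records would be keyed by host and account so that each fingerprint can be traced back to an owner.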
About the Author
Ylönen released the first Secure Shell version in 1995 as open source, in response to a password-sniffing incident in which passwords from his company were stolen. The open source version eventually became OpenSSH. He founded SSH Communications Security in 1995 to build commercial security solutions around the protocol. Today, the company serves more than half of the world’s top ten banks and 40% of Fortune 500 companies, focusing on managing Secure Shell key-based and privileged access. It is also the producer of the world’s most widely used commercial Secure Shell implementation. Ylönen is the company’s Chief Innovation Officer, working on next-generation key management solutions that will change the market via ease of use and massive scalability. He holds approximately 50 U.S. and international patents.
Tatu initially drafted the guidelines for NIST IR 7966, after having worked on several large-scale key management projects with some of the world’s largest enterprises. In part, the work is based on an earlier Internet draft published with the IETF (Internet Engineering Task Force). Paul Turner of Venafi, Karen Scarfone of Scarfone Cybersecurity, Murugiah Souppaya of NIST and numerous reviewers also contributed significantly to the various revisions.