Wall Street & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk Management

09:34 AM
Connect Directly

Auditors Not Okay With Rampant Secure Shell Key Mismanagement

Software that provides a risk and compliance report for Secure Shell environments continues to show large-scale security violations across the industry. Auditors, who are also armed with the software, are not taking kindly to the old habit of leaving forgotten access codes lying around.

Financial services across all industries and levels have encryption requirements that control user access. It’s what keeps HR personnel from looking into a client’s account, or an advisor from looking into a colleague’s healthcare information. For good reason, institutions must have these securities in place to meet compliance mandates.

Over the years the keys, or blocks of codes, to internal networks are given to employees on a case-by-case basis to provide access to the information necessary to complete their work. More privileged site administrators and IT personnel often hold unique keys with deep or unlimited access to the encrypted channels. With enough of the right keys in hand, a user can theoretically access an entire network.

“As long as those [privileged users] are not internal bad actors it’s no big deal, otherwise they can go into large parts of the environment, steal information and insert viruses,” explains Jason Thompson, Director of Global Marketing at SSH Communications Security in a phone interview. “Furthermore, someone on the outside can also get past the perimeter and find and copy the key, and impersonate the key. And because those keys have access to broad admin servers, they can easily take out a bank or stock exchange.”

Disturbingly, this doomsday scenario is highly realistic when you take a look at the gross mismanagement of keys.

A Case of Too Many Keys

SSH developed a new tool, SSH Risk Assessor (SRA), to provide users with a snapshot report on their risk and compliance exposures in their Secure Shell environments.

The results can be jaw dropping. “Our customers are some of the biggest banks and organizations in the world. When we surveyed them, none had any idea that their network environments were home to over 100,000 lost Secure Shell keys providing root access to their most sensitive data,” says Matthew McKenna, EVP and COO in a press release.

Unaccounted for keys leave a company “vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA,” according to the press release.

“In one case,” adds Thompson, “we found a top bank had 1.5 million keys in their environment, 10% of which were unknowns, with access to a huge amount of the servers. The bank had no visibility and failed their security audit as a result.” And because keys do not expire, they are deactivated, some lost keys were more than 14 years old.

Security auditors are updating their requirements for key management and are training auditors to identify types of mismanagement. “You have to be able to account for any key in your environment. If you don’t know who has access to the keys then you’re out of compliance. Being able to control keys is important component of this,” says Thompson. “The main issue is pulling back these keys and being sure that any lost keys to sensitive data aren’t just laying around.”

Now More Than Ever

This problem isn’t new news, but the risk associated with the problem is increasingly bubbling to the surface because an institution’s security perimeters, once thought to be secure, is no longer considered a strong defense against hackers. Additional security is necessary so that once hackers gain access the systems, they are unable to penetrate the most sensitive areas of the server. As it stands, hackers seem to have as much access as a janitor with a hefty key ring.

[More on Secure Shell Security. Read: How to Protect Your Bank From an Information Heist]

What’s more, for IT groups it is coming to light that their admins are in violation of audits, and subject to an increased risk of attacks on SSH and SSL environments. “The realm of admins has generally been very protected, and it was trusted that admins would always do the right thing, but that doesn’t account for the risk.”

Finding the Keys – a SSH solution

SSH is pushing their Risk Assessor out to auditors as well as internal security and compliance folks so they can see how many keys are lying around a company’s networks. “Without this tool there’s no way for them to know.” It’s free, downloadable from the SSH website. Of course, if the report comes back with some disturbing information – an abundance of unaccounted for keys and high risk – a remediation should begin.

Remediation includes locating all keys and matching them up, categorizing them, and disable ones that are say, 14 years old. “We can do automated discovery, key rotation, see if any are deployed against policy and shut down that actor, in addition to reporting and continuous monitoring.”

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio

Register for Wall Street & Technology Newsletters
Inside Abel Noser's Trading Floor
Inside Abel Noser's Trading Floor
Advanced Trading takes you on an exclusive tour of Abel Noser's New York trading floor, where the agency broker known for transaction cost analysis, is customizing algorithms for the buy side, while growing its fixed income trading and transitions business.