09:34 AM
Auditors Not Okay With Rampant Secure Shell Key Mismanagement
Financial services across all industries and levels have encryption requirements that control user access. It’s what keeps HR personnel from looking into a client’s account, or an advisor from looking into a colleague’s healthcare information. For good reason, institutions must have these securities in place to meet compliance mandates.
Over the years the keys, or blocks of codes, to internal networks are given to employees on a case-by-case basis to provide access to the information necessary to complete their work. More privileged site administrators and IT personnel often hold unique keys with deep or unlimited access to the encrypted channels. With enough of the right keys in hand, a user can theoretically access an entire network.
“As long as those [privileged users] are not internal bad actors it’s no big deal, otherwise they can go into large parts of the environment, steal information and insert viruses,” explains Jason Thompson, Director of Global Marketing at SSH Communications Security in a phone interview. “Furthermore, someone on the outside can also get past the perimeter and find and copy the key, and impersonate the key. And because those keys have access to broad admin servers, they can easily take out a bank or stock exchange.”
Disturbingly, this doomsday scenario is highly realistic when you take a look at the gross mismanagement of keys.
A Case of Too Many Keys
SSH developed a new tool, SSH Risk Assessor (SRA), to provide users with a snapshot report on their risk and compliance exposures in their Secure Shell environments.
The results can be jaw dropping. “Our customers are some of the biggest banks and organizations in the world. When we surveyed them, none had any idea that their network environments were home to over 100,000 lost Secure Shell keys providing root access to their most sensitive data,” says Matthew McKenna, EVP and COO in a press release.
Unaccounted for keys leave a company “vulnerable to attack and in violation of current and emerging compliance mandates including SOX, PCI, NIST & FISMA,” according to the press release.
“In one case,” adds Thompson, “we found a top bank had 1.5 million keys in their environment, 10% of which were unknowns, with access to a huge amount of the servers. The bank had no visibility and failed their security audit as a result.” And because keys do not expire, they are deactivated, some lost keys were more than 14 years old.
Security auditors are updating their requirements for key management and are training auditors to identify types of mismanagement. “You have to be able to account for any key in your environment. If you don’t know who has access to the keys then you’re out of compliance. Being able to control keys is important component of this,” says Thompson. “The main issue is pulling back these keys and being sure that any lost keys to sensitive data aren’t just laying around.”
Now More Than Ever
This problem isn’t new news, but the risk associated with the problem is increasingly bubbling to the surface because an institution’s security perimeters, once thought to be secure, is no longer considered a strong defense against hackers. Additional security is necessary so that once hackers gain access the systems, they are unable to penetrate the most sensitive areas of the server. As it stands, hackers seem to have as much access as a janitor with a hefty key ring.
[More on Secure Shell Security. Read: How to Protect Your Bank From an Information Heist]
What’s more, for IT groups it is coming to light that their admins are in violation of audits, and subject to an increased risk of attacks on SSH and SSL environments. “The realm of admins has generally been very protected, and it was trusted that admins would always do the right thing, but that doesn’t account for the risk.”
Finding the Keys – a SSH solution
SSH is pushing their Risk Assessor out to auditors as well as internal security and compliance folks so they can see how many keys are lying around a company’s networks. “Without this tool there’s no way for them to know.” It’s free, downloadable from the SSH website. Of course, if the report comes back with some disturbing information – an abundance of unaccounted for keys and high risk – a remediation should begin.
Remediation includes locating all keys and matching them up, categorizing them, and disable ones that are say, 14 years old. “We can do automated discovery, key rotation, see if any are deployed against policy and shut down that actor, in addition to reporting and continuous monitoring.”
Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ... View Full Bio