Financial Organizations Are in Denial About SSH Keys

By Markku Rossi, CTO, SSH.COM

With the rise in system complexity and scale caused by digital transformation, a large financial institution can have as many as two million Secure Shell (SSH) keys in its network. These keys grant employees’ remote access to servers that house critical systems and data and create connections between machines for automated transactions. In a typical Fortune 500 finance company, most of these SSH keys are unmanaged at best, or major security vulnerabilities waiting to be exploited by hackers or insiders at worst.

In short, financial organizations are in denial about their SSH keys.

A study conducted at a large bank with more than a million keys found that at least 10 percent of these keys allowed for unlimited administrative (“root”) access to production servers. This was a clear violation of the company’s internal security policies and a PCI-DSS audit failure point. It is just one example of the risk facing the financial services industry regarding securing remote access to sensitive data in a highly regulated environment.

As financial institutions continue to digitally transform, the number of people, devices and machines connecting to the company network is growing exponentially. They must ensure their identity and access management plans do not neglect governance and management controls for their legacy SSH key environment or future M2M and human connections secured via SSH keys.

Keys in the Wrong Hands

Some financial organizations do have their SSH key environments under management, but those that don’t are typically in denial about the risk. In a sense, this is natural. Enterprise security teams have traditionally been focused on building the perimeter. While systems administrators and those responsible for internal access provisioning are aware that there might be tens of thousands of root access keys lost, orphaned or neglected on the company’s networks, the problem is not visible at the C-suite or board level.

Of course, breaches associated with Equifax, Lennon Ray Brown (Citibank), Edward Snowden and others highlight the importance of key management. Unmanaged SSH keys are a bonanza for hackers, a gift for disgruntled insiders and an unhappy accident waiting to happen.

Rogue SSH keys are often used as a secondary attack vector. A hacker might enter a network via a phishing scam, social engineering, malware or botnet. But once inside, when they find an unmanaged SSH key, they can move laterally within the network, access servers without detection and create headlines.

The Risk Behind the Scenes

The reality is that sysadmins, database admins (DBAs), maintenance techs and application developers create keys on the fly, keep a few keys listed on a spreadsheet, neglect keys passed to subcontractors and configure keys just enough to get the job done.

This is neither compliant nor safe. Failure to address the issue preserves unacceptable large-scale risk exposure, as revealed in scans of SSH key environment. For instance, a medium-sized international bank with significant digital assets might have 10,000 servers under management.

With 10,000 Unix/Linux hosts, the bank might have 1.5 million keys in circulation granting various levels of access and more than 75,000 keys owned by each system admin or DBA. There can be up to one billion authentications per year granting privileged access to critical systems and data.

SSH key environment scans typically find that up to 90 percent of keys in circulation are obsolete and should be immediately removed, as they were created for ex-employees, former subcontractors or redundant processes.

Compliance Concerns

Regulatory bodies won’t be easing up any time soon – instead, they are issuing seven-figure fines, jail time and reputation-damaging publicity. For instance, potential fines and jail time await SOX[i] violators, and PCI[ii] violations pack their own punch.

In addition to stiff fines, PCI can take away payment processing privileges. This happened to a national chain, rendering the chain incapable of processing card transactions for several weeks.

Financial institutions are exposed to increased compliance and security risk if they do not address the following factors:

• Visibility into SSH key-based trust relationships and monitoring capabilities
• Processes for provisioning ownership, remediation, revocation and rotation of keys
• Policies for SSH key-based access
• Secure Shell governance and reporting

To begin the conversation and learn about the risk from unmanaged SSH keys in your organization, here are some key questions to start with:

• Where in our organization, including for subcontractors, consultants and remote machines, do we use SSH keys?
• Do we track and monitor the creation and use of SSH keys?
• Do our current IT policies cover SSH keys?
• Are our current practices with SSH keys policy-compliant and regulations-compliant?
• Is the risk from SSH key-related incidents involving malicious externals, disgruntled insiders, or accidents involving internals or subcontractors in our risk profile?
• Do we have a named owner for SSH access or Secure Shell governance?

Best Practices

Best practices for SSH key management begin with comprehensively managing SSH keys and their lifecycle with best-of-breed software. With the right tools, major financial organizations can:

• Get vast key environments under management
• Reduce the administrative work related to manually provisioning and troubleshooting key-based access
• Minimize their threat surface
• Become and remain compliant
• Avoid financial penalties from non-compliance
• Decrease the risk of business disruption
• Avoid financial loss from data exfiltration, IP theft and reputation loss

Audit associations, such as ISACA and IIA, offer specific guides on best practices for SSH-related risk mitigation and compliance. ISACA’s SSH: Practitioner Considerations[iii] is the first port of call for those in ops, compliance, risk or C-suite looking to further their knowledge.

NIST, the U.S. body responsible for cybersecurity standards and guidelines for federal government agencies provides a mandate for agencies and concrete guidance for enterprises in the NIST 7966 Interagency Report[iv], co-authored by the inventor of the SSH protocol, Tatu Ylönen.

Secure Your Keys

To be ready for your next IT audit and protect your company and your customers, review the information above and start the conversation with the specialists in your organization. You will face some denial, but you will learn the scale of the challenge with SSH keys in your company. Then, you can get the assistance of experts to help you prioritize and walk you through the process of discovery, management and automation without compromising your core business.