The Secure Shell (SSH) protocol has been used for well over a decade, but its use has typically flown under the radar of security teams. As a result, this protocol, which was initially designed to secure remote access between systems, has also had the unintended consequence of creating major security holes in mission critical assets. Recognizing the risks, NIST recently released an Internal Report that highlights the prevalence of SSH within the enterprise IT infrastructure, common vulnerabilities associated with SSH and recommended controls to better secure SSH and protect critical systems.
If you don’t typically work with Unix or Linux systems, it’s likely you’ve never knowingly used SSH. SSH is commonly used by interactive users to securely access remote Unix and Linux systems, and it is often used in secure file transfer processes and point-to-point tunneling to protect sensitive data transferred between systems. Given the nature of its use, most SSH-based access is privileged access. Yet, unlike privileged passwords, the SSH keys used to establish SSH connections are rarely protected, managed or even known.
“Because SSH is the primary secure access method used for administration and automated processes on mission critical systems, its security is crucial.” –NISTIR 7966
Because SSH has been commonly used for over a decade with little oversight, organizations can have hundreds of thousands of valid SSH keys with no insight into where these SSH keys live, what trusts exist between key pairs or who has access to the keys. Without any control over these keys, it can be easy for an attacker to compromise an SSH key and use it to gain persistent access to critical systems – without raising any red flags. Worse, when organizations take proactive steps to control password-based access to privileged accounts on Unix and Linux systems, SSH key-based access can be used to bypass these privileged account management controls. As a result, organizations can be left with an increased risk of attack using SSH keys and little, if any, ability to detect a key compromise.
To help organizations address these risks, NIST issued a series of recommended controls to better secure and manage SSH keys, and thus better protect critical systems from compromise. Because SSH keys provide privileged access to critical systems, NIST’s recommended controls for SSH keys are very similar to those for privileged passwords.
NIST recommended controls include:
- Account Management to rotate, audit and control access to private SSH keys.
- Access Enforcement to prevent users from granting themselves access to critical systems and privileged SSH keys.
- Least Privilege to limit root access to only situations in which it is absolutely necessary.
- Auditing and Monitoring to track who or what accessed a particular system using an SSH key.
- Risk Assessment to discover and validate SSH-key based trust relationships between users and systems.
- Identity and Authentication to associate SSH keys with individual users or systems and detect unauthorized SSH-key based access.
By following the controls recommended in NISTIR 7966 and applying the same level of security to both privileged passwords and privileged SSH keys, organizations can minimize privileged account risks across the enterprise and significantly reduce the likelihood of a successful attack.