Poor management of keys for a widely used encryption protocol places enterprises at great risk.



There are many ways attackers can try to infiltrate an enterprise, but often enterprises make it so easy that attackers barely have to try. Consider the current state of orphan SSH (Secure Shell) keys: keys that still grant access long after their owner has left or their purpose has lapsed. They represent one of the biggest risks in the enterprise.

SSH is a cryptographic network protocol for operating network services securely; SSH keys are the credentials it uses for system-to-system automation and authentication, application integration, system management and other common functions. Because a key, unlike a password, is accepted without anyone typing anything, an attacker who gets hold of one could find it very easy to burrow deeper into the network.
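The risk described above is easy to measure on a single host: list every key in every authorized_keys file, then check which fingerprints have actually logged in. The script below is an added example, not code from the article or from SSH Communications Security. It parses authorized_keys lines (including an options field such as from="…",command="…"), derives the same SHA256 fingerprint that sshd prints in its "Accepted publickey" log line, and reports keys with no recorded login. The authorized_keys contents and log lines are constructed for the example; the key blobs are base64 of placeholder strings, not real public keys, and the hostnames, users and paths are hypothetical.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Key-type prefixes OpenSSH accepts in authorized_keys (a prefix match is enough here).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-")

# sshd (LogLevel INFO) logs successful key logins in this shape.
LOG_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2: "
    r"(?P<type>\S+) (?P<fp>SHA256:\S+)"
)


def fake_blob(label: str) -> str:
    """Constructed placeholder for a public-key blob: valid base64, not a real key."""
    return base64.b64encode(label.encode()).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint exactly as ssh-keygen -l and sshd print it (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_fields(line: str) -> list:
    """Split on whitespace, but keep quoted option values (from="a b") intact.
    Does not handle backslash-escaped quotes inside options."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def parse_authorized_keys(path: str, text: str) -> list:
    """Return one record per key line: options, type, fingerprint, comment."""
    keys = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line; sshd ignores these too
        keys.append({
            "path": path,
            "line": lineno,
            "options": " ".join(fields[:idx]),      # empty when the key is unrestricted
            "type": fields[idx],
            "fingerprint": fingerprint(fields[idx + 1]),
            "comment": " ".join(fields[idx + 2:]),
        })
    return keys


def inventory(authorized: dict) -> list:
    """Flatten {path: file contents} into a list of key records."""
    return [k for path, text in authorized.items() for k in parse_authorized_keys(path, text)]


def count_logins(log_lines: list) -> dict:
    """Map fingerprint -> number of successful public-key logins seen in the log."""
    seen = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m.group("fp")] += 1
    return dict(seen)


def unused_keys(authorized: dict, log_lines: list) -> list:
    """Keys present in authorized_keys with no login in the supplied log window."""
    seen = count_logins(log_lines)
    return [k for k in inventory(authorized) if k["fingerprint"] not in seen]


# Constructed sample data (hypothetical users, paths and hosts).
AUTHORIZED_KEYS = {
    "/home/alice/.ssh/authorized_keys": (
        f"ssh-ed25519 {fake_blob('alice-laptop')} alice@laptop\n"
        f"ssh-rsa {fake_blob('old-deploy-2014')} deploy@build01\n"
    ),
    "/home/deploy/.ssh/authorized_keys": (
        f'from="10.0.0.0/8",command="/opt/backup.sh" ssh-rsa {fake_blob("backup-bot")} backup\n'
        "# key added by a contractor in 2012\n"
        f"ssh-rsa {fake_blob('bob-2012')} bob@contractor\n"
    ),
}

AUTH_LOG = [
    "Jan 10 09:12:01 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 "
    + fingerprint(fake_blob("alice-laptop")),
    "Jan 10 03:00:02 web01 sshd[1987]: Accepted publickey for deploy from 10.2.3.4 port 40012 ssh2: RSA "
    + fingerprint(fake_blob("backup-bot")),
    "Jan 10 09:13:44 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 5555 ssh2",
]

if __name__ == "__main__":
    for k in unused_keys(AUTHORIZED_KEYS, AUTH_LOG):
        print(f"UNUSED {k['path']}:{k['line']} {k['type']} {k['fingerprint']} {k['comment']!r}")
```

Two caveats a practitioner would want. First, "unused" is only as strong as the log retention window: a key used by a quarterly job looks orphaned in a 30-day log, so treat the output as a review list, not a deletion list. Second, this only finds keys in the default per-user files; keys a user can add to ~/.ssh/authorized_keys without any approval are exactly the self-provisioned credentials the article warns about, and the usual countermeasure is to point AuthorizedKeysFile in sshd_config at a root-owned location (or use AuthorizedKeysCommand) so that provisioning goes through a controlled process.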

To better understand the state of SSH security, or insecurity, in the enterprise, we turned to the inventor of SSH, Tatu Ylonen, chief executive officer at SSH Communications Security, author of US National Institute of Standards and Technology Internal Report 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH), and author of several Internet Engineering Task Force standards.

Here’s our conversation.

CSO: As you see it, what is the general state of SSH key security within enterprises today?

Ylonen: We’ve worked for five years with half of the top 10 banks in the U.S., U.K., Germany and several stock exchanges; some central banks. And we are finding anywhere from several hundred thousand to several million SSH keys granting access to their servers. I don’t know how familiar your readers are with SSH. Basically SSH keys operate like passwords and provide access, but without the need to enter anything. And we are finding, typically, anywhere from 50 to 200 keys per server. This is in traditional enterprise environments with tens of thousands of servers.

For instance, in one bank we found 3 million keys. Another bank found 4.5 million keys. The fewest we've seen in the Fortune 500 companies that we’ve looked at has been in the hundreds of thousands of keys. It turns out these keys are almost always unused. In fact, something like 90 percent is unused, in most cases. Something that was from years ago but never removed when the people left.

And SSH keys are the only credential that users can still provision in a default configuration.

Are they mostly server and system admins who are creating the keys? Do you see poor implementations in regulated industries, such as healthcare?

It’s mostly server and system admins. But also developers and database admins who want a quick, easy single sign-in access to all of their database servers. They create this convenience to do their jobs more easily, but it violates policy. And it creates a lot of risk because these keys accumulate and remain valid forever.

