SSH has become the machine interface of choice for administrative and automation processes. Built into many operating systems and devices, SSH is very popular as a vehicle to automate authentication usage. However, using SSH is not without risk, especially if we don’t actively manage SSH machine identities or are not prepared to address any vulnerability exploits that may arise.
As reported by ZDNet recently, one of SSH’s key developers updated the SSH source code to protect against potential side channel attacks leading to compromise of private keys. This news was reported a month after Cisco disclosed an SSH vulnerability, indicating that their devices shipped with common default authorized keys.
What we learn from this story is that SSH is more than just an interface, it is a lively tool that is well adopted within a strong community that keeps updating it. If you don’t believe me, look no further than Google’s Chrome SSH plugin, which is an SSH client with close to 1 Million current users.
Yet, many organizations seem to be unaware of the privileged access that SSH keys grant within their networks. So they largely ignore that SSH keys can represent a true risk. Granted, they do support the popular automated authentications. But once these keys are compromised—via known vulnerabilities or other oversights—access to the crown jewels is immediately at hand for cyber attackers.
How exposed are unprotected SSH keys? The answer is that SSH key theft is a realistic scenario that teams need to think about. To avoid the risk of an SSH compromise, you need to know who owns your SSH keys, where they are being used and how many SSH keys you have in play. To remediate any negative findings, you also need to be prepared to revoke SSH keys that are out of compliance—especially in the case of an emergency key rotation, this has become a must for threat defenders as well as info risk planners.
Basically, you need to know everything about where your SSH keys are running at any given moment. To do that, you’ll need to be able to do the following:
- Understand where keys have been generated and which connections they enable.
- Monitor SSH key usage to detect anomalies and get notified of any suspicious deviance
- Establish automated processes to revoke or clean up potential compromised keys in seconds
However, protecting SSH keys may be easier said than done. Implementing these requirements is not a simple task because you may already have a lot of SSH keys in use. In fact, based on anecdotal research, enterprises have 10 to 100x more keys then they estimate.
So, inventory alone is not an easy task. But even if you manage to complete that herculean task, it may be difficult to find the resources to implement monitoring and remediation can lead to interruptions.
That’s why security savvy organizations go for a specialized solution which provides visibility, intelligence and automation of all your SSH keys and the connections they enable. The right solution will arm your security incident response teams with a weapon that’s ready to respond when needed. But it will also give your info security teams with the insights they need to adapt to rapidly emerging threats.
SSH keys are a powerful element to automate authentications. But that also makes them a desirable tool for adversaries to open the doors to the kingdom. The good news is that the community that created SSH keys is alive and maintaining these valuable tools against some of the biggest computer hardware flaws ever seen. But you will also need to do your part by actively protecting the SSH keys within your organization with the visibility, intelligence and automation to continuous monitor risk and respond quickly if SSH keys are stolen.
Learn more about Venafi SSH Protect solutions.