Badly Managed SSH Keys Pose a Serious Threat to Your Security

Over the years enterprises have been seriously lax in their approach to the management of their SSH keys. The problem has been compounded by the lack of visibility and monitoring capabilities as well as the lack of provisioning and remediation processes.

In the past, administrators and external contractors have typically been given unfettered access to the network and the ability to create their own SSH key pairs. When an administrator then moves to a new role, their account is removed from AD/LDAP, but the SSH keys they created are very rarely removed.

This leads to many SSH keys being left open on the network, which presents auditors with a massive compliance headache.

What are SSH Keys?

SSH keys are made up of chains of public and private keys, typically used by administrators and contractors to authenticate access to servers within the network for maintenance and other work-related activities.

Think of a private key as the real key to your house and a public key as the lock on the door. The user is identified by their private key and the door (server) is identified by its lock (public key). The holder of the key is then allowed to unlock the door and access the building and the contents within.

What are the problems facing organisations?

With strong authentication methods naturally comes the ability to misuse and abuse secure connections for ill purposes. For example, encrypting data in transit is the perfect solution for preventing man-in-the-middle attacks, but it creates a blind spot for security professionals looking for malicious behaviour. The ability to execute commands such as move, copy and delete is great for administrators but also empowers rogue users to exfiltrate confidential information, deploy malware or delete and damage databases.

Universal SSH Key Manager, an Agentless Based Approach

HANDD are partners with SSH, inventors of the SSH protocol and industry leaders in the management of SSH keys.

In a recent case study, Universal SSH Key Manager was used to scan 6750 servers in a client network, on which were found more than 9000 private keys and 65,000 public keys. To exacerbate the problem further, it was found that more than 68% of those keys had no restrictions at all on which servers they could be used to access. More incredibly, 99% of these keys were allowed to be used to run whatever commands they wanted (think edit, delete etc.), and finally 100% of all keys found had no restrictions enforced around acting as root.

Out of all of the keys found, the key that carried the highest risk was able to access 6730 of the 6750 servers scanned.

So as you can see, leaving active SSH keys unmanaged on your network can have severe implications for your security practices and compliance mandates.
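The three findings in the case study above can be checked on a single host by reading an account's authorized_keys file. The following is an added example, not part of the original article and not how Universal SSH Key Manager works: it assumes the restrictions in question correspond to the OpenSSH `from=` and `command=` key options, the function names are hypothetical, and the sample file is constructed.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
OPTION_RE = re.compile(r'([A-Za-z-]+)(?:="((?:\\.|[^"\\])*)")?')

def parse_line(line):
    """Return (options, key_fields) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_PREFIXES):
        return {}, line.split()
    # The options field ends at the first whitespace outside double quotes.
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quotes:
            i += 1                      # skip the escaped character
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            break
        i += 1
    options = {m.group(1).lower(): m.group(2) if m.group(2) is not None else True
               for m in OPTION_RE.finditer(line[:i])}
    return options, line[i:].split()

def audit(text, account):
    """List each key in an account's authorized_keys with its missing restrictions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, fields = parsed
        issues = []
        if "from" not in options:
            issues.append("no-source-restriction")
        if "command" not in options:
            issues.append("no-command-restriction")
        if account == "root":
            issues.append("grants-root")
        findings.append({"line": lineno, "key": " ".join(fields[2:]), "issues": issues})
    return findings

SAMPLE = """\
# constructed sample; the key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 alice@laptop
from="10.0.0.5",command="/usr/local/bin/backup --full",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLEKEY2 backup@jump
from="*.corp.example" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY3 bob@ws
"""
```

Calling `audit(SAMPLE, "root")` reports the first key as lacking both restrictions, while the same file audited for a non-root account shows the second key with no issues.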

Universal SSH Key Manager helps customers discover, monitor and, more importantly, lock down and remediate across the entire lifecycle of SSH keys without disrupting existing processes or the need to deploy agents.

Danny Maher
Chief Technology Officer
HANDD Business Solutions

To discuss SSH key management contact us by telephone on +44 (0)845 643 4063, or visit our website: www.handd.co.uk.