SSH privileged access has minimal control at most organisations

Although Secure Shell (SSH) keys provide the highest levels of administrative access, they are routinely untracked, unmanaged and poorly secured, according to a recent report by Venafi. In the survey, 63 percent of respondents admitted that they do not actively rotate keys, even when an administrator leaves their organisation, which allows former administrators to retain ongoing privileged access to critical systems.

It also found that 61 percent don't limit or monitor the number of administrators who manage SSH, leaving their organisations blind to malicious insiders, and 90 percent don't have a complete and accurate inventory of SSH keys, and so have no way of knowing if keys have been stolen or misused.

Cyber-criminals can abuse the SSH keys that secure and automate administrator-to-machine and machine-to-machine access to critical business functions. Management and correct implementation of SSH is particularly important given its role in securing remote machine-to-machine communication. But the report findings show that SSH best practices are routinely disregarded.

“A compromised SSH key in the wrong hands can be extremely dangerous,” said Nick Hunter, senior technical manager for Venafi. “Cyber-criminals can use them to access systems from remote locations, evade security tools, and often use the same key to access more systems. Based on these results, it's very clear that most organisations have not implemented SSH security policies and restricted SSH access configurations because they do not understand the risks of SSH and how it affects their security posture.”

Only 35 percent of the 411 IT security professionals from the United States, United Kingdom and Germany who participated in the study reported enforcing policies that prohibit SSH users from configuring their authorised keys, leaving organisations blind to abuse from malicious insiders. Ninety percent of the respondents said they do not have a complete and accurate inventory of all SSH keys, so there is no way to determine if keys have been stolen, misused or should not be trusted.

Only twenty-three percent of respondents rotate keys on a quarterly or more frequent basis. Forty percent said that they don't rotate keys at all or only do so occasionally. Attackers that gain access to SSH keys will have ongoing privileged access until keys are rotated.

Fifty-one percent of respondents said they do not enforce “no port forwarding” for SSH. Port forwarding allows users to effectively bypass the firewalls between systems so a cybercriminal with SSH access can rapidly pivot across network segments. Fifty-four percent of respondents do not limit the locations from which SSH keys can be used. For applications that don't move, restricting SSH use to a specific IP address can stop cyber-criminals from using a compromised SSH key remotely.
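The two controls described above can be checked per key in an OpenSSH `authorized_keys` file. The following audit script is an added example, not part of the Venafi report; it assumes OpenSSH's `restrict`, `no-port-forwarding`, `port-forwarding` and `from=` key options, and the sample file and key blobs are constructed placeholders.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)\S+$")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="(?:\\.|[^"\\])*")?(,?)')

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = r"""# authorized_keys for a hypothetical service account
ssh-ed25519 AAAAEXAMPLE1 alice@laptop
no-port-forwarding,from="10.0.5.17" ssh-ed25519 AAAAEXAMPLE2 backup-job
restrict,port-forwarding,from="192.0.2.0/24,198.51.100.7" ssh-rsa AAAAEXAMPLE3 deploy
restrict,command="/usr/local/bin/sync --mode \"full\"" ssh-ed25519 AAAAEXAMPLE4 sync
"""

def option_names(line):
    """Return lower-cased option names that precede the key type."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return []                        # line starts with the key type
    names, pos = [], 0
    while (m := OPTION.match(line, pos)):
        names.append(m.group(1).lower())
        pos = m.end()
        if not m.group(2):               # no trailing comma: options end
            break
    return names

def audit(text):
    """List (line number, findings) for keys missing either restriction."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        forwarding, has_from = True, False
        for name in option_names(line):  # applied in order, last one wins
            if name in ("restrict", "no-port-forwarding"):
                forwarding = False
            elif name == "port-forwarding":
                forwarding = True        # re-enables forwarding after restrict
            elif name == "from":
                has_from = True
        findings = ["port forwarding allowed"] * forwarding
        findings += ["no from= source restriction"] * (not has_from)
        if findings:
            report.append((n, findings))
    return report

if __name__ == "__main__":
    for n, findings in audit(SAMPLE):
        print(f"line {n}: {', '.join(findings)}")
```

Run across every account's `authorized_keys`, the same pass also yields the per-host key inventory that most respondents said they lack.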

The study was conducted for Venafi by Dimensional Research and completed in July 2017.