
How to manage enterprise SSH keys

There are many ways to break into an enterprise network. For all the sophistication of intruders, companies themselves sometimes leave obvious, wide-open loopholes. Careless handling of SSH keys is one of the most common of these mistakes.

Keys are used for system automation and authentication, application integration, system administration and other routine functions. With them, an attacker can move deeper into the company's network. So today we are talking about managing SSH keys.


Image: Pexels / Caio / CC

What are the risks of weak SSH key management?


SSH keys were designed as a simpler way to log in to a server without entering a password. According to Tatu Ylönen, the creator of SSH and CEO of SSH Communications Security, a company specializing in corporate security, between 50 and 200 keys accumulate on a single server. In large enterprises, their number runs into the hundreds of thousands, and sometimes into the millions.

As a rule, they are created by developers and database administrators to simplify authentication. As a result, according to Ylönen, about 90% of the keys created over the years, and sometimes over decades, are no longer used but remain active. Moreover, about 10% of these keys grant root access. What does this mean for intruders? Practically unlimited room for maneuver.

A Ponemon Institute survey conducted in 2014 among 2,100 system administrators at Global 2000 companies showed that three out of four enterprises are vulnerable to attack because of weak protection of their SSH keys.

The problem is that an individual key not only opens access to a specific server but also paves the way to other parts of the network. This allows protracted, unnoticed attacks that can undermine the entire infrastructure of the enterprise. With the keys in hand, an attacker can install malware into firmware or erase any data on servers and storage systems, including all backups.

Naturally, a poor key management policy also opens up opportunities for corporate espionage. For example, the 2014 attack on Sony Pictures, with its theft of confidential information, is believed to have been made possible precisely by an SSH-related vulnerability.

In the context of IoT, the danger is even more serious: SSH keys can open access to hardware. Ylönen noted that manufacturers increasingly seek to optimize their processes and resort to remote control technologies, relying on the security of the network protocol. Meanwhile, SSH key files are sold on black markets, and with them competitors can gain access to surveillance cameras or disable a company's security systems. There are many attack scenarios, and their consequences are unpredictable.

“There is no universal solution to correct this. This is not even a technical problem; this is a management problem,” says Ylönen.

Different keys serve different functions, from restoring data-center backups to executing transactions. Competent SSH key management therefore requires understanding the purpose of each key, which means that the earlier an enterprise adopts so-called key management, the more effectively its defenses will be built.

How to build SSH key management in the enterprise


Tatu Ylönen identifies three main areas of work with keys: monitoring, administration and automation. Speaking about SSH vulnerabilities, he lamented that most organizations still have no tools to track their current keys. Accordingly, nobody knows who installed them, why, or when they should be removed.

Some businesses use Excel for key accounting. Paper- or spreadsheet-based key management is used by 57% of companies, according to the 2016 Global Encryption Trends Study. However, as cyber security specialist Michael Cobb points out, such an approach is error-prone and therefore cannot be effective.

“Such a file very quickly loses its relevance: some keys are not entered, some are not deleted, the information is not updated in time and is then forgotten. This leads to a colossal discrepancy with the real picture,” said Sergey Belkin, head of the development department of the 1cloud project. “Moreover, the temptation to organize remote access to such a file arises immediately. There have been cases when users uploaded it to Dropbox, for example. And in recent years such services have repeatedly suffered large-scale data breaches.”

As for automation, Ylönen cites the example of one of the three largest banks in the United States, which employs 200 system administrators; 10% of the team dealt exclusively with SSH keys. Besides the inefficient use of resources, this situation increases the risk associated with the human factor, for example the chance of accidentally granting a key root access.

According to Ylönen, enterprise security begins with creating an SSH key lifecycle management strategy and then making its application mandatory. The Ponemon survey demonstrates how unpopular this approach is: about 74% of respondents said they allow administrators to control and manage keys independently. As a result, enterprise security teams often do not see the scale of the problem.

Companies need to adopt processes for automatically removing keys when the people who owned them leave. At the same time, some companies have been keeping account of keys from the moment a server is launched. For example, 1cloud provides a control panel where all keys are stored in a convenient form, and private keys are generated by the administrator independently, which provides additional security. We have also prepared a short guide on connecting to Linux servers with SSH keys.

Matthew McKenna, commercial director of SSH Communications Security, advises focusing on which keys can have root access and how serious the consequences of losing control of each of those keys would be. The next step is therefore a clear distribution of responsibility across the network, with an identified holder for each key. The use of robust cryptographic standards and best practices in this area is another safeguard for the organization.

Key size, key age and the algorithm should all be taken into account. Additional measures include protecting the passphrase associated with the private key and eliminating or rotating SSH1 keys. System configuration management makes it possible to standardize key locations and enforce access controls, such as prohibiting root access and restricting obsolete keys.
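As an added example (not from the original article or from 1cloud), here is a small Python audit over a constructed authorized_keys inventory that applies the checks just listed: key algorithm and size, key age, legacy SSH1 entries, and root keys with no source restriction. The key blobs, account names and install dates are synthetic, and the age and size thresholds are assumed policy values.

```python
import base64
import shlex
import struct
from datetime import date

def _ssh_string(b: bytes) -> bytes:          # SSH wire "string": 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:                 # SSH "mpint": leading 0x00 byte when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _blob(kind: str, payload: bytes) -> str: # the base64 blob that appears in an authorized_keys line
    return base64.b64encode(_ssh_string(kind.encode()) + payload).decode()
# Constructed, synthetic key blobs (not real keys): only the parameter sizes matter for the audit.
RSA_1024 = _blob("ssh-rsa", _mpint(65537) + _mpint((1 << 1023) | 1))
DSA_1024 = _blob("ssh-dss", b"".join(_mpint(v) for v in ((1 << 1023) | 1, (1 << 159) | 1, 2, 3)))
ED25519 = _blob("ssh-ed25519", _ssh_string(b"\x01" * 32))
# Constructed inventory: (account, authorized_keys line, date the key was installed)
INVENTORY = [
    ("root", f"ssh-rsa {RSA_1024} backup@old-host", date(2009, 4, 1)),
    ("root", f'from="10.0.0.0/8",no-pty ssh-ed25519 {ED25519} ops@bastion', date(2024, 6, 1)),
    ("deploy", f"ssh-dss {DSA_1024} jenkins", date(2015, 6, 30)),
    ("root", "1024 35 1234567890123456789 legacy-ssh1", date(2005, 1, 1)),  # protocol-1 format
]

def _key_bits(kind: str, raw: bytes) -> int:
    fields, off = [], 0
    while off < len(raw):                    # walk the length-prefixed fields of the blob
        n = struct.unpack(">I", raw[off:off + 4])[0]
        fields.append(raw[off + 4:off + 4 + n]); off += 4 + n
    if kind == "ssh-rsa":                    # fields: type, e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if kind == "ssh-dss":                    # fields: type, p, q, g, y
        return int.from_bytes(fields[1], "big").bit_length()
    return 256 if kind == "ssh-ed25519" else 0

def audit(account, line, installed, today=date(2025, 1, 1), max_age_days=365, min_rsa_bits=2048):
    toks = shlex.split(line)
    if toks[0].isdigit():                    # "bits exponent modulus": legacy SSH1 key, retire it
        return ["ssh1-key"]
    has_opts = not toks[0].startswith(("ssh-", "ecdsa-", "sk-"))
    opts, (kind, b64) = (toks[0], toks[1:3]) if has_opts else ("", toks[0:2])
    bits = _key_bits(kind, base64.b64decode(b64))
    checks = [
        (kind == "ssh-dss", "dsa-deprecated"),
        (kind == "ssh-rsa" and bits < min_rsa_bits, f"rsa-{bits}-bits-too-short"),
        ((today - installed).days > max_age_days, "stale-rotate"),
        (account == "root" and "from=" not in opts, "unrestricted-root"),
    ]
    return [label for hit, label in checks if hit]
```

Running `audit(*entry)` over each inventory entry yields an empty list only for the restricted, recent ed25519 key; the other three entries each produce at least one finding to act on.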


Image: Pixabay / Ashish_Choudhary / CC

Facebook engineers shared on their blog their experience of using certificates when designing security systems. The IT giant's servers are configured so that all authentication passes through an SSH certificate authority with an access directory. This is how the system determines whether the authenticated client has the right to perform a specific action.

In addition, Facebook runs a centralized syslog infrastructure that collects logs in real time, together with the infrastructure needed to support it. Parsers interpret the logs and convert them into tabular data that is sent to long-term storage such as Hive. As a recommendation, its engineers advise anyone designing their own certificate authority to keep records of all issued certificates and to consider issuing short-lived certificates.

Tools for managing SSH keys


Since the creator of SSH favors automating key operations, and SSH Communications Security is actively developing products for this, we have collected several useful tools for key management.


Discussing the best ways to manage SSH keys, a number of Hacker News users preferred physical protection: devices that authenticate through direct contact. Solutions such as the YubiKey 4 are often used for two-factor authentication in combination with software-based security measures.


Source: https://habr.com/ru/post/338080/
