Venafi Co-Authors New NIST Report on Managing & Securing SSH Keys

Published Guidance Offers Enterprises Advice on How to Identify and Protect Against Root-Level Compromises

December 4, 2015

Salt Lake City, UT - December 1, 2015 - Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, announced today the publication of a new National Institute of Standards and Technology (NIST) report entitled “Security of Interactive and Automated Access Management Using Secure Shell (SSH).” NIST partnered with Venafi and others to coauthor the report to raise awareness of the major vulnerabilities associated with SSH user key management and to provide concrete steps for securing and protecting SSH systems and environments.

“A compromised cryptographic secure shell or SSH key is by far one of the worst case breach scenarios for any enterprise. Once an attacker has root-level or privileged access, they have the keys to the kingdom to completely take over an entire network or system and compromise it however they want,” said Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi. “At Venafi, we’ve been educating our customers for the past decade on the importance of securing and protecting their SSH keys. We’re therefore pleased to contribute to this valuable report that will help educate security professionals about the risks associated with unsecured SSH keys and give them proper guidance on what steps they should take to best protect their systems.”

“Because SSH plays such an important role in securing administrative and automated access to a wide variety of systems across organizations of all sizes, it is critical to have a comprehensive set of policies, processes, and technical security controls in place for the proper management and oversight of SSH keys and configuration,” says Matthew Scholl, chief of the National Institute of Standards and Technology’s computer security division.

Research from Venafi and The Ponemon Institute found that 3 out of 4 Global 2000 organizations have no security system for SSH, leaving the door open for rogue, root-level access and data compromises, and that nearly half of all enterprises never rotate or change SSH keys. When SSH keys are stolen and misused, this leaves their networks, servers, and cloud systems completely in the hands of malicious actors.

Notable SSH compromises in the past few years include:

- In 2014, Kaspersky Labs revealed The Mask operation (Careto), a series of compromises over a seven-year period in which a sophisticated, organized crime group in Spain carried out an APT-style attack using multiple attack methods to steal data from governments and businesses. This group was known to steal SSH keys used to authenticate administrators, servers, virtual machines, and cloud services.

- In June 2015, Cisco announced it had default SSH keys deployed on three of its security appliances, which left its customers at risk of an unauthenticated remote attacker being able to intercept traffic or gain access to vulnerable systems with root privileges.

The NIST publication describes several SSH vulnerability areas commonly found in enterprises, including:

- Vulnerable SSH implementation
- Improperly configured access controls
- Stolen, leaked, derived, and unterminated SSH user keys
- Backdoors (unaudited user keys)
- Unintended usage of user keys
- Pivoting
- Lack of knowledge and human errors

It provides recommended steps to manage SSH keys, including:

- Define SSH Key-Based Life Cycle and Termination Policies and Processes. Configuring access to an account for interactive users and automated processes should be a judged decision, balancing the need for access against the risks, and should include consideration of the level of access required.

- Establish Continuous Monitoring and Audit Processes. The purpose of continuous monitoring is to ensure that the processes for provisioning, life cycle management, and termination are followed and enforced. Unauthorized and misconfigured SSH user keys should be detected.

- Inventory and Remediate Existing SSH Servers, Keys, and Trust Relationships. Existing legacy keys pose a substantial security risk and make risk analysis difficult if they are not understood. An inventory of the location of all existing SSH keys and an inventory of trust relationships must be created and evaluated against defined policies.

- Automate Processes. The automation of the processes involved in the management of SSH key-based access can significantly improve security, efficiency, and availability.

- Educate Executive Management. Many executives are not aware of the central role SSH keys play in the operation of mission critical infrastructure and the significant breaches that can occur if they are exploited. Without sufficient executive education for both security and operationally focused executives, SSH key management initiatives can get derailed by other seemingly higher priorities, leaving an organization vulnerable.

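As an added example (not code from the NIST report and not a Venafi product), the script below carries out the inventory and monitoring steps above on constructed data: it parses authorized_keys content collected from several accounts, computes each key's SHA256 fingerprint in the same form ssh-keygen -l prints, and flags keys absent from an approval registry (unaudited keys, i.e. possible backdoors), approved keys past a rotation age, one key trusted by several accounts (a pivot path), and root keys carrying no from= or command= restriction. The hosts, accounts, key blobs, registry contents and 365-day policy are all assumptions made up for the demo; the key blobs are syntactically valid but are not real keys.

```python
"""Inventory and audit SSH authorized_keys files against a key policy.

Added example; not code from the NIST report or from Venafi. The hosts,
accounts, key blobs and approval registry below are constructed for the demo.
"""
import base64
import hashlib
import re
import struct
from collections import Counter
from dataclasses import dataclass
from datetime import date

# A key line is: [options] key-type base64-blob [comment]
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)
# Options that pin a key to a source host or to one fixed command
RESTRICT_RE = re.compile(r"\b(from|command)=")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix plus the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(fill: int) -> str:
    """Syntactically valid ssh-ed25519 public key blob built from a constant (constructed, not a real key)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64 of the digest)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass(frozen=True)
class KeyEntry:
    host: str
    account: str
    options: str
    key_type: str
    fingerprint: str
    comment: str


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    fingerprint: str
    category: str  # unaudited | stale | shared | unrestricted-root
    detail: str


def parse_authorized_keys(host: str, account: str, text: str) -> list[KeyEntry]:
    """Turn one account's authorized_keys content into inventory entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # malformed line; sshd ignores it as well
        options = line[: m.start()].strip()
        entries.append(KeyEntry(host, account, options, m.group(1), fingerprint(m.group(2)), (m.group(3) or "").strip()))
    return entries


def audit(entries: list[KeyEntry], approved: dict, today: date, max_age_days: int = 365) -> list[Finding]:
    """Compare the inventory against the approval registry and the key policy."""
    findings = []
    uses_by_fp = {}
    for e in entries:
        uses_by_fp.setdefault(e.fingerprint, []).append(e)
    for fp, uses in uses_by_fp.items():
        record = approved.get(fp)
        if record is None:
            for e in uses:
                findings.append(Finding(e.host, e.account, fp, "unaudited", "key not in approval registry; treat as a possible backdoor"))
        else:
            age = (today - record["issued"]).days
            if age > max_age_days:
                for e in uses:
                    findings.append(Finding(e.host, e.account, fp, "stale", f"{record['owner']} key is {age} days old; policy is {max_age_days}"))
        if len(uses) > 1:  # one key trusted by several accounts is a pivot path between them
            targets = ", ".join(sorted(f"{e.account}@{e.host}" for e in uses))
            for e in uses:
                findings.append(Finding(e.host, e.account, fp, "shared", f"key trusted by {len(uses)} accounts: {targets}"))
    for e in entries:
        if e.account == "root" and not RESTRICT_RE.search(e.options):
            findings.append(Finding(e.host, e.account, e.fingerprint, "unrestricted-root", "root key has no from= or command= restriction"))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per category, e.g. for a dashboard or a policy gate."""
    return Counter(f.category for f in findings)


# --- constructed sample data -------------------------------------------------
KEY_A, KEY_B, KEY_C = (fake_ed25519_blob(n) for n in (1, 2, 3))
APPROVED = {  # fingerprint -> owner and issue date from the (constructed) key registry
    fingerprint(KEY_A): {"owner": "backup-svc", "issued": date(2015, 6, 1)},
    fingerprint(KEY_B): {"owner": "alice", "issued": date(2013, 1, 15)},
}
HOSTS = {  # (host, account) -> authorized_keys content as collected from each host
    ("db01", "root"): f'# nightly backup, pinned to the bastion\nfrom="10.0.0.5",command="/usr/local/bin/backup" ssh-ed25519 {KEY_A} backup@bastion\nssh-ed25519 {KEY_B} alice@laptop\n',
    ("web01", "deploy"): f"ssh-ed25519 {KEY_B} alice@laptop\nssh-ed25519 {KEY_C}\n",
    ("web01", "root"): f"ssh-ed25519 {KEY_C}\n",
}
TODAY = date(2015, 12, 1)


def run_audit() -> list[Finding]:
    entries = [e for (h, a), text in HOSTS.items() for e in parse_authorized_keys(h, a, text)]
    return audit(entries, APPROVED, TODAY)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.account}@{f.host} {f.fingerprint} [{f.category}] {f.detail}")
```

Run stand-alone it prints one line per finding. In a real deployment the HOSTS mapping would be filled from authorized_keys files gathered by a configuration or inventory agent and the registry from whichever system issues keys; the audit itself is the part that should run continuously, since a new unaudited key appearing on a root account is exactly the event the monitoring step above is meant to catch.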
Added Bocek, “Most IT and security professionals don’t realize that SSH keys can provide root-level access and don’t expire—ever. So once an attacker has stolen an SSH key, they will likely have perpetual backdoor access. That’s why it’s critically important that enterprises take action now to protect their SSH keys and review this NIST guideline.”


To view a full copy of the NIST report, please visit:


About Venafi

Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates, allowing bad guys to use them to hide in encrypted traffic, spoof websites, deploy malware, and steal data. As the Immune System for the Internet, Venafi patrols across the network, on devices, behind the firewall, and throughout the internet to determine which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protects those that should be trusted, and fixes or blocks those that are not.

As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, the Venafi Trust Protection Platform™ protects keys and certificates and eliminates blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations know what’s trusted and “self” in order to regain control over keys and certificates on mobile devices, applications, virtual machines and network devices and out in the cloud. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, business, and brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.

Venafi is the market leading cybersecurity company in Next Generation Trust Protection (NGTP). As a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to secure cryptographic keys and digital certificates that every business and government depends on for secure communications, commerce, computing, and mobility. With little to no visibility into how the tens of thousands of keys and certificates in the average enterprise are used, no ability to enforce policy, and no ability to detect or respond to anomalies and increased threats, organizations that blindly trust keys and certificates are at increased risk of costly attacks, data breaches, audit failures and unplanned outages.

Venafi customers are among the world's most demanding, security-conscious Global 2000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Today Venafi protects four of the top five U.S. banks, eight of the top 10 U.S. health insurance companies and four of the top seven U.S. retailers. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, and Silver Lake Partners. For more information, visit

