Vulnerabilities / Threats

10/20/2017
01:10 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Study: 61 Percent of Organizations Have Minimal Control of SSH Privileged Access

Only 35 percent rotate SSH keys as an automated process when administrators leave or are reassigned

SALT LAKE CITY, UT – October 17, 2017: Venafi®, the leading provider of machine identity protection, today announced the results of a study that evaluates how organizations manage and implement Secure Shell (SSH) in their environments. Over 410 IT security professionals participated in the study, which reveals a widespread lack of SSH security controls.

Cybercriminals can abuse SSH keys to secure and automate administrator-to-machine and machine-to-machine access to critical business functions. According to Venafi’s research, even though SSH keys provide the highest levels of administrative access they are routinely untracked, unmanaged and poorly secured. For example, 63 percent of respondents admit they do not actively rotate keys, even when an administrator leaves their organization, allowing them to have ongoing privileged access to critical systems.

“A compromised SSH key in the wrong hands can be extremely dangerous,” said Nick Hunter, senior technical manager for Venafi. “Cybercriminals can use them to access systems from remote locations, evade security tools, and often use the same key to access more systems. Based on these results, it’s very clear that most organizations have not implemented SSH security policies and restricted SSH access configurations because they do not understand the risks of SSH and how it affects their security posture.”

Key study findings:

  • Sixty-one percent of respondents do not limit or monitor the number of administrators who manage SSH; only 35 percent enforce policies that prohibit SSH users from configuring their authorized keys leaving organizations blind to abuse from malicious insiders.
  • Ninety percent of the respondents said they do not have a complete and accurate inventory of all SSH keys so there is no way to determine if keys have been stolen, misused or should not be trusted.
  • Just twenty-three percent of respondents rotate keys on a quarterly or more frequent basis. Forty percent said that they don’t rotate keys at all or only do so occasionally. Attackers that gain access to SSH keys will have ongoing privileged access until keys are rotated.
  • Fifty-one percent of respondents said they do not enforce “no port forwarding” for SSH.  Port forwarding allows users to effectively bypass the firewalls between systems so a cybercriminal with SSH access can rapidly pivot across network segments.
  • Fifty-four percent of respondents do not limit the locations from which SSH keys can be used.  For applications that don’t move, restricting SSH use to a specific IP address can stop cybercriminals from using a compromised SSH key remotely.

 

The study was conducted by Dimensional Research and completed in July 2017. It analyzed responses from four hundred eleven IT and security professionals with in-depth knowledge of SSH from the United States, United Kingdom and Germany.

Additional Resources:

eBook: How Safe are Your SSH Keys?

Executive Brief: 2017 SSH Study

Solution Brief: Manage and Secure SSH Keys

Blog: Best Practices for SSH Key Management: What Are Your SSH Security Risks?

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing all connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise —on premises, mobile, virtual, cloud and IoT — at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the world's most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers, the top five U.S. airlines, four of the top five U.S., U.K. and South African banks, and four of the top five U.S. retailers. For more information, visit http://venafi.com.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15601
PUBLISHED: 2018-08-21
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
CVE-2018-15603
PUBLISHED: 2018-08-21
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen.
CVE-2018-15598
PUBLISHED: 2018-08-21
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
CVE-2018-15599
PUBLISHED: 2018-08-21
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
CVE-2018-0501
PUBLISHED: 2018-08-21
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.