Answer

SSH security risks: Assessment and remediation planning

SSH Communications released a free tool to help assess SSH security risks in enterprise environments. How does the tool work, and what steps can enterprises take with the results to improve SSH security?

    Requires Free Membership to View

Ask the Expert

Application security and platform security expert Michael Cobb is ready to answer your questions. Submit them now via email! (All questions are anonymous)

The Secure Shell (SSH) cryptographic network protocol is typically used to secure data communications between two computers connecting over an insecure network, such as the Internet. Its use is ubiquitous in IT departments of all sizes for remote command-line login and execution, and for maintaining operating systems and applications. But, like any protocol that uses encryption keys, key management can be a real headache. The proliferation of keys over an extended period of time can adversely impact identity and access management controls, particularly those used in automated application-to-application processes.

Poorly managed deployments of SSH usually lack centralized creation, rotation and removal of keys, and expose organizations to data breaches and compliance failures due to a lack of accountability, transparency and control over who has access to which resources and when. Recently, SSH Communications Security Corp. -- the original developer of the SSH protocol -- surveyed some of its customers and found thousands of lost SSH keys, some providing root access to sensitive data.

To get this situation under control, administrators need a practical, non-intrusive means of determining the extent and seriousness of the problem within their IT infrastructure. Fortunately, SSH Communications Security released a free lightweight scanning and reporting tool that enables administrators and auditors to obtain actionable information on the state of compliance and SSH security.

SSH Risk Assessor (SRA) is designed to be simple to deploy. The tool works by running a script that looks for SSH keys and related users. It then builds a report detailing which keys lack passphrase protection, don't have command or host name restrictions, and/or contain various other vulnerabilities associated with poorly managed keys. Note that all scanned systems must have Perl 5.6 or later installed.

Mediating the problems found in the SSH Communications Security report will greatly reduce the chances of potential insider threats and other attack vectors, as well as satisfy relevant standards and compliance mandates such as the Sarbanes-Oxley Act, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology and Federal Information Security Management Act.

Once rogue keys have been removed or secured, proper key management processes should be adopted to stop the problem from recurring. Administrators needing detailed advice on key management best practices should read the whitepaper released by SSH Communications Security titled, A Gaping Hole in Your Identity and Access Management Strategy: Secure Shell Access Controls. It covers SSH key management and access control risks, and describes proper mitigation strategies for both.

This was first published in January 2014

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: