Enterprises that have attained the level of Fortune 500 status have massive physical infrastructure and presence, hordes of employees, and significant financial resources. Cyber threats make these companies as susceptible to data breaches as any other company – but Fortune 500s have a lot more to lose. These enterprises must acknowledge that their Achilles’ heel is their information systems. If a criminal can control, corrupt and destroy the servers and the data within them, business will come to a screeching halt.
The Danger Hiding in the Infrastructure
Large organizations are diligent about who gets access to their tens of thousands of servers and disaster recovery data centers. Surely nothing can penetrate all of them?
System administrators and various automated tools manage the servers behind traditional applications. For daily communications and operations to function, these automated systems need access to other systems. They usually get it with SSH keys: the private key sits on the client system and the matching public key is listed in the authorized_keys file of the account it may log in to, so no password is ever typed. System administrators and developers use the same mechanism to log in from their workstations to servers without having to enter a password every time.
What many are shocked to learn is that about 90 percent of the SSH keys in an enterprise are unused. That means there is privileged access to critical systems and data that has never been terminated, violating policies, regulations and laws. It is almost as if employees’ user accounts were never removed when they left; and since a key that grants shell access can be used to install further keys, whoever holds one can create new access for anyone they like.
As if that weren’t a frightening enough revelation, about 10 percent of those SSH keys grant root access (highest-level administrative access). Such keys are used to make backups, install patches, manage configurations and implement emergency response procedures, often using automated tools. In some enterprises, there are more than 5 million automated daily logins using SSH keys – resulting in more than 2 billion logins per year.
How an Attack Spreads
It is important to understand the anatomy of a typical cyber-attack to see how SSH keys come into play. First, a cyber-criminal penetrates a company computer, often with malware, and steals passwords or other credentials to gain access to some set of servers. Once on a server, the attacker exploits a locally exploitable vulnerability to obtain elevated privileges and reads the private SSH keys stored on that server. Keys used by automation normally have no passphrase, because no human is present to type one, so possessing the file is enough to use the key. Many of these keys grant unrestricted access to other servers and systems. The attacker logs in to those servers with them and repeats the process, moving undetected within the enterprise.
Given the high number of SSH keys (10-200 per server on average in most enterprises), it is quite possible for an attack to spread to nearly every data center in the enterprise. Key-based access between data centers is almost always present. Usually there are also many SSH keys granting access from individual user accounts directly to privileged service accounts, bypassing the jump hosts and privileged-access monitoring that were supposed to see such logins.
In order to avoid detection, a cyber-criminal may monitor the server for days or weeks to see which SSH keys are actually used with what servers, and then piggyback on legitimate connections to move undetected.
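The spread described above can be made concrete by treating SSH key trust as a directed graph and asking what a single foothold reaches. The following Python is an added example, not code from the article or from SSH Communications Security; the host names, accounts, key edges and the assumption that host web08 has an unpatched local privilege-escalation bug are all constructed. It computes the blast radius of one compromised developer workstation twice: with a stale key from the developer's account straight into root on a database server, and again after that one key is removed.

```python
"""Compute the blast radius of a single SSH foothold over a key-trust graph.

Added example with a constructed topology.  A node is a (host, account)
pair.  An edge src -> dst means the private key held by src is accepted by
dst's authorized_keys.  Hosts in LOCAL_PRIVESC are assumed (for this
example only) to have an unpatched local privilege-escalation bug: any
account compromised there becomes root, and root can read every private
key on the host, so it inherits every local account's edges.
"""
from collections import deque

# Constructed key trust: who can log in where without a password.
KEY_EDGES = {
    ("ws22", "alice"):   [("web07", "deploy"),
                          ("db01", "root")],      # stale direct key, years old
    ("web07", "deploy"): [("web08", "deploy")],
    ("web07", "root"):   [("db01", "root")],      # configuration management key
    ("db01", "root"):    [("bk01", "root")],      # pushes dumps to the backup host
    ("bk01", "root"):    [("dr-db01", "root")],   # replicates to the DR data center
    ("dr-db01", "root"): [("bk01", "root")],
}
ACCOUNTS = {
    "ws22": {"alice"}, "web07": {"deploy", "root"}, "web08": {"deploy", "root"},
    "db01": {"root"}, "bk01": {"root"}, "dr-db01": {"root"},
}
LOCAL_PRIVESC = {"web08"}   # assumption: web08 unpatched, web07 patched


def blast_radius(foothold, edges, accounts=ACCOUNTS, privesc=LOCAL_PRIVESC):
    """Breadth-first walk from one compromised (host, account).

    Returns {node: path}, where path lists the nodes the attacker passed
    through, so every reachable account comes with the chain of keys
    that enabled it.
    """
    paths = {foothold: [foothold]}
    queue = deque([foothold])
    while queue:
        node = queue.popleft()
        host, account = node
        targets = list(edges.get(node, []))
        # Root, or any account on an escalatable host, reads all local keys.
        if account == "root" or host in privesc:
            targets += [(host, a) for a in sorted(accounts.get(host, ())) if a != account]
        for target in targets:
            if target not in paths:
                paths[target] = paths[node] + [target]
                queue.append(target)
    return paths


def without_key(edges, src, dst):
    """The trust graph with one key removed (the remediation step, simulated)."""
    return {s: [d for d in ds if not (s == src and d == dst)]
            for s, ds in edges.items()}


def compromised_hosts(paths):
    """Sorted list of distinct hosts the attacker reaches."""
    return sorted({host for host, _ in paths})


if __name__ == "__main__":
    foothold = ("ws22", "alice")
    before = blast_radius(foothold, KEY_EDGES)
    after = blast_radius(foothold, without_key(KEY_EDGES, foothold, ("db01", "root")))
    print("with stale key:   ", compromised_hosts(before))
    print("stale key removed:", compromised_hosts(after))
    print("path to DR:", " -> ".join(f"{a}@{h}" for h, a in before[("dr-db01", "root")]))
```

With the stale key present the foothold reaches the database, the backup host and the disaster recovery data center in three hops, none of which pass through any account an administrator would normally watch; removing that one key confines the attacker to the web tier. Fed with a real inventory (which private key files exist in which account on which host, and whose authorized_keys they appear in), the same walk is how the cross-data-center paths mentioned above are found.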
Casualties of Cyberwar
If the attacker’s intent is to take the entire organization down, he or she can disrupt its systems or destroy them outright. Database records can be modified in subtle ways, backups corrupted, and every penetrated server, storage device and router rendered inoperable. For example, the attacker can reprogram the firmware on routers and switches, implant malware in disk drive, network adapter or BIOS firmware, and wipe the data on the affected servers and storage systems, including any penetrated backup and disaster recovery systems.
If this happened, an enterprise would be hamstrung. A Fortune 500 would need weeks or months to rebuild and reinstall its systems, and it would likely lose a good number of recent transactions. How many hours, days or weeks can a typical Fortune 500 be down before the reputation damage is irreparable? The damage to shareholders could easily exceed $30 billion, given the extent of the damage and the inability to operate or even communicate.
There are a variety of entities that would be interested in shutting down an enterprise in this way. A nation-state in a cyberwar might conduct such activity against as many enterprises as possible, even launching multiple attacks simultaneously. A terrorist organization might want to cause chaos. A hacktivist might want to teach investors not to put money in “unethical” enterprises. A criminal organization might want to extract a ransom. For many others, the point would be extracting information: a breach committed to gain competitive intelligence. In such cases, privacy and regulatory issues would be of paramount concern.
Mitigating SSH Key Risk
Enterprise operations totally depend on automation made possible by SSH keys. That means there is no simple patch or quick fix. Rather, the problem is fundamentally an administrative one. Essentially, enterprises must establish proper management of automated access just as they manage passwords. They must also sort out the weaknesses present in legacy systems.
Remediating this problem requires determination and dedication. First, set up a tightly controlled provisioning process, so that no key is installed without a known owner and purpose. Remove any SSH keys that are not being used or that violate policy, and restrict the keys that remain to the source hosts and commands they actually need. Require application teams to justify, with sign-off, every key that stays. Because the problem is far too large to tackle manually, find tools that make the inventory and remediation faster and more reliable. Additionally, closely examine SSH key-based access into backup systems and disaster recovery data centers, since those are the systems an attacker must reach to make an outage unrecoverable.
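The inventory step above comes down to two questions per key: what can it do, and has it been used? The following Python is an added example, not code from the article or from SSH Communications Security. It parses an authorized_keys file, computes each key's OpenSSH SHA256 fingerprint, flags keys that grant root, lack a `from=` source restriction or a `command=` forced command, and cross-references the fingerprints against sshd's "Accepted publickey" log lines to find keys with no logins in the window. The authorized_keys entries, key blobs and log lines are all constructed; the log format assumed is the one current OpenSSH writes for successful public-key logins, and older sshd versions that log MD5 fingerprints or omit the fingerprint at the default log level would need LOG_RE adjusted.

```python
"""Audit root's authorized_keys against sshd logs for risky and unused keys.

Added example, not code from the article or SSH Communications Security.
All inputs are constructed.  The key blobs are well-formed ssh-ed25519 wire
encodings derived from a seed, so they parse and fingerprint like real keys
but are not usable key pairs.
"""
import base64
import hashlib
import re
import struct
from collections import namedtuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")
# Option names at the start or after a comma; quoted values may contain commas.
OPTION_RE = re.compile(r'(?:^|,)([A-Za-z-]+)(?:="(?:[^"\\]|\\.)*")?')
# sshd's success line for public-key logins, which carries the key fingerprint.
LOG_RE = re.compile(r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) "
                    r"port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")
KeyEntry = namedtuple("KeyEntry", "account options fp comment")

def fake_ed25519_blob(seed: str) -> str:
    """Base64 of a syntactically valid ssh-ed25519 public key (constructed)."""
    point = hashlib.sha256(seed.encode()).digest()  # 32 bytes standing in for the point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw blob)) minus '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line: str):
    """Split the leading option list from the key at the first space outside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:]
    return line, ""

def parse_authorized_keys(account: str, text: str):
    """Parse one account's authorized_keys text into KeyEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = frozenset()
        if not line.startswith(KEY_TYPES):          # options precede the key type
            opt_str, line = split_options(line)
            options = frozenset(OPTION_RE.findall(opt_str))
        fields = line.split(None, 2)                 # keytype, blob, optional comment
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue                                 # skip malformed lines
        comment = fields[2] if len(fields) == 3 else ""
        entries.append(KeyEntry(account, options, fingerprint(fields[1]), comment))
    return entries

def used_fingerprints(log_text: str):
    """Map fingerprint -> set of source addresses seen in successful key logins."""
    used = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            used.setdefault(m.group("fp"), set()).add(m.group("src"))
    return used

def audit(entries, used):
    """Return {comment: [findings]}; an empty list means the key passed every check."""
    report = {}
    for e in entries:
        checks = [
            (e.account == "root", "grants-root"),
            ("from" not in e.options, "no-source-restriction"),
            ("command" not in e.options, "no-forced-command"),
            (e.fp not in used, "unused-in-log-window"),
        ]
        report[e.comment] = [label for hit, label in checks if hit]
    return report

# Constructed inputs: three keys in root's authorized_keys on host web07 and
# three sshd log lines; in practice use the longest log window retention allows.
BLOBS = {name: fake_ed25519_blob(name) for name in ("backup", "olduser", "patch")}
AUTHORIZED_KEYS = "\n".join([
    "# root's authorized_keys on web07 (constructed)",
    f'from="10.0.1.0/24",command="/usr/local/bin/backup-pull" ssh-ed25519 {BLOBS["backup"]} backup@bk01',
    f"ssh-ed25519 {BLOBS['olduser']} olduser@ws22",
    f'command="/usr/local/bin/apply-patch",no-pty ssh-ed25519 {BLOBS["patch"]} patch@cfg01',
])
SSHD_LOG = "\n".join([
    "Mar  3 02:00:01 web07 sshd[4120]: Accepted publickey for root from 10.0.1.5 "
    f"port 50212 ssh2: ED25519 {fingerprint(BLOBS['backup'])}",
    "Mar  3 02:04:17 web07 sshd[4188]: Failed password for invalid user admin "
    "from 203.0.113.9 port 41002 ssh2",
    "Mar  3 03:15:42 web07 sshd[4411]: Accepted publickey for root from 10.0.2.9 "
    f"port 50390 ssh2: ED25519 {fingerprint(BLOBS['patch'])}",
])

def run_audit():
    """Audit the constructed file against the constructed log."""
    return audit(parse_authorized_keys("root", AUTHORIZED_KEYS), used_fingerprints(SSHD_LOG))
```

Run against the constructed data, the backup key passes apart from the inherent "grants-root" finding, the patch key is flagged for having no source restriction, and the leftover workstation key is flagged on every check, including never having been used. At enterprise scale the same logic runs over every account's authorized_keys on every host and over a central log store, and the "unused" finding is only as good as the log window: a key used by a quarterly job looks unused in a one-month window, which is why the sign-off step exists.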
Creating and maintaining a secure SSH key policy takes diligence, but it can be the difference between the life or the death of a Fortune 500 – or any enterprise, for that matter.
For more information on protecting your organization from today’s evolving cyber-threats, check out Aberdeen’s comprehensive content brief, Quantifying the Value of Time in Cyber-Threat Detection and Response.
Tatu Ylonen is the creator of the SSH protocol and the founder of SSH Communications Security.