Fri, 6 December 2013
Many organisations take proactive steps to prevent hackers from gaining access to company networks, believing that by keeping the information safely inside it¹s secure. What companies forget is that IT administrators, with unfettered access to company information, are in an ideal position to leak sensitive information.
Jason Thompson, Director of Global Marketing from SSH Security is here to talk about the need for SSH key management to close security holes and control system administrators access to critical systems and data.
Jason, you’ve been doing some research recently into how organisations can address these problems, give us the background of how this study came about and what the actual depth of the problem is here?
We have been working on this secure shell environment since we invented the protocol back in 1995/96 The secure shell protocol has been around for quite some time and it has been a trusted workhorse for encrypted data and transit communications and from that standpoint we have deploying our product across the Linux / Unix platform as well as main frame and windows. In addition to that SSH is an open source protocol so it is widely used and is distributed with every version of Linux and Unix and is sold other machines as well. There are millions of deployments of SSH throughout the world.
Over time SSH has done its job to definitely secure the pathways to information assets to make sure that there is a secure encrypted channel between two machines or to allow remote access to a server to do work on that server and in an encrypted fashion. What has happened over a period of time is that the access controls to these millions of deployments by the server in the organizations and how you gain access to those encrypted channels and in many cases a key. In many cases there could be one key or there could be many keys and in some organizations we found that there were millions of keys to the high levels of administrative access to various servers throughout the environment. What that was creating as wells as a compliance issue was obviously a security issue where if anyone were to get hold of one of those keys then they would be able to gain access a wide swab of the organizations servers and potentially do a lot of damage to the organization. So we went back into our customer base and others using open SSH looking initially at the economic costs and challenges of managing these keys. This was substantial into millions of dollars and really there was no ability to rotate and remove the keys so that was a provisioning cost of several million a year. Out of that was a significant security risk that was created by a lack of identity of the access management control inside of the organizations. In one instance an organization that we went into we asked them how many keys you have in your environment and how many do you think you have and they estimated maybe 500,000 but they had 1.5 million. We asked them how many of those 500,000 do you consider should have high level of privilege access and they said that they didn’t think that any of them should and it ended up that about 10% of them did. So what we learnt from our customer base is that this is a widespread problem that really has become a real risk and now the compliance organizations are all coming to us and asking us to help them write updates to their current guidelines to help address this. Also to come with best practices so that we can help organizations better secure their encrypted channels so that people can’t get control of those really vital networks and do damage to the organization or steal critical information assets.
The numbers quoted of unidentified people with access are huge and this much represent a really difficult situation to manage if organisations are realizing this now for the first time?
It really is an uncontrolled environment and this is the challenge because when SSH was developed and deployed especially because of its open source setup, individual groups and administrators used it mostly as a plumbing layer type solution. So over time you have these silos in organizations who were all managing deploying keys to gain access to servers on their own and there was no centralized control or management so the proliferation of this kind of attack happened over a decade. Now because of the existence of advanced persistent threats and the idea that the perimeter is not going to be 100% secure we know we need to implement a zero trust model inside the environment. We know that we need to make sure that inside of our organizations for security and also for compliance purposes that we are able to restrict and control who has access to what information and also who can provision, remove and rotate the keys and those types of things are really critical.
You mention the recent ‘Edward Snowden’ case as an example of how administrators can pose a risk to security in this way. Given that understanding how the threat is deployed helps to find solutions, how do administrators compromise security in this way and how can understanding that method help identify what is missing and how to deal with it?
I don’t actually know what happening with that particular case, the details will come out in the course of the ongoing criminal investigation. But I can tell you about a potential way an attack can occur though and that would be to effectively go into and environment and use a key that had a broad range and level to it and then once you have access to that you can then use that key to access an encrypted channel and move throughout the environment. You then have privileges that enable you to take information out. Because it is an encrypted channel you are basically able to pull that information out and you are going to blind any sort of security operation or forensics teams as to what you have done. So that is one way that someone could pull a tremendous amount of information out of an organization like the Department of State without being noticed because they are going to be using an encrypted channel. Part of our platform in addition to the key management is a solution that is in the middle, which actually utilizes the key so that an authentication error drops into what we call a ‘crypto monitor.’ We can actually then inspect the traffic and provide contacts to the identity inside the network.
The key here in the Snowden case is that yes that person is probably authenticated with the strong authentication but the organization in this case, the Department of State was not able to understand what the identity was doing inside the environment and they were not able to provide context and because it was an IT administrator using an encrypted channel they were blinded.
So really there needs to be solution in place that allows the organization to strip back who has access to what, that would be the key access management control side but also would be to actually be able to monitor what that individual is doing while they are transacting with the network. We call that security intelligence and the IT world where we provide that intelligence in real time. So if a guy is pulling out files at 2am until 5am this is the kind of activity we need to shut down in order to do an investigation. In this case that was not possible so the person who put that information on to a computer and flies to Hong Kong at that point it is outside the grasp of who did what and to whom and when. Those are the critical things that are missing.
What is awareness like in industry about this, is it a case of educating IT departments around the risks that this problem presents?
It depends who you are talking to in the organization, in some cases they don’t know but if you talk to a Unix / Linux admin they would tell you that yes they had known about the problem for a long time but no one has said anything about it on the upper levels so we are not really concerned about it until someone says something.
As you get into the compliance side you see people a little bit more concerned because of the compliance issues and the risk as well As you get higher up in the organization you get the feeling that they are almost unaware of this problem largely because it doesn’t appear broken. There is no compliance mandate that is required there will be compliance mandates coming out towards the end of this year which will give these organizations about 9-18 months to comply with it. Those are really the triggers that build awareness of the things that are going to happen to you. I think if we talk to some customers who tend to be the financial institutions and they are really worried about credit cards being stolen and anything that can pose a threat to even a part of their business, these early adopters are looking at it from a stand point of we have a security issue which we need to resolve and that is happening in the financial institutions these problems are coming in the top 10 – 15 projects for organizations, which if you are huge bank it is pretty high up there.
So for the early adopters who see themselves to be at the greatest risk for the most severe attacks they are aware of it and it is really getting harder talking to the broader group of users out there is the world and getting them to recognize that you need to control access to your privileged users and internal users in the same manner you control access to your office administrators who have very limited access to your organization and the message is now getting out there.